r/HomeNetworking 17d ago

Need to share an unmanaged switch between 2 different LANs

I have IP cameras installed in my building and I installed an unmanaged PoE switch for them. I want to share access to the cameras with my neighbours, who are getting internet from the same ISP as me.

From what I know and researched over the past 2 days I am thinking of this setup:

Unmanaged Switch(With IP Cameras connected to it) -> Managed Switch -> Both LANs

I am planning to get a managed switch for this but I am confused about what to look for.
Also, I can't replace the unmanaged switch with a managed switch as it would increase the budget, and I am trying to avoid that. I am not sure, but I believe that if I connect both networks without proper isolation from each other it might create a loop and end up creating more issues, so what do I need to check before getting a managed switch (other than VLAN capability, which every L3 switch has)? Also, will my setup work, or am I overlooking anything?

More details->
I need to share cameras on both networks because both LANs will be running a Home Assistant server. I thought about installing a router instead of the managed switch but it just feels redundant as I would only be using VLANs (I think?) and that can be done with a managed switch too. Currently my network is connected directly to the unmanaged switch and I assigned static IPs to the cameras in the 192.168.68.0/24 subnet, which is what I am using in my network; my neighbours haven't connected yet. I have connected the unmanaged switch to a managed switch in my network so there is a possibility for me to set up a VLAN for my network to isolate it, if required.

0 Upvotes

16 comments sorted by

3

u/tschloss 17d ago

Not sure if I captured all information correctly - but I think you will need something routing between your networks. Given that both parties have their own LAN (Layer 2) and their subnets, you must create a place where both come together.

By using a switch with a port into A and into B every resource can be accessed by each party. The different subnets are only a small obstacle. Also the DHCP service wouldn’t work as expected anymore.

So a router between the networks (could be one of the existing routers if capable) must be present somewhere, also having a port or interface into each network.

Then you want to add a FW rule on the router to limit access across to the camera. But still, the person running the router could peek into the neighbour's network.

1

u/Human-Suspect-232 17d ago

I second this.
Be mindful of what you want to share/don’t.

1

u/ReadingNo7551 17d ago

Thanks for the reply! If I am understanding correctly, I need to get a router and connect both networks to it, and then give the second network access to the specific IP addresses of the cameras while isolating it from the rest of my network using FW rules. The cameras can connect to my network and DHCP will work in this case. This should let me connect the two networks, right?

1

u/tschloss 17d ago

Yes, exactly. DHCP traffic will not cross a router. The camera will probably live in one of the 2 layer 2 LANs and use an IP address out of this subnet (could probably also be an IP of an arbitrary 3rd subnet).

But both subnets must be different - if your ISP preconfigured both of your routers to the same subnet, the routing won't work.

Not sure about Home Assistant: if this requires L2 access, the router will kill it for the other side.

Regarding the config of the routing: in the "other" LAN each client will have a default GW pointing to the ISP router. So either the ISP router does the routing to the "original" network (directly or via the new router), or each client needing access to the cam must get an additional static route pointing to the GW.

By configuring this new router with NAT you should be able to avoid a similar configuration on the "original" side (for the packets' return path).

A little travel router (Gl.iNet) should do the job.

1

u/dedXlights 17d ago

I know this is home networking, but can't you give them access to the software used to view the camera? Why involve networking at all? Maybe look at something more like a VPN setup (Pangolin or Tailscale). What kind of camera system is it?

1

u/ReadingNo7551 17d ago

They already have access to the software; this is because they plan to have a Scrypted and Home Assistant server and plan to connect the cameras to HomeKit using them. I hadn't considered Tailscale as they would need 24/7 access to the cameras and it might overwhelm their router or throttle their speed. The cameras are RTSP-enabled IP cameras from TP-Link. I had thought about sharing the NVR, but unfortunately the NVR has only one NIC so it can't connect to 2 networks simultaneously, which would end up leading me back to the same issue with the NVR in place of my unmanaged switch.

1

u/Square_Yam9853 17d ago edited 17d ago

The video stream data will need to flow through their router regardless. Also, you should confirm anything flowing out of your internet gateway actually goes to their gateway without an extra hop. It is very likely the internet provider would isolate customers for security reasons, and even if your neighbour has the same ISP it still counts toward your upload and his download allowance. Are you hosting their IP cameras for them? This is also an issue with the RTSP stream: I believe the IP camera only has enough resources to process one full stream and send it to a server, so you will always need one primary NVR to process them first. If they then pull from your NVR, that's a constant CPU / resources drain. What is your agreement for doing this for them?

1

u/Square_Yam9853 17d ago edited 17d ago

You want to just use the firewall on your gateway router and the settings on your NVR / IP camera to create an account with specific access for your neighbour. What you are describing does NOT secure or isolate your network in any way. It is only going to cause headaches for yourself later on. If your gateway router is capable of multiple VLANs, then I would separate your home network from your IP cameras, but you don't need to separate one camera just so you can share that one. A next-door neighbour on the same ISP has no bearing. Once it is outside of your internet gateway it is the Internet.

1

u/junktrunk909 17d ago

This is a very confusing post. Forget managed vs unmanaged; the VLAN issue is the last thing to worry about. You can't have the same device on two LANs (well, unless that device has two NICs, which basically no cameras do, unless you want one to be wireless, and even then it isn't likely to work). So if you really insist on both of your individual routers having access to this one device (or set of devices), you're going to need a new router (not a switch) that has two WAN ports, and then you can run a cable from each of your individual routers' LAN ports to this 3rd router's WAN ports, then connect the cameras to that 3rd router's LAN ports. Make sure all 3 routers are using different IP ranges to ideally avoid headaches, e.g. neighbour on 192.168.0.0/24, you're on 192.168.1.0/24, camera router is 192.168.2.0/24, or whatever. Now you're both able to establish routes to the camera LAN, assuming you set that router's firewall up correctly to allow those inbound connections.

Honestly this seems like a nightmare though so I really wonder why you're going to all this trouble. There are much easier ways to share camera feeds if that's all you're after.

1

u/WTWArms 17d ago

This can be done with a L3 switch or router/firewall. You need to have something to do routing between the subnets. You could do it with L3 and ACLs to offer some protection, but by default a L3 switch is going to just route without any security policy. My recommendation would be a firewall that is VLAN aware, with each VLAN as L2 and the firewall being the L3 gateway.

2

u/SnooKiwis9257 17d ago

Abstracting the hardware for a minute, I read this as a means for your network and your neighbor's network to connect to your camera network.

Based on what I've read, here are my thoughts. I'm assuming you are not using WiFi to connect your two networks together.

Your network and your neighbor's internal networks will need to be in non-overlapping IPv4 networks for this to work. (We will use the examples of 192.168.0.0/22 and 192.168.4.0/22)

An additional router (or PoE L3 switch replacing the existing switch) will need to be placed where it can connect to:

  • Your network
  • Neighbor's network
  • Camera network on the unmanaged switch.

Current configuration for the camera network would need to be removed from your existing equipment and moved to the new router/switch.

The new router would need three network interfaces connected to these networks:

  • 192.168.0.2/22 - Resides on your new router and connects to your existing network as a next hop for your hosts to reach the cameras.
  • 192.168.4.2/22 - Resides on your neighbor's router and connects as a next hop for your neighbor's hosts to reach the cameras.
  • 192.168.68.1/24 - This connects to the unmanaged switch and acts as the cameras' default gateway.

Your current router would have to have a static route to 192.168.68.0/24 installed on it to direct traffic to 192.168.0.2 on the new router to connect to the cameras.

Your neighbor's router would have to have a static route to 192.168.68.0/24 installed on it to direct traffic to 192.168.4.2 on the new router to connect to the cameras.

The new router would not need any additional routes installed other than a 0.0.0.0/0 to 192.168.0.1 if they require Internet Access.

I would put in an access list to allow only appropriate traffic between the camera network and all other networks. I would also block traffic between your network and your neighbor's. Routing should allow that, but block it anyway.

Here are some reasons just creating a VLAN and joining things won't work well for you.

  • A VLAN does not provide routing between networks. It only separates networks.
  • Generally, a host (camera) can only have one default gateway. You currently have a default gateway on your network, 192.168.68.1 which all your cameras send all packets not addressed to their local network to.
  • Without adding a new router, here is what happens if you continue to use the existing default gateway for the cameras.
    • You connect your neighbor's router to your camera network by assigning an address of 192.168.68.2 to a network interface on your neighbor's router.
    • You connect that interface to your unmanaged switch, creating a network both networks share.
    • One of your neighbor's hosts at 192.168.4.8 sends a packet to a camera on the unmanaged switch.
    • Since 192.168.4.8 does not exist in the camera network, the camera host sends the response to its default gateway at 192.168.0.1.
    • Traffic reaches your network and is dropped.
    • Your neighbor never sees any responses but can still send requests that reach the network.
    • Even if the routing is correct, it's the behavior of the hosts that will cause issues here.

There are security concerns you are going to have to address here as well.

This is also a rough, off the top of my head way of doing this. With more budget I'd do it differently.

I would also diagram this all out to see how it meshes together.
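To make the two cases in this answer concrete, here is a small routing model written for this thread (it is not the commenter's code and not a configuration for any particular router). It uses the commenter's addresses: the neighbour's host is 192.168.4.8, a camera is assumed at 192.168.68.10, and the failure case plugs the neighbour's router into the camera switch as 192.168.68.2 while the cameras keep your router as default gateway. The fixed case adds the three-legged router with the two static routes and a stateless access list; `your_host` with a route to 192.168.4.0/22 via 192.168.0.2 is a constructed example of the LAN-to-LAN traffic the "block it anyway" rule is meant to catch. Hop selection is directly connected first, then longest matching static route, then default gateway; the ISP uplinks are left out, so a router with no route to a private range simply drops.

```python
"""Toy routing model: neighbour host <-> camera, without and with a dedicated router.
Constructed example; addresses follow the comment above, the ISP side is not modelled."""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host or router: interfaces, static routes, default gateway, optional ACL."""

    def __init__(self, name, ifaces, routes=(), gateway=None, acl=()):
        self.name = name
        self.ifaces = [ip_interface(i) for i in ifaces]
        self.routes = [(ip_network(n), ip_address(h)) for n, h in routes]
        self.gateway = ip_address(gateway) if gateway else None
        # (src net, dst net, allow) rules, first match wins. An empty ACL permits
        # everything; a non-empty ACL denies what it does not explicitly allow.
        # Stateless: a real firewall would allow only replies back from the cameras.
        self.acl = [(ip_network(s), ip_network(d), a) for s, d, a in acl]

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def on_link(self, addr):
        return any(addr in i.network for i in self.ifaces)

    def next_hop(self, dst):
        """Connected destination -> deliver on-link; else longest static route; else default."""
        if self.on_link(dst):
            return dst
        best = None
        for net, hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else self.gateway

    def permits(self, src, dst):
        for s, d, allow in self.acl:
            if src in s and dst in d:
                return allow
        return not self.acl


def owner(nodes, addr):
    return next((n for n in nodes if n.owns(addr)), None)


def trace(nodes, src, dst, max_hops=8):
    """Names of the nodes a packet visits, ending in DELIVERED or a DROPPED reason."""
    src, dst = ip_address(src), ip_address(dst)
    node = owner(nodes, src)
    path = [node.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path + ["DELIVERED"]
        if not node.permits(src, dst):
            return path + [f"DROPPED: denied by {node.name} ACL"]
        hop = node.next_hop(dst)
        if hop is None:
            return path + [f"DROPPED: {node.name} has no route to {dst}"]
        nxt = owner(nodes, hop)
        if nxt is None or not node.on_link(hop):
            return path + [f"DROPPED: next hop {hop} not reachable from {node.name}"]
        node = nxt
        path.append(node.name)
    return path + ["DROPPED: hop limit exceeded"]


def broken_topology():
    """Neighbour's router joined to the camera switch as 192.168.68.2; cameras still
    use your router as gateway, and your router knows nothing about 192.168.4.0/22."""
    return [
        Node("your_router", ["192.168.0.1/22", "192.168.68.1/24"]),
        Node("neighbor_router", ["192.168.4.1/22", "192.168.68.2/24"]),
        Node("neighbor_host", ["192.168.4.8/22"], gateway="192.168.4.1"),
        Node("camera", ["192.168.68.10/24"], gateway="192.168.68.1"),
    ]


def fixed_topology():
    """Three-legged router, static routes on both existing routers, camera-only ACL."""
    camera_acl = [
        ("192.168.0.0/22", "192.168.68.0/24", True),
        ("192.168.4.0/22", "192.168.68.0/24", True),
        ("192.168.68.0/24", "192.168.0.0/22", True),
        ("192.168.68.0/24", "192.168.4.0/22", True),
        # your LAN <-> neighbour LAN matches nothing above and is therefore denied
    ]
    return [
        Node("your_router", ["192.168.0.1/22"], routes=[("192.168.68.0/24", "192.168.0.2")]),
        Node("neighbor_router", ["192.168.4.1/22"], routes=[("192.168.68.0/24", "192.168.4.2")]),
        Node("new_router", ["192.168.0.2/22", "192.168.4.2/22", "192.168.68.1/24"],
             gateway="192.168.0.1", acl=camera_acl),
        # constructed: a host on your LAN pointing straight at the new router for the neighbour's range
        Node("your_host", ["192.168.0.50/22"], routes=[("192.168.4.0/22", "192.168.0.2")],
             gateway="192.168.0.1"),
        Node("neighbor_host", ["192.168.4.8/22"], gateway="192.168.4.1"),
        Node("camera", ["192.168.68.10/24"], gateway="192.168.68.1"),
    ]


if __name__ == "__main__":
    for label, topo in (("without new router", broken_topology()), ("with new router", fixed_topology())):
        print(f"-- {label}")
        print("request:", " -> ".join(trace(topo, "192.168.4.8", "192.168.68.10")))
        print("reply:  ", " -> ".join(trace(topo, "192.168.68.10", "192.168.4.8")))
    print("your LAN -> neighbour LAN:", " -> ".join(trace(fixed_topology(), "192.168.0.50", "192.168.4.8")))
```

Running it shows the asymmetry the comment describes: in the first topology the request reaches the camera over the shared switch, but the reply goes to your router, which has no route back to 192.168.4.8 and drops it. In the second topology the reply returns through the new router onto the neighbour's segment, and a packet from your LAN aimed at the neighbour's LAN dies on the new router's ACL even though the router has a leg in both networks.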

1

u/ahj3939 17d ago

You would just forward ports to the camera or NVR the exact way you would configure them for remote access from another ISP/location. The fact they are in the same building and using the same ISP does not change that.

0

u/SeaPersonality445 17d ago

Reading your post and what it exposes: you shouldn't be running VLANs, just a flat network. It sounds like you thought VLANs were a good idea without fully understanding how they work, in which case don't. Or pony up and buy another managed switch.

0

u/SaleWide9505 17d ago

I assume both of you have your internet connection going into your own router. If so, you don't need to buy any extra equipment. All you need to do is connect a cable from your PoE switch to your router.

0

u/ReadingNo7551 17d ago

It is not possible to install an Ethernet cable between their router and mine due to how the building is constructed, so I can't do that.

2

u/SaleWide9505 17d ago

So how will you guys connect to each other? Over the Internet?