@graham-b 

Sorry having to tell you, but your drawing on page 2 is not going to work.

1. You should put all of the cameras and the NVR into the same VLAN (VLAN 2 in your case). In your drawing the NVR and the cameras cannot communicate.

2. If the NVR does not have two LAN ports or allows configuration of tagged VLANs (and I don't assume this), to access the NVR from VLAN 1 you need a device which is capable of VLAN routing. This can either be done with software e.g. pfsense or you need a better switch with L2+ support e.g. TL-SG2218.

If you don't have a server running already 24/7 in the office where you can simply add a pfsense VM, I'd go with the better switch.

Kind regards

Martin

  @mwo 

Hi Martin,

Many thanks for taking the time to reply, much appreciated.

I bought the TL-SG1016DE with a view to using it anyway. If the setup I wanted wasn't going to work I'd probably just employ some flow control to lighten the network load.

Had a good play about with the new switch yesterday, between the manual and trying different setting just to get my head around everything having absolutely no experience of managed switches.

During this I stumbled accross a solution that seem to work perfectly in line with what I was after.

I created VLAN 2 for ports 1 to 5, all un-tagged ports 1-4 (cameras) PVID = 2 , Port 5 (NVR) PVID = 1. Then re-enabled all ports in VLAN 1 again all un-tagged

Port 16 linked to router

Using a laptop in port 5 (instead of the NVR I can ping all 4 cameras and get internet and also ping my desktop (not on the switch but attached router)

With the laptop in port 1 to 4 no internet and no access to desktop or internet.

All VLAN 1 ports with the exception of 1 - 4 have full internet access and all devices on same subnet.

Possibly what I have configured is not deemed as correct, however it works for me.

Again, many thanks for your reply to my query.

Kind regards, Graham

  @graham-b 

Dear Graham.

Thanks for sharing. And congratulations for finding a working solution although it is quite surprising.

From my understanding, the cameras and the NVR transmit untagged packets, so the switch will do the tagging according to the given PVID. Thus, all camera packets are on VLAN 2. The NVR is able to receive such packets because VLAN 2 is enabled at port 5, but all packets from the NVR should be tagged with 1 and therefore not be sent to the cameras. As I said, quite surprising.

D-Link offers an option to active asymmetric VLAN which is mainly for using a single server or router in two separate VLANs. But during activation you'll be notified that this does not comply with standard VLAN rules. Maybe TP-Link offers the same by default without notification which I would consider a potential security breach. Or maybe this works by mistake and is corrected in the next firmware update.

Anyway, enjoy your working setup.

Kind regards

Martin

  @KJK 

Hi Kris,

Thanks for the reply.

To clarify, although all devices are on the same subnet they ALL have static address so DHCP and the router are out of the equation.The devices will use ARP to resolve addresses.

I can see when and where different subnets are used to segregate networks and be useful in large networks but in my scenario this is not needed.

I know many people state VLANs must be of different subnets and many other say this is not required. So I think we will have to agree to disagree on that subject.

I have spent many hours trying different methods and iterations of crossing the boundary between vlan1 and vlan2 and found it not to be possible and the network behaves EXACTLY as I wanted.

If all ports as you suggest are part of VLAN 1 then I should be able to access the camera feeds from vlan1 or anywhere else in the network which I can not.

I am unsure how the switch performs this but the only difference in vlan2 namely port 5 is the PVID set to VLAN 1. When set to VLAN 2 (ie port 5 PVID 2) I loose outside access to port 5.

May not be pretty but it works for me.

Thanks again.

Kind regards, Graham