Cameras on isolated VLAN

I’m setting up a camera system with DW Spectrum IPVMS 4.0 running on a custom Ubuntu 18.04 box and Dahua cameras. At the headend, there is a Sonicwall, and the switches are UniFi (us24-250, us48, us16xg). The Ubuntu box has a network interface on the main LAN and another on a VLAN. The VLAN is defined in the switches, and the appropriate ports (cameras and the server interface for the cameras) are set to the VLAN profile.

I’ve installed a DHCP server (isc-dhcp-server) in Ubuntu for the camera VLAN. The cameras have been set up for DHCP. I set up each camera with a reserved lease (host, hardware ethernet, fixed-address) in dhcpd.conf. From systemctl status, I can see DHCPREQUESTs, DHCPDISCOVERs, and DHCPACKs, but dhcp-lease-list shows no leases and pings to the ACKed IPs go unanswered (Destination Host Unreachable).

At this point, I’m not sure if the problem(s) lies in the switch/VLAN config or the DHCP server config – or maybe something else that I still need to configure. Any ideas what I should check next?


I’ve never done what you’re describing so outsider perspective — do you need open ports on the firewall to accomplish what you need?

@dumser

Just want to clarify: you mention you installed a DHCP server in Ubuntu for the camera VLAN. Is this a different Ubuntu server or the same Ubuntu server that is running IPVMS? If it is different, is the Ubuntu DHCP server in the same VLAN as the cameras? If not, you may need to enable DHCP relay in your Sonicwall (I assume this is the router/firewall).

No, I don’t need open ports on the firewall. The point is to isolate the cameras so they can’t talk to the Internet. I didn’t specify a “router” (gateway) in the DHCP configuration either.

The DHCP server is running on the same box as Spectrum, and that box is the only non-camera device on the camera VLAN. This interface is configured with a static IP of 172.16.100.1. DHCP should be handing out addresses in 172.16.100.0/24. Here is my dhcpd.conf:

default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.100.255;
INTERFACES="enp9s0f0";

subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.50 172.16.100.100;

  host cam001 {
    hardware ethernet 38:AF:29:xx:xx:xx;
    fixed-address 172.16.100.2;
  }

  # more hosts
}

From systemctl status, I got
$ sudo systemctl status isc-dhcp-server.service
● isc-dhcp-server.service - ISC DHCP IPv4 server
Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-01-26 08:17:27 CST; 9s ago
Docs: man:dhcpd(8)
Main PID: 22893 (dhcpd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/isc-dhcp-server.service
└─22893 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf

Jan 26 08:17:34 dws dhcpd[22893]: DHCPREQUEST for 172.16.100.2 (172.16.100.1) from 38:af:29:xx:xx:xx via enp9s0f0
Jan 26 08:17:34 dws dhcpd[22893]: DHCPACK on 172.16.100.2 to 38:af:29:xx:xx:xx via enp9s0f0

But no hosts are listed by dhcp-lease-list, and attempting to ping the IPs doesn’t work either.
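
Added example, not part of any post in this thread: `dhcp-lease-list` reads `dhcpd.leases`, where ISC dhcpd does not record `fixed-address` reservations, so this Python script builds the camera inventory from the DHCPACK log lines instead and flags any device on the camera VLAN that has no reservation. The sample config, log lines, MAC addresses and function names are constructed for the illustration; it assumes `hardware ethernet` precedes `fixed-address` in each host block, as in the config above.

```python
import re

# Constructed sample inputs modelled on the config and log lines in the thread;
# the MAC addresses and the "laptop" device are made up for this example.
DHCPD_CONF = """
subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.50 172.16.100.100;
  host cam001 { hardware ethernet 38:AF:29:00:00:01; fixed-address 172.16.100.2; }
  host cam002 {
    hardware ethernet 38:AF:29:00:00:02;
    fixed-address 172.16.100.3;
  }
}
"""
SYSLOG = """
Jan 26 08:17:34 dws dhcpd[22893]: DHCPREQUEST for 172.16.100.2 (172.16.100.1) from 38:af:29:00:00:01 via enp9s0f0
Jan 26 08:17:34 dws dhcpd[22893]: DHCPACK on 172.16.100.2 to 38:af:29:00:00:01 via enp9s0f0
Jan 26 08:19:02 dws dhcpd[22893]: DHCPACK on 172.16.100.50 to 00:11:22:33:44:55 (laptop) via enp9s0f0
"""

# Assumption: "hardware ethernet" comes before "fixed-address" inside each host block.
HOST_RE = re.compile(
    r"\bhost\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;"
    r"[^}]*?fixed-address\s+([\d.]+)\s*;")
ACK_RE = re.compile(r"DHCPACK on ([\d.]+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via (\S+)")

def reservations(conf):
    """Map lower-cased MAC -> (host name, fixed address) from the host blocks."""
    return {mac.lower(): (name, ip) for name, mac, ip in HOST_RE.findall(conf)}

def audit(conf, log):
    """Classify every DHCPACK in the log against the reservations in dhcpd.conf."""
    reserved = reservations(conf)
    seen, unknown, mismatched = {}, [], []
    for ip, mac, _hostname, iface in ACK_RE.findall(log):
        if mac not in reserved:
            unknown.append((mac, ip, iface))           # no reservation: not a known camera
        elif reserved[mac][1] != ip:
            mismatched.append((reserved[mac][0], ip))  # ACKed address differs from fixed-address
        else:
            seen[reserved[mac][0]] = ip
    silent = sorted(name for name, _ in reserved.values() if name not in seen)
    return {"acked": seen, "silent": silent, "unknown": unknown, "mismatched": mismatched}

if __name__ == "__main__":
    for key, value in audit(DHCPD_CONF, SYSLOG).items():
        print(f"{key}: {value}")
```

On a live server the log text would come from the dhcpd journal or syslog rather than the embedded sample.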

Why do you need a DHCP at all? Just set them all up with static IP. And forget it.