Synology: Advice on separate surveillance VLAN

I’m new to Synology and Surveillance Station, and I’m seeking advice on my network camera setup.

I already have a separate IoT VLAN (thanks to YouTube tutorials!) that I’m thinking of using for my IP cameras.

My Synology NAS has multiple Ethernet ports, and I’m wondering if this is possible:

  • Assign one port to the IoT network to exchange data with the cameras
  • Configure Synology such that only Surveillance Station ports are exposed on that IoT interface

Or, if there’s a better way to structure this, I’d appreciate any advice. TIA!

Like most things, it depends on your level of paranoia :see_no_evil:

I have a QNAP with multiple NICs running surveillance software. Given enough time, either or both of your NAS and CAMs will fall out of support but will still operate quite OK. This is the situation I am in, and I designed my CAM vlan accordingly.

My CAM vlan doesn’t allow any traffic out to the WAN or other vlans; it connects to the NAS via a NIC on the CAM vlan. The cams themselves connect to the network over Ethernet with 802.1X against a RADIUS server, meaning that if you were to enter my network via the cable outside my house you would need a username and password. CAMs would still work in the same way over Wi-Fi, as my AP is set up for it, though I don’t have any Wi-Fi cams.

Now, when I want to view my cams via my mobile, I access my network via OpenVPN on my ISP vlan. My other vlans can access the CAM vlan, but not the other way round.

My IoT vlan is there, set up with access to the WAN via my paid VPN, though not to the other vlans. I only put TVs, Blu-rays etc. on it. I don’t really need it, but I set it up in case I do.

I’d recommend the above; there’s nothing too wrong with it, unless your CAMs won’t operate without access to the internet, in which case I would change them!

Depending on your switch, you may have different options to secure the connection for external cams, as you basically have a wire into your network. There is probably a 1% chance someone tries anything, but it is probably a good idea to know how to solve the problem.


On my guest vlan I have blocked access to the firewall (pfSense) GUI; perhaps this would also be a good idea for the IoT and CAM vlans.

Thanks for your reply. I like the idea of keeping the cams on a VLAN that has no Internet access.

Just to clarify about the NAS: Are you using 2 NICs on your QNAP, connected to LAN and “cam” networks respectively?

This may be vendor specific, but I’m wondering if I can configure the NAS to not expose admin/file sharing ports on the “cam” interface.

Yes, I have 4 NICs on the NAS, one of which is on the CAM vlan, so I can access the NAS from the CAM vlan.

If I understand you correctly, you want your cams and NAS on different vlans. That should work, as the NAS initiates the comms with the CAM (I think); hence, if the CAM vlan is compromised, they can’t access your NAS. That’s a good idea. It should be easy enough to test: just disable the CAM vlan NIC on the NAS.

However, you might have a lot of traffic on the “other” vlan if the CAMs are recording 24x7; I’m not sure, but perhaps. Though with my current setup I don’t notice anything being slow.

Thanks again for the feedback. I was aiming for a configuration like yours, but I was looking to protect the NAS services from access via the CAM network (in case cameras get compromised, etc.). I just figured out that I could enable Synology’s built-in firewall to block incoming traffic on the NIC connected to the CAM network.
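One way to verify the firewall policy described above from a host on the CAM VLAN, as an added example that is not part of this thread: probe the NAS’s CAM-side address and flag any admin or file-sharing port that still answers, while confirming the Surveillance Station ports do. The port numbers (DSM 5000/5001, SMB 445, Surveillance Station 9900/9901) and the host address are assumptions for illustration; the probe function is injectable so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, List

# Assumed service-to-port map for a Synology NAS (adjust to your own DSM settings).
SERVICES: Dict[int, str] = {
    5000: "DSM HTTP",
    5001: "DSM HTTPS",
    445: "SMB",
    9900: "Surveillance Station HTTP",
    9901: "Surveillance Station HTTPS",
}
# Only Surveillance Station should answer on the NIC facing the CAM VLAN.
ALLOWED_ON_CAM_NIC = {9900, 9901}

def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_exposure(host: str, probe: Callable[[str, int], bool] = tcp_open,
                   services: Dict[int, str] = SERVICES,
                   allowed: set = ALLOWED_ON_CAM_NIC) -> Dict[int, str]:
    """Probe each known port and classify it: 'ok', 'EXPOSED' (an admin/file port
    reachable from the CAM VLAN) or 'blocked-but-needed' (a surveillance port
    that the firewall closed by mistake)."""
    report = {}
    for port in services:
        reachable = probe(host, port)
        if port in allowed:
            report[port] = "ok" if reachable else "blocked-but-needed"
        else:
            report[port] = "EXPOSED" if reachable else "ok"
    return report

def exposed_ports(report: Dict[int, str]) -> List[int]:
    """Ports that must be closed on the CAM NIC but answered; an empty list means the rule works."""
    return sorted(p for p, state in report.items() if state == "EXPOSED")

if __name__ == "__main__":
    # Assumed CAM-side address of the NAS; run this from a host on the CAM VLAN.
    nas_cam_ip = "192.168.50.2"
    result = check_exposure(nas_cam_ip)
    for port, state in sorted(result.items()):
        print(f"{port:5d} {SERVICES[port]:28s} {state}")
    print("exposed:", exposed_ports(result))
```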

Perhaps that’s possible; QNAP doesn’t have a firewall that I’ve seen. Though I would say that even if the cam is compromised (in my scenario), they would have to get onto the network, and that would be difficult as my external cables are secured with 802.1X and I disabled the SSID on the CAM vlan. Obviously, if they get in the front door, they can just pick up the NAS :slight_smile: but it has 2FA and LUKS encryption.

Though I have to say QNAP has an issue with malware etc., but I think it’s just a function of their popularity. You have to make the same effort to ensure the actual NAS is not inherently compromised through weak passwords, no 2FA, or old firmware. QNAP only just recently fixed their NTP issue, so I would find myself occasionally locked out! What joy!

I’m mostly counting on pfSense doing a good job rather than counting on a consumer router.