how to segregate cameras from rest of network?

[spamvarun]

Hi all,

I have internet --> opnsense box (has internet modem) --> switch (cisco 350 28MP) --> fritzbox 7590 (for wifi)

most devices connect via wifi or lan to the switch

I have 7 wireless ip cameras (ring) that i want separated from everything else
-> unfortunately need to give them internet access it seems to use ring app

My understanding is that I need to set up a vlan for these devices and then segregate them

Is this correct/Are there any tutorials on this?

Cheers

[Demusman]

Depends on how many physical interfaces you have on the router.
Do you have a spare interface? IOW, WAN, LAN, and at least one more physical OPT?
If yes, run a cable from the OPT to your switch. In the switch, put the interface you just plugged into in a separate vlan. That will give you a separate network on the switch.
Now you have to be able to access that network from the cameras.

I'm not familiar with the fritz box but you will have to carry both vlans to it in order to separate the wireless devices. Commonly called a trunk port. You will set the switch port going to the AP as a trunk and put both of your vlans on it, your LAN vlan can be untagged but the new one will need to be tagged or both can be tagged. Depends on how the fritz box handles vlans.
You should search for vlans on the fritz and all the info I gave should get you started.

[spamvarun]

i don't think the fritzbox can do vlans?

i have another router i can use for the camera wifi though

OPT = opnsense? the open sense is a repurposed hp minipc / only has 2 ethernet ports unfortunately

so could I do internet --> opensense --> switch --> to each wifi router and somehow set each wifi router to its own vlan?

cheers

[Demusman]

No, OPT is the designation for interfaces other than WAN and LAN. Optional interfaces.

So only 2 interfaces, what you need to do is set a vlan on the LAN interface. Assign that vlan as an interface (Interfaces/Assignment), set the IP, name it, and enable it.
Then you'll need to trunk the interface on your switch that connects to the LAN interface on the router. You can leave the native vlan untagged, leave it there way it is now IOW, and tag it with the vlan I'd you use on the LAN interface.
Then untag another switch port with that same vlan Id, and plug the camera AP into that port.

You can enable the dhcp server on the vlan or set cameras as static IP 's.

[twintailterror]

make a vlan  even if its just a section of ip  that have no access you can indeed do that 

i personally need help with rules i can do the vlan part easy  enough tho. 
to do a vlan with 1 ip just make the range bigger or set aside 20 or so ip put on vlan (x)  then make x have no internet

even with out the other machine doing it, you can make it a access rather than a trunk line  and just segment it anyway.

[Demusman]

make a vlan  even if its just a section of ip  that have no access you can indeed do that 

i personally need help with rules i can do the vlan part easy  enough tho. 
to do a vlan with 1 ip just make the range bigger or set aside 20 or so ip put on vlan (x)  then make x have no internet

even with out the other machine doing it, you can make it a access rather than a trunk line  and just segment it anyway.

Seen multiple posts from you about his.
How about you try to be more clear about what you want??
You should try to use some punctuation in your posts. People tend to ignore posts like yours because it's hard to understand what you are actually saying.

What exactly are you trying to do??

[thewolf56]

One idea is to use a Unifi Access Point connected to your switch, if your current router cannot tag separate SSIDs.  I have a couple of SSIDs setup at my house with a few different VLANs to separate out traffic (normal LAN WiFi, Guest WiFi, IOT WiFi, and another IOT WiFi because Nintendo Switches do not work nicely when trying to play multiple consoles in a multiplayer game at the same time (their support saying to open all ports to them is another security story).  There are quite a few tutorials on how to create VLAN WiFi networks with Unifi and the other SENSE offering out there, and they work well for OPNsense, with just a few changes to the screens.

https://www.linuxserver.io/blog/2019-11-13-pfsense-unifi-wifi-vlan

If you can go that route, you do not need another NIC on your computer running OPNsense for that to work and you do not necessarily need a managed switch as long as your switch will pass the tags through (I started off with a switch that just did passthrough and now have a couple of managed switches in my home network.)