
How to separate camera traffic and user data traffic?

JohnsonLiu Newbie ✭
edited October 23 in High End Firewalls

Originally, only one branch (Linkou Branch) used surveillance cameras. The traffic at that time was that both the cameras and branch users were connected back to the Taipei head office (X2 interface) through a site-to-site VPN.

Later, each branch office installed cameras one after another, so the camera traffic began to increase. The department manager then requested that the traffic of the branch office cameras be separated from the data traffic of end users.


The camera traffic needs to be redirected to the X1 interface, while end users still use the site-to-site VPN.


How can I make a policy so that the camera traffic of each branch can be connected back through the X1 interface of the head office?


Answers

  • Arkwright Community Legend ✭✭✭✭✭

    I am not 100% sure here, but I think you're saying CCTV systems should have internet access but not site-site VPN? If so:

    Create a CCTV zone.

    Create a CCTV VLAN. Assign to CCTV Zone.

    Configure VLANs on switches to suit.

    Do not add the CCTV VLAN to the site-site VPN policies.

    Review the rules between the zones LAN, CCTV and WAN to ensure it will allow/block what you want.

  • JohnsonLiu Newbie ✭
    edited October 23

    Hi ARKWRIGHT

    Thank you very much for your reply.

    The branch office only installed general PoE cameras. I don’t know if this counts as CCTV.

    In order to avoid misunderstandings, I have posted pictures of the Interface settings of Taipei head office and the interface settings of Linkou Branch.


    All the required settings in the Interface have been set, and I have also removed the surveillance camera network segment from the VPN policy.


    For adding a new policy in Linkou Branch's Firewall, I don't know how to set its Destination.

  • TKWITS Community Legend ✭✭✭✭✭

    From your diagram and description it sounds like you want any traffic from Security Cameras to have connectivity to the NVR at Taipei, but to utilize the WAN connection on X1 on the NSA4600 at Taipei, rather than the X2 connection (which normal user traffic flows over).

    Simply create a second VPN tunnel at your remote sites that only includes the local Security Camera VLAN and Taipei NVR VLAN, and point it to the X1 IP at Taipei. Then on the Taipei NSA, create a corresponding tunnel, setting the preferred WAN interface in the advanced settings.

    That said, there's going to be a lot of traffic from these security cameras depending on things like resolution, frame rate, and encoding. If you have secondary ISPs at your remote offices I would suggest utilizing the secondary ISP so as not to overload the primary ISP connection.

  • JohnsonLiu Newbie ✭

    Hi TKWITS

    Thank you very much for your reply.

    Take the Linkou branch as an example (it only has one public IP: 61.220.75.x); it has established a site-to-site VPN with the Taipei head office (61.220.40.x) for user data traffic.

    Because Taipei Office has 2 public IPs, I can easily create a new VPN Policy from the Linkou branch (the destination is 220.130.34.x, the X1 interface IP) (site to site). However, in contrast, when I want to create a VPN Policy from Taipei Office to the Linkou branch (which has only one public IP), the problem is that it already has a VPN in use (as shown in the figure below). So I get the error message: 「Found a policy with the same peer gateway 61.220.75.x Phase1 proposal for matching policy might be overwritten.Click OK to proceed or Cancel to change settings.」

    Because the Linkou branch already has one VPN policy in use (end user DATA flow), I cannot create a second VPN policy.

  • Arkwright Community Legend ✭✭✭✭✭

    I think you will need tunnel-mode VPNs with route policies to do this:

    https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-tunnel-interface-vpn-route-based-vpn/220428013352773

  • TKWITS Community Legend ✭✭✭✭✭

    I don't think tunnel-mode VPN would work, because ultimately we would run into the same issue (same tunnel gateway IP). I was under the assumption there was another ISP we could use at the Linkou site.

    Is it a requirement that the camera traffic go over a VPN tunnel? You are hitting the limitation of VPN tunnel technology and would require another ISP at Linkou.

    If a tunnel is not required you can try to create an inbound NAT policy (and access rule) using X2 at Taipei for the camera traffic, then point the Linkou cameras to the X2 IP. I would, of course, limit the allowed connections to only your Linkou (and other remote site) public IP.

  • JohnsonLiu Newbie ✭

    Hi TKWITS

    Regarding the part about establishing the Taipei inbound NAT Policy (using the X1 interface), could you please describe it in more detail? What should I do?

  • Arkwright Community Legend ✭✭✭✭✭

    "I don't think tunnel-mode VPN would work, because ultimately we would run into the same issue (same tunnel gateway IP)"

    I think it will - when I need to "mesh" 2x sites together each with 2x WANs, then it's 4x tunnels, each one bound to an interface.

    But if there's no need for the traffic to use the VPN, then this complexity can be avoided.

  • TKWITS Community Legend ✭✭✭✭✭

    Sorry, I meant X1 as you correctly interpreted. This is simple port forwarding with inbound source restrictions.

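The port forwarding with inbound source restrictions that TKWITS describes in the two answers above, modelled as an added Python example (this is not configuration from the thread or from SonicWall). All addresses and the port are constructed placeholders, since the thread masks its real IPs as ".x"; the point it shows is what a wide-open forward exposes versus the source-limited one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses (the thread masks its real IPs as ".x").
TAIPEI_X1_PUBLIC = ipaddress.ip_address("203.0.113.10")  # Taipei X1 WAN IP (placeholder)
NVR_PRIVATE = ipaddress.ip_address("192.168.50.20")       # NVR on the Taipei NVR VLAN (placeholder)
CAMERA_PORT = 554                                         # assumed camera-to-NVR port (RTSP)

# Public IPs of the branch offices that may reach the NVR (placeholders).
ALLOWED_SOURCES = [
    ipaddress.ip_network("198.51.100.7/32"),   # Linkou branch WAN IP
    ipaddress.ip_network("198.51.100.9/32"),   # another branch WAN IP
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def evaluate_inbound(pkt: Packet, restrict_source: bool = True):
    """Model of: WAN access rule (optionally source-limited) + inbound NAT X1 -> NVR.

    Returns (verdict, translated_destination). The order mirrors the firewall:
    the packet must first hit the published service, then pass the source check,
    and only then is the destination rewritten to the private NVR address.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst != TAIPEI_X1_PUBLIC or pkt.dport != CAMERA_PORT:
        return ("no-match", None)          # not the published NVR service
    if restrict_source and not any(src in net for net in ALLOWED_SOURCES):
        return ("deny", None)              # unknown Internet source is blocked
    return ("allow", str(NVR_PRIVATE))     # NAT to the NVR on the camera VLAN


def exposure_report(pkt: Packet) -> dict:
    """Compare the wide-open forward with the source-restricted one for one packet."""
    return {
        "open": evaluate_inbound(pkt, restrict_source=False)[0],
        "restricted": evaluate_inbound(pkt, restrict_source=True)[0],
    }


if __name__ == "__main__":
    linkou = Packet("198.51.100.7", "203.0.113.10", 554)
    stranger = Packet("192.0.2.44", "203.0.113.10", 554)
    print("Linkou camera:", evaluate_inbound(linkou))      # allowed and NATed to the NVR
    print("Unknown source:", exposure_report(stranger))    # open: allow, restricted: deny
```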
  • JohnsonLiu Newbie ✭

    Hi TKWITS

    Thank you for your reply.

    I will read the article you recommended first. Then I will follow the article and implement it, and get back to you.
