Subscriber Discussion

Networking Question - Add Router

KJ
Kenny Johnson
Aug 18, 2016

Hello, we have a router that has about 240 ip cameras on it
192.168.1.1

We want to add another router behind our existing one which will have this address
192.168.2.x

From the WAN port on our NEW router we go to a LAN port on the existing router.

In the NEW router we set its LAN ip to
192.168.2.1

In the NEW router we set its WAN ip to:
Static ip = 192.168.1.200 (an open ip on the existing router)
Mask = 255.255.255.0
Gateway = 192.168.1.1

Was hoping to add cameras to the NEW router like...
192.168.2.5
192.168.2.6
192.168.2.7
etc...

Then have the NVRs over on the existing router be able to see those new cameras...

 

We have things set up this way... but cannot communicate between the 2 router.
no ping.   no browse.   nothing.

multiple restarts etc


Sorry to be so long and confusing...
Tried to keep it simple.

Thanks!!!

KJ
Kenny Johnson
Aug 18, 2016

OK... so I turned off the firewall in the NEW router....

Now I am able to ping the WAN port on my NEW router which is
192.168.1.117

BUT I still cannot see the LAN ports on my NEW router.

These are the NVR and Cameras....
192.168.2.5
192.168.2.6
192.168.2.7
etc.

From the EXISTING router I still cant see the LAN ports of the NEW router...

I am trying to access the 192.168.2.x network from the 192.168.1.x network.

Any tips?

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

The old router has no idea that it has to go to 192.168.1.200 to get to the 192.168.2.0 network.

The simplest way is just to add a static route that says exactly that. Most modern routers have an advanced setting for "Static Routes", go there and add the information above and a 255.255.255.0 mask and you should be all set.

If you tell me the router I can walk you thru it.

KJ
Kenny Johnson
Aug 19, 2016

Thanks! Yeah... the main router (.1) is an arris nvg599 from AT&T
I looked but dont see "static route" in there...

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

It should have a screen like this, which hopefully does the same thing:

Have you set this up?

KJ
Kenny Johnson
Aug 19, 2016

I do the section for "cascade router"

I have no idea what to put there though... the direction dont seem very clear to me...

Cascaded Router Address: The IP address for the router behind this device. The Cascaded Router Address should be in the LAN Private IP subnet range. Use 0.0.0.0 if IP Passthrough is enabled to have the cascaded router get the IP Passthrough address.

Network Address: The Network Address that defines the range of IP addresses available to clients of the cascaded router.

Subnet Mask: The subnet mask that with the Network Address defines the range of IP addresses available to clients of the cascaded router.

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

Put 192.168.1.200 in the Cascaded Router Address

Put 192.168.2.0 or something like that in the Network Address field, don't know what it lets you type there.

Put 255.255.255.0 as the Subnet Mask.

(1)
U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

kenny, if its not working dont kill yourself, it may be that the cascaded router option only works to the internet not between networks.

Look at this from the att forum.

The NVG589 can't have static routes set up, so it can only route non-local traffic out the default gateway. You're not allowed to use the 10.0.0.0/8 subnet (or any subnet of it) on the RG because AT&T has reserved it for its own use. The Cascaded router feature is intended for handing off a public static address block to your router, but still doesn't set up an internal route to those IP addresses.

hopefully its not true..

KJ
Kenny Johnson
Aug 19, 2016

Thank you so much for your time!

Looks like I will need to just get 2 linksys routers to do this with...

CN
Corey Nelson
Aug 23, 2016
IPVMU Certified

Just a thought, how about a larger subnet 255.255.0.0?

(1)
U
Undisclosed #1
Aug 23, 2016
IPVMU Certified

He's got 240 cameras on the subnet already, it might be a good time to break-up the broadcast domain, no?

Avatar
Vincent Tong
Aug 23, 2016

create rules for the 192.168.1.200

On the cameras change the web port (onvif) and streaming port.

Forward the ports for the new router

On the NVR connect the other cameras 192.168.1.200 : (Port Cam 1) for camera 241 etc

And do the same for the other cameras 192.168.1.200 : (Port Cam2)

(1)
U
Undisclosed #1
Aug 23, 2016
IPVMU Certified

Yes, this should work.

Though setting up port forwarding for 200 cameras is something I personally would spend $200 to avoid.

Still can't believe that the cascaded router option doesn't make a route between the LAN segments of the routers.

UI
Undisclosed Integrator #2
Aug 24, 2016

Why not move to a 255.255.254.0 subnet with the addresses starting at 192.168.1.1-192.168.2.254? this should give you 510 addresses all on the same network able to talk to each other without going through a router interface? While you wouldnt have to change the existing cameras subnet mask unless they needed to talk with something on the 2.x network like the nvr.

(2)
U
Undisclosed #1
Aug 24, 2016
IPVMU Certified

...this should give you 510 addresses all on the same network able to talk to each other without going through a router interface?

How many cameras can you put on a subnet before the broadcast traffic impacts everyone?

KJ
Kenny Johnson
Aug 25, 2016

Thanks for the reply!

I have looked at the subnet calculators for this subnet... and its a bit confusing. :)

Do you know what IPs I could use with this subnet?

255.255.254.0

192.168.(1-254).(1-254)

So...

You have to pick one number for the 3rd octet... and then the 4th octet can be anything from 1 through 254.

Or you can pick one number for the 4th octet... and then the 3rd octet can be anything form 1 through 254,

Is that right?

Thanks!

U
Undisclosed #1
Aug 25, 2016
IPVMU Certified

Kenny, if you choose 255.255.254.0, you get 510 valid hosts from 192.168.0.1 to 192.168.1.255, NOT from 192.168.1.1 to 192.168.2.254 as Integrator 2 claimed.

There is no picking the numbers, that's just the way it is.

You might as well use 255.255.0.0, and take the whole 192.168.0.0 if you want to make it easier to remember. Or use a 10.0.0.0 address.

Either way, take the extra time and update the netmask on the devices to the correct one. You or someone else will thank you later.

(1)
UI
Undisclosed Integrator #2
Aug 24, 2016

Security cameras should be on their own VLAN or physical switches to keep security/pc network separated with only the nvr having access to the pc network. With that many cameras, i assume you would have at least 6 48 port switches in a stack so you should have that functionality.

(1)
U
Undisclosed #1
Aug 24, 2016
IPVMU Certified

Yes, I agree. When I said everyone, I meant everyone (all the cameras) on that broadcast domain.

How many cameras have you put on one broadcast domain? 500 seems like a lot of chatter needlessly replicated on all ports. At some point it consumes more than the individual streams.

UI
Undisclosed Integrator #2
Aug 24, 2016

It can be limited by good Layer 2 switches using VLANS that can control broadcast storms. It will be limited by the quality of hardware and current capacity as well as the camera settings. i definitely wouldnt be using consumer grade routers/switches in this scenario.

U
Undisclosed #1
Aug 24, 2016
IPVMU Certified

Ah, so you mean setup multiple VLANs, each with groups of cameras?

That wasn't clear to me in you first response of change the mask.

KJ
Kenny Johnson
Sep 06, 2016

So what IP addresses could we use if used this subnet? 255.255.0.0

Or if we just did this subnet: 255.0.0.0 could we use:

10.0.0.1 - 10.everything :)

UI
Undisclosed Integrator #2
Sep 06, 2016

might be good to sign up for this.

https://ipvm.com/course/ip-networking-for-video-surveillance-winter-2017/overview

This IETF may help you too

http://www.ietf.org/rfc/rfc1878.txt

U
Undisclosed #1
Sep 06, 2016
IPVMU Certified

So what IP addresses could we use if used this subnet? 255.255.0.0

192.168.0.1 to 192.168.255.255

Or if we just did this subnet: 255.0.0.0 could we use:

10.0.0.1 - 10.everything :)

Yes.you.could.

KJ
Kenny Johnson
Sep 06, 2016

I believe this is the answer.

If you use the subnet mask 255.0.0.0 here are the addresses you can use:

10.0.0.1 - 10.255.255.254

The first octet must stay as 10

The second octet can be from 0-255

The third octet can be from 0-255

The fourth octet can be from 1-254

U
Undisclosed #1
Sep 06, 2016
IPVMU Certified

The second octet can be from 1-254

You mean the fourth octect?

U
Undisclosed #1
Sep 06, 2016
IPVMU Certified

FYI, the last .255 of the examples I gave is called the broadcast address, very useful, but not as host addresss.

KJ
Kenny Johnson
Sep 06, 2016

So are you saying that no host can ever use .255 in it's address?

Do you know if the following is correct?

"If you use the subnet mask 255.0.0.0 here are the addresses you can use:

10.0.0.1 - 10.255.255.254

The first octet must stay as 10

The second octet can be from 0-255

The third octet can be from 0-255

The fourth octet can be from 1-254"

U
Undisclosed #1
Sep 07, 2016
IPVMU Certified

So are you saying that no host can ever use .255 in it's address?

No, I'm not saying that.

.255, (in the last octet), cannot be used for a host only when it refers to the last ip address in the subnet, for instance 192.168.1.255/255.255.255.0 is not a valid host ip, nor is 10.255.255.255/255.0.0.0.

However, 10.0.0.255/255.0.0.0 is perfectly valid.

Btw, .0 in the last octect follows the same rule in reverse, it cannot be used for a host address when it is the first ip in the subnet. e.g. 192.168.1.0/255.255.255.0 is no good, but ok is 192.168.1.0/255.255.0.0.

If this isn't perfectly clear to you, you may just want to stick to to a standard subnet scheme, as troubleshooting will really suck if you have doubts about hos its setup.

Avatar
Jon Dillabaugh
Sep 07, 2016
Pro Focus LLC

You have 240 cameras running on a router like that?

:O

(1)
(1)
U
Undisclosed #1
Sep 07, 2016
IPVMU Certified

Soon to be more...

CN
Corey Nelson
Sep 08, 2016
IPVMU Certified

I was thinking the same thing, may be time for an upgrade.

Avatar
Jon Dillabaugh
Sep 08, 2016
Pro Focus LLC

On a serious note, you need some managed switches with at LEAST 1GbE uplink ports, 10GbE is better.

You also need a router firewall that can handle the traffic of 250+ hosts. It should have enough processing power and RAM to handle that many hosts. You should seriously look into VLANS to segregate traffic for security purposes.

Stacking routers isn't the professional, reasonable, or cost effective way to manage a network of that scale.

A professional firewall/router doesn't have to cost a fortune. Sonicwalls and PFSense are reasonable and would have a model to suit this scale of network. You will surely spend more on appropriate switches and DAC cables than your router/firewall.

(1)
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions