
How to easily separate Security Camera system on LAN to its own network for security.

mimi8118 asked:
We have a small business that uses Comcast as our ISP. They supplied us with a Netgear CG3000DCR modem. We currently have a static IP address to allow us to remotely view our security camera DVR via port forwarding. We process credit cards through the same system and have ports open to do so, and now we are failing our security scan by our credit card security people (SecureScan). What would be the easiest way to segment our security camera system off of the main LAN but still use the gateway for remote viewing access? Can I just add an additional router to an open LAN port on the modem, change the internal IP to another network and place the DVR on that network? How will that affect port forwarding to the new network?

This article may help. I was thinking of doing the same at one site but never got round to it; in the end, it was more secure to have a second broadband line installed for the transactions.
http://portforward.com/help/doublerouterportforwarding.htm
Owner commented:
Does your router support Port Translation?

It allows you to set an uncommon external port to connect to a device via its preferred port. We have Head Office clerical staff maintaining the address books in Digital Multifunction printers (MFDs) at other sites.

E.g. I set up port 32333 as the incoming port, which gets translated to port 80 and forwarded to our Digital Multifunction printer to allow admin staff to maintain the address book.

They connect to Http://1.1.1.1:32333; the router converts it to port 80 and routes it to the MFD on 192.168.1.111.

Of course, this will only work if the software you use to remotely access the stream allows you to specify a port other than the standard one.

Using this method helps us get approval for this config to remain.
Commented:
You can indeed add another router; forwarding will still work.
Example, current situation:

port forward
80 >  public IP > router 1 LAN > 192.168.1.2
81 >  public IP > router 1 LAN > 192.168.1.3

You can reach both security cam 1 and cam 2 through public IP:80 and :81, where camera 1 is IP 192.168.1.2 and cam 2 is IP x.3.
NAT rules in router 1 are port 80 to 192.168.1.2 and port 81 to 192.168.1.3.

New situation:

80 >  public IP > router 1 LAN > router 2 192.168.1.250 > 192.168.2.2
81 >  public IP > router 1 LAN > router 2 192.168.1.250 > 192.168.2.3

NAT rules in router 1 are port 80 to 192.168.1.250 and port 81 ALSO to 192.168.1.250 (with router 2's WAN having this IP).
NAT rules on router 2 are port 80 to IP 192.168.2.2 for cam 1 and port 81 to IP 192.168.2.3 for cam 2.

Another method is to have a new modem/router that has VLAN options.
VLAN1 is the current network; VLAN2 has its own DHCP server and IP range (easiest in Wi-Fi situations, because an SSID links to this VLAN).
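As an added illustration, not code from any of the answers above, this Python model follows a public port through the two DNAT tables of the double-router answer (and the port-translation idea of the earlier one) and then checks an outbound rule on router 2. The rule check is there because a second router on its own only hides the camera segment from router 1's LAN; it does not stop a host on the camera segment from opening connections into the card-processing LAN unless router 2 is told to drop them. Assumed values: the public IP 203.0.113.10, the 8443 to 443 rule and the host 192.168.1.20 are constructed; 192.168.1.250, 192.168.2.2/3 and ports 80/81 come from the answer.

```python
import ipaddress

# Constructed model of the two routers from the answer above. The public IP and the
# 8443 -> 443 rule (port translation to a host on router 1's LAN) are assumed values.
ROUTER1 = {"wan": ipaddress.ip_address("203.0.113.10"),        # placeholder public IP
           "lan": ipaddress.ip_network("192.168.1.0/24"),
           "dnat": {80: (ipaddress.ip_address("192.168.1.250"), 80),
                    81: (ipaddress.ip_address("192.168.1.250"), 81),
                    8443: (ipaddress.ip_address("192.168.1.20"), 443)}}
ROUTER2 = {"wan": ipaddress.ip_address("192.168.1.250"),       # router 2's WAN on LAN 1
           "lan": ipaddress.ip_network("192.168.2.0/24"),
           "dnat": {80: (ipaddress.ip_address("192.168.2.2"), 80),   # cam 1
                    81: (ipaddress.ip_address("192.168.2.3"), 81)}}  # cam 2
ROUTERS = [ROUTER1, ROUTER2]


def resolve(public_port):
    """Follow a connection to <public IP>:public_port through every DNAT hop.

    Returns (host, port) of the device finally reached, or None if some hop has no
    rule for the port. Works for any chain length, not just the two routers here.
    """
    by_wan = {r["wan"]: r for r in ROUTERS}
    host, port = ROUTER1["wan"], public_port
    while host in by_wan:                  # the target is another router's WAN side
        hit = by_wan[host]["dnat"].get(port)
        if hit is None:
            return None
        host, port = hit                   # the next hop sees the translated port
    return str(host), port


# Outbound policy for router 2: first match wins, default allow. Without the drop rule
# the camera segment can still open connections into the card-processing LAN, because
# router 2 simply routes them upstream; this rule is what makes the split useful.
ROUTER2_OUT_RULES = [(ROUTER2["lan"], ROUTER1["lan"], "drop")]


def outbound_allowed(src, dst, rules=ROUTER2_OUT_RULES):
    """True if router 2 lets a host on its LAN (src) open a connection to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return True


if __name__ == "__main__":
    for p in (80, 81, 8443, 22):
        print(f"public:{p} -> {resolve(p)}")
    print("cam -> POS LAN allowed:", outbound_allowed("192.168.2.2", "192.168.1.20"))
```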