Help with 2nd LAN Port Configuration

Currently reading
Help with 2nd LAN Port Configuration

83
31
NAS
220+
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
SETUP...
  • Router: ASUS RT-AX88U Pro Firmware version 3.0.0.6.102_32843 (supports VLANs)
  • NAS: DS220+ (2 LAN ports) running version DSM 7.2.1-69057 Update 3 (current version)
  • Synology Surveillance Station version 9.1.3-10869 (current version)

USE CASE..
  • I am intending to connect a Netgear GS308E 8-port managed switch to NAS LAN port #2
  • All my Surveillance Station cameras will be connected to this Netgear GS308E switch.
  • The Netgear GS308E switch will be set as DHCP without VLAN configuration (like a dumb switch).
  • No port on the Netgear GS308E switch will be connected to my router
  • NAS LAN port #1 is connected to my router
This is a screen shot of the LAN-2 Edit screen along with informational warning message.

Screenshot 2023-12-02 102011.png


After researching LAN-2 applications, most seem to be about load balancing and port fail over or link aggregation. None seem to address my use case.

Since the warning messages are pretty ominous, I am reaching out to the community for some guidance.

Q1: It looks like the “Enable VLAN (802.Q)” options give Synology LAN ports some L2 functions. Do I need to activate this option if my camera clients don’t have a VLAN tagging option?

Q2: If I want all camera clients connected to my Netgear GS308E switch to be on a separate subnet (eg. 192.168.60.XX), with NO internet access, how would I configure the LAN-2 Edit screen?
  • Would I choose the “Get network configuration automatically (DHCP)” field.
  • Or should I choose the “Use manual configuration” option and set an IP of 192.168.60.XX
    • With Subnet Mask set to 255.255.255.0 (for 253 clients)
    • With NO GATEWAY
    • With NO DNS Server
Q3: Will I need to create additional “Allow” rules in my firewall to allow the NAS Surveillance Station to connect to cameras on my Netgear GS308E with a different subnet (192.168.60.XX)?

Thank you in advance for your kind assistance and guidance.

UPDATE (no love yet): Tests without DSM VLAN (802.Q) and L1 "dumb" switch config...
Plugged Netgear switch. into LAN port #2 Synology reports connection at 169.254.9.12​
Plug in client on switch on port #7​
No Connection​
Change DS220+ LAN port #2 to static​
Static IP: 192.168.70.10​
Subnet Mask: 255.255.255.0​
NAS reports these edits on LAN port #2 configuration screen​
Plug in client on switch on port #7​
No Connection​
Reboot Client. No change​
Reboot DS220+ NAS​
LAN port #2 configuration screen reports​
Static IP: 192.168.70.10​
Subnet Mask: 255.255.255.0​
Gateway: 192.168.[Gateway subnet].[Gateway IP]​
DNS: 192.168.[Gateway subnet].[Gateway IP]​
Rebooting NAS filled in the Gateway and DNS fields.​
Was able to apply​
Static IP: 192.168.70.10​
Subnet Mask: 255.255.255.0​
NO Gateway​
No DNS​
Plug in client on switch on port #7​
No Connection - No blinking lights on switch.​
Add FireWall Allow rule​
Ports: All​
Specific IP/range: 192.168.60.1/192.168.60.254​
Action: Allow​
Place Allow FireWall rule above last "Deny" rule​
Check LAN-2 port edit screen. No change. Gateway and DNS still empty.​
Plug in client on switch on port #7​
No Connection to any network - No blinking lights on switch.​
Add Gateway 192.168.60.1 to LAN port #2 Edit screen and OKay​
DSM took the value of 192.168.60.1 as a gateway.​
Plug in client on switch on port #7​
No Connection to any network - No blinking lights on switch.​
Reboot DS220+ NAS​
LAN port #2 configuration screen reports (same as last input)​
Static IP: 192.168.70.10​
Subnet Mask: 255.255.255.0​
Gateway: 192.168.[Gateway subnet].[Gateway IP]​
DNS: BLANK​
Plug in client on switch on port #7​
No Connection to any network - No blinking lights on switch.​
Reboot client​
No Connection to any network - No blinking lights on switch.​
 
To answer some of your questions:

1) You don't need to enable the 802.Q vlan options for lan port #2 since you're not planning on using VLAN's.

2) You're going to need to use a static IP. You don't have a DHCP server out lan port #2. So configuring the port with the 192.168.70.10 IP address and 255.255.255.0 subnet is appropriate.

3) I can't speak to the firewall question. I wouldn't think you'd need to modify that but I don't use surveillance station so I'll plead ignorance on that one ;).

The connection from lan port #2 on the NAS to port #7 on the switch has nothing to do with the configuration of the IP settings for lan port #2. You should get blinking lights regardless so this suggests something with the physical connection between the two devices. Try another port on the switch to verify whether the port has an issue. Try another cable as well. You might try a port on your other switch just as a quick test to see if you get lights when plugging in there. Your ASUS router is also a switch so you can simply plug in to that momentarily to see if you get a light..

From what you've said I assume your Netgear switch is configured as it came out of the box. Have you logged in to it to check it's configuration at all? To make sure it doesn't have any VLAN's configured other than the way it came from the factory? Also to make sure the ports aren't set to down somehow within the switch? I looked briefly at the manual for this switch and didn't see it, but some switches (Cisco for one) allow you to "administratively down" a port so it's basically a dead port until it's brought up again.
 
Last edited:
Tks @strikes2k . Your comments are most encouraging and informative. A few comments in reply to your post.
You should get blinking lights regardless so this suggests something with the physical connection between the two devices.
When making the initial connection to port #7 on my switch, there is some LED light blinking. But after about 20-30 seconds, the LEDs stop blinking and go steady on. So, it appears that the physical connection is there, but there is no data transfer. And my client reports "No Connection".

From what you've said I assume your Netgear switch is configured as it came out of the box. Have you logged in to it to check it's configuration at all? To make sure it doesn't have any VLAN's configured other than the way it came from the factory?

I have connected the switch to my router LAN port #1 and configured the router to be VLAN ID 70. It works even when the switch is in "dumb" mode (no declared switch VLAN and set as DHCP). So I know the switch works. And yes, I have logged into the switch to be sure there is no VLAN settings and set to DHCP,

I do have another, almost identical, Netgear managed switch in production. That switch is configured with "Advanced" 802.Q settings (multiple VLANs). It works in spite of my novice level understanding of "Trunks".

For this new switch, I only need one subnet for isolation purposes. In the end, only clients connecting to Surveillance Station will be on this switch.

Based on your comments to Q1 & Q2, I am of the understanding that my DS220+ is NOT acting as a DHCP server. I had read some other posts that suggested otherwise although they were more than 5 years old. If my understanding is correct, then there would be no way for my DHCP client connected to switch port #7 to connect. As you have said, I would need to assign a static IP to this client. Then both the LAN port-2 and my client would be on the same broadcast subnet. But this in-and-of-itself may not be enough.

Synology's Surveillance Station requires that each camera be connected by IP address. That is part of the initial camera configuration step. The second step is to authenticate each camera with its user name and password. I don't understand how devices on the same subnet can identify and communicate with each other without a router assigned IP . Perhaps it can be done. But I don't understand how.

Again, based on your helpful post, I am less fearful to try some NAS LAN-2 802.Q configurations. The warning message on the LAN-2 Edit screen was a bit intimidating. I'm may also need to set up a basic 802.Q configurations on the switch for this topology to work.

And if all this fails, I will fall back to connecting my switch to my router with VLAN settings.

Again, thank you for your post. You have helped set me on a more productive testing path. Your continued insights are most welcomed.
 
So, your client is your camera? Did you assign a static IP address to that? If not, you need to. Each device has to have an IP address, so both your Synology port #2 and the client have to have different IP addresses on the same subnet to communicate. That IP address can either be statically configured as you did for the Synology lan port #2 or it can be assigned by a DHCP server. DSM does not have a built in DHCP server. There is an add on package for one if you ever wanted your NAS to act as a DHCP server but it won't by default. Given the small network you're trying to configure for surveillance station I wouldn't worry about that but would just assign different IP addresses for each device on that Netgear switch.
 
From the sound of it, the objective is to create an isolated private LAN. The NAS (LAN 2) and cameras on this private LAN will use the GS308E switch, which will be in a basic configuration (no VLAN etc). The NAS (LAN 1) would also be connected to the other LAN.

You said this:
  • The Netgear GS308E switch will be set as DHCP without VLAN configuration (like a dumb switch).
So does the switch run a DHCP service? I don't think it does when reading the user manual.

It may be easier to install and run DSM's DHCP Server: you can select which interfaces to run DHCP services, so for you that would be just on LAN 2. Then configure it with a unique private IP subnet etc. and then it should start assigning IP and network configurations to the private LAN devices... they may need to be restarted, depends how often they look for a DHCP service. Once the devices are assigned IP addresses you can reserve the IPs in DHCP Server, so now each camera will have a fixed address. If you don't want to run DHCP Server then you'll have to manually connect to each camera and assign network configurations.

Since this is an isolated LAN then you don't need an VLAN settings on the NAS (or other device) interfaces. As for default gateway, this is the subnet's router for accessing devices on other networks, so leave it blank and see if things still work.
 
@strikes2k and @fredbert. Thank you both for your replies and tolerance with my network naivety. Both have good comments and have helped me understand.

So does the switch run a DHCP service? I don't think it does when reading the user manual.
https://www.downloads.netgear.com/files/GDC/GS105EV2/WebManagedSwitches_UM_EN.pdf
I think you are right. The switch does not have DHCP services. I do believe it can pass DHCP services from a gateway (router). Now, I understand why by test client, which was set up to receive a DHCP client, was not able to communicate.

So, your client is your camera? Did you assign a static IP address to that? If not, you need to. Each device has to have an IP address, so both your Synology port #2 and the client have to have different IP addresses on the same subnet to communicate.
YES. I believe your comment gets to the heart of the matter.

_______________

Based on my experiments and both your comments, I think I understand how a simple network can work with Synology Surveillance Station. Please check my understanding and comment.
  • NAS LAN-2 is a network client that can accept a DHCP IP from a gateway (eg. router) or configured with a static IP. It is not a DHCP server. But, it can be configured to broadcast L2 VLAN tagging, which would be handy in a VLAN setup.
  • A dumb (L1) switch may be connected to NAS LAN-2.
  • All devices connected to the dumb switch are clients that can accept a DHCP IP from a gateway or configured with a static IP.
  • When all of the clients (devices connected to the switch and NAS LAN-2) are configured with static IPs on the same subnet, each client can "hear" the other clients.
  • In this simple network, there is no DHCP server, gateway, or VLAN.
Surveillance Station (SS) is an application server that is able to listen to client broadcast communications. When SS is connected to NAS LAN-2, it can hear all the other clients (cameras) on the same subnet. And, because SS has application server characteristics, it can manage communications between clients without the aid of a L3 router or VLAN or DHCP server.

How did I do?

If I have the above right, then I know why my tests failed and what to do next.

I have some camera clients I can use for testing purposes and will try some experiments next week. I now think the 'trick' is to configure my Firewall to "allow" communications between my "simple network" subnet and Surveillance Station.

Again, big thanks to @strikes2k and @fredbert for helping me think this through.
 
Regarding VLAN IDs and tagging: nothing ‘broadcasts’ this. The tags are added to packets to identify which VLAN the network and client devices handle them as. When clients don’t add tags, the vast majority of times, then a switch handles the packet as whatever it has be configured to do (add tag for a specific VLAN, or assume VLAN ID 0). There’s more to this so you can read up about it. But for a simple network just forget about VLAN IDs.

Just an FYI: a router/gateway doesn’t have to have a DHCP service capability. However, domestic/consumer routers have them, and other features too, to make it simpler for users to setup their networks.

But you are right in that with all devices manually configured for the same, unique subnet then you don’t need a DHCP service, gateway IP, DNS IP, domain.

I don’t know how Surveillance Station adds cameras but it might be by using the camera IP address. So you would have to know what these are.
 
Hey @fredbert and @strikes2k. It worked.

I created a test-bed with a test camera and Netgear GS308E. Each was set to a 192.168.60.xx subnet static IP. Then, I hooked up the switch to NAS LAN-2 and plugged the test camera into one of the switch ports.

The last part of the puzzle was to open the NAS Firewall to the 192.168.60.xx subnet.

After launching Surveillance Station from DSM, I was able to manually "Add" the test camera static IP address and authenticate with the camera's user and pwd. Within a few seconds, the camera came on.

This test-bed configuration is a proof-of-concept that IP cameras CAN be connected to NAS LAN port-2 while being completely isolated from the rest of my network.

There is still more work to be done. I still need to verify that Surveillance Station will push notifications to DS CAM mobile phone app. And I need to establish a temporary method of gaining access to cameras from the router gateway subnet for camera Firmware updates.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
Thank you all for your help I am now able to use the 5tb drive. I reformatted the drive using exfat and...
Replies
13
Views
1,251
For failure rate, the backblaze article on the topic is interesting...
Replies
6
Views
674
  • Question
Well that is a relief thank you Rusty, I've submitted a support ticket with Synology. Like you say, I...
Replies
2
Views
795
Glad you got your answers, I was going to suggest the same thing, replace 1 drive at a time, rebuild pool...
Replies
6
Views
1,068
I added Crucial CT8G4SFS8266 (1 x 8GB, DDR4-2666, SO-DIMM 260 to my DS920+ and works without any problems...
Replies
3
Views
4,127
As others have mentioned, definitely need some more information. One thing that doesn't sit right with me...
Replies
4
Views
3,291

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top