Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sagvan
New Contributor III

Need Help - Configuring Policy for Camera Access from LAN and Wi-Fi (Conflicting Subnet Masks)

Hi everyone,

I'm seeking guidance on setting up a policy for accessing our network cameras from both LAN and Wi-Fi clients on our Fortigate firewall. We're facing a bit of a challenge due to some potential misconfiguration with our NVRs and camera subnet masks.

Our Setup:

  • Multiple NVRs with interfaces:
    • Facing Firewall: 192.168.91.41 (different subnet than NVR cameras)
    • Facing Cameras: 10.10.10.5 (Class A address, but cameras likely misconfigured)
  • Cameras and switches: 10.10.10.10 - 255.255.0.0 (Class A subnet)
  • Local LANs: 192.168.88.2 - 192.168.127.254 (Class C subnet)
  • Wi-Fi SSIDs: 172.16.x.x (Class B subnet)

Problem:

The camera subnet mask (255.255.0.0) doesn't seem to match the Class A network address (10.10.10.x). This mismatch likely stems from a misconfiguration during deployment. We need to establish a policy allowing camera access from both LAN and Wi-Fi clients while potentially addressing the subnet mask discrepancy.

Questions:

  1. Policy Configuration: Can someone guide us on configuring a Fortigate policy to enable camera access from both LAN and Wi-Fi clients, considering the subnet mismatch?
  2. Subnet Mask Correction: Should we adjust the camera subnet mask to match the Class A network address or is there another solution?
  3. Best Practices: What are the best practices for securing camera access in this scenario?

Additional Issue:

  • I'm encountering an error when attempting to create an address object for 10.10.10.5 on the Fortigate. It states, "Bits of the IP address will be truncated by the subnet mask." This might be related to the subnet mask discrepancy mentioned above.

 

We appreciate any insights and assistance you can offer. Thank you in advance for your time and expertise!

Sincerely,

Sagvan Saleem
Sagvan Saleem
6 REPLIES 6
AEK
Honored Contributor II

Hi Sagvan

I don't have experience with cameras, but I'll try give some advice in general aspects.

  • Regarding policy configuration and best practice, it depends on the services and applications that need access. I guess reading vendor's documentation should help
  • Regarding camera subnet, if you don't plan to have more than 250 devices in that subnet then I think you should correct it on all cameras with a shorter mask. Technically it can work with /16 but it is not good design for more than a reason

In case there is a router between firewall and cameras, you need to add a static route on FG in order to reach the cameras, if needed.

 

Additional issue:

The error message means you may did a mistake in subnet mask.

  • When you create a host IP do it like this:  h-nvrc  10.10.10.5/32
  • When you create a subnet IP do it like that:  n-nvrc  10.10.10.0/24 (or other mask)
AEK
AEK
sagvan
New Contributor III

@AEK 

So will the following changes solve problem:

NVRs

       - Interfaces facing cameras (acting as default gateway): 10.0.0.1, 10.0.0.2, and 10.0.0.3

       - Subnet mask: 255.0.0.0 (/8)

&

       - Interfaces facing Fortigate: 192.168.91.41, 192.168.91.42, 192.168.91.43

       - Subnet mask: 255.255.192.0 (/18)


Cameras:

       - Individual addresses: 10.0.0.2, 10.0.0.3, 10.0.0.4, etc.

       - Default gateway: 10.0.0.1, 10.0.0.2, or 10.0.0.3 (based on NVR)

       - Subnet mask: 255.0.0.0

Sagvan Saleem
Sagvan Saleem
AEK
Honored Contributor II

Hi Sagvan

/8 and /18 are too big and you will consume all your 10.x in just one subnet.

To make a good subnetting you need to ask the question how many cameras do you have? and how many do you plan to have in the future?

If it is less than 250 cameras then just use /24 mask or even a shorter mask (/26 or /28)

On the other hand, if you have 3 NVRs that are also routers for the cameras then you can't make a single subnet for the three, you need to have three subnets, e.g.: 10.10.10.0/24, 10.10.11.0/24 and 10.10.12.0/24.

 

So to summarize and to make it simple, you can do subnetting as follows:

  • Subnet camera 1: 10.10.10.0/24
  • Subnet camera 2: 10.10.11.0/24
  • Subnet camera 3: 10.10.12.0/24
  • Subnet NVR: 192.168.91.0/24

Then you also add the following static routes to FG:

  • 10.10.10.0/24 -> GW: NVR1-IP
  • 10.10.11.0/24 -> GW: NVR2-IP
  • 10.10.12.0/24 -> GW: NVR3-IP
AEK
AEK
sagvan
New Contributor III

Thank you for your reply again, @AEK 

We will try it and see.

If I need more guidance, I will ask further.

 

I appreciate it.

Sagvan Saleem
Sagvan Saleem
amrit
Staff
Staff

You can reference this KB article for the error "Bits of the IP address will be truncated "  https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bits-of-the-IP-address-will-be-truncated-b...

Amritpal Singh
sagvan
New Contributor III

Thank you, @amrit 

I appreciate it.

Sagvan Saleem
Sagvan Saleem
Labels
Top Kudoed Authors