
Storing Xiaomi camera video on Samba over a VLAN

Network topology

flowchart TB
    switch_poe_uplink <--> router_eth8
    camera1 <--> switch_poe_eth1
    camera2 <--> switch_poe_eth2
    u6-lr <--> switch_poe_eth3
    pppoe <--> router_eth2
    router_sfp <--> switch_sfp
    external_camera <--> u6-lr
    nas <--> switch_eth7
    container_samba <--> switch_eth7
    subgraph vlan21[vlan_21]
        external_camera
    end
    subgraph nas
        samba
        subgraph vlan21_nas[vlan_21]
            container_samba
        end
    end
    subgraph SG1005PE
        switch_poe_eth1[eth1]
        switch_poe_eth2[eth2]
        switch_poe_eth3[eth3]
        switch_poe_eth4[eth4]
        switch_poe_uplink[uplink]
    end
    subgraph RB5009UPr
        router_sfp[sfp+]
        router_eth1[eth1]
        router_eth2[eth2]
        router_eth3[eth3]
        router_eth4[eth4]
        router_eth5[eth5]
        router_eth6[eth6]
        router_eth7[eth7]
        router_eth8[eth8]
    end
    subgraph SKS1200-8GPY1XF
        switch_sfp[sfp+]
        switch_eth1[eth1]
        switch_eth2[eth2]
        switch_eth3[eth3]
        switch_eth4[eth4]
        switch_eth5[eth5]
        switch_eth6[eth6]
        switch_eth7[eth7]
        switch_eth8[eth8]
    end

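Environment

Main subnet: 192.168.1.0/24
Guest subnet (VLAN ID 21): 192.168.2.0/24

The guest subnet is mainly for IoT devices such as Mi Home and Tmall Genie. One of them is a Xiaomi outdoor wireless camera connected over Wi-Fi. Xiaomi's recent cameras all support automatically copying their video to a NAS. But because the camera sits in the 2.0/24 subnet, it cannot reach the Samba service on the main network. This isolation is intentional. So the plan is to create a Samba instance inside the VLAN subnet dedicated to storing this data.

Here we create an ipvlan network directly with Docker on the NAS.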

docker network create -d ipvlan \
    --subnet=192.168.2.0/24 \
    --gateway=192.168.2.1 \
    -o parent=eth0.21 net_guest

docker-compose.yml

services:
  camera-guest-smb:
    build:
      context: ./build-context
      dockerfile_inline: |
        FROM alpine:3.19
        RUN apk add -U samba

        COPY <<EOF /etc/samba/smb.conf
        [global]
            netbios name = camera-guest
            unix charset = UTF-8
            workgroup = WORKGROUP
            guest account = nobody
            guest ok = yes
            invalid users = root
            load printers = no
            map to guest = Bad User
            passdb backend = smbpasswd
            printable = no
            security = user            
            socket options = TCP_NODELAY IPTOS_LOWDELAY
            logging = syslog@1
            use sendfile = yes
            deadtime = 120            

        [public]
            path = /data            
            public = yes
            writable = yes
        EOF

        ENTRYPOINT /usr/sbin/smbd && /usr/sbin/nmbd -i
    container_name: camera-guest-smb
    networks:
      - net_guest
    volumes:
      - /opt/camera/xiaomi:/data
    restart: unless-stopped

networks:
  net_guest:
    external: true
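
The [public] share above is writable without credentials, so the VLAN boundary is its only access control; Samba's `hosts allow` parameter can add a second check inside the container. The script below is an added example, not part of the original post: it lists the guest-writable shares in an smb.conf and reports whether `hosts allow` names the guest subnet. The function names `audit_smb_conf` and `demo` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Does not follow "include" lines.
# audit_smb_conf FILE SUBNET
#   Prints "<share> open" or "<share> restricted" for every share that is both
#   guest-accessible and writable, depending on whether "hosts allow" names SUBNET.
audit_smb_conf() {
    awk -v want="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    # Share-level value, falling back to the [global] default.
    function get(s, k) { return ((s, k) in val) ? val[s, k] : val["global", k] }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*$/    { next }
    /^[ \t]*\[/   { t = trim($0); sec = tolower(substr(t, 2, index(t, "]") - 2))
                    order[++n] = sec; next }
    {
        i = index($0, "="); if (i == 0) next
        k = tolower(trim(substr($0, 1, i - 1))); v = trim(substr($0, i + 1))
        # Fold Samba synonyms onto one key each.
        if (k == "public") k = "guest ok"
        if (k == "writeable" || k == "write ok") k = "writable"
        if (k == "read only") { k = "writable"; v = yes(v) ? "no" : "yes" }
        if (k == "allow hosts") k = "hosts allow"
        val[sec, k] = v
    }
    END {
        for (j = 1; j <= n; j++) {
            s = order[j]
            if (s == "global" || !yes(get(s, "guest ok")) || !yes(get(s, "writable"))) continue
            # A [global] hosts allow applies to every share, whatever the share says.
            h = (("global", "hosts allow") in val) ? val["global", "hosts allow"] : val[s, "hosts allow"]
            gsub(/[,\t]/, " ", h)
            print s, (index(" " h " ", " " want " ") ? "restricted" : "open")
        }
    }' "$1"
}

# Constructed sample: the share settings from the compose file above, then the
# same file with a hosts allow line appended to [public].
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[global]' 'guest ok = yes' 'map to guest = Bad User' \
        '[public]' 'path = /data' 'public = yes' 'writable = yes' > "$d/page.conf"
    { cat "$d/page.conf"; echo 'hosts allow = 192.168.2.0/24'; } > "$d/fixed.conf"
    audit_smb_conf "$d/page.conf" 192.168.2.0/24    # public open
    audit_smb_conf "$d/fixed.conf" 192.168.2.0/24   # public restricted
    rm -rf "$d"
}
demo
```

The check matches the subnet as a literal token in the `hosts allow` list, so pass it in the same notation the configuration uses.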

RouterOS

/interface vlan add interface=bridge name=vlan-guest vlan-id=21

/interface bridge vlan add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=21

...

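The key part of the RouterOS configuration is the tagged setting. The AP carries the VLAN and is plugged into the PoE switch, whose uplink port connects to the router's ether8 interface, so VLAN 21 has to be recognized on ether8. The NAS is plugged directly into the main switch, whose SFP+ port connects to the main router over a DAC cable, so VLAN 21 also has to be recognized on the sfp-sfpplus1 interface.

Configuring the camera through Mi Home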