We keep adding little sites that need surveillance cameras. Internet connections, firewalls, switches, etc., get expensive, and it's easy to go overboard. We planned to use Axis Cameras and Axis Camera Station software on a Windows 10 Pro PC.
To minimize costs and eliminate excess on-site hardware, I started trying to figure out a way to just have the W10 PC, a cellular connection, and a PoE Switch. I wanted to avoid a hardware firewall, and didn't like the idea of just having a VPN client on the PC (I'd still need a way to manage network connectivity for cameras and any other devices should the network grow).
Having experimented with pfSense, I knew you couldn't just plug a USB Cellular modem into a pfSense firewall and have it work. However, I also have used enough USB Cellular modems to know that when you plug one into a Windows 10 PC, the PC detects it as an Ethernet port. Having Hyper-V experience, I knew you could assign an Ethernet port to a virtual switch. Hmmm, an idea was brewing...
Here's what I did:
Windows 10 Pro PC with the Hyper-V role installed.
Connect a USB Modem
Set up a DDNS Service and install the corresponding updater software on the PC.
Set up TWO virtual switches: SW1 connects to the built-in Ethernet port (hereafter Eth1), and SW2 connects to the Ethernet 2 port (Eth2) that Windows 10 assigned to the Cellular Modem.
Spin up a virtual machine and install pfSense. Assign it two NICs, one on SW1 to be the LAN interface, and the other on SW2 to be the WAN interface. Eureka! pfSense is now happily using a USB Cellular Modem as its WAN connection!
Set up a Site to Site VPN from the pfSense VM to our HQ Firewall. On the HQ end, point the connection to the DDNS name of the micro site.
Configure DHCP on the pfSense LAN and set it to point DNS to public DNS (to eliminate devices on this LAN from needing CALs).
Manually configure the IP on the virtual NIC "vEthernet (SW1)" as I want its IP to stay the same, and I want to point its DNS to our internal DNS servers at HQ since it is domain joined.
Plug Eth1 into a PoE switch. The PC sees its Ethernet port plugged in and detects it's on a domain network since the tunnel is already up to HQ.
To ensure the PC always routes any outbound traffic through the pfSense firewall rather than its direct connection to the cellular modem, I disabled the "vEthernet (SW2)" that Hyper-V passed back to the host PC, leaving the PC only able to use "vEthernet (SW1)", which is the LAN interface.
Now plug two cameras into the PoE switch. They pick up IPs from the pfSense LAN, and the Axis Camera Station software on the PC detects the cameras.
While we will likely outgrow the Cellular Connection at some point, for now we will only be using the connection to check in on the cameras--all the recording happens locally on the Windows 10 PC.
In testing, I sent 72000 ping requests to this PC from my office PC, with just 87 lost packets. 115ms average round trip time. Slow, but it's a pretty stable connection.
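The whole design depends on the host never reaching the modem except through the pfSense VM, and a disabled adapter can be switched back on by a driver reinstall or an admin. The script below is an added example, not part of the original write-up, that audits that isolation on the host. SW1, SW2 and the vEthernet names come from the steps above; the VM name `pfSense` is an assumption.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example: confirm the host's only network path is the pfSense LAN side.
# SW1/SW2 and the vEthernet names come from the post; the VM name is an assumption.
$lanNic = 'vEthernet (SW1)'; $wanNic = 'vEthernet (SW2)'; $wanSwitch = 'SW2'
$vmName = 'pfSense'   # hypothetical VM name, change to match yours
$findings = @()

# 1. Host vNIC on the WAN switch must be disabled (or not exist at all).
$wan = Get-NetAdapter -Name $wanNic -ErrorAction SilentlyContinue
if ($wan -and $wan.Status -ne 'Disabled') {
    $findings += "$wanNic is '$($wan.Status)': host has a direct path to the modem."
}

# 2. Every default route on the host must leave through the LAN vNIC.
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue
foreach ($r in $routes | Where-Object InterfaceAlias -ne $lanNic) {
    $findings += "Default route via $($r.InterfaceAlias) (next hop $($r.NextHop)) bypasses pfSense."
}

# 3. The physical modem adapter must not have TCP/IP bound; the vSwitch should own it.
$sw = Get-VMSwitch -Name $wanSwitch
$modem = Get-NetAdapter | Where-Object InterfaceDescription -eq $sw.NetAdapterInterfaceDescription
if (-not $modem) {
    $findings += "No adapter found behind $wanSwitch (modem unplugged or re-enumerated?)."
} else {
    $bound = Get-NetAdapterBinding -Name $modem.Name -ComponentID ms_tcpip, ms_tcpip6 |
        Where-Object Enabled
    foreach ($b in $bound) {
        $findings += "$($b.ComponentID) is bound directly to modem adapter '$($modem.Name)'."
    }
}

# 4. The firewall VM must have exactly one NIC on each switch (LAN on SW1, WAN on SW2).
$vmSwitches = @((Get-VMNetworkAdapter -VMName $vmName).SwitchName | Sort-Object)
if (($vmSwitches -join ',') -ne 'SW1,SW2') {
    $findings += "$vmName NICs are on '$($vmSwitches -join ',')', expected 'SW1,SW2'."
}

# Note: while the switch still shares the adapter with the host, isolation depends on
# the vNIC staying disabled. Set-VMSwitch -AllowManagementOS $false removes it instead.
if ($sw.AllowManagementOS) {
    Write-Host "Note: $wanSwitch still exposes a host vNIC (AllowManagementOS = True)."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'OK: host traffic can only leave through the pfSense LAN interface.'
```

Run it from an elevated prompt after setup, and again from a scheduled task, so a re-enabled "vEthernet (SW2)" or a modem that re-enumerates under a new adapter name is caught.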