Segregating IP Cameras on their own LAN

Our macOS CCTV software SecuritySpy allows you to set up an effective video surveillance system of any size, in both home and commercial settings.

The simplest setup for a LAN (Local Area Network) that includes network cameras is to have a central Ethernet switch with all devices, including the cameras, connected to it. This works well for small networks, but there are some problems with this setup that become especially important on larger networks:

  • IP cameras generate constant traffic, which can slow down the LAN.
  • Having cameras on the main LAN, with Internet access, can be a security risk.
  • Larger PoE (Power-over-Ethernet) switches are expensive, have significant power consumption, and often contain noisy fans.

The solution to these problems is to segregate the IP cameras onto their own LAN. In contrast, this solution has the following advantages:

  • Camera traffic is completely separate and does not impact the normal LAN.
  • Cameras do not have Internet access, removing the risk of them sending sensitive information over the Internet or being hacked.
  • You can use a PoE switch that is no larger than you need it to be. Smaller PoE switches are less expensive, use less power, and are quieter.

Setting this up does require a bit of knowledge of IP addressing, so if you are not familiar with this topic, we would advise you to research how IP addresses work on local networks before proceeding. An example setup is as follows:

Step 1: Connect the Mac to both networks

This requires the Mac to have two Ethernet ports, in order to connect it to both switches. Most Macs have just one Ethernet port built in, apart from the Mac Pro which has two. You can add Ethernet ports via Thunderbolt-to-Ethernet adaptors or USB-C-to-Ethernet adaptors, which are available from Apple. Alternatively, you can use USB-3-to-Ethernet adaptors, which are available from third parties.

Step 2: Configure the subnets

The key to running multiple LANs side by side is that they operate on different subnets. Each device on a LAN has an IP address comprising four numbers separated by full stops; the subnet is typically defined by the first three numbers. For example, if the LAN devices have IP addresses like, etc., then the subnet is 192.168.1.

The router decides which subnet is used for the main LAN. It runs a DHCP service, which hands out IP addresses to devices automatically, to avoid the need to configure them manually. You can determine this subnet by referring to the Network system preference on any Mac that is connected to the main LAN.

The subnet used for the camera LAN can be anything within the private address space that is different from the main LAN. For example, if the main LAN uses the subnet 192.168.1, you can choose the subnet 192.168.2 for the camera LAN.

As the camera LAN does not have a DHCP service running on it, each device on this LAN, including the Mac, needs to be configured manually with a unique static IP address.

Assuming you are using the 192.168.2 subnet for the camera LAN as in the above example, then set up the Mac with the manual IP address, via the Network system preference, and specify a subnet mask of Do not specify a router address.

Step 3: Configure the cameras

Most cameras will obtain an IP address automatically via DHCP by default, in which case the easiest way to set them up would be to first connect them to the main LAN, configure them, then move them to the camera LAN. The steps are as follows:

  • Connect the camera to the main LAN. For power, temporarily use a PoE injector or a separate power supply. Alternatively, temporarily disconnect the PoE switch from the Mac, connect it to the main switch, and connect the camera to the PoE switch, but note that this will temporarily take offline any other cameras already up and running on the camera LAN.
  • Use our Network Device Finder utility to locate the camera; double-click on it to open its web interface.
  • Set the camera to use a manually-assigned static IP address on the camera LAN (e.g. 192.168.2.x where x is unique). Note that as soon as you save this setting, the camera will become inaccessible from the main LAN.
  • Disconnect the camera from the main LAN and connect it to the camera LAN.
  • You do not need to give the camera a router address or DNS address, but if the camera requires these, you can specify a dummy address of or
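
The addressing rules from Steps 2 and 3, written as a check you can run over a planned address list before reconfiguring any camera. This is an added example, not part of SecuritySpy; the /24 prefix length, the device names and the host addresses are constructed for illustration.

```python
import ipaddress

def check_camera_plan(main_lan, camera_lan, devices):
    """Return a list of problems found in a camera-LAN addressing plan.

    main_lan / camera_lan: subnets in CIDR form (a /24 is assumed here, i.e.
    the subnet is defined by the first three numbers of the address).
    devices: name -> static IP for every device on the camera LAN, Mac included.
    """
    main = ipaddress.ip_network(main_lan)
    cam = ipaddress.ip_network(camera_lan)
    problems = []

    if not cam.is_private:
        problems.append(f"{cam} is outside the private address space")
    if cam.overlaps(main):
        problems.append(f"{cam} overlaps the main LAN {main}")

    owner = {}  # address -> first device that claimed it
    for name, text in devices.items():
        ip = ipaddress.ip_address(text)
        if ip not in cam:
            problems.append(f"{name}: {ip} is not on the camera LAN {cam}")
        elif ip in (cam.network_address, cam.broadcast_address):
            problems.append(f"{name}: {ip} is reserved, not a host address")
        if ip in owner:
            problems.append(f"{name}: {ip} is already used by {owner[ip]}")
        else:
            owner[ip] = name
    return problems

# Constructed sample plans (names and host numbers are illustrative).
GOOD_PLAN = {"mac": "192.168.2.1", "cam-front": "192.168.2.10",
             "cam-rear": "192.168.2.11"}
BAD_PLAN = {"mac": "192.168.2.1", "cam-front": "192.168.2.10",
            "cam-rear": "192.168.2.10",      # duplicate static address
            "cam-garage": "192.168.1.50"}    # still numbered for the main LAN

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_camera_plan("192.168.1.0/24", "192.168.2.0/24", plan)
        print(label, "plan:", issues or "no problems")
```

An empty result means every device has a unique host address inside a private camera subnet that does not overlap the main LAN.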

Step 4: Add the cameras to SecuritySpy

Add the cameras to SecuritySpy via the Cameras section of the Preferences window, using the static IP addresses that you configured in the previous step.

Step 5: Set up an NTP time server for the cameras

As the cameras now have no access to the Internet, you may like to set up an NTP server on your Mac to ensure that all cameras maintain the correct time.

Final notes

Once the cameras are on their own LAN, they can only be accessed from the Mac mini (which is on both networks) or from other devices on the camera LAN; they cannot be accessed by devices that are only on the main LAN, or from the Internet. The cameras themselves will not have Internet access.

This does not affect remote access to SecuritySpy from the Internet – this will still work in exactly the same way.

The above network diagram features the Netgear GS116LP and Netgear GS316 Ethernet switches, which are reliable and cost effective, and a Mac mini, which is an ideal machine to run our Mac CCTV software SecuritySpy.

2 thoughts on “Segregating IP Cameras on their own LAN”

  1. Jeff Alves

    If I were to separate my cameras to their own sub-net following these instructions will I still be able to access them through HomeKit?

    Right now I have SS and my home automation software, Indigo, running on the same server with everything on the same sub-net. I use two Indigo plug-ins to allow me to see my cameras on the Apple Home App. These plugins are Cynical Security Spy and HomeKitBridge. Since all this runs on the same machine I would think that I’d still be able to see the cameras using the Home App, but wanted to confirm that assumption.

    1. Ben Software Post author

      It sounds like all communication is relayed via the Mac, so in this case I think it should work fine. If your setup relies on a device on one network communicating with a device on the other network, this is when things won’t work; the Mac is the only device that is attached to both networks and therefore the only device that can communicate with devices attached to both networks.

