Isolated LAN for Cameras and Security Spy
  • I finally got around to moving all my 16 cameras and SecuritySpy Mac to their own, isolated LAN (local area network). The cameras are only allowed NTP and DNS access, no DHCP, nothing inbound or outbound from the WAN. The SecuritySpy Mac was allowed special access to the outside world and can be accessed via the Security Spy server port. The SS Mac is also accessible from my main LAN.

    Took three days programming a Ubiquiti EdgeRouter X (under $60). It is not a project for the faint of heart, but worthwhile to gain more granular control of my devices. Now I have a main LAN that can see everything, 2 restricted LANs, 1 super restricted camera LAN, and an isolated Guest VLAN. Each could be set up with firewall rules to enact isolation and desired access. I specify which LANs get WAN access and forward only the desired ports. Special access for the SS Mac was easy to create.

    With this setup, a fair amount of unidentified camera traffic with the outside world is blocked. I can see the firewall blocking camera attempts to reach the outside world every few seconds. No more leaks. The cameras also can't touch any of my other LANs, call home, nor participate in a botnet.

    Nice to finally get this done.
  • Thanks for taking the time to post this, it sounds like a great setup that will minimise security risks. As you have discovered, many cameras will make frequent Internet connections for various things - most are benign (NTP etc.) but you can never be sure, and there have been cases of cameras being hacked for botnets.

    My advice to other users who don't want to invest in such a complicated setup is to use strong passwords for your cameras and turn off their UPnP options so that they can't accept incoming connections from the Internet.
  • 60,000 outbound packets blocked in 24 hours from my cameras. None of them have ever been exposed directly to the internet nor had UPnP enabled. I doubt they have been hacked, but their firmwares include calls that are not controllable from the user interface.

    All network services are turned off in their setups except those needed to stream video and synchronize clocks.

    Despite those precautions, some are still trying to access things on the internet.
    The packet payloads are small. Not like they are sending video streams.
    I'm really happy to be blocking all those communication attempts.

    My eventual router setup implemented:

    eth0 - WAN 0 - connects to cable modem with DHCP
    eth1 - 192.168.1.1/24 - LAN1 Main, full access to the internet. Hands out DHCP leases. CAN reach all other LANs
    eth2 - 192.168.2.1/24 - LAN2 Security Spy - no access to internet. No DHCP. Allows NTP and DNS. Cannot reach other LANs
    eth3 - 192.168.3.1/24 - LAN3 - full access to internet. Hands out DHCP leases. Cannot reach other LANs
    eth4 - 192.168.4.1/24 - LAN4 - full access to internet. Hands out DHCP leases. Cannot reach other LANs

    eth1.1003 - 10.10.10.1/24 - Guest WiFi VLAN, Apple Guest WiFi with internet access. Cannot reach other LANs

    Took about 15 rules to implement proper isolation and desired, special accesses.

    Security Spy Macintosh and cameras live on the 192.168.2.0/24 subnet and are physically connected via PoE switches to LAN2 (eth2).
    All their addresses, netmasks and router addresses are set manually.
    Router has total control over LAN2 reaching the rest of the world.
    Potential malware on cameras cannot reach the internet to get commands nor call home.
    Even plugging into the LAN2 network via ethernet cable will NOT get a DHCP address, internet access, nor reach other LANs.

    Guest WiFi cannot see rest of network.

    Security Spy server Macintosh granted special permission to access the internet despite being on LAN2. This allows browsing from SS Mac, but no other LAN2 machines can browse or reach the internet.

    Exception made for NTP access to keep camera clocks in sync.

    Port forwarding from WAN into SS Macintosh (with hairpin NAT) allows SS server access from WAN and LAN1.

    Took me three days doing it from scratch. If someone wants to do similar to protect their SS setup, post here to let me know.

    I could put together a generic config file that could be uploaded to get most of the configuration done quickly. One would only need to edit a few things in the EdgeMax GUI and turn on hardware acceleration via the CLI.

    Because such a config file will take a few hours' work, I will create one only if someone is actually going to use an Edgerouter X with their SS setup.
  • Thanks a lot! Very useful advice. This is useful information.
  • guykuo, Ben and joebell.
    Cameras are compliant with all National Security Laws, that means they phone home whether you approve of it or not. If it's imported and sold as retail in your country, it 'phones home' under several methods, hint: check your DNS activity in Console and your local WiFi sniffer software, even if you have all the WiFi in your cameras and routers off.
    The newer OSX Systems are also fully compliant, ie. you can't turn off IPV6, and the functions of the 'Firewall' rules in the Security System Preferences will not allow them to be completely blocked.
    That being said... there are some things you can do to get better service levels from your network and reduce the factors that cause concern.
    On little units like the Edgerouter, their log traffic tells you they are busy, but not with what.
    Culprits include running poor or mediocre Cat5e cabling for PoE support over more than 60 meters per subnet, high powered external towers and EM devices you can't control, running the high FPS channels to multiple receiving devices, etc. Even recompression in SecuritySpy for added controls like Masking and TimeStamp causes additional 2-way traffic.
    Narrowing down physical causes can reduce some of the packet throughput which can look like unauthorized traffic. Download the X11 package and Wireshark, and teach yourself the basics of 'packet sniffing' from their excellent online tutorials.
    If it's out of your league for a setup like guykuo has done, you can hire specialists online who can do this from outside, but you control the ball. Teamviewer gets the basics done, but at all times have the outsiders work with generic passwords which you change for a strong one later...(hint, NEVER type an admin password live while in Teamviewer, the authorities monitor this traffic also).
    If you do have real suspicions about outside hitters, or curious teenagers inside your local ISP, contact them to have a firmware change on your router, or to cycle the IP address from their DHCP table, or to flush your DNS cache, all legally allowed and most ISPs are happy to comply as they don't want to answer to authorities for unauthorized packets on their network.
    The manufacturing of most basic IP cameras points to only 3 or 4 trusted board makers and their respective firmware. That means scriptkiddies and the real troublemakers know their weak points. But having VERY strong passwords (ie. 40+ hexadecimal on a USB stick in a note file) slows down their bots' attempts to guess correctly.

    So, lastly, Ben, as a long time user (more than 8 years) I would like a feature added to SecuritySpy. A logging tracker that watches the ports that goes further than the logging that occurs now. Wireshark can be used as an alternative, but we require some script writing from your end to set proper filters on what is moving.

    Many thanks for your dedication to this platform.


  • Looking at my Edgerouter stats for the last 3 months there is little doubt in my mind that isolating the cameras from "calling home" is a good thing.

    My rule restricting the camera/Security Spy subnet blocked, in that period...
    88,042,381 packets headed to the outside world.
  • I would very much like to see your ER setup since I think I have blocked my Sunba and Wyze cameras from phoning home but would very much like to see your setup.
    Thanks,
    Martin
  • Finally got around to doing a tutorial. Wasn't practical to do with this forum's limited formatting, but you can find it at...

    https://ipcamtalk.com/threads/ubiquity-edgerouter-x-configuring-to-isolate-surveillance-networks.45038/
  • I use several Pi-holes as a DNS server. You have control of what can be outbound/inbound by blocking and whitelisting. Works very well, been using it for years. Also have OpenVPN installed on the Pis.
  • [long time SS user here, way back to v1]

    I know this is long after the original post, but I want to do a similar thing. Just wondering if this is the only approach or if there might be something more simple lurking.

    Like the original post, I want to place my IP cameras onto their own LAN, that doesn't touch the internet at all. I have Amcrest IP cameras connected to a cheap BV-Tech PoE switch, connected to the Ethernet port on my 2012 Mac mini. Everything on this separate wired LAN has static IPs. The Mac then is connected to the internet via my main house LAN on Wifi using the separate built in Airport adapter.

    I want the cameras to communicate to SS on their own LAN, with no internet at all, and have SS and the rest of things on the Mac in general use Wifi for internet. I connect to that Mac via other devices on the home wifi and would want to connect to the SS Server from the outside world. The Mac seems confused where to route certain traffic because some websites work and some don't.

    I was wishing it was this simple, but will I need a more complicated router setup like the ER-X to get this done?
  • Hi @Turbo, good to hear from such a long-time user!

    This should work fine, providing the subnets of the two networks are different. The subnet is (usually) defined as the first three numbers of the IP address, so the IP 192.168.1.23 is on the subnet 192.168.1.

    The subnet of your house LAN is determined by the router (it can be changed, but it's easiest to leave as-is). So, for example if this is 192.168.1, you can then choose something like 192.168.2 for the camera LAN. Note that everything on the camera LAN, including the Mac mini, must be set up with a manual IP address (as there will be no DHCP server on this LAN to give out automatic IP addresses).

    My other comment would be that it would be better to connect your Mac mini to your house LAN via wired Ethernet (e.g. using a USB-Ethernet dongle or Thunderbolt-Ethernet dongle), if this is possible given cabling/location considerations. Wired Ethernet is faster and more reliable than WiFi.
  • Thanks Ben!

    The SS wired LAN is on 192.168.1.x, and the main house WiFi LAN with 30-something devices is on 10.0.0.x via the cable router.

    Everything generally works well on their respective sides of that Mac mini, but it’s odd that some websites don’t work via the house internet connection when the wired camera LAN is plugged into the Mac. Unplug the Ethernet, all websites work fine on the WiFi. Plug SS back in, same websites fail (including Amcrest for firmware updates, etc.)

    Not a huge deal, as long as the cams work on the wired side, and the viewing access works from the WiFi side. It’s just one of my many spare 2012 Mac minis so no worry.

    I can’t get viewcam.me to work for access from the internet, but that’s probably due to UPnP issues on the locked-down cable router. I may just use the great ngrok solution seen in your remote access blog post.

    Just upgraded to v5 for h.265 out of the Amcrest cams, and the file sizes are way smaller hour-to-hour (h.264 2.5Gb/hour, h.265 about 80Gb/hour. Awesome difference.) However, I get lots of key frame errors that disables motion capture, but that’s for a different thread.

    General stability, (relatively) tiny CPU and memory usage, feature set, etc., continue to make SS the most solid app I’ve ever run this long (years at a time). Big hats off to you and your team.
  • @turbo,
    When you plug in that wire, it could be that the order of services in your system preferences is set to have that wire have a higher priority. As long as the cable is out, all traffic goes through the next available service, when you plug the cable in, it becomes the main connection. You can set the order of services with the cog in the System Preferences Network, left column. See if changing the order (wifi on top) solves your issue.
  • Also, for your Mac's network setup for the wired camera LAN, make sure you have only specified an IP address (192.168.1.x) and subnet (255.255.255.0). Do not specify a router address or any DNS servers. Without a router address, your Mac should not try to use this network for any IP that isn't on the 192.168.1 subnet.

    Beyond this, I really can't think of any reason why you are seeing this problem connecting to web sites. I have a similar setup here, with a separate wired LAN for cameras on a different subnet, and do not see any such issues.

    Thanks for your comments about SecuritySpy - great to hear that you have been using it successfully for so long!
  • Thanks eljonco and Ben. Both suggestions make perfect sense. I’ll make those changes soon and will report back when I can.
  • I thought it would be a good idea to write up how to implement a separate LAN for segregating IP cameras, as I think this would be useful for many users. Here's the blog post: Segregating IP Cameras on their own LAN.
