Unifi network and Security Spy Cameras subnet
I have always kept my hardwired Security Spy cameras on their own local network that hangs directly off of my Mac. I recently upgraded my home network to Unifi equipment and wonder if I should keep them on their own isolated network or create a separate VLAN on my Unifi network for the cameras. Any thoughts or insights from others who have the same situation? Thanks.
Comments
-
Hi @duss ,
I have Unifi equipment (UDM, 3 PoE managed switches, 4 WAPs). I have newer Reolink PoE cams all on their own VLAN. This works fine so far. At this point I am just evaluating Security Spy and so far everything is working just fine. I am not a security expert but my intent is for that VLAN to be cut off from the internet. They are already isolated from the rest of the networks via the managed switches. The Mac is on the native network and I have set up 1-way rules that allow the Mac to see the cams. I am considering adding a USB/Thunderbolt network adapter to the Mac that is only connected to the camera VLAN. I need to investigate the pros/cons of this approach and whether or not anything is gained from doing this.
The only thing I wish Security Spy would do (so far) is have an architecture on the "server" side that runs as a daemon and does not require a user to be logged in. Separating the basic functions from the user interface would be a great win I think.
Anyway, there's my non-security expert take.
Good Luck!
-
For this purpose, a VLAN would provide the same advantages as a physically separate network, so both approaches are valid. The main downsides of a VLAN are that it requires more advanced/expensive network hardware (simple switches don't have this functionality), and that it is more complex from a software/setup point of view. But it achieves the same objective of separating traffic and preventing the cameras from Internet access.
-
Ben
As always, thanks for the feedback. Since I've upgraded to the Unifi equipment (more expensive for sure), I'm going to move my cameras from their dedicated network to an isolated VLAN within Unifi. And see how it goes.
-
desmo_rob
Thanks for the feedback. I am brand new to Unifi, but have been a Security Spy user since at least 2012. And I can't sing its praises loud enough. My current setup has the SS cams directly connected to my Mac, as outlined in Ben's physically separate network. And has worked great. I'm hoping my integration of the SS cams into Unifi goes smoothly.
-
I use SecuritySpy with VLANs too, but my setup might help others looking to improve performance with high-bandwidth camera networks.
I run SecuritySpy on a Mac mini M4, which auto-starts after a power failure and launches SecuritySpy on auto-login. It's connected to a Ubiquiti UDM Pro via a Pro Max 24 switch.
The key to my setup is this:
- The Mac mini sits on the primary (untagged) VLAN with internet access and port forwarding.
- All cameras are on two separate VLANs, which are tagged on the same physical interface going to the Mac.
- The switch port is configured to pass the untagged VLAN and only the two tagged VLANs used for cameras.
- On the Mac, I use System Settings → Network → [•••] → Manage Virtual Interfaces to add tagged VLAN support.
This setup allows the Mac mini/SecuritySpy to get regular software updates, and allows me to access SecuritySpy from the mobile app or laptop outside my home network. It also isolates cameras from the internet (unless I allow it for firmware updates) and from each other, while still making them accessible to SecuritySpy. An added bonus: it offloads cross-VLAN traffic from the switch entirely, routing it all directly to the Mac mini. This significantly improved network performance in my case—I'm running 26 cameras without bottlenecks now.
And as an added bonus, if you have two WAN interfaces, you can even configure the setup so the camera VLANs access the internet through one of the WAN interfaces, while the default VLAN that the Mac mini sits on could access the internet through the second WAN interface.
-
On our UI network we have a separate VLAN for hardwired cameras and an SSID for Wi-Fi cameras. Neither of these has access to the internet, to prevent cameras from calling home to momma and keep any bad mommas from accessing the cameras. All they can see are other cameras and SS.
Most of our hardwired cameras are also on a dedicated switch. This is purely for performance and to keep camera traffic off the rest of the network. A few cameras are attached to other switches but still on the cameras VLAN.
SS is on a Mac Studio that has two Ethernet connections; one to the cameras switch/VLAN and the other to a network that allows internet access (software updates, remote access, etc.).
Ben has an article on this setup here: https://bensoftware.com/blog/segregating-ip-cameras-on-their-own-lan/
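
Added example, not part of any post above and not SecuritySpy or Unifi code: a small first-match rule model for auditing the "1-way" camera VLAN policy discussed in this thread (Mac can reach cameras, cameras cannot initiate to the LAN or the internet). The subnets, host addresses, the `Rule` type and the default-accept inter-VLAN behaviour are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not taken from the thread)
LAN = ipaddress.ip_network("192.168.1.0/24")    # native network with the Mac
CAMS = ipaddress.ip_network("192.168.20.0/24")  # camera VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    state: str = "any"            # "any", "new" or "established"

def decide(rules, src, dst, state, default="accept"):
    """First matching rule wins; the default models a router that routes between VLANs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.state in ("any", state):
            return r.action
    return default

def audit(rules, mac="192.168.1.10", cam="192.168.20.50", outside="203.0.113.5"):
    """Return the names of the isolation properties that the rule set violates."""
    checks = {
        "mac can open stream to camera": decide(rules, mac, cam, "new") == "accept",
        "camera replies reach mac": decide(rules, cam, mac, "established") == "accept",
        "camera cannot initiate to LAN": decide(rules, cam, mac, "new") == "drop",
        "camera cannot reach internet": decide(rules, cam, outside, "new") == "drop",
    }
    return [name for name, ok in checks.items() if not ok]

# Reply traffic is allowed first, then everything else from the cameras is dropped.
GOOD = [Rule("accept", CAMS, LAN, "established"), Rule("drop", CAMS, ANY)]
# Same rules in the wrong order: the drop shadows the reply rule and streams break.
BAD = [Rule("drop", CAMS, ANY), Rule("accept", CAMS, LAN, "established")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD), ("NO RULES", [])):
        print(name, "violations:", audit(rules) or "none")
```

The dual-NIC and tagged-VLAN-on-the-Mac setups described above avoid the reply rule entirely, because the Mac then sits inside the camera subnet and that traffic never crosses the router.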
