Segregating IP Cameras on their own LAN

Our macOS CCTV software SecuritySpy allows you to set up an effective video surveillance system of any size, in both home and commercial settings.

The simplest setup for a LAN (Local Area Network) that includes IP cameras is to have a central Ethernet switch with all devices, including the cameras, connected to it. This generally works well, and has the advantage that every device can talk to every other device, which helps when setting up new devices. However, there are some potential downsides with this configuration:

  • Performance: at the Mac’s Ethernet port, camera traffic can be significant, and it can slow down other network data transfers to the Mac.
  • Privacy: some cameras “phone home”, sending data of unknown content back to the manufacturer’s servers. While the content of this data is probably benign (e.g. business/diagnostic information), some users worry about private data being sent.
  • Security: some cameras automatically make themselves available from the Internet; automated bots will find the cameras, and will attempt to hack into them.

The above can be mitigated to some extent by changing camera settings, and the Ethernet speed for the Mac can be increased by using a faster link speed (e.g. 2.5 Gbps) or link aggregation. However, if you are sufficiently concerned by the above issues, the ultimate solution is to segregate the IP cameras onto their own, separate, LAN. This has the following advantages:

  • Camera traffic is completely separate and does not impact the general LAN in any way.
  • Cameras do not have Internet access, so cannot send data to the Internet.
  • Cameras cannot make themselves available from the Internet, so hacking into them becomes impossible.

The main downside of this configuration is that the setup is more difficult, and does require some knowledge of IP addressing. If you are unfamiliar with this topic, we would advise you to research how IP addresses work on local networks before proceeding.

An example setup is as follows:

Step 1: Connect the Mac to both networks

This requires that the Mac has two Ethernet ports, in order to connect it to both switches. Most Macs have just one built-in Ethernet port, so you can add a second via a Thunderbolt-to-Ethernet adaptor or USB-C-to-Ethernet adaptor, both of which are available from Apple. Alternatively, you can use a USB-3-to-Ethernet adaptor, which is widely available from third parties.

Step 2: Configure the subnets

The key to running multiple LANs side by side is that they operate on different subnets. Each device on a LAN has an IP address comprising four numbers separated by full stops; the subnet is typically defined by the first three numbers. For example, if the LAN devices have IP addresses like 192.168.1.20, 192.168.1.21 etc., then the subnet is 192.168.1.

The router will decide which subnet is being used for the main LAN. It runs a DHCP service, which hands out IP addresses to devices automatically, to avoid the need to manually configure them. You can determine this subnet by referring to the Network system preference on any Mac that is connected to the main LAN.

The subnet used for the camera LAN can be anything within the private address space that is different from the main LAN. For example, if the main LAN uses the subnet 192.168.1, you can choose the subnet 192.168.2 for the camera LAN.

As the camera LAN does not have a DHCP service running on it, each device on this LAN, including the Mac, needs to be configured manually with a unique static IP address.

Assuming you are using the 192.168.2 subnet for the camera LAN as in the above example, then set up the Mac with the manual IP address 192.168.2.1, via the Network system preference, and specify a subnet mask of 255.255.255.0. Do not specify a router address.

Step 3: Configure the cameras

Most cameras will obtain an IP address automatically via DHCP by default, in which case the easiest way to set them up would be to first connect them to the main LAN, configure them, then move them to the camera LAN. The steps are as follows:

  • Connect the camera to the main LAN (for power, temporarily use a PoE injector or separate power supply, or, temporarily disconnect the PoE switch from the Mac, connect it to the main switch, and connect the camera to the PoE switch – but note that this will temporarily take offline any other cameras already up and running on the camera LAN).
  • Use our Network Device Finder utility to locate the camera; double-click on it to open its web interface.
  • Set the camera to use a manually-assigned static IP address on the camera LAN (e.g. 192.168.2.x where x is unique). Note that as soon as you save this setting, the camera will become inaccessible from the main LAN.
  • Disconnect the camera from the main LAN and connect it to the camera LAN.
  • You do not need to give the camera a router address or DNS address, but if the camera requires these, you can specify a dummy address of 0.0.0.0 or 192.168.2.254.

Step 4: Add the cameras to SecuritySpy

Add the cameras to SecuritySpy via the Cameras section of the Settings window, using the static IP addresses that you configured in the previous step.

Step 5: Set up a local NTP time server for the cameras

As the cameras now have no access to the Internet, you may want to install an NTP server on your Mac to ensure that all cameras maintain the correct time.
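Before changing any device, it is worth checking the addressing plan from Steps 2 to 5 on paper. The following Python script is an added example (it is not part of SecuritySpy or of this post) that does this with the standard ipaddress module; it assumes the article's example subnets 192.168.1.0/24 (main LAN, with a router) and 192.168.2.0/24 (camera LAN, no router), and the camera and Internet addresses in it are constructed:

```python
"""Check a two-LAN addressing plan of the kind described in Steps 2 to 5.

Added example, not part of SecuritySpy or the original post. It assumes the
article's example subnets (main 192.168.1.0/24 with a router, camera
192.168.2.0/24 with none); the camera addresses below are constructed.
"""
import ipaddress

# RFC 1918 private ranges; the camera subnet must lie inside one of them.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(main_subnet, camera_subnet, mac_camera_ip, camera_ips):
    """Return a list of problems with the plan; empty means it is sound."""
    main = ipaddress.ip_network(main_subnet)
    cam = ipaddress.ip_network(camera_subnet)
    problems = []
    if not any(cam.subnet_of(p) for p in PRIVATE):
        problems.append(f"camera subnet {cam} is not in private address space")
    if main.overlaps(cam):
        problems.append(f"camera subnet {cam} overlaps the main LAN {main}")
    mac = ipaddress.ip_address(mac_camera_ip)
    if mac not in cam:
        problems.append(f"Mac's camera-LAN address {mac} is not in {cam}")
    seen = {mac}  # every static address on the camera LAN must be unique
    for ip in map(ipaddress.ip_address, camera_ips):
        if ip not in cam:
            problems.append(f"camera {ip} is not in {cam}")
        elif ip in seen:
            problems.append(f"address {ip} is used twice")
        seen.add(ip)
    return problems

def interface_for(destination, main_subnet, camera_subnet):
    """Which Mac interface carries a connection to destination: directly
    attached subnets win; anything else needs a router, and only the main
    LAN has one, so it leaves via the main LAN interface."""
    dst = ipaddress.ip_address(destination)
    if dst in ipaddress.ip_network(camera_subnet):
        return "camera LAN (direct)"
    if dst in ipaddress.ip_network(main_subnet):
        return "main LAN (direct)"
    return "main LAN (via router)"

def reachable_from_camera(destination, camera_subnet):
    """A camera with no router address can only reach its own subnet."""
    return ipaddress.ip_address(destination) in ipaddress.ip_network(camera_subnet)

if __name__ == "__main__":
    plan = ("192.168.1.0/24", "192.168.2.0/24", "192.168.2.1",
            ["192.168.2.10", "192.168.2.11"])
    print("plan problems:", check_plan(*plan) or "none")
    # 203.0.113.10 stands in for any Internet host (documentation range).
    for dst in ("192.168.1.5", "192.168.2.10", "203.0.113.10"):
        print(dst, "->", interface_for(dst, plan[0], plan[1]))
    # Step 5: the NTP server the cameras are given must be on their own LAN.
    print("camera reaches NTP on the Mac:", reachable_from_camera("192.168.2.1", plan[1]))
    print("camera reaches the Internet:", reachable_from_camera("203.0.113.10", plan[1]))
```

The last two lines show why a local NTP server is needed: a camera with no router address can reach the Mac at 192.168.2.1 but nothing outside its own subnet.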

Final notes

Once the cameras are on their own LAN, they can only be accessed from the Mac running SecuritySpy (which is on both networks) or from other devices on the camera LAN; they cannot be accessed by devices that are only on the main LAN, or from the Internet. The cameras themselves will not have Internet access.

This does not affect remote access to SecuritySpy from the Internet – this will still work in exactly the same way.

The above network diagram features the Netgear GS116LP and Netgear GS316 Ethernet switches, which are reliable and cost effective, and a Mac mini, which is an ideal machine to run our Mac CCTV software SecuritySpy.

27 thoughts on “Segregating IP Cameras on their own LAN”

  1. Jeff Alves

    If I were to separate my cameras to their own sub-net following these instructions will I still be able to access them through HomeKit?

    Right now I have SS and my home automation software, Indigo, running on the same server with everything on the same sub-net. I use two Indigo plug-ins to allow me to see my cameras on the Apple Home App. These plugins are Cynical Security Spy and HomeKitBridge. Since all this runs on the same machine I would think that I’d still be able to see the cameras using the Home App, but wanted to confirm that assumption.
    Thanks

    1. Ben Software Post author

      It sounds like all communication is relayed via the Mac, so in this case I think it should work fine. If your setup relies on a device on one network communicating with a device on the other network, this is when things won’t work; the Mac is the only device that is attached to both networks and therefore the only device that can communicate with devices attached to both networks.

  2. Jeff Kluth

    Thanks for this article. Question, I have 2 hardwired cameras going into a switch (SW2) which in turn feeds into another switch (SW1) that is currently attached to my Mac and my router. My other 2 cameras are connected via WiFi to an access point which is connected to SW1. I do have fixed IP addresses defined on the cameras.

    If I get the adapter to create a 2nd Ethernet port on my Mac, would I then take the feed from SW2 and the access point and connect those to the 2nd Ethernet port? And if so, then I assume anything connecting to SW2 or the access point would NOT have Internet access? Thank you.

    1. Ben Software Post author

      Hi Jeff – yes that’s exactly right. SW1 would have your Mac (1st port), and router connected into it; SW2 would have your Mac (2nd port), WiFi access point, and cameras connected into it. Devices connected to SW2 would have no Internet connectivity (because your Mac stands in the way between SW2 and the router, and won’t pass traffic through unless specifically configured to do so).

      The only thing you would have to do is to change the static IP allocations of your cameras to a different subnet. For example, if your current network uses 192.168.1.x addressing, you could use 192.168.2.x addressing for the camera LAN (i.e. for everything connected into SW2).

  3. Matthew Ross

    Hi. Thanks for the article. I’ve recently upgraded my network components to Ubiquiti Unifi products, including a 24 port switch to reduce the number of switches I was using. I can configure my wired PoE cameras to use a static IP address on a separate VLAN to my Internet traffic. Does this achieve the same outcome as your article without the need for a separate switch connected directly to my Mac? Thanks for your help.

    1. Ben Software Post author

      Yes, you can achieve the same effect using a port-based VLAN. It’s a bit more complicated to configure, but it has the advantage that you don’t need a separate physical switch nor a second network interface to the Mac. As you say, you would set up your switch to have two VLANs: one for the cameras and the other for all other devices. The port that the Mac is connected to should be configured to be on both VLANs.

      You can either use the same IP subnet for both VLANs, or you can use a different subnet for the camera VLAN: in this case, so that the Mac can communicate with the cameras, you would go to the Network system preference, click the plus button to add a second Ethernet interface, and configure it with a static IP address on the camera subnet.

  4. William

    Many pieces of software include the ability to pick and choose between available network interfaces on a Mac, but this facility seems to be written into macOS software far less than it appears in network-centric Windows OS software. Does SecuritySpy now (or might it in the future) include some ability to “target” different logical LAN connections available to the host Mac, or does it rely solely on the OS network stack to work things out, where it’s highly likely the OS will “favor” the LAN with WAN access over any others and potentially make one’s cameras on additional logical LANs unreachable?

    1. Ben Software Post author

      It is possible for software to target specific interfaces, however this isn’t something that would be useful for SecuritySpy, because for everything that SecuritySpy does, this functionality is handled by the OS.

      Using the layout described above as an example, where the main LAN (the one with the Internet connection) uses the subnet 192.168.1, and the separate camera LAN (with no Internet access) uses the subnet 192.168.2, here’s what happens for various connections:

      – SecuritySpy makes a connection to 192.168.1.5. The OS sees that the request is on the 192.168.1 subnet, and routes the request to the network interface that is connected to the main LAN.

      – SecuritySpy makes a connection to 192.168.2.5. The OS sees that the request is on the 192.168.2 subnet, and routes the request to the network interface that is connected to the camera LAN.

      – SecuritySpy makes a request to 54.36.160.184 (which happens to be bensoftware.com – perhaps it’s checking for a software update). The OS sees that this IP is on neither subnet, therefore it needs to go via a router in order to reach the destination. It sees that only the 192.168.1 subnet has a router, therefore it routes the request to the router on the 192.168.1 subnet.

      As you can see, with this setup, there is no “favouring” one network over the other: it’s the IP address of the connection endpoint that determines which network interface the connection uses, based on logical rules.

  5. Tom Quackenbush

    Hi,

    Step 1: Installed the Apple Developer Tools: I think this was successful. The ntpd-install.sh file is in the Downloads folder.

    Step 2: When I do the chmod +x ~/Downloads/ntpd-install.sh command Terminal responds with just my name. Is that correct? Is there supposed to be something that replaces the “~”? Volume, username path to the Downloads folder? Example?

    The second command, sudo ~/Downloads/ntpd-install.sh, appears to have failed, but might be due to the first command not being completed correctly?

    Thanks, Tom Q

    1. Ben Software Post author

      Hi Tom,

      As long as the script is in your Downloads folder, then “~/Downloads/ntpd-install.sh” is the correct path and you don’t have to substitute anything for the tilde. In Step 2, as long as you don’t get an error message, it succeeded. When running the script you might get some warning message, but this doesn’t necessarily indicate failure. After running the script, do you see that the NTP daemon is running?

  6. James

    Ben

    I have set up my Mac mini as shown in this tutorial. LAN on 192.168.1.1 via Ethernet. Camera LAN on a separate router with 192.168.2.1 via USB to Ethernet. Camera set up on 192.168.2.2 and connected to the camera LAN. I can see the camera from the Mac mini but cannot open it (it’s an Axis 1065-L). Same subnet mask and no router specified (just set to 0.0.0.0). When I see the camera via IP Scanner it shows the correct IP address but shows MAC address unknown. Can’t ping it either.

    I triple checked the setup per your instructions and can’t see why this wouldn’t work. When the camera is on the main LAN, with DHCP set, it all works fine.

    Any ideas?

    James

  7. James

    I should add that from the Mac mini, the Ben Software Network Device Finder sees both subnets but not the camera on the camera LAN (scanning for port 80).

  8. James

    I meant separate switch, not router. Setup is exactly as in your diagram. Two switches, different subnets, both connected to the Mac mini. Home LAN on 192.168.1.x and camera LAN on 192.168.2.x. Axis camera manual IP of 192.168.2.2, each with 255.255.255.0 mask.

    1. Ben Software Post author

      Hi James, good to see you spotted the problem – so does this all work for you now?

  9. Jeff

    The cameras work surprisingly better when on their own isolated LAN. I also found that putting the camera IP address into the SecuritySpy camera setup works better than the auto discovery. I had an extra Cisco PoE switch available for the isolated LAN and am ordering more cameras to take advantage of the new rock solid camera network. Thanks again for these directions.

  10. Loc Winn

    Hello Ben,

    Thank you for posting the instruction for creating a separate LAN for the cameras. I have a couple questions or clarification and hope you do not mind helping me out.
    Is the Mac you mention in the instructions the iMac computer? If so, will your instructions work with an older iMac such as Processor 2.5GHz Intel Core i5, 4 GB 1333 MHz DDR3 with Mac OS X Lion 10.7.5? Or is it too old?
    Will your instructions work with Windows 10 and 7?
    I know how to connect the cameras to the NVR (Network Video Recorder) system with Internet (sharing LAN), but how do I connect my camera system to the NVR on the separate LAN?
    Thank you very much for your help.

    1. Ben Software Post author

      The instructions are tailored for our Mac CCTV software SecuritySpy, which runs on any Mac (e.g. iMac, Mac mini etc.) that is running macOS 10.13 or later. According to the specifications of the iMac you mention, you should be able to upgrade its system to version 10.13, and then run the latest version of SecuritySpy.

      However, the implementation of the network layout described above, with a separate LAN for cameras, can be used with any recorder device (e.g. a Windows PC), as long as it has two separate network interfaces.

      Note that many dedicated NVR devices have each camera connected directly into the back of the NVR, and they are not shared with the rest of the network anyway.

  11. Macster

    Hello.
    Can this be done with wireless cameras or only if they are wired?
    If it can be done, how can I do this?

    Thanks.

    1. Ben Software Post author

      Yes this is possible, though we would strongly recommend using wired Ethernet wherever possible, as this is much more reliable than WiFi. To use WiFi, you will need a WiFi access point (either a basic model or one that is also a router, though you won’t be needing its routing features).

      If you have a mixture of wired and WiFi cameras, then add the WiFi access point to the camera LAN Ethernet switch, which extends the camera LAN over WiFi. The WiFi access point should be configured to be on the same subnet as the camera LAN.

      Or, if ALL your cameras are WiFi (again, not recommended), then all the cameras AND the Mac could connect by WiFi to the access point, and you don’t need the Ethernet section of the network at all.

      If the WiFi access point has a DHCP server feature, this could be used to provide IP addresses to the cameras (and Mac) automatically, which makes setup easier.

  12. Araujo

    The problem with what I see with this is that SS does not access the camera’s web server as in the manufacturer’s WAN app.
    In case there needs to be a restart of the camera, say, or some other thing on the LAN; no problem to access the camera’s web server via a web browser on the Mac. Is that right?

    1. Ben Software Post author

      Hi Araujo, I’m not sure exactly what you mean by this. For tasks like setting up the camera’s settings or rebooting it, you will need to use a web browser to connect to the camera directly in order to do this via the camera’s web interface. SecuritySpy cannot do this itself – there are thousands of different cameras out there all with their own, different, non-standard, web interfaces. Does this answer your question?

  13. Chester Wood

    Hi Ben,

    Thanks so much for all your networking tips. I have been using your VLAN setup for a couple of years and it works great. My question is, how can you set up temporary routing with this setup so that you can access the internet from the camera, say to upgrade its firmware? I added a static route to my router 192.168.2.0/24 -> 192.168.1.100 (my SS server) but I think I need to do something on the server also and I haven’t been able to figure it out.

    1. Ben Software Post author

      Hi Chester, great to hear this has been working well for you! Note that the setup described above is for two physically separated networks, not a VLAN solution. With the setup described above, the only device connected to both networks is the Mac, and it may be possible to get your Mac to share the Internet connection. This can be done via the “Internet Sharing” option in the Sharing system setting. I have never tried this, so I can’t tell you whether it will actually work or not, but it should if configured correctly.
