Segregating IP Cameras on their own LAN

Our macOS CCTV software SecuritySpy allows you to set up an effective video surveillance system of any size, in both home and commercial settings.

The simplest setup for a LAN (Local Area Network) that includes network cameras is to have a central Ethernet switch with all devices, including the cameras, connected to it. This works well for small networks, but there are some problems with this setup that become especially important on larger networks:

  • IP cameras generate constant traffic, which can slow down the LAN.
  • Having cameras on the main LAN, with Internet access, can be a security risk.
  • Larger PoE (Power-over-Ethernet) switches are expensive, have significant power consumption, and often contain noisy fans.

The solution to these problems is to segregate the IP cameras onto their own LAN. This solution has the following advantages:

  • Camera traffic is completely separate and does not impact the normal LAN.
  • Cameras have no Internet access, so they cannot send sensitive information out to the Internet and cannot be reached directly from the Internet by attackers; the only path to them is via the Mac.
  • You can use a PoE switch that is no larger than you need it to be. Smaller PoE switches are less expensive, use less power, and are quieter.

Setting this up does require a bit of knowledge of IP addressing, so if you are not familiar with this topic, we would advise you to research how IP addresses work on local networks before proceeding. An example setup is as follows:

Step 1: Connect the Mac to both networks

This requires the Mac to have two Ethernet ports, in order to connect it to both switches. Most Macs have just one Ethernet port built in, apart from the Mac Pro which has two. You can add Ethernet ports via Thunderbolt-to-Ethernet adaptors or USB-C-to-Ethernet adaptors, which are available from Apple. Alternatively, you can use USB-3-to-Ethernet adaptors, which are available from third parties.

Step 2: Configure the subnets

The key to running multiple LANs side by side is that they operate on different subnets. Each device on a LAN has an IP address comprising four numbers separated by full stops; with the subnet mask of 255.255.255.0 used on most home and small-office networks, the subnet is defined by the first three numbers. For example, if the LAN devices have IP addresses like 192.168.1.20, 192.168.1.21 etc., then the subnet is 192.168.1.

The router determines which subnet the main LAN uses. It runs a DHCP service, which hands out IP addresses to devices automatically, to avoid the need to configure them manually. You can determine this subnet by referring to the Network system preference on any Mac that is connected to the main LAN.

The subnet used for the camera LAN can be anything within the private address space that is different from the main LAN. For example, if the main LAN uses the subnet 192.168.1, you can choose the subnet 192.168.2 for the camera LAN.

As the camera LAN does not have a DHCP service running on it, each device on this LAN, including the Mac, needs to be configured manually with a unique static IP address.

Assuming you are using the 192.168.2 subnet for the camera LAN as in the above example, then set up the Mac with the manual IP address 192.168.2.1, via the Network system preference, and specify a subnet mask of 255.255.255.0. Do not specify a router address.

Step 3: Configure the cameras

Most cameras will obtain an IP address automatically via DHCP by default, in which case the easiest way to set them up would be to first connect them to the main LAN, configure them, then move them to the camera LAN. The steps are as follows:

  • Connect the camera to the main LAN. For power, temporarily use a PoE injector or a separate power supply; alternatively, temporarily disconnect the PoE switch from the Mac, connect it to the main switch, and connect the camera to the PoE switch (note that this takes any cameras already up and running on the camera LAN offline until the switch is moved back).
  • Use our Network Device Finder utility to locate the camera; double-click on it to open its web interface.
  • Set the camera to use a manually-assigned static IP address on the camera LAN (e.g. 192.168.2.x where x is unique). Note that as soon as you save this setting, the camera will become inaccessible from the main LAN.
  • Disconnect the camera from the main LAN and connect it to the camera LAN.
  • You do not need to give the camera a router address or DNS address, but if the camera insists on these, you can specify a dummy address of 0.0.0.0 or 192.168.2.254 (in the latter case, make sure 192.168.2.254 is never assigned to a camera).

Step 4: Add the cameras to SecuritySpy

Add the cameras to SecuritySpy via the Cameras section of the Preferences window, using the static IP addresses that you configured in the previous step.
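Steps 2 to 4 amount to an address plan: a private camera subnet that does not overlap the main LAN, a static address for the Mac on it, and a unique static address for every camera that is not the network, broadcast or dummy-router address. The following script checks such a plan before you start reconfiguring cameras. It is an added example, not code from this article or from SecuritySpy; it uses the article's subnets (192.168.1.0/24 main LAN, 192.168.2.0/24 camera LAN, Mac at 192.168.2.1), and the camera names and addresses in the sample plan are made up.

```python
"""Address-plan check for the two-LAN layout described in Steps 2 to 4.

Added example, not code from the article or from SecuritySpy. It uses the
article's subnets (192.168.1.0/24 main LAN, 192.168.2.0/24 camera LAN, Mac at
192.168.2.1); the camera names and addresses in the sample plan are made up.
"""
import ipaddress


def check_plan(main_lan, camera_lan, mac_address, cameras, dummy_router=None):
    """Return a list of problems with the plan; an empty list means it is sound.

    main_lan, camera_lan : subnets in CIDR form, e.g. "192.168.2.0/24"
    mac_address          : the Mac's static address on the camera LAN
    cameras              : mapping of camera name -> static address
    dummy_router         : optional placeholder router address given to cameras
    """
    problems = []
    main = ipaddress.ip_network(main_lan)
    cam = ipaddress.ip_network(camera_lan)

    # Step 2: the camera LAN must be private and must not overlap the main LAN,
    # otherwise the Mac cannot tell which interface a destination belongs to.
    if not cam.is_private:
        problems.append(f"camera LAN {cam} is not in private address space")
    if cam.overlaps(main):
        problems.append(f"camera LAN {cam} overlaps main LAN {main}")

    # Addresses that no device may take: network, broadcast and the dummy router.
    reserved = {cam.network_address, cam.broadcast_address}
    if dummy_router is not None and dummy_router != "0.0.0.0":
        reserved.add(ipaddress.ip_address(dummy_router))

    used = {}

    def claim(owner, address):
        ip = ipaddress.ip_address(address)
        if ip not in cam:
            problems.append(f"{owner}: {ip} is not on the camera LAN {cam}")
        elif ip in reserved:
            problems.append(f"{owner}: {ip} is the network, broadcast or dummy-router address")
        elif ip in used:
            problems.append(f"{owner}: {ip} is already used by {used[ip]}")
        else:
            used[ip] = owner

    claim("Mac", mac_address)
    for name, address in cameras.items():
        claim(name, address)
    return problems


def next_free_address(camera_lan, mac_address, cameras, dummy_router=None):
    """Suggest the lowest unused host address for a new camera (None if the subnet is full)."""
    cam = ipaddress.ip_network(camera_lan)
    taken = {ipaddress.ip_address(a) for a in [mac_address, *cameras.values()]}
    if dummy_router is not None and dummy_router != "0.0.0.0":
        taken.add(ipaddress.ip_address(dummy_router))
    for host in cam.hosts():
        if host not in taken:
            return str(host)
    return None


# Sample plan (constructed for this example; camera names are made up).
MAIN_LAN = "192.168.1.0/24"
CAMERA_LAN = "192.168.2.0/24"
MAC_ADDRESS = "192.168.2.1"
CAMERAS = {"front-door": "192.168.2.10", "driveway": "192.168.2.11"}

if __name__ == "__main__":
    for problem in check_plan(MAIN_LAN, CAMERA_LAN, MAC_ADDRESS, CAMERAS, "192.168.2.254"):
        print("PROBLEM:", problem)
    print("next free address:", next_free_address(CAMERA_LAN, MAC_ADDRESS, CAMERAS, "192.168.2.254"))
```

Run it with your own subnets and camera list before touching any camera: a camera accidentally left on the main-LAN subnet, a duplicate of the Mac's address, or a camera given the dummy router address are exactly the mistakes that make a camera "disappear" once it is moved to the camera switch.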

Step 5: Set up a local NTP time server for the cameras

As the cameras now have no access to the Internet, you may like to install an NTP server on your Mac to ensure that all cameras maintain the correct time.
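Once the cameras point at the Mac for time, it is worth confirming that the NTP server actually answers on the camera-LAN address and that its replies are ones a camera should trust. The probe below is an added example, not code from this article or from SecuritySpy: it builds a standard 48-byte NTP client packet, parses the reply and rejects replies that are not server mode, are unsynchronised or do not echo the request. The server address 192.168.2.1 is the Mac's camera-LAN address from Step 2 and is the only assumption; the packet layout follows RFC 5905.

```python
"""SNTP probe for the local NTP server set up in Step 5.

Added example, not from the article or from SecuritySpy. It builds a
standard 48-byte NTP client packet, parses the server's reply and checks
that the reply is sane before trusting its time. The server address
192.168.2.1 (the Mac's camera-LAN address from Step 2) is assumed.
"""
import os
import socket
import struct
import time

NTP_PORT = 123
NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_request(nonce=None):
    """48-byte client packet: LI=0, VN=4, Mode=3 (first byte 0x23).
    The transmit-timestamp field carries an 8-byte random nonce; a genuine
    reply must echo it in the originate-timestamp field, which lets the
    caller reject stray or spoofed packets."""
    nonce = nonce if nonce is not None else os.urandom(8)
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    packet = bytearray(48)
    packet[0] = 0x23
    packet[40:48] = nonce
    return bytes(packet)


def parse_response(packet, nonce):
    """Validate a server reply and return its transmit time as Unix seconds.
    Raises ValueError for anything a camera should not trust."""
    if len(packet) < 48:
        raise ValueError("short packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    stratum = packet[1]
    if stratum == 0:
        raise ValueError("kiss-o'-death packet (stratum 0)")
    if stratum > 15:
        raise ValueError(f"server is unsynchronised (stratum {stratum})")
    if packet[24:32] != nonce:
        raise ValueError("originate timestamp does not echo our nonce")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    if seconds == 0:
        raise ValueError("zero transmit timestamp")
    # Era 0 only: the 32-bit NTP seconds field wraps in 2036, which this probe ignores.
    return seconds - NTP_TO_UNIX + fraction / 2**32


def make_server_reply(nonce, unix_time, stratum=2):
    """Construct a well-formed server reply (used for offline testing only)."""
    packet = bytearray(48)
    packet[0] = 0x24  # LI=0, VN=4, Mode=4
    packet[1] = stratum
    packet[24:32] = nonce
    whole = int(unix_time) + NTP_TO_UNIX
    fraction = int((unix_time - int(unix_time)) * 2**32)
    packet[40:48] = struct.pack("!II", whole, fraction)
    return bytes(packet)


def query(server, timeout=2.0):
    """Ask the server for the time over UDP; return (server_unix_time, offset_from_local)."""
    nonce = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(nonce), (server, NTP_PORT))
        reply, _ = sock.recvfrom(512)
    server_time = parse_response(reply, nonce)
    return server_time, server_time - time.time()


if __name__ == "__main__":
    server_time, offset = query("192.168.2.1")  # the Mac's camera-LAN address (assumed)
    print(f"server time {time.ctime(server_time)}, offset {offset:+.3f} s")
```

Run the probe from a machine on the camera LAN (or from the Mac itself) after installing the server: a timeout means the server is not listening on that interface or port 123/UDP is blocked, and a stratum 16 reply means the Mac's own clock is not yet synchronised and the cameras would inherit a wrong time.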

Final notes

Once the cameras are on their own LAN, they can only be accessed from the Mac (which is on both networks) or from other devices on the camera LAN; they cannot be accessed by devices that are only on the main LAN, or from the Internet. The cameras themselves will not have Internet access. The Mac does not forward traffic between the two networks unless IP forwarding is deliberately enabled, so leave it off; the Mac is then the only device with a foot in both networks and the only path to the cameras.

This does not affect remote access to SecuritySpy from the Internet – this will still work in exactly the same way.

The above network diagram features the Netgear GS116LP and Netgear GS316 Ethernet switches, which are reliable and cost effective, and a Mac mini, which is an ideal machine to run our Mac CCTV software SecuritySpy.

19 thoughts on "Segregating IP Cameras on their own LAN"

  1. Jeff Alves

    If I were to separate my cameras to their own sub-net following these instructions will I still be able to access them through HomeKit?

    Right now I have SS and my home automation software, Indigo, running on the same server with everything on the same sub-net. I use two Indigo plug-ins to allow me to see my cameras on the Apple Home App. These plugins are Cynical Security Spy and HomeKitBridge. Since all this runs on the same machine I would think that I’d still be able to see the cameras using the Home App, but wanted to confirm that assumption.
    Thanks

    1. Ben Software Post author

      It sounds like all communication is relayed via the Mac, so in this case I think it should work fine. If your setup relies on a device on one network communicating with a device on the other network, this is when things won’t work; the Mac is the only device that is attached to both networks and therefore the only device that can communicate with devices attached to both networks.

  2. Jeff Kluth

    Thanks for this article. Question, I have 2 hardwired cameras going into a switch (SW2) which in turn feeds into another switch (SW1) that is currently attached to my Mac and my router. My other 2 cameras are connected via WiFi to an access point which is connected to SW1. I do have fixed IP addresses defined on the cameras.

    If I get the adapter to create a 2nd ethernet port on my Mac would I then take the feed from SW2 and the access point and connect those to the 2nd ethernet port ? And if so then I assume anything connecting to SW2 or the access point would NOT have internet access ? Thank you.

    1. Ben Software Post author

      Hi Jeff – yes that’s exactly right. SW1 would have your Mac (1st port), and router connected into it; SW2 would have your Mac (2nd port), WiFi access point, and cameras connected into it. Devices connected to SW2 would have no Internet connectivity (because your Mac stands in the way between SW2 and the router, and won’t pass traffic through unless specifically configured to do so).

      The only thing you would have to do is to change the static IP allocations of your cameras to a different subnet. For example, if your current network uses 192.168.1.x addressing, you could use 192.168.2.x addressing for the camera LAN (i.e. for everything connected into SW2).

  3. Matthew Ross

    Hi. Thanks for the article. I've recently upgraded my network components to Ubiquiti Unifi products, including a 24 port switch to reduce the number of switches I was using. I can configure my wired PoE cameras to use a static IP address on a separate VLAN to my internet traffic. Does this achieve the same outcome as your article without the need for a separate switch connected directly to my Mac? Thanks for your help.

    1. Ben Software Post author

      Yes, you can achieve the same effect using a port-based VLAN. It’s a bit more complicated to configure, but it has the advantage that you don’t need a separate physical switch nor a second network interface to the Mac. As you say, you would set up your switch to have two VLANs: one for the cameras and the other for all other devices. The port that the Mac is connected to should be configured to be on both VLANs.

      You can either use the same IP subnet for both VLANs, or you can use a different subnet for the camera VLAN: in this case, so that the Mac can communicate with the cameras, you would go to the Network system preference, click the plus button to add a second Ethernet interface, and configure it with a static IP address on the camera subnet.

  4. William

    Many pieces of software include the ability to pick and choose between available network interfaces on a Mac, but this facility seems to be written into macOS software far less than it appears in network-centric Windows OS software. Does SecuritySpy now (or might it in the future) include some ability to "target" different logical LAN connections available to the host Mac, or does it rely solely on the OS network stack to work things out, where it's highly likely the OS will "favor" the LAN with WAN access over any others and potentially make one's cameras on additional logical LANs unreachable?

    1. Ben Software Post author

      It is possible for software to target specific interfaces, however this isn’t something that would be useful for SecuritySpy, because for everything that SecuritySpy does, this functionality is handled by the OS.

      Using the layout described above as an example, where the main LAN (the one with the Internet connection) uses the subnet 192.168.1, and the separate camera LAN (with no Internet access) uses the subnet 192.168.2, here’s what happens for various connections:

      – SecuritySpy makes a connection to 192.168.1.5. The OS sees that the request is on the 192.168.1 subnet, and routes the request to the network interface that is connected to the main LAN.

      – SecuritySpy makes a connection to 192.168.2.5. The OS sees that the request is on the 192.168.2 subnet, and routes the request to the network interface that is connected to the camera LAN.

      – SecuritySpy makes a request to 54.36.160.184 (which happens to be bensoftware.com – perhaps it’s checking for a software update). The OS sees that this IP is on neither subnet, therefore it needs to go via a router in order to reach the destination. It sees that only the 192.168.1 subnet has a router, therefore it routes the request to the router on the 192.168.1 subnet.

      As you can see, with this setup, there is no "favouring" one network over the other: it's the IP address of the connection endpoint that determines which network interface the connection uses, based on logical rules.

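
The interface selection described in the reply above, and the reason Step 2 says not to give the camera interface a router address, can both be seen in a small model of the routing decision. The script below is an added example, not code from this article or from SecuritySpy: a simplified model in which the longest matching prefix wins and, among equal prefixes, the interface earlier in the service order wins. It uses the article's subnets (192.168.1.0/24 with Internet, 192.168.2.0/24 for the cameras) and the bensoftware.com address quoted above; the interface names en0/en1, the Mac's main-LAN address 192.168.1.50 and the router address 192.168.1.1 are assumptions.

```python
"""Simulated interface selection for a Mac attached to two LANs.

Added example, not code from the article or from SecuritySpy: a simplified
model of how a host with two interfaces chooses where to send a packet (the
longest matching prefix wins; among equal prefixes the interface earlier in
the service order wins). Interface names en0/en1, the Mac's main-LAN address
192.168.1.50 and the router address 192.168.1.1 are assumptions.
"""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_routes(interfaces):
    """interfaces: list of (name, address/prefix, router-or-None) in service order.
    Returns a routing table of (network, next_hop, interface, metric) tuples."""
    routes = []
    for metric, (name, cidr, router) in enumerate(interfaces):
        iface = ipaddress.ip_interface(cidr)
        # The directly connected subnet is delivered on-link, with no next hop.
        routes.append((iface.network, None, name, metric))
        if router is not None:
            gateway = ipaddress.ip_address(router)
            if gateway not in iface.network:
                raise ValueError(f"{name}: router {gateway} is not on {iface.network}")
            # A router address adds a default route through this interface.
            routes.append((DEFAULT, gateway, name, metric))
    return routes


def select_route(routes, destination):
    """Return (interface, next_hop) for a destination; next_hop is None when on-link."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        raise LookupError(f"no route to {dest}")
    # Most specific prefix first; ties go to the lower metric (earlier service order).
    network, next_hop, name, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return name, (str(next_hop) if next_hop is not None else None)


def article_layout():
    """Step 2 as written: only the main-LAN interface has a router."""
    return build_routes([
        ("en0", "192.168.1.50/24", "192.168.1.1"),  # main LAN, Internet via the router
        ("en1", "192.168.2.1/24", None),            # camera LAN, no router
    ])


def mistaken_layout():
    """The mistake Step 2 warns against: a router address on the camera
    interface, which here also sits first in the service order."""
    return build_routes([
        ("en1", "192.168.2.1/24", "192.168.2.254"),
        ("en0", "192.168.1.50/24", "192.168.1.1"),
    ])


if __name__ == "__main__":
    for label, table in (("article layout", article_layout()),
                         ("mistaken layout", mistaken_layout())):
        print(label)
        for dest in ("192.168.1.5", "192.168.2.5", "54.36.160.184"):
            print(f"  {dest:>15} -> {select_route(table, dest)}")
```

In the article layout the three connections go exactly where the reply says: 192.168.1.5 on-link via en0, 192.168.2.5 on-link via en1, and 54.36.160.184 to the router 192.168.1.1 via en0. In the mistaken layout the second default route wins the tie on service order, and Internet traffic is handed to 192.168.2.254 on the camera LAN, where nothing answers; that is the failure the "Do not specify a router address" instruction prevents. On a real Mac, `netstat -rn` lists the table the OS actually uses and should show a single default route via the main-LAN router.
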
  5. Tom Quackenbush

    Hi,

    Step 1: Installed the Apple Developer Tools: I think this was successful. The ntpd-install.sh file is in the Downloads folder.

    Step 2: When I do the chmod +x ~/Downloads/ntpd-install.sh command Terminal responds with just my name. Is that correct? Is there supposed to be something that replaces the “~”? Volume, username path to the Downloads folder? Example?

    The second command, sudo ~/Downloads/ntpd-install.sh, appears to have failed, but might be due to the first command not being completed correctly?

    Thanks, Tom Q

    1. Ben Software Post author

      Hi Tom,

      As long as the script is in your Downloads folder, then “~/Downloads/ntpd-install.sh” is the correct path and you don’t have to substitute anything for the tilde. In Step 2, as long as you don’t get an error message, it succeeded. When running the script you might get some warning message, but this doesn’t necessarily indicate failure. After running the script, do you see that the NTP daemon is running?

  6. James

    Ben

    I have set my Mac mini as shown in this tutorial. LAN on 192.168.1.1 via Ethernet. Camera LAN on separate router with 192.168.2.1 via USB to Ethernet. Camera set up on 192.168.2.2 and connected to the camera LAN. I can see the camera from the Mac mini but cannot open it (it's an Axis 1065-L). Same subnet mask and no router specified (just set to 0.0.0.0). When I see the camera via IP Scanner it shows the correct IP address but shows MAC address unknown. Can't ping it either.

    I triple checked the setup per your instructions and can't see why this wouldn't work. When the camera is on the main LAN with DHCP set, it all works fine.

    Any ideas.

    James

  7. James

    I should add that from the Mac mini, the Ben Software Network Device Finder sees both subnets but not the camera on the camera LAN (scanning for port 80).

  8. James

    I meant separate switch, not router. Setup is exactly as in your diagram. Two switches, different subnets, both connected to Mac mini. Home LAN on 192.168.1.x and camera LAN on 192.168.2.x. Axis camera manual IP of 192.168.2.2, each with 255.255.255.0 mask.

    1. Ben Software Post author

      Hi James, good to see you spotted the problem – so does this all work for you now?

  9. Jeff

    The cameras work surprisingly better when on their own isolated LAN. I also found that putting the camera IP address into the SecuritySpy camera setup works better than the auto discovery. I had an extra Cisco PoE switch available for the isolated LAN and am ordering more cameras to take advantage of the new rock solid camera network. Thanks again for these directions.

