Isolated LAN for Cameras and Security Spy
I finally got around to moving all my 16 cameras and SecuritySpy Mac to their own, isolated LAN (local area network). The cameras are only allowed NTP and DNS access, no DHCP, nothing inbound or outbound from the WAN. The SecuritySpy Mac was allowed special access to the outside world and can be accessed via the SecuritySpy server port. The SS Mac is also accessible from my main LAN.
Took three days programming a Ubiquiti EdgeRouter X (under $60). It is not a project for the faint of heart, but worthwhile to gain more granular control of my devices. Now I have a main LAN that can see everything, 2 restricted LANs, 1 super restricted camera LAN, and an isolated Guest VLAN. Each could be set up with firewall rules to enact isolation and desired access. I specify which LANs get WAN access and forward only the desired ports. Special access for the SS Mac was easy to create.
With this setup, a fair amount of unidentified camera traffic with the outside world is blocked. I can see the firewall blocking camera attempts to reach the outside world every few seconds. No more leaks. The cameras also can't touch any of my other LANs, call home, nor participate in a botnet.
Nice to finally get this done.
Comments
My advice to other users who don't want to invest in such a complicated setup is to use strong passwords for your cameras and turn off their UPnP options so that they can't accept incoming connections from the Internet.
All network services are turned off in their setups except those needed to stream video and synchronize clocks.
Despite those precautions, some are still trying to access things on the internet.
The packet payloads are small. Not like they are sending video streams.
I'm really happy to be blocking all those communication attempts.
My eventual router setup implemented….
eth0 - WAN 0 - connects to cable modem with DHCP
eth1 - 192.168.1.1/24 - LAN1 Main full access to the internet. Hands out DHCP leases. CAN reach all other LANs
eth2 - 192.168.2.1/24 - LAN2 Security Spy - no access to internet. No DHCP. Allows NTP and DNS. Cannot reach other LANs
eth3 - 192.168.3.1/24 - LAN3 - full access to internet. Hands out DHCP leases. Cannot reach other LANs
eth4 - 192.168.4.1/24 - LAN4 - full access to internet. Hands out DHCP leases. Cannot reach other LANs
eth1.1003 - 10.10.10.1/24 - Guest WiFi VLAN Apple Guest WiFi with internet access. Cannot reach other LANs
Took about 15 rules to implement proper isolation and desired, special accesses.
Security Spy Macintosh and cameras live on the 192.168.2.0/24 subnet and are physically connected via PoE switches to LAN2 eth2
All their addresses, netmasks and router addresses are set manually.
Router has total control over LAN2 reaching the rest of the world.
Potential malware on cameras cannot reach the internet to get commands nor call home.
Even plugging into the LAN2 network via ethernet cable will NOT get a DHCP address, internet access, nor reach other LANs
Guest WiFi cannot see rest of network.
Security Spy server Macintosh granted special permission to access the internet despite being on LAN2. This allows browsing from SS Mac, but no other LAN2 machines can browse or reach the internet.
Exception made for NTP access to keep camera clocks in sync.
Port forwarding from WAN into SS Macintosh (with hairpin NAT) allows SS server access from WAN and LAN1.
Took me three days doing it from scratch. If someone wants to do similar to protect their SS setup, post here to let me know.
I could put together a generic config file that could be uploaded to get most of the configuration done quickly. One would only need to edit a few things in the EdgeMax GUI and turn on hardware acceleration via the CLI.
Because such a config file will take a few hours work. I will create one only if someone is actually going to use an Edgerouter X with their SS setup.
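To make the rule set above concrete, here is an added Python model of the isolation policy described in this post (the interface layout, subnets and the NTP/DNS/SS-Mac exceptions are taken from the post; the code is not the poster's EdgeRouter config and the router itself is not involved). The SecuritySpy Mac's address (192.168.2.10), the server port (8000), the camera addresses and the sample flows are constructed for the example, since the post gives none of them. Flows are modelled as the first packet of a new connection, after DNAT for anything arriving from the WAN, which is also how the hairpin-NAT path from LAN1 ends up looking to the rule set.

```python
import ipaddress
from dataclasses import dataclass

# Interface layout from the post (eth0 is the WAN side and gets no zone of its own).
ZONES = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),   # eth1, main LAN, sees everything
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),   # eth2, cameras + SecuritySpy Mac
    "LAN3": ipaddress.ip_network("192.168.3.0/24"),   # eth3, internet only
    "LAN4": ipaddress.ip_network("192.168.4.0/24"),   # eth4, internet only
    "GUEST": ipaddress.ip_network("10.10.10.0/24"),   # eth1.1003, guest WiFi VLAN
}
# Assumed values: the post gives neither the Mac's address nor the server port.
SS_MAC = ipaddress.ip_address("192.168.2.10")
SS_PORT = 8000


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection; WAN-inbound flows are already DNAT'd."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to the zone (interface) it lives on; anything else is WAN."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


def decide(flow: Flow):
    """Evaluate the post's rules top-down, first match wins, like numbered router rules."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src_zone == "LAN2":
        # Cameras may only sync clocks and resolve names; everything else is dropped.
        if dst_zone == "WAN" and flow.proto == "udp" and flow.dport == 123:
            return "accept", "LAN2 NTP exception"
        if dst_zone == "WAN" and flow.dport == 53:
            return "accept", "LAN2 DNS exception"
        if src == SS_MAC and dst_zone == "WAN":
            return "accept", "SS Mac special internet access"
        return "drop", "LAN2 isolated: no other LANs, no internet"
    if src_zone == "LAN1":
        return "accept", "LAN1 may reach everything"
    if src_zone in ("LAN3", "LAN4", "GUEST"):
        if dst_zone == "WAN":
            return "accept", f"{src_zone} internet access"
        return "drop", f"{src_zone} cannot reach other LANs"
    # WAN inbound: the only hole is the port forward to the SecuritySpy server.
    if dst == SS_MAC and flow.proto == "tcp" and flow.dport == SS_PORT:
        return "accept", "port forward to SS Mac"
    return "drop", "WAN inbound default drop"


def blocked_summary(flows):
    """Count dropped connection attempts per source: the 'camera calling home' view."""
    counts = {}
    for f in flows:
        if decide(f)[0] == "drop":
            counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample flows (camera 192.168.2.21, a LAN1 PC, a guest device, a WAN host).
SAMPLE_FLOWS = [
    Flow("192.168.2.21", "203.0.113.5", "udp", 123),    # camera NTP: allowed
    Flow("192.168.2.21", "203.0.113.5", "tcp", 443),    # camera "phoning home": dropped
    Flow("192.168.2.21", "192.168.1.50", "tcp", 80),    # camera poking the main LAN: dropped
    Flow("192.168.2.10", "203.0.113.5", "tcp", 443),    # SS Mac browsing: allowed
    Flow("192.168.1.50", "192.168.2.10", "tcp", 8000),  # main LAN viewing SS: allowed
    Flow("198.51.100.7", "192.168.2.10", "tcp", 8000),  # WAN to SS via port forward: allowed
    Flow("198.51.100.7", "192.168.2.21", "tcp", 80),    # WAN to a camera: dropped
    Flow("10.10.10.5", "192.168.1.50", "tcp", 445),     # guest to main LAN: dropped
    Flow("10.10.10.5", "203.0.113.5", "tcp", 443),      # guest to internet: allowed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, *decide(f))
    print(blocked_summary(SAMPLE_FLOWS))
```

The model deliberately has no "established/related" shortcut: it only judges new connections, which is where the isolation is enforced. Reply traffic for accepted flows is assumed to be handled by the router's connection tracking, as it is on the EdgeRouter.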
Cameras are compliant with all National Security Laws, that means they phone home whether you approve of it or not. If it's imported and sold as retail in your country, it 'phones home' under several methods, hint: check your DNS activity in Console and your local WiFi sniffer software, even if you have all the WiFi in your cameras and routers off.
The newer OS X systems are also fully compliant, i.e. you can't turn off IPv6, and the functions of the 'Firewall' rules in the Security System Preferences will not allow them to be completely blocked.
That being said... there are some things you can do to get better service levels from your network and reduce the factors that cause concern.
On little units like the Edgerouter, their log traffic tells you they are busy, but not with what.
Culprits include running poor or mediocre Cat5e cabling for PoE support over more than 60 meters per subnet, high powered external towers and EM devices you can't control, running the high FPS channels to multiple receiving devices, etc. Even recompression in SecuritySpy for added controls like Masking and TimeStamp causes additional 2 way traffic.
Narrowing down physical causes can reduce some of the packet throughput which can look like unauthorized traffic. Download the X11 package and Wireshark, and teach yourself the basics of 'packet sniffing' from their excellent online tutorials.
If it's out of your league for a setup like guykuo has done, you can hire specialists online who can do this from outside, but you control the ball. Teamviewer gets the basics done, but at all times have the outsiders work with generic passwords which you change for a strong one later... (hint, NEVER type an admin password live while in Teamviewer, the authorities monitor this traffic also).
If you do have real suspicions about outside hitters, or curious teenagers inside your local ISP, contact them to have a firmware change on your router, or to cycle the IP address from their DHCP table, or to flush your DNS cache, all legally allowed and most ISPs are happy to comply as they don't want to answer to authorities for unauthorized packets on their network.
The manufacturing of most basic IP cameras points to only 3 or 4 trusted board makers and their respective firmware. That means scriptkiddies and the real troublemakers know their weak points. But having VERY strong passwords (i.e. 40+ hexadecimal characters in a note file on a USB stick) slows down their bots' attempts to guess correctly.
So, lastly, Ben, as a long time user (more than 8 years) I would like a feature added to SecuritySpy. A logging tracker that watches the ports that goes further than the logging that occurs now. Wireshark can be used as an alternative, but we require some script writing from your end to set proper filters on what is moving.
Many thanks for your dedication to this platform.
My rule for preventing the camera/Security Spy subnet blocked in that period...
88,042,381 packets headed to the outside world.
Thanks,
Martin
https://ipcamtalk.com/threads/ubiquity-edgerouter-x-configuring-to-isolate-surveillance-networks.45038/
I know this is long after the original post, but I want to do a similar thing. Just wondering if this is the only approach or if there might be something more simple lurking.
Like the original post, I want to place my IP cameras onto their own LAN, that doesn't touch the internet at all. I have Amcrest IP cameras connected to a cheap BV-Tech PoE switch, connected to the Ethernet port on my 2012 Mac mini. Everything on this separate wired LAN has static IPs. The Mac then is connected to the internet via my main house LAN on Wifi using the separate built in Airport adapter.
I want the cameras to communicate to SS on their own LAN, with no internet at all, and have SS and the rest of things on the Mac in general use Wifi for internet. I connect to that Mac via other devices on the home wifi and would want to connect to the SS Server from the outside world. The Mac seems confused where to route certain traffic because some websites work and some don't.
I was wishing it was this simple, but will I need a more complicated router setup like the ER-X to get this done?
This should work fine, providing the subnets of the two networks are different. The subnet is (usually) defined as the first three numbers of the IP address, so the IP 192.168.1.23 is on the subnet 192.168.1.
The subnet of your house LAN is determined by the router (it can be changed, but it's easiest to leave as-is). So, for example if this is 192.168.1, you can then choose something like 192.168.2 for the camera LAN. Note that everything on the camera LAN, including the Mac mini, must be set up with a manual IP address (as there will be no DHCP server on this LAN to give out automatic IP addresses).
My other comment would be that it would be better to connect your Mac mini to your house LAN via wired Ethernet (e.g. using a USB-Ethernet dongle or Thunderbolt-Ethernet dongle), if this is possible given cabling/location considerations. Wired Ethernet is faster and more reliable than WiFi.
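An added Python helper, not part of the original reply, that checks the kind of two-interface addressing plan described above before any addresses are typed into cameras: the camera subnet must not overlap the house subnet, and every manually assigned address (the Mac's camera-side address and each camera) must sit inside the camera subnet, avoid the network and broadcast addresses, and be unique. The subnets and addresses in the usage section are constructed for the example; `same_24` is the "first three numbers" rule from the reply, written out for /24 networks.

```python
import ipaddress


def same_24(a: str, b: str) -> bool:
    """True when two addresses share their first three octets, i.e. the same /24 subnet."""
    net_a = ipaddress.ip_network(f"{a}/24", strict=False)
    return ipaddress.ip_address(b) in net_a


def check_static_plan(house_net: str, camera_net: str, mac_camera_ip: str, camera_ips):
    """Return a list of problems with a static addressing plan for a Mac with two interfaces
    (house LAN on one, a DHCP-less camera LAN on the other). An empty list means the plan is sound."""
    problems = []
    house = ipaddress.ip_network(house_net, strict=False)
    cams = ipaddress.ip_network(camera_net, strict=False)

    # Overlapping subnets leave the Mac unable to tell which interface a destination is on.
    if house.overlaps(cams):
        problems.append(f"camera subnet {cams} overlaps house subnet {house}")

    addrs = [ipaddress.ip_address(mac_camera_ip)]
    addrs += [ipaddress.ip_address(a) for a in camera_ips]
    seen = set()
    for a in addrs:
        if a not in cams:
            problems.append(f"{a} is outside the camera subnet {cams}")
        elif a in (cams.network_address, cams.broadcast_address):
            problems.append(f"{a} is the network or broadcast address of {cams}")
        if a in seen:
            problems.append(f"{a} is assigned twice")
        seen.add(a)
    return problems


if __name__ == "__main__":
    # Constructed example: house LAN on 10.0.0.0/24 (router-assigned), camera LAN on 192.168.1.0/24.
    good = check_static_plan("10.0.0.0/24", "192.168.1.0/24", "192.168.1.2",
                             ["192.168.1.10", "192.168.1.11", "192.168.1.12"])
    print("good plan problems:", good)
    # Same subnet on both interfaces: the classic mistake that makes "some websites not work".
    bad = check_static_plan("192.168.1.0/24", "192.168.1.0/24", "192.168.1.2", ["192.168.1.10"])
    print("overlapping plan problems:", bad)
```

Run it once with your own numbers before configuring the cameras; a single overlap or stray address in the list is a lot cheaper to find here than by unplugging cables.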
The SS wired LAN is on 192.168.1.x, and the main house WiFi LAN with 30-something devices is on 10.0.0.x via the cable router.
Everything generally works well on their respective sides of that Mac mini, but it’s odd that some websites don’t work via the house internet connection when the wired camera LAN is plugged into the Mac. Unplug the Ethernet, all websites work fine on the WiFi. Plug SS back in, same websites fail (including Amcrest for firmware updates, etc.)
Not a huge deal, as long as the cams work on the wired side, and the viewing access works from the WiFi side. It’s just one of my many spare 2012 Mac minis so no worry.
I can’t get viewcam.me to work for access from the internet, but that’s probably due to UPnP issues on the locked-down cable router. I may just use the great ngrok solution seen in your remote access blog post.
Just upgraded to v5 for h.265 out of the Amcrest cams, and the file sizes are way smaller hour-to-hour (h.264 2.5Gb/hour, h.265 about 80Gb/hour. Awesome difference.) However, I get lots of key frame errors that disables motion capture, but that’s for a different thread.
General stability, (relatively) tiny CPU and memory usage, feature set, etc., continue to make SS the most solid app I’ve ever run this long (years at a time). Big hats off to you and your team.
When you plug in that wire, it could be that the order of services in your system preferences is set to have that wire have a higher priority. As long as the cable is out, all traffic goes through the next available service, when you plug the cable in, it becomes the main connection. You can set the order of services with the cog in the System Preferences Network, left column. See if changing the order (wifi on top) solves your issue.
Beyond this, I really can't think of any reason why you are seeing this problem connecting to web sites. I have a similar setup here, with a separate wired LAN for cameras on a different subnet, and do not see any such issues.
Thanks for your comments about SecuritySpy - great to hear that you have been using it successfully for so long!
We are longtime users of SS for house and pet monitoring. We recently became interested in using it more for security. I have internet access in my shop provided by a TP-Link CPE510 in client mode so it is essentially a wireless LAN. The CPE510 is plugged into a TP-Link PoE switch to distribute service to an old iMac and an AirPort in bridge mode.
I installed 8MP Amcrest cameras and used the switch to power them. They overloaded the wireless connection and caused the C5400 router to need frequent rebooting. I tried various strategies to balance the traffic but none helped.
I read the blog post on a separate LAN for the cameras and thought I might apply a variant to solve the traffic problem. I used a port based VLAN to isolate the cameras and tie them to the iMac where SS is running. My understanding of networking is rudimentary so this has been a great opportunity to learn things. Like the IP of the wireless and the ethernet can't be the same, hah. The breakthrough was to discover that the service order, as mentioned above, gives me the wired cameras on the ethernet and the wireless cameras on wireless. The ethernet cameras don't appear to be able to access the internet.
Is there a way to build a wireless VLAN to isolate the wireless cameras? I do have an AC1750 I could use for the wireless cameras, how would I set that up?
TIA
For the wireless cameras, a separate WiFi access point that provides a dedicated WiFi network is probably the way to go, so that the cameras don't use bandwidth from your existing WiFi network. Assuming the AC1750 can be set to bridge mode (i.e. NAT/routing turned off), it could be used for this purpose. Just connect it into one of the ports on the switch that is set to the VLAN you created for the cameras.
However, I would always recommend connecting cameras by wired Ethernet rather than WiFi wherever possible, as this is more reliable and performant. Is this possible for you?
This is the situation. The Old Mac is a 2010 vintage and the newer one, 2017 i7, is in the house where I can monitor and review SS.
I have an unused 10/100 switch on the new Mac end that I could use for the AC1750. It is not a Gigabit switch, will that cause problems? The wireless cameras are not in places where I can put Ethernet cables. Bridge mode is available, I’ll see how that works.
Thank you!
Thank you
I would strongly recommend "pfSense" as a firewall software package - it's free, has support for pretty much every possible thing you might want, and it's easy to configure and any old PC you have laying around will work as well as a variety of custom-built options as well. And I've put what are probably hundreds of billions of packets through it with no crashes in the last few years. I use Cisco switching equipment here at home which is now absurdly inexpensive, even for more modern stuff, and it's pretty easy to get VLANs set up even if you're a beginner, once the light bulb goes off over your head as to how VLANs work. I also use VLANs to have many different WiFi SSIDs around my buildings, one of which is on the camera VLAN for the few wireless cameras I have still in place.
Cameras are like harbor rats - they carry a huge variety of communicable diseases, from privacy violations to malware to remote execution attacks. Don't let them talk to the Internet, EVER. I block maybe 1 packet per second from my highly varied camera network, trying to talk to various servers in China, eastern Europe, and at cloud providers.
I've all my cameras on non-internet LANs except one which has a firmware issue. In the process I've used wireless, Ethernet and Ethernet over USB through a hub. Part of the problem for home users is the wireless and the router are not separate and manageable for VLANs as all networks have internet access. Hence the need for a separate router on a different subnet. Using three network adapters allowed three subnets.
It sounds like you have some unusual bandwidth issues in your network or more specifically in the switches. 100% agreed with @jtodd that the cameras themselves should be part of a VLAN that keeps them off of the main network and, ideally, without a way out to the world (i.e. no access to the router).
The forum and the Blog post have helped enormously.
Thank you to all!