Segregating IP Cameras on their own LAN
Our macOS CCTV software SecuritySpy allows you to set up an effective video surveillance system of any size, in both home and commercial settings.
The simplest setup for a LAN (Local Area Network) that includes network cameras is to have a central Ethernet switch with all devices, including the cameras, connected to it. This works well for small networks, but there are some problems with this setup that become especially important on larger networks:
- IP cameras generate constant traffic, which can slow down the LAN.
- Having cameras on the main LAN, with Internet access, can be a security risk.
- Larger PoE (Power-over-Ethernet) switches are expensive, have significant power consumption, and often contain noisy fans.
The solution to these problems is to segregate the IP cameras onto their own LAN. This solution has the following advantages:
- Camera traffic is completely separate and does not impact the normal LAN.
- Cameras do not have Internet access, removing the risk of them sending sensitive information over the Internet or being hacked.
- You can use a PoE switch that is no larger than you need it to be. Smaller PoE switches are less expensive, use less power, and are quieter.
Setting this up does require a bit of knowledge of IP addresses, so if you are not familiar with this topic, we would advise you to research how IP addresses work on local networks before proceeding. An example setup is as follows:
Step 1: Connect the Mac to both networks
This requires the Mac to have two Ethernet ports, in order to connect it to both switches. Most Macs have just one Ethernet port built in, apart from the Mac Pro which has two. You can add Ethernet ports via Thunderbolt-to-Ethernet adapters or USB-C-to-Ethernet adapters, which are available from Apple. Alternatively, you can use USB-3-to-Ethernet adapters, which are available from third parties.
Step 2: Configure the subnets
The key to running multiple LANs side by side is that they operate on different subnets. Each device on a LAN has an IP address comprising four numbers separated by full stops; the subnet is typically defined by the first three numbers. For example, if the LAN devices have IP addresses like 192.168.1.20, 192.168.1.21, etc., then the subnet is 192.168.1.
The router will decide which subnet is being used for the main LAN. It runs a DHCP service, which hands out IP addresses to devices automatically, to avoid the need to manually configure them. You can determine this subnet by referring to the Network system preference on any Mac that is connected to the main LAN.
The subnet used for the camera LAN can be anything within the private address space that is different from the main LAN. For example, if the main LAN uses the subnet 192.168.1, you can choose the subnet 192.168.2 for the camera LAN.
As the camera LAN does not have a DHCP service running on it, each device on this LAN, including the Mac, needs to be configured manually with a unique static IP address.
Assuming you are using the 192.168.2 subnet for the camera LAN as in the above example, set up the Mac with the manual IP address 192.168.2.1, via the Network system preference, and specify a subnet mask of 255.255.255.0. Do not specify a router address.
Step 3: Configure the cameras
Most cameras will obtain an IP address automatically via DHCP by default, in which case the easiest way to set them up is to first connect them to the main LAN, configure them, then move them to the camera LAN. The steps are as follows:
- Connect the camera to the main LAN (for power, temporarily use a PoE injector or separate power supply, or, temporarily disconnect the PoE switch from the Mac, connect it to the main switch, and connect the camera to the PoE switch – but note that this will temporarily take offline any other cameras already up and running on the camera LAN).
- Use our Network Device Finder utility to locate the camera; double-click on it to open its web interface.
- Set the camera to use a manually-assigned static IP address on the camera LAN (e.g. 192.168.2.x where x is unique). Note that as soon as you save this setting, the camera will become inaccessible from the main LAN.
- Disconnect the camera from the main LAN and connect it to the camera LAN.
- You do not need to give the camera a router address or DNS address, but if the camera requires these, you can specify a dummy address of 0.0.0.0 or 192.168.2.254.
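A check for the addressing plan built up in Steps 2 and 3, as an added example that is not part of SecuritySpy or the original article. The function name, the camera names and the sample addresses are constructed for illustration; it confirms that the camera subnet is private and separate from the main LAN, and that every static address is unique and usable.

```python
import ipaddress

# RFC 1918 private ranges: the "private address space" the camera LAN must sit in.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_camera_plan(main_lan, camera_lan, mac_ip, camera_ips):
    """Return a list of problems with a camera-LAN plan (empty list = plan is OK).

    main_lan / camera_lan: subnets in CIDR form, e.g. "192.168.2.0/24"
    mac_ip: static address of the Mac's second Ethernet port
    camera_ips: dict mapping a camera name (hypothetical labels) to its static IP
    """
    main = ipaddress.ip_network(main_lan)
    cam = ipaddress.ip_network(camera_lan)
    problems = []

    if not any(cam.subnet_of(net) for net in RFC1918):
        problems.append(f"{cam} is not in the private address space")
    if cam.overlaps(main):
        problems.append(f"{cam} overlaps the main LAN {main}")

    seen = {}  # address -> first device that claimed it
    for name, addr in [("Mac", mac_ip)] + sorted(camera_ips.items()):
        ip = ipaddress.ip_address(addr)
        if ip not in cam:
            # Typical mistake: camera still holds its old main-LAN address.
            problems.append(f"{name}: {ip} is outside {cam}")
        elif ip in (cam.network_address, cam.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address")
        if ip in seen:
            # No DHCP on the camera LAN, so duplicates are never caught for you.
            problems.append(f"{name}: {ip} is already used by {seen[ip]}")
        else:
            seen[ip] = name
    return problems


if __name__ == "__main__":
    # Constructed sample plan using the subnets from the article's example.
    plan = {"front-door": "192.168.2.10", "garage": "192.168.2.10",
            "driveway": "192.168.1.50"}
    for line in check_camera_plan("192.168.1.0/24", "192.168.2.0/24",
                                  "192.168.2.1", plan) or ["plan OK"]:
        print(line)
```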
Step 4: Add the cameras to SecuritySpy
Add the cameras to SecuritySpy via the Cameras section of the Preferences window using the static IP addresses that you configured in the previous step.
Step 5: Set up a local NTP time server for the cameras
As the cameras now have no access to the Internet, you may like to install an NTP server on your Mac to ensure that all cameras maintain the correct time.
Final notes
Once the cameras are on their own LAN, they can only be accessed from the Mac mini (which is on both networks) or from other devices on the camera LAN; they cannot be accessed by devices that are only on the main LAN, or from the Internet. The cameras themselves will not have Internet access.
This does not affect remote access to SecuritySpy from the Internet – this will still work in exactly the same way.
The above network diagram features the Netgear GS116LP and Netgear GS316 Ethernet switches, which are reliable and cost-effective, and a Mac mini, which is an ideal machine to run our Mac CCTV software SecuritySpy.