
Isolated LAN for Cameras and Security Spy

edited March 2018 in General
I finally got around to moving all my 16 cameras and SecuritySpy Mac to their own, isolated LAN (local area network). The cameras are only allowed NTP and DNS access, no DHCP, nothing inbound or outbound from the WAN. The SecuritySpy Mac was allowed special access to the outside world and can be accessed via the SecuritySpy server port. The SS Mac is also accessible from my main LAN.

Took three days programming a Ubiquiti EdgeRouter X (under $60). It is not a project for the faint of heart, but worthwhile to gain more granular control of my devices. Now I have a main LAN that can see everything, 2 restricted LANs, 1 super restricted camera LAN, and an isolated Guest VLAN. Each could be set up with firewall rules to enact isolation and desired access. I specify which LANs get WAN access and forward only the desired ports. Special access for the SS Mac was easy to create.

With this setup, a fair amount of unidentified camera traffic with the outside world is blocked. I can see the firewall blocking camera attempts to reach the outside world every few seconds. No more leaks. The cameras also can't touch any of my other LANs, call home, nor participate in a botnet.

Nice to finally get this done.

Comments

  • Thanks for taking the time to post this, it sounds like a great setup that will minimise security risks. As you have discovered, many cameras will make frequent Internet connections for various things - most are benign (NTP etc.) but you can never be sure, and there have been cases of cameras being hacked for botnets.

    My advice to other users who don't want to invest in such a complicated setup is to use strong passwords for your cameras and turn off their UPnP options so that they can't accept incoming connections from the Internet.
  • edited March 2018
    60,000 outbound packets blocked in 24 hours from my cameras. None of them have ever been exposed directly to the internet nor had UPnP enabled. I doubt they have been hacked, but their firmwares include calls that are not controllable from the user interface.

    All network services are turned off in their setups except those needed to stream video and synchronize clocks.

    Despite those precautions, some are still trying to access things on the internet.
    The packet payloads are small. Not like they are sending video streams.
    I'm really happy to be blocking all those communication attempts.

    My eventual router setup implemented:

    eth0 - WAN 0 - connects to cable modem with DHCP
    eth1 - 192.168.1.1/24 - LAN1 Main, full access to the internet. Hands out DHCP leases. CAN reach all other LANs
    eth2 - 192.168.2.1/24 - LAN2 SecuritySpy - no access to internet. No DHCP. Allows NTP and DNS. Cannot reach other LANs
    eth3 - 192.168.3.1/24 - LAN3 - full access to internet. Hands out DHCP leases. Cannot reach other LANs
    eth4 - 192.168.4.1/24 - LAN4 - full access to internet. Hands out DHCP leases. Cannot reach other LANs

    eth1.1003 - 10.10.10.1/24 - Guest WiFi VLAN (Apple Guest WiFi) with internet access. Cannot reach other LANs

    Took about 15 rules to implement proper isolation and desired, special accesses.

    SecuritySpy Macintosh and cameras live on the 192.168.2.0/24 subnet and are physically connected via PoE switches to LAN2 (eth2).
    All their addresses, netmasks and router addresses are set manually.
    Router has total control over LAN2 reaching the rest of the world.
    Potential malware on cameras cannot reach the internet to get commands nor call home.
    Even plugging into the LAN2 network via ethernet cable will NOT get a DHCP address, internet access, nor reach other LANs.

    Guest WiFi cannot see rest of network.

    Security Spy server Macintosh granted special permission to access the internet despite being on LAN2. This allows browsing from SS Mac, but no other LAN2 machines can browse or reach the internet.

    Exception made for NTP access to keep camera clocks in sync.

    Port forwarding from WAN into SS Macintosh (with hairpin NAT) allows SS server access from WAN and LAN1.

    Took me three days doing it from scratch. If someone wants to do similar to protect their SS setup, post here to let me know.

    I could put together a generic config file that could be uploaded to get most of the configuration done quickly. One would only need to edit a few things in the EdgeMax GUI and turn on hardware acceleration via the CLI.

    Because such a config file will take a few hours' work, I will create one only if someone is actually going to use an EdgeRouter X with their SS setup.
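    The isolation matrix described in this post and the original post (LAN1 sees everything, LAN2 restricted to NTP and DNS, the SS Mac given a special exception and a WAN port forward, the other LANs and the guest VLAN internet-only) can be checked as a model before it is typed into a router. The following is an added example, not the poster's EdgeRouter configuration: it encodes the policy as an ordered first-match rule list and evaluates sample new-connection flows against it. The SS Mac address (192.168.2.10), the forwarded SecuritySpy port (8000), DNS being served by the LAN2 router address, and all probe hosts are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Subnets as listed in the post; 10.10.10.0/24 is the guest VLAN on eth1.1003.
ZONES = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),   # main LAN, full access
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),   # cameras + SecuritySpy Mac
    "LAN3": ipaddress.ip_network("192.168.3.0/24"),
    "LAN4": ipaddress.ip_network("192.168.4.0/24"),
    "GUEST": ipaddress.ip_network("10.10.10.0/24"),
}
LAN2_ROUTER = ipaddress.ip_address("192.168.2.1")
# Assumed placeholders: the post gives neither the SS Mac's address nor the port.
SS_MAC = ipaddress.ip_address("192.168.2.10")
SS_PORT = 8000


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection; replies are implied (stateful filter)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Map an address to its zone; anything outside the listed subnets is WAN."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


# Ordered first-match rules: (description, predicate, action). Anything that
# matches no rule falls through to the default drop, as on the router.
RULES = [
    ("LAN1 reaches everything",
     lambda s, d, sz, dz, f: sz == "LAN1", "accept"),
    ("LAN2 DNS to its router (assumed resolver)",
     lambda s, d, sz, dz, f: sz == "LAN2" and d == LAN2_ROUTER and f.dport == 53, "accept"),
    ("LAN2 NTP out to the internet",
     lambda s, d, sz, dz, f: sz == "LAN2" and dz == "WAN" and f.proto == "udp" and f.dport == 123, "accept"),
    ("SS Mac special internet access",
     lambda s, d, sz, dz, f: s == SS_MAC and dz == "WAN", "accept"),
    ("WAN port forward to SS Mac",
     lambda s, d, sz, dz, f: sz == "WAN" and d == SS_MAC and f.proto == "tcp" and f.dport == SS_PORT, "accept"),
    ("restricted LANs and guest VLAN reach WAN only",
     lambda s, d, sz, dz, f: sz in ("LAN3", "LAN4", "GUEST") and dz == "WAN", "accept"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, matching rule description) for a new connection."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    sz, dz = zone_of(src), zone_of(dst)
    for name, pred, action in RULES:
        if pred(src, dst, sz, dz, flow):
            return action, name
    return "drop", "default drop"


# One representative host per zone (constructed); 192.168.2.20 plays a camera.
PROBE_HOSTS = {"LAN1": "192.168.1.50", "LAN2": "192.168.2.20", "LAN3": "192.168.3.50",
               "LAN4": "192.168.4.50", "GUEST": "10.10.10.50", "WAN": "203.0.113.5"}


def reachability(proto: str = "tcp", dport: int = 443) -> Dict[Tuple[str, str], bool]:
    """Which zone can open an ordinary connection into which other zone."""
    table = {}
    for sz, s in PROBE_HOSTS.items():
        for dz, d in PROBE_HOSTS.items():
            if sz != dz:
                table[(sz, dz)] = evaluate(Flow(s, d, proto, dport))[0] == "accept"
    return table


if __name__ == "__main__":
    for (sz, dz), ok in sorted(reachability().items()):
        print(f"{sz:5} -> {dz:5}: {'allowed' if ok else 'blocked'}")
    print(evaluate(Flow("192.168.2.20", "203.0.113.7", "tcp", 443)))  # a camera calling home
```

    Running it prints the zone-to-zone table; the useful check is that a camera on LAN2 reaches nothing except NTP and its resolver, while the SS Mac and the port forward still work. A rule set the router will enforce in a different order can be caught here before the three days of programming.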
  • edited April 2018
    Thanks a lot! Very useful advice. This is useful information
  • guykuo, Ben and joebell.
    Cameras are compliant with all National Security Laws, that means they phone home whether you approve of it or not. If it's imported and sold as retail in your country, it 'phones home' under several methods; hint: check your DNS activity in Console and your local WiFi sniffer software, even if you have all the WiFi in your cameras and routers off.
    The newer OS X systems are also fully compliant, i.e. you can't turn off IPv6, and the functions of the 'Firewall' rules in the Security System Preferences will not allow them to be completely blocked.
    That being said... there are some things you can do to get better service levels from your network and reduce the factors that cause concern.
    On little units like the Edgerouter, their log traffic tells you they are busy, but not with what.
    Culprits include running poor or mediocre Cat5e cabling for PoE support over more than 60 meters per subnet, high powered external towers and EM devices you can't control, running the high FPS channels to multiple receiving devices, etc. Even recompression in SecuritySpy for added controls like Masking and TimeStamp causes additional two-way traffic.
    Narrowing down physical causes can reduce some of the packet throughput which can look like unauthorized traffic. Download the X11 package and Wireshark, and teach yourself the basics of 'packet sniffing' from their excellent online tutorials.
    If it's out of your league for a setup like guykuo has done, you can hire specialists online who can do this from outside, but you control the ball. TeamViewer gets the basics done, but at all times have the outsiders work with generic passwords which you change for a strong one later... (hint, NEVER type an admin password live while in TeamViewer, the authorities monitor this traffic also).
    If you do have real suspicions about outside hitters, or curious teenagers inside your local ISP, contact them to have a firmware change on your router, or to cycle the IP address from their DHCP table, or to flush your DNS cache, all legally allowed and most ISPs are happy to comply as they don't want to answer to authorities for unauthorized packets on their network.
    The manufacturing of most basic IP cameras points to only 3 or 4 trusted board makers and their respective firmware. That means script kiddies and the real troublemakers know their weak points. But having VERY strong passwords (i.e. 40+ hexadecimal characters on a USB stick in a note file) slows down their bots' attempts to guess correctly.

    So, lastly, Ben, as a long time user (more than 8 years) I would like a feature added to SecuritySpy: a logging tracker that watches the ports and goes further than the logging that occurs now. Wireshark can be used as an alternative, but we require some script writing from your end to set proper filters on what is moving.

    Many thanks for your dedication to this platform.


  • Looking at my Edgerouter stats for the last 3 months there is little doubt in my mind that isolating the cameras from "calling home" is a good thing.

    My rule restricting the camera/SecuritySpy subnet blocked, in that period...
    88,042,381 packets headed to the outside world.
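    The counts quoted in this thread (60,000 packets in a day, 88 million in three months) come from the router's drop counters, which say how much was blocked but not by which camera or toward what. An added example, not the poster's tooling: the script below parses firewall log lines in the bracketed `[RULESET-RULE-ACTION]` prefix form that EdgeOS's iptables logging writes, and summarises blocked outbound attempts per camera and per destination so the noisy devices and their targets stand out. The log lines are constructed for the example (documentation-range destination addresses, abbreviated field lists) and approximate the real format; the allow-list of expected flows (NTP and DNS) mirrors the policy described earlier in the thread.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the shape of EdgeOS firewall logging (iptables LOG
# output behind a [ruleset-rule-action] prefix); not a real capture.
SAMPLE_LOG = """\
Mar 10 02:14:07 ubnt kernel: [LAN2_OUT-default-D]IN=eth2 OUT=eth0 SRC=192.168.2.20 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=40231 DPT=443 SYN
Mar 10 02:14:09 ubnt kernel: [LAN2_OUT-default-D]IN=eth2 OUT=eth0 SRC=192.168.2.20 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=40232 DPT=443 SYN
Mar 10 02:14:12 ubnt kernel: [LAN2_OUT-default-D]IN=eth2 OUT=eth0 SRC=192.168.2.21 DST=198.51.100.44 LEN=44 TTL=64 PROTO=UDP SPT=51000 DPT=8000
Mar 10 02:14:15 ubnt kernel: [LAN2_OUT-default-D]IN=eth2 OUT=eth0 SRC=192.168.2.21 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=40233 DPT=80 SYN
Mar 10 02:14:20 ubnt kernel: [LAN2_OUT-10-A]IN=eth2 OUT=eth0 SRC=192.168.2.22 DST=198.51.100.10 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123
Mar 10 02:14:21 ubnt kernel: [LAN2_OUT-default-D]IN=eth2 OUT=eth0 SRC=192.168.2.22 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=40234 DPT=443 SYN
"""

# Prefix is [<ruleset>-<rule>-<A|D>]; the lazy ruleset match tolerates hyphens in names.
PREFIX_RE = re.compile(r"\[(?P<ruleset>.+?)-(?P<rule>\w+)-(?P<action>[AD])\](?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Flows a camera is expected to make under the LAN2 policy: NTP and DNS only.
EXPECTED = {("UDP", 123), ("UDP", 53), ("TCP", 53)}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the prefix fields plus KEY=VALUE pairs, or None for non-firewall lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"ruleset": m.group("ruleset"), "rule": m.group("rule"), "action": m.group("action")}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec


def summarize(log_text: str) -> Dict[str, object]:
    """Count dropped/accepted packets and break drops down by camera and destination."""
    by_source: Counter = Counter()
    by_destination: Counter = Counter()
    unexpected: Counter = Counter()
    dropped = accepted = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        proto, dport = rec.get("PROTO", "?"), int(rec.get("DPT", 0))
        if rec["action"] == "A":
            accepted += 1
            continue
        dropped += 1
        by_source[rec["SRC"]] += 1
        by_destination[(rec["DST"], proto, dport)] += 1
        if (proto, dport) not in EXPECTED:
            # Blocked and not NTP/DNS: the "phoning home" traffic the thread describes.
            unexpected[(rec["SRC"], rec["DST"], proto, dport)] += 1
    return {
        "dropped_total": dropped,
        "accepted_total": accepted,
        "by_source": dict(by_source),
        "by_destination": dict(by_destination),
        "unexpected": dict(unexpected),
    }


def top_talkers(summary: Dict[str, object], n: int = 3) -> List[tuple]:
    """Cameras with the most blocked outbound packets, busiest first."""
    return Counter(summary["by_source"]).most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"dropped={s['dropped_total']} accepted={s['accepted_total']}")
    for src, count in top_talkers(s):
        print(f"  {src}: {count} blocked")
    for (src, dst, proto, dport), count in s["unexpected"].items():
        print(f"  {src} -> {dst} {proto}/{dport} x{count}")
```

    On a real router the input would be the output of `show log` or the syslog file, and the firewall rule in question must have logging enabled for lines to appear at all. The `unexpected` map is the part worth watching over time: a new destination/port pair appearing for one camera after a firmware update is exactly what the drop counter alone would hide.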
  • I would very much like to see your ER setup since I think I have blocked my Sunba and Wyze cameras from phoning home but would very much like to see your setup.
    Thanks,
    Martin
  • Finally got around to doing a tutorial. Wasn't practical to do with this forum's limited formatting, but you can find it at...

    https://ipcamtalk.com/threads/ubiquity-edgerouter-x-configuring-to-isolate-surveillance-networks.45038/
  • I use several Pi-holes as a DNS server. You have control of what can be outbound/inbound by blocking and whitelisting. Works very well, been using it for years. Also have OpenVPN installed on the Pis.
  • edited April 2020
    [long time SS user here, way back to v1]

    I know this is long after the original post, but I want to do a similar thing. Just wondering if this is the only approach or if there might be something more simple lurking.

    Like the original post, I want to place my IP cameras onto their own LAN, that doesn't touch the internet at all. I have Amcrest IP cameras connected to a cheap BV-Tech PoE switch, connected to the Ethernet port on my 2012 Mac mini. Everything on this separate wired LAN has static IPs. The Mac then is connected to the internet via my main house LAN on WiFi using the separate built-in AirPort adapter.

    I want the cameras to communicate to SS on their own LAN, with no internet at all, and have SS and the rest of things on the Mac in general use Wifi for internet. I connect to that Mac via other devices on the home wifi and would want to connect to the SS Server from the outside world. The Mac seems confused where to route certain traffic because some websites work and some don't.

    I was wishing it was this simple, but will I need a more complicated router setup like the ER-X to get this done?
  • Ben
    edited May 2020
    Hi @Turbo, good to hear from such a long-time user!

    This should work fine, providing the subnets of the two networks are different. The subnet is (usually) defined as the first three numbers of the IP address, so the IP 192.168.1.23 is on the subnet 192.168.1.

    The subnet of your house LAN is determined by the router (it can be changed, but it's easiest to leave as-is). So, for example if this is 192.168.1, you can then choose something like 192.168.2 for the camera LAN. Note that everything on the camera LAN, including the Mac mini, must be set up with a manual IP address (as there will be no DHCP server on this LAN to give out automatic IP addresses).

    My other comment would be that it would be better to connect your Mac mini to your house LAN via wired Ethernet (e.g. using a USB-Ethernet dongle or Thunderbolt-Ethernet dongle), if this is possible due to cabling/location considerations. Wired Ethernet is faster and more reliable than WiFi.
  • edited April 2020
    Thanks Ben!

    The SS wired LAN is on 192.168.1.x, and the main house WiFi LAN with 30-something devices is on 10.0.0.x via the cable router.

    Everything generally works well on their respective sides of that Mac mini, but it’s odd that some websites don’t work via the house internet connection when the wired camera LAN is plugged into the Mac. Unplug the Ethernet, all websites work fine on the WiFi. Plug SS back in, same websites fail (including Amcrest for firmware updates, etc.)

    Not a huge deal, as long as the cams work on the wired side, and the viewing access works from the WiFi side. It’s just one of my many spare 2012 Mac minis so no worry.

    I can’t get viewcam.me to work for access from the internet, but that’s probably due to UPnP issues on the locked-down cable router. I may just use the great ngrok solution seen in your remote access blog post.

    Just upgraded to v5 for h.265 out of the Amcrest cams, and the file sizes are way smaller hour-to-hour (h.264 2.5Gb/hour, h.265 about 80Gb/hour. Awesome difference.) However, I get lots of key frame errors that disable motion capture, but that’s for a different thread.

    General stability, (relatively) tiny CPU and memory usage, feature set, etc., continue to make SS the most solid app I’ve ever run this long (years at a time). Big hats off to you and your team.
  • @turbo,
    When you plug in that wire, it could be that the order of services in your system preferences is set to have that wire have a higher priority. As long as the cable is out, all traffic goes through the next available service, when you plug the cable in, it becomes the main connection. You can set the order of services with the cog in the System Preferences Network, left column. See if changing the order (wifi on top) solves your issue.
  • Also, for your Mac's network setup for the wired camera LAN, make sure you have only specified an IP address (192.168.1.x) and subnet (255.255.255.0). Do not specify a router address or any DNS servers. Without a router address, your Mac should not try to use this network for any IP that isn't on the 192.168.1 subnet.

    Beyond this, I really can't think of any reason why you are seeing this problem connecting to web sites. I have a similar setup here, with a separate wired LAN for cameras on a different subnet, and do not see any such issues.

    Thanks for your comments about SecuritySpy - great to hear that you have been using it successfully for so long!
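    Ben's two points (the two subnets must differ, and the camera-side interface should carry no router address or DNS servers) and eljonco's point about service order all come down to how the Mac picks an interface for each destination. The following is an added example, not code from SecuritySpy or from any poster: a simplified model of that decision (directly connected subnet first, otherwise the first interface in service order that has a router), with an audit of the camera interface's settings. The addresses (192.168.1.40/24 wired, 10.0.0.23/24 WiFi, 192.168.1.1 and 10.0.0.1 as routers) and the interface names are assumptions based on the subnets mentioned in this thread; macOS's real routing table has more cases than this model covers.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Interface:
    """One entry in System Preferences > Network, in service order."""
    name: str
    address: str                       # e.g. "192.168.1.40/24"
    router: Optional[str] = None       # default gateway, or None if left blank
    dns: List[str] = field(default_factory=list)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def choose_interface(interfaces: List[Interface], destination: str) -> Tuple[Optional[str], str]:
    """Return (interface name, reason) a host would use to reach `destination`.

    Simplified model: a directly connected subnet always wins; anything else
    goes out of the first interface in service order that has a router set.
    """
    dst = ipaddress.ip_address(destination)
    for itf in interfaces:
        if dst in itf.network:
            return itf.name, "directly connected"
    for itf in interfaces:
        if itf.router is not None:
            return itf.name, f"default route via {itf.router}"
    return None, "no route"


def subnets_distinct(a: str, b: str) -> bool:
    """Ben's first requirement: the two networks must not overlap."""
    na, nb = ipaddress.ip_interface(a).network, ipaddress.ip_interface(b).network
    return not na.overlaps(nb)


def audit_camera_interface(itf: Interface, house_lan: Interface) -> List[str]:
    """Ben's second requirement: address and mask only on the camera side."""
    problems = []
    if itf.router is not None:
        problems.append(f"{itf.name}: router address set ({itf.router}); leave it blank")
    if itf.dns:
        problems.append(f"{itf.name}: DNS servers set ({', '.join(itf.dns)}); leave them blank")
    if not subnets_distinct(itf.address, house_lan.address):
        problems.append(f"{itf.name}: subnet overlaps {house_lan.name} ({house_lan.network})")
    return problems


# Constructed scenario: wired camera LAN listed first in service order, with a
# router address filled in on the camera side (the misconfiguration suspected
# in this thread), and the corrected version beside it.
MISCONFIGURED = [
    Interface("Ethernet (cameras)", "192.168.1.40/24", router="192.168.1.1", dns=["192.168.1.1"]),
    Interface("Wi-Fi", "10.0.0.23/24", router="10.0.0.1", dns=["10.0.0.1"]),
]
CORRECTED = [
    Interface("Ethernet (cameras)", "192.168.1.40/24"),
    Interface("Wi-Fi", "10.0.0.23/24", router="10.0.0.1", dns=["10.0.0.1"]),
]
WEBSITE, CAMERA = "93.184.216.34", "192.168.1.101"   # example.com and a camera (constructed)

if __name__ == "__main__":
    for label, setup in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, "website ->", choose_interface(setup, WEBSITE))
        print(label, "camera  ->", choose_interface(setup, CAMERA))
        for p in audit_camera_interface(setup[0], setup[1]):
            print("  ", p)
```

    With the router field filled in and the wired service on top, every non-local destination leaves via the camera cable and never reaches the internet, which matches the symptom of some sites failing only while the Ethernet is plugged in. Either fix in the thread resolves it in this model: blank the router on the camera interface, or move Wi-Fi to the top of the service order.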
  • Thanks eljonco and Ben. Both suggestions make perfect sense. I’ll make those changes soon and will report back when I can.
  • I thought it would be a good idea to write up how to implement a separate LAN for segregating IP cameras, as I think this would be useful for many users. Here's the blog post: Segregating IP Cameras on their own LAN.
  • I hope this is not too old a post to comment on?

    We are longtime users of SS for house and pet monitoring. We recently became interested in using it more for security. I have internet access in my shop provided by a TP-Link CPE510 in client mode so it is essentially a wireless LAN. The CPE510 is plugged into a TP-Link PoE switch to distribute service to an old iMac and an AirPort in bridge mode.

    I installed 8MP Amcrest cameras and used the switch to power them. They overloaded the wireless connection and caused the C5400 router to need frequent rebooting. I tried various strategies to balance the traffic but none helped.

    I read the blog post on a separate LAN for the cameras and thought I might apply a variant to solve the traffic problem. I used a port based VLAN to isolate the cameras and tie them to the iMac where SS is running. My understanding of networking is rudimentary so this has been a great opportunity to learn things. Like the IP of the wireless and the ethernet can't be the same, hah. The breakthrough was to discover that the service order, as mentioned above, gives me the wired cameras on the Ethernet and the wireless camera on wireless. The Ethernet cameras don't appear to be able to access the internet.

    Is there a way to build a wireless VLAN to isolate the wireless cameras? I do have an AC1750 I could use for the wireless cameras, how would I set that up?

    TIA
  • I'm surprised you had WiFi problems with the Amcrest cameras connected into the switch - when the Mac and the cameras are plugged into the same switch, the traffic should not have been reaching the other devices nor hitting the WiFi network at all. I am assuming that you are running SecuritySpy on the "old iMac" that you mention that is plugged into the switch? If, instead, SecuritySpy is running on a Mac that is connected to the WiFi then that is another story - that could indeed cause WiFi problems.

    For the wireless cameras, a separate WiFi access point that provides a dedicated WiFi network is probably the way to go, so that the cameras don't use bandwidth from your existing WiFi network. Assuming the AC1750 can be set to bridge mode (i.e. NAT/routing turned off), it could be used for this purpose. Just connect it into one of the ports on the switch that is set to the VLAN you created for the cameras.

    However, I would always recommend connecting cameras by wired Ethernet rather than WiFi wherever possible, as this is more reliable and performant. Is this possible for you?
  • “If, instead, SecuritySpy is running on a Mac that is connected to the WiFi then that is another story - that could indeed cause WiFi problems.”

    This is the situation. The Old Mac is a 2010 vintage and the newer one, 2017 i7, is in the house where I can monitor and review SS.

    I have an unused 10/100 switch that I could use on the new Mac end for the AC1750. It is not a Gigabit switch, will that cause problems? The wireless cameras are not in places that I can put Ethernet cables. Bridge mode is available, I’ll see how that works.

    Thank you!
  • I would recommend sticking to Gigabit switches only. And, ideally, have one single Gigabit switch as the centre of your network that everything connects into (router, Mac, cameras, access point). Or, for two separate networks, you have two gigabit switches (or two halves of the same Gigabit switch under VLAN port-based isolation), where for each network, all devices connect into their respective switch.
  • I’ve ordered a new Gigabit switch. I’ll see what I can do to implement your suggestions.

    Thank you
  • Browsing here, and a few comments: I've been running SS as well for many, many years in at least 6 different environments. In all of them, the model has been to isolate the cameras on a separate VLAN which has no access to the outside world. The Mac running SS has its primary interface (the built in ethernet, or one of them) connected to that same VLAN, and a secondary interface which can talk to my other VLANs or "the Internet".

    I would strongly recommend "pfSense" as a firewall software package - it's free, has support for pretty much every possible thing you might want, and it's easy to configure, and any old PC you have lying around will work, as will a variety of custom-built options. And I've put what are probably hundreds of billions of packets through it with no crashes in the last few years. I use Cisco switching equipment here at home which is now absurdly inexpensive, even for more modern stuff, and it's pretty easy to get VLANs set up even if you're a beginner, once the light bulb goes off over your head as to how VLANs work. I also use VLANs to have many different WiFi SSIDs around my buildings, one of which is on the camera VLAN for the few wireless cameras I have still in place.

    Cameras are like harbor rats - they carry a huge variety of communicable diseases, from privacy violations to malware to remote execution attacks. Don't let them talk to the Internet, EVER. I block maybe 1 packet per second from my highly varied camera network, trying to talk to various servers in China, eastern Europe, and at cloud providers.
  • I appreciate the thoughts on pfSense, although for now it appears far above my understanding of a managed network. The reinforcement of camera access to the internet is understood.

    I've all my cameras on non-internet LANs except one which has a firmware issue. In the process I've used wireless, Ethernet and Ethernet over USB through a hub. Part of the problem for home users is the wireless and the router are not separate and manageable for VLAN as all networks have internet access. Hence the need for a separate router on a different subnet. Using three network adapters allowed three subnets.
  • edited November 2020
    As a point of reference: I have six 5MP (1920x1080) h.264 cameras connected to a 10/100 PoE switch (an ancient Cisco 3560POE). That switch is in turn connected via gigabit SFP to my main switch, another ancient Cisco 2970G. My SS server is connected to that gigabit switch. No issues at all with frames dropping over the past few years I've been running SS and the cameras are all running between 20 and 30fps. I've even been experimenting with a HomeAssistant VM and it sets up another 6 h.264 streams from the cameras on that 10/100 switch and there are no frames dropping.

    It sounds like you have some unusual bandwidth issues in your network or more specifically in the switches. 100% agreed with @jtodd that the cameras themselves should be part of a VLAN that keeps them off of the main network and, ideally, without a way out to the world (i.e. no access to the router).
  • All cameras access the SS server without access to the internet. In the process I also set up hardwire access to the entertainment center so it is off the wireless as well. Our WiFi traffic is down to handhelds and iMac traffic. The difference is night and day with virtually no dropped traffic to the SS server or for entertainment.

    The forum and the Blog post have helped enormously.

    Thank you to all!