by dervjd 1573 days ago
Once you step up from consumer level (Nest/Ring/Wyze) cameras, you'll find that nearly every IP camera supports the standard RTSP/ONVIF format. They don't need any internet access to function. Standard practice is to secure them by using a dedicated VLAN (so they can't talk to anything else on your network) and default deny firewall rules (so they can't get to the Internet or other parts of your network). It's definitely not plug-and-play, but if you have experience setting up networks it's pretty straightforward. If you want remote access to the cameras while off your local network, you'll need to set up a VPN.

I have a bunch of Hikvision cameras (DS-2CD2342WD-I) that were about $120/each that I'm happy with. I don't have any security concerns about them phoning home or doing anything nefarious, because they're completely segregated on their own locked down network.

If you want to record, you'll need to set up an NVR. You can buy one (i.e. https://amzn.to/3HFNEWw) or run software on your own server. I use Milestone XProtect's free license at one site, and Synology's Surveillance Station at another. You could also look for cameras that have an SD card slot built in, and configure recording directly on the camera.


I have never accepted the “separate VLAN” approach as safe. You must assume those devices are actively hostile, so you must maintain perfect security and constant vigilance.

To borrow an idea I first heard uttered about male birth control: it makes less sense to put on a bulletproof vest than it does to take the bullets out of the gun.

Why allow hostile devices on your network at all? How does this not end up with you eventually shooting yourself in the foot?

The issue here is that HikVision is a Chinese company, and they have been widely known to supply equipment to the government to aid in the suppression of the Uighur people. Same with Dahua.

The next problem is that both these companies operate under a very wide array of brands, hundreds if not thousands of names, some of which you might recognize and may have thought that they were separate. Lorex is one such brand. Many more can be found at https://securitycamcenter.com/hikvision-oem-list/ and https://securitycamcenter.com/dahua-oem-list/ among others.

Next, you have the other companies like Wyze that take Dahua hardware and put their own firmware on it.

So, if you want to use hardware from a company that is not compromised like HikVision or Dahua, the options get much more limited. At that point, you might want to start looking at building your own on top of the Raspberry Pi plus their camera options.

Personally, I'm still looking for someone who has decided to commercialize cameras based on the Raspberry Pi, so that I can buy a whole stack of them at once and I don't have to build them all myself.

As an embedded engineer, I wonder if it would be possible for me to become a VAR for one of those Chinese companies, such that I could get enough of their hardware specs to do a full-featured clean room implementation of the firmware that then could be released as open source. I don't want to make hardware, but I could build out a Yocto-based distribution. Or has someone already done this?

I think that is basically what Wyze has done, only they haven't released their firmware.

There are open source versions of firmware for Wyze/Dahua cameras, but I believe they include major components that are just black boxes from the OEM. I don't know how much of that you would be able to reverse engineer in a clean room.

Thank you for those links. I tried avoiding Dahua and Hikvision. I went with Amcrest, only to find it on the Dahua list. :(

Luckily I only spent $150 for 3 cameras.

Yeah, when I saw Amcrest on the list, I figured out that something like that might have happened.

Sorry to be the bearer of bad news!

I've been trying for a long time to learn how to set up this "separate VLAN" stuff. Do you have a resource you could recommend? :)

It's a router/switch/firewall thing. You're building multiple virtual LANs and using them to separate the traffic.

You could implement VLANs in your core switch for the house, maybe using Mikrotik or other managed switches that are VLAN-capable. That might allow you to use a simpler router that doesn't need to understand how

You could implement VLANs in your router or gateway or firewall, depending on your hardware. In that case, you might be able to use simpler and less expensive unmanaged switches.

Exactly how those devices implement VLANs is going to differ somewhat. It might be easy to configure a switch for VLANs, where a given port or group of ports are on one VLAN, and a different port or group of ports might be on a different VLAN. Implemented at the router/gateway/firewall level, you might have to make those assignments based on MAC addresses, and/or internal IP addresses if you can tie that into your DHCP service.

VLANs can be complex to set up, depending on where and how they are configured. And they're not a panacea. But they can be very helpful, if implemented correctly.

A VLAN is a separate broadcast domain in Ethernet networks. VLANs prevent communication between different VLANs unless you set it up for inter-VLAN routing. That's why they suggest putting these untrusted devices on a separate VLAN (isolation). Typically you assign a whole new group of IP addresses for each VLAN ID.

For example: camera network - vlan 10 - 10.0.10.0 255.255.255.0

wifi network - vlan 11 - 10.0.11.0 255.255.255.0

wired network - vlan 12 - 10.0.12.0 255.255.255.0

pfsense supports VLANs. Lawrence Systems on YouTube covers pfsense a lot. This is one video where they talk about setting up VLANs in pfsense: https://www.youtube.com/watch?v=b2w1Ywt081o

On the wifi side, the TPLink EAP245 access point allows you to configure multiple SSIDs, each with separate VLANs, so that you can have one set of devices connect to one SSID, another group of devices to another SSID and so on. pfsense firewall rules can be configured to prevent the devices on separate VLANs from seeing each other. You can also block internet access for one VLAN, and have the wireless IP cameras connect to it.
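Putting the two pieces of advice in this thread together (the top comment's dedicated camera VLAN with default-deny firewall rules and a VPN for remote access, and the vlan 10/11/12 address plan in the comment just above), here is one concrete ruleset as an added example; it is not from any commenter and not from pfSense, which uses pf and its GUI rather than this syntax, though the policy expressed is the same. It assumes a Linux router running nftables with 802.1Q sub-interfaces named eth0.10, eth0.11 and eth0.12 for the three VLANs, an uplink named wan0 and a WireGuard interface named wg0 for the VPN; the NVR address 10.0.12.5 and the camera ports (ONVIF/HTTP 80, HTTPS 443, RTSP 554) are constructed for the example and should be checked against the camera's own documentation.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumed interface names:
#   eth0.10 = camera VLAN (10.0.10.0/24), eth0.11 = wifi VLAN, eth0.12 = wired VLAN,
#   wan0 = internet uplink, wg0 = WireGuard VPN for remote access.
# The NVR address 10.0.12.5 and the camera ports are constructed assumptions.
flush ruleset

define wan     = "wan0"
define vpn     = "wg0"
define cam_if  = "eth0.10"
define wifi_if = "eth0.11"
define lan_if  = "eth0.12"
define cam_net = 10.0.10.0/24
define nvr     = 10.0.12.5

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Cameras may reach the router only for DHCP and NTP (assumes the router
        # serves time), so their recordings get correct timestamps without internet.
        iifname $cam_if udp dport { 67, 123 } accept
        # Wired LAN may manage the router; wifi gets DNS and DHCP only.
        iifname $lan_if accept
        iifname $wifi_if udp dport { 53, 67 } accept
        iifname $wifi_if tcp dport 53 accept
        # VPN clients may use the router's DNS.
        iifname $vpn udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only the NVR opens connections into the camera VLAN: ONVIF/HTTP, HTTPS, RTSP.
        # Replies flow back via the established/related rule above.
        iifname $lan_if oifname $cam_if ip saddr $nvr ip daddr $cam_net tcp dport { 80, 443, 554 } accept
        # Remote access as the top comment describes: VPN clients reach the NVR only,
        # never the cameras directly.
        iifname $vpn oifname $lan_if ip daddr $nvr tcp dport { 443, 554 } accept
        # Trusted VLANs reach the internet. The camera VLAN matches nothing here,
        # so camera-initiated traffic to the internet or to other VLANs is dropped.
        iifname { $lan_if, $wifi_if } oifname $wan accept
        # Log what the default deny catches; a camera trying to phone home shows up here.
        log prefix "fwd-drop: " drop
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and then watch `fwd-drop:` entries in the kernel log for a day: any line with a source in 10.0.10.0/24 is a camera attempting an outbound connection the policy refused, which is exactly the "phoning home" the top comment says the segregated network makes harmless. Because inter-VLAN routing is denied by default, ONVIF's multicast discovery will not find the cameras from the wired VLAN; the NVR has to be configured with the camera addresses directly.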