Chinese IP Cameras

I created a few IPs (a /28) in my DHCP range which I have set aside for IP cameras (Hikvision, Dahua, etc.), then I made a firewall rule for these IPs:

/ip firewall filter
add action=drop chain=forward comment="No Outside Access" dst-address=!192.168.0.0/16 src-address=192.168.110.128/28

I have noticed a lot of attempts to connect to a few various Chinese-based IPs (not DNS requests) after implementing this. I’m hoping this rule will be enough to keep my LAN safe from whatever chatter is going on.

Sounds like something I’d really love to have in my network. :wink: Maybe in VLAN, completely isolated from everything else.

What happens if those devices are served a DHCP assignment without a gateway being defined?

Without a gateway they will not go outside.

A lot of these Chinese IP cameras use P2P networking to their “cloud based” servers for viewing from anywhere. I will tread very carefully when providing access to my LAN and Internet for these.

In theory yes. I’d be interested to see somebody verify that. And to verify that they still function properly if connected from within same LAN segment.

Yeah, I was thinking they may not pull a DHCP address without a gateway; I plugged in an ‘Anpvis’ IP camera where that seemed to be the case.

I’m not sure running a VLAN through my LAN would do anything? That would just be a different port on my router, going to the same unmanaged switch?

The worst part was how long I didn’t have this rule :open_mouth: even though I knew I should have.

I also have a bunch of Chinese cameras at home. I created a dedicated VLAN for them that is firewalled so that they can get to the internet (required for remote viewing), and nothing else on my home networks.
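An added worked example (not from any of the posts in this thread) of how the drop rule from the first post and the internet-only VLAN variant from the post above can be written in RouterOS with address lists and a log rule in front of the drop, so the outbound connection attempts become visible in the router log with their destination addresses; the interface name ether1-wan and the NVR_IP value are assumed placeholders.

```routeros
# Added example, not from the thread. Camera pool and LAN range taken from the first post.
/ip firewall address-list
add list=cameras address=192.168.110.128/28 comment="IP camera pool"
add list=lan address=192.168.0.0/16 comment="All local networks"

/ip firewall filter
# Let replies through first, so cameras can answer a viewer or recorder on the LAN
# (the default RouterOS config already has an equivalent rule).
add chain=forward action=accept connection-state=established,related \
    comment="Allow replies"

# Log each NEW outbound session from a camera before it is dropped. The log then
# shows the "attempts to connect to Chinese IPs" with src/dst address and port.
add chain=forward action=log log-prefix="CAM-OUT " connection-state=new \
    src-address-list=cameras dst-address-list=!lan

# Variant A (first post): cameras get no outside access at all.
add chain=forward action=drop comment="Cameras: no outside access" \
    src-address-list=cameras dst-address-list=!lan

# Variant B (VLAN post): cameras may reach the internet for remote viewing but
# nothing else on the home networks. Use INSTEAD of variant A. ether1-wan and
# NVR_IP are placeholders for the WAN interface and the allowed recorder.
#add chain=forward action=accept src-address-list=cameras out-interface=ether1-wan \
#    comment="Cameras: internet only"
#add chain=forward action=accept src-address=NVR_IP dst-address-list=cameras \
#    connection-state=new comment="Recorder may initiate to cameras"
#add chain=forward action=drop src-address-list=cameras dst-address-list=lan \
#    comment="Cameras: nothing else local"

# Keep the cameras away from the router's own services as well (input chain):
# allow only DNS and NTP to the router, drop everything else they send to it.
add chain=input action=accept protocol=udp dst-port=53,123 \
    src-address-list=cameras comment="Cameras: DNS/NTP to router"
add chain=input action=drop src-address-list=cameras \
    comment="Cameras: nothing else to router"
```

Check the result with /log print where message~"CAM-OUT" after the cameras have been running for a while.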

Do not forget to route them through anonymous proxy or gateway.

Or use ONVIF cameras together with your NAS and stop those cameras’ outbound communication altogether.

Btw - same applies for all IoT devices (including Win10 computers)!