I have a Mikrotik RB3011. Im using it for my main router. I have 16 IP cams on the network. They are connected to a 18 port POE switch. How do I separate the 16 IP cams and put them on there own Lan or whatever its called? I basically want to take the 16 IP address for the Cameras and make sure they have no internet connection out. So I believe I need them on a private Lan.
Please help.
Is PoE switch used for cameras purpose only ?
If so , you can assign a different LAN subnet (included the routerboard ethernet port it connects to) and filter its outgoing traffic in firewall.
There is a few more things on the switch but I can move them off and put them on the Router. How do I set it up like you suggested? How can I islote the IPs for the cameras and just tell the router not to allow them to be allowed outside the netwrok?
Right now the cameras all have static IPs. I do not want to change the Subnet because it could change the IP address for the 16 cams. Is there another way?
If you want to stop IPs on the same router from talking to each other over layer2,
Then,
a. put them on VLANs and use FW rules to stop routing between them at layer 3
b. put them on a bridge, or everything else on a bridge (or two bridges)
and then use FW rules to block traffic between interfaces or bridges as appropriate.
The simple version is ensure the IPCams are on their own interface and own DHCP server
and then use FW rules to block them from other interfaces except the internet (if that is required)
If you must retain the subnet the cameras are on for that purpose, then move anything else to a different subnet and DHCP server and to a different interface.
Then you can uSE FW rules to block traffic between interfaces that dont need it.
I use deny rules at the end of my forward chain so traffic between interfaces is already dropped I just need to add ACCEPT rules
for such thinks as interface to WAN allow etc…
Create Address list for each of Cam IP’s, address list must have same name
Then block internet access for that address list
Ok I will try. I basically just do not want the IPs exposed to the internet. Internal is all I need.
How do I do this?
Nah bud, you have to try first at least, then come back if you have problems.
Here is a starting point:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list
Ok ill do my best and try to get this to work.
Thanks