VLAN for Security Cameras HowTo

Wed Feb 12, 2020 2:07 pm

Your feedback on how to configure the setup below would be greatly appreciated.
Looking on how to design (architect?) a VLAN for IP cameras. I would like the IP cameras to NOT have access to the internet nor the rest of the network.

There is a small network, with the following equipment (everything network related is Mikrotik).
- one RB4011 as the router, DHCP server, and DNS
- two CRS326-24G-2S+RM
- one RB951G (wifi AP)
- one CRS112-8P-4S-IN (for PoE into IP cameras)
- one DVR (ip camera) with ZoneMinder installed
- two IP cameras
Network Map.png
The RB4011 serves the DHCP pool of It also has six static IPs for different machines.

I have been reading the Mikrotik wiki and watching a couple of videos for information on VLANs.
Yet I'm still lost on how to set it up.

The IP cameras at the moment are only on the 1st floor, yet eventually there will be IP cameras all over the facility.
Thus I think it would be best to inter-connect the CRS326 switches with "VLAN trunks"?
From the little I have learned I think Mikrotik calls "VLAN trunks" tagged ports?

Where do I start? At the main router (RB4011)?
It would be ideal to have the IP cameras on their own network (small DHCP pool of
Who would serve this pool? The main RB4011?

Then the DVR machine, I would like it to be able to receive the data from the cameras, yet also be accessible from the main network.
Main network:
IP cams: VLAN-30

How can I go about this?

Thank you for your help... I'm just quite lost on how to start.
Re: VLAN for Security Cameras HowTo

Wed Feb 12, 2020 4:26 pm

Yes, VLANs are the way to go. If you haven't done it yet, read through this excelent tutorial.

Yes, you have to configure VLANs all over the place. When doing it, do yourself a favour and convert everything to VLANs (also your main home LAN). Makes management simpler.

It doesn't matter which device serves as DHCP server for cam network, but makes sense to have things centralized (on RB4011 in your case).

Inter-VLAN connectivity is subject to firewall rules on the router between different subnets (WAN in this concept is yet another subnet, same principles apply to e.g. cam subnet). So you probably want to block any connectivity between cam subnet and anything else, you explicitly only allow connections from LAN subnet to DVR (but not the other way around) ...
How about time sync for cams and DVR, do they use NTP? Either enable NTP server on your RB4011 and set cams and DVR to use it or allow them to connect to NTP servers in internet.
Re: VLAN for Security Cameras HowTo

Wed Feb 12, 2020 5:34 pm

I use a similar setup too. Read the article mkx linked to. It will tell you all you need to know. After that, you'll make custom firewall rules. I allow IP Cameras to access NTP servers and nothing else, for example. Take time to really study the article. It won't waste your time.
Re: VLAN for Security Cameras HowTo

Wed Feb 12, 2020 6:27 pm

Greatly appreciate both of you replies.
Going to study the linked article now.
Will update later when I have something more concrete.


