CareCam

For installers & IT-minded owners

Put your daycare cameras on an isolated network — VLAN or dual-NIC

Cameras don't belong on the same network as your office PCs, and they never need internet access. CareCam works cleanly with both isolation patterns — here's exactly how to wire each one.

Why isolate the cameras at all?

IP cameras are the least-trusted devices in any building: they rarely get firmware updates, many quietly phone home to manufacturer clouds, and a camera with a known vulnerability is a foothold into everything else on the same network. In a daycare — where the video is of children — the bar should be higher, not lower.

Isolation fixes this structurally. The cameras live on a network segment with no internet route and no path to your office LAN. The only device that can reach them is the CareCam appliance, which pulls their streams locally and sends a single outbound encrypted copy to CareCam. Parents watch through CareCam's cloud — they never connect to your building.

Pattern 1: dual-NIC appliance (no managed switch needed)

The appliance's two network interfaces do the isolation physically — its built-in ethernet port plus a second gigabit interface we include and pre-configure when your install calls for dual-NIC. NIC 1 joins the camera network; NIC 2 joins your main LAN. No VLANs to configure — an unmanaged PoE switch on the camera side is enough.

Camera network — isolated10.10.20.0/24 · no internet gatewayMain LAN + internet192.168.1.0/24blockedcameras have no route to the LAN or internetPoE camera10.10.20.11PoE camera10.10.20.12PoE switchunmanaged OKRTSP pull · port 554CareCam appliancethe only bridgebetween the networksNIC 110.10.20.2NIC 2192.168.1.x (DHCP)Your routermain LAN gatewayoutboundTLS onlyCareCam cloudstreaming + access controlHTTPSParents' phonesnever touch your LANethernet — you plug inencrypted streamblocked — no routenetwork zone

Pattern 2: camera VLAN on a managed switch

Already running a managed switch? Put the cameras in their own VLAN with no internet gateway, and give the appliance either an access port in that VLAN (plus a firewall rule for its outbound stream) or an 802.1Q tagged port carrying both VLANs. Same isolation, one less box.

Example addressing plan

NetworkSubnetGatewayDevices
Camera network / VLAN10.10.20.0/24None (no internet)Cameras (static or DHCP reservation), appliance NIC 1
Main LAN192.168.1.0/24Your routerOffice PCs, WiFi, appliance NIC 2

Firewall rules, summarized

FromToRuleWhy
CamerasInternetBlockedCameras can't phone home to manufacturer clouds or be reached from outside
CamerasMain LANBlockedA compromised camera can't touch office PCs or WiFi devices
Appliance (NIC 1)CamerasRTSP 554 + ONVIFThe only thing that ever talks to the cameras
Appliance (NIC 2)CareCam cloudOutbound TLS onlyOne encrypted stream out; nothing inbound is required for cameras
ParentsYour networkNeverParents connect to CareCam's cloud, not to your building

NVR variant (common on professional installs): if your cameras hang off an NVR's built-in PoE ports, they're already on a private camera network. Plug the appliance's NIC 1 into a spare NVR PoE port and NIC 2 into the main LAN — the NVR keeps recording exactly as before, and CareCam streams to parents alongside it.

VLAN & dual-NIC questions

Why should daycare cameras be on their own VLAN or network?
IP cameras are the least-trusted devices in a building: firmware updates are rare and many phone home to manufacturer clouds. Isolating them means a compromised camera can't reach your office PCs, and cameras with internet access blocked can't send video anywhere except to the CareCam appliance on their own network segment.
Do I need a managed switch for this?
Only for the VLAN approach. The dual-NIC approach needs no VLANs and no managed switch — the appliance's two network interfaces physically bridge the isolated camera network and your main LAN, and an unmanaged PoE switch on the camera side is enough.
What is a dual-NIC appliance setup?
The appliance uses two network interfaces: NIC 1 connects to the camera switch — an isolated network with no internet gateway — and NIC 2 connects to your main LAN for the outbound encrypted stream to CareCam. When your install calls for dual-NIC, we ship the appliance with the second gigabit interface included and pre-configured. The appliance is the only bridge between the two networks, and it only moves video one way.
Can the appliance plug into a spare PoE port on my NVR?
Usually, yes. Most NVRs with built-in PoE ports run the cameras on a private internal network. Plugging the appliance's NIC 1 into a spare NVR PoE port puts it on that camera network directly, and NIC 2 goes to your LAN. This is a common pattern for professional installs where the NVR stays the recording system.
Which VLAN settings does the appliance support?
The appliance runs standard Linux networking, so it can sit on an 802.1Q tagged port or a plain access port in the camera VLAN — whichever your switch setup prefers. For most installs we recommend the simplest thing that works: an access port in the camera VLAN plus a firewall rule allowing the appliance to reach CareCam outbound. Tell us your switch layout and we'll pre-configure the appliance to match before it ships.
Should the cameras get static IPs or DHCP?
DHCP reservations where a DHCP server exists; plain static addressing where one doesn't. On a camera VLAN served by your router or managed switch, reserve each camera's address so it survives reboots and outages — CareCam pulls each stream by address, so it must never change. On a fully isolated dual-NIC segment there's usually no DHCP server at all, so set static IPs on the cameras (e.g. 10.10.20.11+) and note them somewhere. Cameras on an NVR's built-in PoE ports are handled by the NVR automatically.
Do parents connect to my network to watch?
No. Parents' phones connect to CareCam's cloud over HTTPS with their own approved accounts. Your network only ever makes one outbound encrypted connection from the appliance — there are no inbound connections to your cameras and no public stream links.
We're an integrator speccing this for a client. Who configures what?
You handle the switch, VLANs, and firewall as you would on any job; we ship the appliance pre-configured and finish the camera connections remotely once it's online. Send us the camera/NVR model list before the bulk order and we'll confirm stream compatibility — we can also bench-test one camera and recorder with you first.

Network plan review

Integrators & IT: send us the spec before the bulk order

Share your camera/NVR models and network layout and we'll confirm stream compatibility and the cleanest isolation pattern — including a bench test with one camera before you commit. We reply by email, usually within one business day.

Free for parents · No spam · We reply by email