For installers & IT-minded owners
Put your daycare cameras on an isolated network — VLAN or dual-NIC
Cameras don't belong on the same network as your office PCs, and they never need internet access. CareCam works cleanly with both isolation patterns — here's exactly how to wire each one.
Why isolate the cameras at all?
IP cameras are the least-trusted devices in any building: they rarely get firmware updates, many quietly phone home to manufacturer clouds, and a camera with a known vulnerability is a foothold into everything else on the same network. In a daycare — where the video is of children — the bar should be higher, not lower.
Isolation fixes this structurally. The cameras live on a network segment with no internet route and no path to your office LAN. The only device that can reach them is the CareCam appliance, which pulls their streams locally and sends a single outbound encrypted copy to CareCam. Parents watch through CareCam's cloud — they never connect to your building.
Pattern 1: dual-NIC appliance (no managed switch needed)
The appliance's two network interfaces do the isolation physically — its built-in ethernet port plus a second gigabit interface we include and pre-configure when your install calls for dual-NIC. NIC 1 joins the camera network; NIC 2 joins your main LAN. No VLANs to configure — an unmanaged PoE switch on the camera side is enough.
Pattern 2: camera VLAN on a managed switch
Already running a managed switch? Put the cameras in their own VLAN with no internet gateway, and give the appliance either an access port in that VLAN (plus a firewall rule for its outbound stream) or an 802.1Q tagged port carrying both VLANs. Same isolation, one less box.
Example addressing plan
| Network | Subnet | Gateway | Devices |
|---|---|---|---|
| Camera network / VLAN | 10.10.20.0/24 | None (no internet) | Cameras (static or DHCP reservation), appliance NIC 1 |
| Main LAN | 192.168.1.0/24 | Your router | Office PCs, WiFi, appliance NIC 2 |
Firewall rules, summarized
| From | To | Rule | Why |
|---|---|---|---|
| Cameras | Internet | Blocked | Cameras can't phone home to manufacturer clouds or be reached from outside |
| Cameras | Main LAN | Blocked | A compromised camera can't touch office PCs or WiFi devices |
| Appliance (NIC 1) | Cameras | RTSP 554 + ONVIF | The only thing that ever talks to the cameras |
| Appliance (NIC 2) | CareCam cloud | Outbound TLS only | One encrypted stream out; nothing inbound is required for cameras |
| Parents | Your network | Never | Parents connect to CareCam's cloud, not to your building |
NVR variant (common on professional installs): if your cameras hang off an NVR's built-in PoE ports, they're already on a private camera network. Plug the appliance's NIC 1 into a spare NVR PoE port and NIC 2 into the main LAN — the NVR keeps recording exactly as before, and CareCam streams to parents alongside it.
VLAN & dual-NIC questions
Why should daycare cameras be on their own VLAN or network?
Do I need a managed switch for this?
What is a dual-NIC appliance setup?
Can the appliance plug into a spare PoE port on my NVR?
Which VLAN settings does the appliance support?
Should the cameras get static IPs or DHCP?
Do parents connect to my network to watch?
We're an integrator speccing this for a client. Who configures what?
Network plan review
Integrators & IT: send us the spec before the bulk order
Share your camera/NVR models and network layout and we'll confirm stream compatibility and the cleanest isolation pattern — including a bench test with one camera before you commit. We reply by email, usually within one business day.
