What is your approach to keeping these cameras off the Internet, but still on your local network to ensure they're not backchanneling with your awareness?
All IoT devices on my network go into a VLAN that blocks internet access. Using UniFi, I think it's just a checkbox to turn internet access on/off. I use a virtual NIC on my Home Assistant VM that recognizes that VLAN and can communicate with all those devices, as well as a separate NIC which is hooked up to the main VLAN.
In my router admin page, there is something called parental control. I used it to disable internet access for all the cameras. I've also used the DHCP settings to give all the cameras static IPs as well.
Dedicated VLAN. Firewall rule forbids all outgoing connections from camera VLAN, even to other LAN, but allows inbound from designated devices on a privileged VLAN (this way random devices on my network can’t talk to the cameras). Frigate is on a VM that is so designated.
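The policy described in the comment above, written as an nftables ruleset for a Linux router that forwards between the VLANs. This is an added example, not any commenter's configuration; the interface names, addresses and the DHCP allowance are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. All names and addresses below are constructed placeholders.

define CAM_IF   = "vlan30"          # camera VLAN interface (assumed name)
define PRIV_IF  = "vlan10"          # privileged VLAN interface (assumed name)
define NVR_HOST = 192.168.10.20     # designated host, e.g. the NVR VM (constructed)
define CAM_NET  = 192.168.30.0/24   # camera subnet (constructed)

table inet camera_isolation {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies to sessions the designated host opened may leave the camera
        # VLAN. Without this, "block all outgoing" also breaks the video pull.
        iifname $CAM_IF oifname $PRIV_IF ip daddr $NVR_HOST ct state established,related accept

        # Only the designated host may open connections to cameras.
        iifname $PRIV_IF oifname $CAM_IF ip saddr $NVR_HOST ip daddr $CAM_NET accept

        # Anything else a camera originates (internet or other LAN, IPv4 or
        # IPv6) is logged at a limited rate, counted and dropped. The log
        # lines show which camera tried to reach which destination.
        iifname $CAM_IF limit rate 10/minute log prefix "cam-egress-drop "
        iifname $CAM_IF counter drop

        # No other device on the network may reach the cameras.
        oifname $CAM_IF counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Assumption: cameras get their reserved addresses from a DHCP
        # server on this router, so DHCP requests are the one thing allowed in.
        iifname $CAM_IF udp dport 67 accept

        # Cameras get nothing else from the router itself (DNS, NTP, admin UI).
        iifname $CAM_IF counter drop
    }
}
```

`nft -c -f <file>` checks the syntax without loading the rules, and `nft list ruleset` shows the drop counters once it is loaded.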
I do DHCP reservations then firewall rules. Not as safe as a VLAN but not aware of any devices assigning themselves random IPs outside the DHCP reservation to circumvent it.
Easier than getting VLANs working across switches and APs