date 2024-04-02

I always think of VLANs in terms of physical LANs--it makes it easier to think through the logic.

If I have physically isolated a LAN from another LAN and I want traffic to flow between the two LANs, then why did I separate the two LANs to begin with? This is a common problem with people learning VLANs where they have like 5 different VLANs and then have inter-VLAN routes between all of them, thereby pretty much negating any use of having the VLANs in the first place.

For your use case, I think you're doing it right--a completely separate, physically air-gapped network for those WW3 spybots that you can access from a particular system via a NIC that puts that system on that same LAN. No way for the cameras to really get out unless they want to break into your system, or your system has some sort of bridging enabled between the two LANs.

Now, a lot of times you can also isolate Internet access with creative routing. You simply don't route IPs above, say, 30 out to the Internet. So then you can still have a flat LAN and still get the blocking you want at the router level vs. the LAN or VLAN level. Functionally the same, but technically not as secure since it's all on the same LAN.
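The "don't route hosts above .30 to the Internet" idea from the last paragraph, written out as an added example (this is not the poster's configuration): a small POSIX shell script that checks a host against that policy and emits an nftables forward-chain ruleset enforcing it. The LAN prefix `192.168.1`, the cutoff host number 30 and the WAN interface name are constructed assumptions; the `egress_allowed` and `nft_ruleset` function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed assumptions: the flat LAN is
# 192.168.1.0/24, hosts .1-.30 may reach the Internet, hosts .31-.254 (cameras) may not.
LAN_PREFIX="192.168.1"
LAST_ALLOWED=30

# egress_allowed IP
#   Prints "yes" and returns 0 when the host is allowed out to the WAN,
#   prints "no" and returns 1 when it is in the blocked range,
#   prints "not-on-lan" and returns 2 when the address is outside the LAN prefix.
egress_allowed() {
    ip="$1"
    prefix="${ip%.*}"      # everything before the last dot
    host="${ip##*.}"       # last octet = host number on the /24
    if [ "$prefix" != "$LAN_PREFIX" ]; then
        echo "not-on-lan"
        return 2
    fi
    if [ "$host" -le "$LAST_ALLOWED" ]; then
        echo "yes"
        return 0
    fi
    echo "no"
    return 1
}

# nft_ruleset WAN_IFACE
#   Prints an nftables ruleset that drops forwarded traffic from the blocked host
#   range toward the WAN interface. Hosts in that range keep full LAN access, which is
#   exactly the "flat LAN, blocked at the router" trade-off described in the post.
nft_ruleset() {
    wan="$1"
    first_blocked=$((LAST_ALLOWED + 1))
    cat <<EOF
table inet egress_policy {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # cameras (hosts .${first_blocked}-.254) never get routed to the Internet
        ip saddr ${LAN_PREFIX}.${first_blocked}-${LAN_PREFIX}.254 oifname "${wan}" drop
    }
}
EOF
}

# Stand-alone usage: check a few constructed hosts, then print the ruleset for eth0.
for h in 192.168.1.10 192.168.1.45 10.0.0.5; do
    printf '%s -> %s\n' "$h" "$(egress_allowed "$h")"
done
nft_ruleset eth0
```

Load the printed ruleset with `nft -f` on the router; the allow/deny split lives only in the forward chain, so a camera that is compromised still has every other LAN host reachable, which is the point the post makes about this being less secure than a separate LAN.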