
Trying to confirm a network intrusion

Hi:

So I just did a casual audit of my network and found something curious.
My home alarm system is from Vivint.
It has a central panel, two ip cameras, some hardwired cameras, motion detectors, and door/window opening sensors.
There's nothing on this network that's not Vivint.

The trouble is I noticed two IP addresses connecting today.
I checked back a month and only today do I have these additions.

Looking at my app, the MAC addresses of the IP cameras do correspond to Vivint.
The two foreign MAC addresses are as follows:

1 - 06:11:22:33:44:55 - Locally administered address (LAA): the address is assigned to a device by a network administrator, overriding the burned-in address.
2 - 0c:83:cc:ef:7e:7e - Vendor name: Alpha Networks Inc.

Alpha Networks Inc.
No.8 Li-shing 7th Rd.
Science-based Industrial Park
Hsinchu, Taiwan 300
R.O.C.
TW

Assignment Type: MA-L
MAC Address Block Large (previously named OUI). Number of addresses: 2^24 (~16 million)


This is an ethernet connection per the logs:
"DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7"
"DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

Eth7 is the Ethernet network for my Vivint equipment.

This is well beyond the capabilities of the support team at Vivint.
They just grasp for the nearest script and read it back to me.  Sort of annoying, but I sympathize.

Can anyone assist in helping me figure out what's going on?
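The two log lines above carry everything needed for a first triage: the leased IP, the client MAC, an optional client hostname and the interface. The "locally administered" flag the MAC lookup reported is simply bit 1 (0x02) of the first octet, so a vendor lookup on such an address is meaningless, while a globally administered address can be matched on its first three octets against the IEEE MA-L registry. The script below is an added example, not code from the thread or from Vivint or Sophos: it parses the quoted DHCPREQUEST lines, decodes the U/L and I/G bits, and flags leases whose MAC is not on an owner-maintained baseline. The OUI table, the `a4:bb:cc` prefix and the `KNOWN_MACS` baseline are constructed placeholders; a real deployment would load the IEEE registry and the owner's inventory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two DHCP lines quoted in the post, plus one
# constructed lease for a device already on the owner's baseline.
SAMPLE_LOG = """\
DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7
DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7
DHCPREQUEST for 172.16.222.12 (172.16.0.1) from a4:bb:cc:00:00:01 (cam-front) via eth7
"""

# Tiny OUI table (assumption: a real tool loads the IEEE MA-L registry;
# 'a4:bb:cc' is a constructed placeholder prefix, not a real vendor).
OUI_TABLE = {
    "0c:83:cc": "Alpha Networks Inc.",
    "a4:bb:cc": "example-alarm-vendor (constructed)",
}

# MACs the owner has confirmed as their own equipment (constructed baseline).
KNOWN_MACS = {"a4:bb:cc:00:00:01"}

LINE_RE = re.compile(
    r"DHCPREQUEST for (?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<server>[\d.]+)\) "
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]
    iface: str
    locally_administered: bool
    multicast: bool
    vendor: Optional[str]
    known: bool


def mac_flags(mac: str) -> tuple:
    """Return (locally_administered, multicast) decoded from the first octet.
    Bit 1 (0x02) is the U/L bit, bit 0 (0x01) is the I/G bit."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02), bool(first & 0x01)


def parse_lease(line: str) -> Optional[Lease]:
    """Parse one DHCPREQUEST line; returns None for lines of another shape."""
    m = LINE_RE.search(line)
    if not m:
        return None
    mac = m["mac"].lower()
    laa, mcast = mac_flags(mac)
    # An OUI lookup only means something for globally administered addresses.
    vendor = None if laa else OUI_TABLE.get(mac[:8])
    return Lease(ip=m["ip"], mac=mac, hostname=m["host"], iface=m["iface"],
                 locally_administered=laa, multicast=mcast,
                 vendor=vendor, known=mac in KNOWN_MACS)


def triage(log: str) -> list:
    """Return (mac, verdict) pairs; anything off the baseline is flagged."""
    out = []
    for line in log.splitlines():
        lease = parse_lease(line)
        if lease is None:
            continue
        if lease.known:
            verdict = "known device"
        elif lease.locally_administered:
            verdict = "unknown: locally administered MAC (OUI lookup not meaningful)"
        elif lease.vendor:
            verdict = f"unknown: vendor {lease.vendor}"
        else:
            verdict = "unknown: unregistered OUI"
        out.append((lease.mac, verdict))
    return out


if __name__ == "__main__":
    for mac, verdict in triage(SAMPLE_LOG):
        print(f"{mac}  {verdict}")
```

Run against a longer lease history (the post mentions a month of logs), the same `triage` call gives a first-seen list rather than a one-off judgement; the useful signal is not the vendor name but whether a MAC appears on the owner's baseline at all.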



  • Current working theory:
    There may be some IP instability with the two cameras.
    Probably a function of buggy programming.

    I guess one could programmatically have the cameras continually change ip addresses as a function of security.
    That would be quite clever if the panel choreographed this little dance.

  • The problem with a lot of camera systems is they "call back home" to China or other countries and are quite prone to hacking.  I use Reolink, and they are great cameras, but they don't ever touch the internet.  If I access them off-site, it's through a VPN.  Firmware updates are manually installed by me.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yeah, most have hard-coded DNS entries in these cameras which bypass any internal DNS filtering like PiHole. The only way around this I found is to create a firewall rule to block the camera from connecting outbound to the internet other than to contact an NTP server so it can keep its time synced. The idea is to never allow it to connect to their cloud service, and disable P2P, which can bypass the firewall and allow remote access even if DNAT rules are not used. Anyone with the QR code can access the camera remotely if P2P is enabled. Scary.
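The egress policy described in that reply (camera segment may talk to the panel and to NTP, nothing else) is easy to state and easy to get wrong in a rule set, so it is worth checking against what the firewall actually sees. The script below is an added example, not code from the thread or from any firewall vendor: it encodes that allow-list and audits a batch of constructed flow records, reporting every camera flow that should have been blocked. The camera subnet, panel address, flow format and the sample flows are all assumptions chosen for illustration; the 443 flow stands for a cloud check-in and the UDP/3478 flow for the STUN step a P2P feature would use, which is why it shows up in the findings.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed policy for an isolated camera segment (assumption: addresses
# chosen for illustration, not taken from the thread).
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
PANEL = ipaddress.ip_address("192.168.50.1")
NTP_PORT = 123

# RFC 1918 space; anything outside it is treated as Internet for this audit.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internet(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in INTERNAL_NETS)


def allowed(flow: Flow) -> bool:
    """Allow-list: camera -> panel, camera -> NTP on the Internet, nothing else."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in CAMERA_NET:
        return True          # policy only constrains the camera segment
    if dst == PANEL:
        return True          # camera <-> panel traffic stays on the LAN
    if is_internet(dst) and flow.proto == "udp" and flow.dport == NTP_PORT:
        return True          # time sync is the only permitted egress
    return False             # cloud check-ins, P2P/STUN, anything else


# Constructed flow records in a simple "src dst proto dport" form.
SAMPLE_FLOWS = """\
192.168.50.20 192.168.50.1 tcp 554
192.168.50.20 203.0.113.10 udp 123
192.168.50.20 203.0.113.50 tcp 443
192.168.50.21 198.51.100.7 udp 3478
10.0.0.5 203.0.113.50 tcp 443
"""


def audit(text: str) -> list:
    """Return a description of every flow the policy would have denied."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        f = Flow(src, dst, proto.lower(), int(dport))
        if not allowed(f):
            findings.append(f"{f.src} -> {f.dst} {f.proto}/{f.dport}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("should be blocked:", finding)
```

Pointing `audit` at the firewall's own accepted-connection log instead of the constructed sample turns it into a regression check: any finding means a rule is missing or ordered wrongly, since those flows were accepted by the device even though the policy says they should not have been.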

  • What do you mean by "burned in address"? Does the camera allow you to create a static IP? Can you create a network definition for the camera?

  • These are manufactured by the security company in Utah.  They appear to get all of their DHCP et al. from the primary security panel in my house.  No data hit my UTM's DHCP server.  They appear to be hardened to some degree.  These other IP addresses are a curiosity.  They may be VMs the panel created for engineers (or scripts) to investigate the network environment I created for their gear.

  • The "burned in" was just text I copied from a MAC address lookup.  It just means this is a custom MAC, not the one assigned to the hardware by the manufacturer.  I can create a network definition, but no data was ever sent or received from the UTM's DHCP server.  It's irrelevant.

  • This is part of a suite of devices from a security company.  I'm fine with them calling back home in Utah.

  • Interestingly, the only device on this network that has ever connected to the internet is the primary security panel, so the cameras only communicate with the panel - good security architecture.

  • VPNs touch the internet.

  • I'm just having trouble understanding your network topology. It appears that your "Vivint security panel" hub is attempting to act as a DHCP server and assign an IP address to your cameras? But they also are on a different subnet than your DHCP server.

    Your IP logs

    "DHCPREQUEST for 172.16.222.39 (172.16.0.1) from 06:11:22:33:44:55 via eth7"
    "DHCPREQUEST for 172.16.222.40 (172.16.0.1) from 0c:83:cc:ef:7e:7e (MeshNode-ef7e7d) via eth7"

    That 172.16.X.X IP range tells me you are using the XG firewall? Are you in the right forum?

    Explain your topology better:

    1. Are you using XG or UTM?

    2. How exactly does your Vivint system fit in with your network? 

    3. Is the IP address of your Sophos (the gateway, internal LAN address) 172.16.0.1?