@kineticspl said in Blocking IOT inbound access:
I thought outbound only access was "safe" for IOT devices
Nope.
On the contrary.
With free outbound access you can't be sure what the camera does with all the info (images) it collects.
Storing all these videos on a 'cloud' => great. You really have to trust that cloud storage.
That's why cameras are (should!) be using a local NAS or DVR, with big disks (+UPS, because this is privacy/security related).
Or you rent your own cloud "NAS", a place where you are the admin (root) and no one else. Best would be to open a VPN tunnel between your pfSense and this off-site cloud/disk space storage facility.
@kineticspl said in Blocking IOT inbound access:
didn't work locally on my network even with rules in place
What rules? Where / on what interface?
@kineticspl said in Blocking IOT inbound access:
I tried googling and found "hole punching"
Also called: NATting (actually PATting): this is needed so you or someone else can initiate a connection to the IOT from 'anywhere on the Internet'.
This is ok if it was 'you' using, for example, your phone, to connect to 'home' to look at the camera.
Normally, you don't NAT anymore. Activate the OpenVPN server on pfSense.
On your phone: use an OpenVPN app.
When needed, activate the phone OpenVPN app first: your phone is now connected safely with your pfSense, and you can access all local resources 'as if you were at home' without any security issue.
When done, stop the OpenVPN connection.
@kineticspl said in Blocking IOT inbound access:
robot vacuum
What is that?
@kineticspl said in Blocking IOT inbound access:
Ideally I'd like to only be able to access these devices locally and not from the outside at all.
That's what you obtain by default.
Put the IOT stuff on a separate network and, if needed, block outgoing traffic on that network, with the exception of, for example, NTP-to-pfSense, if these IOT devices need real time.
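The policy sketched in this reply (IoT on its own network, outbound blocked except NTP to pfSense, no port forwards from WAN, VPN instead) can be sanity-checked before it is clicked into the GUI. The following is an added example, not code from the post or from pfSense: a small model of pfSense's per-interface, first-match rule evaluation with the implicit default deny. The addresses (IoT VLAN 192.168.20.0/24 with pfSense at 192.168.20.1, LAN 192.168.1.0/24, a camera at .50, a LAN PC at .10, an Internet host in TEST-NET-3) are assumptions chosen for the example. It also shows the ordering trap: the same two IoT rules in the wrong order leave the NTP pass rule shadowed by the block.

```python
"""Added example: model pfSense first-match interface rules to check an
IoT-isolation policy offline. Addresses below are assumptions for the demo."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("192.168.20.0/24")       # assumed IoT VLAN
LAN_NET = ip_network("192.168.1.0/24")        # assumed LAN
PFSENSE_IOT = ip_network("192.168.20.1/32")   # pfSense's address on the IOT interface
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp" or "any"
    src: object           # ip_network
    dst: object           # ip_network
    dport: int | None     # destination port, None = any
    descr: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    return (
        rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in rule.src
        and ip_address(pkt.dst) in rule.dst
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """pfSense semantics: rules on an interface tab filter traffic entering
    that interface, first match wins, unmatched traffic hits default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny (no rule matched)"


# IOT interface tab as the post recommends: NTP to pfSense, nothing else.
IOT_RULES = [
    Rule("pass", "udp", IOT_NET, PFSENSE_IOT, 123, "NTP to pfSense only"),
    Rule("block", "any", IOT_NET, ANY, None, "block everything else (Internet and LAN)"),
]
# Same rules, wrong order: the catch-all block shadows the NTP pass rule.
IOT_RULES_MISORDERED = list(reversed(IOT_RULES))
# LAN keeps the stock "allow LAN to any" rule, so LAN clients can still reach cameras.
LAN_RULES = [Rule("pass", "any", LAN_NET, ANY, None, "default allow LAN to any")]
# WAN has no rules and no port forwards: no "hole punching" into the IoT VLAN.
WAN_RULES: list[Rule] = []

CAMERA = "192.168.20.50"    # constructed IoT camera address
PC = "192.168.1.10"         # constructed LAN workstation
INTERNET = "203.0.113.10"   # constructed external host (TEST-NET-3)


def policy_report() -> dict[str, str]:
    """Evaluate representative flows; returns the verdict per scenario."""
    cases = {
        "camera -> pfSense NTP":     (IOT_RULES, Packet("udp", CAMERA, "192.168.20.1", 123)),
        "camera -> public NTP":      (IOT_RULES, Packet("udp", CAMERA, INTERNET, 123)),
        "camera -> cloud upload":    (IOT_RULES, Packet("tcp", CAMERA, INTERNET, 443)),
        "camera -> LAN SMB":         (IOT_RULES, Packet("tcp", CAMERA, PC, 445)),
        "LAN PC -> camera web UI":   (LAN_RULES, Packet("tcp", PC, CAMERA, 80)),
        "Internet -> camera web UI": (WAN_RULES, Packet("tcp", INTERNET, CAMERA, 80)),
        "misordered: camera -> NTP": (IOT_RULES_MISORDERED, Packet("udp", CAMERA, "192.168.20.1", 123)),
    }
    return {name: decide(rules, pkt)[0] for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in policy_report().items():
        print(f"{name:28s} {verdict}")
```

Two things the model makes visible that the GUI does not: the IoT block rule must cover RFC1918 destinations too (otherwise a camera can still talk to the LAN), and because the WAN tab has no pass rule and no port forward, the only way in from outside is through the OpenVPN tunnel, which lands the phone on the LAN side where the LAN rules apply.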