Netgate Discussion Forum

    Questions Regarding Isolating Web Cams on Their Own Network

    • LeiShen

      I've watched videos on basic setup of Web Cams on their own isolated network so if their crappy firmware is hacked, it doesn't compromise the rest of the network. In many of these overviews, they talk about setting rules so the camera cannot talk to the internet and cannot talk to other networks within the pfSense router. Lawrence Systems talks about just that kind of set up.

      My questions are:
      How do you access these camera then?
      Do you have to be on the same network as them?
      Do you have to use a VPN from outside to access the cameras? How?
      If I enable Port Forwarding for those isolated cameras, so I can access them from outside, that'll only compromise that sub-net, right?

      The setup I am considering is this on a 4-port router:
      Port 1: WAN
      Port 2: Normal (192.168.1.0/24)
      Port 3: Cameras (192.168.2.0/24)

      Can someone point me in the direction of detailed instructions to help me get my head around this?

      Thanks!

      • JKnott @LeiShen

        @leishen

        When I set up cameras, they were connected to a DVR with 2 ports. One port went to the cameras and the other to the main network. You could set up a 2nd subnet on the same network, on your computer, that can route to the camera network. Or just put a 2nd NIC in your computer. You could also use a VLAN and managed switch.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • neogrid

          That's super simple, block all traffic leaving your cam vlan and allow your other vlans to access your cam vlan.

          You need to get your head around the rules of pfSense.

          • dma_pf @LeiShen

            @leishen said in Questions Regarding Isolating Web Cams on Their Own Network:

            My questions are:
            How do you access these camera then?

            As @neogrid mentions, you would create a rule on your Normal interface to allow access to the Camera's network.

            @leishen said in Questions Regarding Isolating Web Cams on Their Own Network:

            Do you have to be on the same network as them?

            No. They can be on different networks. But as @JKnott mentions, you will need either a dedicated NIC port or a managed switch so you can create VLANs.

            @leishen said in Questions Regarding Isolating Web Cams on Their Own Network:

            Do you have to use a VPN from outside to access the cameras? How?

            Using a VPN is the most secure way to do this. You could VPN into the Normal network which would then allow you to access the cameras. OpenVPN or WireGuard in pfSense would be your best bet here.

            @leishen said in Questions Regarding Isolating Web Cams on Their Own Network:

            If I enable Port Forwarding for those isolated cameras, so I can access them from outside, that'll only compromise that sub-net, right?

            Don't do this, use a VPN instead. Bad practice and a much bigger security risk.

            • AndyRH

              I moved my cameras to an isolated VLAN. I posted the rules and a question about it here.
              https://forum.netgate.com/topic/168726/is-there-a-better-way?_=1642607048626

              I chose to place the DVR in the same VLAN and access it across the FW.

              o||||o
              7100-1u

              • JKnott @AndyRH

                @andyrh said in Questions Regarding Isolating Web Cams on Their Own Network:

                I chose to place the DVR in the same VLAN and access it across the FW.

                Does your DVR have 2 ports?

                • AndyRH

                  No, I use rules to limit access. Less wires...
                  Hosts in that VLAN cannot initiate contact with other VLANs, but can respond.

                    • LeiShen

                    Thanks everyone!
                    My confusion was with 'blocking' - I thought it was a two-way street. Now I understand it only prevents the source from initiating a connection, but not replying to a request.

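
The behaviour the thread arrives at, as an added example that is not part of any original post: a toy Python model (not pfSense code) of stateful, per-interface filtering, where rules apply to new connections entering an interface and replies ride on the state created by a passed connection. Only the two subnets come from the thread; the rule set, host addresses and ports are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

NORMAL = ip_network("192.168.1.0/24")    # subnet from the thread
CAMERAS = ip_network("192.168.2.0/24")   # subnet from the thread
ANY = ip_network("0.0.0.0/0")

# Assumed rule set. Rules are checked on the interface where a NEW
# connection enters the firewall; first match wins, no match means block.
RULES = {
    "NORMAL": [("pass", NORMAL, ANY)],     # Normal may reach cameras and internet
    "CAMERAS": [("block", CAMERAS, ANY)],  # cameras may not initiate anything
}

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (src, sport, dst, dport) of passed connections

    def packet(self, iface, src, sport, dst, dport):
        """Return 'pass' or 'block' for a packet arriving on iface."""
        # Traffic belonging to an existing state (either direction) is
        # passed without consulting the interface rules at all.
        if (src, sport, dst, dport) in self.states:
            return "pass"
        if (dst, dport, src, sport) in self.states:
            return "pass"
        for action, src_net, dst_net in self.rules.get(iface, []):
            if ip_address(src) in src_net and ip_address(dst) in dst_net:
                if action == "pass":
                    self.states.add((src, sport, dst, dport))
                return action
        return "block"  # default deny

def demo():
    fw = Firewall(RULES)
    pc, cam = "192.168.1.10", "192.168.2.50"  # constructed host addresses
    inet = "203.0.113.5"                      # constructed (documentation range)
    return [
        fw.packet("CAMERAS", cam, 40000, pc, 445),    # camera initiates to PC
        fw.packet("CAMERAS", cam, 40000, inet, 443),  # camera initiates to internet
        fw.packet("NORMAL", pc, 50000, cam, 80),      # PC opens the camera web UI
        fw.packet("CAMERAS", cam, 80, pc, 50000),     # camera's reply in that session
        fw.packet("CAMERAS", cam, 40001, pc, 445),    # new camera-initiated attempt
    ]

if __name__ == "__main__":
    print(demo())
```

The last entry shows that an open session from the Normal network does not let the camera start its own connections: the state covers only that one address and port pair.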