Netgate Discussion Forum

    Block Xiaomi camera from calling home

      blaz23

      Thanks guys,
      the camera is in a separate network segment, that's not an issue, and I can ping it, that's all fine. The only problem that I have is that I cannot see the stream from that camera.
      Rules for that camera:
      666437ea-4252-40b5-bc8b-771bd0d7498f-image.png

        johnpoz LAYER 8 Global Moderator @blaz23

        @blaz23 Please post rules on your lan and this vlan you put your camera in.

        That first rule you have there posted is pretty pointless. As mentioned already pfsense has nothing to do with traffic internal to a network/vlan - only to get off of it.

        That rule would allow this 10.10.10.5 to talk to pfsense IP in 10.10.10.0/25 - but better to use the alias optX address.

        Is 10.10.10.0/25 your lan or this network/vlan?

        Rules are evaluated as traffic enters pfsense from the network attached. Top down, first rule to trigger wins, no other rules are evaluated.

        Return traffic is allowed via state. But if you want to allow unsolicited traffic from vlan A to B, the rules need to be on vlan A.

        Understanding the IP ranges you are using for your 2 different networks/vlans and the rules on each will help us help you figure out what is not correct. So are you using say 10.10.10.128/25 on this other network?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
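
The evaluation order johnpoz describes above, modeled as a small Python sketch; this is an added example, not part of the original thread and not pfSense code. Which /25 is the camera VLAN, the two rules, the LAN host 10.10.10.130 and the outside address 203.0.113.10 are assumptions constructed for illustration.

```python
import ipaddress as ip

# Constructed layout (assumption): the two /25s named in the thread, one per interface.
NETS = {"CAMVLAN": ip.ip_network("10.10.10.0/25"),
        "LAN": ip.ip_network("10.10.10.128/25")}
CAMERA = "10.10.10.5"
ANY = ip.ip_network("0.0.0.0/0")

# Hypothetical per-interface rule lists: (action, source, destination), read top down.
RULES = {
    "CAMVLAN": [("block", ip.ip_network(CAMERA + "/32"), ANY)],  # camera may start nothing
    "LAN": [("pass", NETS["LAN"], ANY)],                         # LAN may go anywhere
}

def ingress(src):
    """Interface a packet enters on: the attached network that contains src."""
    return next((name for name, net in NETS.items() if src in net), None)

def decide(src, dst, states):
    """Verdict for one packet. `states` holds passed (src, dst) flows; real
    state entries also track protocol and ports, which this model leaves out."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    iface = ingress(s)
    if iface is None:
        return "not modeled: source is not on an attached network"
    if d in NETS[iface]:
        return "not seen: same network, traffic never reaches the firewall"
    if (dst, src) in states:                 # state lookup comes before the rules
        return "pass: reply to existing state"
    for action, rsrc, rdst in RULES[iface]:  # first match wins, the rest are skipped
        if s in rsrc and d in rdst:
            if action == "pass":
                states.add((src, dst))
            return f"{action}: rule on {iface}"
    return f"block: default deny on {iface}"

def demo():
    states = set()
    return [decide(CAMERA, "203.0.113.10", states),   # camera calling home
            decide("10.10.10.130", CAMERA, states),   # LAN PC opens the stream
            decide(CAMERA, "10.10.10.130", states),   # camera's reply to that PC
            decide("10.10.10.20", CAMERA, states)]    # PC on the camera's own VLAN

if __name__ == "__main__":
    print("\n".join(demo()))
```

The last case matches the setup blaz23 describes later in the thread: with the PC and camera in the same subnet, no rule on pfSense is consulted for traffic between them.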

          viragomann @blaz23

          @blaz23 said in Block Xiaomi camera from calling home:

          the camera is in a separate network segment, that's not an issue

          If so, it's not clear how your rules should work.
          Are both network segments on one interface?

          Basically the camera shouldn't need any access.
          You only need to allow your LAN devices to access the cam, if the traffic has to pass pfSense.

            blaz23 @johnpoz

            @johnpoz thank you for that explanation. Let me explain this a bit more. I have a separate subnet for devices like this camera, and in this subnet I have one PC from which I'm trying to access this camera. That PC is able to ping the camera and to access the internet, and that is ok. As I said, the issue is that I'm not able to see the stream from that camera. In the direction that you guys are going with all the answers I think the problem is not the firewall or any of the rules, but maybe that camera's software.

              KOM @blaz23

              @blaz23 How exactly do you access this stream? Via browser to the camera's IP address, or to some external domain?

                blaz23 @KOM

                @kom it's actually an app, it's called Mi Home. In that app I tried to find an option to just change the default gateway for that camera to some random IP, but that's not possible. And because of that now I'm trying to block internet access on pfsense.

                  KOM @blaz23

                  @blaz23 I'm willing to bet that you need to let that camera talk to its home server as that's how the app gets access to it. Check the technical details of those cameras to see exactly how they're supposed to work.

                    blaz23 @KOM

                    @kom probably you're right. The way you guys explained all this to me, now I'm also pretty sure the issue is in that app. But I think I'm not willing to share the video from my home with some server in China or somewhere else. So I will replace this camera.

                      viragomann @blaz23

                      @blaz23
                      Check if there is a way to access it by its IP in a web browser.

                      Apps will mostly need to connect to their home servers to establish a connection to the devices.
                      I would never buy a camera which requires an app for watching its video stream.

                        johnpoz LAYER 8 Global Moderator @viragomann

                        Yeah some shitty apps might require L2 discovery only, and have to be on the same network to find the camera.

                        Depending on your setup functionality.. You could join say your phone or tablet to wifi that is same L2 as the camera.

                        You prob want to look for a camera whose software allows for just IP or FQDN without having to use discovery protocols if your goal is to not let it use the internet and then use locally via browser or app.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.