Netgate Discussion Forum

Adding ZoneMinder network

Firewalling
10 Posts 3 Posters 2.9k Views
    JayneCobb
    last edited by Oct 17, 2016, 2:58 PM

    I'm going to be installing some IP cameras controlled by ZoneMinder. I worked up a network diagram, see below. Things I would like to accomplish.

    1. Isolate Surveillance network (192.168.50/24) from the Internet. The ZoneMinder server needs to have (WAN) NAT access for software updates but that is it. I will use pfSense DHCP to assign static IPs for all of the cameras and the server and then add "block" firewall rules for all of the cameras. Do I need to add anything else to isolate from the WAN?

    2. If I understand the pfSense manual correctly all traffic is blocked between (LAN) 192.168.1/24 and (Surveillance) 192.168.50/24 by default. Do I need to do anything else besides adding "Allow" rules to communicate with just the ZoneMinder server from any address in the LAN? Does NAT need to be configured?

    3. For security reasons I was only going to remote access ZoneMinder through OpenVPN(192.168.10/24) I suppose I will need to configure rules/NAT but on what network subnet?

    I will be monitoring the thread. If I left out any information please ask for a clarification. I plan on posting my config when it is working so the thread will be a completed mini "cookbook".

    Thanks
    Jayne

    home-network.png

      johnpoz LAYER 8 Global Moderator
      last edited by Oct 17, 2016, 3:13 PM

      "If I understand the pfSense manual correctly all traffic is blocked between (LAN) 192.168.1/24 and (Surveillance) 192.168.50/24 by default."

      Where would you have gotten that idea?

      The default lan rules are any any.. So if you bring up any other networks, be they native on an opt interface or vlans, Lan would be able to talk to that network, just like it can talk to internet. I.e. the any any rule.  Now your new network, be it a vlan or opt, would have NO rules so it would be blocked out of the box from talking to anywhere where it started the conversation.

      So what exactly do you want zoneminder or cameras on this network to be able to start conversations with.  And do you want your other networks ie your lan and guest vlan to be able to talk to stuff on this zoneminder network?

      What are your current rules on your lan and guest vlan and we can discuss how to create the rules to allow only what you want, etc. be it from your existing networks to your new zoneminder network, or from your zoneminder network to your other networks or the internet.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        JayneCobb
        last edited by Oct 17, 2016, 4:01 PM

        Thanks johnpoz.

        I guess I misunderstood what I read. The guest VLAN has no access to the machines on my LAN and I didn't do anything special to isolate it. I just configured the AP and the switch for tagging and created the VLAN network called "Guest" in pfSense and it had Internet access only.

        With all the things I have read about IP cameras (IoT) being insecure I wanted to isolate them from all other networks. The cameras talk to ZoneMinder and ZoneMinder talks to the world (LAN and VPN to be exact).  The only IP address I want accessible from anywhere on 192.168.50/24 is the ZoneMinder server.

        See screenshots of current rules. The hardware for ZoneMinder (computer, switch and cameras) is on order but I have started the configuration process to work out as many bugs as I can. FYI it is all theory at this point.

        WAN-rules.png
        LAN-rules.png
        SURVEILLANCE-rules.png
        OpenVPN-rules.png

          KOM
          last edited by Oct 17, 2016, 4:41 PM

          LAN has a default Allow All rule.  All subsequent interfaces do not have any rule whatsoever.  LAN can get to VLAN, but VLAN cannot get to LAN other than to reply to traffic initiated by LAN.

            JayneCobb
            last edited by Oct 17, 2016, 5:09 PM

            So I need to add rules to explicitly block all traffic to and from Guest except to the WAN. Good to know. Thanks

              johnpoz LAYER 8 Global Moderator
              Oct 17, 2016, 5:11 PM, last edited Oct 17, 2016, 5:16 PM

              "following rules block cameras from internet"

              On your WAN.. No they do no such thing ;)

              This always just blows my mind…  It comes up like every couple of days where clearly rules are setup with zero understanding of how the rules are evaluated.

              Rules are evaluated top down on the interface the traffic would first enter pfsense.

              How would there ever be source of lan net on your surveillance network inbound to that interface?

              If you want to block stuff on your surv network from going somewhere, then you would put the rules on that interface..  Here is my psk vlan where my wireless iot devices are at, for example my nest thermostat, my nest protect, my harmony hub, etc.

              So you see I let them ping pfsense IP address in this segment.
              I let them use pfsense for dns.
              I let them talk to my ntp servers that are on my lan segment (192.168.9.32 and 192.168.9.40)  In that alias
              I then actually reject any traffic from that segment to ANY IP address that pfsense would have (this firewall) This would be wan IP, other opt interfaces or vlans any IP that pfsense would have on it..

              And then the last rule says they can go anywhere they want, as long as its not any of my other networks.  Which all fall into rfc1918 space, so I created a rfc1918 alias.  This is all my other segments this is my vpn tunnel networks, etc.

              I then log that rule - because I like to keep an eye on what they do ;)  They mostly just phone home every now and then over http/https..

              pskiotsegmentrules.jpg
              wheretheygo.jpg


                JayneCobb
                last edited by Oct 19, 2016, 5:45 PM

                How about this. DHCP is broadcast so it should go through to the cameras, right? Allow NTP traffic to pfSense so all timestamps are synchronized. The cameras will be isolated to their network. This would work wouldn't it?

                SURVEILLANCE-rules-new.png

                  johnpoz LAYER 8 Global Moderator
                  last edited by Oct 19, 2016, 7:03 PM

                  Yeah that would block cameras from talking to anything other than that 192.168.1.1 on udp 123.

                  You could do that in 1 rule.  As far as dhcp.  When you enable dhcp server on an interface there are hidden rules created that allow for the dhcp traffic to pfsense dhcpd running on that interface.

                  Do you have other devices on this vlan? You do understand there is a default deny not shown.  So the only rule you really need would be your allow rule.  Since you're only blocking, those are really not needed unless you want to block and not log, and you're logging the default deny rule.


                    JayneCobb
                    last edited by Oct 19, 2016, 7:27 PM

                    Just the ZoneMinder server. I want it to have access through the NAT for updates. If the cameras need an update I can download them and apply or if necessary disable rules, let them download updates and then turn the rules back on. I have seen too many stories about lax standards for what seems to be all IP cameras.  Better that they don't advertise themselves at all and better yet not "checking in" uploading anything to servers in China. (Taking off my tri-layered, heavy duty foil hat now.)

                    I guess I could write one rule to open up the server and then one rule, at the bottom, to block everything else.

                    Thanks for the help.

                      johnpoz LAYER 8 Global Moderator
                      last edited by Oct 19, 2016, 8:25 PM

                      again there is a default deny on all interfaces.. You cannot turn it off.  So all you really need is allow rules.  Only reason to put in a specific block would be if you want to block something above an allow that it would fall into.  And/or you want a block rule at the end that does something special like not log or something, etc.


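Added example (not code from any poster in this thread, and not pfSense's own code): a small Python model of the rule-evaluation behaviour johnpoz and KOM describe above, so the points can be checked against concrete packets. It models only what the thread covers: rules are evaluated on the interface a packet first enters pfSense, top down, first match wins; no match falls through to the logged default deny that cannot be turned off; a pass creates state so replies of that flow are accepted without re-checking rules; enabling the DHCP server adds a hidden pass for client-to-server DHCP. The ruleset is the design the thread converged on (NTP to pfSense, reject everything else to "This Firewall", ZoneMinder alone may reach non-RFC1918 space, cameras fall to default deny), plus the misplaced "block LAN net" rule on SURVEILLANCE from the screenshots to show why it never matches. All addresses (ZoneMinder host 192.168.50.10, camera 192.168.50.21, update server 198.51.100.7, WAN 203.0.113.10) are assumed for the example.

```python
"""Toy model of how pfSense (pf) evaluates the rules discussed in this thread.

Added illustration, not pfSense code.  It models only: per-interface, top-down,
first-match evaluation on the interface a packet first enters; fall-through to the
implicit logged default deny; state creation on pass so replies are accepted
without re-checking rules; and the hidden DHCP pass added by enabling the DHCP
server.  All addresses below are assumed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet enters pfSense on
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str            # "pass", "block" (silent drop) or "reject" (drop + RST/unreachable)
    proto: str = "any"
    src: str = "any"       # "any" or a CIDR
    dst: str = "any"       # "any", a CIDR, "self" (GUI: "This Firewall") or "!rfc1918"
    dport: int = 0         # 0 = any destination port
    log: bool = False
    label: str = ""


class Firewall:
    def __init__(self, self_ips, dhcp_ifaces=()):
        self.self_ips = set(self_ips)      # every address pfSense holds, on any interface
        self.dhcp_ifaces = set(dhcp_ifaces)
        self.rules = {}                    # iface -> [Rule, ...], top to bottom
        self.states = set()                # (proto, src, sport, dst, dport) of allowed flows
        self.log = []

    def _addr(self, spec, addr):
        if spec == "any":
            return True
        if spec == "self":
            return addr in self.self_ips
        ip = ip_address(addr)
        if spec == "!rfc1918":
            return not any(ip in n for n in RFC1918)
        return ip in ip_network(spec, strict=False)

    def _matches(self, r, p):
        return (r.proto in ("any", p.proto) and r.dport in (0, p.dport)
                and self._addr(r.src, p.src) and self._addr(r.dst, p.dst))

    def filter(self, p):
        """Return (action, reason) for a packet entering on p.iface."""
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass", "state"                 # reply to an already allowed flow
        if p.iface in self.dhcp_ifaces and p.proto == "udp" and p.dport == 67:
            return "pass", "hidden dhcp rule"      # created when the DHCP server is enabled
        for r in self.rules.get(p.iface, []):      # only this interface's rules are consulted
            if self._matches(r, p):
                if r.log:
                    self.log.append((r.label, p))
                if r.action == "pass":
                    self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action, r.label
        self.log.append(("Default deny rule", p))  # implicit on every interface, cannot be disabled
        return "block", "default deny"


def build_firewall():
    fw = Firewall(self_ips={"192.168.1.1", "192.168.50.1", "203.0.113.10"},
                  dhcp_ifaces={"LAN", "SURVEILLANCE"})
    # LAN keeps the stock "Default allow LAN to any" rule
    fw.rules["LAN"] = [Rule("pass", src="192.168.1.0/24", label="Default allow LAN to any")]
    fw.rules["SURVEILLANCE"] = [
        # the mistake from the screenshots: LAN traffic never *enters* on SURVEILLANCE, so this never matches
        Rule("block", src="192.168.1.0/24", label="misplaced LAN block"),
        Rule("pass", proto="udp", src="192.168.50.0/24", dst="self", dport=123, label="NTP to pfSense"),
        Rule("reject", src="192.168.50.0/24", dst="self", label="nothing else to the firewall itself"),
        Rule("pass", src="192.168.50.10/32", dst="!rfc1918", log=True, label="ZoneMinder updates only"),
        # cameras, and ZoneMinder towards other local networks, fall through to the default deny
    ]
    return fw


def demo():
    fw = build_firewall()
    cases = {   # name -> packet; the LAN->ZoneMinder request runs before its reply on purpose
        "lan_to_zoneminder_web": Packet("LAN", "tcp", "192.168.1.50", 40000, "192.168.50.10", 80),
        "zoneminder_reply_to_lan": Packet("SURVEILLANCE", "tcp", "192.168.50.10", 80, "192.168.1.50", 40000),
        "zoneminder_to_internet": Packet("SURVEILLANCE", "tcp", "192.168.50.10", 40001, "198.51.100.7", 443),
        "zoneminder_to_lan": Packet("SURVEILLANCE", "tcp", "192.168.50.10", 40002, "192.168.1.50", 22),
        "camera_to_internet": Packet("SURVEILLANCE", "tcp", "192.168.50.21", 40003, "198.51.100.7", 443),
        "camera_to_lan": Packet("SURVEILLANCE", "tcp", "192.168.50.21", 40004, "192.168.1.50", 445),
        "camera_ntp": Packet("SURVEILLANCE", "udp", "192.168.50.21", 123, "192.168.50.1", 123),
        "camera_to_webgui": Packet("SURVEILLANCE", "tcp", "192.168.50.21", 40005, "192.168.50.1", 443),
        "camera_dhcp": Packet("SURVEILLANCE", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    }
    return {name: fw.filter(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The two results worth noticing are that `lan_to_zoneminder_web` passes even though SURVEILLANCE carries a "block LAN net" rule (that rule is on the wrong interface, as johnpoz says), and that `zoneminder_reply_to_lan` passes on state without any SURVEILLANCE rule allowing it, which is why LAN can reach the ZoneMinder server while the camera network still has no allow rule towards LAN.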
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.