[Solved] Blocking IP camera to get online

kilko

I have installed squid and see that my camera is often sending request like this:

10.04.2018 22:09:55 192.168.103.32 TCP_MISS/200 http://hzweb2.s1.seetong.com/dev/devreg.php - 121.40.148.79
10.04.2018 22:09:53 192.168.103.32 TCP_MISS/200 http://hzweb2.s1.seetong.com/comm/getrand.php - 121.40.148.79

10.04.2018 22:07:05 192.168.103.31 TCP_MISS/200 http://bjweb1.s1.seetong.com/dev/devregv2.php - 182.92.160.245
10.04.2018 22:07:03 192.168.103.31 TCP_MISS/200 http://bjweb1.s1.seetong.com/comm/getrand.php - 182.92.160.245

I have tried blocking from LAN with these IMG: LAN_RULES.png

Why is this block not working ? or do I have to reset squid to "empty cache" first ?

jahonix

Fist of all because "WAN net" is not the internet but the transit network between you and your provider.

If your cameras don't need to go anywhere (which they usually don't) you can just use "*" as destination.
Create an alias for all cameras and use that one as source. Saves you two rules.

kilko

Thank you,
I have created alias. IMG: Alias.png

Aha, the camera needs to access LAN and store files on the NAS drives (Synology).
But they dont need to access the internet.

(I have tried searching forum I see a lot of people want their camera to go online, but not able to be able to access the the local network)

jahonix

As by your rules, the cameras are on Lan already. Every traffic on lan is handled by your switch and never reaches pfSense.
If your NAS is on your Lan (where it usually is…) everything is fine with blocking destination "*" for your cameras.

kilko

Super!  ;D - now the blocking works :-)