Netgate Discussion Forum

Firewall Rule to limit IP cameras from getting internet access

Firewalling
7 Posts 3 Posters 1.8k Views
  • R
    richtj99
    last edited by Feb 13, 2019, 7:33 PM

    Hi,

    I have a few IP cameras with a VMS server - all connected inside my network. A bunch are very offbrand with likely security flaws (on purpose, etc).

    I have a firewall rule which allows the IP cameras to be accessible from anywhere within LAN. I can access them on OpenVPN also. Very handy!

    Here is the rule:

    Protocol – IPv4*
    Source – Cameras (using alias)
    Port - *
    Destination - ! Lan net
    Port - *
    Gateway - *
    Queue - None
    Schedule - BLANK
    Description – Internal Access
    no external access

    So why am I looking for a new rule if it works so great? I bought some cheapie wifi cameras & they use a P2P access – very insecure. With the rule as it stands, when in my home wifi, the p2p works (yay!) - when on cellular – it doesn’t work (yay!) – for some reason over OpenVPN it doesn’t work on cellular (boo!).

    So I think the reason it's not working is it's only allowing traffic to go through ! Lan net & I don’t see how to add OpenVPN to the rule.

    Any suggestions on how to make this work?

    Also - is this the right way to allow internal access with no external access?

    Thanks, Rich

    • C
      chpalmer
      last edited by chpalmer Feb 13, 2019, 11:41 PM

      Are your cameras on their own subnet? If so do not put any rule on your camera firewall tab.

      The firewall blocks by default. Since the connection to the cams would be initiated by other subnets the connection will work that direction.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • A
        akuma1x
        last edited by Feb 14, 2019, 6:35 PM

        To the OP - @chpalmer is correct. Any new networks (subnets) you create, besides the 2 default WAN and LAN, get created with NO firewall rules. There's also no DHCP server turned on by default, but that's a different topic...

        Anyway, no default rules means no traffic will move or be passed out of that single network/subnet. All machines (or cameras in this example) will only be able to talk to each other. Long story short - no internet access unless it's specifically programmed to do so.

        Jeff

        • R
          richtj99 @chpalmer
          last edited by Feb 14, 2019, 7:20 PM

          @chpalmer
          Hi - I only have one Vlan for everything. Everything is on the same subnet.

          I want to keep it semi simple in the event that the router breaks & I need to swap something in temporarily.

          I don't get why !lan seems to work though in the rule.

          • R
            richtj99 @akuma1x
            last edited by Feb 14, 2019, 7:32 PM

            @akuma1x
            How do I give them no internet while being on the same subnet/single vlan?

            • A
              akuma1x @richtj99
              last edited by Feb 14, 2019, 10:18 PM

              @richtj99 said in Firewall Rule to limit IP cameras from getting internet access:

              @akuma1x
              How do I give them no internet while being on the same subnet/single vlan?

              This is how I do it:

              1. All of these cameras need to have static IP Addresses setup in the DHCP server section for the subnet/network your cameras are on.
              2. Then make an Alias for all the cameras. This is found under the Firewall tab up at the top of the screen.
              3. Once the alias is made, you can create a single firewall rule, on the subnet/network your cameras are on, and deny it access to the internet. Make this rule the top-most rule in the list, right under the anti-lockout rule.

              Denying access to the internet is pretty simple, if in fact you want to deny access to ANY external internet service. On that last firewall rule, set your action to reject or block, set the protocol to ANY, your source to single host or alias using the ALIAS you created above, and the destination to ANY. This sets the rule up so no ALIAS traffic leaves the subnet/network, including traffic bound for the internet.

              Jeff

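To see why the OP's "Cameras -> ! LAN net" block rule and Jeff's "Cameras -> any" block rule end up behaving the same on a single flat subnet, here is an added first-match, stateful rule evaluator modelled on pfSense's behaviour (this is example code written for this thread, not pfSense's own code; the addresses, the "Cameras" alias members and the OpenVPN tab "pass any" rule are constructed assumptions, and the OP's rule is assumed to be a block since its description says no external access).

```python
import ipaddress

# Constructed addressing: the thread names no addresses, so these are placeholders.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPENVPN_NET = ipaddress.ip_network("10.8.0.0/24")
CAMERAS = {ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")}  # "Cameras" alias

def within(container):      # matcher for a network or an alias (set of hosts)
    return lambda ip: ip in container

def negate(matcher):        # the "!" (invert match) checkbox on a pfSense rule
    return lambda ip: not matcher(ip)

ANY = lambda ip: True       # source/destination "any"

# Rule = (action, source matcher, destination matcher); first match wins, default deny.
# LAN tab as the OP describes it: block Cameras -> !LAN net, then the stock "LAN to any" pass.
OP_LAN_RULES = [("block", within(CAMERAS), negate(within(LAN_NET))),
                ("pass", within(LAN_NET), ANY)]
# LAN tab as akuma1x describes it: block Cameras -> any (above everything else), then the stock pass.
JEFF_LAN_RULES = [("block", within(CAMERAS), ANY),
                  ("pass", within(LAN_NET), ANY)]
# OpenVPN tab: assumed "pass any" from the tunnel network (not stated in the thread).
OPENVPN_RULES = [("pass", within(OPENVPN_NET), ANY)]

def evaluate(lan_rules, src, dst, states):
    """Decide one packet the way pf does: state table first, then first matching rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN_NET and dst in LAN_NET:
        return "switched"      # same subnet: never reaches the firewall, no rule is consulted
    if (dst, src) in states:
        return "pass"          # reply to an established flow passes without a rule lookup
    rules = lan_rules if src in LAN_NET else OPENVPN_RULES if src in OPENVPN_NET else []
    for action, src_ok, dst_ok in rules:
        if src_ok(src) and dst_ok(dst):
            if action == "pass":
                states.add((src, dst))  # pass rules create state for the reply direction
            return action
    return "block"             # no rule matched: pfSense blocks by default

def run_scenario(lan_rules):
    states = set()             # verdicts for the flows the thread discusses, in order
    return {
        "camera->internet": evaluate(lan_rules, "192.168.1.50", "203.0.113.9", states),
        "camera->vpn_client": evaluate(lan_rules, "192.168.1.50", "10.8.0.2", states),
        "vpn_client->camera": evaluate(lan_rules, "10.8.0.2", "192.168.1.50", states),
        "camera_reply->vpn_client": evaluate(lan_rules, "192.168.1.50", "10.8.0.2", states),
        "lan_host->camera": evaluate(lan_rules, "192.168.1.10", "192.168.1.50", states),
    }
```

Both rule sets give identical verdicts here because the only camera-sourced traffic the firewall ever sees on a flat LAN is traffic already leaving the subnet; camera-initiated connections to the VPN client are blocked in both, while VPN-initiated connections to a camera pass on the OpenVPN tab and the camera's replies ride the state entry.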
              • R
                richtj99 @akuma1x
                last edited by Feb 15, 2019, 8:43 PM

                Hi,

                I have it set up with static IPs for each camera, then each camera has been added into an Alias (Cameras).

                The only way I could get it working was with the !Lan part of my rule. I don't really understand why that works as it was trial and error to get it working.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.