Block Xiaomi camera from calling home
-
Hi to all,
first of all I must say I'm new to the pfSense world. For the last few days I've been struggling with a rule to block internet traffic for a Xiaomi camera.
The Xiaomi camera always wants to call home, so video from that camera is available from the internet without any port forwarding or the like. Obviously that's not OK.
So I made a rule on the LAN interface to block traffic from source 10.10.10.5 (IP of the camera) to destination any. That works fine; now I cannot access the camera from the internet. But now I have a problem, because I cannot access the camera from the LAN either.
I created a rule to allow traffic from the LAN subnet as source to the camera's IP as destination, and also inverted that source and destination, but no success. Is it possible for that to work at all? Any advice would be great.
Thanks in advance.
-
@blaz23 Clients on the same LAN talk directly to each other without going through pfSense. pfSense only gets involved if the traffic needs to be routed or redirected between interfaces. Post a screenshot of your LAN rules and we can see what you have done.
-
@blaz23 said in Block Xiaomi camera from calling home:
So I made a rule on LAN interface to block traffic from source 10.10.10.5 (IP of camera) to destination any.
I wouldn't get much sleep if such a cam was in my LAN.
You should isolate it in a separate network segment.
That works fine, now I cannot access camera from internet. But now I have a problem because I cannot access camera from LAN too.
Traffic between LAN devices does not pass the router. So obviously the cam needs some other things to allow access.
Edit: @KOM mentioned already. How do you access the camera? By IP or name?
-
Thanks guys,
the camera is in a separate network segment, that's not an issue, and I can ping it, that's all fine. The only problem I have is that I cannot see the stream from that camera.
Rules for that camera:
-
@blaz23 Please post rules on your lan and this vlan you put your camera in.
That first rule you have there posted is pretty pointless. As mentioned already pfsense has nothing to do with traffic internal to a network/vlan - only to get off of it.
That rule would allow this 10.10.10.5 to talk to pfsense IP in 10.10.10.0/25 - but better to use the alias optX address.
Is 10.10.10.0/25 your lan or this network/vlan?
Rules are evaluated as traffic enters pfsense from the network attached. Top down, first rule to trigger wins, no other rules are evaluated.
Return traffic is allowed via state. But if you want to allow unsolicited traffic from vlan A to B, the rules need to be on vlan A.
Understanding the IP ranges you are using for your 2 different networks/vlans and the rules on each will help us help you figure out what is not correct. So are you using say 10.10.10.128/25 on this other network?
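A small model of the evaluation order described above, added here as an illustration rather than anything from the thread or from pfSense itself: rules are checked on the interface where traffic enters, top down, first match wins, and replies to a passed flow are allowed by state instead of by a rule on the other interface. It uses the thread's camera IP and segment; the LAN subnet 10.10.10.128/25, the gateway address 10.10.10.1, the interface names and the "home server" address are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addresses from the thread; LAN subnet, gateway and "home server" are assumptions.
CAMERA = ip_network("10.10.10.5/32")
CAM_GW = ip_network("10.10.10.1/32")        # assumed pfSense address on the camera VLAN
LAN_NET = ip_network("10.10.10.128/25")     # assumed LAN subnet (johnpoz's guess)
ANY = ip_network("0.0.0.0/0")
HOME_SERVER = ip_address("203.0.113.10")    # documentation range standing in for the vendor cloud

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network

# Rules live on the interface where traffic ENTERS pfSense (first match wins).
RULES = {
    "CAMVLAN": [Rule("pass", CAMERA, CAM_GW),     # camera may reach the gateway (DHCP/DNS)
                Rule("block", CAMERA, ANY)],      # ...and nothing else, internet included
    "LAN":     [Rule("pass", LAN_NET, CAMERA)],   # LAN hosts may open connections to the camera
}

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = rules, set()    # states: (src, dst) of passed flows

    def evaluate(self, iface: str, src: IPv4Address, dst: IPv4Address) -> str:
        if (dst, src) in self.states:             # reply to a passed flow: state, not rules
            return "pass (state)"
        for rule in self.rules.get(iface, []):    # top down; first match ends evaluation
            if src in rule.src and dst in rule.dst:
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        return "block"                            # pfSense default deny when nothing matches

def demo(rules=RULES) -> dict:
    fw = Firewall(rules)
    cam, pc, other = ip_address("10.10.10.5"), ip_address("10.10.10.130"), ip_address("10.10.10.131")
    return {
        "cam_to_home_server": fw.evaluate("CAMVLAN", cam, HOME_SERVER),             # block
        "cam_to_gateway":     fw.evaluate("CAMVLAN", cam, ip_address("10.10.10.1")), # pass
        "pc_to_cam":          fw.evaluate("LAN", pc, cam),                          # pass, creates state
        "cam_reply_to_pc":    fw.evaluate("CAMVLAN", cam, pc),                      # pass (state)
        "cam_to_other_pc":    fw.evaluate("CAMVLAN", cam, other),                   # block (unsolicited)
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Swapping the two CAMVLAN rules makes the block rule match first, so the camera loses even its gateway access; that is the "first rule to trigger wins" point.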
-
@blaz23 said in Block Xiaomi camera from calling home:
the camera is in separate network segment, that's not an issue
If so, it's not clear, how your rules should work.
Are both network segments on one interface? Basically the camera shouldn't need any access.
You only need to allow your LAN devices to access the cam, if the traffic has to pass pfSense.
-
@johnpoz thank you for that explanation. Let me explain this a bit more. I have a separate subnet for devices like this camera, and in this subnet I have one PC from which I'm trying to access this camera. That PC is able to ping the camera and to access the internet, and that is OK. As I said, the issue is that I'm not able to see the stream from that camera. In the direction that you guys are going with all the answers, I think the problem is not the firewall or any of the rules, but maybe that camera's software.
-
@blaz23 How exactly do you access this stream? Via browser to the camera's IP address, or to some external domain?
-
@kom it's actually an app, it's called Mi Home. In that app I tried to find an option to just change the default gateway for that camera to some random IP, but that's not possible. And because of that, now I'm trying to block internet access on pfSense.
-
@blaz23 I'm willing to bet that you need to let that camera talk to its home server as that's how the app gets access to it. Check the technical details of those cameras to see exactly how they're supposed to work.
-
@kom probably you're right. The way you guys explained all this to me, now I'm also pretty sure the issue is in that app. But I think I'm not willing to share the video from my home with some server in China or somewhere else. So I will replace this camera.
-
@blaz23
Check if there is a way to access it by its IP in a web browser. Apps will mostly need to connect to their home servers to establish a connection to the devices.
I would never buy a camera which requires an app for watching its video stream.
-
Yeah some shitty apps might require L2 discovery only, and have to be on the same network to find the camera.
Depending on your setup and functionality, you could join say your phone or tablet to wifi that is the same L2 as the camera.
You prob want to look for a camera whose software allows for just IP or FQDN without having to use discovery protocols, if your goal is to not let it use the internet and then use it locally via browser or app.