Blocking IOT inbound access
-
Hello everyone,
I'm looking for some guidance/clarification. I have a VLAN on pfSense/WiFi with a robot vacuum and a security camera on it. My main network has access to it. Both devices require outbound access to function (without outbound access they didn't work, or functionality was very limited).
I thought outbound-only access was "safe" for IOT devices, but I found some things still didn't work locally on my network even with rules in place. Randomly I tried on my phone over 4G and was surprised I was able to reach these devices (and actually use them better than from within the network). So is this what cloud-based access normally does with IOT devices? I tried googling and found "hole punching" but I'm not sure if that's what this is or if there's a way to stop it (other than throwing these devices in the trash). Ideally I'd like to only be able to access these devices locally and not from the outside at all.
Additional info: I use pfBlocker and use third-party DNS filtering. I know there's a lot of detail missing and I was just looking for generic information to get me onto the right path. I just need a nudge in the right direction if possible, to see if I'm missing deny rules somewhere or if it sounds like my rules are just wrong. I'm assuming that since they have outbound access, they are using that connection response to gain inbound connectivity somehow.
Thanks.
-
@kineticspl said in Blocking IOT inbound access:
I thought outbound only access was "safe" for IOT devices
Noop.
On the contrary.
With free outbound access you can't be sure what the camera does with all the info (images) it collects.
Storing all these videos on a 'cloud' => great. You really have to trust that cloud storage.
That's why cameras are (should!) be using a local NAS or DVR, with big disks (+UPS, because this is privacy/security related).
Or you rent your own cloud "NAS", a place where you are the admin (root) and no one else. Best would be to open a VPN tunnel between your pfSense and this off-site cloud/disk space storage facility.
@kineticspl said in Blocking IOT inbound access:
didn't work locally on my network even with rules in place
What rules? Where / on what interface?
@kineticspl said in Blocking IOT inbound access:
I tried googling and found "hole punching"
Also called: NATting (actually PATting): this is needed so you or someone else can initiate a connection to the IOT from 'anywhere on the Internet'.
This is ok if it was 'you' using, for example, your phone to connect to 'home' to look at the camera.
Normally, you don't NAT anymore. Activate the OpenVPN server on pfSense.
On your phone: use an OpenVPN app.
When needed, activate the phone OpenVPN app first: your phone is now connected safely with your pfSense, and you can access all local resources 'as if you were at home' without any security issue.
When done, stop the OpenVPN connection.
@kineticspl said in Blocking IOT inbound access:
robot vacuum
What is that ?
@kineticspl said in Blocking IOT inbound access:
Ideally I'd like to only be able to access these devices locally and not from the outside at all.
That's what you obtain by default.
Put them, the IOT stuff, on a separate network and, if needed, block outgoing traffic on that network, with the exception of, for example, NTP-to-pfSense if these IOT devices need real time.
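The setup the reply describes, written out as an illustrative pf ruleset (pfSense's underlying packet filter); this is an added example, not either poster's configuration, and pfSense normally generates these rules from its GUI. Interface names, subnets, the VLAN tag, the `ovpns1` tunnel interface and the OpenVPN port are assumptions; the commented-out "outbound only" rule is the permissive variant the original poster started from.

```pf
# Assumed interface names and subnets (placeholders, not from the thread)
wan_if  = "igb0"
lan_if  = "igb1"
iot_if  = "igb1.20"          # VLAN 20 carries the camera and the vacuum
lan_net = "192.168.1.0/24"
iot_net = "192.168.20.0/24"
iot_gw  = "192.168.20.1"     # pfSense address on the IoT VLAN
vpn_net = "10.8.0.0/24"      # OpenVPN tunnel network for the phone

set state-policy floating    # a state created on the inbound interface
                             # also matches the packet on its way out
block log all                # default deny, log what gets dropped

# --- WAN: no port forwards at all. The only thing the Internet may reach
# is the OpenVPN server on pfSense itself (UDP 1194 is OpenVPN's default).
pass in quick on $wan_if proto udp from any to ($wan_if) port 1194 keep state

# --- IoT VLAN, first match wins. The broad "outbound only" rule would be:
#   pass in quick on $iot_if from $iot_net to any keep state
# A device allowed that much can keep a session open to its vendor cloud,
# which is how the poster reached the camera from 4G without any inbound
# rule. Instead allow only what the devices need from pfSense, then drop
# the rest (cloud features of the devices will stop working, as the
# original post notes).
block in quick on $iot_if from $iot_net to $lan_net               # never into LAN
pass  in quick on $iot_if proto udp from $iot_net to $iot_gw port 123 keep state  # NTP
pass  in quick on $iot_if proto udp from $iot_net to $iot_gw port  53 keep state  # DNS via pfSense
block in log quick on $iot_if from $iot_net to any                # everything else, logged

# --- LAN and VPN clients may open connections *to* the IoT devices; the
# replies ride back on the state, so the IoT side needs no rule for them.
pass in quick on $lan_if from $lan_net to $iot_net keep state
pass in quick on $lan_if from $lan_net to any      keep state
pass in quick on ovpns1  from $vpn_net to $iot_net keep state
```

Dropped packets logged by the final `block in log quick` rule show which destinations the devices keep trying to reach, which is the quickest way to see whether a rule is missing or the device is simply phoning home.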