Block Wifi Cameras Outbound Traffic



  • Hi, I have two Foscam wifi cameras I would like to block from initiating outbound communication.  I put both camera IPs in a firewall alias.  I've set up a firewall rule on the LAN tab to block all camera traffic going to the WAN interface, and log when the communication occurs:


    I've rebooted pfSense, and also the cameras…yet they are still able to communicate out (I can test an email and ftp connection successfully).  Shouldn't this rule block traffic?

    I've also tried putting in a rule on the Floating tab, but same thing, the cameras can communicate out:


    Which rule should I keep, and what am I doing wrong?  Thanks!



  • Do you have UPNP turned on?

    Look at the cameras as servers.  If a client from the outside tries to connect and is successful then the outbound block does nothing because the connection attempt is initiated from the outside.

    You have to block the connection attempts to the cameras.  I just implemented a firewall at a new client's house after they found out their cams were being accessed. Their previous router had UPNP turned on by default and the cameras were set to utilize it. (By default).

    The camera is not going out and looking for people to see it.



  • I have UPnP turned off.  Actually, these Foscam cameras do initiate outbound communication.  They actively connect to IPs overseas for their P2P network (it helps novices set up a camera and manage them from a mobile app).  Even though you turn off the P2P network option, they still communicate out.  http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

    pfSense should be blocking incoming traffic by default.  But I need to block all camera-initiated outbound traffic.  For whatever reason, the rules above aren't working for me.  Are they wrong?



  • Delete the floating rule, and change the LAN rule's destination to "any", and you'll have what you want.



  • Interesting.  My client's models were not Foscam so didn't deal with that directly but good to know.



  • @cmb:

    Delete the floating rule, and change the LAN rule's destination to "any", and you'll have what you want.

    Wow that did the trick!  Can you explain why changing destination to "any" blocks outbound traffic, while destination "WAN address" does not?

    Thanks much cmb!  Sorry, I thanked the wrong post, and the board won't let me take it back :(



  • "WAN address" is your WAN IP address. That just blocked the cameras from reaching your WAN IP.



  • @cmb:

    "WAN address" is your WAN IP address. That just blocked the cameras from reaching your WAN IP.

    And the traffic was not destined to your WAN IP, the destination was beyond that.
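
Added example, not part of the thread and not pfSense code: a small first-match rule evaluator showing why a LAN block rule with destination "WAN address" lets camera traffic to remote hosts through, while destination "any" stops it. All addresses are constructed documentation-range values, and the "default allow LAN to any" rule below the camera rule is an assumption about the poster's ruleset.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation ranges), not taken from the thread.
CAMERAS = {ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("192.168.1.51")}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")   # the firewall's own WAN IP
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str   # "block" or "pass"
    src: object   # alias (set of addresses) or a network
    dst: object   # single address or a network
    label: str

def _matches(spec, addr):
    # Aliases and networks match by membership, a single address by equality.
    if isinstance(spec, (set, frozenset, ipaddress.IPv4Network)):
        return addr in spec
    return addr == spec

def evaluate(rules, src, dst):
    """First matching rule wins; traffic matching no rule is blocked."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action, rule.label
    return "block", "default deny"

def lan_rules(camera_dst):
    # Camera block rule on top, assumed default LAN pass rule underneath.
    return [
        Rule("block", CAMERAS, camera_dst, "block cameras"),
        Rule("pass", LAN_NET, ANY, "default allow LAN to any"),
    ]

ORIGINAL = lan_rules(WAN_ADDRESS)   # destination "WAN address"
FIXED = lan_rules(ANY)              # destination "any"

if __name__ == "__main__":
    # 198.51.100.25 stands in for a remote server the camera contacts.
    for name, rules in (("WAN address", ORIGINAL), ("any", FIXED)):
        for dst in ("198.51.100.25", "203.0.113.10"):
            print(f"dst rule={name!r:14} packet dst={dst:15}",
                  evaluate(rules, "192.168.1.50", dst))
```

The destination field is compared with the packet's final destination address, not with the interface the packet will leave through, which is why only the "any" rule catches traffic to hosts beyond the firewall.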

