Netgate Discussion Forum

    Block Wifi Cameras Outbound Traffic

    Firewalling
    8 Posts 4 Posters 5.0k Views
    • Fahrenhe1t

      Hi, I have two Foscam wifi cameras I would like to block from initiating outbound communication. I put both camera IPs in a firewall alias. I've set up a firewall rule on the LAN tab to block all camera traffic going to the WAN interface, and log when the communication occurs:


      I've rebooted pfSense, and also the cameras…yet they are still able to communicate out (I can test an email and FTP connection successfully). Shouldn't this rule block traffic?

      I've also tried putting in a rule on the Floating tab, but same thing, the cameras can communicate out:


      Which rule should I keep, and what am I doing wrong?  Thanks!

      • chpalmer

        Do you have UPnP turned on?

        Look at the cameras as servers. If a client from the outside tries to connect and is successful then the outbound block does nothing because the connection attempt is initiated from the outside.

        You have to block the connection attempts to the cameras. I just implemented a firewall at a new client's house after they found out their cams were being accessed. Their previous router had UPnP turned on by default and the cameras were set to utilize it. (By default).

        The camera is not going out and looking for people to see it.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • Fahrenhe1t

          I have UPnP turned off. Actually, these Foscam cameras do initiate outbound communication. They actively connect to IPs overseas for their P2P network (it helps novices set up a camera and manage them from a mobile app). Even though you turn off the P2P network option, they still communicate out. http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

          pfSense should be blocking incoming traffic by default.  But I need to block all camera-initiated outbound traffic.  For whatever reason, the rules above aren't working for me.  Are they wrong?

          • cmb

            Delete the floating rule, and change the LAN rule's destination to "any", and you'll have what you want.

            • chpalmer

              Interesting. My client's models were not Foscam so didn't deal with that directly but good to know.

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              • Fahrenhe1t

                @cmb:

                Delete the floating rule, and change the LAN rule's destination to "any", and you'll have what you want.

                Wow that did the trick!  Can you explain why changing destination to "any" blocks outbound traffic, while destination "WAN address" does not?

                Thanks much cmb!  Sorry, I thanked the wrong post, and the board won't let me take it back :(

                • cmb

                  "WAN address" is your WAN IP address. That just blocked the cameras from reaching your WAN IP.

                  • mer

                    @cmb:

                    "WAN address" is your WAN IP address. That just blocked the cameras from reaching your WAN IP.

                    And the traffic was not destined to your WAN IP, the destination was beyond that.

                    1 Reply Last reply Reply Quote 0
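
The matching behaviour cmb and mer describe, as an added example that is not part of the original thread and is not pfSense's own code: a simplified first-match evaluator for the LAN rule list, run against the original rule (destination "WAN address") and the corrected one (destination "any"). All addresses, the alias contents, the `evaluate` helper and the presence of the stock "allow LAN to any" rule below the camera rule are assumptions.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")    # the firewall's own WAN IP
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CAMERAS = {ipaddress.ip_address("192.168.1.50"),      # contents of the camera alias
           ipaddress.ip_address("192.168.1.51")}
REMOTE_HOST = "198.51.100.25"                         # an internet host a camera contacts

def src_matches(spec, src):
    """Source field: the camera alias, the LAN subnet, or any."""
    if spec == "cameras":
        return src in CAMERAS
    if spec == "LAN net":
        return src in LAN_NET
    return spec == "any"

def dst_matches(spec, dst):
    """Destination field: 'WAN address' is one IP, 'any' is every destination."""
    if spec == "WAN address":
        return dst == WAN_ADDRESS
    return spec == "any"

def evaluate(rules, src, dst):
    """Rules are checked top-down as traffic enters LAN; first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if src_matches(src_spec, src) and dst_matches(dst_spec, dst):
            return action
    return "block"  # nothing matched: default deny

# Assumption: the stock "allow LAN to any" rule sits below the camera rule.
ALLOW_LAN = ("pass", "LAN net", "any")
ORIGINAL_RULES = [("block", "cameras", "WAN address"), ALLOW_LAN]
FIXED_RULES = [("block", "cameras", "any"), ALLOW_LAN]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for dst in (REMOTE_HOST, str(WAN_ADDRESS)):
            print(f"{name:8} camera -> {dst:15} {evaluate(rules, '192.168.1.50', dst)}")
        print(f"{name:8} laptop -> {REMOTE_HOST:15} {evaluate(rules, '192.168.1.20', REMOTE_HOST)}")
```

With the original rule the camera's packet to the remote host skips the block rule, because its destination is not the WAN IP, and is passed by the allow rule below it; with destination "any" the block rule matches first while other LAN hosts are unaffected.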
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.