Port forwarding could be okay... perhaps if you use MAC address filtering?

M

MakeItRain

Pulling my weight
Aug 7, 2017
418
225
Hi guys

I think it would be very safe for you guys to use port forwarding as long as you enable MAC address filtering. Certain routers allow this feature where, even if you port forward, you can set a firewall rule stating that the inbound device (such as a iPhone) must have this particular MAC address (i.e.): FC:BC:48:A3:55:92 before it can pass through to the internal device at: 192.168.1.200 (your NVR).

This means that before the router forwards the requests through the port to the NVR or a camera, the router is authenticating the MAC address.

You may ask, well, what if they are spoofing your MAC address. Yes, indeed that is also possible. But the odds of spoofing the correct MAC address is 1 in 281,474,976,710,656. That's 281 trillion! Again, this is just another layer of security. I think a good firewall can also blacklist an inbound IP that is trying to hammer a port with the wrong MAC address as well.

Thoughts??
 
what router manufacturer and model has this feature and what is the cost.

I have a mid range asus route and it does not have inbound mac filtering.
 
Here you go. This is the new AT&T router that I got which is an Arris.

I have not tried this yet but maybe I will tonight when I get home.

The page has a description for each explanation of what the "rules" are. Basically, each rule is called a "match". The router will either "Pass" or "Drop" packets that matches the rules that you specify.

In this case, I set the rule (#5) like this (all the values are EXAMPLES. not my real device ID's :) :

Ingress interface of "WAN" - this means if a connection comes in from the WAN (internet)
Egress interface of "LAN" - and is exiting to a local device on the LAN (your NVR attached to the subnet)
Source Mac Address - this is the incoming connection device's MAC address - THIS HAS TO MATCH!! This is like 1 in 281 Trillion combination
Destination IP address - this is the IP address of your NVR
Protocol of "TCP"
Source Port "37777" - the incoming device is trying to access port 37777
Destination Port "37777" - the port to enter the NVR (also 37777)


FIREWALL.JPG
 
MakeItRain said:
This means that before the router forwards the requests through the port to the NVR or a camera, the router is authenticating the MAC address.
Click to expand...
Sorry - but the MAC address features in network communications at layer 2.
MAC stands for 'Media Access Control'. Media is the wiring.

As soon as you go outside the local LAN IP address range, via the router, you are into layer 3 and the MAC address is no longer a feature in the communications.
 
  • Like
Reactions: fenderman, SouthernYankee and aristobrat
alastairstevenson said:
Sorry - but the MAC address features in network communications at layer 2.
MAC stands for 'Media Access Control'. Media is the wiring.

As soon as you go outside the local LAN IP address range, via the router, you are into layer 3 and the MAC address is no longer a feature in the communications.
Click to expand...

Thanks for the clarification. Can you confirm that the IP packet filtering from my router is doing what I think it is doing as I described?
 
I believe the hackers have an easy tool to spoof MAC addresses, common practice. I would never use that feature. Stick to VPN. Good try though.
 
MakeItRain said:
Can you confirm that the IP packet filtering from my router is doing what I think it is doing as I described?
Click to expand...
Sure, IP address packet filtering would be fine, that's what a firewall does.

But if you check an inbound packet from the internet that's been forwarded to a LAN host by the router, you will see the router's MAC address as the source.
That's how packets flow on the LAN, it's how layer 2 switches know what switch port to forward a packet on to under their switching task.
 
  • Like
Reactions: aristobrat
alastairstevenson said:
Sure, IP address packet filtering would be fine, that's what a firewall does.

But if you check an inbound packet from the internet that's been forwarded to a LAN host by the router, you will see the router's MAC address as the source.
That's how packets flow on the LAN, it's how layer 2 switches know what switch port to forward a packet on to under their switching task.
Click to expand...

Thank you, i got my answer here:

MAC filtering the internet traffic?
 
Last edited:
  • Like
Reactions: alastairstevenson
MakeItRain said:
So the above feature from my router is not going to work?
Click to expand...
It will work fine on the LAN.
That's where MAC addresses are used.

MakeItRain said:
MAC addresses from an internet device (iPhone) are not transmitted to your home router as an inbound connection, only the IP address?
Click to expand...
If you sniff a Packet that's come in via your router from an iPhone that's out on the internet, you will see the router LAN interface MAC address as the source.
And the iPhone's current public IP address as the IP address source.
 
  • Like
Reactions: MakeItRain and aristobrat
You must log in or register to reply here.
Top Bottom