Camera Isolation from Internet

Philly

Oct 22, 2018
Philadelphia, PA
Could you please advise on how to isolate cameras from the Internet via router settings, since they are connected via a switch directly to the Internet/router (Netgear)?
 
Look for firewall settings or parental controls in the router. For example in my router which runs open-source firmware, I can block specific IP addresses from accessing the internet on a schedule, so I added all my cameras to it and set it to be blocked 24/7.
 

Thank you! Will I be able to get into Camera settings on the same network anyway if I block the camera from the internet?
 
You'll just be blocking them from the Internet. They'll be accessible through your local network, LAN, with no problem. While you're at it, it's a good idea to disable, uncheck, all services that aren't needed in the network configuration for each, individual, camera. Things like PnP for example.
 
Thank you!
 
Another thought, while you're in configuring the network in each camera, set the DNS address to a bogus address. All of this stuff helps keep them from "phoning home" as well as isolated from the WWW.
 
I use the same basic network address and change the last three digits to "254", i.e. 198.1.1.254. Totally bogus, out of range, numbers won't be accepted.
 
What's the opinion here on the relative merits of this router firewall/parental control LAN solution, compared to having a second NIC for the cameras on a subnet?

Presumably both configurations work. I imagine that using the router's firewall is simpler to implement and makes accessing the camera settings less complicated, while the separate NIC method is more complicated but probably more secure.
 
Well there's the remote possibility that a camera could spoof a different MAC address, get a new IP, and access the internet that way if you had blocked its real IP/MAC addresses. With a second NIC and keeping the cameras on a separate network, that would be impossible.
 
Thank you!
 
I had thought about entering bogus DNS addresses into my cameras but that doesn't make sense. A device would not need to use DNS to "phone home." It would have those IP addresses hard-coded.
 
It may or may not have it hard coded, but if you change the gateway to a bogus one, and configure the router to block the IP/MAC, that should stop it. A review of the router traffic log would show anything fishy going on.
 
If it can't find the "gateway", the route to the internet, it can't find the Internet. DNS is just the name service.
 
Uh, yeah, but I don't think it would take much cleverness to know what the gateway of the subnet is.
 
I guess if you leave your network at all the defaults that might be true. A list of only a hundred or so would probably work. Again, I doubt it's a serious problem, especially if the IP/MAC is blocked by the router.
 
Log into the camera and turn off ALL services like UPnP .. set a static IP for each camera ... delete the gateway and DNS in the camera settings; if it won't let you, just retype the LAN IP. This way it has no gateway .. in the router, block the static IP address, in and out, all ports. Turn off UPnP on the router .. also you can set up BI to only accept certain LAN IP addresses to log in. Make sure each camera has its own separate password ... use a VLAN .. never ever port forward .. I'm missing some but good start
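
Added example (not posted by any participant in this thread): one way to do the router traffic log review suggested above, flagging camera traffic that tries to leave the LAN, a camera MAC showing up on a new IP, and devices missing from the inventory. It assumes the router firmware logs forwarded packets in iptables LOG style; the subnet, IPs, MACs and log lines are constructed sample values.

```python
import ipaddress
import re

# Assumed inventory (constructed values, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERAS = {"192.168.1.101": "00:11:22:33:44:01",   # static IP -> expected MAC
           "192.168.1.102": "00:11:22:33:44:02"}
OTHER_KNOWN_MACS = {"00:aa:bb:cc:dd:50"}            # PCs, NVR, phones

# Constructed log lines in iptables LOG style. MAC= holds destination MAC,
# source MAC, then EtherType, so the sender is bytes 7 to 12.
R = "aa:bb:cc:00:00:01"  # router's LAN MAC (constructed)
SAMPLE_LOG = f"""\
kernel: FWD IN=br0 OUT=eth0 MAC={R}:00:11:22:33:44:01:08:00 SRC=192.168.1.101 DST=203.0.113.7 PROTO=TCP SPT=40112 DPT=443
kernel: FWD IN=br0 OUT=eth0 MAC={R}:00:aa:bb:cc:dd:50:08:00 SRC=192.168.1.50 DST=198.51.100.20 PROTO=TCP SPT=51514 DPT=443
kernel: FWD IN=br0 OUT=eth0 MAC={R}:00:11:22:33:44:02:08:00 SRC=192.168.1.180 DST=203.0.113.7 PROTO=TCP SPT=40200 DPT=80
kernel: FWD IN=br0 OUT=eth0 MAC={R}:de:ad:be:ef:00:01:08:00 SRC=192.168.1.181 DST=203.0.113.7 PROTO=TCP SPT=40201 DPT=80
kernel: FWD IN=br0 OUT=br0 MAC=00:11:22:33:44:01:00:aa:bb:cc:dd:50:08:00 SRC=192.168.1.50 DST=192.168.1.101 PROTO=TCP SPT=51600 DPT=80
kernel: FWD IN=br0 OUT=eth0 MAC={R}:00:11:22:33:44:02:08:00 SRC=192.168.1.102 DST=8.8.8.8 PROTO=UDP SPT=5353 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def review(log_text):
    """Return (reason, src_ip, src_mac, dst_ip, dst_port) per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "MAC"} <= f.keys():
            continue                      # not a packet log line
        if ipaddress.ip_address(f["DST"]) in LAN:
            continue                      # local viewing of a camera is expected
        src = f["SRC"]
        mac = ":".join(f["MAC"].lower().split(":")[6:12])
        if src in CAMERAS:
            reason = "camera-outbound"        # includes DNS and hard-coded IPs
        elif mac in CAMERAS.values():
            reason = "camera-mac-on-new-ip"   # camera picked up another address
        elif mac not in OTHER_KNOWN_MACS:
            reason = "unknown-device"         # possible spoofed MAC on a new lease
        else:
            continue                      # known non-camera device
        findings.append((reason, src, mac, f["DST"], f.get("DPT", "")))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

A camera that has spoofed a new MAC and taken a new IP can only show up here as "unknown-device", which is why the inventory of other known MACs has to be kept complete.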