how do you isolate cameras from the internet?

Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I access my cameras by a VPN that runs on a UDM-Pro and a POE switch by the same Mfg. All my cameras have a static IP. Is there a simple way to stop these cameras from getting online? And do you need to do more, like keep them from seeing my local shared content? I have a content server.

I think this can be done with VLANs but I don't know where to start, and once you do isolate them how do you test it?

Thanks in advance!
how far have you achieved since last month?
Due to the technical aspects, getting into firewall rules, allow, deny, established, etc.... I mean, it took me a couple of months of serious digging around to understand as an amateur how to do things. Took me a week just to get my Dahua villa VTO working for VPN notification & calls through the firewall.
Lots of headaches and scratching of the head. But I learned a lot.
Not many folks have that time nor stamina to tinker with networking.
I have a UDM and UniFi 48-port POE managed switch. I upgraded from an ASUS router for the more robustness of VLANs and subnets, as I have a home network, Blue Iris / camera network, Home Automation network, guest network, VPN network, FBI/CIA network... you name it!
If you have the time to tinker... we all can help you here.
If you do not wish to tinker... the 2 NIC card setup is the way to go as it's simple and effective.
 

icpilot

Getting comfortable
Joined
Feb 1, 2018
Messages
293
Reaction score
394
The easiest way to block a camera from getting out of your network is to add the MAC address of the camera to your router's firewall and block all traffic from this MAC address AND to that MAC address.

It's the first thing I do before I plug the camera into my network.
I guess this is router dependent? I don't see that option in my current router (Netgear Nighthawk), but I do have the option to Block Services to specific IPs. In my case, I put all the cameras into a block of IPs from 110 to 130. When setting a static IP the router does record the MAC address. Then I told the router to block ALL services (TCP, UDP, DNS, FTP, HTTP, etc., etc.) on ALL ports for that block of IPs -- see attached screenshot. I'm not sure if this is to block inbound or outbound traffic or both, but it's the only option I've found which seems to address this issue.

RouterBlkSvcs.JPG

In looking at the router logs, it seems this is blocking outbound traffic from that block of IPs, as well as some inbound DOS traffic - again, see attached screenshot.

RouterLog.JPG

Suggestions and comments welcomed.
 

icpilot

Getting comfortable
Joined
Feb 1, 2018
Messages
293
Reaction score
394
how far have you achieved since last month?
Due to the technical aspects, getting into firewall rules, allow, deny, established, etc.... I mean, it took me a couple of months of serious digging around to understand as an amateur how to do things. Took me a week just to get my Dahua villa VTO working for VPN notification & calls through the firewall.
Lots of headaches and scratching of the head. But I learned a lot.
Not many folks have that time nor stamina to tinker with networking.
I have a UDM and UniFi 48-port POE managed switch. I upgraded from an ASUS router for the more robustness of VLANs and subnets, as I have a home network, Blue Iris / camera network, Home Automation network, guest network, VPN network, FBI/CIA network... you name it!
If you have the time to tinker... we all can help you here.
If you do not wish to tinker... the 2 NIC card setup is the way to go as it's simple and effective.
Are you using a dedicated firewall? My plan is to do something similar to what you have done. I have already removed the unmanaged switches from the network and replaced them with a managed POE switch (Aruba S2500) plus added a couple of WAPs. But my Netgear router is still performing double duty as a firewall and a DHCP server. I want to remove it and replace it with a firewall appliance running pfSense, but I'm having some difficulty wrapping my head around how the VLAN setup is supposed to work between the Firewall/Switch/WAPs. I can see it in my mind, but getting it translated into the language these various devices will understand has proven to elude me at the moment. The other thing I am trying to do is set up a Trunk/LAGG between the cable modem to the firewall (on the WAN side) - from the firewall to the switch (on the LAN side) - and from the switch to the NAS.

Suggestions welcomed.
 

Gargoile

Getting comfortable
Joined
Oct 18, 2021
Messages
812
Reaction score
3,012
Location
Straight Outta Mayberry
@icpilot I do not know the inner workings of that brand of router. But from what it looks like, it blocks all traffic in and out. I use a Synology RT2600AC. My internet provider initially provided me the modem/router all-in-one, but I have since given back that junk and bought my own modem and router that I can lock down.

Here is just a portion of the items and hit counts that I block.
Photo001.JPG

Also visit GRC and use their tests to see if your network has any leaks or open ports too. GRC.COM
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
... I'm not sure if this is to block inbound or outbound traffic or both, but it's the only option I've found which seems to address this issue.
Yes, rules via MAC address versus IP address are router specific. Most use IP based rules. Your screenshot is a great example of the benefits of IP based rules, you effectively blocked 20 devices with a single rule.

By default, routers block all unsolicited inbound traffic. When a device on your LAN makes a request of the Internet, the request is allowed out (LAN --> WAN) and the response to the (solicited) request is allowed in (WAN --> LAN) to the device that made the original request.

The rule you created applies to traffic out (LAN --> WAN).
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Are you using a dedicated firewall? My plan is to do something similar to what you have done. I have already removed the unmanaged switches from the network and replaced them with a managed POE switch (Aruba S2500) plus added a couple of WAPs. But my Netgear router is still performing double duty as a firewall and a DHCP server. I want to remove it and replace it with a firewall appliance running pfSense, but I'm having some difficulty wrapping my head around how the VLAN setup is supposed to work between the Firewall/Switch/WAPs. I can see it in my mind, but getting it translated into the language these various devices will understand has proven to elude me at the moment. The other thing I am trying to do is set up a Trunk/LAGG between the cable modem to the firewall (on the WAN side) - from the firewall to the switch (on the LAN side) - and from the switch to the NAS.

Suggestions welcomed.
One suggestion I could toss out, have a testing laptop nearby with all sorts of networking programs installed such as Wireshark, Advanced Port Scanner, etc. Watch some videos on how to use these programs. Create your VLAN and/or subnet (all of my subnets are on their own VLAN), attach your testing laptop and do some ... well... testing :)
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
But my Netgear router is still performing double duty as a firewall and a DHCP server. I want to remove it and replace it with a firewall appliance running pfSense, but ...
DHCP service does not generate a lot of traffic, especially if you bump the lease time up (8 days or more). Are you seeing evidence of a performance loss with your current appliance performing firewall and DHCP services? If you replace it with a pfSense appliance, won't the new device perform the same services? Or will you add an additional separate device for DHCP?
 

icpilot

Getting comfortable
Joined
Feb 1, 2018
Messages
293
Reaction score
394
DHCP service does not generate a lot of traffic, especially if you bump the lease time up (8 days or more). Are you seeing evidence of a performance loss with your current appliance performing firewall and DHCP services? If you replace it with a pfSense appliance, won't the new device perform the same services? Or will you add an additional separate device for DHCP?
You raised a really good question. Yes, the pfSense firewall would perform DHCP routing and firewall services. In a broad sense, it is a direct swap. My rationale for the change is as follows:

* Netgear currently provides firewall protection through the Nighthawk router. Separately, Netgear sells a subscription to a service they call "Armor." I don't subscribe to that service, but I have had trial periods where it was operational for a brief time (30 days). Reports from Armor indicated it did, indeed, block a variety of threats. Presumably, once the trial period expired, those threats were allowed into my network - though I've not seen evidence of damage or effect. Still, it is a concern.

* pfSense, as I understand it, has the ability to do much more in-depth screening of incoming traffic to ferret out threats. I think it's called deep packet inspection. My limited (VERY limited) understanding is that this should provide much better protection from outside threats, and it isn't subscription based.

* pfSense also has what appears to be an intuitive setup for VLANs. While it seems straight-forward with pfSense, I am admittedly struggling with how to configure VLANS in pfSense plus the managed POE switch and associated WAPs so that they all play nicely together.

* Similarly, pfSense has an intuitive setup for link aggregation. And again the struggle I have at the moment is configuring the other devices (cable modem, POE switch, NAS) so that the network may be optimized for traffic flow and/or failover.

* Some time back I tried to configure link aggregation between the cable modem and a different Nighthawk router (on the WAN side). It seemed simple enough to configure. When I rebooted the router, it went into some kind of loop where it tries to start up and then cycles back to boot over and over. Resetting the router had no effect. It is essentially a brick. I expect the pfSense appliance (running on an HP T620+) to be more robust.

Countering all that is the fact that I know the Nighthawk pretty well now. Everything else is a learning curve. AND - I cannot point to any specific problem that is driving the change. I've run Shields-Up several times over the past couple of months and it always turns out a clean report. Occasionally I will find something in some of the logs that concern me. The WAPs occasionally show activity I don't expect, such as network traffic to an unrecognized IP. My current level of knowledge isn't sufficient to be able to track those down to find out if I should be concerned or not.

Anyway, those are my thoughts. Again, I welcome any comments or suggestions.
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
Looks like their armor product is simply bitdefender installed on your computers and mobile devices. I think bitdefender makes decent software. I'd like to see the cost difference between buying a multi-device package straight from bitdefender vs netgear armor. I looked briefly on the netgear armor pages, but did not see any prices listed.
I also like pfsense, in part for the reasons you spoke of. So far, my experience has been with their appliances (Netgate sg-1100) v. running on a PC. The management and GUI are pretty much the same regardless of what hardware it runs on.

You mention link aggregation, are you maintaining two internet connections?
 

icpilot

Getting comfortable
Joined
Feb 1, 2018
Messages
293
Reaction score
394
Looks like their armor product is simply bitdefender installed on your computers and mobile devices. I think bitdefender makes decent software. I'd like to see the cost difference between buying a multi-device package straight from bitdefender vs netgear armor. I looked briefly on the netgear armor pages, but did not see any prices listed.
I also like pfsense, in part for the reasons you spoke of. So far, my experience has been with their appliances (Netgate sg-1100) v. running on a PC. The management and GUI are pretty much the same regardless of what hardware it runs on.

You mention link aggregation, are you maintaining two internet connections?
Taking your last question first - no, I don't have 2 internet connections. I thought configuring link aggregation between the cable modem and the router would be straightforward since they are both Netgear products. The pipe coming in is only 1Gb, but as I understand link aggregation, it essentially opens up 2 lanes of traffic so on the WAN side conceivably the upload max and download max speeds, which would exceed 1Gb, could be achieved, plus the failover aspect. Link aggregation is much less an issue on the WAN side than the LAN side. On the LAN devices I anticipate seeing significant improvement on some device interfaces, the NAS being the main one. I just started with that WAN interface because I thought it would be the easiest. It wasn't.

Armor does, indeed, include Bitdefender, but it does more. Actually, it is their inclusion of Bitdefender that initially made me look askance, as I use ESET products for virus protection on my PCs. It seems Armor is primarily intended to be used in combination with their Nighthawk phone app. Here is a screenshot of the Armor security from the Nighthawk app:

Screenshot_20211113-120405.jpg

When I visit the Notification page on the app, it shows a number of threats it says were blocked ....

Screenshot_20211113-120330.jpg

As I say, with expiration of the Armor trial, I presume it will allow those same exploits to run amok inside my network, which sort of sucks, I think. :)

In terms of pricing, it lists for $99 per year, but they keep offering me discounts, the latest being a 70% discount ...

Screenshot_20211113-120459.jpg


It may be that I am growing anxious about network security threats that are not really there. In the area of cyber-threats, it seems the greatest threats are those you don't know about. So I am hoping pfSense will provide solid protection without tying me into a subscription model. $30 is trivial, but free is even better.
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
I use BI on my flat network at home. Flat being that there are no vLANs or subnets but is instead a single private IP range of 192.168.73.x/24 which includes the cameras. I statically assign the cameras and simply set the default gateway to the wrong value. On my network the gateway is 192.168.73.1 but on the cameras I set the gateway to 192.168.73.254 which means they can never speak to the internet.

I am able to view my cameras remotely across my VPN because the BI Windows box is set with internet access and the correct gateway. I also have a firewall rule prohibiting outbound traffic from the group of private IP addresses my cameras are assigned to just in case. I have an NTP server on my private home network which the cameras can talk to so the frankly horrific Dahua time drift is kept to a minimum.

A simple solution I would say. Just my 2 cents on how I isolate my cameras.
 

Teken

Known around here
Joined
Aug 11, 2020
Messages
1,521
Reaction score
2,747
Location
Canada
I use BI on my flat network at home. Flat being that there are no vLANs or subnets but is instead a single private IP range of 192.168.73.x/24 which includes the cameras. I statically assign the cameras and simply set the default gateway to the wrong value. On my network the gateway is 192.168.73.1 but on the cameras I set the gateway to 192.168.73.254 which means they can never speak to the internet.

I am able to view my cameras remotely across my VPN because the BI Windows box is set with internet access and the correct gateway. I also have a firewall rule prohibiting outbound traffic from the group of private IP addresses my cameras are assigned to just in case. I have an NTP server on my private home network which the cameras can talk to so the frankly horrific Dahua time drift is kept to a minimum.

A simple solution I would say. Just my 2 cents on how I isolate my cameras.
Simple & Effective!
 

xmfan

Getting the hang of it
Joined
Nov 30, 2017
Messages
187
Reaction score
96
I use BI on my flat network at home. Flat being that there are no vLANs or subnets but is instead a single private IP range of 192.168.73.x/24 which includes the cameras. I statically assign the cameras and simply set the default gateway to the wrong value. On my network the gateway is 192.168.73.1 but on the cameras I set the gateway to 192.168.73.254 which means they can never speak to the internet.

I am able to view my cameras remotely across my VPN because the BI Windows box is set with internet access and the correct gateway. I also have a firewall rule prohibiting outbound traffic from the group of private IP addresses my cameras are assigned to just in case. I have an NTP server on my private home network which the cameras can talk to so the frankly horrific Dahua time drift is kept to a minimum.

A simple solution I would say. Just my 2 cents on how I isolate my cameras.

@smoothie Thank you !!! Your feedback is more at my speed. :p
There's a wealth of details posted, starting from the original post, and I plan to go back and re-read them to gain that advanced knowledge. Meanwhile, I do need to get my cameras operational. What you wrote sounds very straightforward.

In addition to your feedback I read in another post where it was suggested to block internet access by MAC address. Then, another post suggested grouping the Cam IPs and blocking that group from accessing the internet.
As a beginner to configuring the BI setup, these three things are easy and quick to accomplish.

So, networking experts - if I do the above, am I protecting myself well by blocking the cameras from talking to the internet?
 

DanDenver

Getting comfortable
Joined
May 3, 2021
Messages
488
Reaction score
781
Location
Denver Colorado
I just went into the settings for my Orbi router and turned off internet access for each of my cameras. That of course was after I set each camera to a static IP.
 

ARAMP1

Pulling my weight
Joined
Feb 13, 2018
Messages
242
Reaction score
171
Location
Memphis, TN
It's pretty easy in pfSense but I may have made it a little more complicated than necessary. I have a VLAN setup where only my cameras and Blue Iris machine are members...VLAN30. I set up an alias for an ip range 192.168.30.10-192.168.30.100 called "CAMERAS". When I get a new camera, I give it an address that falls in that range. (Front of the house cameras are 192.168.30.1Xs, backyard cameras are 192.168.30.4Xs, etc)

First rule in VLAN30 is to allow port 123 for NTP. Second rule is to block "CAMERAS" (everything in the IP range of 192.168.30.10 through 192.168.30.100) from accessing anything else. It seems to have worked well so far.

Camera Rulz.jpg
 

xmfan

Getting the hang of it
Joined
Nov 30, 2017
Messages
187
Reaction score
96
It's pretty easy in pfSense but I may have made it a little more complicated than necessary. I have a VLAN setup where only my cameras and Blue Iris machine are members...VLAN30. I set up an alias for an ip range 192.168.30.10-192.168.30.100 called "CAMERAS". When I get a new camera, I give it an address that falls in that range. (Front of the house cameras are 192.168.30.1Xs, backyard cameras are 192.168.30.4Xs, etc)

First rule in VLAN30 is to allow port 123 for NTP. Second rule is to block "CAMERAS" (everything in the IP range of 192.168.30.10 through 192.168.30.100) from accessing anything else. It seems to have worked well so far.

View attachment 108338
Thank you for the screenshot and the details you provided. This is my speed to learn from. I do have some questions. Thank you for clarifying about the NTP port, granting it access.

1) Why did you choose to put the BI server along with the cams then blocked that server? From what I've seen others have done is only put the cams in the group then blocked it from internet access
2) With BI machine denied access, how are you applying Windows updates to that machine?

thank you !!
 

ARAMP1

Pulling my weight
Joined
Feb 13, 2018
Messages
242
Reaction score
171
Location
Memphis, TN
Thank you for the screenshot and the details you provided. This is my speed to learn from. I do have some questions. Thank you for clarifying about the NTP port, granting it access.

1) Why did you choose to put the BI server along with the cams then blocked that server? From what I've seen others have done is only put the cams in the group then blocked it from internet access
2) With BI machine denied access, how are you applying Windows updates to that machine?

thank you !!
Only the cameras are in the blocked IP range. The Blue Iris computer is outside of that range and has fairly full internet access.
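Pulling the two isolation approaches in this thread together as an added example (my own code, not anything posted by smoothie, ARAMP1 or the pfSense project): a small Python model of the bogus-default-gateway trick on the flat 192.168.73.0/24 network and of the VLAN30 "CAMERAS" alias rules, evaluated first-match the way pfSense interface rules are. The VLAN30 /24 prefix, the Blue Iris box at 192.168.30.200, the catch-all third pass rule, and the 203.0.113.x addresses are assumptions I constructed; the point both halves make is that neither method touches traffic that stays on the cameras' own subnet, and that rule order decides whether NTP survives the block rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ---- smoothie's flat network: cameras get a bogus default gateway ----
FLAT_NET = ip_network("192.168.73.0/24")
REAL_GATEWAY = ip_address("192.168.73.1")
BOGUS_GATEWAY = ip_address("192.168.73.254")   # nothing answers here

def camera_can_send(dst: str, camera_gateway=BOGUS_GATEWAY) -> bool:
    """Can a camera configured with camera_gateway get a packet to dst?
    On-link hosts are reached by ARP through the switch, so the gateway
    setting is irrelevant; off-link hosts need a real gateway."""
    if ip_address(dst) in FLAT_NET:
        return True                      # BI box, NTP server, content server...
    return camera_gateway == REAL_GATEWAY

# ---- ARAMP1's pfSense VLAN30 rules as first-match evaluation ----
VLAN30_NET = ip_network("192.168.30.0/24")   # assumed: VLAN30 is a /24
CAM_LO, CAM_HI = ip_address("192.168.30.10"), ip_address("192.168.30.100")

def in_cameras(ip: str) -> bool:
    """The 'CAMERAS' alias from the thread: an address range, not a prefix."""
    return CAM_LO <= ip_address(ip) <= CAM_HI

def any_host(ip: str) -> bool:
    return True

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

# (action, source predicate, protocol or "any", destination port or None)
VLAN30_RULES = [
    ("pass",  in_cameras, "udp", 123),   # rule 1: cameras may reach NTP
    ("block", in_cameras, "any", None),  # rule 2: CAMERAS to anything else
    ("pass",  any_host,   "any", None),  # assumed rule 3: lets the BI box out
]

def firewall_sees(pkt: Packet) -> bool:
    """Two hosts on the same VLAN talk through the switch, never the
    firewall, so no rule on the VLAN30 tab can affect camera -> BI traffic."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return not (src in VLAN30_NET and dst in VLAN30_NET)

def evaluate(pkt: Packet, rules=VLAN30_RULES) -> str:
    """Return 'pass', 'block', or 'switched' (never reached the firewall)."""
    if not firewall_sees(pkt):
        return "switched"
    for action, src_ok, proto, dport in rules:
        if not src_ok(pkt.src):
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action        # first match wins, as on a pfSense interface tab
    return "block"           # pfSense's implicit default deny
```

Swapping rules 1 and 2 makes the block rule match the NTP packet first, which is the test to run against a real ruleset before trusting that the cameras keep time.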
 