Blocking Camera Access from WAN

cdikland

Regular Contributor
I am running Merlin FW v384.11 on an Asus RT-AC86U with OpenVPN 1 enabled. Recently, I added 4 IP Wansview cameras and noticed when using their app I was able to access each camera remotely. The app does not provide any capability to restrict wan access and when talking to Wansview support they suggested adding a FW rule. I added the following rules, which I borrowed from another post, for each camera:
iptables -I FORWARD 2 -s cam-lan-ip -o eth0 -j DROP

Success so far. Each camera is still accessible from within the LAN and no longer accessible from the WAN. Problem is, it is also no longer accessible when I connect to my VPN. I can (and have) connected each camera to other video apps such as BlueIris or iSpy, and most of my problems are solved. The only problem is that I must use the Wansview app to modify camera settings which, with the above rules enabled, is only possible when connected to the LAN.

Is there any additional rule(s) I should or could add that would permit access to each camera when connected to VPN?

Hope this makes sense
 

Add rule for inbound OpenVPN server access to cameras
 


Maybe I am missing something here or I have got it all wrong, but adding the following didn't seem to make any difference.

From your post I modified :

Firewall $ACTION FORWARD -s $CAMERA -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
Firewall $ACTION FORWARD -s $CAMERA -i br0 -o tun2+ -j ACCEPT

to

iptables -I FORWARD -s 192.168.1.248 -i eth0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
iptables -I FORWARD -s 192.168.1.248 -i eth0 -o tun2+ -j ACCEPT

and/or

iptables -I FORWARD -s 192.168.1.248 -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
iptables -I FORWARD -s 192.168.1.248 -i br0 -o tun2+ -j ACCEPT

If that is what you meant, then I assume the problem lies within the Wansview app itself.
 

The thread How to block ip camera from accessing the internet covers this, although the script now creates its own chain (to keep the FORWARD chain clean of clutter, and to make it easier to ensure that the rules are inserted at the appropriate ranking).
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src udp dpt:123
2        0     0 LOG        all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src LOG flags 7 level 4 prefix "[BLOCKED - IOT] "
3        0     0 DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src
4     560K  275M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5    33663 4193K MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
6    26944 3719K MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
7     6656  356K MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
8        2    88 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
9       86  5342 MyHive     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hive src,dst
10       3   278 MyTplink   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Tplink src,dst
11       0     0 MyIot      all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Iot src,dst
12    5500  400K other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0          
13    1859  195K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
14    2015 92295 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
15    9122 2610K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
16    9121 2609K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
17       1    44 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
18       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
19       0     0 DNSFILTER_DOT  tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
20       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

So two rules are inserted for each IPCAM device, i.e. ALL unsolicited inbound requests from the WAN are DROP'd, but the IPCAMs can always respond outbound via the OpenVPN servers.
Code:
iptables -A MyIPCAMs -d xxx.xxx.xxx.xxx -i eth0 -m state --state NEW -j DROP
iptables -A MyIPCAMs -s xxx.xxx.xxx.xxx -i br0 ! -o tun2+ -j DROP
Code:
Chain MyIPCAMs (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1     1822  138K ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
2        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.120          state NEW
3     1187 71220 DROP       all  --  br0    !tun2+  10.88.8.120          0.0.0.0/0          
4        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.121          state NEW
5        0     0 DROP       all  --  br0    !tun2+  10.88.8.121          0.0.0.0/0          
6        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.122          state NEW
7        0     0 DROP       all  --  br0    !tun2+  10.88.8.122          0.0.0.0/0          
8        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.123          state NEW
9     2091  125K DROP       all  --  br0    !tun2+  10.88.8.123          0.0.0.0/0          
10       0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.125          state NEW
11    2163  130K DROP       all  --  br0    !tun2+  10.88.8.125          0.0.0.0/0          
12       0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.148          state NEW
13       4   240 DROP       all  --  br0    !tun2+  10.88.8.148          0.0.0.0/0

P.S. I think there was a similar thread about another bespoke IPCAM management utility, not sure if the root cause was because the App was only able to use broadcast on the LAN, or there were other firewall rules with a higher priority?
Not sure if the OP managed to resolve/identify if that was the issue as ALL Ports should be allowed unrestricted.
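Added example (not code from the thread or from the script it refers to): a small evaluator that walks the FORWARD rules shown in the listing above the way the kernel does, first match wins and a user chain that matches nothing returns to the caller, so you can see which rule decides each packet. It reproduces the posted order of rules 4, 6, 13, 16, 17 and 18 and the two per-camera rules; chains whose contents the page does not show (OVPN, NSFW, other2wan, the ipset-based ones) are either omitted or, for OVPN, replaced by an assumed rule that admits new connections from an OpenVPN server tunnel (tun21 is the first server's interface on Merlin firmware). The packets are constructed, 10.8.0.2 is an assumed VPN client address, and conntrack state is simply stated per packet. Two things the run makes visible: the second post's variant with `-i eth0 -s <camera LAN address>` can never match, because `-i` is the interface a packet arrived on and the camera's packets arrive on br0, so the camera keeps full internet access; and, in the listing, the jump into MyIPCAMs is itself limited to `-i br0`, so the `-d <camera> -i eth0 ... NEW` rules inside it are never consulted for WAN-originated packets (consistent with their zero counters). That is harmless while the chain's policy drops such packets anyway, but a port forward to a camera would be accepted by rule 17 before anything inside MyIPCAMs is seen; the `jump_in_if=None` run shows what happens when the jump is not restricted to br0.

```python
from dataclasses import dataclass
from typing import Optional

LAN, WAN = "br0", "eth0"                    # interface names as they appear in the listing
CAMERAS = ["10.88.8.120", "10.88.8.121"]    # two camera addresses from the posted MyIPCAMs chain

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str                   # interface the packet arrived on (what -i tests)
    out_if: str                  # interface the route sends it out of (what -o tests)
    state: str = "NEW"           # what conntrack would report: NEW / ESTABLISHED / RELATED
    proto: str = "tcp"
    dport: Optional[int] = None
    dnat: bool = False           # True if a port-forward (DNAT) rewrote the destination

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, or the name of a user chain to jump to
    in_if: Optional[str] = None  # -i ; leading "!" negates, trailing "+" is a prefix wildcard
    out_if: Optional[str] = None # -o ; same syntax
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: tuple = ()           # -m state --state ...
    dnat: Optional[bool] = None  # -m conntrack --ctstate DNAT

def iface_match(pattern, name):
    if pattern is None:
        return True
    negate = pattern.startswith("!")
    pat = pattern.lstrip("!")
    hit = name.startswith(pat[:-1]) if pat.endswith("+") else name == pat
    return hit != negate

def matches(rule, pkt):
    return (iface_match(rule.in_if, pkt.in_if) and iface_match(rule.out_if, pkt.out_if)
            and rule.src in (None, pkt.src) and rule.dst in (None, pkt.dst)
            and rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)
            and rule.dnat in (None, pkt.dnat)
            and (not rule.states or pkt.state in rule.states))

def walk(chains, pkt, chain):
    """First matching terminal rule wins; a user chain that matches nothing returns None."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        sub = walk(chains, pkt, rule.target)     # jump; fall through on implicit RETURN
        if sub is not None:
            return sub
    return None

def build_chains(cameras, jump_in_if=LAN, cam_rule_in_if=LAN):
    """FORWARD as listed on the page, reduced to the rules that decide camera traffic.
    jump_in_if     -i on the MyIPCAMs jump (br0 in the listing; None = any interface).
    cam_rule_in_if -i on the per-camera egress DROP (br0 on the page; eth0 in the second post)."""
    ipcams = [Rule("ACCEPT", in_if=LAN, out_if=WAN, proto="udp", dport=123)]       # NTP
    for cam in cameras:
        ipcams.append(Rule("DROP", dst=cam, in_if=WAN, states=("NEW",)))            # unsolicited WAN -> cam
        ipcams.append(Rule("DROP", src=cam, in_if=cam_rule_in_if, out_if="!tun2+"))  # cam -> all but OpenVPN server
    return {
        "FORWARD": [
            Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),   # rule 4: replies always pass
            Rule("MyIPCAMs", in_if=jump_in_if),                  # rule 6
            Rule("ACCEPT", in_if=LAN, out_if=LAN),               # rule 13
            Rule("ACCEPT", in_if=LAN),                           # rule 16: LAN may go anywhere
            Rule("ACCEPT", dnat=True),                           # rule 17: port forwards
            Rule("OVPN", states=("NEW",)),                       # rule 18
        ],
        "MyIPCAMs": ipcams,
        # Assumption (chain contents not shown on the page): Merlin's OVPN chain admits
        # new connections arriving from an OpenVPN server tunnel into the LAN.
        "OVPN": [Rule("ACCEPT", in_if="tun2+", out_if=LAN)],
    }

CAM = CAMERAS[0]
SCENARIOS = {   # constructed packets, not captures; 10.8.0.2 is an assumed VPN client address
    "cam_to_internet":   Packet(CAM, "203.0.113.10", LAN, WAN, dport=443),
    "cam_ntp":           Packet(CAM, "203.0.113.10", LAN, WAN, proto="udp", dport=123),
    "vpn_client_to_cam": Packet("10.8.0.2", CAM, "tun21", LAN, dport=80),
    "cam_reply_to_vpn":  Packet(CAM, "10.8.0.2", LAN, "tun21", state="ESTABLISHED"),
    "cam_new_to_vpn":    Packet(CAM, "10.8.0.2", LAN, "tun21"),
    "wan_to_cam":        Packet("198.51.100.7", CAM, WAN, LAN, dport=80),
    "wan_to_cam_dnat":   Packet("198.51.100.7", CAM, WAN, LAN, dport=80, dnat=True),
}

def evaluate(chains):
    """Verdict per scenario; FORWARD's policy is DROP in the listing, so no match means DROP."""
    return {name: walk(chains, pkt, "FORWARD") or "DROP" for name, pkt in SCENARIOS.items()}

if __name__ == "__main__":
    for label, kw in [("as listed on the page", {}),
                      ("MyIPCAMs jump without -i br0", {"jump_in_if": None}),
                      ("egress DROP with -i eth0 (second post)", {"cam_rule_in_if": WAN})]:
        print(label)
        for name, result in evaluate(build_chains(CAMERAS, **kw)).items():
            print(f"  {name:18} {result}")
```

Because the egress rule is written as `! -o tun2+` rather than matching the WAN interface, the camera's traffic towards a connected VPN client is allowed even when it is the camera that opens the connection, and replies are accepted earlier by the RELATED,ESTABLISHED rule; that is the property the last post describes, and it does not by itself explain an app that still fails over the VPN, which is why the P.S. above points at the app's own behaviour.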
 
