CCTV Security and Firewall Asus AX86U

[thewizard1241]

Hi everyone,

ll keep this short, im basically trying to setup a firewall rule within the asus router to ONLY allow my CCTV cameras to allow certain ports, and have anything else trying to open a port be blocked.

How do i go about doing this? Ive gone into Firewall - Network Services Filter > Whitelist

I assume thats correct? I just cannot get it working im unsure what to put as source ip and if should put a source port etc. Everything ive tried doesnt seem to work

 

[ColinTaylor]

Are you talking about blocking outbound connections from the cameras to the internet or inbound connections?

 

[thewizard1241]

Are you talking about blocking outbound connections from the cameras to the internet or inbound connections.

In a security sense i basically want to be able to prevent outside hackers from being able to access the cameras, while still maintaining MY access to the cameras + email notifcations. So i cant block complete outgoing connections from the NVR so i want to limit the specific ports which are only the mandatory ones so atleast that way itll make it harder for a hacker to access.

 

[ColinTaylor]

You don't need to block any outgoing ports. The only unsolicited incoming traffic that can reach your NVR is on the ports that you have forwarded in the firewall. All other unsolicited traffic will be dropped by the router's firewall as it has not be told where to forward it.

 

[thewizard1241]

You don't need to block any outgoing ports. The only unsolicited incoming traffic that can reach your NVR is on the ports that you have forwarded in the firewall. All other unsolicited traffic will be dropped by the router's firewall as it has not be told where to forward it.

Okay thanks! How do i go about setting this up then?

I have both UpnP and Port Forward OFF

 

[ColinTaylor]

I thought you already had this set up and working? You'll have to explain what you currently have set up and what is and isn't working.

 

[thewizard1241]

I thought you already had this set up and working? You'll have to explain what you currently have set up and what is and isn't working.

Sorry im kinda a noob at this.

Basically i want to secure my CCTV cameras and prevent them from being hacked into or have my home network compromised.

What do i need to setup in order to achieve this?

 

[ColinTaylor]

Do you want to access your NVR remotely from the internet? Does your NVR offer that as an option, and if so how does that work (there are various methods that might be used)?

 

[thewizard1241]

Do you want to access your NVR remotely from the internet? Does your NVR offer that as an option, and if so how does that work (there are various methods that might be used)?

Yes i need remote access simply due to email notifications via the app. It does this by connecting to some remote server through the app which then allows me to view the stream on my phone.

I tried setting up a VPN connection into my home and accessing the cameras that way however the issue with that is i miss out on the email notifications/push notifications.

So to my thinking is there a way i can only allow ports for email/push notifications, then i could just remote in via vpn to view them instead of the NVR going to its remote server first?

I could be completely wrong and confusing things lol

 

[ColinTaylor]

Sorry, I don't see why simply running a VPN server on your router would disable the NVR's ability to send you emails.

So to my thinking is there a way i can only allow ports for email/push notifications, then i could just remote in via vpn to view them instead of the NVR going to its remote server first?

Are the emails/notifications being sent to you directly from the NVR? I would imagine that this is actually a service being provided by the remote server.

 

[thewizard1241]

Sorry, I don't see why simply running a VPN server on your router would disable the NVR's ability to send you emails.


Are the emails/notifications being sent to you directly from the NVR? I would imagine that this is actually a service being provided by the remote server.

Sorry basically what i meant was the point of vpn in to LAN is only valid if i completely cut off internet access to the NVR. But now i realise i cannot completely cut off internet access as i need notifcation alerts when im out.

 

[ColinTaylor]

But now i realise i cannot completely cut off internet access as i need notifcation alerts when im out.

So the only way of connecting to the NVR from the internet is to go via the remote server. There is no possibility of direct access to the NVR (or any other device on your LAN) from a malicious source because you have disabled UPnP and Port Forwarding.

If you want to receive the email notifications you're going to have to trust in the security provided by the remote server.

That said, of course the most important thing is to run anti-virus software on your LAN clients because if one of those got infected then every device on your LAN is potentially at risk.

 

[thewizard1241]

So the only way of connecting to the NVR from the internet is to go via the remote server. There is no possibility of direct access to the NVR (or any other device on your LAN) from a malicious source because you have disabled UPnP and Port Forwarding.

If you want to receive the email notifications you're going to have to trust in the security provided by the remote server.

That said, of course the most important thing is to run anti-virus software on your LAN clients because if one of those got infected then every device on your LAN is potentially at risk.

yeah i figured itd be complicated.

So i guess the only way as you said is remote server. That being said, how can i atleast protect my lan from being hacked into or data theivery?

One way was using a switch to setup a VLAN to seperate the CCTV away from my home network, but then i have trouble connecting into my NVR over my lan which ofcourse duhh thats what happens when you setup different vlans.

Is there a way i could access the vlan NVR with my lpatop without the NVR being able to access my home network?

 

[ColinTaylor]

Is there a way i could access the vlan NVR with my lpatop without the NVR being able to access my home network?

You could make the port that the laptop is plugged into a member of both VLANs.

 

[thewizard1241]

You could make the port that the laptop is plugged into a member of both VLANs.

The issue it my laptop is wireless and so is my phones. Do asus routers support guest mode on aimesh + wired clients? If so that'd be a better route

 

[ColinTaylor]

The issue it my laptop is wireless and so is my phones. Do asus routers support guest mode on aimesh + wired clients? If so that'd be a better route

No, guest networks are for WiFi devices only.