Incoming fixed IP rule


rcmcmullen
Hello

I have an AC5300 running the latest Merlin and have been hardening my network. I've set up a VPN server on a VPS and have configured it so that I drop all incoming traffic by default and punched a hole in the firewall to allow traffic from a fixed IP (my VPN connection).

The router just forwards the SSH traffic to my SSH box; all the magic happens using ufw to handle that.

I have a camera system NVR on my LAN that I am wanting to do the same with, so remote viewing is restricted to just my incoming fixed IP (VPN connection).

Two trails to go down here. One: I am wanting to set it up through the router, if possible, to only allow a certain IP to pass traffic to, say, port 85. I'm thinking that can be done manually through iptables, but I am not sure how to do that.

The 2nd trail: how can I go about putting that NVR on its own isolated LAN so it cannot access anything within my network (paranoia that if I have an aftermarket IP camera, it gets hijacked)?

Any advice? I am considering, down the road, finding a better NVR, but maybe I can make something work with what I have without getting too complicated.

ty.
 
Why is your OpenVPN server running on a VPS rather than your primary router? I've seen this done in the past when the ISP doesn't support port forwarding, usually because they've given you a private IP or are using CGNAT. I just want to be sure I correctly understand the rationale behind this config.

Assuming I do, I also assume you're routing ssh clients through the VPS, through its OpenVPN server, through the OpenVPN client on your router (i.e., site-to-site), and over to the target(s). And if you are, then it should be a simple matter to limit the ufw rule(s) to specific public source IP(s). IOW, there's no need to allow such traffic to get all the way to the *router* before you block it (which appears to be your present thinking).

As far as isolating the NVR or any other devices from the private network, the simplest solution is to use a guest network and deny intranet access. However, it wasn't clear from your post if you need remote access to those same devices using the VPS.
 
I set up the VPN server on a VPS for the static IP; then I can block all other IPs from accessing SSH and my Nextcloud server.

My NVR manufacturer went belly up, so it's not going to be seeing any more updates, which I see as a security problem. My thinking is to make use of what I've done with SSH and Nextcloud by blocking all other incoming traffic except from my VPN's static IP.

To my understanding, with the Merlin firmware the guest network only applies to wireless networks; my NVR is wired.

I have some of the Entware scripts running on the ASUS. I took a peek at the current iptables chains and, with some of the scripts running, I think they might overwrite anything I manually add to iptables; that, and I'm limited in my iptables knowledge.

As far as the VLAN goes, I did some more digging after posting this and am seeing some methods using a smart switch for isolation... testing the waters and seeing what other kinds of ideas are out there.
 
ipset and iptables for this. We've done it for years on our boxes. It would be nice to see one of the firewall scripts expanded to allow this from the GUI (forwarding rules with explicit IP addresses). Some ports need to be invisible to all but the most special IP addresses.
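
The source-restricted port forward asked about in the first post, done the way the previous reply suggests (ipset plus iptables), as an added example that is not code from the thread or from Asuswrt-Merlin itself. It is written as a `/jffs/scripts/firewall-start` script because Merlin re-runs that script every time it rebuilds the firewall, which addresses the worry above that the firmware or add-on scripts will wipe hand-added rules. The addresses, port, interface and set name are assumed placeholders; `DRY_RUN=1` prints the commands so the logic can be checked on a workstation without root.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): restrict an
# existing GUI port forward so only one trusted source address can reach it,
# using ipset + iptables. Intended as /jffs/scripts/firewall-start, which
# Merlin re-runs whenever the firewall is rebuilt, so the rule is re-applied
# instead of being lost when the firmware regenerates its chains.
# Every address, port and set name below is an assumed placeholder.

TRUSTED_SET="nvr_trusted"
TRUSTED_IPS="203.0.113.5"      # static IP of the VPS/VPN endpoint (assumed)
NVR_IP="192.168.1.50"          # NVR's LAN address, the port forward target (assumed)
NVR_PORT="85"                  # internal port the forward delivers to (assumed)
# Interface the packets arrive on; nvram only exists on the router itself.
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"

# DRY_RUN=1 prints each command instead of executing it, so the script can be
# checked on a workstation without root or a real firewall.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Match spec for the DROP rule. DNAT happens in PREROUTING, before FORWARD sees
# the packet, so match the NVR's LAN address and internal port, not the
# public-facing ones. Any source not in the set is dropped before the
# firmware's own ACCEPT for the forward can fire.
drop_rule_args() {
  printf '%s' "FORWARD -i $WAN_IF -d $NVR_IP -p tcp --dport $NVR_PORT -m set ! --match-set $TRUSTED_SET src -j DROP"
}

# Delete any earlier copies so repeated firewall restarts don't stack duplicates.
remove_stale() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    run iptables -D $(drop_rule_args)
    return 0
  fi
  while iptables -C $(drop_rule_args) 2>/dev/null; do
    iptables -D $(drop_rule_args)
  done
}

build_rules() {
  # -exist makes create/add idempotent; flushing first keeps the set
  # authoritative, so removing an address from TRUSTED_IPS really revokes it.
  # The set is momentarily empty, which fails closed (everything dropped).
  run ipset create "$TRUSTED_SET" hash:ip -exist
  run ipset flush "$TRUSTED_SET"
  for ip in $TRUSTED_IPS; do
    run ipset add "$TRUSTED_SET" "$ip" -exist
  done
  remove_stale
  # -I puts the rule at the top of FORWARD, ahead of the firmware's accept rules.
  run iptables -I $(drop_rule_args)
}

case "${1:-}" in
  apply)   build_rules ;;
  dry-run) DRY_RUN=1 build_rules ;;
esac
```

Run it as `sh firewall-start dry-run` first and compare the printed rule against `iptables -vnL FORWARD` on the router; once it is in place, a `nc -vz <public-ip> 85` from anywhere except the VPS should hang rather than connect. Adding a second trusted address is just another entry in `TRUSTED_IPS`; nothing in the iptables rule changes, which is the point of using a set rather than one rule per source.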
 
If you require VLANs (so you can isolate wired devices from the private network), that will prove problematic w/ Merlin, unless you're willing to go down the third-party scripting path.

As I've said many times, all firmwares have their strengths and weaknesses. And one of Merlin's weaknesses is the lack of user-defined VLANs (at least from the user's perspective; from the developer's perspective, it's never been his intent to support it). That's why it's best to consider these issues *before* you commit to specific hardware and firmware.

I've used (and written my own) scripts to solve specific problems, so I'm not averse to their usage. However, I have my limits, and I'm personally NOT a fan of having third parties messing w/ low-level networking infrastructure (VLANs, VAPs, bridges, etc.) independently of the GUI. Just too many opportunities for conflicts and other problems imo. But that's a decision every user has to make for themselves.

FWIW, I use FT (FreshTomato) for my primary router precisely because it natively supports VLANs in the GUI, making it easy to create and isolate additional networks (and define exceptions). If it wasn't for this fact, I might very well have preferred Merlin, but I wasn't willing to make that compromise. Of course, FT has its own weaknesses compared to Merlin, or even dd-wrt. So it's just a matter of what compromises you're willing to make when choosing your hardware/firmware.
 
P.S. One way to continue using Merlin *and* isolate IoT is to place the latter on its own router, daisy-chained to the primary router (Merlin) WAN to LAN respectively, then adding firewall rules to this IoT router to prevent access to the upstream private network. At least this creates the isolation you need, while retaining access to Merlin and not having to resort to third-party VLAN scripting.
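
The firewall rules the P.S. above refers to, as an added example that is not code from the thread or from any particular firmware: it runs on the downstream IoT router (whose WAN port is cabled to a LAN port of the Merlin router) and drops every new connection its LAN devices try to open toward private address space, which includes the upstream LAN, while leaving Internet access and reply traffic alone. Interface names, the chain name and the `DRY_RUN` switch are assumptions; it targets any router with iptables and conntrack.

```shell
#!/bin/sh
# Added example (not from the thread): isolation rules for a downstream "IoT"
# router whose WAN port is plugged into a LAN port of the primary router.
# Devices behind it reach the Internet, but every NEW connection they open
# toward RFC 1918 space (which covers the upstream LAN) is dropped.
# Interface names, chain name and prefixes are assumed placeholders.

LAN_IF="${LAN_IF:-br0}"   # the IoT router's own LAN bridge (assumed)
WAN_IF="${WAN_IF:-eth0}"  # its WAN port, facing the upstream private LAN (assumed)
CHAIN="IOT_ISOLATE"
# Dropping all private space, not just the upstream subnet, also covers any
# upstream VLANs or renumbering done later.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# DRY_RUN=1 prints each command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

isolation_rules() {
  # Dedicated chain: creating it is a no-op once it exists; flushing it makes
  # reruns idempotent instead of appending duplicate rules.
  run iptables -N "$CHAIN" 2>/dev/null || true
  run iptables -F "$CHAIN"
  # Replies for connections opened from the upstream side (including the
  # Internet, via the upstream router's port forward to the NVR) must still
  # get out, so tracked flows leave the chain untouched.
  run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  for net in $PRIVATE_NETS; do
    # Log before dropping (rate-limited) so a hijacked camera probing the
    # upstream LAN shows up in the router's syslog.
    run iptables -A "$CHAIN" -d "$net" -m limit --limit 5/min -j LOG --log-prefix "iot-isolate: "
    run iptables -A "$CHAIN" -d "$net" -j DROP
  done
  run iptables -A "$CHAIN" -j RETURN
  # Only LAN-to-WAN forwarding is inspected: the upstream LAN is reachable
  # solely through WAN_IF, and traffic between IoT devices never leaves br0.
  run iptables -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -j "$CHAIN" 2>/dev/null || true
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j "$CHAIN"
}

case "${1:-}" in
  apply)   isolation_rules ;;
  dry-run) DRY_RUN=1 isolation_rules ;;
esac
```

Two things to check after applying it. First, DNS: queries the IoT router itself sends to the upstream gateway go through its OUTPUT chain, not FORWARD, so they still work; but if the IoT devices are handed the upstream router's address as their DNS server directly, they will be cut off, so point them at the IoT router or a public resolver. Second, the NVR's remote viewing becomes a two-hop forward (Merlin forwards port 85 to the IoT router's WAN address, which forwards it on to the NVR), and the source-IP restriction belongs on the Merlin router, the first hop that sees the public source address.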
 