
Iptables to allow outgoing but block incoming...

macster2075

Very Senior Member
Is there a way to block incoming connections to specific devices, but allow outgoing only?
I was thinking iptables, but I am not sure.
 
Block from where? The internet (WAN)? If so, they're already blocked by default. And local devices have outbound access by default as well.
 
I have security cameras, but apparently they don't like to be without internet access. If I completely block internet on them, they become very unstable. So I was told in a forum for these cameras that the reason is that they automatically try to connect to their servers every few minutes, and if they cannot connect, they become unstable until they find a connection.

So, I was thinking... maybe allow them outgoing connections, but block any incoming connection from the company servers... I don't know, I'm just trying to figure something out until I can afford better cameras.
 
As I said, all devices already have the ability to establish outbound connections and receive replies from remote sites/servers. And the router's IP firewall on the WAN already prevents the *initiation* of new inbound connections from their servers and to the same device.

What's more likely the issue is that these devices are establishing a *tunnel* from which they can initiate inbound activity at any time. And if that's the case, there's not much you can do about it. That's how my OOMA voip adapter works. It uses OpenVPN to establish a persistent outbound connection. Then when a call comes in, it's routed from the far end of the tunnel and back to my VOIP adapter. I can't prevent it from doing this. That's how it works. And if that's how your device works, there's nothing you can do about it other than cutting off *all* internet access, even outbound.
 
P.S. This is why people are so interested these days in IOT networks. Although you may not be able to prevent internet access if you expect to keep a given device functional/stable, if you can at least keep those devices isolated on their own network, w/ no access to the private network, then it's much less of a concern.
 
I've tried to isolate the AP, but then the cameras won't connect to the NVR.

What’s the best way for me to isolate them on Asus router?

The wifi network they are on right now, the 2.4GHz one, only has cameras and IoT devices connected to it.

I'm using the 5GHz band for my personal stuff... but if I isolate the 5GHz band, then I can't communicate with the cameras lol
 
Unfortunately, ASUS doesn't make it easy to properly support an IOT network. You're forced to use a guest network, which isn't ideal. For one thing, it doesn't provide wired support. And intranet access is an all or nothing choice; there's no granularity. Even the isolation it provides is NOT complete; what few people realize is that only TCP and ICMP (except for the router) are blocked; UDP and any other protocols are fair game. And at least on my RT-AC68U, guest #1 doesn't provide any isolation at all! Due to the mess ASUS made of guest networks to support AiMesh, it denies me access to guest #1 unless I have intranet access enabled.

Frankly, even within the definition of IOT (which is pretty loosely defined as it is), there are different sub-classifications of IOT. For example, there are devices that need absolutely NO access from any other local networks. But there are other devices that might occasionally need it (e.g., a smart TV w/ Chromecast). In this latter case, you still want to be able to "reach out" to that device for casting purposes. That's why a "one size fits all" solution based on the ASUS definition of a guest network is inadequate (at least for me).

To put it bluntly, the firmware was simply never designed to handle guest networks except exactly as ASUS defines it. And any other usage tends to come up short in important ways. It's one of the reasons I do NOT use ASUS OEM/Merlin for my primary router (I use it for other purposes, and for my other customers, but just not for me as my primary router). I use either FT (FreshTomato) or DD-WRT (but like any third-party firmware, they have their own advantages and disadvantages). These allow me to create additional networks (wired and/or wireless) to meet my own specific requirements.

Given all that, and assuming you want/need to stick w/ Merlin, I suggest using a secondary router daisy-chained behind the primary router, one which supports FT. The rationale for that suggestion is explained (by me) in the following link.


It's a good compromise between maintaining what you have and otherwise like, while still being able to *properly* configure your IOT network(s) to meet your specific requirements.
 
I have tried setting up another router with Tomato using different subnet, but if I remember correctly, devices connected to it would still have access to the router page even if I enabled isolation on it.

So far what I’ve done is connect the cameras to the 1st guest network and disable intranet access and seems to be working ok so far.
But, I still have another camera on the other side of the house connected to that 2nd router and I need to block access to the main network.
 
I have tried setting up another router with Tomato using different subnet, but if I remember correctly, devices connected to it would still have access to the router page even if I enabled isolation on it.

It just takes the proper application of firewall rules to allow/deny access to *anything*.
 
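As an added illustration of that last point (this is example code written for this thread, not the poster's rules and not part of FreshTomato or Merlin), here is one way to express those firewall rules with iptables on a secondary router sitting behind the primary one: the camera subnet may initiate outbound connections and reach the NVR, but nothing else on the main LAN, and it cannot open the secondary router's own web UI. The interface name, subnets and NVR address are assumed placeholders, and by default the script only prints the rules so you can review them before applying. It also covers the earlier caveat that isolation should drop all protocols, not just TCP and ICMP.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a secondary router
# carrying the camera/IoT subnet behind the primary router's LAN.
# Assumed (constructed) values; adjust to your own network:
IPT="${IPT:-echo}"                      # "echo" = dry run; set IPT=iptables to apply
IOT_IF="${IOT_IF:-br0}"                 # LAN bridge of the secondary router
IOT_NET="${IOT_NET:-192.168.20.0/24}"   # camera subnet behind the secondary router
MAIN_NET="${MAIN_NET:-192.168.1.0/24}"  # primary LAN (the secondary router's WAN side)
NVR_IP="${NVR_IP:-192.168.1.50}"        # the one main-LAN host the cameras may reach

iot_rules() {
  # Routed traffic: a dedicated chain evaluated before the stock FORWARD rules.
  $IPT -N iot_fw 2>/dev/null || true
  $IPT -F iot_fw
  # Replies to connections the cameras opened are the only "inbound" they get.
  $IPT -A iot_fw -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Camera -> NVR is the single permitted path into the main LAN.
  # (The secondary router NATs this, so NVR-initiated connections would also
  # need a port forward; here the cameras initiate, which is enough.)
  $IPT -A iot_fw -s "$IOT_NET" -d "$NVR_IP" -j ACCEPT
  # Everything else from the cameras into the main LAN is dropped. No "-p"
  # match, so this covers UDP and every other protocol, not only TCP/ICMP.
  $IPT -A iot_fw -s "$IOT_NET" -d "$MAIN_NET" -j DROP
  # Camera -> internet (public destinations) falls through to the existing policy.
  $IPT -A iot_fw -j RETURN
  $IPT -I FORWARD -j iot_fw

  # Traffic to the secondary router itself: DHCP and DNS only, so the cameras
  # keep working but cannot open its web UI or SSH ("the router page").
  $IPT -N iot_in 2>/dev/null || true
  $IPT -F iot_in
  $IPT -A iot_in -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A iot_in -p udp --dport 67 -j ACCEPT
  $IPT -A iot_in -p udp --dport 53 -j ACCEPT
  $IPT -A iot_in -p tcp --dport 53 -j ACCEPT
  $IPT -A iot_in -j DROP
  $IPT -I INPUT -i "$IOT_IF" -j iot_in
}

# Returns 0 if the generated rule set drops IoT -> main-LAN traffic for all protocols.
check_isolation() {
  iot_rules | grep -q -- "-s $IOT_NET -d $MAIN_NET -j DROP"
}

iot_rules
```

On FreshTomato, rules like these belong in Administration > Scripts > Firewall so they are re-applied whenever the firewall restarts; run the script with IPT=iptables there.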
