[Solved] Blocking network cameras accessing the internet


liukuohao

Hi guys,

I have successfully blocked 3 of my network cameras from accessing the internet.

I know there is an easy way to block network devices by following this method:

Network Map > Clients > Under Client Status > Click the network devices for its on the Ethernet icons > Block Internet Access

2022-06-04_18-08-54.jpg


However, I am interested to know whether Firewall > Network Services Filter works?

As I am confused about whether the filter works for incoming traffic or outgoing traffic?
(I am confused about the Source IP & Destination IP)

Does the configuration below block all traffic in both ways? Incoming & Outgoing?
See below:

2022-06-04_18-08-06.jpg


Thanks.

I'd appreciate it if someone can clarify.
 
Does the configuration below block all traffic in both ways? Incoming & Outgoing?
No, the NSF does not block both ways. As stated in the description on that page: "The Network Services filter blocks the LAN to WAN packet exchanges...".

That said, usually it's sufficient to only block LAN to WAN traffic because if a LAN device can't send any traffic out to the internet it won't be getting a reply.

The main difference between "Block Internet Access" and the NSF is that the first works on MAC address and the latter works by IP address(es).

P.S. Don't use "TCP ALL"; it doesn't do what you think it does. If you want to block TCP traffic, select "TCP".
 
That said, usually it's sufficient to only block LAN to WAN traffic because if a LAN device can't send any traffic out to the internet it won't be getting a reply.
Can I confirm whether the setting is right? :rolleyes:

Block LAN to WAN, so it is outgoing traffic so....

Source IP = my network cameras
Port Range = 1:65535 --> correct?
Destination = Blank /Any (don't care)
Port Range = 1:65565 --> correct?
Protocol = TCP

The main difference between "Block Internet Access" and the NSF is that the first works on MAC address and the latter works by IP address(es).
Alright, thanks for the info. ;)
 
You don't need to explicitly specify the port range as the default is "all ports".

Untitled.png

If you need to block UDP traffic as well you will have to create separate rules for that.

Because the NSF blocks by IP address you still need to bind your cameras' MAC addresses to their IP addresses to make sure they don't change. If their IP addresses change the NSF rule won't work. That's why using the "Block Internet Access" option may be better, because it's not reliant on the IP address.
 
You don't need to explicitly specify the port range as the default is "all ports".

View attachment 41560

If you need to block UDP traffic as well you will have to create separate rules for that.

Because the NSF blocks by IP address you still need to bind your cameras' MAC addresses to their IP addresses to make sure they don't change. If their IP addresses change the NSF rule won't work. That's why using the "Block Internet Access" option may be better, because it's not reliant on the IP address.
OK, I completed the steps. Thank you :)

2022-06-04_20-37-16.jpg
 
1654346321822.png


Stick anything needing a block in this range, no need to think about it anymore once a device is in this range.
 
@ColinTaylor, since you are on the subject of MAC addresses,

I have done MAC & IP address Binding for all my 3 cameras.

However, the weird thing is my router RT-AC86U is seeing a different set of MAC addresses that
are not the same as Advanced IP scanner and by running "arp -a" in windows command prompt.

Do you know why?

MAC addresses1.jpg
MAC addresses2.jpg
 
I am using a wireless client adapter.
It is a TP-Link WA1201.
The adapter acts as a wireless client and
communicates with my WiFi AP.
The cameras are hooked to the adapter's network port.
That'll be the reason then. I know some TP-Link devices in Range Extender (repeater) Mode use virtual MAC addresses. It sounds like they're doing something similar in Client Mode.
 
That'll be the reason then. I know some TP-Link devices in Range Extender (repeater) Mode use virtual MAC addresses. It sounds like they're doing something similar in Client Mode.
No wonder, the Advanced IP scanner detected 3 manufacturers are identified as TP-Link (see the pic)
But my Asus router is able to detect the real MAC addresses. :)
 
View attachment 41562

Stick anything needing a block in this range, no need to think about it anymore once a device is in this range.
Hi @itpp20, I didn't understand the filters at first glance. I got stumped until
I sat there for a few minutes, then I realized what you are trying to block.

My question is regarding the last filter (in yellow letters), did you mean to key in 1 more filter?

The last filter only blocks all outgoing traffic from LAN to WAN with ports: 124 to 65535.
So, what about ports from 1 to 122? Did you forget to key in? Or was it intentionally left out?


Thanks for your sharing. :)

Asus RT-AC86U-Router-Firewall-Network Services Filter.jpg
 
Some devices can send an email. Port 2525 is an alternate port for sending email (other than 25), so yes, this port is left open, for example for a NAS that sends warning emails or a cam via motion detection.
N.B. Here 2525 (with STARTTLS) works next to 25, but that is ISP dependent.

Port 53 is left open because if you close it some devices will get stuck in a loop while attempting internet access. Allowing a DNS name to be resolved is no threat, as the next step fails anyway and the device is left assuming there is access.

Port 123 is left open so devices can get the time; it's handy to have a cam recording with the right time stamp :D

"So, what about ports from 1 to 122? Did you forget to key in? Or was it intentionally left out?"

Look again, 2 TCP filters with 1 exception and 3 UDP filters with 2 exceptions.
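
As an added example (not from any poster in the thread and not ASUS firmware code), this Python model audits a Network Services Filter style deny-list for the ports it leaves open, using the layout described above: two TCP filters with an exception at 2525 and three UDP filters with exceptions at 53 and 123. The source IP range and the sample flows are constructed placeholders, since the real range appears only in a screenshot.

```python
import ipaddress

# Placeholder source range (assumption): devices in this range are subject to the deny-list.
SRC_RANGE = (ipaddress.ip_address("192.168.1.200"),
             ipaddress.ip_address("192.168.1.250"))

# Deny rules as (protocol, first destination port, last destination port),
# reconstructed from the thread's description, not copied from the screenshot.
DENY_RULES = [
    ("TCP", 1, 2524),
    ("TCP", 2526, 65535),
    ("UDP", 1, 52),
    ("UDP", 54, 122),
    ("UDP", 124, 65535),
]

def open_ports(rules, proto):
    """Return destination port ranges NOT covered by any deny rule for proto."""
    ranges = sorted((lo, hi) for p, lo, hi in rules if p == proto)
    gaps, next_port = [], 1
    for lo, hi in ranges:
        if lo > next_port:
            gaps.append((next_port, lo - 1))
        next_port = max(next_port, hi + 1)
    if next_port <= 65535:
        gaps.append((next_port, 65535))
    return gaps

def is_blocked(src_ip, proto, dst_port, rules=DENY_RULES, src_range=SRC_RANGE):
    """True if a LAN-to-WAN packet from src_ip matches a deny rule."""
    ip = ipaddress.ip_address(src_ip)
    if not (src_range[0] <= ip <= src_range[1]):
        return False  # the filter matches by IP, so a device outside the range is not filtered
    return any(p == proto and lo <= dst_port <= hi for p, lo, hi in rules)

if __name__ == "__main__":
    for proto in ("TCP", "UDP"):
        print(proto, "left open:", open_ports(DENY_RULES, proto))
    # Constructed sample flows from a camera at 192.168.1.210
    for proto, port in [("TCP", 443), ("TCP", 2525), ("UDP", 53),
                        ("UDP", 123), ("UDP", 3478)]:
        verdict = "blocked" if is_blocked("192.168.1.210", proto, port) else "allowed"
        print(f"{proto}/{port}: {verdict}")
```

A protocol with no rules comes back fully open from `open_ports`, which is the reason separate UDP rules are needed, and a camera whose address drifts outside the range is not filtered at all, which is why the MAC-to-IP binding matters.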
 