Block http access to IP camera, allow https

Making an http request to a server's port 443, which wants an SSL connection, will fail to connect.

There are two usual ways a connection gets promoted to https.

  • The site replies on port 80 with a 302 Moved Permanently response, with https in the new URL.
  • The browser finds no reply or TCP connection refused on port 80, then tries an https connection to otherwise the same URL on port 443.

With two networks you can block forwarding of port 80 and force users to use https / 443, which should be reasonably transparent to the user due to the second method above. What cannot be done is somehow translate port 80 to port 443, simply because the protocol is different.

3 Likes

assuming you are doing lawful stuff here only, not sure why it matters if you access your own camera internally over your own lan via http or https. also, if your camera supports both and there is no built-in redirect from http to https, which is a capability of your ip camera, not something you can force via owrt with your current setup, then yes, the only way is to separate the camera into a different network and zone (e.g. called iot). it is important to be in a different zone, a different network is not enough.
if the browser and the camera are in different zones then you can configure firewall rules to police access.

but still the problem remains that if you enter http://ip in your browser, even if you redirect the port in the background, the browser will think it is http traffic so it will not establish a tls connection. so you must use https://ip anyway. so why not just use this way? why create an overkill setup instead of pressing one more button?

1 Like

Now I understand why this solution won't work: " LAN1 (192.168.1.1:443) to --> LAN2 (192.168.2.1:443) THEN LAN2 (192.168.2.1:443) to LAN1(192.168.1.1:80)"

I do not consider the http protocol to be secure. I should disable it somehow. I don't know how to disable it on the router side. :roll_eyes:

It's not. But that's why HTTPS was created -- the S is "secure" -- and this required a new protocol.

If your camera supports HTTPS, it may have a feature to disable plain HTTP. If your camera does not support HTTPS, there is nothing you can do, period.

This is not something that can really be done on the router. Others have explained (a few times now) that you could configure a separate network for the camera and then only permit traffic via port 443. However, the camera itself must support HTTPS. The router cannot magically add HTTPS functionality to your camera.

2 Likes

With two LANs in the same router (separate zones), first enable forwarding generally from the user side (lan) to the camera side lan2. Don't forward the other way, as you don't want the cameras initiating connections to the trusted LAN. Then set up a traffic rule (not a port forward) that rejects port 80 from lan to lan2.

I think it would also work to not have a config forward and only a traffic rule allowing port 443 but haven't tried that.

1 Like

I was thinking of a similar solution. The question is, how can I implement it? Do I place the camera on LAN1 (192.168.1.1) port forward the 443 port to LAN2?

Leave the port as 443, so that an ordinary https://cameraip/ will make the connection without needing to specify a non-standard port. Put the camera(s) into a new LAN network. Allow port 443 to forward from the network of PC viewers to the cameras. Do not allow port 80 to forward between the two networks. If you cannot turn off the http server in the camera, leave it as port 80 so that it is blocked by the network.

1 Like

Can I block port 80 for all IP addresses within the LAN? For example:

No. LAN to LAN traffic bypasses the router entirely. It may be switched at layer 2 (MAC addresses) if the physical topology demands it, but it is never processed by the firewall system, which operates at layer 3 (IP addresses).

There have to be two separate networks with layer 3 routing between them because the IP ranges are different.

2 Likes

No way to bypass it by combining DDNS? Is it possible to create DDNS on a local network without a (paid) server?

It's kind of lame that this camera maintains two separate ports. Too bad I can't set up automatic redirection in the camera server.

DDNS is not applicable here -- that is simply a means of creating DNS entries for dynamic devices. You can do the same thing in your OpenWrt's DNS configuration, but that still doesn't solve the issue of the ports.

Taking several steps back:

  • Does your camera support https
    • test this by using your web browser as follows: https://<device_ip> (critical here is the https part)

If that doesn't work, you can stop now... there is nothing more that you can do to improve your situation.

If it does work, you can create a separate network for your camera and only permit HTTPS traffic through the firewall.

1 Like

Or can I plug the camera into the WLAN port (set the IP address to DHCP in the camera settings), and then manually set the IP address in the router WLAN interface?

  • test this by using your web browser as follows: https://<device_ip> (the critical part here is https)

Yes, it works

What do you mean by this? WLAN = wireless LAN. what port are you talking about?

The method of assigning the address to the camera is not the specific issue, although it does need to be done properly.

Again, not sure what you're talking about here, unless you already have different networks set up for your WLAN and your LAN (as in different subnets). Since it is not clear what your current configuration looks like, let's get that posted...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I apologise. Wrong spelling, not WLAN, WAN :slight_smile:

The WAN port is usually setup as a WAN (i.e. for the internet connection). How does your device get internet? DSL? Wireless (cellular or wifi-WAN)?

Yes, that port can be used, but it needs to be configured appropriately... as it stands now, it will not do what you want.

1 Like

Basically you're getting the same answers as in your previous thread, about telnet.
there's no difference, the same applies.
what has changed?

https://forum.openwrt.org/t/disable-telnet-port-ip-camera/121328/

1 Like

sorry but it is not really clear what you want to achieve and people are repeatedly suggesting the same approach, yet you try to implement the same wrong idea.

let me sum up again: a router is routing traffic between different networks; openwrt uses the iptables firewall and the zone concept, therefore lan to lan rules will not work. also what your camera can or cannot do is up to the camera, owrt cannot control it. http and https are two different protocols, a.k.a. two different languages. if you access your camera via a browser (firefox, chrome, edge ...) then the browser should know what language to use, which is why you need to insert the http:// or https:// prefix, which tells the browser which language to start talking, expecting the other end to speak the same language. so redirecting the default http tcp port 80 to the default https tcp port 443 is not enough (and lan to lan you cannot do anyway). if your camera supports https then use that way; if your camera has a setting to only use https, enable it -- but this is only configurable in your camera!

not sure from whom you want to protect your camera, but keep in mind that by default from the internet (=wan) the default owrt setup locks down access, nobody can enter from the outside world into your lan. you have to manually do port forward configuration to open ports of your choice and allow outside traffic in to a lan device. if you leave the default settings on, nobody will be able to touch your camera from the outside world.

if you want to protect your camera from internal users then create a new network/zone and, as explained, set the access rules as you need. but this means if you go with isolation mode, with your nas in your lan network and the camera in the iot network, then you must also make sure to allow some traffic from the camera to the nas to transfer camera recordings to the nas somehow, i.e. it will not be a fully isolated camera. or you can put your nas into the iot network as well. it is up to you.

if you don't trust your camera, e.g. you believe it may "phone home", that's another issue; in that case you can create a firewall rule that any traffic from the camera ip to the wan zone should be rejected.

i hope your camera is not one with cloud configuration.

2 Likes
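The setup described several times in this thread (separate camera network and zone, forwarding only from the trusted lan, a traffic rule rejecting port 80, and optionally no internet for the cameras), written out as OpenWrt UCI config. This is an added example, not config posted by anyone in the thread; it assumes the default 'lan' and 'wan' zone names, the 192.168.2.1 address mentioned earlier for the camera network, and an assumed device name 'eth0.3' for the camera port or VLAN.

```uci
# /etc/config/network: a second, routed network for the cameras
# ('eth0.3' is an assumed VLAN or port name; use the real device)
config interface 'iot'
	option proto 'static'
	option device 'eth0.3'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/firewall: the camera zone. The router's own services
# are closed to the cameras (input REJECT) except DHCP/DNS below.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-iot-DHCP-DNS'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# The trusted side may open connections to the cameras. There is
# deliberately no iot -> lan forwarding, so cameras cannot initiate.
config forwarding
	option src 'lan'
	option dest 'iot'

# Traffic rules are evaluated before zone forwardings, so this REJECT
# wins over the forwarding above. REJECT (not DROP) answers with a TCP
# reset, so a retry with https:// on 443 fails fast instead of timing out.
config rule
	option name 'Reject-HTTP-to-cameras'
	option src 'lan'
	option dest 'iot'
	option proto 'tcp'
	option dest_port '80'
	option target 'REJECT'

# Optional: keep the cameras off the internet entirely (no firmware
# checks, NTP or "phone home" until you add narrower allow rules).
config rule
	option name 'Reject-iot-to-WAN'
	option src 'iot'
	option dest 'wan'
	option target 'REJECT'
```

If the cameras take their addresses by DHCP, add a matching config dhcp 'iot' section in /etc/config/dhcp; the rule above only lets the DHCP and DNS requests reach the router.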

If you've read all the way down here and still nothing works, here's one more thing to try:

  • I can still access the cameras from the same zone (LAN).

  • The cameras can no longer check for firmware updates, or sync time. So it appears they're CUT OFF!

  • This stops the cameras from accessing the internet, additional due diligence may be needed for the other way around.