Block http access to IP camera, allow https

No. LAN to LAN traffic bypasses the router entirely. It may be switched at layer 2 (MAC addresses) if the physical topology demands it, but it is never processed by the firewall system, which operates at layer 3 (IP addresses).

There have to be two separate networks with layer 3 routing between them because the IP ranges are different.

2 Likes

No way to bypass it by combining DDNS? Is it possible to create DDNS on a local network without a (paid) server?

It's kind of lame that this camera maintains two separate ports. Too bad I can't set up automatic redirection in the camera server.

DDNS is not applicable here -- that is simply a means of creating DNS entries for dynamic devices. You can do the same thing in your OpenWrt's DNS configuration, but that still doesn't solve the issue of the ports.

Taking several steps back:

  • Does your camera support https?
    • test this by using your web browser as follows: https://<device_ip> (critical here is the https part)

If that doesn't work, you can stop now... there is nothing more that you can do to improve your situation.

If it does work, you can create a separate network for your camera and only permit HTTPS traffic through the firewall.

1 Like

Or can I plug the camera into the WLAN port (set the IP address to DHCP in the camera settings), and then manually set the IP address in the router WLAN interface?

  • test this by using your web browser as follows: https://<device_ip> (critical here is the https part)

Yes, it works

What do you mean by this? WLAN = wireless LAN. What port are you talking about?

The method of assigning the address to the camera is not the specific issue, although it does need to be done properly.

Again, not sure what you're talking about here, unless you already have different networks set up for your WLAN and your LAN (as in different subnets). Since it is not clear what your current configuration looks like, let's get that posted...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I apologise. Wrong spelling, not WLAN, WAN :slight_smile:

The WAN port is usually setup as a WAN (i.e. for the internet connection). How does your device get internet? DSL? Wireless (cellular or wifi-WAN)?

Yes, that port can be used, but it needs to be configured appropriately... as it stands now, it will not do what you want.

1 Like

Basically you're getting the same answers as in your previous thread, about telnet.
There's no difference, the same applies.
What has changed?

https://forum.openwrt.org/t/disable-telnet-port-ip-camera/121328/

1 Like

Sorry, but it is not really clear what you want to achieve, and people are repeatedly suggesting the same approach, yet you try to implement the same wrong idea.

Let me sum up again: a router routes traffic between different networks; OpenWrt uses the iptables firewall and the zone concept, therefore lan to lan rules will not work. Also, what your camera can or cannot do is up to the camera; OpenWrt cannot control it. http and https are two different protocols, a.k.a. two different languages. If you access your camera via a browser (Firefox, Chrome, Edge ...) then the browser has to know which language to use, which is why you need to insert the http:// or https:// prefix: it tells the browser which language to start talking, expecting the other end to speak the same language. So redirecting the default http tcp port 80 to the default https tcp port 443 is not enough (and lan to lan you cannot do it anyway). If your camera supports https then use that; if your camera has a setting to only use https, enable it -- but this is only configurable in your camera!

Not sure from whom you want to protect your camera, but keep in mind that by default the OpenWrt setup locks down access from the internet (=wan): nobody can enter from the outside world into your lan. You have to manually do port forward configuration to open ports of your choice and allow outside traffic in to a lan device. If you leave the default settings on, nobody will be able to touch your camera from the outside world.

If you want to protect your camera from internal users then create a new network/zone and, as explained, set the access rules as you need. But this means that if you go with isolation mode, with your NAS in your lan network and the camera in the iot network, then you must also make sure to allow some traffic from the camera to the NAS to somehow transfer the camera recordings to the NAS, i.e. it will not be a fully isolated camera. Or you can put your NAS into the iot network as well. It is up to you.

If you don't trust your camera, e.g. you believe it may "phone home", that's another issue; in that case you can create a firewall rule that rejects any traffic from the camera IP to the wan zone.

I hope your camera is not one with cloud configuration.

2 Likes
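As an added worked example (written here, not taken from any of the posts above or from OpenWrt's own documentation), this is the kind of UCI configuration the replies describe: a separate, routed network and firewall zone for the camera so that the lan-to-lan problem disappears, a single rule permitting HTTPS (TCP 443) from lan to the camera, nothing forwarded from that zone to wan, and an explicit reject for the "phone home" case. The device name `eth0.20`, the 192.168.20.0/24 range, the camera address 192.168.20.10, the NAS address 192.168.1.50 and the camera MAC are all assumptions; replace them with your own values.

```uci
# Added example, not from the thread. Assumptions: the camera is on a switch
# port/VLAN that appears as eth0.20 (a re-purposed WAN port would be a
# different device name), the new network is 192.168.20.0/24, and the camera
# is given 192.168.20.10.

# --- /etc/config/network: a second network, routed (layer 3) by OpenWrt ---
config interface 'iot'
        option device 'eth0.20'        # assumption: VLAN 20 on the switch
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# --- /etc/config/dhcp: give the camera a fixed address on that network ---
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'camera'
        option mac 'AA:BB:CC:DD:EE:FF'  # placeholder: the camera's real MAC
        option ip '192.168.20.10'

# --- /etc/config/firewall: a zone that forwards nothing by default ---
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'          # camera may not talk to the router ...
        option output 'ACCEPT'
        option forward 'REJECT'
# There is deliberately NO "config forwarding" from iot to wan or to lan,
# so the camera can reach neither the internet nor the lan on its own;
# only the explicit rules below open holes.

# ... except DHCP and DNS, which it needs to obtain and resolve addresses
config rule
        option name 'iot-dhcp-dns-to-router'
        option src 'iot'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'

# lan -> camera: HTTPS only. Port 80 is not listed anywhere, so it is
# rejected by the zone default; no separate "block http" rule is needed.
config rule
        option name 'lan-to-camera-https'
        option src 'lan'
        option dest 'iot'
        option dest_ip '192.168.20.10'
        option proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'

# Optional (the NAS point above): let the camera push recordings to one
# lan host only. NAS address and SMB port 445 are assumptions.
config rule
        option name 'camera-to-nas'
        option src 'iot'
        option src_ip '192.168.20.10'
        option dest 'lan'
        option dest_ip '192.168.1.50'  # assumption: NAS address
        option proto 'tcp'
        option dest_port '445'
        option target 'ACCEPT'

# Explicit reject of anything from the camera towards wan, matching the
# "phone home" advice; redundant with the missing forwarding, but it makes
# the intent visible when someone later adds an iot -> wan forwarding.
config rule
        option name 'camera-to-wan-reject'
        option src 'iot'
        option src_ip '192.168.20.10'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'
```

After saving, apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`. To verify from a lan host, `https://192.168.20.10` should load while `http://192.168.20.10` is refused, and the camera's firmware-update or time-sync checks should fail; adding `option log '1'` to the iot zone makes the rejected attempts visible in `logread`. Because the only lan-to-camera hole is TCP 443, this only helps if the camera actually serves HTTPS, which is exactly the check suggested earlier in the thread.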

If you've read all the way down here and still nothing works, here's one more thing to try:

  • I can still access the cameras from the same zone (LAN).

  • The cameras can no longer check for firmware updates, or sync time. So it appears they're CUT OFF!

  • This stops the cameras from accessing the internet, additional due diligence may be needed for the other way around.