Block internet access to POE nvr camera system

I have HiSeeu poe security nvr with four cameras. The recorder has a hisilicon Hi 3536 A17 quad core cpu running embedded linux. I want to use the cameras on my network but I want to block access to or from the internet. I have been using luci/network/firewall/Traffic Rules to block the various ip and mac address of the nvr and cameras by setting use forward reject to "Refuse forward" for the various mac and ip addresses as they appear.

However the router in the embedded linux is creating new addresses which then have to be identified and blocked. The nvr unit is communicating with the attached poe cameras with the NETIP protocol on port 34567. The nvr unit originally connected to the internet via 192.168.1.182 assigned by openwrt which I blocked and it then created a connection at 192.168.1.10 which I also blocked.

An nmap scan of one of the cameras shows
nmap 192.168.1.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:23 AEST
Nmap scan report for cam.lan (192.168.1.12)
Host is up (0.022s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
8000/tcp open http-alt
8899/tcp open ospf-lite

An nmap scan of the nvr unit on its self-assigned address shows
nmap 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:24 AEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
trev@Nvmeno:~$ nmap -Pn 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:25 AEST
Nmap scan report for 192.168.1.10
Host is up (0.074s latency).
All 1000 scanned ports on 192.168.1.10 are filtered

Looking at my connections under luci/Status/real time graphs /connections I see ICMP connections like
IPV4 ICMP cam.lan:undefined public1.114dns.com:undefined 221.32 KB (2698 Pkts.)

as well as
IPV4 UDP 192.168.1.190:60329 ec2-13-250-71-188.ap-southeast-1.compute.amazonaws.com:8765 29.11 KB (560 Pkts.)

This is from a network address I have blocked under the firewall rules.

I have installed Kali linux on a virtualbox machine but I have no knowledge of using more than basic forensics.

I have OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc) running on
TP-Link TL-WDR3600 v1
Architecture Atheros AR9344 rev 2

I have considered using the /luci/network/switch settings to try and put the nvr on a separate lan setting but I am unsure if this would work or how I should proceed.
Do I have to give in and run the system without a connection to my network or what more can I do to prevent access to and from the internet?
Any advice or assistance would be appreciated.

I would create a separate LAN, definitively.


It sounds strange for a device to change its IP by itself. You could try to assign a static DHCP lease. In any case you should block the devices by using only mac in the rule options. If the devices are spoofing the mac, then your only solution is to isolate them in a separate lan where you'll reject all communication from/to outside and allow only what you need.

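What the two replies above amount to in UCI form, as an added example that is not from anyone in this thread and not the poster's own config. It assumes the NVR (and through it the PoE cameras) is cabled to one dedicated LAN port of the WDR3600 (switch port 4 below is a placeholder; check Network > Switch for the real port numbering), that 192.168.3.0/24 is unused, and that the MAC addresses shown are placeholders to be replaced with the ones seen in the firewall rules. The last rule is the interim option from the second reply (block by MAC while the devices still sit on lan); the rest is the separate LAN with no forwarding to wan.

```uci
# ---- /etc/config/network : own VLAN + interface for the camera port ----
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4'        # CPU port tagged, camera port untagged (placeholder port 4)

config interface 'cam'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# ---- /etc/config/dhcp : lease range plus a fixed lease so the NVR stops moving ----
config dhcp 'cam'
	option interface 'cam'
	option start '100'
	option limit '50'
	option leasetime '12h'

config host
	option name 'nvr'
	option mac '00:11:22:33:44:55'   # placeholder: MAC of the NVR
	option ip '192.168.3.10'

# ---- /etc/config/firewall : zone with no forwarding to wan at all ----
config zone
	option name 'cam'
	option network 'cam'
	option input 'REJECT'            # router only accepts what the rule below allows
	option output 'ACCEPT'
	option forward 'REJECT'

# PCs and phones on lan may reach the NVR/cameras (web UI on 80, RTSP on 554);
# replies come back through conntrack, no cam -> lan forwarding is needed
config forwarding
	option src 'lan'
	option dest 'cam'

# the only traffic the router itself accepts from the cam zone: DHCP
config rule
	option name 'cam-dhcp'
	option src 'cam'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

# interim rule while the NVR is still on lan: match the MAC, not the IP,
# so a new self-assigned address does not slip past the rule
config rule
	option name 'block-nvr-mac'
	option src 'lan'
	option src_mac '00:11:22:33:44:55'  # placeholder: MAC of the NVR
	option dest 'wan'
	option target 'REJECT'
```

There is deliberately no `config forwarding` with `src 'cam'` and `dest 'wan'`, and no DNS rule for the cam zone, so nothing in that subnet has a path to the internet or to a resolver. After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, the Realtime Graphs > Connections page should show no entries from 192.168.3.x to public hosts such as the 114dns or amazonaws addresses quoted above; if the NVR has its own DHCP server, keep it off the lan switch upstairs so it cannot hand out addresses there.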

Thank you and eduperez for your replies. I had hoped to avoid a separate lan because my nbn connection and router are under the house. I have a 1GB switch next to my computer upstairs and have my computer and the unit connected to that and I have been using my computer screen as a display to view and make adjustments to its settings. These units are marketed with software for windows and mac and connections to android and ios phones via the internet. I don't trust the internet connection and want to have them available only on my lan. I have amended the firewall rules to include both address and mac and will see what the result is before I move the recorder.

If you can somehow set manual IP address in your NVR, set the gateway IP address to 0.0.0.0 then it will work only on LAN.