I have HiSeeu poe security nvr with four cameras. The recorder has a hisilicon Hi 3536 A17 quad core cpu running embedded linux. I want to use the cameras on my network but I want to block access to or from the internet. I have been using luci/network/firewall/Traffic Rules to block the various ip and mac address of the nvr and cameras bysetting use forward reject to "Refuse forward" for the various mac and ip addresses as they appear.
However the router in the embedded linux is creating new addresses which then have to be identified and blocked. The nvr unit is communicating with the attached poe cameras with the NETIP protocol on port 34567. The nvr unit originally connected to the internet via 192.168.1.182 assigned by openwrt which I blocked and it then created a connection at 192.168.1.10 which I also blocked.
An nmap scan of one of the cameras shows
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:23 AEST
Nmap scan report for cam.lan (192.168.1.12)
Host is up (0.022s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
8000/tcp open http-alt
8899/tcp open ospf-lite
An nmap scan of the nvr unit on its self assigned address shows
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:24 AEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
trev@Nvmeno:~$ nmap -Pn 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:25 AEST
Nmap scan report for 192.168.1.10
Host is up (0.074s latency).
All 1000 scanned ports on 192.168.1.10 are filtered
looking at my connections under luci/Status/real time graphs /connections I see ICMP connections like
IPV4 ICMP cam.lan:undefined public1.114dns.com:undefined 221.32 KB (2698 Pkts.)
as well as
IPV4 UDP 192.168.1.190:60329 ec2-13-250-71-188.ap-southeast-1.compute.amazonaws.com:8765 29.11 KB (560 Pkts.)
This is from a network address I have blocked under the firewall rules.
I have installed Kali linux on a virtualbox machine but I have no knowledge of using more than basic forensics.
I have openwrt OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc) runnning on
TP-Link TL-WDR3600 v1
Architecture Atheros AR9344 rev 2
I have considered using the /luci/network/switch settings to try and put the nvr on a separate lan setting but I am usure if this would work or how I should proceed.
Do I have to give in and run the system without a connection to my network or what more can I do to prevent access to and from the internet?
Any advice or assistance would be appreciated.