BLOCK surveillance cam from accessing to the internet


I need your help on how to prevent my webcam from internet access.
The webcam is a cheap one from china with some shady apps... I do not trust them at all. So I want to use it within my Synology Surveillance Station only. The camera was found via ONVIF in my synology station (which is connected to my router via LAN) without any problems and is working just fine.
The webcam is connected via WLAN and is the only device allowed to connect to it (allow listed devices only / mac-addr filter).

Now I added the following rules to my firewall in openwrt luci:

config rule
option src lan
option dest wan
option src_ip
option proto all
option target REJECT

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Drop_device'
	option family 'ipv4'
	option proto 'all'
	option src_ip ''
	option target 'DROP'

Now the funny thing is that I am still able to watch the live feed of the camera with my smartphone. (and no, I am not connected to my home WLAN)

How is it possible to 100% BLOCK the device from accessing to the internet? I just want my synology to get access within my home LAN.

Any help is appreciated.


I created a firewall rule to block a specific IP from accessing the WAN:

1 Like

I went one step further, and created a separate "guest like" network for the cameras. This network cannot reach internet or my other networks, but I can reach it from my LAN.


thanks darksky and eduperez.

well I cant find an option on luci to create traffic rules... I am only able to edit existing ones but there is no "add" button at the traffic rules section.

I can see at least three "Add" buttons in your screenshot...


Three "Add*" buttons, so to speak...

Did you restart the firewall service after you added these rules in the config?

Does the camera work with IPv6? Then you'd need to block that as well, or even better, use source mac of the camera instead of IP.

New Forward Rule (in Traffic Rules tab), "Add and edit" is the button.

Hi, Iam on the same boat, I have a separate wifi network, how to make in aq way that cannot reach internet;

Just disable forwarding from that network to the WAN network.


One question.
I have my router
If I make a guest interface how is possible to access the devices connect it on that;

Put the new interface ( in a separate zone. Configure the firewall to permit or deny specific traffic to and from that zone to meet your requirements.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.