BLOCK surveillance cam from accessing to the internet

prekecz · January 19, 2020, 8:52am

Hello,

I need your help on how to prevent my webcam from internet access.
The webcam is a cheap one from china with some shady apps... I do not trust them at all. So I want to use it within my Synology Surveillance Station only. The camera was found via ONVIF in my synology station (which is connected to my router via LAN) without any problems and is working just fine.
The webcam is connected via WLAN and is the only device allowed to connect to it (allow listed devices only / mac-addr filter).

Now I added the following rules to my firewall in openwrt luci:

config rule
option src lan
option dest wan
option src_ip 192.168.1.220
option proto all
option target REJECT

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Drop_device'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.1.220'
	option target 'DROP'

Now the funny thing is that I am still able to watch the live feed of the camera with my smartphone. (and no, I am not connected to my home WLAN)

How is it possible to 100% BLOCK the device from accessing to the internet? I just want my synology to get access within my home LAN.

Any help is appreciated.

THANKS

darksky · January 19, 2020, 10:04am

I created a firewall rule to block a specific IP from accessing the WAN:

eduperez · January 19, 2020, 10:07am

I went one step further, and created a separate "guest like" network for the cameras. This network cannot reach internet or my other networks, but I can reach it from my LAN.

prekecz · January 19, 2020, 11:54am

thanks darksky and eduperez.

well I cant find an option on luci to create traffic rules... I am only able to edit existing ones but there is no "add" button at the traffic rules section.

eduperez · January 19, 2020, 4:42pm

I can see at least three "Add" buttons in your screenshot...

Hegabo · January 19, 2020, 4:49pm

Three "Add*" buttons, so to speak...

trendy · January 19, 2020, 4:58pm

Did you restart the firewall service after you added these rules in the config?

Does the camera work with IPv6? Then you'd need to block that as well, or even better, use source mac of the camera instead of IP.

New Forward Rule (in Traffic Rules tab), "Add and edit" is the button.

lepidas · February 10, 2021, 6:29am

Hi, Iam on the same boat, I have a separate wifi network, how to make in aq way that cannot reach internet;

eduperez · February 10, 2021, 6:43am

Just disable forwarding from that network to the WAN network.

lepidas · February 10, 2021, 2:49pm

One question.
I have my router 192.168.1.1
If I make a guest interface 192.168.3.1 how is possible to access the devices connect it on that;

iplaywithtoys · February 10, 2021, 2:53pm

Put the new interface (192.168.3.1) in a separate zone. Configure the firewall to permit or deny specific traffic to and from that zone to meet your requirements.

system · February 20, 2021, 2:53pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.