Hey guys, I'm trying to connect a Hikvision ipcam that needs to be accessable only from lan (Wan blocked). So far i tried switching between dhcp and static addressing, reseting network, rebooting, reflashing, i tried few firewal rules but nothing seems to work, i can't connect to or ping the cam from my pc.

http and rtsp streams to other wireless devices work flawelesly, and cctv connects without issues on ddwrt, so we can rule out malfunctioning device.

Since it streams to wireless devices i assume physical lan ports and wifi are on the same vlan, so i guess i'll need to setup a firewall rule for the port 80 and vlans properly, but i don't have much experience with vlans or Openwrt. What would be a simple generic setup/rule that would allow other lan-plugged devices to connect to the lan cam over http, assuming a basic setup where:

• Router ip: 192.168.2.1
• Cam ip: 192.168.2.20 (Lan port 2)
• Default Openwrt firewall settings

If the OpenWrt is with default settings any lan to lan traffic is not blocked.
If you have changed the lan configuration post here the configuration files to see how they are like.

Hi trendy,

Sure, thanks for taking time to look into this, saying that it drives me crazy would be an understatement..

Here's the config:

Network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:30fe:0ac4::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'lan1 lan2 lan3 lan4 lan5 lan6 lan7 lan8 extsw eth2.101'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option ipaddr '192.168.2.1'
	option gateway '192.168.1.1'
	option broadcast '192.168.2.255'

config interface 'wan'
	option type 'bridge'
	option ifname 'wan eth2.102'
	option proto 'dhcp'
	option hostname 'Openwrt'

Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config forwarding
	option src 'lan'
	option dest 'cctv'

config rule
	option name 'cctv'
	option proto 'tcp udp'
	option src_ip '192.168.2.20'
	option dest 'lan'
	option target 'ACCEPT'
	option src 'lan'

It works the same with or without the last two (leftowers of several i tried) custom rules which i'm sure do nothing.

This is broken unless you have a separate CCTV network and zone. That is usually a good way to do that, though then you have to add routes to allow reaching the camera from the LAN, and apps that search for cameras may have trouble finding it automatically.

Probably the simplest approach to this would be a default configuration where the camera is part of the LAN. Then add a rule based on the camera IP address which blocks it from connecting to the Internet. This is secure against basic manufacturer "call home" schemes. But you would have to trust the camera not to try to hack your LAN devices, or that it would change its IP address to circumvent the rule.

I don't see any wireless configuration, but if the wifi is connected to the lan, then the traffic flows without any blocks among the lan ports.
Some mistakes:

	list dns '1.1.1.1'
	list dns '8.8.8.8'

Should be in wan interface.

	option gateway '192.168.1.1'

Wrong, remove it.

	option broadcast '192.168.2.255'

Unnecessary, you can remove it.

config interface 'wan'
	option type 'bridge'

Bridged wan is 99% wrong.

Thanks so much for your advice, i changed the settings as per your advice but still can't connect to cam.

As for the bridged interface i will do a fresh install later on to confirm it, but i'm almost 100% sure that's all part of default config of this npcomplete's build 2020-01-02 that i'm using.

Should i simply uncheck 'bridge interfaces' option and leave only 'Ethernet adapter :"wan" (wan)' checked, without any other interface or..?

This is broken unless you have a separate CCTV network and zone

That's pretty much my ultimate goal but i'd be happy to get it working anyhow now.

Probably the simplest approach to this would be a default configuration where the camera is part of the LAN. Then add a rule based on the camera IP address which blocks it from connecting to the Internet. This is secure against basic manufacturer "call home" schemes.

That's basically what my ddwrt setup was. I've sniffed it with wireshark on several occasions and didn't notice any weird traffic.

Thanks for your reply mk24.

Can you change the above line to below and try?

option ifname 'lan1 lan2 lan3 lan4 lan5 lan6 lan7 lan8 extsw wlan0 wlan1 wlan2 eth2.101'

Hi npcomplete, thank you for replying to post. I've rebooted the router after applying the suggested config but no difference so far. (Devices over Wifi connect to cam without issues).

Ps. If i'm not mistaken bridged wan is 'on' by the default in this build? Any benefits in changing that config?

I just flashed it with your bleeding edge build, reset everything to default and it all works finally, i have no idea why it wouldn't wanna work with previous build but i'm happy to stay on this one.

Thanks again and of course thanks a bunch for making the build! Linksys' 'smart wifi' is abomination and if you didn't make it i would've probably sold my router.

I'm glad it works for you. Stay safe!