Disable telnet port - IP camera

I bought a Foscam IP camera and I want to disable telnet port 23. The camera is connected to the router, and I can connect to the camera via telnet with my computer through the router. I would like the router to disable the telnet port, making it inaccessible from other devices.

How can I configure this in the firewall?

If all devices are on the same LAN, traffic isn't passing any firewall.

How can I forward all traffic from the camera so that it can be disabled in the firewall?

Unfortunately, I cannot disable it in the camera, there is no such option. It can only be done on the router side. I don't know how yet.

You could put them on a separate subnet.

That's not good, because if the computer's network card is moved to that domain, telnet connectivity will still be available.

I tried the factory firmware's built-in "access control" traffic control, but it didn't work. Even if I set exactly which ports should be blocked, it did not block them.

Application Requirement/Internet Access Control | TP-Link Magyarország

It was explained why this wouldn't work.

You'll have to configure LAN domains so traffic passes the router.

  • then do not allow this

I've never done this before. Is that what you meant?

How to access Foscam HD camera remotely with 3rd party DDNS and Port from web browser and Foscam VMS?

It didn't work with these settings:

Make a separate network for cameras, so they are in a different VLAN and IP range. Then forward from the LAN to the cameras. Block port 23 from forwarding.

That rule doesn't do anything at all since the source and destination addresses are the same.

Your camera's telnet connection will not be available from the internet, but it will be accessible from your LAN.

If you wish to block your camera's connection to the internet, make the following changes to that rule:

  • protocol all (or TCP+UDP is fine).
  • source zone LAN
  • source address 192.168.1.106 (same as it is now)
  • destination zone WAN
  • destination address empty
  • destination port empty
  • action reject

As I said before, incoming connections are not allowed by default... but the above rule blocks everything that the camera can do on the internet, if that is desired.

You cannot block access to the camera (including telnet) from your LAN because the router/firewall is not involved in LAN-to-LAN connections. If you need to block telnet access from the LAN, as others have already said, you need to set up a VLAN so that you can put the camera on a different network -- at that point, you can block access to telnet (and/or anything else) from your main LAN to the camera.
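The firewall side of the separate-network setup described in the replies above, as an added example that was not posted by anyone in this thread. It assumes an OpenWrt interface named `camera` already exists on its own VLAN and subnet; the interface, zone and rule names are hypothetical.

```conf
# /etc/config/firewall (additions; example, names are assumptions)

# Dedicated zone for the camera network. The camera may not reach
# the router itself (input REJECT) except for the services below.
config zone
	option name 'camera'
	list network 'camera'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only needed if the camera gets its address from the router.
config rule
	option name 'Camera-DHCP'
	option src 'camera'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

# Only needed if the camera resolves names through the router.
config rule
	option name 'Camera-DNS'
	option src 'camera'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Traffic rules are evaluated before zone forwardings, so telnet is
# rejected even though LAN -> camera is otherwise allowed below.
config rule
	option name 'Reject-LAN-camera-telnet'
	option src 'lan'
	option dest 'camera'
	option proto 'tcp'
	option dest_port '23'
	option target 'REJECT'

# LAN hosts may open connections to the camera (web interface etc.).
config forwarding
	option src 'lan'
	option dest 'camera'

# No 'camera' -> 'wan' or 'camera' -> 'lan' forwarding is defined, so
# the camera cannot start connections to the internet or to the LAN.
# Recording to a NAS on the LAN would need one extra ACCEPT rule from
# 'camera' to 'lan' limited to the NAS address and port.
```

After `/etc/init.d/firewall restart`, a telnet attempt from a LAN host to the camera's new address should be refused while the web interface still loads.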

So if I understand correctly, I need to create another network (for example: 192.168.1.2), disable the DHCP connection in the camera, and configure it manually for this network.

I would like to completely isolate the camera so that only the web interface of the camera is accessible from the 192.168.1.1 and 192.168.2.1 networks, and the camera receives internet.

Which physical settings should I connect to my new interface?

Yes, this is the basic concept.

What specific router do you have, and what version of OpenWrt is running on that device? That may impact the method by which you create your VLANs.

I use a TP-Link 740N router. A NAS server is connected to the router and the camera records to it. The OpenWRT version is relatively old: 18.06.9

That router is really old and cannot be upgraded beyond your current version.

This version is no longer supported and has security vulnerabilities that are not patched. It would be wise to upgrade your hardware such that you can use the latest version.

But anyway, the setup you have will use the swconfig method of configuring VLANs. The link I provided above should hopefully give you an idea of how it all comes together. Start there and ask specific questions where you are confused or having difficulty.

Yes, it is indeed an old version. But I was thinking that I don't necessarily let the camera out to the internet, it's enough if the NAS server records the recordings. But for that I need to ensure that the network is protected, that it cannot be physically attacked, or if it is, that there is a trace of it.

The issue with the older versions (18.06 and earlier in particular) is that they have unpatched vulnerabilities and could present a risk to your network as a whole.
However, that point aside, you can create a VLAN to separate your camera from the other network, and you can selectively filter your cameras from the internet, too.

"they have unpatched vulnerabilities and could present a risk" - what exactly does that mean? If it is not connected to the internet, can it still be hacked? I don't necessarily want to be able to see what is happening in my home. It is important that the system is not physically vulnerable.