Fake gateway (honeypot) to block internet access

i have this devices:
OpenWrt ( -> Fritzbox ( <-NAT-> -> Camera (

I want to block the camera to access the internet but keep it accessible by the OpenWrt subnet clients. The Fritzbox cannot distinguish between OpenWrt subnet clients and internet traffic so i have to do some tricks here.

The plan is to set the camera default gateway to a fictitious (non-existing) IP like (in the hope OpenWrt can identify packets by this) and create a static route in the Fritzbox that redirects that to OWrt. OpenWrt has an iptables rule that drops all packets going to not targeting OpenWrt subnet (

Is this possible? How would an iptables rule look like?

I'm not sure if i fully understand the gateway routing here:
The camera asks "Who has", gets a positive respond from the Fritzbox (due to static route) and sends it to the Fritzbox. Then the Fritzbox asks OpenWrt the same and it... probably says "I don't know" and all is over.
What could be done here? Create a dummy nic on OpenWrt? Or a custom netfilter rule? That's where i'm stuck.

Any ideas?

What purpose does the fritzbox serve? Can you remove it?

1 Like

The Fritzbox serves several other proprietary devices (DECT phones, MESH, etc) and should be kept in a NAT'ed network.

I doubt you’ll be able to block the camera from the internet in the existing configuration unless you can create a firewall rule on the fritzbox, move the camera to the OpenWrt router, or put the OpenWrt router behind the fritzbox.

  • Add a static route to via on OpenWrt.
  • Add a firewall rule denying access from to the WAN on OpenWrt.
  • Disable IPv4 masquerading on Fritzbox.

I'm not sure if this is possible, based on the OP's comment:

It is true that the network could be NAT'd and not masqueraded, but my impression (possibly mistakenly) is that the Fritzbox needs to be in standard NAT-masquerade mode.

As ultima ratio i could create a dummy nic (ip link add dummy0 type dummy) with that ip that should allow to accept the ARP request. Netfilter should be able to handle layer3 then.

If your camera system allows you to set the gateway address to then this is all you need. This is what I did to my camera system as I found out last month it was trying to contact every minute.

I've done the same, or technically, I didn't provide a gw at all....

log in to your fritz box
on the left side menu ...
go to > internet > "Filters"
on the right side tabs select the "Parental Controls" tab
under that will be listed the devices in your network
in my listing for example is a desktop I do not want to allow web access ..
so just to the right of its name is the word "block" which is a hyperlink (blue lettering)
click on "block" .. the fritz will after a few moments change "block" to show "unblock" and to the right of that will show device block enabled ..
the button below will change to "changing access profiles" click on it .. ( hourglass shows ) click on it and it will change again to "apply" click again ( hourglass shows ) ..
when the page refreshes look again to confirm for yourself that the desired device indeed shows device block enabled ..
.. job done ..
hope that helps ..
from John
located in rural Miranda, roughly 1.5hrs south east of Auckland, NZ in the direction of Coromandel ...
Today has been a super sunny warm day enjoying the beach and the great grankids ...
best wishes and health to all and merry xmas & new year to all

forgot to mention ...
internet access = blocked
your local network access .. will remain unchanged and active as it was before
keep smilin :wink: :wink:

An invalid gateway is no solution as the external subnet is unreachable then as well.

Fritzbox parental control function doesn't work either. The whitelist doesn't honor IP/CIDR notation, just URLs. I can block the traffic completely by that but i cannot create an exception rule.

I will set up the fake gateway by dummy now. Will keep you updated how far i get.

But do you want the camera(s) to reach the other subnets, or just the other subnets to reach the camera(s) ?

I just need "the other subnets to reach the camera". But you can't have one without the other. The initial SYN packet might reach the camera indeed but the camera won't be able to answer. It has no gateway and doesn't know where to send the answer to.

Correct, this is basic networking.

I don't understand this "fake gateway" idea. Why can't you just block the cameras from forwarding to WAN?

There's more convoluted setups as well (e.g. making a blackhole route and rule for these devices)...but a firewall rule seems easiest.

Because i cannot distinguish the camera traffic from the regular internet traffic that comes from the Fritzbox. Its just a client/ip in the primary subnet sending packets. Its NAT'ed and consolidates/abstracts all secondary traffic.

I need to "mark" the traffic somehow. I want to do that by targeting the camera packets to a fake gateway. By this, i can identify the packets and handle them correspondingly.

1 Like


OK...well, is there any way to do this on the Fritzbox?

  • SNAT for the camera; or
  • Drop NAT altogether and make a static route on the OpenWrt

In those sernarios, you will see the IP of the camera.

Put openwrt on the Fritz :wink:

1 Like

No, its a locked consumer-class device unless i put custom firmware on it. That's not an option.

I'm currently compiling a new OpenWrt snapshot before i will start tinkering.

Like I said earlier...

Now, if your fritzbox firewall allows you to write granular rules, you can make 2 rules:

  1. allow, src IP of the camera, dest network OpenWrt subnet
  2. deny (drop or reject), src IP of camera, dest network < unspecified or wildcard >

Or even better, make rule 1 only allowing established/related traffic, meaning that your camera can respond to connections made from the upstream network, but cannot initiate any connections outside the LAN.

Alternatively, move your camera to the OpenWrt subnet

There is a more convoluted idea I can think of, but not sure if it would work... create a VLAN on the OpenWrt router and then connect the LAN of the Fritzbox to that VLAN. On the fritzbox, you could block the camera from internet access (total block), but the clients on the OpenWrt network would actually have a route to the camera via the OpenWrt VLAN (this might not work if the camera doesn't know how to send data back since it wouldn't have a static route back to the other net, but you could try).