Fake gateway (honeypot) to block internet access

Hello,
I have these devices:
OpenWrt (192.168.1.0/24) -> Fritzbox (192.168.1.10 <-NAT-> 192.168.2.0/24) -> Camera (192.168.2.2)

I want to block the camera from accessing the internet but keep it accessible to the OpenWrt subnet clients. The Fritzbox cannot distinguish between OpenWrt subnet clients and internet traffic, so I have to do some tricks here.

The plan is to set the camera default gateway to a fictitious (non-existing) IP like 192.168.10.10 (in the hope OpenWrt can identify packets by this) and create a static route in the Fritzbox that redirects that to OpenWrt. OpenWrt has an iptables rule that drops all packets going to 192.168.10.10 not targeting the OpenWrt subnet (192.168.1.0/24).

Is this possible? What would an iptables rule look like?

I'm not sure if I fully understand the gateway routing here:
The camera asks "Who has 192.168.10.10?", gets a positive response from the Fritzbox (due to the static route) and sends it to the Fritzbox. Then the Fritzbox asks OpenWrt the same and it... probably says "I don't know" and all is over.
What could be done here? Create a dummy NIC on OpenWrt? Or a custom netfilter rule? That's where I'm stuck.

Any ideas?

What purpose does the fritzbox serve? Can you remove it?


The Fritzbox serves several other proprietary devices (DECT phones, MESH, etc) and should be kept in a NAT'ed network.

I doubt you’ll be able to block the camera from the internet in the existing configuration unless you can create a firewall rule on the fritzbox, move the camera to the OpenWrt router, or put the OpenWrt router behind the fritzbox.

  • Add a static route to 192.168.2.0/24 via 192.168.1.10 on OpenWrt.
  • Add a firewall rule denying access from 192.168.2.2 to the WAN on OpenWrt.
  • Disable IPv4 masquerading on Fritzbox.
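The OpenWrt side of the three steps above (the static route and the deny rule), as an added example that is not from the thread. It assumes a stock OpenWrt with uci and the default 'lan' and 'wan' zones, the Fritzbox at 192.168.1.10 and the camera at 192.168.2.2 as given in the thread; the rule name and the APPLY switch are my own choices. Step 3 (switching off masquerading on the Fritzbox) has to be done in the Fritzbox UI and is what makes the rule effective, because with NAT in place OpenWrt only ever sees 192.168.1.10 as the source.

```shell
#!/bin/sh
# Added example (not from the thread): OpenWrt-side half of the three steps.
# Assumes OpenWrt with uci, zones named 'lan' and 'wan', the Fritzbox LAN
# address 192.168.1.10 and the camera 192.168.2.2 (values from the thread).
# Dry run by default: prints the uci commands. APPLY=1 executes them on the router.

CAM_IP="${CAM_IP:-192.168.2.2}"
CAM_NET="${CAM_NET:-192.168.2.0}"
CAM_MASK="${CAM_MASK:-255.255.255.0}"
FRITZ_IP="${FRITZ_IP:-192.168.1.10}"

# Step 1: static route so OpenWrt clients reach 192.168.2.0/24 via the Fritzbox.
route_cmds() {
    cat <<EOF
uci add network route
uci set network.@route[-1].interface='lan'
uci set network.@route[-1].target='$CAM_NET'
uci set network.@route[-1].netmask='$CAM_MASK'
uci set network.@route[-1].gateway='$FRITZ_IP'
uci commit network
/etc/init.d/network reload
EOF
}

# Step 2: forwarding rule that rejects traffic from the camera's real address
# towards the wan zone. Only meaningful once the Fritzbox stops masquerading
# (step 3); with NAT the source address OpenWrt sees is 192.168.1.10.
rule_cmds() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Deny-camera-to-WAN'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].src_ip='$CAM_IP'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Checks to run afterwards: the route must go via the Fritzbox and the rule must exist.
verify_cmds() {
    cat <<EOF
ip route get $CAM_IP
uci show firewall | grep -n "src_ip='$CAM_IP'"
EOF
}

# Number of uci commands a generator emits; a cheap sanity check on the output.
count_uci_lines() {
    "$1" | grep -c '^uci '
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        route_cmds | sh -e
        rule_cmds | sh -e
        verify_cmds | sh
    else
        route_cmds
        rule_cmds
        echo "# verify with:"
        verify_cmds
    fi
}

main "$@"
```

Run it once without APPLY to read the generated commands, then with APPLY=1 on the router. The route is attached to the lan interface because the Fritzbox sits in 192.168.1.0/24; REJECT rather than DROP is chosen so the camera gets an immediate error instead of a hanging connection, which is easier to spot in its logs.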

I'm not sure if this is possible, based on the OP's comment:

It is true that the network could be NAT'd and not masqueraded, but my impression (possibly mistakenly) is that the Fritzbox needs to be in standard NAT-masquerade mode.

As a last resort I could create a dummy NIC (ip link add dummy0 type dummy) with that IP, which should allow accepting the ARP request. Netfilter should be able to handle layer 3 then.

If your camera system allows you to set the gateway address to 0.0.0.0 then this is all you need. This is what I did to my camera system as I found out last month it was trying to contact 47.91.131.102 every minute.

I've done the same, or technically, I didn't provide a gw at all....

log in to your fritz box
on the left side menu ...
go to > internet > "Filters"
on the right side tabs select the "Parental Controls" tab
under that will be listed the devices in your network
in my listing for example is a desktop I do not want to allow web access ..
so just to the right of its name is the word "block" which is a hyperlink (blue lettering)
click on "block" .. the fritz will after a few moments change "block" to show "unblock" and to the right of that will show device block enabled ..
the button below will change to "changing access profiles" click on it .. ( hourglass shows ) click on it and it will change again to "apply" click again ( hourglass shows ) ..
when the page refreshes look again to confirm for yourself that the desired device indeed shows device block enabled ..
.. job done ..
hope that helps ..
..
from John
located in rural Miranda, roughly 1.5hrs south east of Auckland, NZ in the direction of Coromandel ...
Today has been a super sunny warm day enjoying the beach and the great grandkids ...
best wishes and health to all and merry xmas & new year to all

forgot to mention ...
internet access = blocked
your local network access .. will remain unchanged and active as it was before
..
keep smilin :wink: :wink:

An invalid gateway is no solution as the external subnet is unreachable then as well.

The Fritzbox parental control function doesn't work either. The whitelist doesn't honor IP/CIDR notation, just URLs. I can block the traffic completely by that but I cannot create an exception rule.

I will set up the fake gateway by dummy now. Will keep you updated how far i get.

But do you want the camera(s) to reach the other subnets, or just the other subnets to reach the camera(s) ?

I just need "the other subnets to reach the camera". But you can't have one without the other. The initial SYN packet might reach the camera indeed but the camera won't be able to answer. It has no gateway and doesn't know where to send the answer to.

Correct, this is basic networking.

I don't understand this "fake gateway" idea. Why can't you just block the cameras from forwarding to WAN?

There's more convoluted setups as well (e.g. making a blackhole route and rule for these devices)...but a firewall rule seems easiest.

Because I cannot distinguish the camera traffic from the regular internet traffic that comes from the Fritzbox. It's just a client/IP in the primary subnet sending packets. It's NAT'ed and consolidates/abstracts all secondary traffic.

I need to "mark" the traffic somehow. I want to do that by targeting the camera packets to a fake gateway. By this, I can identify the packets and handle them correspondingly.


Gotcha...

OK...well, is there any way to do this on the Fritzbox?

  • SNAT for the camera; or
  • Drop NAT altogether and make a static route on the OpenWrt

In those scenarios, you will see the IP of the camera.

Put openwrt on the Fritz :wink:


No, it's a locked consumer-class device unless I put custom firmware on it. That's not an option.

I'm currently compiling a new OpenWrt snapshot before I start tinkering.

Like I said earlier...

Now, if your fritzbox firewall allows you to write granular rules, you can make 2 rules:

  1. allow, src IP of the camera, dest network OpenWrt subnet
  2. deny (drop or reject), src IP of camera, dest network < unspecified or wildcard >

Or even better, make rule 1 only allowing established/related traffic, meaning that your camera can respond to connections made from the upstream network, but cannot initiate any connections outside the LAN.

Alternatively, move your camera to the OpenWrt subnet

There is a more convoluted idea I can think of, but not sure if it would work... create a VLAN on the OpenWrt router and then connect the LAN of the Fritzbox to that VLAN. On the fritzbox, you could block the camera from internet access (total block), but the clients on the OpenWrt network would actually have a route to the camera via the OpenWrt VLAN (this might not work if the camera doesn't know how to send data back since it wouldn't have a static route back to the other net, but you could try).
