Hi all,
Could someone kindly give me some guidance on creating the right firewall rules for my IP camera network.
The end result I want is a completely separate VLAN network that cannot be accessed from, or have access to, any other network, with the following exceptions:
- The router should be able to service DHCP requests and resolve local DNS from the Video VLAN.
- The video recorder device (at IP 10.10.10.10) should be able to be accessed via HTTPS, only from the LAN network.
Progress so far: I have a managed switch taking care of the VLAN. Packets from this network are delivered to the router tagged 300 on eth0.
So I've created a new network (interface) as follows (/etc/config/network):
config interface 'video'
	option type 'bridge'
	option ifname 'eth0.300'
	option proto 'static'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'
DHCP enabled like so (/etc/config/dhcp):
config dhcp 'video'
	option interface 'video'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'   # IPv6 router advertisements; the UCI key is 'ra'
Here is where my knowledge starts to run a bit dry. I get very confused about zone forwarding settings (anyone link a good tutorial?).
My gut tells me I want to have everything 'Reject' like this:
config zone
	option name 'video'
	list network 'video'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
Then create specific rules for the DNS/DHCP and SSL to the recorder.
config rule
	option name 'Allow DNS Queries'
	option src 'video'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
config rule
	option name 'Allow DHCP request'
	option src 'video'   # DHCP from the video VLAN to the router itself (no dest = router input)
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
config rule
	option name 'Allow LAN Clients to access NVR'
	option target 'ACCEPT'
	option proto 'tcp'
	option src 'lan'
	option dest 'video'
	option dest_ip '10.10.10.10'
	option dest_port '8443'
Does that look about right?
Cheers
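An added example, not part of the post above: a small Python audit script that parses UCI-style firewall and dhcp text and runs the consistency checks a reviewer would apply to an isolated-VLAN setup like this one. It assumes `lan` and `wan` zones exist elsewhere in the full firewall file, uses a partial whitelist of `config dhcp` keys, and feeds itself a constructed sample that carries two typical slips (a DHCP rule whose `src` names a zone that is never defined, and an `rs` key in the dhcp section where `ra` is meant) so the findings are visible when run.

```python
"""Audit OpenWrt UCI firewall/dhcp config for an isolated camera VLAN.

Added example, not code from the forum post: a minimal UCI parser plus the
consistency checks a reviewer would run. Sample configs are constructed.
"""
import shlex

# Keys a 'config dhcp' section may carry (partial list from OpenWrt's dhcp
# docs); anything outside it is flagged, which catches typos such as 'rs'.
DHCP_KEYS = {"interface", "start", "limit", "leasetime", "dhcpv6", "ra",
             "ignore", "dynamicdhcp", "force"}
DEFAULT_ZONES = {"lan", "wan"}  # assumed to exist in the full firewall file

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; 'list' keys
    accumulate into Python lists, 'option' keys map to one string."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name, "options": {}})
        elif parts[0] in ("option", "list") and sections:
            key, value = parts[1], parts[2] if len(parts) > 2 else ""
            opts = sections[-1]["options"]
            if parts[0] == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections

def port_covered(spec, port):
    """True if a UCI port spec ('53', '67-68', '80 443') includes `port`."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit(firewall_text, dhcp_text):
    """Return a list of finding strings; an empty list means all checks passed."""
    fw, dh = parse_uci(firewall_text), parse_uci(dhcp_text)
    zones = [s["options"] for s in fw if s["type"] == "zone"]
    rules = [s["options"] for s in fw if s["type"] == "rule"]
    known = DEFAULT_ZONES | {z.get("name") for z in zones}
    findings = []
    # 1. Every src/dest in a rule must name a zone that actually exists.
    for r in rules:
        for side in ("src", "dest"):
            z = r.get(side)
            if z is not None and z not in known:
                findings.append(f"rule '{r.get('name')}': {side} zone '{z}' is not defined")
    # 2. A zone with input REJECT/DROP needs an explicit rule letting DHCP
    #    (udp 67-68 with no dest, i.e. traffic to the router) in from that zone.
    for z in zones:
        if z.get("input", "ACCEPT") == "ACCEPT":
            continue
        ok = any(r.get("src") == z["name"] and "dest" not in r
                 and "udp" in r.get("proto", "").split()
                 and port_covered(r.get("dest_port", ""), 67)
                 and r.get("target") == "ACCEPT" for r in rules)
        if not ok:
            findings.append(f"zone '{z['name']}': input is {z['input']} but no rule accepts DHCP from it")
    # 3. Unknown keys in dhcp sections (e.g. 'rs' where 'ra' was meant).
    for s in dh:
        if s["type"] == "dhcp":
            for key in s["options"]:
                if key not in DHCP_KEYS:
                    findings.append(f"dhcp '{s['name']}': unknown option '{key}'")
    return findings

# Constructed sample: the DHCP rule names a 'mgmt' zone that is never
# defined, and the dhcp section says 'rs' where 'ra' is meant.
POSTED_FIREWALL = """
config zone
    option name 'video'
    list network 'video'
    option input 'REJECT'
    option output 'REJECT'
    option forward 'REJECT'
config rule
    option name 'Allow DHCP request'
    option src 'mgmt'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'
"""
POSTED_DHCP = "config dhcp 'video'\noption interface 'video'\noption dhcpv6 'server'\noption rs 'server'\n"
FIXED_FIREWALL = POSTED_FIREWALL.replace("option src 'mgmt'", "option src 'video'")
FIXED_DHCP = POSTED_DHCP.replace("option rs ", "option ra ")

if __name__ == "__main__":
    for f in audit(POSTED_FIREWALL, POSTED_DHCP):
        print("FINDING:", f)
    print("fixed config findings:", audit(FIXED_FIREWALL, FIXED_DHCP))
```

Run it on the real files with `audit(open('/etc/config/firewall').read(), open('/etc/config/dhcp').read())`; the parser is deliberately tolerant (it ignores `config` types it does not know about) so the rest of a normal OpenWrt config passes through untouched, and the zone whitelist is the one place to extend if the router defines more zones than `lan`, `wan` and the ones in the text being checked.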