Firewall rules for IP camera network

Hi all,

Could someone kindly give me some guidance on creating the right firewall rules for my IP camera network?

The end result I want is a completely separate VLAN network that cannot be accessed from, or have access to, any other network, with the following exceptions:

  • The router should be able to service DHCP requests and resolve local DNS from the Video VLAN.
  • The video recorder device (at IP 10.10.10.10) should be able to be accessed via HTTPS, only from the LAN network.

Progress so far: I have a managed switch taking care of the VLAN. Packets from this network are delivered to the router tagged 300 on eth0.
So I've created a new network (interface) as follows (/etc/config/network):

config interface 'video'
        option type 'bridge'
        option ifname 'eth0.300'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'

DHCP enabled like so (/etc/config/dhcp):

config dhcp 'video'
        option interface 'video'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # odhcpd: run the DHCPv6 server and send router advertisements on this interface
        option dhcpv6 'server'
        option ra 'server'

Here is where my knowledge starts to run a bit dry. I get very confused about zone forwarding settings (can anyone link a good tutorial?).

My gut tells me I want to have everything 'Reject' like this:

config zone
        option name 'video'
        list network 'video'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

Then create specific rules for the DNS/DHCP and SSL to the recorder.

config rule
        option name 'Allow DNS Queries'
        option src 'video'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP request'
        option src 'mgmt'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow LAN Clients to access NVR'
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'video'
        option dest_ip '10.10.10.10'
        option dest_port '8443'

Does that look about right?

Cheers

Looking pretty good so far, does it work?

you might not want the video network to even have DNS...

config interface 'video'
        option type 'bridge'

Remove the bridge if you don't need it (e.g. for some wireless interface).

Output in the firewall zone can be ACCEPT, best for troubleshooting.

option src 'mgmt'

Change that to 'video'.

Personally I would allow all traffic from LAN to VIDEO. If you insist on keeping it locked, consider also adding ICMP echo requests and replies for troubleshooting.

Ah yes thanks, that's some copy/paste errors from another guide I was following.

All seems to be working.

One thing: when making static IP reservations in /etc/config/dhcp, there is no option to specify the interface (as far as I can see). So I can set something like:

config host
        option name 'network-video-recorder'
        option dns '1'
        option mac 'C0:3F:XX:XX:XX:XX'
        option ip '10.10.10.10'

But presumably that IP will get applied regardless of which interface the NVR is connected to. I was hoping that (for debug or recovery purposes) if I connected it to the regular LAN it would get a LAN IP.

Is it possible to specify DHCP reservations by interface? So if it's connected to the 'video' interface (VLAN 300) it gets 10.10.10.10, and if it's connected to the LAN interface it gets 192.168.1.10?

So I've learned a few things here.

Firstly, DHCP wasn't working as I had the output chain set to Reject, so the DHCP server could not send responses to the devices on that VLAN (as spotted by @trendy).

Useful logs helped find this:
daemon.warn dnsmasq-dhcp[6471]: Error sending DHCP packet to 10.10.10.150: Operation not permitted

Presumably I could set up very tight rules to only allow DHCP responses, but that would seem overkill as traffic originating from the router should be 'trusted' (and in any case, if you'd compromised the router, you could just change the rules :smiley:).

Secondly, what I wanted to achieve with dnsmasq (static reservation on one interface only) seems to work auto-magically. If I connect to VLAN 300, the NVR is assigned 10.10.10.10 per the host reservation in /etc/config/dhcp. If I plug the Ethernet into the primary LAN it is assigned a pool address in the 192.168.1.x range. Not sure how the logic of this works, but glad it does!

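A small lint script for checking a firewall config like the one in the first post against the two things this thread turned up (the stray 'mgmt' zone in the DHCP rule, and the zone output policy of REJECT that stopped dnsmasq sending DHCP replies), plus two related checks. It is an added example, not code from the thread or from OpenWrt. It assumes the camera zone is named 'video', parses plain hand-written UCI syntax with a regex (not a full UCI parser), and runs on a sample config constructed from the snippets above plus a hypothetical 'lan' zone and a zone-wide 'forwarding' section, included to show what that check catches.

```python
"""Lint an OpenWrt UCI firewall snippet for an isolated camera VLAN. Added example,
not code from the thread or OpenWrt; it assumes the camera zone is named 'video'.
The sample is constructed from the thread's snippets plus a 'lan' zone and a
hypothetical zone-wide 'forwarding' section."""
import re

SAMPLE_CONFIG = """
config zone
        option name 'lan'
        list network 'lan'

config zone
        option name 'video'
        list network 'video'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow DNS Queries'
        option src 'video'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP request'
        option src 'mgmt'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow LAN Clients to access NVR'
        option src 'lan'
        option dest 'video'
        option dest_ip '10.10.10.10'
        option dest_port '8443'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'video'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
_KV = re.compile(r"""^(option|list)\s+(\S+)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""")


def parse_uci(text):
    """Parse UCI text into a list of {"type", "name", "opts", "lists"} sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}, "lists": {}})
            continue
        m = _KV.match(line)
        if m and sections:
            value = next(v for v in m.groups()[2:] if v is not None)
            if m.group(1) == "option":
                sections[-1]["opts"][m.group(2)] = value
            else:
                sections[-1]["lists"].setdefault(m.group(2), []).append(value)
    return sections


def lint_camera_zone(text, camera_zone="video"):
    """Return findings (strings) for the camera zone; an empty list means clean."""
    sections = parse_uci(text)
    zones = {s["opts"].get("name"): s for s in sections if s["type"] == "zone"}
    if camera_zone not in zones:
        return [f"zone '{camera_zone}' is not defined"]
    findings = []
    # 1. output=REJECT on the zone stops router-originated packets (the thread's DHCP failure).
    out_policy = zones[camera_zone]["opts"].get("output")
    if out_policy is not None and out_policy != "ACCEPT":
        findings.append(f"zone '{camera_zone}': output={out_policy} blocks "
                        "router-originated traffic such as DHCP replies; use ACCEPT")
    for s in sections:
        o = s["opts"]
        # 2. Zone-wide forwardings bypass the single-port NVR rule entirely.
        if s["type"] == "forwarding" and camera_zone in (o.get("src"), o.get("dest")):
            findings.append(f"forwarding {o.get('src')} -> {o.get('dest')}: zone-wide, "
                            "not limited to the NVR port")
        if s["type"] != "rule":
            continue
        rule = o.get("name", "<unnamed>")
        # 3. Each src/dest must name a defined zone (catches the stray 'mgmt').
        for side in ("src", "dest"):
            zone = o.get(side)
            if zone is not None and zone != "*" and zone not in zones:
                findings.append(f"rule '{rule}': {side} zone '{zone}' is not defined")
        # 4. An ACCEPT rule from the camera zone into another zone is an egress path.
        if (o.get("src") == camera_zone and o.get("dest") not in (None, camera_zone)
                and o.get("target") == "ACCEPT"):
            findings.append(f"rule '{rule}': allows {camera_zone} -> {o['dest']} egress")
    return findings
```

Run lint_camera_zone() on a copy of /etc/config/firewall pulled from the router; an empty list means none of the four checks fired. On the sample it reports the REJECT output policy, the undefined 'mgmt' zone and the zone-wide lan -> video forwarding, while the DNS rule (camera zone to the router itself) and the single-port NVR rule pass. The output check is the one the thread hit: the "Error sending DHCP packet ... Operation not permitted" log line is dnsmasq running into that zone's REJECT output policy.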