Help securing IP cameras

I'm using Dahua IP cameras (with an NVR), and I've been hacked (the camera sent outgoing requests and an attacker used it to connect to/reset other devices).
The hack was possible since the NVR somehow was able to figure out the gateway/DNS.
To fix this I'm using an OpenWrt router (TP-Link 1043 v1) as a managed switch.
I've created two VLANs:
1 - home network and all devices
2 - unused
4 - NVR + Raspberry Pi
The Raspberry Pi is required to be on both networks, since it is used as an NTP server and for more tasks (VPN server and some more).
Is this config enough (it is working for me, but I'm not sure if I missed something)?

cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:42ff:89fe::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option description 'home network'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t'

config switch_vlan
	option device 'switch0'
	option description 'NVR-prevent internet access'
	option vlan '4'
	option ports '3t 4 5t'

config device
	option name 'eth0.4'
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option ipv6 '0'

config interface 'NVR'
	option device 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-4-1'
	list ports 'eth0.1'
	list ports 'eth0.4'

config bridge-vlan
	option device 'br-4-1'
	option vlan '1'
	list ports 'eth0.1'
	list ports 'eth0.4'

config bridge-vlan
	option device 'br-4-1'
	option vlan '4'
	list ports 'eth0.1'
	list ports 'eth0.4'

Some details you haven't stated may be more intrinsic to your solution.

  • Did the setup of the NVR require online registration?
  • Does the NVR come with built in Cloud storage?
  • Does the NVR have a Web Based frontend and/or App package for phones/computer?
  • If the NVR has Web Based frontend did you supply the device with DNS/Gateway?
  • Did you have access to documentation from the manufacturer to set up the NVR as a LAN-only device?

Since you are running your OpenWrt as a switch, you lose valuable tools to strictly route traffic. You must therefore configure your appliance to work on LAN only (as evident from your VLANs), yet the NVR's networking setup portal/page is priority one.

Since we do not know your actual router, I'd suggest you get some "peace of mind" by disconnecting all devices from the ISP-provided device, plugging in a laptop and visiting the link below. Run several tests:

  • ISP > laptop test
  • ISP > Router > laptop test
  • ISP > Router > managed switch > current setup > test

https://www.grc.com/x/ne.dll?bh0bkyd2

Yes: firewall-rules to prevent the cameras and NVR from connecting to anything on the Internet.

  • Did the setup of the NVR require online registration?
  • Does the NVR come with built in Cloud storage?
  • Did you have access to documentation from the Manufacture to setup the NVR as a LAN only device?

No

  • Does the NVR have a Web Based frontend and/or App package for phones/computer?
  • If the NVR has Web Based frontend did you supply the device with DNS/Gateway?

Yes, configured the Gateway/DNS as the IP of the openwrt router (the IP in VLAN 4)

Network config:

# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:42ff:89fe::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option ipv6 '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option description 'home network'
	option ports '5t 1 2 3 0'

config switch_vlan
	option device 'switch0'
	option description 'NVR-prevent internet access'
	option vlan '4'
	option ports '5t 3t 4'

config device
	option name 'eth0.4'
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option ipv6 '0'

config interface 'NVR'
	option device 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-4-1'
	list ports 'eth0.1'
	list ports 'eth0.4'

config bridge-vlan
	option device 'br-4-1'
	option vlan '1'
	list ports 'eth0.1'
	list ports 'eth0.4'

config bridge-vlan
	option device 'br-4-1'
	option vlan '4'
	list ports 'eth0.1'
	list ports 'eth0.4'

Firewall config:

# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'nvr'
	option output 'ACCEPT'
	list device 'eth0.4'
	option masq '1'
	option mtu_fix '1'
	list network 'NVR'
	option input 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'nvr'

Tried to reach the internet from a Raspberry Pi using VLAN 4 - the VLAN I want to isolate from the internet (no inbound/outbound access).

rpi@rasp:/tmp $ curl --interface  eth0.4 142.251.37.46   # try direct access to internet host skipping DNS resolving
curl: (7) Failed to connect to 142.251.37.46 port 80: Connection refused
rpi@rasp:/tmp $ ping -c4 -I eth0.4 1.1.1.1
PING 1.1.1.1 (1.1.1.1) from 192.168.101.134 eth0.4: 56(84) bytes of data.
From 192.168.101.1 icmp_seq=1 Destination Port Unreachable
From 192.168.101.1 icmp_seq=2 Destination Port Unreachable
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 2ms

rpi@rasp:/tmp $ ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.134  netmask 255.255.255.0  broadcast 192.168.100.255
        ether xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 2343935  bytes 2409529878 (2.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2027408  bytes 1795550401 (1.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.134  netmask 255.255.255.0  broadcast 192.168.100.255
        ether xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 7068 (6.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.101.134  netmask 255.255.255.0  broadcast 192.168.101.255
        ether xx:xx:xx:xx:xx txqueuelen 1000  (Ethernet)
        RX packets 1495878  bytes 2072021682 (1.9 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 721600  bytes 53106257 (50.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 20897  bytes 24127335 (23.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20897  bytes 24127335 (23.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 5005  bytes 380059 (371.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9124  bytes 11827432 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

rpi@rasp:/tmp $ 

Does the firewall config look good?
I want to prevent access from vlan 4 to the internet or to the rest of my lan.

You have multiple issues here:

Aside from the fact that this is, for some reason, repeated 3 times, this shouldn't be there at all... you've got a device that uses swconfig, not DSA.

What is connected to port 3? And what about port 4?

The above is wrong -- the wan network should not be part of the lan zone.

And the nvr zone should not be masqueraded, nor should the device be included here. Remove masq, mtu_fix, and device from the above.

It appears this device is connected to an upstream router... is that correct? Does that router have a static route defined for the NVR network? If not, does that upstream device have the capability to add static routes? There is more to be done, but this question is key to resolving the rest.
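The zone mistakes pointed out above (wan listed in the lan zone; masq, mtu_fix and a raw device on the nvr zone) can be caught mechanically. The following is an added example, not code from the thread or from OpenWrt: a small parser for UCI syntax plus a linter that reports those findings; the sample config is constructed to mirror the firewall file posted above.

```python
import shlex

# Constructed sample mirroring the firewall config posted above (not a file
# copied from the poster's router); it reproduces the flagged mistakes.
SAMPLE_FIREWALL = """
config zone
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wan'

config zone
	option name 'nvr'
	list device 'eth0.4'
	option masq '1'
	option mtu_fix '1'
	list network 'NVR'
	option forward 'REJECT'
"""

def parse_uci(text):
    """Parse UCI syntax into sections: config <type> [name], option k v, list k v."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "options": {}, "lists": {}})
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections

def lint_zones(text, isolated="nvr"):
    """Return human-readable findings for the zone mistakes raised in the thread."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] != "zone":
            continue
        opts, lists, name = sec["options"], sec["lists"], sec["options"].get("name")
        if name == "lan" and "wan" in lists.get("network", []):
            findings.append("lan zone lists network 'wan': upstream traffic is treated as trusted LAN")
        if name == isolated:
            if opts.get("masq") == "1":
                findings.append(f"{name} zone has masq '1': NAT belongs on the zone facing upstream")
            if opts.get("mtu_fix") == "1":
                findings.append(f"{name} zone has mtu_fix '1': only useful alongside masquerading")
            if "device" in lists:
                findings.append(f"{name} zone lists a raw device: bind it with 'network' only")
            if opts.get("forward", "REJECT") != "REJECT":
                findings.append(f"{name} zone forward is {opts['forward']}: isolation needs REJECT")
    return findings
```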

You are correct, I followed a DSA tutorial without understanding what it means.
How could I know the device does not support DSA?

I wanted to use the WAN port as a LAN port (VLAN 1), maybe this is the reason I've added this.
But, removing this.

Can you explain what these configs do (not sure why I set them)?

Not sure I understand the question; NVR is the name I gave to VLAN 4, and I used static IPs in VLAN 4.

My network layout:

A. Dahua NVR - has an 8-port PoE switch + 1 non-PoE port (uplink)
B. TP-Link 1043ND v1 - with 5 network ports, used as a managed switch with two VLANs

  1. VLAN 1 - Home network (PC/Laptops etc.) + Raspberry Pi
  2. VLAN 4 - Dahua NVR (A) + Raspberry Pi (same one from VLAN 1)

C. Huawei AX3 router - my main router
D. TP-Link W9970 - used as an ADSL modem (in bridge mode, no routing)


Port 3 - Raspberry Pi
Port 4 - Dahua NVR (to which two IP camera are connected).

If you're relatively new to OpenWrt, this wouldn't be immediately obvious. There is a transition happening from swconfig to DSA, and only certain devices have been migrated thus far. You can see the list of targets in the release notes for 21.02.0... you have an ath79 based device, but not the one that has been moved to DSA.

Sure, you can do this, but the best way to do this is with the VLAN configurations since the WAN port is physically just another port on the built-in switch. Let's do this as the last step.

Masquerading is basically the idea of presenting one address for many devices that sit behind it. This is how most home networks interface with the internet -- the ISP provides you with a single IPv4 address, and you create a private network behind that... all of your devices get "masqueraded" behind that single IP. Typically masquerading is on the WAN, but it can be used whenever you need to present a single address to the upstream network. If this hasn't helped clarify things, just look up 'IP masquerading' on Google and read a few articles.

In your situation, you may need to use masquerading, but if you do, it'll be on the LAN in this configuration.

MTU fix is "maximum transmission unit" and is usually not required on the networks that don't need to be masqueraded.

This is what I was getting at... the 1043ND is not your main router.
Please login to your AX3 device and see if you can find any config options for "static routes" -- not all routers expose this functionality, but if it is there, we will want to use that feature. If not, we'll use masquerading on the lan zone of your OpenWrt firewall.

Thanks. As long as the Pi is configured for VLANs (VLAN 4) that should be fine. If your Pi isn't appropriately configured, it'll just ignore the tagged VLAN 4 network (and thus will not get an address on that subnet). But your DVR should be fine based on the topology and config.

So, please let me know about the static route config on your primary router (if it exists or not), and also please post your latest config files so I can review them before suggesting the final changes.

There is no way to configure static routes in my main router, the Huawei AX3.
Network config:

# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option ipv6 '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option description 'home network'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option description 'NVR-prevent internet access'
	option vlan '4'
	option ports '5t 3t 4'

config device
	option name 'eth0.4'
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option ipv6 '0'

config interface 'NVR'
	option device 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'


Firewall config:

# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'nvr'
	option output 'ACCEPT'
	list device 'eth0.4'
	list network 'NVR'
	option input 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'nvr'

Thank you for all the help and fast replies (funny that a 10-year-old router has so many more features with OpenWrt than a router I bought last year).

ok... so, in that case, we need to enable masquerading on your lan firewall zone.

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

At this point, your NVR should have access to the upstream network and the internet, but your main network will not be able to talk to the NVR.

Do you want to block the NVR from reaching the internet?

Do devices on your main network (192.168.100.0/24) need to be able to access the NVR? If so, you'll want to setup port forwarding. So how does that access work (via a web browser? or something else)?

From the above, it looks like your physical WAN port should already be 'just another port' on the switch.

Yes.

Yes, I want to be able to access from my main lan to the NVR.
There are multiple ports that are used.
For managing the NVR - port 80 - HTTP
For watching the cameras - port 554 - RTSP ( I use VLC)
For connecting a specific camera A - 10080 - HTTP
For connecting a specific camera B - 10081 - HTTP

Actually, looking at your config again, it should not have access to the internet.
But you can remove the following, as it doesn't have any value:

Now, to allow your LAN to access your NVR:

create port forwarding rules for these.

  • Protocol TCP + UDP
  • source zone lan
  • destination zone nvr
  • internal IP address : 192.168.101.108 (your NVR)
  • external and internal ports: matching what you have above (one rule for each port, although for consecutive ports, you can make a single rule)
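The five bullets above map onto UCI "config redirect" sections. As an added example (not code from the thread or from OpenWrt), the generator below emits one DNAT rule per port for the NVR address and ports posted in this thread, merging consecutive ports into a single range rule as suggested; the rule names are assumed.

```python
# Added example (not from the thread): generate the DNAT rules described above,
# one per port, merging consecutive ports into a single rule.
# Port list and NVR address are the ones posted above; rule names are assumed.
NVR_IP = "192.168.101.108"
NVR_PORTS = [80, 554, 10080, 10081]   # HTTP, RTSP, camera A, camera B

def merge_ports(ports):
    """Collapse ports into (lo, hi) ranges, e.g. 10080 and 10081 -> (10080, 10081)."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def render_redirects(dest_ip, ports, src_zone="lan", dest_zone="nvr"):
    """Emit UCI 'config redirect' sections for /etc/config/firewall."""
    out = []
    for lo, hi in merge_ports(ports):
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        out.append("\n".join([
            "config redirect",
            f"\toption name 'nvr-{span}'",      # assumed naming scheme
            f"\toption src '{src_zone}'",
            f"\toption dest '{dest_zone}'",
            "\toption proto 'tcp udp'",         # TCP + UDP, as suggested above
            "\toption target 'DNAT'",
            f"\toption src_dport '{span}'",     # port on the router's LAN address
            f"\toption dest_ip '{dest_ip}'",
            f"\toption dest_port '{span}'",     # same port on the NVR
        ]))
    return "\n\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_redirects(NVR_IP, NVR_PORTS))
```

Note that a src_dport 80 rule on the lan zone also captures plain HTTP aimed at the router's own LAN address, which is why LuCI has to be reached over HTTPS later in this thread.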

After applying the recent changes:

Also did:

Also, I've added one forwarding rule - to port 80.

Now I cannot open LuCI, and I also don't see the OpenWrt as a DHCP client in my main router.
However, I do have SSH access.
Network config:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option ipv6 '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option description 'home network'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option description 'NVR-prevent internet access'
	option vlan '4'
	option ports '5t 3t 4'

config device
	option name 'eth0.4'
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option ipv6 '0'

config interface 'NVR'
	option device 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

Firewall config:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'	
	list network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'nvr'
	option output 'ACCEPT'
	list device 'eth0.4'
	list network 'NVR'
	option input 'ACCEPT'
	option forward 'REJECT'

config redirect
	option dest 'nvr'
	option target 'DNAT'
	option name 'manage-nvr'
	option src 'lan'
	option src_dport '80'
	option dest_ip '192.168.101.108'
	option dest_port '80'

We didn't change anything that should have impacted that. How were you accessing it before (what address)? Were you using 192.168.100.5?

yes, I used both Luci and SSH to:
192.168.100.5
Maybe the forwarding rule affected somehow?

oh... right, yes. Port 80 is now forwarded to the NVR.

Try https://192.168.100.5 (this will hopefully force your browser to use HTTPS port 443)

HTTPS does work - I'm able to reach LuCI.
Somehow, the forwarding works as well: when I use HTTP, I reach the NVR as I wanted; not sure what happened before.
It works exactly as I wanted, thanks.

I have a question:

How can you tell my wan port is just another lan port, and what is 5t?

Your device has 5 physical ports (1x WAN + 4x LAN as labeled on the case). Those map to logical ports 0-4. You've split the logical port 4 off to the NVR VLAN, but your VLAN 1 definition has 4 ports (0-3) -- so we know all 5 logical and physical ports are in use.

5t: 5 is the logical port that corresponds to the CPU. t means tagged -- the CPU is expecting the VLAN to be tagged (eth0.1) -- the .1 means eth0, VLAN 1 tagged.

Thanks for all the help and answers, everything works well.


Glad you're all set!