IP Camera allowed external access but not forwarded any ports?

Hi OWRT Community,

I just bought an IP Camera that runs its own webserver and I have an app that allows me to connect to it. However, I was expecting the app to only be able to access the camera when on the LAN, not from outside via the WAN. I've checked port forwards and I have none configured, so how can I find out how this webserver is allowing itself to be visible outside of my LAN (feels like a big security issue)? According to the documentation it runs RTSP on 554, ONVIF on 8080 and HTTP on 80. I was under the impression that OpenWrt is only allowed to forward requests to an internal webserver if I explicitly configure a port forward.

Are there commands that I can run via terminal that could provide some insight or should I simply block the camera?

If there's an app, it probably connects via an external server/service, which the camera connects to, too.

3 Likes

Thanks Frollic, that's what I thought, so basically IP Camera <> External Service < App... just odd as I was not asked to register with the service, it just did it on its own. So is the best way to prevent external access to this camera to block this device in the firewall to only allow LAN access? Is there a command I can run to find out which service the IP Camera is connecting to? I've tried iftop but the traffic that comes into my network is coming directly from my phone IP on EE (connected to mobile network 4G - to see what I can do on the camera) and this is using a high port to then connect to my camera (is it possible that UPnP is being used? Even though I've set the camera not to? - how can I check? I have the LuCI app installed and it's not showing connections on UPnP).

Let's do a simple test.

Disconnect your phone from your wifi, and make sure it uses the carrier's 4G/5G
network. Does the app still work? If it does, it's communicating with some server
somewhere.

You can block the camera's internet access, but if the above is true, your app
will cease to work.

1 Like

Yes - that's what I've done, my phone is connected to the carrier network (not wifi). I can access the camera - now I want to block the camera. I'm happy with no internet access as I'll set up WireGuard to get access to the camera remotely. I tried setting up a firewall rule to block any inbound from WAN > LAN with that specific MAC address but still managed to use the camera when on the carrier network and deffo not connected to wifi... wow, these Chinese products are serious security problems.

Good luck finding a camera not made in China ....

Block the outgoing traffic from the camera's IP/MAC in the FW, or don't provide it with a gateway IP, omitting the DNSes, or using bogus IPs, would work too, but it might use hardcoded ones.

1 Like

Awesome, the FW rule worked a treat, blocked outgoing traffic. So in essence it connects to a service LAN > WAN then the service (this effectively opens ports on my router even though I've not set up a port forward) when I use the app it connects to the service and this in turn connects to my camera. What threw me is in all other IoT Chinese devices I've had - you always have to "register" the device with the service; for this camera it doesn't ask for any of this, just spins up a set of streams and communicates with the service (no permission from me - massive security risk!). I was panicking thinking that the FW wasn't doing its job or I'd opened it somehow but ShieldsUP showed "Stealth", hence my concern.

Thanks as always to you and the community for helping me understand more about networking (been doing it for years but still learning).

P.S. I'm working on building my own IP Camera initially on Raspberry Pi Zero W but would love ESP32 version to make a UK security friendly IP Camera.

One final thing to ask. Is there a command I can run to see what IP address (the camera service) the camera is connecting to? Something like iftop on the ip of the device in the LAN to see what it's going out to?

You can trace the data flow with wireshark.

2 Likes

Probably not.

The camera streams to the server, the app connects to the same server, not to the camera.
Nothing is getting opened; outbound traffic from LAN to internet has always been allowed.
Now that you've blocked the internet access, does the app still work? It shouldn't.

1 Like

I can confirm that my FW rule is working and the camera is no longer accessible via the WAN. I have configured WireGuard (nightmare but done) on the router to provide VPN access so that I can view the camera remotely.

Thanks for your help and to the others for their contributions.

cat /tmp/dhcp.leases
conntrack -L | grep <CAMERAIP>
1 Like
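
Building on the two commands above, as an added example that is not part of any poster's reply: a POSIX shell function that summarises which remote addresses and ports one LAN host (the camera) has opened connections to, reading `conntrack -L` output or `/proc/net/nf_conntrack` on stdin. The function names, the camera IP 192.168.1.50 and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list where one LAN host connects to.
# Live use on the router, given the camera's IP from /tmp/dhcp.leases:
#   conntrack -L 2>/dev/null | camera_destinations <CAMERAIP>
#   camera_destinations <CAMERAIP> < /proc/net/nf_conntrack

camera_destinations() {
    # $1 = camera LAN IP; conntrack entries arrive on stdin
    awk -v cam="$1" '
    {
        # /proc/net/nf_conntrack lines start with "ipv4 2" or "ipv6 10"
        proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
        src = ""; dst = ""; dport = ""
        # The first src=/dst=/dport= on a line is the original direction,
        # i.e. who opened the flow; later ones describe the reply tuple.
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src != cam || dst == "") next
        key = proto " " dst (dport != "" ? ":" dport : "")
        flows[key]++
    }
    END { for (k in flows) print flows[k], k }' | sort -k1,1nr -k2
}

sample_conntrack() {
    # Constructed entries: camera 192.168.1.50, documentation-range remotes
    cat <<'EOF'
tcp      6 7439 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 100 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=51240 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51240 [ASSURED] mark=0 use=1
udp      17 59 src=192.168.1.50 dst=203.0.113.77 sport=40000 dport=32100 src=203.0.113.77 dst=198.51.100.7 sport=32100 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 20 src=192.168.1.50 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=5353 mark=0 zone=0 use=2
tcp      6 300 ESTABLISHED src=192.168.1.20 dst=192.168.1.50 sport=50000 dport=554 src=192.168.1.50 dst=192.168.1.20 sport=554 dport=50000 [ASSURED] mark=0 use=1
EOF
}

# Demo on the constructed sample: prints "<flow count> <proto> <dst>:<dport>"
sample_conntrack | camera_destinations 192.168.1.50
```

The last sample entry is a LAN client viewing the RTSP stream; it is skipped because the camera only appears as the source in the reply tuple, so the summary contains only flows the camera itself initiated.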
