IP camera with disabled internet from traffic rules can't get date

Hi to all,

I have an IP camera connected to the LAN, but I have blocked it from going out with firewall and traffic rules.
Because this camera can't see the internet, it can't get the correct time and date :slight_smile: What can I do to make it get the date and time?

Thank you :slight_smile: in advance

The corresponding /etc/config/firewall section:

config rule
	list proto 'all'
	option name 'webcams'
	option target 'REJECT'
	option src 'lan'
	list src_mac 'aa:aa:aa:aa:aa:aa'
	list src_mac 'xx:xx:xx:xx:xx:xx'
	option dest '*'

The easiest way is to enable the NTP server capability of your OpenWrt device and enter the router's LAN IP address in the NTP server menu of the cameras.

uci set system.ntp.enable_server="1"
uci commit system
/etc/init.d/sysntpd restart

Otherwise you should add a firewall rule, allowing the cameras to make NTP requests to the Internet (UDP 123).

4 Likes

I enabled the NTP server, but how do I do the following?

See the owner's manual of your cameras for how to do that.

3 Likes

Ah, there is no such option; they are very simple IP cameras.

@pavelgl can you give more details on how to do that with the firewall rule you are referring to?

Yes, I can, but first try to find out the better solution. Search for the right menu in your cameras. It should be something like that.

If you decide to open the firewall:

uci add firewall rule
uci set firewall.@rule[-1].name="Allow-IPCam-NTPsync"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].dest_port="123"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].family="ipv4"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall

Use LuCI to drag that rule before the one forbidding everything coming from the cameras, and restart the firewall.

2 Likes
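Added example, not code from any post in this thread: a small POSIX sh checker that reads an OpenWrt /etc/config/firewall and reports whether the NTP ACCEPT rule sits before the REJECT rule. This matters because `uci add firewall rule` appends the new section at the end of the file, where it is never reached until it is moved up. The rule names, the MAC address and both config texts below are constructed for the demo; the option is spelled `family` (the posts above have a typo).

```shell
#!/bin/sh
# Added example, not code from the thread. OpenWrt evaluates firewall rules
# top-down and `uci add firewall rule` appends the new section at the END of
# /etc/config/firewall, so an ACCEPT rule created that way lands after the
# 'webcams' REJECT rule and is never reached until it is moved (LuCI drag, or
# `uci reorder firewall.@rule[-1]=N` with N = the wanted position counted over
# all sections in the file). Note the option is spelled `family`, not `famyly`.

# Constructed sample: both rules in the order `uci add` produces (ACCEPT last).
sample_allow_last() {
    cat <<'EOF'
config rule
	list proto 'all'
	option name 'webcams'
	option target 'REJECT'
	option src 'lan'
	list src_mac 'aa:aa:aa:aa:aa:aa'
	option dest '*'

config rule
	option name 'Allow-IPCam-NTPsync'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
EOF
}

# The same two sections with the ACCEPT rule moved in front (awk paragraph
# mode: each blank-line-separated stanza is one record, printed in reverse).
sample_allow_first() {
    sample_allow_last | awk 'BEGIN { RS = ""; ORS = "\n\n" } { s[NR] = $0 } END { print s[2]; print s[1] }'
}

# rule_order_ok ACCEPT_NAME REJECT_NAME   (config text on stdin)
# Exit 0 if the ACCEPT rule precedes the REJECT rule, 1 if it follows it,
# 2 if either name is missing. Rule names may contain spaces.
rule_order_ok() {
    awk -v q="'" -v allow="$1" -v deny="$2" '
        $1 == "config" && $2 == "rule" { n++ }
        $1 == "option" && $2 == "name" {
            name = ""
            for (i = 3; i <= NF; i++) name = name (i > 3 ? " " : "") $i
            gsub(q, "", name); idx[name] = n
        }
        END {
            if (!(allow in idx) || !(deny in idx)) { print "missing rule"; exit 2 }
            if (idx[allow] < idx[deny]) { print "ok: " allow " (rule " idx[allow] ") precedes " deny " (rule " idx[deny] ")"; exit 0 }
            print "BAD: " allow " is rule " idx[allow] ", after " deny " (rule " idx[deny] "); move it up"; exit 1
        }'
}

# Demo: the as-added order fails, the reordered one passes. On the router:
#   rule_order_ok Allow-IPCam-NTPsync webcams < /etc/config/firewall
sample_allow_last  | rule_order_ok Allow-IPCam-NTPsync webcams || :
sample_allow_first | rule_order_ok Allow-IPCam-NTPsync webcams
```

Run it once against the saved file after `uci commit firewall` and `/etc/init.d/firewall restart`; a "BAD" line means the NTP rule is still shadowed by the REJECT rule, whatever LuCI shows.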

Yes @lepidas, I use @pavelgl's method for NTP (i.e. use the OpenWrt as an NTP server) and then block [other] LAN to WAN traffic for the IP of the camera.

1 Like

For some reason the allow UDP 123 rule is not working. The time is still stuck in the past.
Maybe because the cameras are TP-Link Tapo C100 and C200.

config rule
	option name 'Allow-IPCam-NTPsync'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	list proto 'all'
	option name 'webcams'
	option target 'REJECT'
	option src 'lan'
	list src_mac 'yy:zz:XX:XX'
	list src_mac 'AA:BB:AA:BB'
	option dest '*'

Do you allow DNS requests?

1 Like

How do I check that? I am not sure.

Did you block traffic to the router or to WAN DNS servers? :wink:

1 Like

Well, everything works perfectly with the additional firewall rule.
I had to set the NORDVPN network instead of WAN in this additional rule. I route all traffic through it; I had forgotten :smiley:

Thank you all people!

2 Likes

Allowing UDP 123 is not secure enough if you really want to disable internet access. Also, the fact that it actually worked without also allowing DNS is already worrying. If we (rather safely) assume that the NTP server IP is not hardcoded in the camera, that means the camera actually resolved a DNS query successfully, probably through the OpenWrt device itself as a relay. This could allow data exfiltration through DNS. Yes, quite unlikely, but possible. Please disable DNS resolution for your camera's IP.

The proper way would be to sniff the camera's traffic to see which NTP server (by DNS name) it is trying to reach. Then use OpenWrt (or Pi-hole, whatever you are using as DNS) to resolve that query to your OpenWrt device, which should be set up to act as an NTP relay.

1 Like
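Added example, not from any post in this thread, for the sniff-then-pin approach described above: a sh script that extracts the hostnames a camera asked for from tcpdump's DNS output and prints the uci commands that make dnsmasq answer those names with the router's own address, so the camera syncs against OpenWrt's ntpd without any WAN path. The capture lines, the camera IP 192.168.1.50, the router IP 192.168.1.1 and the hostnames time.example.com and pool.example.net are constructed assumptions; the thread does not say which name the Tapo cameras actually query.

```shell
#!/bin/sh
# Added example, not from the thread. Step 1, on the router (tcpdump via opkg):
#   tcpdump -ni br-lan -l 'host 192.168.1.50 and udp port 53' > cam-dns.txt
# Step 2: feed that text to the functions below. Camera IP 192.168.1.50,
# router 192.168.1.1 and every hostname here are assumptions for the demo.

# Constructed stand-in for the tcpdump output: two A/AAAA queries from the
# camera, one answer, and one query from an unrelated host (192.168.1.77).
sample_capture() {
    cat <<'EOF'
12:00:01.100000 IP 192.168.1.50.44021 > 192.168.1.1.53: 18931+ A? time.example.com. (34)
12:00:01.100000 IP 192.168.1.50.44021 > 192.168.1.1.53: 18932+ AAAA? time.example.com. (34)
12:00:01.200000 IP 192.168.1.1.53 > 192.168.1.50.44021: 18931 1/0/0 A 203.0.113.10 (50)
12:00:31.300000 IP 192.168.1.50.50144 > 192.168.1.1.53: 5522+ A? pool.example.net. (34)
12:00:40.000000 IP 192.168.1.77.39910 > 192.168.1.1.53: 7100+ A? www.example.org. (33)
EOF
}

# queried_names CAMERA_IP   (capture on stdin)
# Prints the distinct names CAMERA_IP asked for, sorted, one per line.
# Field 3 is "src.port"; anchoring on "CAMERA_IP." at its start avoids a
# prefix clash such as 192.168.1.5 vs 192.168.1.50. Only requests (src > dst)
# count, so answers from the resolver are ignored.
queried_names() {
    awk -v cam="$1" '
        $2 == "IP" && $4 == ">" && index($3, cam ".") == 1 {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^(A|AAAA)\?$/) {
                    n = $(i + 1); sub(/\.$/, "", n)
                    if (!(n in seen)) { seen[n] = 1; print n }
                }
        }' | sort
}

# emit_pin_commands CAMERA_IP ROUTER_LAN_IP   (capture on stdin)
# Prints the commands to run on the router: dnsmasq answers each name with
# ROUTER_LAN_IP (address=/name/ip also covers subdomains of name), and ntpd
# is switched to serve LAN clients. Review the output before running it.
emit_pin_commands() {
    cam=$1; router=$2
    queried_names "$cam" | while read -r name; do
        printf "uci add_list dhcp.@dnsmasq[0].address='/%s/%s'\n" "$name" "$router"
    done
    echo "uci commit dhcp && /etc/init.d/dnsmasq restart"
    echo "uci set system.ntp.enable_server='1' && uci commit system && /etc/init.d/sysntpd restart"
}

# Demo on the constructed capture.
sample_capture | emit_pin_commands 192.168.1.50 192.168.1.1
```

This only helps when the camera resolves its NTP server by name, which is what the post above assumes. If it turns out to use a hardcoded IP, the same capture (filter on `udp port 123` instead) shows that, and the fallback is either the explicit UDP/123 ACCEPT rule from earlier in the thread or a DNAT redirect of the camera's UDP/123 traffic to the router, the same trick commonly used to force LAN DNS through the router.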

I have set the gateway on my NVR to 0.0.0.0 and NTP server to 192.168.1.1 and it works flawlessly. I do not see any packets going towards WAN and the time updates every day.

Can you elaborate more on this? I don't understand very well. Also, how do I disable DNS resolution for the camera's IP?

Thank you.

Remove it from their config if using fixed IPs, or don't provide any DNS servers if using DHCP.

These cameras are simple TP-Link Tapo C100 and C200 cameras; they don't provide any interface, only an Android app (TP-Link Tapo) from which someone can set the username and password for the RTSP stream of each camera.
I have disabled the Android app's internet connection and set up the cameras so they cannot connect to the internet directly.
