Keeping webcam isolated on Guest network but make it accessible on other networks with HomeKit

Hello,
On my OpenWRT router (19.07.3) I have set up two wireless networks. One is 5GHz and is connected to my LAN network (192.168.1.x). The other is 2.4GHz, connected to my Guest network (192.168.0.x). The Guest WiFi is set to isolate clients.
My iPad is set as the HomeKit hub and is connected to the 5GHz network (as is my iPhone). The Eufy webcam instead is connected to the 2.4GHz network (because it does not support 5GHz and because for security reasons I want to keep it isolated from the rest of the network).
I have added the webcam to HomeKit. With this setup, I can only access the camera’s stream when I am also connected to the 2.4Ghz network, not if I am connected to the 5Ghz network (or any other network).
I have tried temporarily to give the 2.4 WiFi access to the LAN network, and this makes the stream work also when I am on the 5Ghz network or on cellular.

Now, I don’t want to give the Guest WiFi access to my LAN network. Any ideas on how to keep the Guest network separated but make the stream work on different networks?

Thanks

Two suggestions:

  1. Did you try setting the firewall such that it allows forwarding from the main network to the guest net? I have something similar myself where I have an internet radio on my guest network while I want to use it from openHAB, which runs on my Pi on my secure network. By allowing forwarding from the main net to the guest net, a connection can be made from the main network to the guest net. A connection cannot be made in the other direction.
  2. To increase security even further, consider making a separate SSID for the webcam. Or is there a reason to allow access from the guest net to the webcam? Isolating clients may not be foolproof if they are on the same SSID.

Thanks Ramon,

  1. This seems sensible.
    To enable forwarding from LAN to guest, do I just add a new rule to the config forwarding like:

     option src 'guest'
     option dest 'lan'
    

At the moment I have this

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option drop_invalid '1'
        option forward 'DROP'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'Guest'
        option output 'ACCEPT'
        option network 'Guest'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option name 'Allow DNS Queries'
        option src 'Guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP request'
        option src 'Guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'
  2. Also makes sense. But I think that comes after I make 1) work.

I have the opposite:

config forwarding
        option dest 'guest'
        option src 'lan'

That works for me. Think of it in this way. The source of the connection (the requester) is on the lan. The destination of the connection request is on the guest.

Note you can also have the guest net and main net on both radios if you want.

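As an added example (not part of the thread), a small Python audit that parses a UCI firewall config and checks the forwarding direction described above: lan may initiate connections to Guest, Guest may not initiate to lan. It also flags a forwarding stanza that names a zone the config does not define, which catches the 'guest' vs 'Guest' mismatch between the suggested stanza and the zone name in the posted config (the assumption being that fw3 matches zone names by exact string). The sample config is a constructed, cut-down version of the one posted above.

```python
"""Audit OpenWrt /etc/config/firewall zone forwardings (added example)."""
import re

# Constructed sample: cut-down copy of the posted config plus the
# suggested lan -> Guest forwarding stanza.
SAMPLE_CONFIG = """
config zone
        option name 'lan'
        option forward 'ACCEPT'
config zone
        option name 'wan'
config zone
        option name 'Guest'
        option forward 'DROP'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'Guest'
        option dest 'wan'
config forwarding
        option dest 'Guest'
        option src 'lan'
"""

# Matches "config <type> ['name']", "option <key> '<value>'", "list <key> '<value>'".
LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value}) tuples."""
    sections = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and anything unrecognised are skipped
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option" and sections:
            sections[-1][1][key] = val
        # 'list' entries (icmp_type, network) are not needed for this audit
    return sections

def audit_forwarding(text):
    """Return (allowed_pairs, problems): the (src, dest) zone pairs permitted by
    'config forwarding' stanzas, and any stanza naming an undefined zone."""
    sections = parse_uci(text)
    zones = {o.get("name") for t, o in sections if t == "zone"}
    allowed, problems = set(), []
    for t, o in sections:
        if t != "forwarding":
            continue
        src, dest = o.get("src"), o.get("dest")
        for z in (src, dest):
            if z not in zones:  # assumption: zone names are matched exactly
                problems.append(f"forwarding references unknown zone {z!r}")
        allowed.add((src, dest))
    return allowed, problems

def guest_is_isolated(text, guest="Guest", lan="lan"):
    """True when lan can initiate to the guest zone, the guest zone cannot
    initiate to lan, and every forwarding stanza names a defined zone."""
    allowed, problems = audit_forwarding(text)
    return (lan, guest) in allowed and (guest, lan) not in allowed and not problems
```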