Luci firewall rule does not work - Trying to block IP camera from Internet

Hi!

Situation: TP-Link TL-WDR4300 v1 running OpenWrt Chaos Calmer 15.05.1 as my main router with IP 192.168.1.1 behind my internet provider's modem (192.168.0.1). IP camera connected via wifi with IP 192.168.1.152. Trying to block IP camera from accessing WAN.

I have configured the following traffic rule, but the IP camera is still able to access WAN:

[Screenshot: LuCI Traffic Rules page, 2018-05-24]

Under System --> Startup, the firewall is enabled.

I have even tried setting the destination zone to "any", but I can still access the IP camera's web interface and the camera can still access, for example, NTP time servers...

Please help,

thanks!

The router itself can act as a time server. Are you sure your camera is getting outside?

Thanks for your reply. I know I can configure OpenWrt as an NTP server. Still, I need to restrict WAN access for that camera. Yes, I am pretty sure, as I am currently viewing the camera's image via the vendor's app on my phone over 4G. So the camera is sending its image to their servers. Also, as I said, the camera is able to connect to time.nist.gov for the NTP signal. Somehow the firewall rule just isn't working at all...

Consider creating a dedicated "guest LAN / WLAN" for those cameras.


Is there an earlier rule allowing it? Move your rule up near the top. Also, reboot the router; perhaps an existing connection from before the rule was added is still being allowed.

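The two checks suggested in the reply above (is an earlier rule matching first, and are pre-existing connections still being accepted) as an added example, not code from the original thread or from OpenWrt. It parses a constructed, trimmed fw3-style `/etc/config/firewall` with awk, lists the traffic rules in install order, reports lan-to-wan ACCEPT rules that sit above the first REJECT/DROP rule for the camera, and keeps the router-side `uci` procedure in a function that is defined but not called. The rule names, the extra NTP rule and the config text are assumptions made up for the example; only the camera address 192.168.1.152 and the lan/wan zone names come from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an OpenWrt fw3-era
# /etc/config/firewall for a rule that keeps one LAN host off the WAN.
# SAMPLE_FW_CONFIG is CONSTRUCTED; only 192.168.1.152 and the zone names
# are taken from the thread.

CAMERA_IP="192.168.1.152"

# Constructed, trimmed config. Values here are single-word and unquoted; the
# parser strips quotes but does not handle values containing spaces.
SAMPLE_FW_CONFIG='
config defaults
    option input ACCEPT
    option forward REJECT

config zone
    option name lan
    option input ACCEPT
    option forward ACCEPT

config zone
    option name wan
    option input REJECT
    option forward REJECT
    option masq 1

config forwarding
    option src lan
    option dest wan

config rule
    option name Allow-Camera-NTP
    option src lan
    option src_ip 192.168.1.152
    option dest wan
    option dest_port 123
    option proto udp
    option target ACCEPT

config rule
    option name Block-Camera-WAN
    option src lan
    option src_ip 192.168.1.152
    option dest wan
    option proto all
    option target REJECT
'

# Print every "config rule" section in file order (fw3 installs them in that
# order): <index> <name> src=<zone> src_ip=<ip|any> dest=<zone> target=<target>
list_rules() {
    printf '%s\n' "$1" | awk -v q="'" '
        function emit() {
            if (sect == "rule")
                printf "%d %s src=%s src_ip=%s dest=%s target=%s\n", ++n, name, src, src_ip, dest, target
        }
        $1 == "config" { emit(); sect = $2; name = "-"; src = "-"; src_ip = "any"; dest = "-"; target = "-" }
        $1 == "option" {
            v = $3; gsub(q, "", v); gsub(/"/, "", v)
            if ($2 == "name") name = v
            else if ($2 == "src") src = v
            else if ($2 == "src_ip") src_ip = v
            else if ($2 == "dest") dest = v
            else if ($2 == "target") target = v
        }
        END { emit() }
    '
}

# Print lan->wan ACCEPT rules that sit above the first REJECT/DROP rule for the
# host, i.e. rules fw3 evaluates first. Exit 0 when at least one exists, else 1.
# Simplified: exact src_ip match only, no netmasks, ports or protocols compared.
shadowing_accepts() {
    list_rules "$1" | awk -v ip="$2" '
        {
            split($3, s, "="); split($4, i, "="); split($5, d, "="); split($6, t, "=")
            hit = (s[2] == "lan" && d[2] == "wan" && (i[2] == "any" || i[2] == ip))
            if (hit && (t[2] == "REJECT" || t[2] == "DROP")) { found = 1; exit }
            if (hit && t[2] == "ACCEPT") { print; n++ }
        }
        END {
            if (!found) print "no REJECT/DROP rule for " ip " found" > "/dev/stderr"
            exit (n > 0 ? 0 : 1)
        }
    '
}

# Router-side procedure (needs uci and fw3; the conntrack package is optional).
# Defined for reference and deliberately not called: this file runs off the router.
add_block_rule_on_router() {
    uci add firewall rule >/dev/null
    uci set firewall.@rule[-1].name='Block-Camera-WAN'
    uci set firewall.@rule[-1].src='lan'
    uci set firewall.@rule[-1].src_ip="$CAMERA_IP"
    uci set firewall.@rule[-1].dest='wan'
    uci set firewall.@rule[-1].proto='all'
    uci set firewall.@rule[-1].target='REJECT'
    uci commit firewall
    /etc/init.d/firewall reload
    # Flows the camera already has open are accepted by fw3's ESTABLISHED,RELATED
    # match before any traffic rule is consulted, so clear them or restart the camera.
    conntrack -D -s "$CAMERA_IP" 2>/dev/null \
        || echo "conntrack tool not installed; restart the camera to drop its old flows"
}

list_rules "$SAMPLE_FW_CONFIG"
shadowing_accepts "$SAMPLE_FW_CONFIG" "$CAMERA_IP" && echo "above: ACCEPT rules matched before the block rule"
```

In the constructed config the NTP allow rule is listed before the block rule, so `shadowing_accepts` reports it: that is exactly the "earlier rule allowing it" case, and the fix is to move the REJECT rule above it (or delete the allow). The second cause, already-open connections surviving a new rule, is why restarting the camera in the thread made the block take effect: fw3 accepts ESTABLISHED,RELATED traffic before it walks the per-zone rule chains, so a flow opened before the rule existed keeps passing until it is torn down.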

Thanks for your replies. After I restarted the camera it seems to be working. At least the app is not able to connect to the camera anymore, which tells me that the signal is no longer being sent to the vendor's servers. Weirdly, the camera still says it is able to synchronize with time.nist.gov, but that may or may not be true. For the moment, I'm trusting it isn't able to send data to the cloud...

@eduperez: Thanks for the tip, good idea!


I've got some "unruly" TP-Link devices that "phone home" even when set not to. I've got them on their own "dead-end" VLAN (as @eduperez suggested) with its own NTP and DNS servers (unbound). All they can get from DNS is their pre-defined list of NTP servers, which resolve to the on-link NTP server. Past that, the VLAN is isolated from everything else, except the host that communicates directly with them.
