Hello there, hope you are having happy holidays.
I've been a long-time user of OpenWrt, learning in the process.
I have a situation where I need to install a security camera with old TP-Link hardware (WR740N v6), in the least complicated way possible.
I've moved recently, and I have a FiberRouter with limited access to the configuration options, where we all connect via Wi-Fi. I don't want the cameras to have visibility of some ports (main router and other clients), so I've been thinking of setting up a WR740N as a client AP, connecting the PTZ cam and adding some fw rules.
I know this isn't a great solution and the hardware doesn't have the latest wrt release, but I'm trying to make some more neat changes.
What do you think about this "segmentation"? Does anyone have experience with these cameras and the ICSee software?
It is worth stating that this device is very old and can only run a version of OpenWrt (18.06) that has been EOL and unsupported for over 4 years now. That means that it has many known security vulnerabilities that will never be patched. And, it's also worth noting that the syntax of these old versions is materially different than modern OpenWrt versions and thus it may be more difficult to configure properly. While technically unsupported, some users may be willing to help, but it will be at best a 'best effort' activity and a test of their memory, too.
Meanwhile, if you go with the approach that was suggested, you'll need to perform port-forwarding on the 740N in order to allow access to the camera. And if the camera requires internet access, your firewall config will actually need to have a more specific rule to block access to your lan while still allowing internet access.
Apart from the inherent failure of trying to secure your network with unsuitable -EoL and known vulnerable- hardware, it's only really possible to secure non-cloud cameras that can be used standalone, with local-only connectivity (via jailed networks, maybe incoming VPN to access them). Most contemporary security cameras are cloud based and require internet access, which makes it very hard to properly isolate them - well, futile, you can only try to jail the rest of your network against them, but 'security' is another topic altogether.
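The port-forward and the "more specific rule" mentioned in the reply above could look like the following `/etc/config/firewall` fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the 740N runs as a routed client with the default `lan` and `wan` zones, with the camera on `lan` and the fiber router's network on `wan`. Every address and port is a constructed placeholder, and the option names should be checked against the 18.06 documentation before use.

```uci
# /etc/config/firewall on the WR740N (fragment, added example)
# Placeholders (constructed, replace with real values):
#   192.168.1.0/24  upstream network behind the fiber router
#   192.168.1.50    the one upstream client allowed to view the camera
#   192.168.2.10    camera address on the 740N's own lan
#   8554 / 554      external / internal camera port

# Keep the stock lan -> wan forwarding so the camera can reach the internet.
config forwarding
	option src 'lan'
	option dest 'wan'

# Reject anything the camera side sends to the upstream private subnet.
# Rules are evaluated before the zone forwarding above, so this blocks the
# fiber router's admin UI and the other Wi-Fi clients, while traffic to
# public addresses still passes through the forwarding.
config rule
	option name 'Block-camera-to-upstream-LAN'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'

# Port-forward so a single upstream client can reach the camera stream.
# Limiting src_ip keeps the camera unreachable from the other clients.
config redirect
	option name 'Camera-from-viewer'
	option src 'wan'
	option src_ip '192.168.1.50'
	option src_dport '8554'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.2.10'
	option dest_port '554'
	option target 'DNAT'
```

The camera can still reach the 740N itself (DNS, DHCP, and the admin interface on the router's lan address); restricting that needs separate input rules on the `lan` zone.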