Hi !
I have some CCTV cameras and I don't want them to be able to reach my computers on my home network. These are closed firmware chinese cam and I'm afraid they'll be use as trojan.
I set up 2 lan interfaces. One for the cam with 192.168.20.X IPs, and another one for the computers with 192.168.10.X IPs.
Is that secure enough or should I go the vlan way?
If this is the configuration, you have already defined VLANs
from:
ps: security is a process, but in general if you have kept the firewall settings as I have been able to observe you should be quite safe ...
at most you can connect a pc in network cameras (10.0.30.x) and verify that you do not have access to your lan but only traffic to the internet (but from what you have posted it already seems so) at most include in this post your current configuration.
ps: I hope your switches are already management and you have already defined vlans on them
see these documents for possible attacks
Why did you dig up my old message from three years ago?
It was another network and another openWRT version. Today, the cameras are not yet in function and the switches are not manageable.
At the time, it was hard work for me configuring the vlan. Nowaday openWRT has switched to DSA and I cannot just replicate what I had done some years ago. So I wonder if it is mandatory to do the learning again or if subnet is enough.
VLANS are not needed nor adding any security since you have a dedicated switch and cabling for your camera segment. Keep it simple.
how so? switch and cabling by itself why would make the network isolated as OP requested?
one subnet can talk with other subnet with or without using dedicated switches (if they are not air gapped obviously) on a connected physical network if configuration is such.
@aruclim please share your current network and firewall config file. if you really want to isolate the two networks you should make sure they are in different firewall zones without forwarding enabled.
sorry to bother you ... (I didn't mean to do this)
can you show the current router configuration ...
The op will definitely need to have an additional subnet to achieve the goals. The term vlan is often used colloquially to refer to an additional subnet. VLANs probably apply here, but if the op is using a dsa device and only needs a single Ethernet port for this subnet, the dsa syntax doesn’t require explicit vlan configuration methods.
I didn't mean to hurt you
I'm sorry that I made you cry
Oh now, I didn't want to hurt you
I'm just a jealous guy 
Thanks for trying to help. Here is the current config:
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "ASUS RT-AC88U",
"board_name": "asus,rt-ac88u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "bcm53xx/generic",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd03:34c0:83e8::/48'
option packet_steering '1'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option type 'bridge'
option name 'br-trusted'
list ports 'lan1'
list ports 'lan2'
option mtu '1500'
option macaddr 'XX:XX:XX:XX:XX:XX'
option txqueuelen '1000'
option mtu6 '1500'
config interface 'trusted_lan'
option proto 'static'
option device 'br-trusted'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-iot'
list ports 'extsw'
list ports 'lan3'
list ports 'lan4'
option mtu '1500'
option txqueuelen '1000'
option mtu6 '1500'
option macaddr 'XX:XX:XX:XX:XX:XX'
config interface 'iot_lan'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'trusted_lan'
option interface 'trusted_lan'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'iot_lan'
option interface 'iot_lan'
option start '2'
option limit '50'
option leasetime '12h'
config host
option name 'Optiplex'
list mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.10.100'
config host
option name 'hp-x360'
list mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.10.13'
config host
option name 'PC-Val'
list mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.10.19'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'trusted_zone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'trusted_lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'trusted_zone'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'trusted_zone'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'trusted_zone'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'iot-LAN-DHCP'
list proto 'udp'
option src 'iot_zone'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'iot-LAN-DNS'
option src 'iot_zone'
option dest_port '53'
option target 'ACCEPT'
config zone
option name 'iot_zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot_lan'
config forwarding
option src 'iot_zone'
option dest 'wan'
as said in my previous post:
connect a pc in network cameras:
"iot_lan" firewall zone "iot_zone" ip=192.168.20.x/255.255.255.0
and verify that you do not have access to your lan ( 'trusted_lan' )
and verify that you do not have access your "modem/router" (upstream of the Openwrt router)
but only traffic to the internet ...
If you find that you have this problem I suggest you add the following firewall rule (only ipv4 to private networks):
config rule 'iot_reject_private_ip'
option src 'iot_zone'
option name 'Reject forward iot zone to private nets'
option dest '*'
option family 'ipv4'
option target 'REJECT'
list proto 'all'
list dest_ip '192.168.0.0/16'
list dest_ip '172.16.0.0/12'
list dest_ip '10.0.0.0/8'
just to understand what it was for (if I had to read the configuration after a long time):
in 'br-iot'
list ports 'extsw'
your internal router switch:
After adding the rule to prevent to iot_zone to reach private IPs, everything is fine. Machines on the subnet 192.168.20.X are unable to ping anything in the house.
Thanks a lot.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.