Securing cameras

cam26

Getting the hang of it
Joined
Jan 21, 2019
Messages
233
Reaction score
97
Location
USA
Good evening guys,

So my network is all set up and locked down tight with my router in bridged mode to an Asus 1900 and a VPN to remotely connect to my network while off the LAN.

My Dahua cams came in today and my next step is securing them on my network so they cannot be accessed by anyone outside of it. From everything I've read in the Wikis/Primer, I believe I have to either 1) set up a VLAN (which I believe is outside my networking abilities) or 2) change the IPs of the cameras outside of my network range so they'll work with BI but not be able to be viewed outside of that program.

Am I thinking correctly and, if so, is it as simple as changing the 3rd and 4th sets of digits in the cameras' IP to something different than my network's?
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
If you've already got your router blocking all access into your LAN (except for via the VPN), then you are all set, in terms of coming in from outside.

You do want to make sure, though, that your cams are not making outbound connections (unless you want them to, of course).
This can be done in your router by specifying a range of IPs not allowed to go out to the internet and then putting all your cams in that IP range.
Also, make sure you have UPnP disabled in your router to prevent the cams opening ports allowing access from outside.

Then you can also make sure your cams all have UPnP disabled, as well as any 'cloud' services they may try to contact.
If the cams were allowed to previously open ports via UPNP, you may need to reboot your router to clear those previously opened ports.

VLANs can also be used (if your switch and/or router support it), but are more to prevent access between the cams and other machines on your LAN (not outside)...
 

cam26

Getting the hang of it
Joined
Jan 21, 2019
Messages
233
Reaction score
97
Location
USA
@pozzello awesome, thanks. I do have UPnP disabled through the router, but I'll have to make sure I do that through the cams, too.

Would setting each cam to have its own static IP be helpful?

Having trouble figuring out where that setting is to limit outbound connections from certain IPs on my router. I'll have to do some digging.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
If you have an Asus router you can use the parental controls to block the camera MAC address 24 hours a day from the internet.

On BI you can install an additional NIC card. So the BI PC has 2 NIC cards. One NIC is connected to your home network and the ASUS router. The other NIC card is connected to a switch that is connected to the cameras. Your cameras can only be accessed from the BI PC.
 

cam26

Getting the hang of it
Joined
Jan 21, 2019
Messages
233
Reaction score
97
Location
USA
Thanks @SouthernYankee, I'll check out parental controls. Making note of all the MAC addresses now.

NIC card sounds like a goal to attain. I'll have to do that, just to be safe.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
I currently use the parental controls in my Asus router to block various IP devices from accessing the internet. Not only cameras, but printers, Programmable Logic Controllers and their distributed I/O brains, and other gadgets are better off being blocked from direct internet access.

And this means that I have more devices that I want to block than the parental controls feature in the router allows me to define.

@pozzello mentioned that you could set aside a range of IP addresses and block that entire range. That would be a method that would let me block plenty of devices and get past the limit in the Parental Controls. I wonder if @pozzello could describe how to go about setting this up, or point me to a tutorial or instructions for this feature. It sounds like a good way to block more addresses.
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
Depends on your router and the features it presents in the UI, but on my (OpenWrt Netgear) unit,
it's under the firewall/restrictions tab where there are controls for allowing specific IPs or ranges
to go out to (or be blocked from) specific ports at any (or specific) times of day.
Poke around in your router's UI and see if there is such a feature or equivalent...

Best practice is to give your cams specifically assigned IPs (in the cam GUI), or your DHCP may some day get reset
and renumber everything. Yes, DHCP clients typically will be reassigned the same IP as last time,
but if the server loses track (or you replace your router serving DHCP), it might renumber things not statically assigned, causing havoc...
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
Yes, I have all devices except phones, tablets, and other wireless devices assigned fixed IP addresses in my system. The address range I have assigned to DHCP is quite small, actually, and everything else uses a fixed IP address. It's a lot more robust and a lot easier to administer things if you get as much as you can on fixed IP addresses. The programmable automation controllers I use won't even allow you to set them up as DHCP.

I'm using an Asus RT-AC68U router. I do see a "network services filter" menu, and this might work. I need to read up on how to use this, though, and it does have a limit of 32 entries in the data table. If one entry can cover a range of addresses, and/or I can whitelist only those devices that I want to allow to have internet access, perhaps this will work. I just wish the "parental controls" allowed me to restrict more devices. It's easy to use.

Edit to add: I just read the tiny bit of information on setting up the Network Services Filter in the manual, and that didn't tell me as much as the UI itself does! I need to do a bit of searching online for a better description.
 

Whoaru99

Pulling my weight
Joined
Dec 22, 2018
Messages
422
Reaction score
159
Location
Here
Bear in mind if you want your cams to send you email notification of motion alerts, etc., you cannot have the cams totally blocked. You need to allow at least TLS / port 587, possibly DNS / port 53, and maybe NTP / port 123 if you want their time sync kept accurate.
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
Or run internal services for that.
Point cam DNS (port 53) to your router, not some server in the cloud.
Run an NTP server (port 123) on your BI machine or on your router, if it supports it.
Etc...
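As an added example (not from any poster in this thread), here is how the blocked camera range from pozzello's earlier post, plus the narrow exceptions discussed just above (SMTP submission out, DNS and NTP kept on the router), would look in an OpenWrt /etc/config/firewall. It assumes the default lan/wan zones, cameras with static IPs inside 192.168.1.64/27, and dnsmasq plus an NTP server running on the router.

```uci
# /etc/config/firewall excerpt (OpenWrt UCI syntax) - added example, not from the thread.
# Assumptions: default 'lan' and 'wan' zones; cameras use static IPs inside
# 192.168.1.64/27 (192.168.1.65-94); the router runs dnsmasq and an NTP server.
# Rules are evaluated in file order, so the narrow ACCEPT must come before the REJECT.

# 1) Email alerts: allow only SMTP submission (TCP 587) out to the internet.
config rule
	option name 'Cameras-Allow-SMTP-Submission'
	option src 'lan'
	option src_ip '192.168.1.64/27'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '587'
	option target 'ACCEPT'

# 2) Everything else from the camera range to the internet is rejected,
#    so no cloud/P2P check-ins and no surprise phone-home traffic.
config rule
	option name 'Cameras-Block-Internet'
	option src 'lan'
	option src_ip '192.168.1.64/27'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# 3) Even if a camera is configured with a cloud DNS or NTP server,
#    redirect those requests to the router's own dnsmasq/NTP instead
#    (a DNAT redirect with no dest_ip targets the router itself).
config redirect
	option name 'Cameras-Force-Local-DNS'
	option src 'lan'
	option src_ip '192.168.1.64/27'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

config redirect
	option name 'Cameras-Force-Local-NTP'
	option src 'lan'
	option src_ip '192.168.1.64/27'
	option src_dport '123'
	option proto 'udp'
	option target 'DNAT'

# UPnP: leave miniupnpd uninstalled (or disabled) so cameras cannot open WAN ports.
# Apply with: /etc/init.d/firewall restart
```

The BI PC still reaches the cameras because LAN-to-LAN traffic never crosses the lan/wan boundary; only the cameras' path to the internet is narrowed.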
 

handinpalm

Getting comfortable
Joined
Sep 21, 2016
Messages
679
Reaction score
1,432
Location
Tampa Bay FL
I currently use the parental controls in my Asus router to block various IP devices from accessing the internet. Not only cameras, but printers, Programmable Logic Controllers and their distributed I/O brains, and other gadgets are better off being blocked from direct internet access.

And this means that I have more devices that I want to block than the parental controls feature in the router allows me to define.

@pozzello mentioned that you could set aside a range of IP addresses and block that entire range. That would be a method that would let me block plenty of devices and get past the limit in the Parental Controls. I wonder if @pozzello could describe how to go about setting this up, or point me to a tutorial or instructions for this feature. It sounds like a good way to block more addresses.
I too have more clients than Asus routers can block w/ parental controls. Evidently, ASUS only uses 1 Byte (16) of info to track these clients. That is a downfall for ASUS. I looked into the network service filters and saw where many people on other forums had problems with it, from not working to having the logic backasswards. The GUI does not let you set ranges of IP addresses for filtering from the internet. Hopefully they come out w/ a new router that supports more client filtering, or a firmware update. Firmware may not help if hardware limited. In the meantime I filter the highest priority clients.
 

lifeatredline

Getting the hang of it
Joined
Jul 4, 2016
Messages
102
Reaction score
73
Location
USA
Sounds like a good reason to turn the Asus into an access point, and put an EdgeRouter in front of it.

Sent from my SM-S767VL using Tapatalk
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
Sounds like a good reason to turn the Asus into an access point, and put an EdgeRouter in front of it.

Sent from my SM-S767VL using Tapatalk
And here, I thought the Asus unit was all I'd ever need. ;)

What model of edgerouter would you recommend? This hobby is as bad as photography or shooting! And as with the others, the forums are quite "enabling"!
 

lifeatredline

Getting the hang of it
Joined
Jul 4, 2016
Messages
102
Reaction score
73
Location
USA
And here, I thought the Asus unit was all I'd ever need. ;)

What model of edgerouter would you recommend? This hobby is as bad as photography or shooting! And as with the others, the forums are quite "enabling"!
I use the EdgeRouter "X" model; it has done well as my main home router and at a few other locations for me. The routing capacity steps up to insane levels with the more expensive models, and the PoE capabilities are expanded. You're unlikely to need more than the X in home and SOHO settings.
 

reaver

n3wb
Joined
Sep 29, 2018
Messages
7
Reaction score
0
Location
australia
If you have an Asus router you can use the parental controls to block the camera MAC address 24 hours a day from the internet.

On BI you can install an additional NIC card. So the BI PC has 2 NIC cards. One NIC is connected to your home network and the ASUS router. The other NIC card is connected to a switch that is connected to the cameras. Your cameras can only be accessed from the BI PC.
I know this is an old thread but I just wanted to know if after connecting the cameras to the switch and the switch to the BI PC with 2 NIC cards, are there other settings that I need to update on the PC or will all this work after connecting them together?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
If the second NIC and the cameras are on the same subnet address, then all should work. All addresses are static.
 