Camera Isolation from Internet

Philly

Getting the hang of it
Joined
Oct 22, 2018
Messages
113
Reaction score
13
Location
Philadelphia, PA
Could you please advise on how to isolate cameras via router settings from the Internet, since they are connected via a switch directly to the Internet/router (Netgear)?
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
Look for firewall settings or parental controls in the router. For example, in my router, which runs open-source firmware, I can block specific IP addresses from accessing the internet on a schedule, so I added all my cameras to it and set it to be blocked 24/7.
 

Philly

Thank you! Will I be able to get into Camera settings on the same network anyway if I block the camera from the internet?
 

awsum140

Known around here
Joined
Nov 14, 2017
Messages
1,254
Reaction score
1,128
Location
Southern NJ
You'll just be blocking them from the Internet. They'll be accessible through your local network, LAN, with no problem. While you're at it, it's a good idea to disable (uncheck) all services that aren't needed in the network configuration for each individual camera. Things like PnP, for example.
 

Philly

Thank you!
 

awsum140

Another thought, while you're in configuring the network in each camera, set the DNS address to a bogus address. All of this stuff helps keep them from "phoning home" as well as isolated from the WWW.
 

Philly

Thank you! So, for the DNS address I shall use any numbers then?
 

awsum140

I use the same basic network address and change the last three digits to "254", i.e. 198.1.1.254. Totally bogus, out-of-range numbers won't be accepted.
 

toastie

Getting comfortable
Joined
Sep 30, 2018
Messages
254
Reaction score
82
Location
UK
What's the opinion here on the relative merits of this router firewall/parental control LAN solution, compared to having a second NIC for the cameras on a subnet?

Presumably both configurations work. I imagine that using the router's firewall is simpler to implement and accessing the cameras' settings is less complicated, while using a separate NIC is more complicated but probably more secure.
 

bp2008

Well, there's the remote possibility that a camera could spoof a different MAC address, get a new IP, and access the internet that way if you had blocked its real IP/MAC addresses. With a second NIC and keeping the cameras on a separate network, that would be impossible.
 

Philly

Thank you!
 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
I had thought about entering bogus DNS addresses into my cameras, but that doesn't make sense. A device would not need to use DNS to "phone home." It would have those IP addresses hard-coded.
 

awsum140

It may or may not have it hard coded, but if you change the gateway to a bogus one, and configure the router to block the IP/MAC, that should stop it. A review of the router traffic log would show anything fishy going on.
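
The router log review mentioned above, as an added example that is not part of the original post. It assumes the router firmware writes Linux iptables LOG lines; the LAN range, camera IPs, MAC inventory, log prefixes and sample lines are all constructed.

```python
import ipaddress
import re

# Assumed inventory (constructed values): the LAN range, the static camera IPs
# blocked at the router, and the MAC of every device expected on the LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERA_IPS = {"192.168.1.108", "192.168.1.109"}
KNOWN_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:10"}

# Constructed sample lines in Linux iptables LOG format. The MAC= field is
# destination MAC (6 bytes), source MAC (6 bytes), then the EtherType.
SAMPLE_LOG = """\
kernel: CAM-DROP IN=br0 OUT=eth0 MAC=02:00:00:00:00:fe:02:00:00:00:00:01:08:00 SRC=192.168.1.108 DST=203.0.113.50 PROTO=TCP SPT=40112 DPT=443
kernel: FWD IN=br0 OUT=eth0 MAC=02:00:00:00:00:fe:02:00:00:00:00:10:08:00 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=51500 DPT=443
kernel: IN IN=br0 OUT= MAC=01:00:5e:7f:ff:fa:02:00:00:00:00:02:08:00 SRC=192.168.1.109 DST=239.255.255.250 PROTO=UDP SPT=1900 DPT=1900
kernel: FWD IN=br0 OUT=eth0 MAC=02:00:00:00:00:fe:02:00:00:00:00:99:08:00 SRC=192.168.1.137 DST=203.0.113.50 PROTO=TCP SPT=40113 DPT=443
"""

LINE_RE = re.compile(r"MAC=(?P<mac>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def audit(log_text):
    """Return (reason, src_ip, src_mac, dst_ip) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in LAN or dst.is_multicast:
            continue  # stays on the local network, not Internet-bound
        src_mac = ":".join(m["mac"].lower().split(":")[6:12])
        if m["src"] in CAMERA_IPS:
            # A blocked camera is still trying to reach the Internet.
            findings.append(("camera-egress", m["src"], src_mac, m["dst"]))
        elif src_mac not in KNOWN_MACS:
            # A device outside the inventory is talking out, e.g. a camera
            # that came up with a different MAC and IP.
            findings.append(("unknown-device-egress", m["src"], src_mac, m["dst"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```
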
 

davej

Okay, I don't know what effect a bogus gateway address might have.
 

awsum140

If it can't find the "gateway", the route to the internet, it can't find the Internet. DNS is just the name service.
 

davej

Uh, yeah, but I don't think it would take much cleverness to know what the gateway of the subnet is.
 

awsum140

I guess if you leave your network at all the defaults that might be true. A list of only a hundred or so would probably work. Again, I doubt it's a serious problem, especially if the IP/MAC is blocked by the router.
 

Camit

Pulling my weight
Joined
Feb 7, 2017
Messages
412
Reaction score
122
Log into the camera and turn off ALL services like UPnP. Set a static IP for each camera. Delete the gateway and DNS in the camera settings; if it won't let you, just retype the LAN IP. This way it has no gateway. In the router, block the static IP address, in and out, all ports. Turn off UPnP on the router. Also, you can set up BI to only accept certain LAN IP addresses to log in. Make sure each camera has its own separate password. Use a VLAN. Never ever port forward. I'm missing some, but it's a good start.
 