Network clarifications first camera

Hello all,

I am new in the IP cameras world and there are some things that i still don't understand, and for this first camera i would like to do things the proper way.

I am living in a home and i would like to install one or two external cameras. The goal is to be able to check outside the home when i am not present, and receive notifications on motion detection.

I read the wiki and the cliff notes but there still be some things that i do not get...

My installation is pretty simple, i have ISP router box for basic internet usage, then i connected WAN port of my old WRT54G v2 running on Tomato to one of the network port of the box. And then, i will connect the camera to the Tomato router.
For security reasons as suggested on the cliff notes, i configured VPN Server on Tomato, and DDNS.
This is working, i am able to reach the router inside and outside my network using, for example, my Android phone with OpenVPN connect app. I had to forward OpenVPN port on ISP box to have it working.

But, i do not understand how to configure the firewall on Tomato to block internet access of the camera, and how the camera can send me notifications on motion detection if it do not have internet access?
I would like to know if from now i did things the right way or not? I did not receive the camera yet but i am preparing the network.

For VPN server, i followed randy's tutorial and another one more specific for Tomato. Configured as TUN, TCP 1194, AES-128-CBC cipher: https://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
I expect to not buy additional hardware like NVR or software like Blue Iris or android app.

I attached a schematic but i am not sure it was really necessary for understanding^^

Thanks.

Bonjour Mike, you are on the right path, however you made one decision which makes your life difficult. The subnet (of your CAMS) is identical to the subnet behind your ISP router. I suggest to change the first (or the latter) to something else. If you change the first, you don't need to change your VPN server configuration .

Then you'll need to add one IP tables line in tomato (cfr iptables block client ip internet access and keep LAN access)

Good luck!
CC

If you want email notices from the camera(s) then you can't have all ports blocked.

When I had my system sending email from each camera, on an otherwise all traffic blocked LAN, I had to open ports 587 for email TLS and port 53 for DNS. I also has NTP port 123 open so the cameras could keep their time updated.

If the routers can provide DNS and/or NTP for the cameras then you wouldn't need to open port 53 or 123.

@catcamstar: Do you mean change subnet of camera by 255.255.0.0 instead of 255.255.255.0 and then IP to 192.168.100.208 for example? This will still work with VPN and ISP box? Ok i will have a look for iptables on Tomato thanks
@Whoaru99: This have to be done on the WRT54G router or on ISP router?

Sorry if i ask stupid questions but honestly it is really not easy at all to understand for most of "end users" (and 90% of us made huge security breach without being aware of it)

I am not sure for your system where the forwarding needs to be.

For me, it could be only one place (the router) because connection to the ISP is just a plain cable modem/pass-through interface without any firewall/blocking.

mike31 said:

@catcamstar: Do you mean change subnet of camera by 255.255.0.0 instead of 255.255.255.0 and then IP to 192.168.100.208 for example? This will still work with VPN and ISP box? Ok i will have a look for iptables on Tomato thanks
@Whoaru99: This have to be done on the WRT54G router or on ISP router?

Sorry if i ask stupid questions but honestly it is really not easy at all to understand for most of "end users" (and 90% of us made huge security breach without being aware of it)

Click to expand...

@mike31: what I'm saying is: change the ip indeed to another subnet (like the 192.168.100.x), so you can quickly identify your CAM-LAN. In your drawing, both the cams are looking at the "same" gateway (192.168.1.1), which are, off course, duplicate IPs on your network (both the ISP router and your asus), which is a definite no-go. Having your cams on another subnet facilitates the use of iptables: in your tomato you can open "all port from 192.168.0.x TO 192.168.100.x) but block all packets coming FROM 192.168.100.x to ANY (except for - and you can pick - eg NTP (for clock sync, but this can be limited to the tomato), SMTP (for outbound mails is you'd like to), or port 2195 (in case you want dahua cams to send notifications) etc etc).

Hope this helps!
CC

Ok so you mean, at the WRT router on Tomato, keep WAN settings with gateway of ISP box (192.168.1.1) to be able to reach the VPN, and then, separate the LAN by changing ip of the router with 192.168.100.2 for example and 192.168.100.x on cameras that's it? This means it will be necessary to modify the VPN configuration?
And for iptables, you mean that all taffic from the camera to internet except necessary ports for notifications/emails etc... will be blocked right? I guess this join what Whoaru99 said.
This is not a security breach to let some ports open, even on one way only?

mike31 said:

This is not a security breach to let some ports open, even on one way only?

Click to expand...

Probably a bit cliché, but being connected to the Internet is a potential security breach. It comes down to minimizing exposure as best possible yet still accomplishing what you want/need to do.

I've since made some changes when I started using Blue Iris, but when I was having notices sent directly from my cameras the firewall rules showing in the link below I set up to allow it to work.

The rules shown as Priority 1-4 process in the order listed. 1 , 2, and 3 allow DNS, NTP, and email TLS, respectively. Bear in mind when stacking rules they work in order listed and stop being processed at the first match. For example, when the cameras needed to resolve smtp.google.com to an IP address, it matched Priority 1 rule so that's all the farther it went. But, the DNS rule had to come before the TLS rule otherwise the cameras could not resolve the domain to IP to know how to get to the email server.

If the traffic does not match rule 1, 2, or 3 then it gets blocked by rule 4.

Email notifications not working - firewall settings?

mike31 said:

Ok so you mean, at the WRT router on Tomato, keep WAN settings with gateway of ISP box (192.168.1.1) to be able to reach the VPN, and then, separate the LAN by changing ip of the router with 192.168.100.2 for example and 192.168.100.x on cameras that's it?

Click to expand...

No, your main ISP router's internal Gateway is 192.168.1.1. Your WAN port of the ASUS will get 192.168.1.2 (put this static / non-dhcp to avoid hopping around later on). So far, this remains like in your drawing in post#1, nothing new. THEN you change the "LAN" settings in the ASUS router - this is pretty straight forward: you change the existing 192.168.1.x/255.255.255.0 to 192.168.100.x/255.255.255.0. Which means that your cams, in the 192.168.100.x subnet will have as default gateway 192.168.100.1 (which is the internal LAN gateway of your ASUS in the second subnet).

mike31 said:

This means it will be necessary to modify the VPN configuration?
And for iptables, you mean that all taffic from the camera to internet except necessary ports for notifications/emails etc... will be blocked right? I guess this join what Whoaru99 said.
This is not a security breach to let some ports open, even on one way only?

Click to expand...

If you disable "server1" configuration on the ASUS and activate a new one, it will use the newly configured 192.168.100.x subnet.
Indeed, I said in different words what @Whoaru99 already said. This is, in my humble opinion, the best way forward: single rules "allow fancy stuff" followed by a hard "drop all".

Good luck!
CC

Hum ok i think we said the same thing but it is my fault, in the drawing, ip 192.168.1.2 was the LAN ip not the WAN^^
So i did the modification, WAN still be 192.168.1.23 and is fixed and just in case also forced in ISP box using mac filter. LAN ip is now 192.168.100.2 and cam ip will be 192.168.100.208.
It seems that the VPN still working like that.
No i need to check for iptables which is not really user-friendly... I never used it and it does not seems to be a GUI on Tomato to do that :/.

Edit: Is it something like that for firewall script?

Hello all,

I tried something with iptables to see the result but unfortunately it does not work:
For the check i connected my laptop on the Tomato router with IP 192.168.100.208, before iptable rules, i was able to reach internet, but after applying the rules above too... and iptables -L displays properly this rules.

But i saw "access restriction" in Tomato which is working, my laptop was blocked, but i am not sure that is really use the firewall like iptables.
I attached this menu and the default iptables rules of the router, i think the problem is with the order of something like that.

Any help would be appreciated .

Thanks.

If you have double NAT going on, which to me it appears you do, wouldn't you need to set up forwarding on both routers?

Use port 587 for the example...

In the 1st (ISP) router would you forward 587 to 192.168.1.23, then in the 2nd router (WRT54G) again forward 587 but this time to the cam IP 192.168.100.208?

Yep it sounds good for using port, because, for example, when i configured the VPN server, it was not working until i forward 1194 on ISP box to WRT router and then an automatic iptable rules have been also created in the WRT, and then it worked.
If it can works like that and is secured enough, i will try to use ports that way, and use "access restriction" function to block internet access of the camera. I am just worried about this function because i am not sure it is really a firewall rule.

I think it's two separate considerations. The VPN should allow you to see the camera streams more or less like you are directly on the LAN without any other open ports. But, if you want those email notifications, I don't know any other way than opening the additional ports for that service (if all traffic is otherwise blocked).

I guess the other things might be if you could put the ISP modem/router in pass-through/bridged mode, or set up the WRT54G on the DMZ of the ISP modem/router. That would, I think, eliminate the need to double up the port forwarding.

Hum, ok, for the blocking rules, it seems that iptable -I works better thant iptable -A, i guess this is the same for opening ports.
But is seems that 53 and 443 are already opened on WRT router, so, if i am right, i should only open 587 for mail because push notifications can goes through 443 for what i found.
I guess maybe another one will be necessary for live stream.

If you already have the VPN working to access the camera LAN then you shouldn't need any more ports opened to see the camera streams...as long as you first connect to the VPN.

If openvpn is connected. Then you're at home with you're phone everywhere in the world. Vpn is a secured connection. You can also configure how you want to use the vpn on you're phone. I use a Asus router and configured that my internet browsing on my phone is also going over the vpn when vpn is connected. So first my website request goes to my vpn server at home and at home I enter the open www, the data comes back through the vpn back to my phone. So in a hotel with a not trusted open Wi-Fi network they can't see what I'm doing because the data is going through the vpn connection.

Problem with most services is that they use a server from the manufacture company... the app connects with that.

Alarm system apps can use camera streams from a Dahua or hikvision server if you enter the qr code and the correct password.

The future is that all private data goes to servers online.... very bad idea i think....

For whatever it's worth, I think the stated dangers of forwarding ports to the camera on this forum are greatly exaggerated. I've been forwarding ports for HTTP and RTSP for awhile now without any problems. It's easy enough to keep an eye on router logs if you're worried, especially with Tomato and it's variants.

FYI the two ports you would need to forward are ports 80 for PTZ commands and port 554 for RTSP (video). An easy extra level of security is to make those ports different on the outside, for example forward port 9080 to port 80 and 9554 to port 554. This makes it much harder for automated scripts to find your camera.

The massive amount of extra convenience that gives me is well worth the miniscule risk, especially since a lot of people have access to my cameras, many of whom aren't techy.

What i cannot understand is if it is that a bad idea to forward ports, how can you use the full potential of an ip camera through internet? I mean, if it is just to have a live view or local record on SD, it is not worth for home users.
You have to let the camera communicate on some ports to let it send email, notifications and synchronize with a time server.
Hope i did it right using FORWARD chain with iptables:
Anyway, thanks all for your explanations .

mike31 said:

What i cannot understand is if it is that a bad idea to forward ports, how can you use the full potential of an ip camera through internet? I mean, if it is just to have a live view or local record on SD, it is not worth for home users.
You have to let the camera communicate on some ports to let it send email, notifications and synchronize with a time server.
Hope i did it right using FORWARD chain with iptables:

Code:

iptables -I FORWARD -p tcp --dport 587 -j ACCEPT
iptables -I FORWARD -s 192.168.100.208 -j DROP

Anyway, thanks all for your explanations .

Click to expand...

I agree to disagree with you : creating a port forward rule in your WAN router is like putting a big red sign at your front door, stating "FREE CAKE IN MY FRIDGE". Everybody, but then really EVERYBODY can enter your house, go to the fridge and take some cake. But what you do know is that there are bad people out there, and they will try to open your bedroom door too. And if you have locked it, they will for sure try to breach - nobody at the street can see what they are doing, right?

It is exactly the same with a port forward rule: even if you say: this port X goes to internal LAN IP port Y, if you aren't sure whether (or not) secured access can be guaranteed, EVERYBODY can hammer your device to hell.

On my devices, OpenVPN is running all the time, if I need real time live view, or view some footage, I can open the apps just like being at home. You just have to make sure you don't run out of (mobile) quota (tip-of-the-day: use substreams with less resolution for mobile viewing). So it is worth the "investment" for home users too!

Your iptables look fine, except that if you connect a second cam (eg on 192.168.100.209), you have to configure all again. It might be easier to simply block a (full?) subnet.

Hope this helps!
CC