Port forwarding could be okay... perhaps if you use MAC address filtering?

MakeItRain

Pulling my weight
Joined
Aug 7, 2017
Messages
401
Reaction score
218
Hi guys

I think it would be very safe for you guys to use port forwarding as long as you enable MAC address filtering. Certain routers allow this feature where, even if you port forward, you can set a firewall rule stating that the inbound device (such as an iPhone) must have this particular MAC address (e.g. FC:BC:48:A3:55:92) before it can pass through to the internal device at 192.168.1.200 (your NVR).

This means that before the router forwards the requests through the port to the NVR or a camera, the router is authenticating the MAC address.

You may ask, well, what if they are spoofing your MAC address? Yes, indeed that is also possible. But the odds of spoofing the correct MAC address are 1 in 281,474,976,710,656. That's 281 trillion! Again, this is just another layer of security. I think a good firewall can also blacklist an inbound IP that is trying to hammer a port with the wrong MAC address as well.

Thoughts??
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
What router manufacturer and model has this feature, and what is the cost?

I have a mid-range Asus router and it does not have inbound MAC filtering.
 

MakeItRain

Pulling my weight
Joined
Aug 7, 2017
Messages
401
Reaction score
218
Here you go. This is the new AT&T router that I got which is an Arris.

I have not tried this yet but maybe I will tonight when I get home.

The page has a description for each explanation of what the "rules" are. Basically, each rule is called a "match". The router will either "Pass" or "Drop" packets that match the rules that you specify.

In this case, I set the rule (#5) like this (all the values are EXAMPLES, not my real device IDs :) ):

Ingress interface of "WAN" - this means if a connection comes in from the WAN (internet)
Egress interface of "LAN" - and is exiting to a local device on the LAN (your NVR attached to the subnet)
Source MAC Address - this is the incoming connection device's MAC address - THIS HAS TO MATCH!! This is like 1 in 281 trillion combinations
Destination IP address - this is the IP address of your NVR
Protocol of "TCP"
Source Port "37777" - the incoming device is trying to access port 37777
Destination Port "37777" - the port to enter the NVR (also 37777)

[Attached image: FIREWALL.JPG, screenshot of the router's firewall rule]
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
This means that before the router forwards the requests through the port to the NVR or a camera, the router is authenticating the MAC address.
Sorry - but the MAC address features in network communications at layer 2.
MAC stands for 'Media Access Control'. Media is the wiring.

As soon as you go outside the local LAN IP address range, via the router, you are into layer 3 and the MAC address is no longer a feature in the communications.
 

MakeItRain

Pulling my weight
Joined
Aug 7, 2017
Messages
401
Reaction score
218
Sorry - but the MAC address features in network communications at layer 2.
MAC stands for 'Media Access Control'. Media is the wiring.

As soon as you go outside the local LAN IP address range, via the router, you are into layer 3 and the MAC address is no longer a feature in the communications.
Thanks for the clarification. Can you confirm that the IP packet filtering from my router is doing what I think it is doing as I described?
 

handinpalm

Getting comfortable
Joined
Sep 21, 2016
Messages
679
Reaction score
1,432
Location
Tampa Bay FL
I believe the hackers have an easy tool to spoof MAC addresses, common practice. I would never use that feature. Stick to VPN. Good try though.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Can you confirm that the IP packet filtering from my router is doing what I think it is doing as I described?
Sure, IP address packet filtering would be fine, that's what a firewall does.

But if you check an inbound packet from the internet that's been forwarded to a LAN host by the router, you will see the router's MAC address as the source.
That's how packets flow on the LAN, it's how layer 2 switches know what switch port to forward a packet on to under their switching task.
 

MakeItRain

Pulling my weight
Joined
Aug 7, 2017
Messages
401
Reaction score
218
Sure, IP address packet filtering would be fine, that's what a firewall does.

But if you check an inbound packet from the internet that's been forwarded to a LAN host by the router, you will see the router's MAC address as the source.
That's how packets flow on the LAN, it's how layer 2 switches know what switch port to forward a packet on to under their switching task.
Thank you, I got my answer here:

MAC filtering the internet traffic?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
So the above feature from my router is not going to work?
It will work fine on the LAN.
That's where MAC addresses are used.

MAC addresses from an internet device (iPhone) are not transmitted to your home router as an inbound connection, only the IP address?
If you sniff a packet that's come in via your router from an iPhone that's out on the internet, you will see the router LAN interface MAC address as the source.
And the iPhone's current public IP address as the IP address source.
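The point alastairstevenson makes in his two replies above (the frame arriving on the WAN port was built by the ISP's next hop, not the iPhone, and the copy forwarded onto the LAN carries the router's own LAN MAC as source), shown as an added Python model of one router hop. This is not code from the thread or from any router vendor; every MAC and the public IP are constructed sample values, and `rule_matches` mirrors the Arris "match" described earlier (source MAC plus destination IP).

```python
import socket
import struct

# Constructed sample values for this demonstration; only 192.168.1.200 and
# FC:BC:48:A3:55:92 come from the thread itself.
IPHONE_MAC = "FC:BC:48:A3:55:92"      # the MAC the proposed rule expects to see
ISP_GW_MAC = "00:11:22:33:44:55"      # ISP next hop that actually frames the WAN packet
ROUTER_WAN_MAC = "AA:AA:AA:00:00:01"  # home router, WAN side
ROUTER_LAN_MAC = "AA:AA:AA:00:00:02"  # home router, LAN side
NVR_MAC = "BB:BB:BB:00:00:10"
IPHONE_PUBLIC_IP = "203.0.113.7"      # TEST-NET-3 documentation range
NVR_IP = "192.168.1.200"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02X}" for x in b)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64):
    """Ethernet II header + 20-byte IPv4 header (checksum left 0, payload omitted)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def parse(frame):
    """Pull the layer-2 and layer-3 addresses a firewall rule could inspect."""
    dst, src = frame[:6], frame[6:12]
    ttl, src_ip, dst_ip = frame[22], frame[26:30], frame[30:34]
    return {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ttl": ttl,
            "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip)}

def route_to_lan(wan_frame):
    """Layer-3 forwarding: the layer-2 header is thrown away and rebuilt for the
    LAN segment (router LAN MAC -> NVR MAC); the IP header survives with TTL-1."""
    ip = bytearray(wan_frame[14:])
    ip[8] -= 1  # TTL decrement (IP checksum not recomputed in this model)
    return mac_bytes(NVR_MAC) + mac_bytes(ROUTER_LAN_MAC) + b"\x08\x00" + bytes(ip)

def rule_matches(frame, required_src_mac, required_dst_ip):
    """The thread's 'match': source MAC must equal the iPhone's, destination IP the NVR."""
    p = parse(frame)
    return p["src_mac"] == required_src_mac.upper() and p["dst_ip"] == required_dst_ip

def demo():
    # The frame as it really reaches the WAN port: framed by the ISP gateway.
    wan = build_frame(ISP_GW_MAC, ROUTER_WAN_MAC, IPHONE_PUBLIC_IP, NVR_IP)
    return parse(wan), parse(route_to_lan(wan))
```

Whatever host on the internet sends the packet, the LAN copy always shows ROUTER_LAN_MAC as source, so a source-MAC match can only ever pass or drop everything the router forwards; the IP addresses are the only identity that survives the hop.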