Blocking IMOU (Dahua) cameras from accessing the internet and calling home.

dbrannon79

Young grasshopper
Joined
Oct 9, 2022
Messages
89
Reaction score
18
Location
Texas
Hello all. After doing some reading and seeing all the security risks of some of these IP camera manufacturers giving their cameras the ability to "phone home" and upload footage and pictures to the cloud, I set out on a quest to completely block the ones I have from accessing the internet while still connecting to the LAN and streaming only to my dedicated BI PC.

My current setup is a Dell Optiplex 9010 SFF PC running only BI headless, sitting in my server rack. I have a POE switch running Ethernet to 4 IMOU cameras, each with a POE splitter that supplies power and Ethernet to them. My router is an Eero 6 Pro from Amazon; the Eero handles the routing and assigning IP addresses.

In the beginning I had each camera set in the router's interface as DHCP, with the Eero reserving a specific IP for each camera. I also set up a profile within the Eero app to block internet access 24/7 for any IP that I selected. Putting all 4 of these cameras in this profile resulted in 3 of them working just fine, while one camera would completely drop off (lose its assigned IP) entirely. I had verified all the camera settings were the same using the Dahua config tool, factory reset the one camera several times, and even tried updating the firmware through the IMOU app, but nothing seems to work for this one camera.

The camera models I have are 2 each of the IMOU Bullet 2C (with LED spotlights) and 2 each of the IMOU Bullet cameras (without LED spotlights). The camera in question is an IMOU Bullet (no LED spotlights), where the other identical camera continues to work without an internet connection.

During my diagnosis I also noticed that this one camera was very delayed from real time, compared to the other three, which were within a couple of seconds of real time when watching the web server.

I was at my wits' end trying to figure out why this one camera had to have an internet connection where the others didn't. It almost seemed like it was uploading footage to the web somewhere and BI was pulling it back from wherever it was uploading to, hence the longer delay in live footage, even though the settings in BI were set to connect directly to the IP that I assigned to the camera in the reservations from the router.

This has gone on all week as I played with different settings between the router, BI, and within the camera in both the IMOU app and the Dahua config tool.

Finally I got something..... In the Dahua config tool I tried one last thing: setting the IP in the camera settings to static using the same IP I had already assigned it in the router, along with changing the gateway IP from the router's IP to the BI PC's IP address, followed by a reboot of the camera.

And bam! No more delay, and checking with the IMOU app, it could no longer connect to the camera, showing it offline. I made this change to all 4 cameras and they all seem to be working fine, although I cannot verify if they can still reach out to the internet.

The BI PC does not have any setting in its firewall to allow internet sharing, so I am only assuming that these cameras are only streaming by LAN and not able to call home anymore.

Now with this current setting giving the cameras static IPs, if I enable the internet blocking through the Eero app, the one camera will still drop its LAN IP completely until I restore the internet. This is puzzling to me: why does one do this when all 4 cameras are set in the Eero profile?

Am I safe to say that by changing the gateway IP to point away from my Eero router and at the BI PC, they are officially NOT getting an internet connection?

I know the proper way to do this is to create a VLAN with a second NIC port on the BI PC and connect the cameras there on a separate subnet, but I don't have a second POE switch to use for this.
 
Joined
Aug 8, 2018
Messages
7,423
Reaction score
26,020
Location
Spring, Texas
I am not familiar with the IMOU cams, but I can say that the cam traffic should never route through a router. They each should be assigned a specific IP address. You can either use a managed POE switch to set up a VLAN, or you can add a second network interface card to your BI PC to route your POE switch back to the BI PC. See the diagram below.

Network Topology 0B.JPG
 

dbrannon79

Yes, that is the ideal setup. The IMOU cameras are basically a Dahua camera minus the web interface. They are Chinese cameras using Dahua's hardware.

My home network consists of an ATT fiber modem connected to one Eero router and then to a 24-port switch on one end of the house supplying Ethernet to several devices. That Eero router has a second port that runs over to the other side of the house and then down to an 18-port POE switch inside my media server rack. From there it branches out to several more devices, including the 4 cameras. The two Eero routers connect to each other, linking them as one single unit (mesh wifi) with 4 ports (two on each unit). Weird, I know, but that is how the instructions say to connect them. A single 10gig cable runs across the attic connecting them together using port A on each. Port B on each goes to the unmanaged switches, which then branch out to all the devices in the house; one just happens to be POE and the other is a regular non-POE switch. The entire network is on a single subnet, 192.168.1.xxx.

I wish I had known that this Eero wasn't able to do certain functions like this before I invested in it. I would have been better off with managed switches and simple wifi nodes rather than this all-in-one Eero. The only reason I invested in it was for the wifi strength; as our neighborhood has grown, there are so many wifi networks around us that our phones and tablets would drop both 5G and 2.4G connections without even stepping out the front door. Way too much interference!!

Yeah I know it sounds like a business network, basically it is.

Here is a screenshot of the camera IP settings. Notice the "Gateway": this was "192.168.1.1", pointing to the Eero for internet access. I changed this to the IP of the BI PC. Normally on a PC, if you change this and point it to somewhere other than the internet gateway, the PC will no longer have access outside the LAN. I just don't know if this is true for IoT devices like cameras.



1670047696156.png
 

dbrannon79

Update: I tested my connection on my PC by entering the same gateway and checking if I can connect to the internet. Nope. I can still access anything on the LAN but nothing outside of that. Maybe this did in fact stop the cameras from accessing the world wide web, but again it's not ideal. I am thinking that by enabling the profile in the Eero, it isn't just blocking internet but forcing that one camera off the network through some protocol that isn't revealed to me, since the Eero doesn't have a real web interface to see logs.

Time to look into a better network setup. Besides, I discovered a bottleneck transferring data from my media server through the 1gig switches. Since I already have the house wired for 10gig, replacing the two switches with 10gig or even 5gig managed switches will fix all of this, freeing up this unmanaged POE switch to use for the cameras solo.
 

cm.

Getting the hang of it
Joined
Jul 17, 2022
Messages
25
Reaction score
39
Location
AU
I haven't read all of your posts, but VLANs are simply the easiest and most secure method. Just buy a basic managed switch with a web interface. Then you need 2 NICs on your NVR: one for the camera VLAN and the other for your normal home LAN. I have this exact setup at home and it works flawlessly. If I need to access my cameras, I first RDP into my Blue Iris PC, then I can access/configure as necessary.
 

dbrannon79

Can the existing unmanaged POE switch be used with devices on different subnets? For example, if I use the second uplink port for the BI machine's second NIC on IP address 192.168.55.xxx and give each camera a 192.168.55.xxx address with the gateway matching the IP of the BI machine's second NIC address. Since my home network is on DHCP, would this encounter issues using the same switch with both subnets?

The POE switch is an 18-port with two uplink ports and is almost full now with several devices throughout the house.
 

z3us

n3wb
Joined
Jun 7, 2023
Messages
3
Reaction score
3
Location
Romania
I have a similar problem.
The camera model is IPC-C22E-A.
The firmware version is 2.680.0000000.27.R.221109.
I have set a static IP and it is working with the ONVIF protocol.
But at the same time, the DHCP IP is still there, communicating with the cloud.
I cannot set the static IP to the DHCP IP (save fails).
@dbrannon79 do both IPC-F42 cameras have the same firmware?
 

dbrannon79

I noticed this same behavior with all of the cameras I have, regardless of whether you set the IP to static. It will randomly switch back to its default IP for phoning home. This is why I reset them all so they don't use the wifi, and connected them on a separate POE switch without internet access. I also added an older wifi router to that switch for the cameras that didn't have an Ethernet option to connect to. The only way to connect them via wifi, though, is to temporarily give the separate switch and router internet access, then set up the camera through its app, and once it is set up and working, disconnect the internet from it (I used the WAN port on the older router). Of course the BI PC also has a second NIC port that is connected to this switch but doesn't share its internet connection.

The older wifi router is controlling the separate switch as far as the IP assignment; I turned DHCP off on it and assigned each camera its own static IP there, so it has no choice but to connect using the IP I assigned and nothing else. I also used the Dahua tools application to initialize each camera that has an Ethernet port, and not the IMOU app. You can customize the camera settings as well through this tool.
 

z3us

This firmware is "evil"!
I had a little time last night to investigate more.
My camera has only the wireless interface.
The firmware is trying to get multiple IP addresses from the DHCP server, even using random MAC addresses (I have seen 4 different ones).
There are multiple internet connections originating from the camera to different servers on the internet.
It is strange to me that it seems to do "unusual things" just to get out of the local LAN!
I will do a packet inspection and in-depth analysis later, when I have more time.
 

dbrannon79

If you are able to capture the server addresses it attempts to connect to and post a list, that would be great. I have AdGuard Home set up on a server within my local network. I can add those servers to my DNS block lists for future use. If you have a spare older PC available that can run a Linux OS, running applications in Docker like AdGuard Home can help monitor all of your devices and what outside servers they connect to, while having the option to block each site. I run a TrueNAS SCALE system for a home lab which has this installed. It's a really nice addition.

Something you might want to think about as far as home network security is setting up a guest network on your local router with a DHCP server. Then on the main network side, add reservations for each and every device on your router. Once the reservations are entered, disable the DHCP server for the main network so that unauthorized devices won't be able to connect and receive an IP. Furthermore, use a not-so-common IP subnet for both the main and guest network while blocking known IP addresses the IMOU camera is attempting to use. Not all routers are capable of doing all of this. I usually try setting my home network up similar to how a business running high security would.
 

dbrannon79

As for the cameras themselves, the last camera I installed was this one off Amazon, which is much better than the IMOU cameras. I wish I had found this one before spending all the money on the IMOU cameras in the beginning, but I can't do anything about that part. This camera isn't on the list here of the best for Blue Iris, but I had no issues setting it up, and with only a POE Ethernet connection it can only connect using the one MAC address and IP that you set up. The downside is you will have to invest in a POE switch and run some Ethernet cable in your place. It seems to be a knock-off version of Reolink. It also has a much better quality picture than the IMOU cameras, even though the camera specs are the same. One of my requirements for cameras is that it must have a built-in mic to capture audio with the video recording. This one does.

 

Perimeter

Getting comfortable
Joined
Feb 18, 2023
Messages
557
Reaction score
581
Location
Europe
Something you might want to think about as far as home network security is setting up a guest network on your local router with a DHCP server. Then on the main network side, add reservations for each and every device on your router. Once the reservations are entered, disable the DHCP server for the main network so that unauthorized devices won't be able to connect and receive an IP. Furthermore, use a not-so-common IP subnet for both the main and guest network while blocking known IP addresses the IMOU camera is attempting to use.
What happens after a short blackout?
 

dbrannon79

What happens after a short blackout?
Blackout as in a power outage or an internet outage? If the internet goes down, the cameras and BI continue to operate normally, only without access outside of the LAN; your phone app access won't work unless you are on the local LAN. Power outage... well, you'll need a battery backup powering the BI computer and the POE switch so it all continues to function.

If you use the ISP's provided router to handle your LAN, that is when you have problems, like when the internet goes down you lose all connectivity between devices on your internal LAN. Hence why you always use a separate router to handle your devices and not the ISP's provided one.
 

Perimeter

If you use the ISP's provided router to handle your LAN, that is when you have problems, like when the internet goes down you lose all connectivity between devices on your internal LAN.
Really?? I have been using routers as switches without connecting them to anything WAN-wise. So I somehow doubt this to be a very general truth.
 

dbrannon79

You can absolutely use a router or switch without using the WAN port, but you didn't specify much about your question or which configuration you were referring to. I was simply sharing some experiences I have come across and some simple things I did to solve them. This thread is on the subject of blocking internet access to a camera while on your network. Since starting this thread I have solved it by running a separate network for them, complete with a router and POE switch with the WAN port connected, in a server rack. If I need to allow internet on this network, all that needs to be done is to change a single setting in the router.

When setting up new China knock-off cameras, some require using their app via internet access to initialize them for use. Once they are working and configured properly in BI, the internet can be shut off. This makes for a painless process, without me having to pull out the rack and mess with more LAN cables or configuration. My home network setup is not something you would normally find in a standard home. For a standard home setup, I was pointing out how to deal with a "blackout" as you asked. Most home networks only use the router/modem combo provided by their ISP, which is not ideal when running cameras for security.
 

Perimeter

I was just thinking that a power blackout might prevent your plan from coming back to life, as now DHCP is turned off.
 

z3us

This is some of the traffic with an internet connection, on camera boot:

IPC-C22E-A 8.8.4.4 DNS 133 Standard query 0x2362 A devaccess.easy4ipcloud.com
IPC-C22E-A 239.255.255.251 UDP 721 37810 → 37810 Len=679
IPC-C22E-A 239.255.255.251 UDP 768 37810 → 37810 Len=679
IPC-C22E-A 224.0.0.22 IGMPv3 60 Membership Report / Join group 239.255.255.251 for any sources
6x UDP Broadcasts on port 5050
IPC-C22E-A 255.255.255.255 UDP 340 5050 → 5050 Len=251
IPC-C22E-A 8.8.8.8 DNS 135 Standard query 0x885c A p2pregister.easy4ipcloud.com
IPC-C22E-A 128.14.225.150 UDP 411 55169 → 8800 Len=322
IPC-C22E-A 128.14.224.229 UDP 410 44200 → 8802 Len=321
IPC-C22E-A 128.14.225.150 UDP 141 16760 → 8800 Len=52
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8810 Len=182
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8811 Len=182
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8812 Len=182
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8813 Len=182
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8814 Len=182
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8815 Len=182
IPC-C22E-A 224.0.0.22 IGMPv3 60 Membership Report / Join group 239.255.255.251 for any sources
Communication with devaccess.easy4ipcloud.com on tcp port 10000
IPC-C22E-A 47.254.134.93 TCP 121 51050 → 10000 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294940464 TSecr=0 WS=8
IPC-C22E-A 128.14.225.150 UDP 411 39566 → 8800 Len=322
IPC-C22E-A 128.14.224.229 UDP 410 44200 → 8802 Len=321
IPC-C22E-A 8.8.8.8 DNS 127 Standard query 0xccb5 A www.easy4ipcloud.com
Communication with p2pregister.easy4ipcloud.com on tcp port 12337
IPC-C22E-A 8.209.112.209 TCP 121 40862 → 12337 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294940579 TSecr=0 WS=8
IPC-C22E-A 45.43.62.27 UDP 409 47815 → 8800 Len=320
IPC-C22E-A 45.43.62.62 UDP 270 16763 → 8810 Len=181
IPC-C22E-A 45.43.62.62 UDP 270 16763 → 8811 Len=181
IPC-C22E-A 45.43.62.62 UDP 270 16763 → 8812 Len=181
IPC-C22E-A 45.43.62.62 UDP 270 16763 → 8813 Len=181
IPC-C22E-A 45.43.62.62 UDP 270 16763 → 8814 Len=181
IPC-C22E-A 45.43.62.62 UDP 270 16763 → 8815 Len=181
Communication with 8.209.90.193 on tcp port 42045
IPC-C22E-A 8.209.90.193 TCP 121 43550 → 42045 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294940722 TSecr=0 WS=8
IPC-C22E-A 8.8.8.8 DNS 142 Standard query 0x4ac5 A devicehttpproxy-fk.easy4ipcloud.com
IPC-C22E-A 47.254.129.92 TCP 121 44698 → 15301 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294940742 TSecr=0 WS=8
IPC-C22E-A 8.209.90.193 TLSv1.2 698 Application Data
IPC-C22E-A 8.209.90.193 TCP 113 43550 → 42045 [ACK] Seq=1016 Ack=2104 Win=36048 Len=0 TSval=4294940748 TSecr=280763131
IPC-C22E-A 128.14.224.229 UDP 599 44168 → 8802 Len=510

A lot more traffic is to be analyzed.
I will try to see if there is a chance to access the RTSP stream without camera internet access.
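One detail worth pulling out of the capture above: the camera sends its DNS queries straight to 8.8.8.8 and 8.8.4.4 rather than to the LAN resolver, which matters for the AdGuard Home blocklist idea earlier in the thread, since a LAN-side DNS filter only sees queries that are actually sent to it. The script below is an added example, not code from anyone in this thread; it parses Wireshark-style packet-list lines like the ones posted, separates LAN discovery traffic from external destinations, reports which resolvers the camera used, and lists the external host/port tuples a firewall would otherwise have to allow. The sample input is copied from the posted capture (TCP options trimmed), and 192.168.1.1 is assumed as the LAN resolver per the gateway screenshot earlier in the thread.

```python
import ipaddress
import re
from collections import Counter

# Sample input copied from the capture summary posted in this thread (Wireshark
# packet-list columns: source, destination, protocol, length, info); trailing
# TCP options on the SYN lines were trimmed for width.
SAMPLE = """\
IPC-C22E-A 8.8.4.4 DNS 133 Standard query 0x2362 A devaccess.easy4ipcloud.com
IPC-C22E-A 239.255.255.251 UDP 721 37810 → 37810 Len=679
IPC-C22E-A 224.0.0.22 IGMPv3 60 Membership Report / Join group 239.255.255.251 for any sources
IPC-C22E-A 255.255.255.255 UDP 340 5050 → 5050 Len=251
IPC-C22E-A 8.8.8.8 DNS 135 Standard query 0x885c A p2pregister.easy4ipcloud.com
IPC-C22E-A 128.14.225.150 UDP 411 55169 → 8800 Len=322
IPC-C22E-A 45.43.62.141 UDP 271 16761 → 8810 Len=182
IPC-C22E-A 47.254.134.93 TCP 121 51050 → 10000 [SYN] Seq=0 Win=29200 Len=0
IPC-C22E-A 8.209.112.209 TCP 121 40862 → 12337 [SYN] Seq=0 Win=29200 Len=0
IPC-C22E-A 8.209.90.193 TLSv1.2 698 Application Data
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
PORT_RE = re.compile(r"(\d+)\s+→\s+(\d+)")
DNS_RE = re.compile(r"Standard query \S+ A (\S+)")

def is_local(dst):
    # Private, multicast, link-local or broadcast destinations never leave the LAN.
    ip = ipaddress.ip_address(dst)
    return ip.is_private or ip.is_multicast or ip.is_link_local or dst == "255.255.255.255"

def analyze(text):
    # Split a packet-list summary into resolver use, LAN discovery and external flows.
    report = {"dns_resolvers": Counter(), "domains": [], "external": set(), "local": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # free-text annotation lines in the paste are skipped
        _src, dst, proto, _length, info = m.groups()
        if proto == "DNS":
            report["dns_resolvers"][dst] += 1
            q = DNS_RE.search(info)
            if q:
                report["domains"].append(q.group(1))
        elif is_local(dst):
            report["local"] += 1
        else:
            pm = PORT_RE.search(info)  # TLS "Application Data" lines carry no ports
            report["external"].add((dst, proto, int(pm.group(2)) if pm else None))
    return report

def bypasses_lan_dns(report, lan_resolvers):
    # True when the camera asks a resolver other than the LAN's own (assumed to be
    # 192.168.1.1, the Eero, in this thread), so a LAN-side blocklist such as
    # AdGuard Home never sees the lookup unless the firewall forces DNS through it.
    return any(r not in lan_resolvers for r in report["dns_resolvers"])

def egress_allowlist(report):
    # Destination tuples a firewall would have to permit for the cloud/P2P path; the
    # spread of relay hosts and ports is why deny-by-default on the camera segment
    # is simpler than enumerating them.
    return sorted(report["external"], key=lambda t: (t[0], t[2] or 0))
```

Calling analyze(SAMPLE) followed by bypasses_lan_dns(report, {"192.168.1.1"}) returns True for the posted capture, and egress_allowlist(report) shows five distinct external host/port pairs from just these ten lines.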
 