Blocking IP cameras with firewall rules - Arris NVG589

anon71

Getting comfortable
Joined
Feb 20, 2018
Messages
26
Reaction score
8
I've just received my Dahua IP cameras, and I'm getting ready to test them. Following the cliff notes, I've temporarily disabled the camera's ability to access the internet by creating a false gateway IP address. The next step is to set firewall rules, but for the life of me, I cannot find anywhere in my router's firewall settings to enter the type of rules I see mentioned in the forum threads. The router in question is an Arris NVG589, and the manual is here: http://setuprouter.com/router/motorola/nvg589/manual-1741.pdf. Anyone have any ideas?

In case it matters, eventually I will have a router-behind-a-router setup, with the cameras and BI PC connected to a Linksys router, which will in turn be connected to the Arris router, which I need for cable TV. The Linksys router will have the VPN server, but otherwise it will be a dumb wireless access point and nothing more. I am assuming I will still need Arris firewall rules to block the cameras even with that set-up.

Thanks!
 

Barboots

Pulling my weight
Joined
Mar 15, 2018
Messages
408
Reaction score
241
Location
Perth, Western Australia
I found my provider's modem/router offered the ability to block MAC addresses in the parental filtering section. Like you, I'm looking at interim protection... this is not my best game plan.

Cheers, Steve
 

copex

Getting the hang of it
Joined
Feb 15, 2015
Messages
225
Reaction score
79
Location
Cumbria,England
You would add a drop rule in Packet Filter Rules using source IP and setting it to the IP address of the devices you wish to block. Blocking by MAC address would also do the job and may be easier to set up, and if the camera went back to DHCP or the IP address was changed, the MAC filtering would still be applied.
 

anon71

Thanks Steve - didn't realize what it was when I read it. Here is the rule I set up:

Drop packets that match:
IP Version of IPv4
(Greyed out when I added IP range below)
Source IP Address of 192.168.1.xx /24 - 192.168.1.xx /24 (The IP range of 4 cameras)
Egress Interface of "WAN"

Do I need anything else? I'm guessing that wouldn't need "Ingress Interface" or "LAN," but feel free to correct me. Nayr mentions here - Foscam Calling Home - that you could put a reject rule before that for TCP/UDP, but either (1) this router doesn't have a reject option (only add or drop) or (2) I don't know what I'm doing. I certainly wouldn't rule out #2.
 
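A toy model of the drop rule described in the post above, next to the MAC-based alternative suggested earlier in the thread. This is an added illustration, not code from any poster and not the NVG589's actual filtering logic; all addresses, MACs and packet samples are constructed, and the rule fields only mirror "Source IP range", source MAC and "Egress Interface".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    egress: str  # interface the packet would leave on: "WAN" or "LAN"

@dataclass(frozen=True)
class DropRule:
    # A field left as None matches any packet (hypothetical rule model).
    ip_first: Optional[str] = None
    ip_last: Optional[str] = None
    src_mac: Optional[str] = None
    egress: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.egress is not None and p.egress != self.egress:
            return False
        if self.src_mac is not None and p.src_mac.lower() != self.src_mac.lower():
            return False
        if self.ip_first is not None:
            lo, hi = (ipaddress.ip_address(a) for a in (self.ip_first, self.ip_last))
            if not lo <= ipaddress.ip_address(p.src_ip) <= hi:
                return False
        return True

# Constructed sample values, not the poster's real addresses.
CAM_MAC, PC_MAC = "02:00:00:00:00:01", "02:00:00:00:00:99"
IP_RULE = [DropRule(ip_first="192.168.1.201", ip_last="192.168.1.204", egress="WAN")]
MAC_RULE = [DropRule(src_mac=CAM_MAC, egress="WAN")]
SAMPLES = {
    "camera, static IP, to internet": Packet("192.168.1.201", CAM_MAC, "WAN"),
    "camera, static IP, to BI PC": Packet("192.168.1.201", CAM_MAC, "LAN"),
    "camera after falling back to DHCP": Packet("192.168.1.57", CAM_MAC, "WAN"),
    "BI PC to internet": Packet("192.168.1.10", PC_MAC, "WAN"),
}

def evaluate(rules):
    """Return drop/forward for every sample packet under the given rule list."""
    return {name: "drop" if any(r.matches(p) for r in rules) else "forward"
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("IP-range rule", IP_RULE), ("MAC rule", MAC_RULE)):
        print(label, evaluate(rules))
```

In this model the IP-range rule stops matching once a camera picks up an address outside the configured range, while the MAC rule still drops its WAN-bound traffic; neither rule touches camera-to-PC traffic that stays on the LAN.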

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
701
Reaction score
454
Well, if the goal is to not let the cams see the internet (good goal), the simplest method might be to add another NIC in the BI PC and just put your cams on that network with static IPs.
The other NIC goes to the WAN router. This allows VPN access to the BI machine when you have your router serving the VPN, and the cams can't get to the world.
 

anon71

Thanks, but I'm trying, if at all possible, to do this with the equipment and network I already have.
 

Barboots

Anon, you might get more bites if you screenshotted and posted every page of your router that offers some kind of filtering/blocking. It's work for you, but provides an "at a glance" for the potential helpers.

Just a thought from a noob.

Cheers, Steve
 

anon71

Happy to do it if it helps. Here it is. The first five pages are the firewall screens. The packet filter page is split into two screenshots because of its size. The first five packet rules are not mine; they were preset on the router and don't seem to be enabled. The sixth packet rule is the one I created and described above. The last page is the MAC filtering settings. With the exception of the sixth packet rule, I've changed nothing in these settings.
 

anon71

Thanks for checking, Barboots. I plan on using that sequential order. I will enable rule #6 and leave the rest of the rules alone.
 