Do you guys restrict cameras from accessing internet?

Discussion in 'Dahua' started by MakeItRain, Jan 10, 2019.


  1. MakeItRain

    MakeItRain Getting the hang of it

    Joined:
    Aug 7, 2017
    Messages:
    83
    Likes Received:
    35
    I am currently using a home VPN to access my NVR to access the cameras. So there is no reason/purpose for the NVR/cameras to have direct access to the internet any further. (i.e. ET phone home to china).

    My router has the ability to restrict certain IP ranges from ever reaching the internet. This is great as I can prevent the NVR/cameras from trying to phone home. However, when enabled, I realized that the downside to doing so means I can no longer receive iDMSS push notifications.

    How do you guys get around this?
     
  2. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    939
    Likes Received:
    412
    Location:
    Houston Tx
    Cameras do not access the internet ever !!!!
     
  3. Mr_D

    Mr_D Getting comfortable

    Joined:
    Nov 17, 2017
    Messages:
    478
    Likes Received:
    360
    Location:
    Southern California
    My cameras do not have internet access but blue Iris does so I get notifications.
     
  4. c hris527

    c hris527 Known around here

    Joined:
    Oct 12, 2015
    Messages:
    792
    Likes Received:
    461
    Location:
    NY
    If you block internet access to your NVR, your VPN will not be able to access it. I have a home ASUS VPN router and am using OpenVPN. All my cams are blocked.
     
    Nitedaze likes this.
  5. taz420nj

    taz420nj n3wb

    Joined:
    Oct 14, 2018
    Messages:
    29
    Likes Received:
    23
    Location:
    KS
    Not necessarily, you just need a better firewall. ;) pfSense allows "one way" rules in its firewall. You can allow access from the VPN and main LAN to the security LAN, but still block all outbound traffic on the security LAN. However this only works if you have the LANs physically separated or use a managed switch capable of VLANs.
     
    Last edited: Jan 10, 2019
    permaN3wb and c hris527 like this.
  6. c hris527

    c hris527 Known around here

    Joined:
    Oct 12, 2015
    Messages:
    792
    Likes Received:
    461
    Location:
    NY
    This is true. The OP asked about blocking internet access (I was assuming a total block through his firewall). Using an Asus router, you can create rules to do just as you were saying. However, I'm lazy and good with my VPN setup, and have all the crap turned off on the NVR.
     
    taz420nj likes this.
  7. taz420nj

    taz420nj n3wb

    Joined:
    Oct 14, 2018
    Messages:
    29
    Likes Received:
    23
    Location:
    KS
    Yeah, I don't know anything about ASUS firmware; I haven't used stock firmware in any router since Sveasoft released Alchemy like 15 years ago lol! Today you know it as DD-WRT. But I started using pfSense about 5 years ago and it's hands down the best and most versatile (although not always the most user friendly lol) firewall/router you can build/buy.
     
    Last edited: Jan 10, 2019
  8. c hris527

    c hris527 Known around here

    Joined:
    Oct 12, 2015
    Messages:
    792
    Likes Received:
    461
    Location:
    NY
    Yea, a handful of guys here swear by it for sure. There is a bunch of things I would like to screw with someday... that might be on my list. Most DIYers here are usually just happy if they can get their VPN running and be secure; every system NOT port forwarding on the internet is a plus for everybody on the Internet and the security of our national infrastructure. IPcamtalk has done a GREAT service of pounding this home.
     
    looney2ns and taz420nj like this.
  9. taz420nj

    taz420nj n3wb

    Joined:
    Oct 14, 2018
    Messages:
    29
    Likes Received:
    23
    Location:
    KS
    I don't know if SOHO routers do it, but setting up a VPN on pfSense is pretty easy.

    Set up DDNS
    Set up a user
    Set up a certificate for that user (simple)
    Add VPN and set up which LAN it should connect to
    Save

    Download new OVPN config file (profile) that pfsense will create to all your devices (phone, tablet, laptop) and import into OVPN.
    Connect

    I've had one running for years to funnel my traffic back through my home connection if I'm using hotspots or hotel wifi. Now I have it on permanently because it funnels everything through my Pi-hole and blocks ads even on my phone over LTE, and bypasses the YouTube and Facebook filter on the network at work haha! ;)
     
    Last edited: Jan 10, 2019
    SquareEyes and JDWX like this.
  10. MakeItRain

    MakeItRain Getting the hang of it

    Joined:
    Aug 7, 2017
    Messages:
    83
    Likes Received:
    35
    Okay. I guess I wasn't clear on my setup.

    I am currently using a Raspberry Pi as my Open VPN server. The Raspberry Pi listens to any incoming requests from VPN clients from "the internet" and then establishes a connection to my home network. The VPN server (raspberry pi) will then assign my client (let's say my work computer) an IP address. At that point, I can now access ALL the devices on my home network from my work office computer, as if I'm at home. So I can now remotely access the NVR, each individual camera, ping my TVs, etc. So the NVR is not really sending traffic out to the internet, it's sending it over local IP to the Raspberry Pi (VPN server), which is then encrypting the data and tunneling it over to me through the internet to my work computer.

    Let's say my NVR lives on my local network at 192.168.10.50. I can then set up a rule in my router to block 192.168.10.50 from ever reaching outside to the internet, and thus the NVR won't be able to fetch firmware updates, fetch the NTP clock server, etc. However, the NVR can still send traffic to the Raspberry Pi device, which, say, lives at 192.168.10.20, because it is on the LAN and there are no restrictions by the router. So I can still get a live feed from all cameras so long as I'm connected to the LAN, whether physically or with the assistance of VPN.

    Of course, I guess the challenge is how to tunnel push notifications through the VPN server (Raspberry PI) out into Dahua's servers?

    Does this make sense?

    I know you guys said cameras don't access the internet ever, but that's not exactly true though right? If you use DDNS service provider or Sync with NTP server, all that requires talking "through" to the internet. Not to mention whatever backdoor "phone home" firmware code the camera could have.
     
    Last edited: Jan 11, 2019 at 3:38 AM
  11. Whoaru99

    Whoaru99 Getting the hang of it

    Joined:
    Dec 22, 2018
    Messages:
    114
    Likes Received:
    33
    Location:
    MN
    I'm trying to do just that, although with smtp notifications from the cameras.

    The blocking firewall rule works great; too good in a way. Problem is, I can't seem to come up with an overriding rule that allows out the notifications.
     
    Last edited: Jan 11, 2019 at 7:00 AM
  12. redfive

    redfive Getting the hang of it

    Joined:
    Apr 13, 2016
    Messages:
    227
    Likes Received:
    91
    I often use EdgeRouters with a zone-based firewall. For the video surveillance zone (here zone 011nvr) to the WAN zone (here zone 001wan), I use the zone-pair 011nvr to 001wan, with this fw policy:
    Code:
    jonatha@er6p# show firewall name 011nvr_2_001wan
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action accept
         destination {
             group {
                 network-group GOOGLE_SMTP
             }
             port 587
         }
         protocol tcp
         source {
             address 10.0.7.4
         }
     }
    [edit]
    
    jonatha@er6p# show firewall group network-group GOOGLE_SMTP
     network 64.18.0.0/20
     network 64.233.160.0/19
     network 66.102.0.0/20
     network 66.249.80.0/20
     network 72.14.192.0/18
     network 74.125.0.0/16
     network 108.177.8.0/21
     network 108.177.96.0/19
     network 172.217.0.0/19
     network 173.194.0.0/16
     network 207.126.144.0/20
     network 209.85.128.0/17
     network 216.58.192.0/19
     network 216.239.32.0/19
    [edit]
    
    10.0.7.4 is the NVR's IP address.
    Cheers,
     
  13. puppyfrog

    puppyfrog Young grasshopper

    Joined:
    Jun 8, 2018
    Messages:
    39
    Likes Received:
    14
    Location:
    Austin, TX
    I use Ubiquiti stuff so I'm able to set up pretty complex firewall rules, but many routers can do the same. I have all my cameras and NVR living on their own VLAN and don't allow that VLAN any access to my main LAN where my important file servers, VPN server, etc. live. The main LAN can access the VLAN so the NVR can always be accessed from my computers at home as well as devices connected to the VPN server. I only need SMTP and NTP for the cameras' VLAN so I just open those outbound ports. HTH
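    As an added illustration (not EdgeOS code or any poster's own configuration), here is a small Python model of the zone-pair policy redfive posted above plus the extra NTP allowance puppyfrog describes. It assumes a first-match, default-drop evaluation like EdgeOS, uses three of the GOOGLE_SMTP networks from the post as a constructed subset, and adds an assumed reverse-direction policy that only admits return traffic, so you can check which of the flows discussed in this thread get through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed subset of the GOOGLE_SMTP network-group from redfive's post.
GOOGLE_SMTP = [ipaddress.ip_network(n)
               for n in ("64.233.160.0/19", "74.125.0.0/16", "209.85.128.0/17")]
NVR = "10.0.7.4"  # the NVR address given in the post

@dataclass
class Rule:
    action: str                           # "accept" or "drop"
    proto: Optional[str] = None           # "tcp"/"udp"; None matches any protocol
    src: Optional[str] = None             # exact source address, None = any
    dst_nets: Optional[List] = None       # destination network-group, None = any
    dport: Optional[int] = None           # destination port, None = any
    state: Optional[Set[str]] = None      # connection states the rule matches

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    state: str = "new"                    # "new", "established" or "related"

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field set on the rule agrees with the packet."""
    if rule.state is not None and pkt.state not in rule.state:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst_nets is not None:
        dst = ipaddress.ip_address(pkt.dst)
        if not any(dst in net for net in rule.dst_nets):
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; fall back to the zone-pair's default-action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Zone pair 011nvr -> 001wan, transcribed from the post: replies to existing
# connections, plus TCP/587 from the NVR to the Google SMTP group only.
NVR_TO_WAN = [Rule("accept", state={"established", "related"}),
              Rule("accept", proto="tcp", src=NVR, dst_nets=GOOGLE_SMTP, dport=587)]
# puppyfrog's variant: NTP out as well (assumed rule, any NTP server).
NVR_TO_WAN_NTP = NVR_TO_WAN + [Rule("accept", proto="udp", dport=123)]
# Assumed reverse direction (not in the post): only return traffic gets in.
WAN_TO_NVR = [Rule("accept", state={"established", "related"})]
```

A new outbound HTTPS or DNS flow from the NVR is dropped under both policies, which is exactly why cloud push notifications that ride on P2P/HTTPS, as taz420nj asks about, cannot be allowed without opening far more than SMTP.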
     
  14. taz420nj

    taz420nj n3wb

    Joined:
    Oct 14, 2018
    Messages:
    29
    Likes Received:
    23
    Location:
    KS
    So how does their push notification work? Is it a standalone service on its own port, or is it something that's sent to the China servers over http/s and then back to the app? If it's the latter then you're screwed as far as allowing that while blocking everything else.
     
  15. TechBill

    TechBill Getting comfortable

    Joined:
    Nov 1, 2014
    Messages:
    981
    Likes Received:
    325
    Pretty much all of my cameras are for outdoor use only and on their own network (EdgeRouter Lite), so I don't do anything different or set up a special firewall to block traffic etc. I don't care if they have access to the internet or not, and I stopped using VPN with it some time ago.

    Right now, I am using the P2P feature and I seem to get good, reliable push notifications with it after the recent update. I do check the cameras' network log from time to time to make sure that none of the cameras are being used to host or torrent some bad porn files :)

    My home is not Fort Knox, so I am sure there is no elite hacker out there looking for weaknesses in my security setup to break into my home when all they need is a good ole crowbar. :) All of my neighbors see what all my cameras see, so there is nothing private done in front of all of my cameras.
     
  16. taz420nj

    taz420nj n3wb

    Joined:
    Oct 14, 2018
    Messages:
    29
    Likes Received:
    23
    Location:
    KS
    There's a big difference between people using your IP cams to case your house (which rarely happens anyway; it's more common with 2.4GHz wireless cams that can be scanned on a drive-by) and leaving it wide open to cyber voyeurs, which is just creepy. And people ARE interested in whatever they can find, useful or not. I have the firewall logs to prove it. I get scanned literally a thousand times a day by IPs in Russia, China, India, Pakistan, etc. Offer nothing.
     
  17. TechBill

    TechBill Getting comfortable

    Joined:
    Nov 1, 2014
    Messages:
    981
    Likes Received:
    325
    Our home network is scanned every day from those countries as well.

    Almost all of those scans are from autonomous software scanning every possible IP address, probing for computers with operating systems that haven't been kept up to date and are full of security holes to inject trojans into. Hackers are far more interested in your personal, bank and credit card information than they are in seeing you naked.

    I am aware that there is autonomous software which scans for IP cameras and security systems on the network, but those are much rarer compared to autonomous software scanning for computers to exploit.
     
  18. taz420nj

    taz420nj n3wb

    Joined:
    Oct 14, 2018
    Messages:
    29
    Likes Received:
    23
    Location:
    KS
    I know they're bots. But like I said, offer nothing.
     
  19. Mr_D

    Mr_D Getting comfortable

    Joined:
    Nov 17, 2017
    Messages:
    478
    Likes Received:
    360
    Location:
    Southern California
    They're also looking for anything they can draft into a bot army for mining cryptocurrency or performing DDoS attacks. IoT devices are usually the low-hanging fruit because there are so many of them, security is poor to non-existent, and they're often unmaintained.
     
    mat200 and taz420nj like this.
  20. redfive

    redfive Getting the hang of it

    Joined:
    Apr 13, 2016
    Messages:
    227
    Likes Received:
    91
    @TechBill Nothing is Fort Knox ... Everything is Fort Knox !! :)
    Cheers,