Do you guys restrict cameras from accessing internet?

[MakeItRain]

I am currently using a home VPN to access my NVR to access the cameras. So there is no reason/purpose for the NVR/cameras to have direct access to the internet any further. (i.e. ET phone home to china).

My router has the ability to restrict certain IP ranges from ever reaching the internet. This is great as I can prevent the NVR/cameras from trying to phone home. However, when enabled, I realized that the downside to doing so means I can no longer receive iDMSS push notifications.

How do you guys get around this?

 

[SouthernYankee]

Cameras do not access the internet ever !!!!

 

[Mr_D]

My cameras do not have internet access but blue Iris does so I get notifications.

 

[c hris527]

If you block internet access to your NVR, your VPN will not be able to access it. I have a home ASUS VPN router and using open VPN. All my cams are blocked.

 

[taz420nj]

If you block internet access to your NVR, your VPN will not be able to access it. I have a home ASUS VPN router and using open VPN. All my cams are blocked.

Not necessarily, you just need a better firewall. pfSense allows "one way" rules in its firewall. You can allow access from the VPN and main LAN to the security LAN, but still block all outbound traffic on the security LAN. However this only works if you have the LANs physically separated or use a managed switch capable of VLANs.

 

[c hris527]

Not necessarily, you just need a better firewall. pfSense allows "one way" rules in its firewall. You can allow access from the VPN and main LAN to the security LAN, but still block all outbound traffic on the security LAN. However this only works if you have the LANs physically separated or use a managed switch capable of VLANs.

This is true, The OP asked about blocking internet access (I was assuming total block through his firewall). Using a Asus router, you can create rules to just do as you were saying. However Im lazy and good with my VPN setup, have all the crap turned off on the NVR.

 

[taz420nj]

This is true, The OP asked about blocking internet access (I was assuming total block through his firewall). Using a Asus router, you can create rules to just do as you were saying. However Im lazy and good with my VPN setup, have all the crap turned off on the NVR.

Yeah I don't know anything about ASUS firmware, I haven't used stock firmware in any router since Sveasoft released Alchemy like 15 years ago lol! Today you know it as DD-WRT. But I started using pfSense bout 5 years ago and it's hands down the best and most versatile (although not always the most user friendly lol) firewall/router you can build/buy.

 

[c hris527]

Yeah I don't know anything about ASUS firmware, I haven't used stock firmware in any router since Sveasoft released Alchemy like 15 years ago lol! Today you know it as DD-WRT. But I started using pfSense bout 5 years ago and it's hands down the best (although not always the most user friendly lol) firewall/router you can build/buy.

Yea a handfull of guys here swear by it for sure. Their is a bunch of things I would like to screw with someday..that might be on my list. Most DYI here are usually just happy if they can get their VPN running and be secure, every system NOT port forwarding on the internet is a plus for everybody on the Internet and the security of our National infrastructure. IPcamtalk has done a GREAT service of pounding this home.

 

[taz420nj]

I dont know Soho routers do it but setting up a VPN on pfsense is pretty easy.

Set up DDNS
Set up a user
Set up a certificate for that user (simple)
Add VPN and set up which LANit should connect to
Save

Download new OVPN config file (profile) that pfsense will create to all your devices (phone, tablet, laptop) and import into OVPN.
Connect

I've had one running for years to funnel my traffic back through my home connection if I'm using hotspots or hotel wifi. Now I have it on permanently because it funnels everything through my Pihole and blocks ads even on my phone over LTE, and bypasses the YouTube and facebook filter on the network at work haha!

 

[MakeItRain]

Okay. I guess I wasn't clear on my setup.

I am currently using a Raspberry Pi as my Open VPN server. The Raspberry Pi listens to any incoming requests from VPN clients from "the internet" and then establishes a connection to my home network. The VPN server (raspberry pi) will then assign my client (let's say my work computer) an IP address. At that point, I can now access ALL the devices on my home network from my work office computer, as if I'm at home. So I can now remotely access the NVR, each individual camera, ping my TVs, etc. So the NVR is not really sending traffic out to the internet, it's sending it over local IP to the Raspberry Pi (VPN server), which is then encrypting the data and tunneling it over to me through the internet to my work computer.

Let's say my NVR lives on my local network at 192.168.10.50. I can then set up a rule in my router to block 192.168.10.50 from ever reaching outside to the internet and thus the NVR won't be able to fetch firmware update, fetch the NTP clock server, etc. However, the NVR can still send traffic to the Raspberry Pi device, which say, lives at 192.168.10.20 because it is on LAN and there is no restrictions by the router. So I can still get a Live feed from all cameras so long as I'm connected to the LAN whether physically or with the assistance of VPN.

Of course, I guess the challenge is how to tunnel push notifications through the VPN server (Raspberry PI) out into Dahua's servers?

Does this make sense?

I know you guys said cameras don't access the internet ever, but that's not exactly true though right? If you use DDNS service provider or Sync with NTP server, all that requires talking "through" to the internet. Not to mention whatever backdoor "phone home" firmware code the camera could have.

 

[Whoaru99]

I'm trying to do just that, although with smtp notifications from the cameras.

The blocking firewall rule works great; too good in a way. Problem is can't seem to come up with an overriding rule that allows out the notifications.

 

[redfive]

I often use edgerouters, with zone-based firewall, for the videousurveillance zone (here zone 011nvr) to the wan zone (here zone 001wan), I use the zone-pair 011nvr to 001 wan, with this fw policy

Spoiler

jonatha@er6p# show firewall name 011nvr_2_001wan
 default-action drop
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action accept
     destination {
         group {
             network-group GOOGLE_SMTP
         }
         port 587
     }
     protocol tcp
     source {
         address 10.0.7.4
     }
 }
[edit]

jonatha@er6p# show firewall group network-group GOOGLE_SMTP
 network 64.18.0.0/20
 network 64.233.160.0/19
 network 66.102.0.0/20
 network 66.249.80.0/20
 network 72.14.192.0/18
 network 74.125.0.0/16
 network 108.177.8.0/21
 network 108.177.96.0/19
 network 172.217.0.0/19
 network 173.194.0.0/16
 network 207.126.144.0/20
 network 209.85.128.0/17
 network 216.58.192.0/19
 network 216.239.32.0/19
[edit]

10.0.7.4 is the NVR's ip addess.
Cheers,

 

[puppyfrog]

Okay. I guess I wasn't clear on my setup.

I am currently using a Raspberry Pi as my Open VPN server. The Raspberry Pi listens to any incoming requests from VPN clients from "the internet" and then establishes a connection to my home network. The VPN server (raspberry pi) will then assign my client (let's say my work computer) an IP address. At that point, I can now access ALL the devices on my home network from my work office computer, as if I'm at home. So I can now remotely access the NVR, each individual camera, ping my TVs, etc. So the NVR is not really sending traffic out to the internet, it's sending it over local IP to the Raspberry Pi (VPN server), which is then encrypting the data and tunneling it over to me through the internet to my work computer.

Let's say my NVR lives on my local network at 192.168.10.50. I can then set up a rule in my router to block 192.168.10.50 from ever reaching outside to the internet and thus the NVR won't be able to fetch firmware update, fetch the NTP clock server, etc. However, the NVR can still send traffic to the Raspberry Pi device, which say, lives at 192.168.10.20 because it is on LAN and there is no restrictions by the router. So I can still get a Live feed from all cameras so long as I'm connected to the LAN whether physically or with the assistance of VPN.

Of course, I guess the challenge is how to tunnel push notifications through the VPN server (Raspberry PI) out into Dahua's servers?

Does this make sense?

I know you guys said cameras don't access the internet ever, but that's not exactly true though right? If you use DDNS service provider or Sync with NTP server, all that requires talking "through" to the internet. Not to mention whatever backdoor "phone home" firmware code the camera could have.

I use Ubiquiti stuff so I'm able to setup pretty complex firewall rules, but many routers can do the same. I have all my cameras and NVR live on their own VLAN and don't allow that VLAN any access to my main LAN where my important files servers, VPN server, etc. live. The main LAN can access the VLAN so the NVR can always be accessed from my computers at home as well as devices connected to the VPN server. I only need SMTP and NTP for the camera's VLAN so I just open those outbound ports. HTH

 

[taz420nj]

So how does their push notification work? Is it a standalone service on it's own port or is it something that's sent to the China servers over http/s and then back to the app? If it's the latter then you're screwed as far as allowing that while blocking everything else.

 

[TechBill]

Pretty much all of my camera are outdoor uses only and on it own network (Edgerouter Lite) so I don't do anything different or set up special firewall to block traffic etc. I don't care if it have access to internet or not and I stopped using VPN with it some time ago.

Right now, I am using P2P feature and I seem to to get a good reliable push notification with it after the recent update. I do check on cameras network log from time to time to make sure that none of the camera are being used to host or torrent some bad porn files

My home is not a Fort Knox so I am sure there no elite hacker out there looking for weakness in my security setup to break into my home when all they need is a good ole crowbar. All of my neighbors sees what all my camera see so there nothing private done in front of all of my cameras.

 

[taz420nj]

Pretty much all of my camera are outdoor uses only and on it own network (Edgerouter Lite) so I don't do anything different or set up special firewall to block traffic etc. I don't care if it have access to internet or not and I stopped using VPN with it some time ago.

Right now, I am using P2P feature and I seem to to get a good reliable push notification with it after the recent update. I do check on cameras network log from time to time to make sure that none of the camera are being used to host or torrent some bad porn files

My home is not a Fort Knox so I am sure there no elite hacker out there looking for weakness in my security setup to break into my home when all they need is a good ole crowbar. All of my neighbors sees what all my camera see so there nothing private done in front of all of my cameras.

Theres a big difference between people using your IP cams to case your house (which rarely happens anyway, it's more common with 2.4Ghz wireless cams that can be scanned on a driveby) and leaving it wide open to cyber voyeurs which is just creepy. And people ARE interested in whatever they can find, useful or not. I have the firewall logs to prove it. I get scanned literally a thousand times a day by IPs in Russia, China, India, Pakistan, etc. Offer nothing.

 

[TechBill]

Theres a big difference between people using your IP cams to case your house (which rarely happens anyway, it's more common with 2.4Ghz wireless cams that can be scanned on a driveby) and leaving it wide open to cyber voyeurs which is just creepy. And people ARE interested in whatever they can find, useful or not. I have the firewall logs to prove it. I get scanned literally a thousand times a day by IPs in Russia, China, India, Pakistan, etc. Offer nothing.

Our home network is scanned every day from those countries as well too.

Almost all of those scans are from autonomous software scanning on every possible ip addresses probing for computers with operation system that haven't been up to date and filled with security holes to inject trojans into it. Hackers are far more interested in your personal, bank and credit cards information than they are seeing you naked.

I am aware that there are autonomous software which scan for ip cameras and security system on network but those much rarer compared to autonomous software scanning for computer to exploit with.

 

[taz420nj]

I know they're bots. But like I said, offer nothing.

 

[Mr_D]

Our home network is scanned every day from those countries as well too.

Almost all of those scans are from autonomous software scanning on every possible ip addresses probing for computers with operation system that haven't been up to date and filled with security holes to inject trojans into it. Hackers are far more interested in your personal, bank and credit cards information than they are seeing you naked.

I am aware that there are autonomous software which scan for ip cameras and security system on network but those much rarer compared to autonomous software scanning for computer to exploit with.

They're also looking for anything they can draft into a bot army for mining cryptocurrency or performing DDOS attacks. IOT devices are usually the low hanging fruit because there's so many of them, security is poor to non-existent, and they're often unmaintained.

 

[redfive]

@TechBill Nothing is Fort Knox ... Everything is Fort Knox !!
Cheers,