How to restrict internet access with PTZ cam?

vlct

n3wb
Joined
Aug 22, 2020
Messages
15
Reaction score
2
Location
australia
I have a PTZ cam connected to a TP-Link Archer 1200 router. The only WAN access I want is with my VPN.

How would I go about stopping all internet traffic other than the VPN?

I have added the cam to 'parental control' which didn't work, and tried a few other things.
I don't know much about how to go about this, but something is still accessing the cam over WAN.

Any ideas on what I need to do?

Thanks for any help.
 

vandyman

Getting comfortable
Joined
Jul 24, 2018
Messages
555
Reaction score
1,620
Location
US
Are you using an app to access your camera?
If yes, then there is your problem. The app has set up a cloud service that will keep tabs on your camera.
Get rid of the app.
 

vlct

Yes you are right, I know it's the cloud service trying to access my cam, which is what I'm trying to stop.

I do have an app, but with my phone disabled from the net (wifi off and data off) and with any cam software I'm running turned off I can still see the traffic for the cam on my router.

So would getting rid of the app work even if it's disabled and not accessing the cam at all?

Or do I need to stop the cam/cloud communication somehow through the router? And how do I go about that?
 

vlct

I have already read that guide, I am using a VPN, have got UPnP turned off and not forwarding ports.

All I want to do is stop internet access to the cam and cloud or whatever it's connecting to over the net.

I just want this connected to my LAN and VPN only.

What settings in the router do I need to configure?
 

vandyman

What camera brand, model are you using?
 

vlct

It's just a cheap PTZ Eyeplus_dev, so there is nothing in any of the limited settings for this thing, so I need to restrict its access to the web by the router.
I'm just not sure what section in the router I need to configure?
 

handinpalm

Getting comfortable
Joined
Sep 21, 2016
Messages
679
Reaction score
1,433
Location
Tampa Bay FL
I have an Asus router where it enables you to block specific LAN IP addresses from internet traffic. I looked at your router's manual online and did not see this function. I like the Asus routers.
 

vlct

Thanks handinpalm, that's something like I'm looking for. I don't know much about all those different router settings, maybe there is some other way this router can do this?
 

Jessie.slimer

BIT Beta Team
Joined
Aug 23, 2019
Messages
1,633
Reaction score
4,665
Location
Illinois
I'm a big fan of the dual NIC method. Cheap, easy, reliable.

 

vlct

Have made some progress on this. In router settings I have blacklisted the cam's IP, so that has stopped any internet traffic with the cam.

So now I can still access the cam on the LAN just the same as before, while stopping any traffic to the internet (cam and router at the same house).

But now on the VPN remotely I can still access my router just like before but the cam won't connect now. It only works if I un-blacklist it, which gives it internet access again.

So why would the cam need internet access to work on the VPN but works with no problem on the LAN with internet access blocked?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,404
It's because of how the VPN works on most routers by default. You don't truly have a local IP address when connected over the VPN. It's routing an external address to an internal address. So the blacklist still blocks the external address.

What you'd need to do when you want to view the cam from outside your net is as you've seen - access the router, take cam off blacklist, do whatever you need to do, turn it back on.

Alternately, you may be able to set up routing rules to allow access to that interface but kind of complicated and depends on lower level command line access to the router. Won't be something that you can do through the web interface typically.
 

vlct

Thanks Mike A.

So how secure is this cam since it needs open internet access to work on the VPN?

I have done everything in the 'How to Secure Your Network (Don't Get Hacked!)' post, so is this enough?

Like I can see the VPN side of this is secure (well I think that's the case?), but having open access to the internet also, what else could this cam be up to in the background without me knowing? How can I know this thing is not being used somehow in the wrong way from someone if that's possible?

Is there any way of only the VPN having access and not anyone else being able to access this cam on the net in some way?
 

Mike A.

That will get you a long way there and avoid the biggest risk.

The VPN will secure the "front door" to your network. It doesn't necessarily prevent other ways of potentially getting in. e.g., You could have the VPN up and still have ports left open, a trojan on a computer or other device inside of your net, rogue cams phoning home or sending other info back, etc., etc.

The VPN should prevent someone from the outside having access to your cam. There are some other at least potential ways of coming from the cam or otherwise inside your net but less likely. The VPN won't let someone from the outside take advantage of an open vulnerability as they might if port forwarded which is the most common.

You could watch the cam using Wireshark or some other packet capture, IDS, or activity monitoring systems to see what the cams are doing.

The best approach is to assume that cams and other similar IoT devices are inherent risks and to block and/or segregate them from the rest of your network to the greatest extent that you can. Block Internet access to the devices at your router, VLAN into a separate segment, point gateways to non-functioning values, turn off all other communications functions that are not needed, P2P, FTP, etc.
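
One way to act on the packet-capture suggestion above, as an added example that is not part of the original thread: a Python sketch that reads `tcpdump -n` text output and lists every destination the camera sends to outside the LAN and VPN ranges. The camera address, the LAN and VPN subnets, and the sample capture lines are constructed assumptions; substitute your own.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing for this sketch (not taken from the thread).
CAM_IP = ipaddress.ip_address("192.168.0.50")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Matches "IP src.port > dst.port:" as printed by `tcpdump -n` for IPv4 TCP/UDP.
FLOW_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(dst):
    """Label a destination relative to the zones the camera is allowed to reach."""
    if dst in LAN_NET:
        return "lan"
    if dst in VPN_NET:
        return "vpn"
    # mDNS/SSDP and limited broadcast never leave the local segment.
    if dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255"):
        return "local-discovery"
    return "internet"

def camera_flows(lines):
    """Count packets sent by the camera, keyed by (zone, dst_ip, dst_port)."""
    counts = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and truncated lines are ignored here
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[3])
        if src != CAM_IP:
            continue  # only traffic the camera itself originates
        counts[(classify(dst), str(dst), int(m[4]))] += 1
    return counts

def internet_destinations(lines):
    """Return the (ip, port) pairs the camera reached outside LAN and VPN."""
    return sorted({(ip, port) for (zone, ip, port) in camera_flows(lines)
                   if zone == "internet"})

# Constructed sample lines in `tcpdump -n` format (documentation address ranges).
SAMPLE = """\
12:00:01.000001 IP 192.168.0.50.43122 > 203.0.113.10.8000: UDP, length 64
12:00:01.500000 IP 192.168.0.50.43122 > 203.0.113.10.8000: UDP, length 64
12:00:02.100000 IP 192.168.0.50.554 > 10.8.0.2.40100: Flags [P.], length 1400
12:00:03.000000 IP 192.168.0.50.5353 > 224.0.0.251.5353: UDP, length 45
12:00:04.000000 IP 192.168.0.50.39000 > 198.51.100.7.443: Flags [S], length 0
12:00:05.000000 IP 192.168.0.20.51000 > 192.168.0.50.554: Flags [.], length 0
""".splitlines()
```

With the router block in place, `internet_destinations()` over a fresh capture should come back empty; anything it still lists is traffic the block is not catching.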
 