Just P2P, right?

[Bradfm]

This is just normal P2P traffic, right? Maybe just paranoid, but what's with the changing IP addresses? It seems on every subsequent log page the camera changes the outbound IP address. By the way- P2P is disabled on all these cameras on the web interface, but they are still hammering the firewall with ARP requests and traffic. (With the exception of the Amcrest camera, these are all Reolink RLC-410's.)

 

[bp2008]

Large-scale web services, such as those you'd expect to service millions of IoT devices, would typically have many IP addresses capable of providing service. Assuming the cameras are querying a DNS server to get those addresses, your firewall logs might be able to tell you what DNS queries the cameras are making, and that might give more information about what they are trying to accomplish with those connections.

Anyway you might also want to block DNS access from your cameras too. There still remains a small chance the cameras have some hard-coded IP addresses to reach out to, but that would generally be a terrible engineering decision so I'd say it is unlikely.

 

[Bradfm]

Makes sense, thank you. Good idea about the DNS queries to get a bit more insight. That's my next step with Wireshark.