Prevent Dahua Starlight (IPC-HDW5231R-Z) from accessing internet

LandofTomorrow (Young grasshopper; joined Apr 19, 2017; messages: 62; reaction score: 3)
Hi,
I recently received 6 of the Starlights from Andy and am thankful to all those who contribute to this forum for getting me started. I wanted to check something with you. Just yesterday I had an installer run wires and install the 6 cams around my home. I should be receiving a computer in the next 3 or 4 days to install BI. In the meantime I wanted to ensure that the cams are blocked from accessing the internet.

I set up the cams yesterday in Chrome by adding the NACL web plugin (the Dahua web interface needs a plugin in Chrome to see the video). I changed the admin passwords for all 6 cams. I do not have port forwarding on my Asus router (running TomatoUSB, BTW). Are there additional steps to take on the cameras through the web GUI to block them from accessing the internet?

I noticed in the web GUI for the cameras, under "Network", in the "Connection" tab, there are a bunch of ports listed. I tested these ports on canyouseeme.org and it looks like the ports are not accessible.

Anything else I need to do?
Thanks

P.S. I am reading the VPN for noobs primer, which I will hopefully set up once I get my computer and have set up Blue Iris and waded through all of BI's fun stuff!!

Juppers (n3wb; joined May 7, 2017; messages: 7; reaction score: 5)
Manually assign IPs and don't assign a gateway. They will only be able to talk to devices on the same subnet.

LandofTomorrow (Young grasshopper; joined Apr 19, 2017; messages: 62; reaction score: 3)
Thank you. I did manually assign a static IP earlier. I can't delete the default gateway or change it much, as it keeps giving me the message "IP and default gateway are not in the same network segment" if I choose a number outside the same network when I hit save. Is it OK if I choose a far-off last number, e.g. 192.168.1.250 (since I have nothing at that IP on my router)?

Should I leave the rest as default (preferred DNS server, ports in "Connection")?

Thanks

Mike A. (Known around here; joined May 6, 2017; messages: 3,828; reaction score: 6,385)
You also should block Internet access for those devices by MAC address/IP on your router. I'm sure that Tomato provides that functionality. That will stop all outgoing traffic and prevent whatever you might miss or that isn't provided for in the camera's setup: random open ports, or stuff that continues to run in the background even after you've turned it off (as many of these cams tend to do).
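The router-side block Mike A. describes, worked through as an added example (this is not code from the thread, from Tomato, or from Dahua). It renders a script for Tomato's Administration > Scripts > Firewall box that drops WAN-bound traffic from a list of cameras by IP and by MAC while leaving LAN traffic (camera to Blue Iris host) untouched, and it includes a small offline mirror of the policy so the rules can be reasoned about before they go on the router. Interface names (br0, vlan2), the camera addresses and MACs are assumptions.

```python
"""Tomato firewall rules that keep IP cameras off the Internet but on the LAN.

Added example, not code from the thread or from Tomato. Assumptions: the LAN
bridge is br0 and the WAN interface is vlan2 (typical Tomato/Asus defaults;
confirm with `nvram get lan_ifname` / `nvram get wan_ifname`), and the camera
inventory below is constructed. The rendered script is meant for
Administration > Scripts > Firewall, which Tomato runs after its own rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

LAN_IF = "br0"
WAN_IF = "vlan2"
LAN_NET = ip_network("192.168.1.0/24")
CHAIN = "cam_nowan"  # dedicated chain so the rules can be flushed and reloaded as a unit


@dataclass(frozen=True)
class Camera:
    name: str
    ip: str
    mac: str  # matched as well as the IP, so a camera that changes address stays blocked


CAMERAS = [  # constructed inventory, not real devices
    Camera("cam-front", "192.168.1.201", "3c:ef:8c:00:00:01"),
    Camera("cam-drive", "192.168.1.202", "3c:ef:8c:00:00:02"),
]


def render_script(cams: Iterable[Camera]) -> str:
    """Render the iptables script. Rules are appended to the chain in order,
    so each camera's LOG rule is evaluated before its DROP; the chain is then
    inserted at the top of FORWARD, ahead of Tomato's own accept rules.
    Re-running the script is safe: the chain is flushed and re-hooked."""
    lines = [
        "#!/bin/sh",
        f"iptables -N {CHAIN} 2>/dev/null",
        f"iptables -F {CHAIN}",
    ]
    for cam in cams:
        for match in (f"-s {cam.ip}", f"-m mac --mac-source {cam.mac}"):
            # LOG prefix must stay under the kernel's 29-character limit
            lines.append(
                f"iptables -A {CHAIN} {match} -o {WAN_IF} -m limit --limit 6/min "
                f'-j LOG --log-prefix "CAM-WAN {cam.name}: "'
            )
            lines.append(f"iptables -A {CHAIN} {match} -o {WAN_IF} -j DROP")
    # Only packets arriving from the LAN bridge are diverted. LAN-to-LAN
    # traffic (camera -> Blue Iris host) never has OUT=vlan2, so it is untouched.
    lines.append(f"iptables -D FORWARD -i {LAN_IF} -j {CHAIN} 2>/dev/null")
    lines.append(f"iptables -I FORWARD 1 -i {LAN_IF} -j {CHAIN}")
    return "\n".join(lines) + "\n"


def forwarded(src_ip: str, src_mac: str, dst_ip: str, cams: Iterable[Camera]) -> bool:
    """Offline mirror of the policy: would the router forward this packet?
    Destinations outside LAN_NET leave via the WAN and are dropped for any
    listed camera IP or MAC; everything else passes."""
    if ip_address(dst_ip) in LAN_NET:
        return True
    src_mac = src_mac.lower()
    return not any(c.ip == src_ip or c.mac.lower() == src_mac for c in cams)


if __name__ == "__main__":
    print(render_script(CAMERAS))
```

Two practical notes on this design: the block applies to forwarded traffic only, so the camera can still talk to the router itself (DHCP, and local NTP/DNS if the router offers them), which is the reason to point the camera's NTP and DNS settings at a LAN host rather than a public server; and because each camera is matched by MAC as well as IP, a camera that is renumbered, or that grabs a DHCP lease after a reset, stays blocked. Anything it still tries to reach shows up in the router log under the CAM-WAN prefix.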

LandofTomorrow (Young grasshopper; joined Apr 19, 2017; messages: 62; reaction score: 3)
Thank you. I didn't think of that. I did that now, and yes, it is an option in Tomato also. Do I need to reverse this once I set up a VPN on the router?

Mike A. (Known around here; joined May 6, 2017; messages: 3,828; reaction score: 6,385)
No. Once you've successfully connected via VPN you're inside your own network. It would not work if you were trying to access the cameras directly via port forwarding, DMZ, etc.

Mike A. (Known around here; joined May 6, 2017; messages: 3,828; reaction score: 6,385)
Just realized that I was wrong after trying something on my own system here. It will depend on what you use and how you have things set up. Using OpenVPN out of the box with default settings on my Asus AC68R, it does block direct access to those devices if they're blocked from the Interwebs. It's been a while since I used it, but I don't think that my previous N66U router using the PPTP VPN server did that. Not sure how Tomato handles things.

In any case, using Blue Iris it won't be much of a problem even if blocked, since you'll point the cams internally to it and can access them that way. If you need to get to the camera directly for some reason, then you can access your router while in VPN, unblock it momentarily, make whatever changes, and then flip it back off again.

Sorry, didn't want you banging your head against the wall trying to make it work after I said that it would, if yours works the same way. Easy to test by coming in via VPN and toggling the block on/off on your router while trying the address.

LandofTomorrow (Young grasshopper; joined Apr 19, 2017; messages: 62; reaction score: 3)

Thank you for the follow-up and for testing it out. Fortunately I will be accessing the BI server only. I set up BI yesterday with the basics and need to work on it (it catches cars on the street but not people walking on the sidewalk, picks up changing shadows from the roof, etc.). After I have worked on that, I do plan to change routers to an Asus AC68 that I purchased last year when I was having some issues on my older Asus RT-N16 that I have been running Tomato on. The current Tomato version also does not have VPN, so that is a reason to move to the newer Asus and either use the Asus firmware or the Merlin version.

Thank you again!

TVT73 (Pulling my weight; joined Aug 29, 2016; messages: 406; reaction score: 108; location: Germany)
Manually assign IPs and don't assign a gateway. They will only be able to talk to devices on the same subnet.
He received an international cam from a trusted seller. Using a secure admin password is the only thing to do. These cams have no official or known phone-home (backdoor); no UPnP or Easy4IP/P2P is active by default. So don't be afraid.
But I would also advise adding at least a second user with admin rights. If you have a password problem you wouldn't be locked out of the cam. For Blue Iris, e.g., create a user BlueIris and give it only user rights; this should be enough.

I wouldn't remove internet access; NTP and several other useful functions need internet. This has nothing to do with OpenVPN accessing the cam.

Mike A. (Known around here; joined May 6, 2017; messages: 3,828; reaction score: 6,385)
he received a international cam from a trustful seller. Using a secure admin password is the only thing to do. These cams have no official or known talking home (backdoor), no upnp or easy4ip / p2p by default active. So dont´t be afraid...
At least some do appear to attempt to "phone home", ignoring Easy4IP/UPnP/other applicable settings, as does an SD29204T-GN that I recently bought:

Dahua Starlight IPC-HDW5231RN-Z not working :(

None of these things really are trustworthy no matter where they come from, and all are subject to potential exploits and vulnerabilities.

TVT73 (Pulling my weight; joined Aug 29, 2016; messages: 406; reaction score: 108; location: Germany)
@Mike A.
I read this also. I haven't proven this yet. I would rather like to speak about proven facts. I don't want to put blame on Dahua; writing those things can cause misunderstandings for many users as long as the facts are maybe only rumours or examinations from only a handful of persons without a description for redoing it.
It has nothing to do with you; this is a normal problem of internet forums, where the truth is difficult to find among many self-made professionals with half-truths.
I like this article about the internet truth:
mobile.nytimes.com/2016/11/03/technology/how-the-internet-is-loosening-our-grip-on-the-truth.html

Mike A. (Known around here; joined May 6, 2017; messages: 3,828; reaction score: 6,385)
It's proven by the logs and captures from my own network and similar results from others. e.g.:

Dahua latest stable firmware + Best Practice Reminder
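Mike A. points to logs and captures from his own network as the evidence; the way to reproduce that on a Tomato router is to log the dropped camera traffic and then read the log back. The following is an added example, not code from the thread or from anyone in it: it parses netfilter LOG-target lines as Tomato writes them to syslog (visible with `logread`) and summarises, per camera, which destinations and ports it kept trying. The "CAM-WAN <name>: " prefix is assumed to come from a LOG rule on the router, the log lines are constructed, and the public destinations are documentation addresses (203.0.113.0/24, 198.51.100.0/24), not any real server.

```python
"""Summarise what blocked cameras tried to reach, from the router's log.

Added example, not from the thread. The log text is constructed: it follows
the netfilter LOG-target format that Tomato writes to syslog (see `logread`),
with a "CAM-WAN <name>: " prefix assumed to come from a LOG rule on the
router. Public destinations use documentation ranges (203.0.113.0/24,
198.51.100.0/24), not any real server.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = """\
May 20 03:14:09 tomato kernel: CAM-WAN cam-front: IN=br0 OUT=vlan2 SRC=192.168.1.201 DST=203.0.113.53 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=36912 DPT=53 LEN=42
May 20 03:14:09 tomato kernel: CAM-WAN cam-front: IN=br0 OUT=vlan2 SRC=192.168.1.201 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40123 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
May 20 03:14:12 tomato kernel: CAM-WAN cam-front: IN=br0 OUT=vlan2 SRC=192.168.1.201 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40123 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
May 20 03:14:18 tomato kernel: CAM-WAN cam-front: IN=br0 OUT=vlan2 SRC=192.168.1.201 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=40123 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
May 20 03:15:01 tomato kernel: CAM-WAN cam-drive: IN=br0 OUT=vlan2 SRC=192.168.1.202 DST=198.51.100.123 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
May 20 03:15:03 tomato kernel: br0: port 3(eth2) entered forwarding state
"""

# Syslog timestamp, host, "kernel:", our prefix, then the key=value tail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: CAM-WAN (?P<cam>[\w-]+): (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # bare flags such as DF or SYN carry no '=' and are skipped


@dataclass
class Attempt:
    count: int = 0
    first: str = ""
    last: str = ""


def classify(proto: str, dport: str) -> str:
    """Coarse label: name lookups and time sync are the things a camera is
    expected to want (and can be served from the LAN instead); anything else
    deserves a closer look."""
    if dport == "53":
        return "dns"
    if proto == "UDP" and dport == "123":
        return "ntp"
    return "other"


def summarise(log_text: str):
    """Return {camera: {(dst, proto, dport): Attempt}} for every logged WAN-bound packet."""
    out = defaultdict(lambda: defaultdict(Attempt))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel message
        kv = dict(KV_RE.findall(m["kv"]))
        key = (kv.get("DST", "?"), kv.get("PROTO", "?"), kv.get("DPT", "-"))
        entry = out[m["cam"]][key]
        if entry.count == 0:
            entry.first = m["ts"]
        entry.count += 1
        entry.last = m["ts"]
    return out


def report(log_text: str) -> list:
    """One line per (camera, destination), busiest first."""
    rows = []
    for cam, dests in summarise(log_text).items():
        for (dst, proto, dport), a in dests.items():
            text = (f"{cam}: {a.count}x {proto}/{dport} -> {dst} "
                    f"[{classify(proto, dport)}] {a.first}..{a.last}")
            rows.append((a.count, text))
    return [text for _, text in sorted(rows, key=lambda r: -r[0])]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Read the output with the camera's own configuration beside it: a DNS or NTP attempt to an address the camera was never given, or a repeated TCP connection to a fixed host after Easy4IP/P2P and UPnP have been switched off, is the kind of evidence the post above refers to, and it is reproducible by anyone with the same block and LOG rule in place. A packet capture on the LAN side (the exported `tcpdump` from the router, or a mirror port) then shows the payload if the port alone is not conclusive.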