Blocking Camera Access from WAN

Discussion in 'Asuswrt-Merlin' started by cdikland, May 15, 2019.

  1. cdikland
    I am running Merlin FW v384.11 on an Asus RT-AC86U with OpenVPN 1 enabled. Recently, I added four Wansview IP cameras and noticed that when using their app I was able to access each camera remotely. The app does not provide any capability to restrict WAN access, and when talking to Wansview support they suggested adding a FW rule. I added the following rule, which I borrowed from another post, for each camera:
    Code:
    iptables -I FORWARD 2 -s cam-lan-ip -o eth0 -j DROP

    Success so far. Each camera is still accessible from within the LAN and no longer accessible from the WAN. The problem is that it is also no longer accessible when I connect to my VPN. I can (and have) connected each camera to other video apps such as BlueIris or iSpy, and most of my problems are solved. The only problem is that I must use the Wansview app to modify camera settings, which, with the above rules enabled, is only possible when connected to the LAN.

    Is there any additional rule (or rules) I should or could add that would permit access to each camera when connected to the VPN?

    Hope this makes sense.
  2. Martineau
    Add rule for inbound OpenVPN server access to cameras
  3. cdikland

    Maybe I am missing something here, or I have got it all wrong, but adding the following didn't seem to make any difference.

    From your post I modified:

    Firewall $ACTION FORWARD -s $CAMERA -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
    Firewall $ACTION FORWARD -s $CAMERA -i br0 -o tun2+ -j ACCEPT

    to

    iptables -I FORWARD -s 192.168.1.248 -i eth0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
    iptables -I FORWARD -s 192.168.1.248 -i eth0 -o tun2+ -j ACCEPT

    and/or

    iptables -I FORWARD -s 192.168.1.248 -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
    iptables -I FORWARD -s 192.168.1.248 -i br0 -o tun2+ -j ACCEPT

    If that is what you meant, then I assume the problem lies within the Wansview app itself.
  4. Martineau

    The thread How to block ip camera from accessing the internet covers this, although the script now creates its own chain (to keep the FORWARD chain clean of clutter, and to make it easier to ensure that the rules are inserted at the appropriate ranking).
    Code:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src udp dpt:123
    2        0     0 LOG        all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src LOG flags 7 level 4 prefix "[BLOCKED - IOT] "
    3        0     0 DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src
    4     560K  275M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5    33663 4193K MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    6    26944 3719K MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    7     6656  356K MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
    8        2    88 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
    9       86  5342 MyHive     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hive src,dst
    10       3   278 MyTplink   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Tplink src,dst
    11       0     0 MyIot      all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Iot src,dst
    12    5500  400K other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0          
    13    1859  195K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
    14    2015 92295 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    15    9122 2610K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    16    9121 2609K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    17       1    44 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    18       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    19       0     0 DNSFILTER_DOT  tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
    20       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

    So two rules are inserted for each IPCAM device
    i.e. ALL unsolicited inbound requests from the WAN are DROP'd, but the IPCAMs can always respond outbound via the OpenVPN servers.
    Code:
    iptables -A MyIPCAMs -d xxx.xxx.xxx.xxx -i eth0 -m state --state NEW -j DROP
    iptables -A MyIPCAMs -s xxx.xxx.xxx.xxx -i br0 ! -o tun2+ -j DROP
    Code:
    Chain MyIPCAMs (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1     1822  138K ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
    2        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.120          state NEW
    3     1187 71220 DROP       all  --  br0    !tun2+  10.88.8.120          0.0.0.0/0          
    4        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.121          state NEW
    5        0     0 DROP       all  --  br0    !tun2+  10.88.8.121          0.0.0.0/0          
    6        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.122          state NEW
    7        0     0 DROP       all  --  br0    !tun2+  10.88.8.122          0.0.0.0/0          
    8        0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.123          state NEW
    9     2091  125K DROP       all  --  br0    !tun2+  10.88.8.123          0.0.0.0/0          
    10       0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.125          state NEW
    11    2163  130K DROP       all  --  br0    !tun2+  10.88.8.125          0.0.0.0/0          
    12       0     0 DROP       all  --  eth0   *       0.0.0.0/0            10.88.8.148          state NEW
    13       4   240 DROP       all  --  br0    !tun2+  10.88.8.148          0.0.0.0/0

    P.S. I think there was a similar thread about another bespoke IPCAM management utility; not sure if the root cause was that the app was only able to use broadcast on the LAN, or whether there were other firewall rules with a higher priority?
    Not sure if the OP managed to resolve/identify whether that was the issue, as ALL ports should be allowed unrestricted.
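The following is an added worked example, not code from the thread, from Martineau's script or from Asuswrt-Merlin. It builds a dedicated camera chain of the same shape as the MyIPCAMs listing above (per camera: drop unsolicited connections arriving from the WAN, drop anything the camera sends that is not heading into an OpenVPN server tunnel, NTP to the WAN allowed as in rule 1 of that chain) for a list of camera IPs, and hooks the chain into FORWARD directly after the RELATED,ESTABLISHED ACCEPT. Interface names (br0, wan0_ifname / eth0, tun2+) and the chain name are taken from the thread; the function names, the `IPT=echo` dry-run switch, and the decision to hook the chain without an `-i br0` match (so that the `-i eth0` rules inside it can actually be reached) are this example's own choices. Running it from /jffs/scripts/firewall-start is the usual Asuswrt-Merlin place for such rules.

```shell
#!/bin/sh
# Added example (not code from the thread or from Asuswrt-Merlin): build a
# dedicated IPCAM chain along the lines of the MyIPCAMs listing in the thread
# and hook it into FORWARD, for a list of camera IPs.
# Assumptions (interface and chain names as in the thread; the rest made here):
#   - LAN bridge br0, WAN interface from nvram (eth0 on the RT-AC86U listing),
#     OpenVPN server tunnels tun2+;
#   - NTP (udp/123) to the WAN is allowed so the cameras keep correct time;
#   - the chain is hooked into FORWARD right after the RELATED,ESTABLISHED
#     ACCEPT and without an -i br0 match, so both the inbound (-i eth0) and
#     the outbound (-i br0) rules inside the chain can be reached.
# Set IPT=echo for a dry run that prints the iptables invocations instead of
# applying them.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-MyIPCAMs}"
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun2+}"
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"

# Print the two per-camera rules (as iptables arguments) for every IP given.
ipcam_rules() {
    for cam in "$@"; do
        # 1) unsolicited connections arriving from the WAN towards the camera
        echo "-A $CHAIN -d $cam -i $WAN_IF -m state --state NEW -j DROP"
        # 2) anything the camera sends that is not heading into an OpenVPN
        #    server tunnel (replies to VPN clients still pass)
        echo "-A $CHAIN -s $cam -i $LAN_IF ! -o $VPN_IF -j DROP"
    done
}

# Read `iptables -nL FORWARD --line-numbers` on stdin and print the rule
# position directly after the RELATED,ESTABLISHED ACCEPT (1 if there is none),
# so established flows are never evaluated by the camera chain.
insert_pos_after_established() {
    awk '/RELATED,ESTABLISHED/ { print $1 + 1; found = 1; exit }
         END { if (!found) print 1 }'
}

# (Re)build the chain and its single FORWARD hook; safe to run repeatedly,
# e.g. from /jffs/scripts/firewall-start on Asuswrt-Merlin.
apply_ipcam_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -A "$CHAIN" -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 123 -j ACCEPT
    ipcam_rules "$@" | while read -r rule; do
        # word-splitting of $rule is intended: it holds iptables arguments
        $IPT $rule
    done
    # remove any previous hook first so the computed position is accurate
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true
    pos=$($IPT -nL FORWARD --line-numbers | insert_pos_after_established)
    $IPT -I FORWARD "$pos" -j "$CHAIN"
}

# Example invocation: IPCAM_APPLY=1 sh ipcam-chain.sh 192.168.1.248 192.168.1.249
if [ "${IPCAM_APPLY:-0}" = 1 ]; then
    apply_ipcam_chain "$@"
fi
```

After applying it, check `iptables -nvL MyIPCAMs` while probing a camera from the VPN and from outside: the `-i br0 ! -o tun2+` rules should count packets as the camera tries to reach the WAN, and the `-i eth0 ... NEW` rules should count packets only if a WAN port forward to a camera exists. If the `-i eth0` rules stay at zero forever although a port forward exists, the chain is being entered with an `-i br0` hook (as in the listing above, where the hook is `br0 *`) and those rules are never evaluated. Note also that a blanket `-s cam -o eth0 -j DROP` as in the first post stops the camera reaching the WAN; a cloud/P2P-style app that expects the camera to call out to a vendor server is therefore affected regardless of whether the phone is on the VPN, which the rules here do not and cannot change.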