"Recent posts
#91
General Discussion / Re: block cameras to internet
Last post by coffeecup25 - December 17, 2025, 05:47:46 PMQuote from: meyergru on December 17, 2025, 05:42:22 PMRFC1918 IPs do go out over the internet if they are on your LAN and a NAT rule exists via the WAN IP - this is the default for any OpnSense installation as for LAN, there is a default "allow any -> any" rule and an automatic NAT rule for the WAN. If this were not so, you would not have internet access from your LAN.
And you still do not get what the firewall rule of the OP does: It is an "in" rule on (presumably) the LAN interface, which essentially blocks all outbound access for the cameras (as source) - the ONLY reason that in the destination, RFC1918 is exempted is to still allow local access (by virtue of the (presumably) existing "allow any" rule that comes further down in the list, but is not shown).
Stop the presses. OPNsense by default allows all local traffic to escape to the internet for all to see. Only a select few have firewall rules to prevent this.
That's what you just wrote. If it's true then I will immediately replace my Chinese router pcs with my spare TP-Link ER605-V2 and be safe once again. Please confirm.
Quick question: How does the internet differentiate my 192.168.1.xxx from yours or anyone else's? There must be millions to choose from all across the world with the same local IP address? Or is my leaked data just floating in the ozone? Again - look up NAT and SPI, they work hand in glove to separate the local network from the outside world. Except possibly in OPNsense, according to you.
#92
General Discussion / Re: block cameras to internet
Last post by meyergru - December 17, 2025, 05:44:25 PMQuote from: robertkwild on December 17, 2025, 05:32:29 PMbut trouble is my rule doesnt work and i dont understand why it doesnt work, i dont get how its going out even tho ive created a rule for it, do i need to create an outbound NAT rule aswell?
Then you need to show your rules in detail. What exactly is AllInt? Your LAN interface, an interface group or what?
What are the rules than are cut away in your screendump?
#93
General Discussion / Re: block cameras to internet
Last post by meyergru - December 17, 2025, 05:42:22 PMRFC1918 IPs do go out over the internet if they are on your LAN and a NAT rule exists via the WAN IP - this is the default for any OpnSense installation as for LAN, there is a default "allow any -> any" rule and an automatic NAT rule for the WAN. If this were not so, you would not have internet access from your LAN.
And you still do not get what the firewall rule of the OP does: It is an "in" rule on (presumably) the LAN interface, which essentially blocks all outbound access for the cameras (as source) - the ONLY reason that in the destination, RFC1918 is exempted is to still allow local access (by virtue of the (presumably) existing "allow any" rule that comes further down in the list, but is not shown).
And you still do not get what the firewall rule of the OP does: It is an "in" rule on (presumably) the LAN interface, which essentially blocks all outbound access for the cameras (as source) - the ONLY reason that in the destination, RFC1918 is exempted is to still allow local access (by virtue of the (presumably) existing "allow any" rule that comes further down in the list, but is not shown).
#94
General Discussion / Re: block cameras to internet
Last post by coffeecup25 - December 17, 2025, 05:35:18 PMQuote from: robertkwild on December 17, 2025, 05:32:29 PMbut trouble is my rule doesnt work and i dont understand why it doesnt work, i dont get how its going out even tho ive created a rule for it, do i need to create an outbound NAT rule aswell?
I just explained why the rule does not work. More than once. What are you really asking?
coffeecup25 exits the group chat.
#95
General Discussion / Re: block cameras to internet
Last post by coffeecup25 - December 17, 2025, 05:33:32 PMQuote from: meyergru on December 17, 2025, 05:27:55 PM@coffecup25: Your cameras and selected IoT devices may do that. Where does the OP say he uses exactly those devices?
The OP expressed concern and wanted to make sure his cameras do not connect outside - and he successfully achieved that goal by his firewall rule.
Besides that: If you can use your camera app from outside of your network, I can absolutely, 100% assure you that the cameras connect outside without your app started or active or you having asked for a cloud connection - if not for a standing connection, your app could not reach your cameras inside your home network in the first place. So, who would then tell your cameras to connect outside? See? BTW: This was exactly the case with my friend's UpCams.
Please note - I do not say YOUR cameras do this. I only say, SOME (if not most) do, so read the OP's request again in that light.
As RFC1918 states, non-routable addresses do not go out over the internet, so there's no need to block them from the WAN. I covered this in detail above. Anyone who wants to do a little intro to networking research can easily confirm this.
Agree nothing can connect to the internet without a standing connection. Also my point above in excruciating detail.
#96
General Discussion / Re: block cameras to internet
Last post by robertkwild - December 17, 2025, 05:32:29 PMbut trouble is my rule doesnt work and i dont understand why it doesnt work, i dont get how its going out even tho ive created a rule for it, do i need to create an outbound NAT rule aswell?
#97
General Discussion / Re: block cameras to internet
Last post by meyergru - December 17, 2025, 05:27:55 PM@coffecup25: Your cameras and selected IoT devices may do that. Where does the OP say he uses exactly those devices?
The OP expressed concern and wanted to make sure his cameras do not connect outside - and he successfully achieved that goal by his firewall rule.
Besides that: If you can use your camera app from outside of your network, I can absolutely, 100% assure you that the cameras connect outside without your app started or active or you having asked for a cloud connection - if not for a standing connection, your app could not reach your cameras inside your home network in the first place. So, who would then tell your cameras to connect outside? See? BTW: This was exactly the case with my friend's UpCams.
Please note - I do not say YOUR cameras do this. I only say, SOME (if not most) do, so read the OP's request again in that light.
The OP expressed concern and wanted to make sure his cameras do not connect outside - and he successfully achieved that goal by his firewall rule.
Besides that: If you can use your camera app from outside of your network, I can absolutely, 100% assure you that the cameras connect outside without your app started or active or you having asked for a cloud connection - if not for a standing connection, your app could not reach your cameras inside your home network in the first place. So, who would then tell your cameras to connect outside? See? BTW: This was exactly the case with my friend's UpCams.
Please note - I do not say YOUR cameras do this. I only say, SOME (if not most) do, so read the OP's request again in that light.
#98
General Discussion / Re: block cameras to internet
Last post by meyergru - December 17, 2025, 05:20:56 PMQuote from: robertkwild on December 17, 2025, 03:51:58 PMhow would i then go about blocking those cameras off the internet then please?
Your rule should do this, do not worry.
#99
General Discussion / Re: block cameras to internet
Last post by coffeecup25 - December 17, 2025, 05:12:28 PMmeyergru,
No, I called every shot correctly.
My TAPO doorbell and light bulbs and various cameras all use the TAPO App to communicate with TP-Link. They do not have minds of their own like little AI Terminators. I even have them on their own subnet (no VLANs anywhere). Very private on my network. If I want them to stop communicating with TP-Link, then I disconnect them from my local lan and they go silent. They will also probably stop working. My thermostat, on the same IOT subnet, works without a connection to the home office. When it is connected, I can change the temperature while never leaving my recliner - from anywhere in the world. the TP-Link TAPO app allows world wide access. So there's that.
Moral and absolute rule every time - turn off the app if you don't want it to go out over the internet. The little terminators may fume but a doorbell can't cause much harm without an internet or lan connection.
Putting non trusted apps or non-trusted people on separate networks, or separate broadcast domains using a VLAN, has ABSOLUTELY NOTHING to do with RFC1918.
NAT and SPI don't works as you think they do. Seriously, look it up. you will be embarrassed. But, as I said, the only people who don't make mistakes are the people who don't do anything. So good for you for putting yourself out there. So many 'experts' only lurk behind the scene and undermine those who do things.
So, back to the original poster. Shut down the app and you will end your concerns automatically. or block the ip assigned from DHCP from outgoing traffic. But first assign a fixed local ip otherwise it may get a new number after the lease expires.
No, I called every shot correctly.
My TAPO doorbell and light bulbs and various cameras all use the TAPO App to communicate with TP-Link. They do not have minds of their own like little AI Terminators. I even have them on their own subnet (no VLANs anywhere). Very private on my network. If I want them to stop communicating with TP-Link, then I disconnect them from my local lan and they go silent. They will also probably stop working. My thermostat, on the same IOT subnet, works without a connection to the home office. When it is connected, I can change the temperature while never leaving my recliner - from anywhere in the world. the TP-Link TAPO app allows world wide access. So there's that.
Moral and absolute rule every time - turn off the app if you don't want it to go out over the internet. The little terminators may fume but a doorbell can't cause much harm without an internet or lan connection.
Putting non trusted apps or non-trusted people on separate networks, or separate broadcast domains using a VLAN, has ABSOLUTELY NOTHING to do with RFC1918.
NAT and SPI don't works as you think they do. Seriously, look it up. you will be embarrassed. But, as I said, the only people who don't make mistakes are the people who don't do anything. So good for you for putting yourself out there. So many 'experts' only lurk behind the scene and undermine those who do things.
So, back to the original poster. Shut down the app and you will end your concerns automatically. or block the ip assigned from DHCP from outgoing traffic. But first assign a fixed local ip otherwise it may get a new number after the lease expires.
#100
General Discussion / Re: Stop automatic default rou...
Last post by Maurice - December 17, 2025, 05:06:34 PM@Monviech Exactly, "Upstream Gateway" is a preference setting, not a "this gateway will always / never be upstream".
Having two preference settings (numeric "Priority" and binary "Upstream Gateway") has always been a bit confusing.
Having two preference settings (numeric "Priority" and binary "Upstream Gateway") has always been a bit confusing.
