block cameras to internet

Started by robertkwild, December 17, 2025, 02:32:06 PM

December 19, 2025, 10:17:01 PM #30 Last Edit: December 19, 2025, 10:19:06 PM by TheAutomationGuy
Quote from: TheAutomationGuy on December 19, 2025, 10:10:19 PM
Quote from: coffeecup25 on December 17, 2025, 03:29:50 PM
There's a good chance I am missing the point entirely, but you may be doing something unnecessary.

The RFC1918 addresses are non-routable by design. This system allows you, me and the man behind the tree to all have 192.168.1.1/24 subnets without crashing into each other. The three ranges normally are associated with various-sized networks, with the 192.168.x.x ranges for home networks by convention. Nothing prevents a home network from using one of the other ranges.

Find out the app that's sending the videos outside of your home and shut it down.

https://netbeez.net/blog/rfc1918/

I googled this. It seems to be a good definition.

Did you even bother reading the link you posted? It clearly says,
Quote: "These IP addresses compose the majority private networks, which are networks not available, or reachable, from the Internet. The reason these hosts are not reachable from the Internet is due to a fundamental requirement: each host must possess a unique IP address. RFC1918 removes this requirement. Common RFC 1918 addresses, like 192.168.1.1, are available in multiple networks without causing any disruption. The key requirement is that they stay within the boundaries of a network."

You do understand the difference between incoming and outgoing data, correct? Because this entire conversation has been about data traveling TO THE INTERNET from the local network (via the camera itself), not data FROM THE INTERNET trying to connect to the camera...

The article goes on to say,
Quote: "To isolate RFC1918 address from the Internet, network administrators configure their border routers to discard IP packets with private addresses. As a result, IP packets carrying private addresses can only flow within internal, or private, networks."

How do network administrators configure their border router to discard IP packets with private addresses? WITH THE EXACT RULE that meyermu suggested to the OP and you have continually tried to say that it is not necessary. Your own link contradicts your assumptions and says that it IS necessary and a normal rule for network administrators to add to their routers.

It's fine to be ignorant on a variety of topics (no one knows everything), but it's not OK when you start trying to teach and correct others (who are 100% correct BTW) when you don't understand the material yourself.  Therefore I would suggest that you stop posting in this thread until you learn a little bit more about how data travels through a network.
Just a hobbyist trying to figure all this out.

December 20, 2025, 03:01:22 AM #31 Last Edit: December 20, 2025, 03:41:47 AM by coffeecup25
I had planned to end my time here so you kids have an exclusive playground. But, you got me. Hopefully nobody else will draw me back again.

I just watched all the packets that escaped from your network and now I know all your secrets. I guess you were right. I can't get into your system since it uses non-routable addresses. But somehow your frames and packets (inside joke) found their way to me of all people.

Seriously. Reddit has normal people on the OPNsense forum. What's wrong with you and the other little princes?

Why not explain how your 192.168.x.x or whatever gets out and gets into trouble? Without using NAT and SPI, which is the traditional way traffic goes from a network to a destination and finds its way back. NAT and SPI are actual firewalls. Look up NAT / SPI and your hesitation and apprehensions about Internet Leakage might lessen.

Mull this over .... why does the real pro or the prince need to write a rule to prevent Internet Leakage, while almost nobody has even heard of this terrible situation? Why isn't it an OPNsense default? Millions of routers are out there without any owner or manufacturer awareness. This should become yours and that other guy's crusade to wake everyone up. Hopefully, this will be my last post here.

At least you will still have the newbies to impress.

Quote from: coffeecup25 on December 17, 2025, 03:29:50 PM
There's a good chance I am missing the point entirely
Correct.

Quote from: coffeecup25 on December 17, 2025, 03:29:50 PM
Find out the app that's sending the videos outside of your home and shut it down.

Effective if that were the question but it was not.

Correct solutions were provided. The rest is unhelpful waffle.
Deciso DEC697

December 23, 2025, 07:26:46 PM #33 Last Edit: December 23, 2025, 08:18:41 PM by TheAutomationGuy
Quote from: coffeecup25 on December 20, 2025, 03:01:22 AM
Mull this over .... why does the real pro or the prince need to write a rule to prevent Internet Leakage, while almost nobody has even heard of this terrible situation? Why isn't it an OPNsense default?
The fact that you even ask that question proves you have zero idea what we are talking about here and can only point at what other people do or say to support your "theories" - which turn out aren't based on actual personal experience other than internet search results you have read through.

That rule isn't a default rule on ANY firewall/router device because that rule stops all devices on that network subnet from accessing the internet.  That is NOT what people want to do by default.  By default, people want to access the internet from their local network.

Therefore, by default most (I dare say all, but there probably is some strange outlier device that acts differently) firewalls/routers will by default block all traffic initiated outside of the local network (ie the internet) from getting into the local network and it will by default allow all traffic that is initiated on the local network to exit your local network and travel to its final destination (ie go to the internet). However the default rules are not going to work in every single situation, and therefore users can add or modify their rules to change the default behavior.

In this particular use case for example, the OP does not want their cameras initiating communication with non-local servers via code built into their firmware code (which does happen and therefore it is completely reasonable to want to block this traffic).  Therefore adding this rule - while only useful in specific use cases where you want to BLOCK devices on your network from being able to communicate with devices outside of your local network (ie the "internet") -  to the "CCTV VLAN" network is exactly what needs to happen. Meanwhile the LAN and other VLANs without this rule will still be able to initiate communication with devices outside of the local network like normal.

Again, I would implore you to stop posting/arguing points about concepts you clearly don't fully understand. 
Just a hobbyist trying to figure all this out.
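The behaviour argued over in the posts above (default stateful policy: flows initiated from the internet are blocked, flows initiated inside are allowed, plus a per-VLAN block rule so the cameras cannot initiate anything to non-RFC1918 addresses) can be modelled as a small first-match rule evaluator. This is an added illustration, not code from the forum or from OPNsense; the interface names, subnets and addresses are assumptions.

```python
"""Constructed model of the firewall policy discussed in the thread.
Interface names, subnets and sample addresses are assumptions (not from the post)."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout: LAN on 192.168.1.0/24, camera ("CCTV") VLAN on 192.168.10.0/24.
# Internal interfaces default to pass (hosts may reach the internet);
# WAN defaults to block (nothing from the internet may initiate inbound).
INTERFACES = {
    "lan":  {"net": ip_network("192.168.1.0/24"),  "default": "pass"},
    "cctv": {"net": ip_network("192.168.10.0/24"), "default": "pass"},
    "wan":  {"net": None,                          "default": "block"},
}

def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC1918 ranges."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)

# Rules are evaluated first-match on the interface the flow enters.
# The one rule from the thread: on the CCTV VLAN, block any flow whose
# destination is outside RFC1918 space (i.e. the internet). Cameras can
# still reach an NVR or other hosts on private ranges.
RULES = [
    ("cctv", "block", lambda src, dst: not is_private(dst)),
]

def ingress_interface(src: str) -> str:
    """Interface a flow with this source address enters on (unknown => WAN)."""
    a = ip_address(src)
    for name, cfg in INTERFACES.items():
        if cfg["net"] is not None and a in cfg["net"]:
            return name
    return "wan"

def decide(src: str, dst: str) -> str:
    """Verdict for the first packet of a new flow; replies follow the state."""
    iface = ingress_interface(src)
    for rule_iface, action, match in RULES:
        if rule_iface == iface and match(src, dst):
            return action
    return INTERFACES[iface]["default"]

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "203.0.113.10"),   # camera -> cloud server
                     ("192.168.10.5", "192.168.1.20"),   # camera -> NVR on LAN
                     ("192.168.1.20", "203.0.113.10"),   # LAN host -> internet
                     ("198.51.100.7", "192.168.10.5")]:  # internet -> camera
        print(f"{src} -> {dst}: {decide(src, dst)}")
```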

December 23, 2025, 07:50:32 PM #34 Last Edit: December 23, 2025, 08:15:34 PM by TheAutomationGuy
Duplicate post removed.....
Just a hobbyist trying to figure all this out.