IP Camera Rule

Started by psilospiral, June 05, 2021, 03:37:33 AM

Greetings Forum:

I am a new user with OPNsense. I am looking for suggestions / help with creating a rule that would allow outside WAN requests in to an 'ipcamzone' alias I have set up. The goal is to block any outgoing requests initiated from cameras in the ipcamzone alias (they shouldn't be talking out on their own), yet allow outside WAN requests in for connections when the camera is connected to for normal use. Any suggestions?


First thing to be conscious of is that poking holes in your WAN interface presents risks. Your connection will start getting probes straight away. So if you go down this path you'd want to be sure that the connection to your cameras is as secure as possible.

A probably better solution is to create a VPN into your home network, and then connect to the cameras over that.

But if you still want to connect directly...

I assume that your cameras have a management interface that you connect to in order to view all the camera vision?

If so, create a port forward rule on your WAN interface, forwarding from the WAN address on the relevant port to the internal IP on the relevant port. The default port forward setup will create a corresponding firewall rule on the WAN interface.

To block outgoing traffic initiated by the cameras, create a block rule on the interface that the cameras are connected to (e.g. LAN), with the camera IP alias as the source and the destination as any.

Greelan:

Thank you for the word of caution and advice.  I already use OpenVPN on my pfsense box, but primarily for LAN access to my home network while away from home. 

Quote: To block outgoing traffic initiated by the cameras, create a block rule on the interface that the cameras are connected to (eg LAN), with the camera IP alias as the source and the destination as any.

I will give this a try.  For some reason I thought this approach would also block responses from the cameras initiated from the WAN side.  I am also experimenting with creating a block rule to keep the devices within my ipcamzone alias isolated from the rest of the LAN.  I'll report back how it goes.  Thank you for the quick reply!
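Added example, not written by any poster in this thread: a minimal Python model of stateful filtering that shows why the suggested block rule on the camera interface stops connections the cameras initiate but not their replies to a connection forwarded in from WAN. The addresses, port 8443 and all class and function names are constructed assumptions, and this is a simplified model, not OPNsense's own implementation.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread)
IPCAMZONE = [ip_network("192.168.50.0/28")]  # stands in for the 'ipcamzone' alias
WAN_ADDR = ip_address("198.51.100.2")        # firewall's WAN address
CAM = ip_address("192.168.50.10")            # port forward target
FWD_PORT = 8443                              # hypothetical camera port


class Firewall:
    def __init__(self):
        # One entry per tracked connection: (client_ip, client_port, cam_ip, cam_port)
        self.states = set()

    def wan_in(self, src, sport, dst, dport):
        """New connection arriving on WAN: the port forward and its pass rule."""
        if ip_address(dst) == WAN_ADDR and dport == FWD_PORT:
            self.states.add((ip_address(src), sport, CAM, FWD_PORT))
            return ("pass", "port forward")
        return ("block", "default deny")

    def lan_in(self, src, sport, dst, dport):
        """Packet arriving on the interface the cameras are connected to."""
        src, dst = ip_address(src), ip_address(dst)
        # 1. State lookup comes first: a reply belonging to a tracked
        #    connection passes without the rule list being evaluated.
        if (dst, dport, src, sport) in self.states:
            return ("pass", "state match")
        # 2. Anything else is a new connection: rules apply, first match wins.
        if any(src in net for net in IPCAMZONE):
            return ("block", "ipcamzone -> any")
        return ("pass", "other hosts")  # assumed allow rule for non-camera hosts


if __name__ == "__main__":
    fw = Firewall()
    # Outside client connects to the forwarded port on WAN.
    print(fw.wan_in("203.0.113.7", 51000, "198.51.100.2", 8443))
    # Camera's reply to that client: allowed by state, block rule never consulted.
    print(fw.lan_in("192.168.50.10", 8443, "203.0.113.7", 51000))
    # Camera opens its own connection outbound: no state, block rule matches.
    print(fw.lan_in("192.168.50.10", 40000, "203.0.113.99", 443))
```
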