Block IP camera output connection

Hello,

I have an IP camera in my LAN that I access from the LAN network on port 554. The problem is that I checked with Torch and the camera is making some connections to the Internet:

How could I block this output connection?

Thanks for your help.

Kind regards.

Firewall forward drop rule with source and destination. But you'd better google these connections; maybe the camera needs them.

Thanks!

I configured it this way:

/ip firewall filter add action=drop chain=forward out-interface=pppoe-out1 src-address=192.168.1.18

I made tests with ping and wget from the camera and it works.

Kind regards.

My guess is that the camera is reporting to its server so that you can connect to the camera from a mobile APP when you are not home.

… And exactly this is the thing to be blocked. Camera should not be allowed to actively connect anywhere.

If it is accessed only on the LAN, could you reconfigure it with a static IP and not use a gateway IP, or use its own IP as the gateway? Saves creating firewall rules for “messy” devices.

Jarda, that is only a valid comment if the OP has no intention of accessing the video camera through the phone app and ONLY through the house LAN.
Personally, I think it makes far more sense to simply ensure that the vidcamera has access to the internet but NOT to the rest of the LAN.

Well, if the camera is from a trusted manufacturer then yes, I don’t mind accessing it from their portal. If not, I’d rather access it through my own Mikrotik. In any case it should have access to the Internet. Blocking its access to the rest of my network would be nice though, just in case.

If you’d like to access camera through your own mikrotik, then camera doesn’t need internet access. Mikrotik needs appropriate dst-nat rules instead.

That’s it. Cameras should be passive devices in the network, accepting connections from the NVR and local stations only. If I want to see the cameras from outside, then VPN is the only way. Giving unknown access to the cameras to unknown persons from who-knows-where is the direct way to let everyone see them. Security and ease of use do not usually go together.

I put my security camera DVR on a separate Mikrotik, the DVR is 192.168.100.245 with a 255.255.255.248 subnet, that way it can’t see into my PCs and NAS addresses from .1 to .100. The ‘insecure’ Mikrotik is 192.168.100.241, it’s on LAN port 5 on my main Mikrotik.
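
An added example, not from any poster in this thread: a RouterOS rule along the lines discussed above, using the camera address 192.168.1.18 and WAN interface pppoe-out1 from the original post. The address-list name, log prefix and comments are made up for illustration.

```routeros
# Added example; list name "cameras" and log prefix "cam-out" are illustrative.
# 192.168.1.18 and pppoe-out1 are taken from the original post.

/ip firewall address-list
add list=cameras address=192.168.1.18 comment="IP camera"

/ip firewall filter
# Drop only connections the camera itself opens towards the WAN.
# connection-state=new leaves replies alone, so sessions opened *to* the
# camera from outside (for example through a dst-nat rule) still get answers.
# The rule must sit above any accept rule that would match the same traffic.
add chain=forward action=drop connection-state=new \
    src-address-list=cameras out-interface=pppoe-out1 \
    log=yes log-prefix="cam-out" \
    comment="camera: no outbound connections to the internet"

# Check that the rule is matching: its packet counter should rise while
# the camera keeps trying to reach its servers.
/ip firewall filter print stats
```

Clients in the same subnet as the camera reach port 554 directly over the bridge, so this forward-chain rule does not affect local viewing. Further cameras can be covered by adding their addresses to the same list.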