I have a series of Reolink IP cameras that use p2p (https://reolink.com/p2p-ip-camera/) and I want to block these cameras from being able to communicate over the Internet. I’m using RB4011iGS+RM as my gateway and firewall. Hoping somebody could let me know how I could block p2p from these IP cameras with a firewall rule. I currently have up2p turned off but they are still able to get through the RB4011 router. Thanks!
Step 1: Set IP-Static
If the DHCP server is active, make the camera's lease static.
Step 2: Create List (Optional)
If you have or are planning to have multiple cameras …
Example:
/ip firewall address-list
add address=192.168.178.1 list=ReolinkCamera
add address=192.168.178.2 list=ReolinkCamera
add address=192.168.178.3 list=ReolinkCamera
Step 3: Firewall
Example:
/ip firewall filter
add action=drop chain=forward comment="Drop: Reolink-Data (LAN -> Internet)" \
out-interface-list=WAN src-address-list=ReolinkCamera
Thanks for this reply. I will definitely want to restrict them completely from the Internet. Is there also a way to block p2p for all other devices (ones that I may not know of)?
The easy answer is no…
It isn't unusual for devices (and software products) to use alternate ports to communicate with the Internet.
For example, using UDP:5060 (VoIP) or TCP:53 (DNS) to circumvent firewall or QoS limitations.
The Solution is simply to follow Firewall best Practices
Rule 1: Only Allow the Traffic you want (and understand) and Block everything else…
Rule 2: Don’t have any devices in your Network you don’t trust
Rule 3: …
I would put all devices that should not have internet access on their own VLAN(s).
Then simply block vlans from internet…
I like the idea of using a VLAN and then just blocking Internet access to that VLAN. The problem is the IP cameras I have are a mix of both wired and wireless, and they are connected to different switches and different access points. This kind of setup will not work with a VLAN will it? Do you think creating a separate subnet for all the IP cameras is a better option?
Generally speaking, you don’t necessarily need a dedicated VLAN for each subnet, so yes, a dedicated subnet for the cameras sharing a common (V)LAN with another subnet is also an option.
But things complicate quickly if you want addresses from both subnets to be assigned dynamically using DHCP, as you need to assign the leases in all but one subnet based on attributes of the devices known in advance - whatever device whose identifiers in the DHCPDISCOVER do not match some pre-defined criteria must get a lease from the “default” subnet with the highest limitations. So it depends on the size of your network whether you will provide a static lease for each camera or whether you will create static leases for the other devices.
But once you start dealing with static leases, you can instead make them add the leased addresses to an address-list, and let the firewall rules match on that address-list, so effectively you don’t need a dedicated subnet for the cameras if you use static leases.
I created this rule provided by ConnyMercier but the Reolink WiFi cameras are still able to connect to the Internet. Any ideas what can be wrong? Did I miss something important?
He provided only example rules, it would require you to modify them to suit your situation.
You’d likely need to post your full config and provide extra information so someone can craft the rules specifically for you.
Use /export hide-sensitive to provide your config.
Did you add your Internet-Interfaces in the “WAN” list ?
To check:
/interface list member print
If you need to add interfaces to List :
Example for ether1:
/interface list member
add interface=ether1 list=WAN
@joegoldman is right, if you need more help, we are going to need your config-File!
Are the switches smart switches? Can read vlan tags etc…
Are the access points smart access points?
Thank you all very much, I really appreciate your help with this. I’m new to all of this, but learning slowly. My router config is below, with all identifiers and other potentially sensitive information removed. If you notice anything else that you would recommend I change to make my router/firewall more secure, I’d be very happy to hear your recommendations.
[date/time] by RouterOS 6.49
software id = [software id]
model = RB4011iGS+
serial number = [S\N]
/interface bridge
add admin-mac=[mac address] auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=[user num]
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.39 client-id=[client id] mac-address=[mac addr] server=defconf
add address=192.168.88.22 client-id=[client id] mac-address=[mac addr] server=defconf
add address=192.168.88.79 mac-address=[mac addr] server=defconf
add address=192.168.88.85 mac-address=[mac addr] server=defconf
add address=192.168.88.88 mac-address=[mac addr] server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.39 list=IP-cameras
add address=192.168.88.22 list=IP-cameras
add address=192.168.88.79 list=IP-cameras
add address=192.168.88.85 list=IP-cameras
add address=192.168.88.88 list=IP-cameras
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" connection-limit=100,32 out-interface-list=WAN src-address-list=IP-cameras
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2221
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Edmonton
/system identity
set name=pittsburgh
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I’m not really sure what smart access points are. How would I know? I’m using Mikrotik CRS112-8P-4S-IN and netPower 16P switches, and I’m using Ubiquiti Unifi access points.
I don't know if the "connection-limit" parameter does something, but I would remove it if you don't need it!
Then restart your router, and test if the IP cameras still have internet!
add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" connection-limit=100,32 out-interface-list=WAN src-address-list=IP-cameras
Give the devices a bad gateway.
Block the devices in forwarding.
I didn’t realize I needed to reboot the router in order for the new firewall setting to take effect. Was that the step I was missing? The cameras all seem to be blocked from the Internet now. I also changed the connection-limit parameter from the default to “0,0”
You don't always have to reboot your router when adding firewall rules…
It was just a simple and error-proof way to terminate all "established" connections =)
It has something to do with your firewall setup…
The firewall works top-down, and the very first firewall rule for forward traffic is
"action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked"
So even if your new firewall rule blocked all IP camera traffic (new, established, related and untracked traffic),
established traffic was still getting accepted from the TOP.
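As an added illustration (not code from the thread and not RouterOS code), a small Python model of the top-down evaluation described above, using the defconf forward rules and the IP-cameras drop rule from the posted config. The packets, the list contents and the fall-through behaviour of `fasttrack-connection` are modelling assumptions.

```python
# Added illustration (not RouterOS code): a toy model of how RouterOS walks a firewall
# chain top-down, using the defconf forward rules and the camera drop rule from the thread.
ADDRESS_LISTS = {"IP-cameras": {"192.168.88.39", "192.168.88.22", "192.168.88.79",
                                "192.168.88.85", "192.168.88.88"}}
INTERFACE_LISTS = {"WAN": {"ether1", "pppoe-out1"}, "LAN": {"bridge"}}

# Each rule is (action, matchers); matcher keys are the RouterOS parameter names used above.
DEFCONF_FORWARD = [
    ("fasttrack-connection", {"connection-state": {"established", "related"}}),
    ("accept", {"connection-state": {"established", "related", "untracked"}}),
    ("drop", {"connection-state": {"invalid"}}),
    ("drop", {"connection-state": {"new"}, "in-interface-list": "WAN",
              "connection-nat-state": "!dstnat"}),
]
CAMERA_DROP = ("drop", {"src-address-list": "IP-cameras", "out-interface-list": "WAN"})

def matches(matchers, pkt):
    """True when every matcher of the rule applies to the packet."""
    for key, want in matchers.items():
        if key == "connection-state" and pkt["state"] not in want:
            return False
        if key == "src-address-list" and pkt["src"] not in ADDRESS_LISTS[want]:
            return False
        if key == "out-interface-list" and pkt["out"] not in INTERFACE_LISTS[want]:
            return False
        if key == "in-interface-list" and pkt["in"] not in INTERFACE_LISTS[want]:
            return False
        if key == "connection-nat-state" and pkt.get("dstnat", False):
            return False  # "!dstnat": only connections that were NOT dst-natted match
    return True

def evaluate(chain, pkt):
    """First terminating match wins. fasttrack-connection only marks the connection and
    falls through to the next rule, as in RouterOS. defconf has no final drop in the
    forward chain, so the default verdict is accept."""
    for action, matchers in chain:
        if matches(matchers, pkt) and action != "fasttrack-connection":
            return action
    return "accept"

# Constructed packets from camera 192.168.88.39 heading out through the PPPoE uplink.
CAM_NEW = {"src": "192.168.88.39", "in": "bridge", "out": "pppoe-out1", "state": "new"}
CAM_ESTABLISHED = {**CAM_NEW, "state": "established"}

def verdicts(chain):
    return {"new": evaluate(chain, CAM_NEW), "established": evaluate(chain, CAM_ESTABLISHED)}

RULE_LAST = DEFCONF_FORWARD + [CAMERA_DROP]   # the thread's config: drop rule appended last
RULE_FIRST = [CAMERA_DROP] + DEFCONF_FORWARD  # drop rule placed above fasttrack/accept

if __name__ == "__main__":
    print("drop rule last :", verdicts(RULE_LAST))   # established traffic still accepted
    print("drop rule first:", verdicts(RULE_FIRST))  # both dropped
```

On the router itself the same effect comes from moving the camera drop rule above the fasttrack and accept-established rules (`/ip firewall filter move`), so existing connections are caught without rebooting.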
@ConnyMercier, this has been working perfectly, but for debugging purposes I wanted to re-enable Internet access for a couple of the cameras. I tried removing their IP addresses from the list and restarted the router, but they were still blocked from the Internet. So, I then tried disabling the firewall rule completely and restarted the router but still no Internet access for those cameras. Any idea what’s going on here and how I could re-enable their Internet access temporarily? Thanks! (they have static IP addresses and they have not changed)
Q1. Did you reboot the camera after editing the firewall?
Q2. How do you know that the Internet access for the cameras isn't working?
Q3. Can you post the latest config of your router? (/export hide-sensitive)
This is wrong on your config…
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
SHOULD BE
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
Don't see DNS noted in the config, although it may be selected on the router and simply doesn't show in the print.
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1