How to block camera from being accessed from WAN?

So I have two Tp-Link Tapo cameras which have built in cloud service. I only wish for them to be accessible from my home, not from internet. I’m trying to achieve this with firewall rules but fail to do so. Can someone help?

So my network consists of 3 VLANS: 10 Home, 20 Guest and 30 IoT. Cameras are on IoT. Their IPs are 10.3.1.6 and 10.3.1.7. The firewall rule is disabled because it seems to be also blocking access from LAN. See attached picture for my firewall rules. Also VLANs shouldn’t be able to communicate with each other other than 10 to 30.

Firewall forward rule, source address list consisting of your cameras. Destination address !YourLan and drop it.

You drop anything not going to your lan from the cameras. JD.

Not working, are these right? Home network is 10.1.1.1-254 which should have access to cameras.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
I know brits prefer pictures but us colonials need the detail.

If your VLAN interface list contains the Home, IoT and Guest interfaces, insert the following rules between the last two in your initial screenshot:

chain=forward action=drop src-address=10.1.3.6/31 out-interface-list=WAN
chain=forward action=accept in-interface=Home out-interface=IoT
chain=forward action=drop in-interface-list=VLAN out-interface-list=!WAN

I prefer to use address lists for such cases in the first rule:

chain=forward action=drop src-address-list=ipcam out-interface-list=WAN

With these rules, I also lost control to see the camera from LAN.
Here’s the current config attached in full:

To make this clear,
These cameras can be accessed by you the admin from the LAN.
They are designed to be accessible while away from home via the cloud.
You want to stop them talking to the cloud.

+++++++++++++++++++++++++++++++++++++++++++++

You didn't make it clear what is connected on each port, but you will get the idea.
Whatever is simply going to a dumb device is an access port and needs a pvid on /interface bridge port and to be untagged on /interface bridge vlans.
Whatever is going to a smart device is a trunk port and has no pvid assigned, and is tagged along with the bridge on /interface bridge vlans.

ALSO keep names distinct; it's better for the reader and for the router.
Bridge is no longer required for participation in the LAN interface list.

model = RB5009UG+S+

serial number = *************

/interface bridge
add admin-mac=***************** auto-mac=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=sfp speed=
10G-baseSR-LR
/interface vlan
add interface=bridge name=Guest20 vlan-id=20
add interface=bridge name=Home10 vlan-id=10
add interface=bridge name=IoT30 vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/ip pool
add name=Home ranges=10.1.1.4-10.1.1.254
add name=Guest ranges=10.1.2.2-10.1.2.254
add name=IoT ranges=10.1.3.2-10.1.3.254
/ip dhcp-server

add address-pool=Guest interface=Guest20 name=Guest-dhcp
add address-pool=IoT interface=IoT30 name=IoT-dhcp
add address-pool=Home interface=Home10 name=Home-dhcp
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-tagged-vlans interface=ether2 comment="trunk port"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-tagged-vlans interface=sfp comment="trunk port"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,sfp untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,sfp vlan-ids=20,30
/interface list member
# note: we do NOT make the IoT vlan a member of the LAN interface list
add interface=ether1_WAN list=WAN
add interface=Home10 list=LAN
add interface=Guest20 list=LAN
add interface=Home10 list=TRUSTED
/ip address
add address=10.1.1.1/24 comment=Home interface=Home10 network=10.1.1.0
add address=10.1.2.1/24 comment=Guest interface=Guest20 network=10.1.2.0
add address=10.1.3.1/24 comment=IoT interface=IoT30 network=10.1.3.0
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server lease
add address=10.1.1.10 lease-time=1d mac-address=9C:6B:00:39:A9:AE server=Home
add address=10.1.3.3 client-id=1:0:a0:de:8f:5d:c7 mac-address=
00:A0:DE:8F:5D:C7 server=IoT
add address=10.1.1.11 client-id=1:ac:5f:ea:12:de:f9 mac-address=
AC:5F:EA:12:DE:F9 server=Home
add address=10.1.3.4 client-id=1:78:5d:c8:ab:b5:ab mac-address=
78:5D:C8:AB:B5:AB server=IoT
add address=10.1.3.2 client-id=1:a8:93:4a:67:d6:f6 comment=Tulostin
mac-address=A8:93:4A:67:D6:F6 server=IoT
add address=10.1.3.6 client-id=1:54:af:97:dc:f5:d comment=*** mac-address=
54:AF:97:DC:F5:0D server=IoT
add address=10.1.3.7 client-id=1:5c:a6:e6:7e:c8:c comment=*** mac-address=
5C:A6:E6:7E:C8:0C server=IoT
/ip dhcp-server network
add address=10.1.1.0/24 comment=Home dns-server=10.1.1.1 gateway=10.1.1.1
netmask=24
add address=10.1.2.0/24 comment=Guest dns-server=10.1.1.1 gateway=10.1.2.1
add address=10.1.3.0/24 comment=IoT dns-server=10.1.1.1 gateway=10.1.3.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.1.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.1.3.6/31 list=Camera
add address=10.1.1.X list=TRUSTED comment="admin pc"
add address=10.1.1.YY list=TRUSTED comment="admin device2"
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface=Home10
# one should use an address list here (source) to limit admin access to TRUSTED only
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="users to router services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="users to router services"
add action=drop chain=input comment="drop all else"
# add this rule last or you will lock yourself out
++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Accept Home to IoT traffic" in-interface=Home10 out-interface=IoT30
src-address=10.1.1.0/24 dst-address=10.1.3.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# disable or remove the rule above if not required
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/Helsinki
/system identity
set name=r1
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If not using IPv6, remove the address list, disable IPv6 in settings and remove all rules save for
add chain=input action=drop
add chain=forward action=drop

Yes, exactly this. But other devices on IoT 30 VLAN should be able to access internet.

Everything is connected via a managed switch that is connected to the Mikrotik sfp port.
Thanks, I will try to work it out with the config you posted.

Well when you hide requirements expect an incomplete or incorrect answer…

Then we take a different approach ensuring IOT vlan is part of LAN interface list.

/interface list member
add interface=ether1_WAN list=WAN
add interface=Home10 list=LAN
add interface=Guest20 list=LAN
add interface=IoT30 list=LAN
add interface=Home10 list=TRUSTED

/ip firewall address-list
add address=10.1.3.AA list=BlockCamera comment="camera location X"
add address=10.1.3.BB list=BlockCamera comment="camera location Y"
add address=10.1.3.CC list=BlockCamera comment="camera location Z"

add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid

add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN src-address-list=!BlockCamera
add action=accept chain=forward comment="Accept Home to IoT traffic" in-interface=Home10 out-interface=IoT30
src-address=10.1.1.0/24 dst-address=10.1.3.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# disable or remove the rule above if not required
add action=drop chain=forward comment="drop all else"

Firewall rules are processed top down. I think the LAN > IoT rule is interfering; try dragging the rule you created on my recommendation to the top. If it works, presto, knit it back in somewhere sensible (or drop it down the list until it stops working and then move it back up one).
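As an added illustration (not code from the thread or from MikroTik), here is a minimal first-match model of the forward chain discussed in the two posts above. It shows that a separate camera drop rule placed below the "internet access" accept never fires, that placing it above works, and that the `src-address-list=!BlockCamera` form on the accept rule itself sidesteps the ordering question; interface lists, address lists and sample flows are constructed to mirror the posted config.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror the thread's config (not the poster's own script):
# interface lists and the camera address list (10.1.3.6/31 is exactly .6 and .7).
IFACE_LISTS = {"WAN": {"ether1_WAN"}, "LAN": {"Home10", "Guest20", "IoT30"}}
ADDR_LISTS = {"BlockCamera": [ip_network("10.1.3.6/31")]}

def in_list(value, spec, lists):
    """Match an interface name or IP against a list name; a leading '!' negates."""
    members = lists[spec.lstrip("!")]
    hit = value in members if isinstance(members, set) else any(ip_address(value) in n for n in members)
    return hit != spec.startswith("!")

def matches(rule, pkt):
    """Every matcher on the rule must hit, as for a RouterOS filter rule."""
    checks = {
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "in-interface": lambda v: pkt["in"] == v,
        "out-interface": lambda v: pkt["out"] == v,
        "in-interface-list": lambda v: in_list(pkt["in"], v, IFACE_LISTS),
        "out-interface-list": lambda v: in_list(pkt["out"], v, IFACE_LISTS),
        "src-address-list": lambda v: in_list(pkt["src"], v, ADDR_LISTS),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "action")

def forward_chain(rules, pkt):
    """First matching rule wins; RouterOS walks the chain top-down."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # implicit default when nothing in the chain matches

ESTABLISHED = {"action": "accept", "connection-state": "established,related"}
HOME_TO_IOT = {"action": "accept", "in-interface": "Home10", "out-interface": "IoT30"}
INTERNET = {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"}
INTERNET_EXCL = {**INTERNET, "src-address-list": "!BlockCamera"}  # the thread's final form
CAMERA_DROP = {"action": "drop", "src-address-list": "BlockCamera", "out-interface-list": "WAN"}
DROP_ALL = {"action": "drop"}

def chain(camera_drop_first):
    """Separate drop rule either above or below the 'internet access' accept."""
    order = [CAMERA_DROP, INTERNET] if camera_drop_first else [INTERNET, CAMERA_DROP]
    return [ESTABLISHED, *order, HOME_TO_IOT, DROP_ALL]

# Constructed sample flows (new = first packet of a connection).
CAM_TO_CLOUD = {"src": "10.1.3.6", "in": "IoT30", "out": "ether1_WAN", "state": "new"}
PRINTER_TO_WEB = {"src": "10.1.3.2", "in": "IoT30", "out": "ether1_WAN", "state": "new"}
HOME_TO_CAM = {"src": "10.1.1.10", "in": "Home10", "out": "IoT30", "state": "new"}
CAM_REPLY = {"src": "10.1.3.7", "in": "IoT30", "out": "Home10", "state": "established"}
```

Home-to-camera traffic and the camera's established replies pass in every ordering, so the model also confirms that the firewall is not what blocks local viewing once the rules are placed correctly.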

Thanks @anav and @Steveocee. I got it working now with your help. The only problem is that now I can't seem to access the cameras from the local net. The cameras are TP-Link Tapo C100 and I've read that they have to be on the same subnet for local access to work, so I have to figure out what I want to do.

Please explain "cannot access cameras from local net"???
Do you mean you cannot view cameras in the 10.1.3.0/24 subnet from your PC in the 10.1.1.0/24 subnet??

Please post latest complete config!!

Yes, exactly this. I can access other devices in the 10.1.3.0 subnet from 10.1.1.0, but these cameras don't work from the Tapo app. I can ping them but not see the video stream. There are multiple discussions about this same matter.

https://community.tp-link.com/en/smart-home/forum/topic/579572

https://community.tp-link.com/en/smart-home/forum/topic/501882

https://www.reddit.com/r/TpLink/comments/17xjc2j/tapo_app_cant_communicate_to_cameras_on_iot_vlan/

https://www.reddit.com/r/OPNsenseFirewall/comments/rrmy6s/tplink_tapo_cameras_in_separate_vlans_with/

I’m thinking I will simply connect the cameras to Home 10.1.1.0 subnet, block their internet access and only allow them to be accessed from trusted phones as needed. It should be safe enough.

If you are blocking the cameras' access to the internet, it makes sense that no app will find them, as the app is probably designed to go to the cloud server and then down to the camera, not for direct local access. You would need to access the camera directly by its LAN IP somehow… maybe on a PC??

No, I know they will work fine. Before I bought this Mikrotik, I was running everything on same network and had their internet access blocked and everything worked just fine. The Tapo app can access the cameras even when there’s no internet connection, as long as they are on the same subnet.

https://www.tapo.com/my/faq/66/

"Q6: Can I use my Tapo camera anywhere if there is no internet?

A: You can use the camera or watch the live view without an internet connection, but please ensure both your phone and the camera are connected to the same wireless network."

Then if on a different subnet (vlan) with permissions to the camera, it would normally work.
I suspect that the cameras are hard wired internally to only respond to requests from the same LAN; it's not a MikroTik issue.

The only thing I can recommend is to assign yourself a static dhcp lease on the IoT network for one of your devices, and when you log into the IoT SSID with that device,
then you should be able to access the camera.