Community discussions

MikroTik App
 
zorrua
newbie
Topic Author
Posts: 37
Joined: Sun Sep 17, 2017 4:32 pm

BLock IP camera output connection

Mon Apr 02, 2018 2:11 pm

Hello,

I have a IP camera in my LAN that I use to acces from LAN network to the 554 port. The problem is that I check with Torch and the camera is doing some connection to Internet:

Image

How could I block this output connection?

Thanks for your help.

Kind regards.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: BLock IP camera output connection

Mon Apr 02, 2018 2:52 pm

Firewall forward drop rule with source and destination. But you better google about these connections, maybe it needs these cameras.
 
zorrua
newbie
Topic Author
Posts: 37
Joined: Sun Sep 17, 2017 4:32 pm

Re: BLock IP camera output connection

Mon Apr 02, 2018 5:40 pm

Thanks!

I configure this way:
/ip firewall filter add action=drop chain=forward out-interface=pppoe-out1 src-address=192.168.1.18
I made tests with ping and wget from the camera and it works.

Kind regards.
 
solar77
Long time Member
Long time Member
Posts: 577
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: BLock IP camera output connection

Tue Apr 03, 2018 6:38 pm

My guess is that the camera is reporting to its server so that you can connect to the camera from a mobile APP when you are not home.
MTCNA MTCTCE UEWA
 
jarda
Forum Guru
Forum Guru
Posts: 7763
Joined: Mon Oct 22, 2012 4:46 pm

Re: BLock IP camera output connection

Tue Apr 03, 2018 10:54 pm

... And exactly this is the thing to be blocked. Camera should not be allowed to actively connect anywhere.
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: BLock IP camera output connection

Wed Apr 04, 2018 6:34 pm

If it is accessed only on the LAN could you reconfigure it with static IP and not use a gateway IP or use it's own IP as the gateway? Saves creating firewall rules for "messy" devices.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: BLock IP camera output connection

Wed Apr 04, 2018 6:55 pm

... And exactly this is the thing to be blocked. Camera should not be allowed to actively connect anywhere.
Jarda, that is only a valid comment if the OP has no intention of accessing the video camera through the phone app and ONLY through the house LAN.
Personally, I think it makes far more sense to simply ensure that the vidcamera has access to the internet but NOT to the rest of the LAN.
 
solar77
Long time Member
Long time Member
Posts: 577
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: BLock IP camera output connection

Wed Apr 04, 2018 8:05 pm

Well, if the camera is from a trusted manufacturer then yes, I don't mind it access it from their portal. If not, I'd rather access it through my own Mikrotik. In any case it should have access to the Internet. Blocking its access to the rest of my network would be nice though, just in case.
MTCNA MTCTCE UEWA
 
mkx
Forum Guru
Forum Guru
Posts: 4976
Joined: Thu Mar 03, 2016 10:23 pm

Re: BLock IP camera output connection

Wed Apr 04, 2018 9:09 pm

If you'd like to access camera through your own mikrotik, then camera doesn't need internet access. Mikrotik needs appropriate dst-nat rules instead.
BR,
Metod
 
jarda
Forum Guru
Forum Guru
Posts: 7763
Joined: Mon Oct 22, 2012 4:46 pm

Re: BLock IP camera output connection

Wed Apr 04, 2018 10:35 pm

That's it. Cameras should be passive devices in the network accepting connections from NVR and local stations only. If I want to see the cameras from outside then vpn is the only way. Giving unknown access to the cameras to unknown persons from who-knows-where is the direct way to let everyone to see them. Security and ease of use are not usually going together.
 
jaytcsd
Member Candidate
Member Candidate
Posts: 295
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: BLock IP camera output connection

Sun Apr 15, 2018 7:10 am

I put my security camera DVR on a separate Mikrotik, the DVR is 192.168.100.245 with a 255.255.255.248 subnet, that way it can't see into my
PCs and NAS addresses from .1 to .100. The 'insecure' Mikrotik is 192.168.100.241, it's on LAN port 5 on my main Mikrotik.

Who is online

Users browsing this forum: markwien, mcgoebel, promethium, vasilevdim and 79 guests