MvZ1985
just joined
Topic Author
Posts: 2
Joined: Sat Jan 25, 2020 3:54 pm

Preventing physical ports from using WAN port

Sat Jan 25, 2020 4:41 pm

Dear all,
hopefully you can help with my, probably easy, problem.
I have an internal network which includes 3 IP cameras (connected with wire and PoE and installed outside of my house) and a NAS for recording the images. For safety reason I would like to isolate the IP cameras from my internal network for the following reasons:
- I do not want my cameras to communicate with the internet
- In the event that somebody removes a camera from the wall and plugs in the cable I do not want the person to enter my internal network (IP range 192.168.0.xxx).

I have bought a MikroTik RB960PGS router for this. To this router I want to connect my internal network (via port 1), my 3 IP cameras and the NAS for recording. The NAS will be allowed to communicate with the internal network and internet. The IP cameras can only communicate with port 2-5 on the MikroTik router.

For now I put the MikroTik in router modus (IP range 192.168.1.xxx) and the cameras are working and communicating with the NAS.
From a PC in IP range 192.168.0.xxx I'm not able to connect to any device on the MikroTik, so that seems fine. However I still want to connect to the NAS with a PC to look back at recorded images.
But devices connected to the MikroTik can still connect to other devices outside the MikroTik, which is not what I would like to have.

Would anybody be able to explain how I can tackle this?
- Is it something with port forwarding for the NAS? And how should I do this then? I have tried something with dst-nat, but could not get it to work.
- Should I actually put the MikroTik in bridge modus and prevent the IP cameras from communicating "outside" of the mikrotik? If this is the easiest route, how do I have to implement this?

Thank you very much for your help.

Kind regards from the Netherlands
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Preventing physical ports from using WAN port

Sun Jan 26, 2020 5:42 pm

It's what firewall filter is for. Example:

viewtopic.php?p=771682#p771682

So in your case, you'd simply not add rule to allow access from cameras to internet or internal network.
 
mkx
Forum Guru
Posts: 11619
Joined: Thu Mar 03, 2016 10:23 pm

Re: Preventing physical ports from using WAN port

Sun Jan 26, 2020 6:03 pm

The basic philosophy behind the default firewall rules is this: any LAN device can connect to the router and WAN, and none of the WAN devices can connect to either the router or the LAN. The firewall filter does this by inspecting the ingress and egress interface, in particular interface list membership (by default there are two interface lists named LAN and WAN, and the default is ether1=WAN and the rest of the interfaces=LAN).

To put your case into this perspective: cameras and recorder should not be able to connect to your LAN nor internet (served through your LAN) but your devices should be able to connect to cameras and recorder.

Which means that the firewall rules are more or less correct; the only thing is to swap LAN and WAN. And the easiest way of doing it is to swap interface list membership (move ether1 to the LAN interface list, reconnect to the router via ether1 and move bridge and ether2-ether5 to the WAN interface list).
You might want to make some further minor adjustments, but I think you won't need any.
Ah, yes, at the end rename WAN interface list to something more appropriate, e.g. cameras.
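
A RouterOS sketch of the firewall-filter approach described in the replies above, added here as an example and not taken from any post in the thread. It assumes a clean filter table, ether1 facing the home network (192.168.0.0/24), a bridge named `bridge` holding ether2-ether5 (192.168.1.0/24), and a NAS at the constructed placeholder address 192.168.1.10; the list names HOME, CAMERAS and nas are hypothetical.

```routeros
# Added example. Interface, list and address names are assumptions;
# 192.168.1.10 is a placeholder for the NAS address.
/interface list
add name=HOME
add name=CAMERAS
/interface list member
add list=HOME interface=ether1
add list=CAMERAS interface=bridge

/ip firewall address-list
add list=nas address=192.168.1.10

/ip firewall filter
# Traffic to the router itself: manage it only from the home side.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=HOME
add chain=input action=accept in-interface-list=CAMERAS protocol=udp dst-port=67 \
    comment="DHCP requests, only needed if the router hands out leases"
add chain=input action=drop comment="camera segment cannot reach the router"

# Routed traffic between the two segments.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=HOME out-interface-list=CAMERAS \
    comment="home PCs to NAS and cameras"
add chain=forward action=accept in-interface-list=CAMERAS out-interface-list=HOME \
    src-address-list=nas comment="NAS to home network and internet"
add chain=forward action=drop \
    comment="everything else, including cameras to home network or internet"

/ip firewall nat
# Hide 192.168.1.0/24 behind the ether1 address for NAS-initiated traffic.
add chain=srcnat action=masquerade out-interface-list=HOME
```

Camera-to-NAS traffic stays inside the bridge and never reaches the forward chain, so recording keeps working while anything plugged into a camera cable is limited to that segment. Home PCs need a route to 192.168.1.0/24 via the MikroTik's ether1 address to reach the NAS.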
 
MvZ1985
just joined
Topic Author
Posts: 2
Joined: Sat Jan 25, 2020 3:54 pm

Re: Preventing physical ports from using WAN port

Sat Feb 01, 2020 5:36 pm

Thanks all for thinking along!
For me personally this goes a bit too far for what I know of networks. Therefore I have decided to physically disconnect the MikroTik with IP cameras from my home network.
Disadvantages are that I cannot easily connect to the cameras and NAS without physically connecting to the MikroTik.
Advantage for me: Really absolutely sure that nobody can get into my home network. And no "difficult" changing parameters in the MikroTik.
So not the way I had it planned, but I'm too afraid of having the wrong settings in the MikroTik.

Regards,
Martijn
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Preventing physical ports from using WAN port

Sun Feb 02, 2020 11:36 pm

> ... but I'm too afraid of having the wrong settings in the MikroTik.
>
> Regards,
> Martijn

I am afraid you will then never learn networking. To learn / understand networking, especially in the beginning, there will always be lots of breaks, research, fix, rinse and repeat cycles.
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Preventing physical ports from using WAN port

Mon Feb 03, 2020 6:20 pm

Martijn,

If you are obsessed about things not getting into your home network, you better actually start to try around (fail and error) and understand how networks and firewalls work!

ANY device in your home network is a potential threat to your home network!
IoT devices (worst of all), Amazon Echo, Sonos, printers, phones, old routers, TVs, NAS, old Windows PCs (even a new one can be an issue if you open a ransom email).
All these devices can do what they want and can be an attack surface.

MikroTik has great firewall capability even on the smallest 20 euro device.
Right tool to play around, learn, and control your network and finally make your "home network" safe.
