knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Block p2p from IP cameras - RB4011iGS+RM

Fri Oct 15, 2021 5:06 am

I have a series of Reolink IP cameras that use p2p (https://reolink.com/p2p-ip-camera/) and I want to block these cameras from being able to communicate over the Internet. I'm using RB4011iGS+RM as my gateway and firewall. Hoping somebody could let me know how I could block p2p from these IP cameras with a firewall rule. I currently have up2p turned off but they are still able to get through the RB4011 router. Thanks!
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Oct 17, 2021 3:45 am

Step 1: Set IP-Static
If DHCP-Server is active, make lease for Camera Static.

Step 2: Create List (Optional)
If you have or are planning to have multiple cameras ...
Example:
/ip firewall address-list
add address=192.168.178.1 list=ReolinkCamera
add address=192.168.178.2 list=ReolinkCamera
add address=192.168.178.3 list=ReolinkCamera
Step 3: Firewall
Example:
/ip firewall filter
add action=drop chain=forward comment="Drop: Reolink-Data (LAN -> Internet)" \
out-interface-list=WAN src-address-list=ReolinkCamera
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Oct 17, 2021 11:58 am

Thanks for this reply. I will definitely want to restrict them completely from the Internet. Is there also a way to block p2p for all other devices (ones that I may not know of)?
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Oct 17, 2021 1:28 pm

The easy answer is no....

It isn't unusual for Devices (and Software-Products) to use alternate Ports to communicate with the Internet.
For Example to use UDP:5060 (VOIP) or TCP:53 (DNS) to circumvent Firewall or QoS Limitations

The Solution is simply to follow Firewall best Practices
Rule 1: Only Allow the Traffic you want (and understand) and Block everything else...
Rule 2: Don't have any devices in your Network you don't trust
Rule 3: ....
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Oct 17, 2021 4:49 pm

I would put all devices that should not have internet access on their own vlan(s).
Then simply block the vlans from the internet.
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Oct 24, 2021 10:44 pm

I like the idea of using a VLAN and then just blocking Internet access to that VLAN. The problem is the IP cameras I have are a mix of both wired and wireless, and they are connected to different switches and different access points. This kind of setup will not work with a VLAN will it? Do you think creating a separate subnet for all the IP cameras is a better option?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Oct 24, 2021 11:03 pm

Generally speaking, you don't necessarily need a dedicated VLAN for each subnet, so yes, a dedicated subnet for the cameras sharing a common (V)LAN with another subnet is also an option.

But things complicate quickly if you want addresses from both subnets to be assigned dynamically using DHCP, as you need to assign the leases in all but one subnet based on attributes of the devices known in advance - any device whose identifiers in the DHCPDISCOVER do not match some pre-defined criteria must get a lease from the "default" subnet with the highest limitations. So it depends on the size of your network whether you will provide a static lease for each camera or whether you will create static leases for the other devices.

But once you start dealing with static leases, you can instead make them add the leased addresses to an address-list, and let the firewall rules match on that address-list, so effectively you don't need a dedicated subnet for the cameras if you use static leases.
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 12:19 am

I created this rule provided by ConnyMercier but the Reolink WiFi cameras are still able to connect to the Internet. Any ideas what can be wrong? Did I miss something important?
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 12:35 am

He provided only example rules, it would require you to modify them to suit your situation.

You'd likely need to post your full config and provide extra information so someone can craft the rules specifically for you.

Use /export hide-sensitive to provide your config.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 12:35 am

Did you add your Internet-Interfaces in the "WAN" list?
To check:
/interface list member print

If you need to add interfaces to the list:
Example for Ether1:
/interface list member
add interface=ether1 list=WAN

@joegoldman is right, if you need more help, we are going to need your config-File!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 1:12 am

Are the switches smart switches? Can read vlan tags etc...
Are the access points smart access points?
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 1:34 am

Thank you all very much, I really appreciate your help with this. I'm new to all of this, but learning slowly. My router config is below, with all identifiers and other potentially sensitive information removed. If you notice anything else that you would recommend I change to make my router/firewall more secure, I'd be very happy to hear your recommendations.

# [date/time] by RouterOS 6.49
# software id = [software id]
#
# model = RB4011iGS+
# serial number = [S\N]
/interface bridge
add admin-mac=[mac address] auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=[user num]
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.39 client-id=[client id] mac-address=[mac addr] server=defconf
add address=192.168.88.22 client-id=[client id] mac-address=[mac addr] server=defconf
add address=192.168.88.79 mac-address=[mac addr] server=defconf
add address=192.168.88.85 mac-address=[mac addr] server=defconf
add address=192.168.88.88 mac-address=[mac addr] server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.39 list=IP-cameras
add address=192.168.88.22 list=IP-cameras
add address=192.168.88.79 list=IP-cameras
add address=192.168.88.85 list=IP-cameras
add address=192.168.88.88 list=IP-cameras
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" connection-limit=100,32 out-interface-list=WAN src-address-list=IP-cameras
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2221
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Edmonton
/system identity
set name=pittsburgh
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 1:38 am

I'm not really sure what smart access points are. How would I know? I'm using Mikrotik CRS112-8P-4S-IN and netPower 16P switches, and I'm using Ubiquiti Unifi access points.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 1:43 am

I don't know if the "connection-limit" parameter does something, but I would remove it if you don't need it!
Then restart your router, and test if the IP-Cameras still have internet!

add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" connection-limit=100,32 out-interface-list=WAN src-address-list=IP-cameras
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 1:50 am

Give the devices a bad gateway.
Block the devices in forwarding.
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 4:01 am

I didn't realize I needed to reboot the router in order for the new firewall setting to take effect. Was that the step I was missing? The cameras all seem to be blocked from the Internet now. I also changed the connection-limit parameter from the default to "0,0"
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Oct 25, 2021 5:15 am

You don't always have to reboot your Router, when adding Firewall-Rules...
It was just a simple and error-proof way to terminate all "established" connections =)

It has something to do with your Firewall Setup....
The Firewall works Top-Down and the very first Firewall-Rule for Forward-Traffic is
"action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked"

So even if your new Firewall-Rule blocked all IP-Camera Traffic (new, established,related and untracked traffic)
established Traffic was still getting accepted from the TOP.
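As an added illustration of the top-down evaluation described above (example code written for this thread, not part of any post and not RouterOS itself), the following Python models the poster's forward chain as a first-match rule list with a simulated connection table. It also goes one step beyond the post by evaluating the same packets with the drop rule placed above the accept-established rule. The camera addresses are taken from the poster's IP-cameras list; the hostname p2p.example is a constructed sample value.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Sample address-list: two of the camera addresses from the poster's export.
ADDRESS_LISTS: Dict[str, Set[str]] = {"IP-cameras": {"192.168.88.39", "192.168.88.22"}}

@dataclass
class Packet:
    src: str
    out_list: str    # interface list the packet leaves through: "WAN" or "LAN"
    state: str       # connection-tracking state: new/established/related/untracked/invalid

@dataclass
class Rule:
    comment: str
    action: str
    states: Set[str] = field(default_factory=set)   # empty set = any connection-state
    out_list: Optional[str] = None                   # out-interface-list matcher
    src_list: Optional[str] = None                   # src-address-list matcher

    def matches(self, p: Packet) -> bool:
        return ((not self.states or p.state in self.states)
                and (self.out_list is None or p.out_list == self.out_list)
                and (self.src_list is None or p.src in ADDRESS_LISTS[self.src_list]))

# The poster's forward chain in export order (ipsec/fasttrack rules omitted,
# they do not change the outcome for these packets).
FORWARD = [
    Rule("defconf: accept established,related,untracked", "accept",
         states={"established", "related", "untracked"}),
    Rule("defconf: drop invalid", "drop", states={"invalid"}),
    Rule("Drop: IP cameras (LAN -> Internet)", "drop", out_list="WAN", src_list="IP-cameras"),
]
# Same rules with the camera drop moved to the top of the chain.
FORWARD_DROP_FIRST = [FORWARD[2], FORWARD[0], FORWARD[1]]

def verdict(p: Packet, chain=FORWARD) -> Tuple[str, str]:
    """A chain is evaluated top-down; the first matching rule decides."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "end of chain (no rule matched)"   # built-in chains default to accept

def camera_packet(src: str, conntrack: Set[Tuple[str, str]], dst: str) -> Packet:
    """Minimal conntrack model: a flow already in the table is 'established', else 'new'."""
    state = "established" if (src, dst) in conntrack else "new"
    return Packet(src, "WAN", state)

def before_and_after_reboot(src: str = "192.168.88.39", dst: str = "p2p.example") -> Tuple[str, str]:
    """The camera's p2p session was opened before the drop rule was added.
    A reboot (or any other clearing of the connection table) makes the next packet 'new'."""
    conntrack = {(src, dst)}                     # session already tracked
    before = verdict(camera_packet(src, conntrack, dst))[0]
    conntrack.clear()                            # reboot wipes connection tracking
    after = verdict(camera_packet(src, conntrack, dst))[0]
    return before, after
```

Running `before_and_after_reboot()` returns `("accept", "drop")`, which is exactly the behaviour the post describes.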
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Nov 21, 2021 6:29 pm

@ConnyMercier, this has been working perfectly, but for debugging purposes I wanted to re-enable Internet access for a couple of the cameras. I tried removing their IP addresses from the list and restarted the router, but they were still blocked from the Internet. So, I then tried disabling the firewall rule completely and restarted the router but still no Internet access for those cameras. Any idea what's going on here and how I could re-enable their Internet access temporarily? Thanks! (they have static IP addresses and they have not changed)
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Block p2p from IP cameras - RB4011iGS+RM

Sun Nov 21, 2021 8:51 pm

Q1. Did you reboot the Camera after editing the Firewall?
Q2. How do you know that the Internet access for the Cameras isn't working?
Q3. Can you Post the Latest config of your Router ? (/export hide-sensitive)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Nov 22, 2021 2:33 am

This is wrong on your config..........
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

SHOULD BE
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

Don't see DNS noted on the config although it may be selected on the router and simply doesn't show on the print
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Nov 22, 2021 2:41 am

To answer your question I believe all the switches and Access points you are using are smart devices which can read vlans.
In this case it gives you much flexibility in that you can create and put the vlans to any ports or wlans you want and thus segregate traffic effectively.
It's a layer of magnitude of work to set it up, in that one has to plan, map and execute them across multiple devices but it's not too too bad.
Much easier than ipsec or mangling or the like and is a bit tedious but not complex.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block p2p from IP cameras - RB4011iGS+RM

Mon Nov 22, 2021 2:42 am

If your task is simply to block a list of cameras from accessing the internet, what you have done seems good to go!
The only thing I don't understand is why you have some sort of connection limits, why have them?

add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" connection-limit=100,32 out-interface-list=WAN src-address-list=IP-cameras

add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" in-interface-list=LAN out-interface-list=WAN src-address-list=IP-cameras
 
knat53
newbie
Topic Author
Posts: 28
Joined: Fri Oct 15, 2021 4:53 am

Re: Block p2p from IP cameras - RB4011iGS+RM

Wed Nov 24, 2021 7:08 am

What are the implications of having interface=ether2 instead of interface=bridge? To help me better understand, could you elaborate on how this is adversely affecting my network?

This is how my DNS is currently configured. What are the implications of having DNS configured like this instead?

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Thanks so much for your help. I really appreciate it! (I still have a lot to learn about network configuration and Mikrotik.)