Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Firewall not blocking Hikvision

Thu Aug 25, 2022 7:15 pm

Hi,

How is it possible that, when the IP camera is blocked in the firewall, I can still see the video from that camera?

1. IP address of the camera is static
2. UPnP is not allowed
3. Forward drop on IP camera is not working
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: Firewall not blocking Hikvision

Thu Aug 25, 2022 7:26 pm

Since my crystal ball is broken could you post your config with hide sensitive option?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall not blocking Hikvision

Thu Aug 25, 2022 7:50 pm

This question must be asked: do you see it from the internal LAN or from outside your LAN?
 
Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: Firewall not blocking Hikvision

Thu Aug 25, 2022 9:46 pm

no need to quote preceding post - use "Post Reply"
outside of my LAN... I will post my config later...
 
Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: Firewall not blocking Hikvision

Mon Aug 29, 2022 11:06 pm

Hi,

please see my config, and be aware that some public IPs have been changed...
# aug/29/2022 21:56:46 by RouterOS 7.4.1
# software id = D7SA-MDTW
#
# model = RBD53iG-5HacD2HnD
# serial number = 
/disk
set usb1 disabled=no
set usb1-part1 disabled=no name=disk2
/interface bridge
add admin-mac=2C::79 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=04::79
set [ find default-name=ether5 ] poe-out=off
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-n .width=20/40mhz \
    configuration.country=Czech .mode=ap .ssid=ASUS_50_2G disabled=no name=\
    ASUS_50_2G security.authentication-types=wpa-psk,wpa2-psk \
    .group-encryption=tkip
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 channel
add band=5ghz-ac name=5Ghz width=20/40/80mhz
/interface wifiwave2 configuration
add channel=5Ghz channel.band=5ghz-ac .frequency=5700 .skip-dfs-channels=all \
    .width=20/40/80mhz country=Czech mode=ap name=cfg5 ssid=ASUS_50_5g
/interface wifiwave2 security
add authentication-types=wpa-psk,wpa2-psk name=sec1
/interface wifiwave2
set [ find default-name=wifi2 ] channel=5Ghz channel.band=5ghz-ac \
    .skip-dfs-channels=all .width=20/40/80mhz configuration.country=Czech \
    .mode=ap .ssid=ASUS_50_5G disabled=no name=ASUS_50_5G security=sec1
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=pool1 ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=pool1 interface=bridge lease-time=4w2d23h59m name=defconf
/queue type
add kind=fq-codel name="fq codel"
add cake-nat=yes kind=cake name=Cake
/queue simple
add bucket-size=0.01/0.01 limit-at=300M/22M max-limit=300M/22M name=Cake \
    queue=Cake/Cake target=ether1
/queue tree
add disabled=yes max-limit=22M name="Cake Up" packet-mark=Up parent=global \
    queue=Cake
add disabled=yes max-limit=300M name="Cake Down" packet-mark=Down parent=\
    global queue=Cake
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity="" name=zt1 \
    port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=yes instance=\
    zt1 name=zerotier1 network=35969
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge interface=ASUS_50_5G
add bridge=bridge interface=ASUS_50_2G
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10./24 endpoint-address=185 \
    endpoint-port=443 interface=wireguard1 public-key=\
    +omgc="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10./30 interface=wireguard1 network=10.5.0
/ip dhcp-client
add default-route-distance=2 interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:24:5e:be:48:ae:c4 comment=QNAP \
    mac-address=24:5E:BE:48:AE:C4 server=defconf
add address=192.168.1.12 client-id=1:d4:b7:61:6c:95:bd comment=Kamera \
    mac-address=D4:B7:61:6C:95:BD server=defconf
add address=192.168.1.19 client-id=1:4c:2:20:64:56:51 comment=Mi10T \
    mac-address=4C:02:20:64:56:51 server=defconf
add address=192.168.1.20 client-id=1:3a:e1:f3:4c:3b:45 comment=iPhone \
    mac-address=3A:E1:F3:4C:3B:45 server=defconf
add address=192.168.1.17 client-id=1:b0:e4:d5:b9:7c:cc mac-address=\
    B0:E4:D5:B9:7C:CC server=defconf
add address=192.168.1.13 mac-address=54:48:E6:29:CE:FE server=defconf
add address=192.168.1.21 mac-address=54:48:E6:41:36:0A server=defconf
add address=192.168.1.15 client-id=1:6c:88:14:65:29:5c mac-address=\
    6C:88:14:65:29:5C server=defconf
add address=192.168.1.22 client-id=1:64:bc:58:ec:82:59 comment="ITW notebook" \
    mac-address=64:BC:58:EC:82:59 server=defconf
add address=192.168.1.10 client-id=1:fc:3:9f:2:98:5e comment="Samsung TV" \
    mac-address=FC:03:9F:02:98:5E server=defconf
add address=192.168.1.14 client-id=1:c8:e2:65:45:78:a6 mac-address=\
    C8:E2:65:45:78:A6 server=defconf
add address=192.168.1.23 client-id=1:84:c5:a6:9c:21:bf mac-address=\
    84:C5:A6:9C:21:BF server=defconf
add address=192.168.1.25 client-id=1:d4:86:60:32:6b:18 mac-address=\
    D4:86:60:32:6B:18 server=defconf
add address=192.168.1.35 client-id=1:1c:69:7a:68:a5:4d mac-address=\
    1C:69:7A:68:A5:4D server=defconf
add address=192.168.1.36 client-id=1:dc:a6:32:a1:d0:17 mac-address=\
    DC:A6:32:A1:D0:17 server=defconf
add address=192.168.1.26 client-id=1:62:9a:3d:52:c8:17 comment=OnePlus9 \
    mac-address=62:9A:3D:52:C8:17 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=forward log=yes src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 log=yes
add action=jump chain=forward comment="jump to kid-control rules" disabled=\
    yes jump-target=kid-control
add action=accept chain=input dst-port=443 protocol=udp src-address=\
    185..240 src-port=""
add action=accept chain=forward disabled=yes dst-address=10..0/24 \
    src-address=10..0/24
add action=accept chain=forward disabled=yes dst-address=10.0/24 \
    src-address=10..0/24
# zerotier1 not ready
add action=accept chain=forward in-interface=zerotier1
# zerotier1 not ready
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-packet chain=forward disabled=yes new-packet-mark=Up \
    out-interface-list=WAN passthrough=yes
add action=mark-packet chain=forward disabled=yes in-interface-list=WAN \
    new-packet-mark=Down passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=10.1.168.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip smb
set domain=workgroup
/ip smb shares
add directory=/disk1 name=share1
/ip upnp
set show-dummy-rule=no
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=TAPAC3
/system logging
add topics=wireguard
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
 
Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: Firewall not blocking Hikvision

Mon Aug 29, 2022 11:09 pm

How is it possible that the Hikvision at 192.168.1.12 still has internet access and I can see the video online?
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: Firewall not blocking Hikvision

Tue Aug 30, 2022 1:23 am

Is this hAP ac³ your Internet router, with the modem in bridge mode, connected to ether1? If not, my best guess is that your RouterOS bridge configuration bypasses the firewall by offloading everything it can to the built-in switch chip.

A related possibility is all that VPN stuff you've got going in there: the camera might be seeing a VPN connection and is connecting out through that.

If neither of those is the problem, and the overall goal is to get the camera to record to a local DVR (such as that QNAP device you've got at .11) then my suggestion is to stop trying to work out why it's bypassing the router's firewall and set up VLANs. Put the camera on a single dedicated "IPcam" VLAN, put the DVR on that one and any other VLANs it needs to see, and then configure the router to refuse Internet access for traffic originating from the IPcam VLAN.

With suitable use of VLAN tagging and ingress rules, this is much harder to bypass.
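The VLAN isolation tangent describes, written out as RouterOS 7 CLI. This is an added example, not tangent's or Rox169's configuration and not from the thread: it assumes the camera is cabled to ether2 (the thread never says which port it is on), picks VLAN id 20 and 192.168.20.0/24 arbitrarily, keeps the QNAP at 192.168.1.11 on the existing untagged LAN, and relies on the defconf rules already present in the export above (the forward-chain accept for established,related,untracked and the input-chain "drop all not coming from LAN"). The interface name vlan20-ipcam, the list name and the rule comments are likewise assumptions.

```routeros
# Added example: dedicated IPcam VLAN on the hAP ac3 bridge from the export above.
# Assumptions (not from the thread): camera on ether2, VLAN 20, 192.168.20.0/24.
# Apply from a port that stays untagged (ether3-5 or Wi-Fi), not from ether2.

/interface bridge port
# ether2 becomes an access port: untagged frames land in VLAN 20, tagged frames are refused
set [ find interface=ether2 ] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# the bridge itself is a tagged member so the router can own an L3 interface in VLAN 20
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20

/interface vlan
add interface=bridge name=vlan20-ipcam vlan-id=20

/ip address
add address=192.168.20.1/24 interface=vlan20-ipcam

/ip pool
add name=pool-ipcam ranges=192.168.20.10-192.168.20.50
/ip dhcp-server
add address-pool=pool-ipcam interface=vlan20-ipcam name=dhcp-ipcam
/ip dhcp-server network
# no dns-server handed out on purpose: the camera has nothing it needs to resolve
add address=192.168.20.0/24 gateway=192.168.20.1

/ip firewall filter
# let the camera obtain a lease; vlan20-ipcam is deliberately NOT added to the LAN list,
# so the defconf "drop all not coming from LAN" input rule catches everything else from it
add chain=input in-interface=vlan20-ipcam protocol=udp dst-port=67 action=accept \
    comment="ipcam: DHCP only" \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]
# the DVR/NAS on the LAN pulls RTSP from the camera, so connections start on the LAN side;
# replies come back through the defconf established,related accept
add chain=forward in-interface-list=LAN out-interface=vlan20-ipcam connection-state=new \
    action=accept comment="ipcam: LAN may open connections to cameras" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
# anything the camera originates itself (Internet, vendor cloud, other LAN hosts) is dropped
# and logged; this lands after the established,related accept, so RTSP replies are unaffected
add chain=forward in-interface=vlan20-ipcam action=drop log=yes log-prefix=ipcam-drop \
    comment="ipcam: cameras originate nothing" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]

/interface bridge
# last step: switch the bridge to VLAN mode; ports left at pvid=1 keep working untagged
set bridge vlan-filtering=yes
```

Once the camera lives in VLAN 20, the two address-based drop rules at the top of the forward chain and the "Kamera" lease on the defconf DHCP server no longer apply and can be removed. Note that wireguard1 is a member of the LAN list in the export, so the "LAN may open connections to cameras" rule also admits WireGuard peers; use a narrower in-interface if that is not wanted. The log-prefix makes hits from the camera easy to find with /log print where message~"ipcam-drop".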
 
Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: Firewall not blocking Hikvision

Tue Aug 30, 2022 11:12 pm

Hi,

yes, HAP AC3 is my internet router. ether1 is WAN and it is not part of the bridge. I do not understand it... the firewall should block everything from 192.168.1.12
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: Firewall not blocking Hikvision

Tue Aug 30, 2022 11:40 pm

If you're unwilling to implement VLAN boundaries, my next suggestion is to run Torch on the camera's network interface to see what it's saying. It might not be using the IP you're blocking, thus giving the behavior you observe, for example.
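The checks behind tangent's suggestion, as an added example that is not part of the thread: they establish whether the camera really sends as 192.168.1.12 and whether the two drop rules ever match, before any VLAN work. The MAC D4:B7:61:6C:95:BD and the .12 address come from the "Kamera" lease in the export above; ether2 as the camera's port is an assumption.

```routeros
# Added example: verification commands for the export above. MAC and IP come from the
# "Kamera" DHCP lease in the posted config; ether2 as the camera port is an assumption.

# 1. Did the two drop rules ever match? Counters stay at zero if the camera never
#    sends as 192.168.1.12 (an address set manually on the camera wins over the static lease).
/ip firewall filter print stats where src-address=192.168.1.12 or dst-address=192.168.1.12

# 2. Both rules have log=yes, so any match also appears in the log.
/log print where message~"192.168.1.12"

# 3. Which IP is actually behind the camera's MAC? Compare the lease, the ARP table
#    and the bridge host table; a mismatch between them is the first thing to look for.
/ip dhcp-server lease print where mac-address=D4:B7:61:6C:95:BD
/ip arp print where mac-address=D4:B7:61:6C:95:BD
/interface bridge host print where mac-address=D4:B7:61:6C:95:BD

# 4. Connections the router currently tracks for the camera, including the remote
#    endpoint it keeps open (vendor cloud services keep outbound sessions alive).
/ip firewall connection print where src-address~"192.168.1.12"

# 5. Torch on the bridge, as tangent suggests, filtered to the camera's IP ...
/tool torch interface=bridge src-address=192.168.1.12/32 dst-address=0.0.0.0/0 \
    ip-protocol=any port=any

# 6. ... and, because torch filters by IP, a sniffer capture keyed by MAC shows the
#    camera under whatever address it is really using.
/tool sniffer set filter-interface=ether2 \
    filter-mac-address=D4:B7:61:6C:95:BD/FF:FF:FF:FF:FF:FF filter-direction=rx
/tool sniffer quick
```

If step 1 shows zero packets on both rules while the stream is visible, the traffic is not passing through the forward chain as 192.168.1.12 at all, and steps 3 and 6 tell you which address it is using; if the counters do climb, the stream reaches you some other way and the connection table in step 4 is where to look next.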
