ADFHogan
Regular Contributor
Hey all,
I have a cheap, crappy IP surveillance cam, and an old laser printer - both connected to my network. The laser printer hasn't had firmware updates available in a while, and the last one available won't run on Windows 10 (vendor's "solution" - have you tried plugging it in with USB?)... The IP cam's "brand" has decided to move to some BS windows/android app for firmware updates (you can no longer just browse a folder of them), presumably for some good ol' security through obscurity.
Subsequently, I don't think these devices should have or need internet access. The laser printer can receive print jobs from the local network as expected, but cannot access the outside world. The IP camera can relay "alerts" through a local SMTP relay and get its clock from a local NTP daemon.
What I've found, however, is that even when I'm connected to OpenVPN - I can't access the camera or the printer, unless I proxy through a machine explicitly on the LAN. This would seem to arise from the block on internet access to the devices being implemented as a MAC based block on the restricted devices communicating outside the br0 network and not just blocking the "internet". OpenVPN provides IPs on a range attached to tun21 interface.
How might one continue to block these "internet of sh**" devices from the internet, but cleanly allow VPN clients to speak with them?
Excerpt from iptables -nvL: (actual MAC addresses redacted)
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC PRINTERMAC
163 24678 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC IPCAMMAC
44669 18M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
5 660 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
2554 324K SECURITY all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5575 611K NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
2554 324K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
3021 287K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
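Added example, not part of the original post: one way to keep these devices off the internet while letting OpenVPN clients reach them. The posted rules drop everything the two MACs send that leaves br0 (`-i br0 -o *`), which also kills their replies towards tun21, and they sit ahead of the RELATED,ESTABLISHED rule. Narrowing the drop to the WAN interface (`-o eth0`, going by the `!br0 eth0` rule in the listing; on a PPPoE uplink it would be `ppp0`) leaves the existing `tun21 -> *` ACCEPT and the ESTABLISHED rule to carry VPN traffic in both directions. Interface names and the two MAC addresses below are placeholders; the script prints the iptables commands rather than running them, so you can inspect the result before piping it to `sh` (for example from a firewall-start hook).

```shell
#!/bin/sh
# Assumed names: br0 = LAN bridge, eth0 = WAN uplink, tun21 = OpenVPN server.
# The MACs are placeholders for the printer and the camera.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
IOT_MACS="${IOT_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

# Emit the rule set as iptables commands (apply with: build_iot_rules | sh).
# A dedicated chain is flushed and rebuilt each run, so re-running is safe.
build_iot_rules() {
    echo "iptables -N IOT_NOWAN 2>/dev/null || iptables -F IOT_NOWAN"
    for mac in $IOT_MACS; do
        # The mac module matches only the *source* MAC and only on the
        # interface the device is directly attached to, so the match must
        # be on traffic entering from br0. Dropping only what is bound for
        # the WAN leaves br0 -> tun21 replies to VPN clients untouched.
        echo "iptables -A IOT_NOWAN -i $LAN_IF -o $WAN_IF -m mac --mac-source $mac -j DROP"
    done
    echo "iptables -A IOT_NOWAN -j RETURN"
    # Hook the chain at the head of FORWARD so it runs before any ACCEPT
    # that could let the devices out; remove stale hooks from earlier runs.
    echo "while iptables -D FORWARD -j IOT_NOWAN 2>/dev/null; do :; done"
    echo "iptables -I FORWARD 1 -j IOT_NOWAN"
}

# Quick self-check on a live router: both counters should stay at 0 for
# WAN-bound traffic while a VPN client talks to the devices.
show_iot_rules() {
    iptables -nvL IOT_NOWAN
}

# Print the generated commands when the script is run directly.
if [ "${1:-}" = "print" ]; then
    build_iot_rules
fi
```

Because the devices' local SMTP relay and NTP server are on br0, that traffic never reaches FORWARD and is unaffected. If the router's GUI wrote the original MAC rules, it will recreate them on a firewall restart; either remove them there or accept that the generated chain, being first, makes the decision for WAN-bound packets before they are reached.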