Blocking IP camera from WAN. Will it affect Alexa and VPN?

[Ted Danson]

I have two Netvue WiFi 1080p Home Cam IP cameras I would like to add to my network. They are being placed in bedrooms so for privacy and security reasons I have the following requirements:

• No access to the Internet at all except if I run a VPN server in order to connect home and access the cameras on the LAN.
• I have a Netgear GS716T smart switch attached to a port on my ASUS RT-AC5300 so would like to create a separate VLAN just for IOT devices. This is probably straying off topic but it's just when I've created VLAN's on the switch before I lose access to the devices put in that VLAN. I'm assuming I need to set up the trunk port or something on the switch pointing to the router but I'm not too clued up for it. If I can do this then I'd like to separate my IOT devices too at a later stage so learning this would be a bonus.
• I'd like to ensure that the cameras can pickup NTP transmissions so a flat out parental filter block won't really do.
• With regards VLAN's can I segment 2.4 and 5ghz SSID's in to separate VLAN's e.g. IoT devices, Mobile devices etc?
• I'm adding a Logitech Circle 2 (WiFi version) to the network this week too. I'd like that to have full access to the outside world as it is going to be located outside and won't be in sensitive rooms. So I'm thinking I might need another VLAN for that so it doesn't get a firewall rule it shouldn't.
• The three cameras all have Alexa capabilities so I don't want that to be affected by any meddling.

I did have a look at this thread here and got a few pointers but I don't think it covers everything I'm looking to achieve.

https://www.snbforums.com/threads/how-to-block-ip-camera-from-accessing-the-internet.29693

The main thing is I don't want folk using Shodan (purely as an example) and what have you and trying to access these cameras due to some backdoor in them.

Thanks a million all.

 

[JDB]

I would see if they use the same port for the video stream every time and block just that with a simple rule on the router by giving the cameras fixed IPs via the DHCP Server and then blocking traffic from that source IP/Port (no need for VLAN etc).

Alexa services rely heavily on the internet so if you go for a blanket block that won’t work anymore.


Sent from my iPhone using Tapatalk

 

[Ted Danson]

I would see if they use the same port for the video stream every time and block just that with a simple rule on the router by giving the cameras fixed IPs via the DHCP Server and then blocking traffic from that source IP/Port (no need for VLAN etc).

Alexa services rely heavily on the internet so if you go for a blanket block that won’t work anymore.


Sent from my iPhone using Tapatalk

Yeah I figured the Alexa element may prove problematic. I'll have to run a packet capture and see exactly what the cameras are doing. The cameras are wireless though and I guess I can't create wireless VLAN's with my router, I don't know to be honest.

What happens if the cameras use a different ports or the same port as other devices on my network? Or do you mean I'd be blocking, say, 192.168.1.100:3333 across the board if they all used the same port for example.

 

[pattiri]

well, I'm not sure if this works for you but you can think about it. Just remove DNS IP address on your IoT devices, and give them an NTP IP address (not a domain name for NTP) this way you can access them via VPN, alexa will be able to connect them and they will not able to connect anywhere on WAN and you don't need to do any change on your router.

 

[JDB]

Yea blocking the iport combo explicitly would be ideal. Have to see if it’s the same port though (it usually is)


Sent from my iPhone using Tapatalk