Firewall problems


FredsterNL

Hi all,

Hope that someone can help me with this issue, as I can't find the answer in earlier posts.

I have an Asus RT 1900u with the 384.13 firmware active (With a WAN IP of 77.123.123.123 for example)

On the local LAN (192.168.x.x) I have two IP cameras that are connected wirelessly to the router (Neo Coolcam), which currently can be reached from my phone (not connected to the LAN, but the phone has internet access over 4G, with an example IP of 188.123.123.123).

I suspect that the cameras are very unsafe and just about everybody could access them, which I'd like to prevent.

My goal is to ONLY allow traffic from my phone's IP (188.123.123.123) to the cameras (192.168.1.100 & 192.168.1.101 using port 1234) that are active on the LAN.

It is not important that the router has to do any other tasks, only accept the traffic from/to my phone to the cameras for remote monitoring and drop everything else.

Is this at all possible with the router/IPTABLES and can anyone help me protect the cameras from all other IPs??? Unfortunately I can't use OpenVPN on my phone (or router for that matter).

Thanks for any help you might be able to provide!
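The access restriction asked for above, as an added example that is not part of the original post or of the Asus/Merlin firmware: a script in the style of Merlin's /jffs/scripts/firewall-start hook, using the thread's example addresses. The two external ports (50100/50101), the WAN interface name eth0 and TCP as the camera protocol are assumptions.

```shell
#!/bin/sh
# Constructed example (not the poster's or Asus/Merlin code): restrict the two
# cameras to one allowed source address, as asked in the thread. Intended for
# Merlin's /jffs/scripts/firewall-start hook, which passes the WAN interface
# name as $1; every other value below is an assumption or the thread's example.
IPT="${IPT:-iptables}"                  # set IPT=echo to print rules instead of applying
WAN_IF="${1:-${WAN_IF:-eth0}}"          # assumption when not given by firewall-start
PHONE_IP="${PHONE_IP:-188.123.123.123}" # the 4G address changes; update it when it does
CAM_PORT="1234"                         # camera service port (thread's example, TCP assumed)
CHAIN="CAMGUARD"                        # our own chain, evaluated ahead of the firmware's rules

# One line per camera: "external_port internal_ip". Each camera needs its own
# external port because both listen on the same internal port.
CAMS="50100 192.168.1.100
50101 192.168.1.101"

cam_rules() {
  # Emit one iptables argument list per line, in the order they must be applied.
  echo "-N $CHAIN"   # fails harmlessly if the chain already exists
  echo "-F $CHAIN"
  # Replies of flows already allowed are left to the firmware's own rules.
  echo "-A $CHAIN -m state --state ESTABLISHED,RELATED -j RETURN"
  echo "$CAMS" | while read -r ext ip; do
    [ -n "$ext" ] || continue
    # Only the phone's address is ever translated to the camera (nat table is
    # assumed to be rebuilt by the firmware before firewall-start runs).
    echo "-t nat -A PREROUTING -i $WAN_IF -s $PHONE_IP -p tcp --dport $ext -j DNAT --to-destination $ip:$CAM_PORT"
    echo "-A $CHAIN -i $WAN_IF -s $PHONE_IP -d $ip -p tcp --dport $CAM_PORT -j ACCEPT"
    # Anything else arriving from the WAN for the camera is dropped, whatever the port.
    echo "-A $CHAIN -i $WAN_IF -d $ip -j DROP"
    # The camera itself may not open connections to the internet (cloud/P2P relays).
    echo "-A $CHAIN -s $ip -o $WAN_IF -j DROP"
  done
  # Evaluate our chain before everything the firmware put in FORWARD.
  echo "-I FORWARD 1 -j $CHAIN"
}

apply_rules() {
  cam_rules | while read -r args; do
    $IPT $args   # word splitting is intended: each line is one argument list
  done
}

# Apply only when installed under the firewall-start name; sourcing the file
# (or running it under another name) just defines the functions for a dry run.
case "$0" in *firewall-start) apply_rules ;; esac
```

Run it with `IPT=echo sh thisfile.sh` first to review the exact rules before installing it as firewall-start.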
 
You could do this with the router's Network Services Filter. But the problem would normally be that the IP address of your phone will change frequently.
 
And you would have to use 2 different ports, one for each cam. Just port forward the incoming port to the IP and port used for the cam.
You can use Asus DDNS to overcome the problem of changing IP at home.
BUT very insecure like it is now, as everyone worldwide can access your cams.
You could limit IP to the range used by your phone provider, but still all other customers of this provider will be able to access your cams, and it won't work while roaming.

That's why you should use VPN; then you don't open the cam ports to the web, but your phone will be part of your intranet like when it's connected via Wifi.
 
Welcome to the forum, FredsterNL.

You've pre-empted the obvious question by stating you can't use OpenVPN on your phone or router. (Out of interest, why ever not?)

Have you considered blocking outbound connections from the cameras and tunnelling using SSH local port forwarding to connect from your phone to the cameras (as a 'poor man's VPN'), using perhaps an obscure port for the SSH connection instead of port 22?

That said, some forum members would be against using SSH, for security reasons, even on an obscure port and with public key infrastructure.
 
Is the Asus DDNS not still broken?
 
Not with the latest firmwares, 81351, released last week (for some). Or without Let's Encrypt.
Is that Let's Encrypt as in the certificate for HTTPS router web UI access (LAN access only, if one has any sense)? In that case, I didn't need to switch to Afraid for my DDNS. Nevertheless, Merlin has, in the past, advocated using Afraid in preference to Asus, so maybe I'll stick with it.
 
LE changed from ACMEv1 to v2 in spring and turned v1 off last month, so it had to be fixed before working again now; Merlin somewhat later.
 
So how is the external access configured today? UPNP? Or do the cams talk to the cloud and the app talks to the cloud?
 
Hi,
First of all, thanks all for your help and input!

To be honest I'm quite a n00b at networking (but I guess you all figured that out by now :))

I will try to explain the issue a bit further.

The cameras were installed by first connecting them to ethernet on one of the LAN ports, and then configuring the SSID to make them wireless.

Each camera nicely gets an IP, but I never have to use it, oddly enough. Each camera has a QR code at the underside of the camera. Scanning that QR code with the NEO COOLCAM app adds it into the app and one can see the image on my phone, whether I am on the camera's LAN or anywhere else, having a totally different IP, not even on some WIFI LAN but anywhere in the country: it just can connect to the cameras. Cloud? I have no idea if they are using some cloud service and I have not enough knowledge to find out for sure...

I photographed the QR codes and scanned them on someone else's phone, also after first installing the Coolcam app. The cameras get added (just a pwd is needed) without issue, and the second phone can ALSO see the cameras' footage (hence me thinking security isn't at all present, or very weak at the least). The cameras are essential for monitoring my elderly mom, as none of us live nearby.

My goal is to have only a limited set of phones or LAN connected computers to connect to the cameras, before half of China can access them and footage ends up God knows where on Facebook :(

The OpenVPN can't be used, because I have configured it to access the router remotely, as the cams are not secured yet. The VPN can neither be used by the other people that are to monitor, as they are computer illiterate and it would cause enormous issues.

When I have my phone viewing images from remote using the app, I have no idea what port it is using to access the cameras (a NETSTAT on the router doesn't show my phone's IP at all, even though I obviously have a connection viewing the live footage).

From all your comments I gather that adding the cams to the VPN subnet 10.8.x.x would be the safest, as a working OPENVPN tunnel would need to be active to access that 10.8.x.x LAN. I suppose all I have to do then is get them off the 192.168.x.x net by changing their IP to some free static address in 10.8.x.x???

Remains the problem of teaching someone with no ideas of VPNs on how to start one, do the monitoring, and then disconnect the VPN... Heh, maybe I am overestimating that issue.

Have you considered blocking outbound connections from the cameras and tunnelling using SSH local port forwarding to connect from your phone to the cameras (as a 'poor man's VPN'), using perhaps an obscure port for the SSH connection instead of port 22?

That said, some forum members would be against using SSH, for security reasons, even on an obscure port and with public key infrastructure.

I have literally no idea how to do that, but am I correct if I get to use another certificate for the OpenVPN (LetsEncrypt?!? Is that where I can get non-Asus certificates?) that I can use to configure a most secure OpenVPN server?

Will try and upload some pics from the cam and App (where I can't even see what IP the cam has!)

Note: Accessing the cam's webpage from the local LAN does offer more configuration items.

Thanks!
 
Underside of one of the cams
All I can see from the phone app, pretty much only a, reboot option...