pfSense Block rules

Hey Tom,

I just watched your video on “Securing Surveillance Camera Networks” Securing Surveillance Camera Networks - YouTube and I noticed your block rule was on the top, when I attempted to do that it blocked all communication to all my devices in that network. Are my rules not working correctly?

The top block rule is blocking access to the management ports of the PFSense box, so devices on the camera network can not access PFSense GUI, SSH or NTOP (Port numbers have been changed from default)

For what it’s worth, I find sticking my cams on their own vlan and not allowing access to the internet to be the easiest approach. My other vlans can access the CAM vlan so viewing the cameras isn’t a problem.

That works unless you have doorbell and IP cameras that support remote P2P connections to receive push notifications and view streams/recordings. Without internet access, makes them dumb devices.

I use my NAS to “manage” notifications and viewing, the software on my old IP cams is a bit crappy now. There aren’t that many applications that I have found that manage ip cams very well beyond say QNAP or Synology which somehow do a decent job.

You ought to be able to get past p2p limitations using a VPN and a few crafted rules.

Lawrence did mention in the video that the Synology NVR only needs internet access, for accessing recording etc. This is probably the setup your require if you have an onsite NVR

If you do not have a onsite NVR or devices that need internet access this is not the firewall rules for your setup

The problem I see with your block rules is that you didn’t define any ports to block, but instead blocked everything () from everything (). You need to define an alias to include the ports you want to control and then define the block with the source set as the Network from which you want to block and the destination as “This Firewall” with the port range from the alias name you create to the same alias name. That way, you’re only blocking from that specific network going to the only the specific ports and only to the firewall.