Security considerations for new camera

Nowadays everybody buys and installs lots of different types of home cameras.

What do people think about security considerations in doing so?

Thx

Putting them on their own network is my solution.

I keep all WiFi and TVs on a separate network, yes.

I wonder if you do anything, e.g. block rules to IPs they use; in my case it’s accessing Alibaba IP.

As Tom said, and has videos on, separate networks/vlans and use rules to disallow all except to the wan for internet. I’m not sure if you’d really want to go down the rabbit hole of trying to figure out everywhere the cameras connect to and disallow them access, but I’d imagine pfBlocker or Suricata would work for the initiated.

I like “use rules to disallow all except to the wan for internet” !

Need to add this (share if you have an example, pls)

Thx!

Just set up an Alias for all local networks, then use the Invert option on the destination firewall rule and use the alias there. Tom has shown this in a few of his videos and it’s very simple and works well to keep traffic bound to the gateway.

Any chance you remember/have Tom’s video URL?

My YouTube-Foo must be decent today… LoL

How to Setup An Alias In pfsense To Simplify Firewall Rules

Just instead of using IPs, use entire subnets, e.g. 192.168.0.0/24

Thx

I found that I have a similar rule, see attached

But I think I will do more by adding to allow only web access

Rule looks good. As long as the Alias list is good, the only thing more you could do, I think, would be to force the gateway from Default, to WAN (or whichever you want). Well, you could also do a Port Alias as well, but unless they, the cameras, stick to a set list of ports, it’s not worth the hassle trying imo.
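Added example (not from the thread or from any poster): a Python model of the inverted-alias pass rule discussed above, used to check whether an alias really covers every internal subnet. The subnets, alias contents and function names are constructed for illustration; the RFC 1918 alias is a common alternative, not something the posters specified.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
INTERFACE_SUBNETS = {
    "LAN": "192.168.0.0/24",
    "WIFI": "192.168.10.0/24",
    "VPN": "10.8.0.0/24",
}
ALIAS_AS_ENTERED = ["192.168.0.0/24", "192.168.10.0/24"]  # VPN subnet forgotten
ALIAS_RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse(cidrs):
    """Turn CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def rule_passes(dst, alias):
    """Model of 'pass, destination = NOT alias'.

    The rule matches (and passes) only when dst is outside every alias entry;
    otherwise evaluation falls through to later rules or the default deny.
    """
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in parse(alias))


def uncovered_segments(alias, interfaces):
    """Names of internal subnets not fully inside a single alias entry.

    Conservative: a subnet covered only by several smaller alias entries
    is still reported, so it gets a manual look.
    """
    nets = parse(alias)
    return sorted(
        name for name, cidr in interfaces.items()
        if not any(ipaddress.ip_network(cidr).subnet_of(n) for n in nets)
    )


if __name__ == "__main__":
    for label, alias in (("as entered", ALIAS_AS_ENTERED), ("RFC 1918", ALIAS_RFC1918)):
        print(label, "-> uncovered:", uncovered_segments(alias, INTERFACE_SUBNETS))
        for dst in ("192.168.0.50", "10.8.0.2", "203.0.113.10"):
            print("   ", dst, "pass" if rule_passes(dst, alias) else "no match")
```

With the alias as entered, the forgotten VPN subnet is reachable from the camera network; the broader alias closes that gap while internet destinations still pass.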

I do not allow any devices on the WiFi interface to access anything on LAN or VPN networks, so that’s ok. If I need to access my LAN from an iPhone connected to WiFi, I need to VPN first.

Now I actually never messed with gateways

Here is what I have

Can you elaborate on your thinking?

If you’re at home on your iPhone, there’s no reason you should have to VPN in. I’d make a rule just for your iPhone that gives access. Unless you enjoy more routing than required. :stuck_out_tongue:

In your rule, if you click the Advanced button near the bottom, it will bring up more rule options, one of which is Gateway. By default this is left Default and shows as * in the rule. Means that pfSense is the Gateway, you can further block it by choosing WAN which should force all traffic out the WAN instead of the pfSense routing table. It’s a bit overkill for most, including you I think. You’re better off using a Port Alias and locking them down that way, provided the cameras have listed ports and not chaos ranges. Otherwise just leave well enough alone and call it job done.

I’m an edge case with gateways, so I tend to think differently, I don’t always remember most people only have one WAN Gateway. That’s on me… my bad. :crazy_face:

That’s good to know, I enabled it too!

Since you are ‘edge case with gateways‘, let me ask, after I looked at gateways options in pfSense

Does it make sense to have more than one gateway with a single external IP by ISP?

If yes, how can it be utilized in light of this thread?

Thx

Short and sweet answer for most, Nope.