Restricting IoT device

Posted: Tue Oct 31, 2017 2:20 am
by dan701
Hello, I have an RB2011UiAS-2HnD running OS 6.40.4. Within my network I have a security cam DVR which I would like to be able to access from different PCs within my network. BUT I do not want that device to be able to send traffic outside of my network. I have several security concerns regarding the online DVRs.
I have looked through the manual and my copy of RouterOS for a way to configure the firewall to do this, but apparently I'm a better programmer than router guru... Also my wife will be PO'd if "I break the Internet again! :-)"

Could someone point me to any examples of the best-practice way to do this? I can work with winbox, webfig, or ssh.

Thank you in advance....

Re: Restricting IoT device

Posted: Tue Oct 31, 2017 12:45 pm
by bernd2
Hi,

quick and dirty:

/ip firewall filter add action=drop chain=forward dst-address=!192.168.0.0/24 in-interface=ether19

Assuming 192.168.0.0/24 is your network and the cam is connected at eth19.

Regards
Bernd

Re: Restricting IoT device

Posted: Tue Oct 31, 2017 9:17 pm
by dan701
Thank you for the quick reply! I will try this out tonight and post how it goes. Hopefully I can use this as an example to get my head around the FW information in the RouterOS book.
Best Regards,
Dan

Re: Restricting IoT device

Posted: Fri Nov 10, 2017 5:22 am
by dan701
Hello, I attempted the command provided:

/ip firewall filter add action=drop chain=forward dst-address=!192.168.0.0/24 in-interface=ether19

which I adjusted for my network and for the interface. I am using an RB2011UiAS-2HnD running OS 6.40.4... this device has 10 Ethernet ports allocated to two switches:
# NAME
0 R ether1-gateway
1 RS ether2
2 RS ether3
3 S ether4
4 S ether5
5 RS ether6-master-local
6 S ether7-slave-local
7 S ether8-slave-local
8 XS ether9-slave-local
9 RS ether10-slave-local
10 XS sfp1
11 RS wlan1
12 R bridge-local

When I attempt to execute the command I receive the following:
"in/out-interface matcher not possible when interface (ether 7-slave-local) is slave - use master instead (bridge-local)" So apparently I am overlooking something fundamental to the port configuration ???????

Re: Restricting IoT device

Posted: Sat Nov 11, 2017 1:18 am
by allstarcomps
If the DVR has a static IP, set the src-address to that IP address. Remove the in-interface.

/ip firewall filter add action=drop chain=forward dst-address=!192.168.0.0/24 src-address=192.168.0.250

.250 is the DVR.
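The rule above works for one device with a fixed address. The following is an added example, not configuration from this thread or from MikroTik, that generalises it: it pins the DVR's address with a static DHCP lease, keeps restricted devices in an address list so more than one can be added, logs what gets dropped so the restriction can be verified, and also covers the input chain, which the forward rule does not touch. The addresses (LAN 192.168.0.0/24, DVR 192.168.0.250), the list name and the MAC address are assumptions; adjust them to your network.

```routeros
# Added example, not part of the original thread. Assumed values:
# LAN = 192.168.0.0/24, DVR = 192.168.0.250, MAC below is a placeholder.

# 1. Make sure the DVR keeps the address the rule matches on. If it gets its
#    address from the router's DHCP server, give it a static lease.
/ip dhcp-server lease add address=192.168.0.250 mac-address=00:11:22:33:44:55 comment="security DVR"

# 2. Keep restricted devices in an address list instead of hard-coding one IP.
/ip firewall address-list add list=iot-no-internet address=192.168.0.250 comment="security DVR"

# 3. Forward chain: the device may only send to LAN destinations; everything
#    else it originates is dropped and logged. Rules are evaluated top-down, so
#    put this ABOVE any "accept established,related" or fasttrack rule: if a
#    port forward (dst-nat) to the DVR exists, its replies to outside clients
#    count as established and would otherwise be accepted before this rule runs.
/ip firewall filter add chain=forward src-address-list=iot-no-internet \
    dst-address=!192.168.0.0/24 action=drop log=yes log-prefix="iot-egress-drop" \
    comment="IoT: LAN only" place-before=0

# 4. Input chain: traffic to the router itself is not seen by the forward chain.
#    Dropping it here means the DVR cannot use the router as a DNS resolver,
#    which is itself an indirect path to the outside; if you want the router to
#    resolve names for it, add an accept for udp/53 above this rule deliberately.
/ip firewall filter add chain=input src-address-list=iot-no-internet \
    action=drop log=yes log-prefix="iot-input-drop" comment="IoT: no router access"

# 5. Checks: from a LAN PC the DVR's web UI should still load; the drop rule's
#    counters and the log should show the DVR's outbound attempts being stopped.
/ip firewall filter print stats where comment~"IoT"
/log print where message~"iot-egress-drop"
```

Once the log shows nothing but expected drops (typical DVRs try NTP, cloud/P2P registration and firmware checks), you can turn `log=yes` off on the forward rule to keep the log quiet; leaving it on the input rule costs little and makes any new attempt to reach the router visible.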

Re: Restricting IoT device

Posted: Sat Nov 11, 2017 2:56 am
by dan701
Thank you! Changing the interface to the device IP rather than the actual port did the trick! Thank you both for the suggestions! Now I don't worry that someone outside of my network can access this device. And my wife is happy that I didn't break the Internet... again :-) !!