Geekzone: technology news, blogs, forums


Niel

3267 posts

Uber Geek
+1 received by user: 80

Trusted

#208141 28-Jan-2017 12:57

I've got an Audiocodes MP264 modem from WXC.  I've got a security camera with port forwarding working fine.  I'm concerned about getting hacked as the cheap Chinese cameras have no real security and their Linux web servers have default passwords with root access...  The camera does periodically ping a few IP addresses in China and Amazon.

 

I do not care about the cameras getting hacked, but I do care about the integrity of my network and devices on it.  Is there a way that I can set up the MP264 so that 1 Ethernet port is accessible from the WAN but not the LAN?  That way I can run multiple cameras with a switch through 1 port of the modem and no concerns that anyone from outside can get into my LAN through the cameras.

 

I guess as an alternative I can run my network on another router (with firewall) after the modem, but it would be more elegant if I can do it all on the MP264.  Thanks in advance.





You can never have enough Volvos!


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1711020 28-Jan-2017 13:00

To be perfectly honest you should never port forward to these cameras - put them in an IP address pool without internet access (you can indeed do this with the MP264) and use a Raspberry Pi with something like Monit for security monitoring.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.




yitz
2238 posts

Uber Geek
+1 received by user: 594


  #1711045 28-Jan-2017 14:54

Not sure about Audiocodes but I know on Broadcom based routers (so Netcomms, TP-Links) you can set up something like this under the Interface grouping menu. It is designed for multiservice access networks e.g. for IPTV STBs but can be manually configured as a way to set up multiple VLANs.


coffeebaron
6304 posts

Uber Geek
+1 received by user: 3566

Trusted
Lifetime subscriber

  #1711046 28-Jan-2017 15:06

Not concerned about your cameras getting hacked? What about when the police come knocking at your door for being an origin of a DOS attack or a trading ring for objectionable material etc.? It's not so much a case of the cameras getting hacked, it's what they get hacked for.

 

 





Rural IT and Broadband support.

 

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71 
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com




sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1711074 28-Jan-2017 15:46

You should never port forward to a camera. Period.

 

As pointed out the camera video being compromised is the least of your worries. It's when (not even if) your camera is compromised and becomes part of a DDoS attack.

 

If you need remote camera access it should only be via VPN.

 

 

 

 


Niel

3267 posts

Uber Geek
+1 received by user: 80

Trusted

  #1711097 28-Jan-2017 16:06

Okay, thanks, I get the point, port forwarding was disabled hours ago.  The only real reason for having port forwarding is so that my mum can from overseas see our kids play outside.  I'll set up a reputable camera for that, got a few old D-Links which use D-Link's server for remote viewing instead of port forwarding.

 

So I could set up VLANs on a specific Ethernet port and then significantly restrict that VLAN's access to only certain WAN IP address ranges which include say my place of employment and my mum's ISP?





You can never have enough Volvos!


richms
29097 posts

Uber Geek
+1 received by user: 10206

Trusted
Lifetime subscriber

  #1711100 28-Jan-2017 16:26

Just means that only compromised servers on the mum's ISP will be able to reach it, not the whole internet. Might buy you some time before they are hit.

 

VPN is the correct way to make services accessible to only some people remotely. I've seen no evidence of my cameras connecting out to anywhere except NTP once all the cloud BS was unticked in their setup. VPN in and I just view them with their internal IP in the software as if I was at home, except I have to choose the low quality stream because the high quality is more than my outgoing bandwidth.





Richard rich.ms

 
 
 
 

Talkiet
4819 posts

Uber Geek
+1 received by user: 3934

Trusted

  #1711102 28-Jan-2017 16:31

As per further up the best and really only way to be comfortable with the cheap cameras is to break their internet access (Static IPs and no default gateway is an easy and good way) and have something you trust like a Pi running software of known origin to effectively proxy the streams.

 

Cheers - N

 

 





Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.
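
One way to check that the isolation described in the two posts above actually holds (cameras originating nothing but NTP, no path in from the WAN, no path into the LAN), added here as an example and not code from any poster: a Python audit over `conntrack -L` style flow entries from a Linux router or Pi. The subnets, the proxy address and the sample flows are constructed assumptions.

```python
import ipaddress
import re

# Assumed addressing, not from the thread: cameras on their own subnet, a Pi/NVR
# proxy inside it, and NTP as the only outbound traffic a camera may originate.
CAMERA_NET = ipaddress.ip_network("192.168.20.0/24")
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY = ipaddress.ip_address("192.168.20.2")
ALLOWED_EGRESS = {("udp", 123)}

# Constructed sample in `conntrack -L` layout (original-direction tuple only).
SAMPLE = """\
udp      17 25 src=192.168.20.11 dst=203.0.113.10 sport=41000 dport=123
tcp      6 431990 ESTABLISHED src=192.168.20.11 dst=198.51.100.7 sport=50122 dport=8000
tcp      6 120 ESTABLISHED src=192.168.20.2 dst=192.168.20.11 sport=40222 dport=554
tcp      6 300 ESTABLISHED src=192.168.20.12 dst=192.168.1.50 sport=33000 dport=445
tcp      6 300 ESTABLISHED src=203.0.113.99 dst=192.168.20.12 sport=51000 dport=80
tcp      6 90 ESTABLISHED src=192.168.1.50 dst=192.0.2.8 sport=50000 dport=443
"""

FLOW = re.compile(r"^(\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
                  r"src=(\S+)\s+dst=(\S+)\s+sport=\d+\s+dport=(\d+)")


def is_camera(addr):
    return addr in CAMERA_NET and addr != PROXY


def audit(text):
    """Return (reason, proto, src, dst, dport) for each flow that breaks isolation."""
    findings = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if not m:
            continue  # entries without ports (e.g. icmp) and malformed lines
        proto, dport = m.group(1), int(m.group(4))
        src, dst = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        reason = None
        if is_camera(src) and dst in TRUSTED_LAN:
            reason = "camera-to-lan"
        elif is_camera(src) and dst not in CAMERA_NET:
            if (proto, dport) not in ALLOWED_EGRESS:
                reason = "camera-egress"
        elif is_camera(dst) and src not in CAMERA_NET and src not in TRUSTED_LAN:
            reason = "wan-to-camera"
        if reason:
            findings.append((reason, proto, str(src), str(dst), dport))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

With cameras on static IPs and no default gateway, the `camera-egress` and `wan-to-camera` findings should never appear; any hit means a route or port forward is still in place.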


Niel

3267 posts

Uber Geek
+1 received by user: 80

Trusted

  #1711104 28-Jan-2017 16:44

Thanks, I'm awaiting an NVR which will record/access all the cameras and will then consider using a Pi.  I have a friend that already does that for remote site support, he just couriers them a pre-configured Pi.

 

Any guidance on setting up VPN on the MP-264?  I have never done this, and so far only found the L2TP server option greyed out.





You can never have enough Volvos!

