  1. #1
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default IP Cameras on VLAN blocked but still accessing cloud web site?

    Recently setup a pi-hole as DNS server only (UT still managing DHCP). Have my IP cameras separated onto their own CCTV VLAN which is blocked from accessing both my Internal and External interfaces.

    However my top blocked sites in Pi-Hole appear to be amcrestcloud.com and amcrestview.com originating from my IP cameras yet they should be accessing any such site. These sites are not currently blacklisted in pi-hole as I thought the Untangle Firewall block to External interface would be sufficient.

    Is this simply an indication that the cameras are still attempting to phone home although their VLAN is blocked from accessing my External (WAN) interface?

    Thanks.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,288

    Default

    Two utterly separate things, and yes since your DNS server is local the cameras can still get to it. So they're asking the DNS server to do something, you're reading those logs. If Untangle has a firewall rule that would prevent access from that subnet to something outside, then you should see blocks in those logs too.

    In other words, it's working as configured. If you'd like different behavior, configure it differently. What do you want to have happen?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default

    Thanks sky-knight. This makes sense. I suppose what I need to do next is block this IP camera subnet (VLAN) from even accessing the DNS altogether? I'll try that next.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,288

    Default

    Quote, originally posted by miles267:
    Thanks sky-knight. This makes sense. I suppose what I need to do next is block this IP camera subnet (VLAN) from even accessing the DNS altogether? I'll try that next.
    If you do not want your PiHole logging DNS queries from those devices, then yes you'll either have to configure that IP network to use different DNS, or use the firewall to block access to the DNS.

    Though again I'm not sure what you're trying to accomplish, the cameras are network devices for a reason.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default

    My intent is for my IP cameras not to be able to phone home or even attempt to. Whereas I can still access them from my Internal interface.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,288

    Default

    Quote, originally posted by miles267:
    My intent is for my IP cameras not to be able to phone home or even attempt to. Whereas I can still access them from my Internal interface.
    If you've got them on a dedicated IP network, and you've got a firewall rule that says anything sourced from that network and destined to a WAN interface is blocked... you've done that. The DNS lookups they are doing are irrelevant.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default

    Ok. Good to know. Ironically I see many port 80 and 8080 requests being made by the IP cameras back to their cloud server. However, no outbound traffic on port 53 (DNS). Yet somehow pi-hole DNS was indicating that my top allowed traffic was to the cloud servers. So I've gone ahead and blacklisted that traffic on the pi-hole as well. Not what I had expected.


  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,288

    Default

    I'd need to see the rule you're using to block it, but if you've got an interface on Untangle handing out your PiHole for DNS, the requests going from one LAN segment to another will not be blocked by default. They are however, logged. And if you have a block rule that says something like source interface or source address, and destination interface WAN, that rule will not trigger on traffic going from the cameras to the pihole. The DNS traffic leaving the network is coming from the PiHole.

    Also double check your bypass rules because there are some default DNS bypass rules on some installs that if you tweaked with them, would possibly exempt DNS from the firewall, because it's all bypassed.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,669

    Default

    Some things to keep in mind here:

    Handing out your pi-hole as the DNS server means the Pi-Hole is the location your cameras will go to when first asking how to connect to an outside address such as amcrestcloud.com and amcrestview.com.

    Depending on what is doing inter-vlan routing in your network, it's very likely your cameras can reach the pi-hole directly without the traffic needing to pass through Untangle at all.

    Because access to the pi-hole itself is not blocked, the pi-hole will be able to resolve those names to IP addresses and return correct responses to the cameras. This is true even though the cameras themselves never connect to anything outside your network.

    Blocking the cameras from using DNS through Untangle won't accomplish anything unless you also block them from connecting to the pi-hole.

    Blocking DNS in general for the cameras might not be a good idea. I have heard some good results where setting a port forward rule redirecting port 53 for everything internal except your pi-hole (that part is important) back to your pi-hole can be effective. It prevents devices from using their own DNS setting in order to bypass your internal DNS. In this way, you can be sure your pi-hole is the only DNS server your cameras can use.

    Blocking the cameras from connecting outside or otherwise phoning home won't prevent them from continuing to try to phone home. That's just part of the camera. When everything is working properly, you should still expect to continue to see blocked attempts in your logs. And that is fine.

    The best option available to you right now might be adding a fake static address in your pi-hole for your unwanted cloud domains. Set them so the pi-hole resolves those addresses as something like 127.0.0.1. I might use something else in the same subnet like 127.0.1.1, so if I see that address somewhere I'll know what it means. This way, when a camera tries to phone home, the traffic will be on the loopback interface and never even get on the wire.
    Last edited by jcoehoorn; 02-14-2019 at 03:32 PM.
    miles267 likes this.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty
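    The two points in the reply above (the cameras still reach the pi-hole for DNS even though their VLAN is blocked from the WAN, and sinkholing the cloud domains to a loopback address) can be checked rather than assumed. The script below is an added example and is not code from the thread, from Untangle or from the Pi-hole project. It renders the dnsmasq `address=` directives that implement the loopback sinkhole (Pi-hole's resolver is dnsmasq-based and reads extra `.conf` files from `/etc/dnsmasq.d/`), and it audits Pi-hole-style query log lines to show which CCTV VLAN clients are asking for the cloud names and whether any answer for those names escaped loopback. The CCTV subnet `192.168.50.0/24`, the sink address `127.0.1.1`, and the sample log lines are constructed assumptions; the log format mimics dnsmasq's `query[A] <name> from <client>` and `config|reply <name> is <ip>` lines.

```python
"""Sinkhole config for camera cloud domains plus an audit of Pi-hole query logs.

Added example for the thread above; not code from Untangle, Pi-hole or the posters.
Assumed values: CCTV VLAN 192.168.50.0/24, sink address 127.0.1.1, constructed
log lines in dnsmasq's log format.
"""
import ipaddress
import re

CLOUD_DOMAINS = ("amcrestcloud.com", "amcrestview.com")   # named in the thread
SINK_ADDRESS = "127.0.1.1"     # loopback, but distinguishable from 127.0.0.1 in logs
CCTV_VLAN = ipaddress.ip_network("192.168.50.0/24")       # assumed camera subnet


def dnsmasq_sinkhole_lines(domains=CLOUD_DOMAINS, sink=SINK_ADDRESS):
    """Render dnsmasq 'address=/domain/ip' directives.

    Each directive answers the domain and every subdomain with `sink`, so the
    camera's connection attempt lands on its own loopback and never hits the wire.
    """
    ipaddress.ip_address(sink)  # raises ValueError on a malformed sink address
    return [f"address=/{d}/{sink}" for d in domains]


# dnsmasq log shapes: "query[A] name from client" and "config|reply|cached name is ip"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
ANSWER_RE = re.compile(r"(?:config|reply|cached) (?P<name>\S+) is (?P<ip>\S+)")


def is_cloud_name(name):
    """True for a cloud domain or any of its subdomains (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CLOUD_DOMAINS)


def audit(log_lines, vlan=CCTV_VLAN):
    """Return (clients, leaks).

    clients: {client_ip: {cloud names it queried}} for clients inside `vlan`,
             i.e. proof the cameras reach the resolver even with the WAN blocked.
    leaks:   [(name, ip)] answers for cloud names that were NOT loopback,
             i.e. the sinkhole is missing or not yet loaded.
    """
    clients = {}
    leaks = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m:
            try:
                client = ipaddress.ip_address(m["client"])
            except ValueError:
                continue
            if client in vlan and is_cloud_name(m["name"]):
                clients.setdefault(str(client), set()).add(m["name"].lower())
            continue
        m = ANSWER_RE.search(line)
        if m and is_cloud_name(m["name"]):
            try:
                ip = ipaddress.ip_address(m["ip"])
            except ValueError:
                continue  # "<CNAME>", "NXDOMAIN" and similar non-address answers
            if not ip.is_loopback:
                leaks.append((m["name"].lower(), str(ip)))
    return clients, leaks


# Constructed sample log (TEST-NET addresses, not real resolutions).
SAMPLE_LOG = [
    "Feb 14 15:30:01 dnsmasq[1234]: query[A] amcrestcloud.com from 192.168.50.10",
    "Feb 14 15:30:01 dnsmasq[1234]: forwarded amcrestcloud.com to 192.0.2.53",
    "Feb 14 15:30:01 dnsmasq[1234]: reply amcrestcloud.com is 203.0.113.7",
    "Feb 14 15:30:02 dnsmasq[1234]: query[A] www.amcrestview.com from 192.168.50.11",
    "Feb 14 15:30:02 dnsmasq[1234]: config www.amcrestview.com is 127.0.1.1",
    "Feb 14 15:30:03 dnsmasq[1234]: query[A] example.org from 192.168.10.20",
    "Feb 14 15:30:03 dnsmasq[1234]: reply example.org is 198.51.100.4",
]

if __name__ == "__main__":
    print("\n".join(dnsmasq_sinkhole_lines()))
    found, escaped = audit(SAMPLE_LOG)
    for client, names in sorted(found.items()):
        print(f"{client} queried: {', '.join(sorted(names))}")
    for name, ip in escaped:
        print(f"NOT sinkholed: {name} -> {ip}")
```

In the sample, `amcrestcloud.com` still resolves to a public address because the sinkhole entry is only in place for `amcrestview.com`; a clean run after the directives are loaded shows VLAN clients in `clients` (expected and harmless, as the reply says) and an empty `leaks` list.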

  10. #10
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,669

    Default

    Thinking about this more... I understand what you talk about when you don't want your web filter report cluttered such that a large percentage of your events are for one source like this which you need to wade past to see the "real" block events you actually want to monitor. It's another reason I'd love to see Untangle add a new "Telemetry Control" app into the rack, that is basically just another copy of the Web Filter app, but with a different set of categories, all focused on telemetry, and such that the reports in that area are monitored independently.
    miles267 likes this.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty
