How to Restrict IP Camera Internet Access While Using OpenVPN on GL-MT6000 Flint 2

I am using the GL-MT6000 Flint 2 router. I want to block an IP camera on my network from accessing the internet, but I still need to access it within the local network. To do this, I add two rules under Luci > Network > Firewall > Traffic Rules. These settings prevent external access to the camera, but I can still access it locally.




However, when I connect to another VPN using OpenVPN through the router, the camera becomes accessible from the outside, even though the rules I mentioned are enabled. When I disable OpenVPN, the rules work as intended. How can I fix this issue? My software version is v4.6.2.

Do you want to block the camera from accessing the internet completely?

If the camera is 192.168.8.100, the WAN is eth1

iptables -I FORWARD -s 192.168.8.100 -o eth1 -j REJECT

Yes, I would like to access the camera only within the local network. I don't want it to be accessible from outside my network or over the internet anymore. The camera has a feature that allows it to work in local network mode, but for security reasons, I want to enforce this setting through my router.

My configuration is actually working, but when I enable OpenVPN, the rule is applied, but I can still access the camera from the internet. It seems that OpenVPN is causing something to go wrong.

Your second image needs changing.

Src zone needs to be lan and dest zone wan, and also wgclient, so you might need 2 rules.

If you want the kind of isolation that wireless isolation does, this cannot be done with iptables.

But you can install ebtables and use:

ebtables -A FORWARD -p IPv4 --ip-src 192.168.8.4/32 --logical-in br-lan -j DROP

^ Not tested, but I believe this would isolate a single IP from talking to other devices inside the same network. I assume 192.168.8.4 is your camera.

1 Like

Thank you for your response. I ran the command you suggested in the router's terminal, and it successfully blocked the camera from accessing the internet. However, I believe this is a temporary rule because when I restart the router, the rule gets deleted, and the camera regains access. When I run the command again in the terminal, it blocks the camera once more.

To make the command run automatically at startup, I pasted it into the last line of Luci > Network > Firewall > Custom Rules and saved it. However, after restarting the router, the camera was still accessible from the internet. I used the command iptables -L FORWARD | grep 192.168.2.105 to check if the rule was applied after the restart, and it showed that the rule was in place with the following result:

But the camera was still accessible from the internet.
I ran the command once again in the terminal:
iptables -I FORWARD -s 192.168.2.105 -o eth1 -j REJECT
and the camera was blocked. Am I adding this rule in the wrong place? This rule needs to be executed on every restart so that the camera is permanently blocked.

I would like to mention that I restarted OpenVPN with it enabled during these operations. When I disable OpenVPN, the camera loses access to the internet. If I enable OpenVPN again and run the command iptables -I FORWARD -s 192.168.2.105 -o eth1 -j REJECT in the terminal, the camera becomes inaccessible from the internet whether OpenVPN is enabled or disabled. In other words, the command you recommended works correctly in a strange way, but only until the system is restarted. Thank you for your attention, do you have any suggestions?

Do you confirm that after a router restart (or OpenVPN Client restart) the camera is available to access the Internet? Does the camera reach the Internet via the WAN interface or the OpenVPN Client interface?

If it goes to OpenVPN, try adding this one and leave that eth1:

iptables -I FORWARD -s 192.168.2.105 -o ovpnclient -j REJECT

Can you clarify what you mean by this? Your firewall should be in place to block by default, unless you port forwarded.

Also I'm pretty sure the iptables command is not persistent unless you add it to /etc/config/firewall.

This is how I configured to block my smart devices on LUCI's firewall configuration page:

General Settings:

Advanced Settings:

I configured it by MAC since it's much easier, in case the IP address were to change for whatever reason.

  • I confirm that the command iptables -I FORWARD -s 192.168.2.105 -o eth1 -j REJECT successfully blocks the IP camera's internet access.
  • However, it does not block internet access after restarting the MT6000 Flint 2 router.
  • When I apply the iptables rule and the OpenVPN Client is ON, the camera continues to access the internet. When the OpenVPN Client is OFF, the camera's internet access is blocked.
  • The IP camera is accessing the internet via the WAN interface.

Hello, let me provide a bit more detail on the topic. This is an RLC-823A 16X model IP camera. When connected via the WAN ports, the camera can be viewed remotely through the iOS app without any router configuration. I believe the reason it can connect without opening ports is similar to how applications like Teamviewer or Anydesk work, where we don't need to open ports but can still perform remote desktop access. This camera uses a similar network protocol, allowing it to be viewed from outside the local network without opening any ports.

I believe the LUCI settings I mentioned in my first post are stored in the /etc/config/firewall file.

After completing the blocking process by IP, I plan to block by MAC address as you suggested.

The camera will send its stream to some servers of the manufacturer.
So it's not like it will open up the firewall or something like that.

You are just accessing the manufacturer's server, and the server gets all the data from the cam.

I think you're misunderstanding how the connection works and over complicating it. Blocking the camera from accessing the internet should be enough.

The iptables command you're using works, but you're passing the wrong arguments. The command you're using specifies eth1, but OpenVPN could be another interface such as tun0 or tap0.

This is because iptables does not save it, not in OpenWrt.

However, since iptables is part of firewall3 in OpenWrt, you should have an option to use /etc/firewall.user to make this rule persistent; just paste it there.

In case it doesn't work, maybe something has been changed in the firmware (I just checked the MediaTek SDK one in this case); then you need to add this in /etc/config/firewall:

config include 'firewall'
        option path '/etc/firewall.user'
        option reload '1'

that should do the trick :slight_smile:
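The two answers above (the rule has to cover the tunnel interface as well as eth1, and it only survives a reboot if firewall3 re-runs it from /etc/firewall.user) can be combined in one script. This is an added example, not code from the thread or from GL.iNet; it assumes the camera IP 192.168.2.105 and WAN eth1 used in the thread, and the tunnel interface name patterns (tun*, tap*, ovpnclient*, wg*) are an assumption about GL.iNet/OpenWrt naming.

```shell
#!/bin/sh
# /etc/firewall.user: keep the camera on the LAN only. firewall3 re-runs this
# file on every reload, so each rule is checked (-C) before it is inserted.
# Assumed values, constructed for this example: change them to your network.
CAMERA_IP="192.168.2.105"
WAN_IF="eth1"

# Every interface that can carry traffic off the LAN: the WAN plus any tunnel
# device present at reload time (OpenVPN tun*/tap*/ovpnclient*, WireGuard wg*).
# The tunnel name patterns are an assumption about GL.iNet/OpenWrt naming.
egress_ifaces() {
    echo "$WAN_IF"
    for dev in /sys/class/net/tun* /sys/class/net/tap* \
               /sys/class/net/ovpnclient* /sys/class/net/wg*; do
        [ -e "$dev" ] && basename "$dev"
    done
    return 0
}

# Print one idempotent iptables command per egress interface. Printing first
# lets the rule set be reviewed before anything touches the kernel.
camera_block_cmds() {
    ip="$1"; shift
    for ifc in "$@"; do
        printf 'iptables -C FORWARD -s %s -o %s -j REJECT 2>/dev/null || ' "$ip" "$ifc"
        printf 'iptables -I FORWARD -s %s -o %s -j REJECT\n' "$ip" "$ifc"
    done
}

# Apply only on a box that actually runs firewall3; elsewhere just show the plan.
if [ -x /sbin/fw3 ]; then
    camera_block_cmds "$CAMERA_IP" $(egress_ifaces) | sh
else
    camera_block_cmds "$CAMERA_IP" $(egress_ifaces)
fi
```

Because the include shown above sets reload '1', firewall3 runs this file again whenever an interface comes up, so a tunnel that starts after boot is picked up by egress_ifaces on that reload.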

Thanks for all your help guys. I have run many tests from yesterday to today, and both the OpenVPN and WireGuard servers are working well with @xize11's solution. GL-MT6000 v4.6.2

2 Likes