
Best Practice: Securing IP Cameras with pfSense


Introduction

IP based security cameras (observation systems) are now commonplace and provide a wide variety of conveniences both at installation and during ongoing operation. Unfortunately, vendors commonly ship devices that are insecure by default: they open themselves to the internet, connect to a cloud service of questionable security, and rarely if ever receive updated firmware.

Hikvision are extremely popular and known for all of the above problems. Swann, Arlo, and Uniden are among other brands popular here in Australia.

This guide will walk you through creating an isolated network for your IP based security camera system that you can still access from your local LAN network. The following steps will not be suitable if your device must communicate with an online service (i.e. cloud) in order to function.

Disclaimer

This guide should not be considered to endorse the suitability of any IP based camera system (Observation system). You should understand the risks then make this judgement yourself. The most secure IP based security camera system is a closed circuit system with no physical connection to any outside network, does not use wireless or WiFi, and has properly secured cabling.

Be sure to consult with your insurer and your landlord, and to review all legal and regulatory requirements that may apply to your business or premises before installation.

This guide is provided without warranty. 

Design Decisions

VLAN or dedicated switch

Which solution is best depends entirely on your scenario.

If you don't trust VLANs or aren't comfortable configuring them, a dedicated switch makes sense.

If your switches support VLANs you have the option of simply creating a new VLAN on your existing network infrastructure. Alternatively you might install a brand new switch as its own network, which may be the best option if the devices require PoE.

A camera system may be installed by a contractor with its own PoE switch on new dedicated cabling. In that case it is sensible to connect that switch to a dedicated port on the firewall.

On a network with existing PoE switches already used for VoIP, WiFi and other powered devices, creating a VLAN for the cameras may make better use of the existing infrastructure and reduce the need to run long new cabling.

Often a Network Video Recorder (NVR) will have its own camera network and a separate dedicated port for connecting to your LAN. In this scenario a VLAN configuration is recommended.

Dedicated port or Tagged VLANS?

If you have chosen to use VLANs to create a private network for your IP camera devices, you have the option of using a dedicated port on the firewall or of carrying the camera VLAN as tagged traffic on an existing port.

Which is best is largely up to you. Factors to consider: 

  • Availability of a spare port on the firewall and on a convenient network switch with VLAN functionality
  • Ease of site access
  • Interrupting LAN traffic
  • Existing VLAN configuration

For example, if site access is trivial, there is no existing VLAN configuration and ports are available, it may be simplest to plug in another port and configure it.

On the other hand, if VLAN configuration is already in place, it will be trivial to add another VLAN.

With limited site access and no existing VLAN configuration, be careful with your order of operations so that changing the configuration does not break your access to management functions: configure and verify the new VLAN before touching the port that carries your own management session.

Note: It is not recommended to mix tagged and untagged traffic on a port.

Using ZoneMinder?

When using ZoneMinder or another software based network video recorder, we recommend the server has its interface in the camera network, or has two interfaces, one in the LAN and one in the camera network. These can be VLAN tagged sub-interfaces or dedicated physical interfaces.

This avoids dragging the video traffic through the firewall 24x7; only management and playback traffic then crosses between networks.

What hardware should I run pfSense on?

For home, check out the A10 Dual Core or A10 Quad Core appliances in Desktop profile.

For business, check out the A10 Quad Core or the Xeon Quad Core Gen4 as Rackmount appliances.

Or anything that works for you.

Create dedicated Camera network

New pfSense Interface (dedicated port)

Log in to your pfSense firewall using the browser of your choice:

  • From the top menu select "Interfaces"
  • Then click "Assignments"
  • The Interface Assignments page will load

  • From the "Available network ports" drop down, select the port you will assign to the Camera network
  • Click "Add"
  • The page will reload with a confirmation message

A new interface configuration has been created and will be named OPTX, where X is a number. If ambiguous, the device name in the "Network port" column will help you identify the new configuration. Note: the new interface is not yet enabled and has no significant settings.

  • In the "Interfaces" column, click on the name of the new interface configuration
  • A new page will load with the interface settings

Enter the following settings next to their labels:

  • Enable: tick
  • Description: CAMERA
  • IPv4 Configuration Type: Static IPv4
  • IPv6 Configuration Type: None (default; we recommend not using IPv6 on this network even if it is configured elsewhere on your network)
  • MTU, MSS, Speed and Duplex: leave as default
  • IPv4 Address: enter the address the firewall will use on a new private range not used elsewhere on your network, and select the mask (for example 192.168.50.1 / 24; this address is an example only)
  • IPv4 Upstream gateway: None (default)
  • Block private networks and loopback addresses: untick (the camera network is itself a private range)
  • Block bogon networks: untick
  • Click "Save"
  • The settings are saved but not yet applied, and the page reloads

At the top of the page you are now prompted to apply the interface settings. A new interface has no DHCP server and only the default deny rule, so it is safe to click "Apply Changes".

The pfSense firewall will activate the interface with your settings and the page will reload.

Create Firewall Rules

By default, pfSense denies all traffic originating from the network of any new interface.

From the top menu:

  • Select "Firewall"
  • Then click "Rules"
  • The Firewall Rules page will load

  • From the tab-like links, click the "CAMERA" tab
  • First add a rule that blocks "CAMERA net" from reaching the pfSense web UI on "CAMERA address" (by default TCP ports 80 and 443, plus 22 if SSH is enabled). The anti-lockout rule only protects the LAN interface, so nothing else stops the cameras reaching the UI
  • Then add a rule that allows "CAMERA net" to reach "CAMERA address" for the services the devices actually need from the firewall, typically DNS (TCP/UDP 53) and NTP (UDP 123). Restricting the rule to those ports is preferable to allowing all ports
  • Rules on a tab are evaluated top to bottom and the first match wins, so the block rule must sit above the allow rule. Drag the rules into that order before applying
  • Note: because pfSense is stateful, replies to connections initiated from the LAN (or any other network whose rules permit it) are allowed by the existing state entry; no rule on the CAMERA tab is needed for that return traffic
  • The LAN network has a permissive "Default allow LAN to any" rule, so LAN hosts can already connect into the CAMERA network. You may wish to restrict this by destination port, destination IP address and/or other criteria
  • Other networks may also have their firewall rules adjusted to permit access to your camera devices
  • Ensure you apply the firewall rule changes when you have completed them.

Disabling state tracking on the allow rule is sometimes suggested as a micro-optimisation. The saving is a handful of state table entries at most; we recommend leaving the rule at its default state type, since stateless rules need explicit rules for return traffic and make the rule set harder to reason about.
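As an added example that is not part of the original guide, here are the same rules written in pf syntax so that the ordering is explicit. This is illustrative pf.conf, not the rule set pfSense itself generates (pfSense writes its own rules file with different macro names); the interface name igb2 and the 192.168.50.0/24 range are assumptions, and 53 and 123 are the only ports the cameras need from the firewall:

```pf
# Illustrative pf rules for the CAMERA interface, evaluated top to bottom.
# "quick" makes the first matching rule final, as on a pfSense rules tab.
cam_if   = "igb2"             # assumed interface name
cam_net  = "192.168.50.0/24"  # assumed CAMERA network
cam_addr = "192.168.50.1"     # assumed CAMERA address (the firewall itself)

# 1. Block the web UI and SSH first. Rule 2 does not reach these ports today,
#    but if it is ever widened to "any port" this rule still takes precedence.
block in quick on $cam_if proto tcp from $cam_net to $cam_addr port { 22 80 443 }

# 2. Allow only the firewall services the cameras need: DNS and NTP.
pass in quick on $cam_if proto { tcp udp } from $cam_net to $cam_addr port 53 keep state
pass in quick on $cam_if proto udp from $cam_net to $cam_addr port 123 keep state

# 3. Everything else from the camera network is dropped. pfSense does this
#    implicitly with its default deny; a written rule set should say so.
block in quick on $cam_if from $cam_net to any
```

If the block rule were placed after a broad pass rule, the pass rule would match first and the cameras could reach the web UI; the same applies to the order of rules on the CAMERA tab.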

Adjust UPNP & NAT-PMP

The UPnP and NAT-PMP protocols allow devices on a network to request port forwards through the firewall. You should disable these in the configuration of every device on your CAMERA network. If the pfSense UPnP & NAT-PMP service is enabled, let's also ensure the service is not offered on that network.

From the top menu:

  • Select "Services"
  • Click "UPnP & NAT-PMP"
  • The "UPnP & NAT-PMP Settings" page will load

  • In the "Interfaces" list, ensure the CAMERA interface is not selected
  • Click the "Save" button

Configure DHCP

Our recommendation is to configure all your camera devices for DHCP then use pfSense to allocate their addresses. The devices may also accept other settings via DHCP, such as NTP server, time zone settings, and provisioning information - in which case it is convenient to also provide those details from pfSense.

  • From the top menu select "Services"
  • Then click "DHCP Server"
  • The DHCP Server page will load

  • From the tab-like links, click the "CAMERA" tab
  • The options for this interface will load
  • Next to "Enable" tick the box
  • The other settings can be left at their defaults. You may wish to return later and tick "Deny unknown clients" and "Ignore denied clients", so that only devices with a static mapping receive an address. Do this after the static mappings below are in place, or your cameras will not get a lease.
  • Next to "Range" enter "From" and "To" values that are appropriate for your camera network
  • Scroll down

  • Assuming your pfSense firewall also functions as an NTP server...
  • Next to "NTP" click the "Display Advanced" button
  • Additional entry fields will appear
  • Next to "NTP Server 1" enter the IP address of the new interface you just configured
  • Click the "Save" button
  • pfSense will apply the changes and the page will reload

  • It is recommended to configure static IP leases for all devices in your Camera network
  • Scroll to the bottom of the page to the section entitled "DHCP Static Mappings for this interface"
  • Click the "Add" button

  • Enter the details appropriate to your device
  • Click the "Save" button
  • Repeat for each additional device
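Having completed the interface, firewall rule, UPnP and DHCP steps above, it is worth checking the result against this guide rather than eyeballing the GUI. The following script is an added example, not code from the original guide or from pfSense. It audits a config.xml export (Diagnostics > Backup & Restore) and reports each departure from the steps above. The element names it reads (interfaces/<optN>, filter/rule with network names such as opt1 and opt1ip, dhcpd/<optN>, installedpackages/miniupnpd/config/iface_array) are an assumption based on pfSense backup exports and should be verified against your own file; the script does not resolve aliases. The two sample configs at the bottom are constructed.

```python
"""Audit a pfSense config.xml export against the CAMERA network steps in this guide.
Added example, not code from the guide or from pfSense. The element names used
(interfaces/<optN>, filter/rule, dhcpd/<optN>, miniupnpd/config/iface_array) are an
assumption based on pfSense backup exports: check them against your own. Samples are constructed."""
import xml.etree.ElementTree as ET

WEBUI_PORTS = {80, 443}   # pfSense web UI; add 22 if SSH is enabled, adjust if moved
NEEDED_PORTS = {53, 123}  # DNS and NTP, the only firewall services cameras need


def port_set(spec):
    """Expand a port field ('443' or '80-443') to a set; '' (any port) gives None."""
    if not spec:
        return None
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def audit_config(xml_text, descr="CAMERA"):
    """Return a list of findings; an empty list means the export follows the guide."""
    root, findings = ET.fromstring(xml_text), []

    # 1. Interface: located by description; must be enabled, static IPv4, no IPv6.
    name = iface = None
    for cand in root.findall("interfaces/*"):
        if cand.findtext("descr", "").strip().upper() == descr.upper():
            name, iface = cand.tag, cand
    if iface is None:
        return [f"no interface described as {descr}"]
    if iface.find("enable") is None:
        findings.append(f"{name}: interface is not enabled")
    if not iface.findtext("ipaddr", ""):
        findings.append(f"{name}: no static IPv4 address")
    if iface.findtext("ipaddrv6", ""):
        findings.append(f"{name}: IPv6 is configured; the guide recommends none")

    # 2. Rules on this interface in evaluation order (first match wins): a web UI
    #    block only counts if it sits above the pass rule it is meant to restrict.
    blocked, has_needed_pass = set(), False
    for rule in root.findall("filter/rule"):
        dst = rule.find("destination")
        if rule.findtext("interface") != name or rule.find("disabled") is not None or dst is None:
            continue
        rtype, dst_net = rule.findtext("type"), dst.findtext("network", "")
        dst_any, ports = dst.find("any") is not None, port_set(dst.findtext("port", ""))
        to_self = dst_net == f"{name}ip"  # "CAMERA address" in the GUI
        if rtype in ("block", "reject") and to_self:
            blocked |= WEBUI_PORTS if ports is None else ports
        elif rtype == "pass" and to_self:
            exposed = (WEBUI_PORTS if ports is None else ports & WEBUI_PORTS) - blocked
            if exposed:
                findings.append(f"{name}: pass rule reaches the web UI on port(s) {sorted(exposed)};"
                                " restrict it to 53/123 or move the block rule above it")
            if ports is None or ports & NEEDED_PORTS:
                has_needed_pass = True
        elif rtype == "pass" and (dst_any or dst_net == "lan"):
            findings.append(f"{name}: pass rule lets cameras initiate connections to "
                            + ("any destination" if dst_any else "LAN"))
    if not has_needed_pass:
        findings.append(f"{name}: no rule allowing DNS/NTP to the {descr} address")

    # 3. DHCP: enabled, advertises the firewall as NTP server, has static mappings.
    dhcp = root.find(f"dhcpd/{name}")
    if dhcp is None or dhcp.find("enable") is None:
        findings.append(f"{name}: DHCP server is not enabled")
    else:
        if dhcp.findtext("ntpserver", "") != iface.findtext("ipaddr", ""):
            findings.append(f"{name}: DHCP does not advertise the firewall as NTP server")
        if not dhcp.findall("staticmap"):
            findings.append(f"{name}: no DHCP static mappings for camera devices")

    # 4. UPnP / NAT-PMP must not be offered on the camera network.
    upnp = root.findtext("installedpackages/miniupnpd/config/iface_array", "")
    if name in [i.strip() for i in upnp.split(",")]:
        findings.append(f"{name}: UPnP/NAT-PMP is enabled on this interface")
    return findings


def _rule(rtype, dst_net, port="", proto="tcp"):
    """One constructed filter/rule on opt1 with source 'opt1 net' (CAMERA net)."""
    dst = "<any/>" if dst_net == "any" else f"<network>{dst_net}</network>"
    dst += f"<port>{port}</port>" if port else ""
    return (f"<rule><type>{rtype}</type><interface>opt1</interface><protocol>{proto}</protocol>"
            f"<source><network>opt1</network></source><destination>{dst}</destination></rule>")


def sample_config(rules, upnp_ifaces="lan"):
    """Constructed export with a LAN and a CAMERA (opt1) interface; not from a real device."""
    return f"""<pfsense><interfaces>
<lan><enable/><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
<opt1><enable/><if>igb2</if><descr>CAMERA</descr><ipaddr>192.168.50.1</ipaddr><subnet>24</subnet><ipaddrv6/></opt1>
</interfaces><filter>{rules}</filter><dhcpd><opt1><enable/><ntpserver>192.168.50.1</ntpserver>
<range><from>192.168.50.100</from><to>192.168.50.199</to></range>
<staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.50.10</ipaddr><hostname>cam-front</hostname></staticmap>
</opt1></dhcpd><installedpackages><miniupnpd><config><enable/><iface_array>{upnp_ifaces}</iface_array>
</config></miniupnpd></installedpackages></pfsense>"""


# Rules ordered as the guide recommends: block the web UI first, then DNS and NTP only.
GOOD = sample_config(_rule("block", "opt1ip", "80-443") + _rule("pass", "opt1ip", "53", "tcp/udp")
                     + _rule("pass", "opt1ip", "123", "udp"))
# Three common mistakes: blanket pass to the firewall above the block, pass to any, UPnP on CAMERA.
BAD = sample_config(_rule("pass", "opt1ip") + _rule("block", "opt1ip", "80-443") + _rule("pass", "any"),
                    upnp_ifaces="lan,opt1")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, audit_config(cfg) or ["no findings"])
```

To use it on your own firewall, download the export and call audit_config(open("config-backup.xml").read()); the file name is an assumption. The GOOD sample returns no findings, while the BAD sample reports the pass rule that reaches the web UI, the pass-to-any rule and UPnP being offered on the camera interface.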

You're Done!

From devices on your LAN, use a web browser to connect to and configure each camera by its IP address. Auto-discovery in mobile applications relies on broadcast or multicast, which does not cross the firewall into the CAMERA network, so enter the details of each device manually and save.

Next Steps

For remote access to your CAMERA network you should configure a VPN to the firewall and, if supported, use H.265 encoding to minimise data throughput.

Port forwarding is not recommended and is strongly discouraged.

Stuck?

We offer commercial support, why not contact us

Thanks?

If these steps have helped you, please put a 5 star review on our Facebook page


