
Blocking Foscams from phoning home using DD-WRT


I just bought myself a couple of Foscam FP9821P’s, and found that they phone home to a cloud server. That was kind of expected – if you offer an easy app that scans a QR code and automatically connects you to the camera, then there must be a cloud service in-between.

What was more surprising is that there’s absolutely no way to turn this off. Even if you toggle everything off, it will still phone out via UDP. I had expected that maybe I could disable UPnP for it and that would help, but it’s irrelevant – the cameras ‘phone’ out to several domains using UDP outbound, and there’s no configuration option to stop it. Foscam support confirm this.

So – it looks like I’ll have to block it at the firewall instead. One reason for using DD-WRT was that I would have this kind of granular control on specific devices. I would also VLAN them too, but am taking my DD-WRT config a step at a time.

 

So, this was the traffic reported by DD-WRT beforehand (from the Foscam’s wired ethernet)

Screen Shot 2017-06-28 at 11.25.58

Locking down the IP range

First, I set up static DHCP addresses for the WiFi MAC addresses printed on the back of the cameras, so that their IP addresses sit within a tight range all together. On my router, this is at http://192.168.0.1/Services.asp.


Blocking those IPs

Then, I create a policy under http://192.168.0.1/Filters.asp (again, my router address) to block any outbound internet traffic from the Foscam IPs. Rather than try to reverse-engineer the domains those IPs are resolving from and block those domains, which might end up as a wild goose chase if there are fallback domains or even additional hardcoded IPs, I’m just blocking all internet-bound traffic – which is really a more accurate representation of what I’m trying to achieve.

This is the main page at the top, and the sub-page/window at the bottom which pops up when you click Edit List of clients.

 

Screen Shot 2017-06-28 at 11.29.29

I’ve changed the fields boxed in red – I’m setting a 24/7 Access Restriction to the internet from the Foscam WiFi IP addresses.

Now this is in place, I unplugged the ethernet cable, and watched how the outbound IP addresses went.

Screen Shot 2017-06-28 at 11.35.31

All outbound attempts via the router are dropped. And nothing else.

And can I access it within my LAN still?

Screen Shot 2017-06-28 at 11.37.19

Yes! Sorted!
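The same block-everything-outbound policy can also be written as plain iptables rules, for instance to keep it in a router firewall script. The sketch below is an added example, not part of the original post or of DD-WRT: the camera addresses and the WAN interface name `vlan2` are constructed placeholders, and the helper names are hypothetical. It validates its inputs and prints one rule per camera rather than applying anything.

```shell
#!/bin/sh
# Added example: print iptables rules that drop internet-bound traffic from
# a list of camera IPs. Addresses and interface name are placeholders.

# valid_ipv4 ADDR -> returns 0 only for a dotted-quad IPv4 address
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# camera_block_rules WAN_IF IP... -> prints one iptables command per camera
camera_block_rules() {
    wan_if=$1; shift
    # Refuse anything that is not a plain interface name, so the printed
    # lines are safe to paste into a script that runs as root.
    case "$wan_if" in
        ""|*[!A-Za-z0-9._-]*) echo "bad WAN interface: $wan_if" >&2; return 1 ;;
    esac
    # Validate every address first: emit all rules or none.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad camera IP: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        # -I inserts ahead of the existing FORWARD rules. Matching on
        # -o WAN_IF limits the drop to packets routed out to the internet,
        # so LAN clients can still reach the cameras.
        echo "iptables -I FORWARD -s $ip -o $wan_if -j DROP"
    done
}

# Constructed sample: two cameras on static leases behind WAN interface vlan2.
camera_block_rules vlan2 192.168.0.201 192.168.0.202
```

Because the match is on source address, the rules only hold while the cameras keep the static DHCP leases set up earlier.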

 
