Block port 80 / Internet

SOLVED
tantony
Head in the Cloud

One of our cameras is accessing the internet, and looks like it's slowing us down.  I created a group policy and applied it to that camera.  Is this correct?  I only want this group policy to block all internet, and only allow LAN traffic.

[Screenshot: Capture.JPG]

1 ACCEPTED SOLUTION

It will not only block internet access, it will block all access to other subnets. Unless you have a flat network with only one subnet you would need to add exceptions for your local subnets to be able to communicate with each other.

The rules below would cover all private ranges (but are likely overkill for you):

[Screenshot: block_internet_access.PNG]
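The ordering point in the accepted solution, as an added example that is not from the thread or from Meraki: a small first-match evaluator in Python over constructed rule lists in the same policy/protocol/destination/port shape, comparing a /32 "catch-all", the poster's Deny-then-Allow pair, and the allow-private-ranges-then-deny-all ordering. The trailing implicit allow, the sample addresses and the rule tuple format are assumptions.

```python
import ipaddress

# Constructed example: a Meraki-style layer 3 rule is (policy, protocol, destination CIDR, port).
# Rules are checked top-down and the first match wins; a flow matching no rule falls
# through to an assumed implicit "allow" (the dashboard shows this as a final Allow Any Any Any).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# A /32 "catch-all" as warned against in the thread: it matches only the single host 0.0.0.0.
SLASH32_RULES = [("deny", "tcp", "0.0.0.0/32", "80")]

# The poster's second attempt: Deny Any Any Any followed by Allow Any Any Any.
DENY_THEN_ALLOW = [("deny", "any", "any", "any"), ("allow", "any", "any", "any")]

# The accepted solution's shape: allow the private ranges first, then deny everything else.
LAN_ONLY_RULES = [("allow", "any", cidr, "any") for cidr in RFC1918] + [
    ("deny", "any", "0.0.0.0/0", "any"),
]


def rule_matches(rule, proto, dst_ip, dst_port):
    """True if one rule applies to the flow; the string 'any' wildcards a field."""
    _policy, r_proto, r_dst, r_port = rule
    if r_proto != "any" and r_proto != proto:
        return False
    if r_port != "any" and int(r_port) != dst_port:
        return False
    if r_dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r_dst):
        return False
    return True


def evaluate(rules, proto, dst_ip, dst_port):
    """Return 'allow' or 'deny' for the flow under a first-match rule list."""
    for rule in rules:
        if rule_matches(rule, proto, dst_ip, dst_port):
            return rule[0]
    return "allow"  # assumed implicit default at the bottom of the list


# Constructed sample flows from a camera: same-subnet NVR, another private subnet, two internet hosts.
FLOWS = [("tcp", "192.168.1.50", 554), ("tcp", "10.1.20.5", 80),
         ("tcp", "203.0.113.9", 80), ("udp", "198.51.100.7", 123)]

if __name__ == "__main__":
    for name, rules in (("/32", SLASH32_RULES), ("deny-then-allow", DENY_THEN_ALLOW),
                        ("lan-only", LAN_ONLY_RULES)):
        print(name, [evaluate(rules, *flow) for flow in FLOWS])
```

The /32 list blocks nothing the camera actually sends, the Deny-then-Allow list blocks every flow including LAN traffic, and only the third list yields allow for the two private destinations and deny for the two internet ones.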

General-Zod
Getting noticed

Hi, it would be overkill to use group policies to only block internet traffic for a single host (camera).

You would be better off just using the standard firewall.

It would be wise to investigate why the camera initiates connections to the internet. Most probably to check in to some vendor service.

You could also look at restricting the bandwidth for said device using the very group policy you have already created, in the traffic shaping section.

Hope this helps

BrechtSchamp
Kind of a big deal

Whether you do it in the regular firewall or in the group policies, 0.0.0.0/0 would be the catch-all, not /32. I'd also set the protocol as well as the port to any. Unless you know that the camera's traffic is specifically using TCP and destined for port 80.


Also keep in mind that this would effectively limit the camera to only being able to communicate with devices in its own subnet. Other subnets in your own network would also be blocked. So it would make sense to add your local IP ranges as exceptions.

I'm going to apply the group policy to a bunch of cameras and to some local computers that don't need internet access.

So for the layer 3 firewall I have:

Deny Any Any Any

Allow Any Any Any

This should work, right?  It will block internet, but will permit all other networks.


PhilipDAth
Kind of a big deal

Make sure your camera has up-to-date firmware.

Compromised cameras are the number 1 source of DoS attacks on the Internet.

It is one of the big benefits of Meraki security cameras: their firmware is updated automatically.

@PhilipDAth 


Thanks, I'll try updating camera firmware.  I wish we had all Meraki equipment so it's all on the dashboard.

Nick
Head in the Cloud

I second this. Keep an eye on those cameras.

If you're going to get attacked, that's likely to be the vector.
tantony
Head in the Cloud

Thanks. Can the cameras cause intermittent internet outages?  Could I set the policy to blocked on the cameras to stop their traffic from leaving the LAN?

If they're compromised, absolutely. I would block the cameras' internet access if it doesn't prevent their operation.

I would also upgrade and factory reset them while referencing any security advisories from the camera vendor.

Cheers

I'm doing a packet capture on the MX Internet interface to Wireshark.  I'm noticing that I'm getting a lot of these RST flags.  What does that mean?  How can I stop this?  I think this is why the MX keeps losing internet connection till I unplug the cable from the modem and plug it back in.  The source is 10.1.10.4 (Meraki WAN).

[Screenshot: reset flags.png]

PhilipDAth
Kind of a big deal

Can you show the two-way conversation?

It could just be the end of a TCP connection and it is getting an RST.  I can see a FIN being sent first.  So it seems ok to me.

The packets are out of order. It would be easier to diagnose if they were in order. RST can be caused by multiple things. Likely the MX is receiving packets for TCP connections that are already closed.

Thank you.  I'm not too familiar with Wireshark.  So just to make sure it's not the Meraki that's causing the Internet outage, I turned off all the content filtering, and AMP (Advanced Malware Protection).

I have the Meraki connected to the Comcast modem, and a laptop connected to the modem.  Now, I'm noticing that whenever the laptop connected to the modem loses internet, the Meraki loses internet also.

When I had AMP and content filtering on, the laptop connected to the modem never lost internet even when the Meraki lost internet.

It looks like it's the ISP now.  Plus, the Meraki is recovering from the Internet outage much faster.
