P2p setting contacts foreign IPs - Foscam and Reolink Cameras

[craigc]

I recently bought a new router that has a lot of really good tools to seperate my camera network from my home network (ubiquity EdgeRouter). In the process of setting this up, I was shocked to learn that two of my cameras were constantly accessing networks in Germany (I logged connections to internet and found unusual IPs).

Turns out that these cameras by default have P2P turned on. This feature allows people to access their cameras remotely and may be useful for those who do not use Blue Iris. However, if you're using Blue Iris, there's no need to do this because Blue Iris manages all your remote connections. Personally I don't like the idea of my cameras automatically accessing foreign IPs, even if the manufacturers say they don't get actual camera data and it's "safe".

My cameras both had ability to disable this by unchecking boxes for P2P or UID in their network admin settings, and now I have successfully eliminated this constant external access (though my router also blocks it - I set up a VLAN camera network with firewall that blocks cameras from accessing the internet other than NTP and from accessing any of my internal network)

Anyway, just thought I'd share a recommendation to disable this fetaure on all your cameras or see if anyone has any additional commentary around this.

[TimG]

Another good reason to think of network security.

I put my cameras on a second NIC primarily to remove the camera load from my home network, and use OpenVpn for remote mobile connections so the ports can be closed. That ensures the cameras are unable to call home, even if they want to.

There are many ways to secure your network, and it's something we all need to think about.

[MikeBwca]

Let me understand this...
Are you saying that even unchecking the P2P option, the camera will STILL go out to some (as of yet) unknown server?

I'll need to check the router logs, nd set up some traces.

[Matts1984]

Let me understand this...
Are you saying that even unchecking the P2P option, the camera will STILL go out to some (as of yet) unknown server?

I'll need to check the router logs, nd set up some traces.

I believe the OP was reporting that, at least for his (I am pretty sure "his"), disabling P2P stopped the attempts. That said.... I 100% have documented proof that my Amcrests do NOT respect this setting. They shall remain blocked.

That said, yep craigc, my cameras are on an isolated network with zero outbound access. Even the DNS/NTP traffic is translated so my firewall is the one responding. I have a secondary NIC on my BI server so it sits on the same VLAN to avoid the hop of server -> firewall -> cameras. I do still allow my primary computer to connect TO the cameras for firmware and GUI access.

[MikeBwca]

Yes, I had tested this with a second NIC and my cameras on it to isolate them from going to the internet. I was still able to update firmware via the host computer.

Wouldn't a VLan do the same same thing?

[Matts1984]

Yeah thats pretty much tomato/tomatoe. The cameras are on an isolated network