Tom here from Lawrence Systems, and we're going to talk about locking down your surveillance network. This is something really important when you set up a surveillance network along with an NVR recorder, such as the Synology we're going to be using today. And we do this a lot for our businesses, and people ask, well, how do you trust those cameras, Tom? The Hikvisions or all the Amcrest cameras you use and all these different varied models, aren't they? Well, at least a few of them are listed on the do-not-install list for government facilities. And while that's true, my solution is to lock them down, keep them off the internet. They do not require internet access to work. We focus on the Synology NVR. The Synology NVR, we do allow internet access. Now, you put these all in the same subnet, and it's pretty easy to set up.

Now I've got a more in-depth video about setting up firewall rules for home or pfSense, so I'll leave that link down below if you're looking for a more expanded version. But this is just the basics of how to configure your surveillance network: allowing the Synology to have internet access, allowing the cameras to be on that network, but denying them external access. This mitigates any of the worries you may have about these cameras doing something, or someone getting into these cameras, because I don't feel that the firmware is well written. I'm positive it probably has a lot of bugs. This is a matter of, well, they're not what the security researchers want to take the time to really poke at. But why even have the opportunity? Not exposing these is my answer. So that's what we're going to cover today. We're going to be doing this with a pfSense firewall, but this would work with really any firewall that can control traffic between separate networks. So any modern firewall should be able to do this.

We have my computer here, 172.16.16.9, and that's on the 172.16.16.0 subnet.
That network is what we'll call our trusted network, where my devices and my computer are. Then we have the camera LAN network that we refer to as CAM LAN, 192.168.60.0/24. And we have it handing out addresses all in that range to these different cameras that are on here. There are actually five cameras that I have on my network, and they're all .20, .21 and so on and so forth with the DHCP reservations. Then we have the Synology DVA model, and this is set up at 192.168.60.15.

Now, the way firewalls work: I have a rule that allows this network here, the 172 network, to talk to the 192.168 network. And that rule allows for an initiated connection. So I can view my Synology locally. I can even talk to these cameras locally. What they are not allowed to do is get back; there's no rule that allows them to get back. And this is sometimes where some confusion can come in if you're unfamiliar with how firewalls work. If the connection was initiated from this network, it can initiate a connection to go to the other network. The reverse is not true. These devices, if they were made aware of my computer, for example, are not allowed, because the rules do not allow them to initiate a connection back through the other way.

So let's talk about how those rules are set up. And those rules are very simple, and technically one of them's not needed, but I'm leaving it in out of habit. And just in case I open up the internet to anything else on this network, or maybe don't want this RFC 1918 block, I will leave this firewall service port rule in. This is a deny rule that says deny (hence the red X), destination: this firewall and firewall service ports. I create these across all my networks, except for any networks I want to be able to admin the firewall on. So out of habit, I always put this one at the top, because pfSense firewall rules work from the top down. So this denies SSH, the web admin and the WWE report, all of which are used for levels of administration on my pfSense system.
The next one is allow DNS. Now, you could use an external DNS server; that would be an option. I prefer to allow it to use local DNS as assigned via DHCP to this Synology. This allows me to look at any lookups it may do if I wanted to do logging and tracing on that. But this allow rule here is just for DNS and is exclusive to our 192.168.60.15, our Synology only, not any of the cameras. They don't get DNS access.

The next one down is going to be allow access for 192.168.60.15, for my Synology, and deny it to RFC 1918 networks. And let's just actually take a closer look at the rule itself. So if you go down here, you'll see it's an invert match rule. So single host or alias, and we're throwing in the RFC 1918 alias. This allows the Synology to have internet access but blocks local access. And RFC 1918, as you can see that I have in here, just means block all of these address ranges, which that way covers any of the different subnets I not only have now, but maybe create in the future. You can create just an alias for your existing subnets and put them all into an alias when you're not allowed to talk to these networks, and that's fine. But if you create another network, then your Synology would have access to it unless you also added that one to the block list. Because there's never any reason I have for the Synology to access any of my local networks, I just leave this one here. Pretty simple to set up: you just create these aliases for RFC 1918 and put a deny on there. And this is actually good for setting up, for example, on guest networks as well.

Now I want to mention the Synology settings that I have in here. I have QuickConnect enabled. And I also have the permissions enabled for the mobile applications that allow for DS cam to work. I've actually used this for some file sharing, nothing that I consider really secure. It's actually a way I've shared some of my YouTube videos with people who needed some of the raw files for access and editing.
So they end up on the internet anyway. So I'm less worried about them here and the Synology Drive server. But if I didn't need those, I would uncheck them. But you can actually allow access to your cameras via the phone app but not have DSM access on there. Now I bring all this up because I do have a port forward enabled that allows faster access. If you don't turn on a port forward, the QuickConnect service will go into relay mode and allow it to relay off of the Synology service without opening ports. The downside is it's going to be a lot slower.

Now for a few final thoughts. Yes, I do have, and frequently we do, open up these to the internet as needed for clients. But this is also among the reasons that we have them on a dedicated box. Surveillance Station can run alongside the other Synology services such as Active Backup, but I really don't recommend it. And I'm not saying this to sell more Synologies; we're saying this because if you have your Synology Surveillance Station open to the internet and you're remotely accessing it to view the cameras, and somehow some flaw, a worst-case scenario, happens and someone gets into that Surveillance Station, you limit the damage by, one, the network rules that I said that lock it down to that particular network, and two, you lock it down by not having those other services running on there. So if there was a way in that allowed people to pivot to those other services, that could really expose a lot of data; by not having that as an option, you mitigate those risks. Ultimately, it comes down to what your risk tolerance is. Obviously, not opening it to the internet is a better idea. Obviously, using a VPN is a good idea. But sometimes for speed's sake, people just want to be able to easily access it, such as my wife, who says, I don't want to open a VPN every time. And don't you know how to lock it down to the separate network? Which is the video I just explained here, and those rules.
So if that scenario happens, the damage is very minimal; what could be done can't leave that network. And I could always just restore my Synology, and even the recordings I have backed up through Hyper Backup; it's pretty easy to do. So I could actually restore everything to a point before the incident occurred, if that incident even occurs. Just some thoughts out there; it comes down to what your risk tolerance is. I just want to make people aware of how this works, how to set it up and what the risks are involved in it. Leave your comments and thoughts down below. I have plenty of videos linked down below for Synology Surveillance Station, the cameras I use, the setup I use and a couple of different models that I've tested and done reviews on, and head on over to our forums if you'd like to have a more in-depth discussion about this or other topics on this channel.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
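The rule set Tom walks through (the service-port deny at the top, the Synology-only DNS allow, the invert-match pass against an RFC 1918 alias, and the implicit default deny below them) can be checked against sample flows with a small first-match evaluator. The following is an added example for this transcript, not code from the video, from Lawrence Systems or from pfSense itself. It models the networks named in the video (trusted LAN 172.16.16.0/24, CAM LAN 192.168.60.0/24, Synology at 192.168.60.15); the pfSense address on CAM LAN (192.168.60.1), the firewall service ports (22 and 443), the camera address .20 and the destination ports used in the sample flows are assumptions. It also adds a minimal state table to show the "initiated direction" point: replies to a connection the trusted LAN opened flow back without a rule, while a camera has no rule that lets it start a connection the other way.

```python
"""Toy pfSense-style first-match rule evaluator with a state table.
Added example, not Lawrence Systems' or pfSense's code. Addresses,
ports and rule names are constructed to mirror the video's layout."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Aliases. RFC 1918 covers every private range, so a subnet created later
# is still blocked without editing the rule (the point made in the video).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_LAN = ip_network("172.16.16.0/24")
CAM_LAN = ip_network("192.168.60.0/24")
SYNOLOGY = ip_address("192.168.60.15")
CAM_LAN_GATEWAY = ip_address("192.168.60.1")  # assumed: pfSense interface on CAM LAN
FIREWALL_SERVICE_PORTS = {22, 443}            # assumed: SSH and web admin


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: object = None        # None = any; ip_address or ip_network
    dst: object = None        # None = any; ip_address, ip_network or alias (list of networks)
    dst_ports: set = None     # None = any port
    invert_dst: bool = False  # pfSense "invert match": rule matches when dst is NOT in dst
    name: str = ""


def _matches(addr, spec):
    """Does addr fall under spec (any / single host / network / alias)?"""
    if spec is None:
        return True
    if isinstance(spec, list):
        return any(addr in net for net in spec)
    if hasattr(spec, "prefixlen"):          # ip_network
        return addr in spec
    return addr == spec                      # single ip_address


def evaluate(rules, src, dst, port):
    """First matching rule wins, top down; no match is the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        dst_hit = _matches(dst, rule.dst) != rule.invert_dst   # XOR with invert flag
        port_hit = rule.dst_ports is None or port in rule.dst_ports
        if _matches(src, rule.src) and dst_hit and port_hit:
            return rule.action, rule.name
    return "block", "default deny"


# Rules on the CAM LAN interface, in the order the video describes.
CAM_LAN_RULES = [
    Rule("block", CAM_LAN, CAM_LAN_GATEWAY, FIREWALL_SERVICE_PORTS, name="deny firewall service ports"),
    Rule("pass", SYNOLOGY, CAM_LAN_GATEWAY, {53}, name="allow DNS"),
    Rule("pass", SYNOLOGY, RFC1918, invert_dst=True, name="allow Synology to !RFC1918"),
]
# Trusted LAN may initiate anywhere, including to the cameras.
TRUSTED_LAN_RULES = [Rule("pass", TRUSTED_LAN, name="allow trusted LAN to any")]


class StatefulFirewall:
    """New connections hit the rules of the interface they arrive on;
    a passed connection leaves state so its replies need no rule."""

    def __init__(self):
        self.ingress = {CAM_LAN: CAM_LAN_RULES, TRUSTED_LAN: TRUSTED_LAN_RULES}
        self.states = set()

    def initiate(self, src, dst, port):
        rules = next((r for net, r in self.ingress.items() if ip_address(src) in net), [])
        action, name = evaluate(rules, src, dst, port)
        if action == "pass":
            self.states.add((src, dst, port))
        return action, name

    def reply_allowed(self, src, dst, port):
        """Reply direction: allowed only if the reverse flow already has state."""
        return (dst, src, port) in self.states


def order_matters():
    """Why the service-port deny sits at the top: if the RFC 1918 block were
    swapped for a plain 'allow Synology to any', the deny protects the
    firewall's admin ports only while it is evaluated first."""
    permissive = Rule("pass", SYNOLOGY, name="allow Synology to any")
    deny_on_top = [CAM_LAN_RULES[0], permissive]
    deny_at_bottom = [permissive, CAM_LAN_RULES[0]]
    return (evaluate(deny_on_top, "192.168.60.15", "192.168.60.1", 443)[0],
            evaluate(deny_at_bottom, "192.168.60.15", "192.168.60.1", 443)[0])


if __name__ == "__main__":
    fw = StatefulFirewall()
    for flow in [("172.16.16.9", "192.168.60.20", 554), ("192.168.60.20", "172.16.16.9", 445),
                 ("192.168.60.15", "8.8.8.8", 443), ("192.168.60.15", "192.168.60.1", 53),
                 ("192.168.60.15", "172.16.16.9", 445), ("192.168.60.20", "8.8.8.8", 443)]:
        print(flow, "->", fw.initiate(*flow))
    print("camera reply to trusted LAN:", fw.reply_allowed("192.168.60.20", "172.16.16.9", 554))
    print("deny on top / at bottom:", order_matters())
```

Running it shows the Synology reaching the internet and local DNS but nothing else on RFC 1918 space (including a subnet that does not exist yet), the cameras reaching nothing, the trusted LAN able to open a session to a camera whose replies then flow back, and the same camera unable to open anything toward the trusted LAN on its own.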