Here is the CLI firewall setup that I decided to use on my EdgeRouter-12 (ER-12) to isolate the VLAN for my cameras. You still need a DHCP service defined on the ER-12, unless it comes from an external source. The basics are:
- the cameras are allowed to access the internet, they need this to connect to the Wyze servers
- the cameras cannot access each other on the vlan (note that the three firewall chains below only see traffic that passes through the router; hosts sharing the same /24 talk to each other at layer 2 without crossing it, so that part of the isolation has to come from the switch/VLAN side rather than from these rules)
- the cameras are not allowed to modify configuration on the Edgerouter-12 but can get their DNS and DHCP services from the ER-12
- the cameras are not allowed to access any other vlan on the ER-12
- this ruleset is patterned after a normal Guest vlan with limited access
First we need a Group of addresses for the RFC-1918 private addresses:
set firewall group address-group RFC-1918_GROUP address 192.168.0.0/16
set firewall group address-group RFC-1918_GROUP address 172.16.0.0/12
set firewall group address-group RFC-1918_GROUP address 10.0.0.0/8
set firewall group address-group RFC-1918_GROUP description 'RFC-1918 Group'
Next we need a vif off of switch0 for our vlan:
set interfaces switch switch0 vif <camera_vlan_tag> address <router_address_on_camera_vlan>/24
set interfaces switch switch0 vif <camera_vlan_tag> description Cameras
set interfaces switch switch0 vif <camera_vlan_tag> firewall in name CAMERA_IN
set interfaces switch switch0 vif <camera_vlan_tag> firewall local name CAMERA_LOCAL
set interfaces switch switch0 vif <camera_vlan_tag> firewall out name CAMERA_OUT
set interfaces switch switch0 vif <camera_vlan_tag> ip enable-proxy-arp
The rules for traffic entering from our camera vlan and forwarded through the ER-12 to other networks (the internet, other vlans) [CAMERA_IN]:
set firewall name CAMERA_IN default-action accept
set firewall name CAMERA_IN description 'Guest In'
set firewall name CAMERA_IN rule 10 action accept
set firewall name CAMERA_IN rule 10 description 'accept established and related'
set firewall name CAMERA_IN rule 10 log disable
set firewall name CAMERA_IN rule 10 protocol all
set firewall name CAMERA_IN rule 10 state established enable
set firewall name CAMERA_IN rule 10 state invalid disable
set firewall name CAMERA_IN rule 10 state new disable
set firewall name CAMERA_IN rule 10 state related enable
set firewall name CAMERA_IN rule 20 action reject
set firewall name CAMERA_IN rule 20 description 'reject invalid packets'
set firewall name CAMERA_IN rule 20 log disable
set firewall name CAMERA_IN rule 20 protocol all
set firewall name CAMERA_IN rule 20 state established disable
set firewall name CAMERA_IN rule 20 state invalid enable
set firewall name CAMERA_IN rule 20 state new disable
set firewall name CAMERA_IN rule 20 state related disable
set firewall name CAMERA_IN rule 30 action drop
set firewall name CAMERA_IN rule 30 description 'Block RFC-1918 Traffic'
set firewall name CAMERA_IN rule 30 destination group address-group RFC-1918_GROUP
set firewall name CAMERA_IN rule 30 log disable
set firewall name CAMERA_IN rule 30 protocol all
The rules for traffic from our camera vlan to the ER-12 itself (DNS, DHCP, other services) [CAMERA_LOCAL]. Because the default action is drop, anything not listed here -- including the router's web UI and SSH -- is blocked from the camera vlan:
set firewall name CAMERA_LOCAL default-action drop
set firewall name CAMERA_LOCAL description 'Guest Local'
set firewall name CAMERA_LOCAL rule 10 action accept
set firewall name CAMERA_LOCAL rule 10 description 'accept established and related'
set firewall name CAMERA_LOCAL rule 10 log disable
set firewall name CAMERA_LOCAL rule 10 protocol all
set firewall name CAMERA_LOCAL rule 10 state established enable
set firewall name CAMERA_LOCAL rule 10 state invalid disable
set firewall name CAMERA_LOCAL rule 10 state new disable
set firewall name CAMERA_LOCAL rule 10 state related enable
set firewall name CAMERA_LOCAL rule 20 action reject
set firewall name CAMERA_LOCAL rule 20 description 'reject invalid packets'
set firewall name CAMERA_LOCAL rule 20 log disable
set firewall name CAMERA_LOCAL rule 20 protocol all
set firewall name CAMERA_LOCAL rule 20 state established disable
set firewall name CAMERA_LOCAL rule 20 state invalid enable
set firewall name CAMERA_LOCAL rule 20 state new disable
set firewall name CAMERA_LOCAL rule 20 state related disable
set firewall name CAMERA_LOCAL rule 30 action accept
set firewall name CAMERA_LOCAL rule 30 description 'Allow DHCP'
set firewall name CAMERA_LOCAL rule 30 destination port 67
set firewall name CAMERA_LOCAL rule 30 log disable
set firewall name CAMERA_LOCAL rule 30 protocol udp
set firewall name CAMERA_LOCAL rule 30 source port 68
set firewall name CAMERA_LOCAL rule 40 action accept
set firewall name CAMERA_LOCAL rule 40 description 'Allow DNS'
set firewall name CAMERA_LOCAL rule 40 destination port 53
set firewall name CAMERA_LOCAL rule 40 log disable
set firewall name CAMERA_LOCAL rule 40 protocol tcp_udp
The rules for traffic leaving the ER-12 toward our camera vlan, i.e. forwarded from other networks [CAMERA_OUT]:
set firewall name CAMERA_OUT default-action accept
set firewall name CAMERA_OUT description 'Guest Out'
set firewall name CAMERA_OUT rule 10 action accept
set firewall name CAMERA_OUT rule 10 description 'accept established and related'
set firewall name CAMERA_OUT rule 10 log disable
set firewall name CAMERA_OUT rule 10 protocol all
set firewall name CAMERA_OUT rule 10 state established enable
set firewall name CAMERA_OUT rule 10 state invalid disable
set firewall name CAMERA_OUT rule 10 state new disable
set firewall name CAMERA_OUT rule 10 state related enable
set firewall name CAMERA_OUT rule 20 action reject
set firewall name CAMERA_OUT rule 20 description 'reject invalid packets'
set firewall name CAMERA_OUT rule 20 log disable
set firewall name CAMERA_OUT rule 20 protocol all
set firewall name CAMERA_OUT rule 20 state established disable
set firewall name CAMERA_OUT rule 20 state invalid enable
set firewall name CAMERA_OUT rule 20 state new disable
set firewall name CAMERA_OUT rule 20 state related disable
set firewall name CAMERA_OUT rule 30 action drop
set firewall name CAMERA_OUT rule 30 description 'Drop Non-Guest Traffic'
set firewall name CAMERA_OUT rule 30 log disable
set firewall name CAMERA_OUT rule 30 protocol all
set firewall name CAMERA_OUT rule 30 source group address-group RFC-1918_GROUP