Block your IoT devices from the internet but allow Time Synchronization (Fritzbox)
(Last Updated On: February 4, 2023) If you have cameras that you use as baby monitors and you are like me, you hate that those devices always try to “call home” to their cloud services, where anyone with access to that service can see your video feeds.
💡 I am using cameras as an example, but this can be done with any WiFi-capable IoT device.
Blocking all internet connections.
The first thing I do with my cameras (or really any “Stupid Smart Device”) is to block their access to the internet. I just want to make them accessible on the local network, and if for some reason I DO need to access them from outside, then I connect my remote device with a VPN to my local network, then I can see the cameras.
I do this on my Fritzbox router in Internet -> Filters -> Access Profiles.
This works as I want, but it has one problem. Most camera manufacturers configure their devices to get their time synchronization from their own servers or from some public server, without any way to change that.
This means the time and timestamps on the camera cannot be adjusted, and if you let it connect to the internet just for one minute to get the time synced, it will drift out of sync again after some days.
That was the case for some of my TP-Link cameras. It seems TP-Link cannot imagine people using their devices without a constant, uncontrolled internet connection.
Block all, but NTP 🧐.
Anyway, after some digging and learning, I got a better idea: how about unblocking the port used for NTP but blocking everything else?
NTP uses UDP on port 123 for its connections, so it should be an easy task to do this. Shouldn't it? Well…
Fritzbox routers have a way to define Network Applications with their ports inside: Internet -> Filters -> Lists -> Network Applications.
My first try was to create an NTP Network Application there that I could assign to my cameras' Access Profile:
- Protocol: UDP
- Source Port: any
- Destination Port: 123
But this turned out not to be useful, because Fritzboxes use those entries only to BLOCK traffic. So if I add the NTP Network Application, it will effectively just block NTP and allow all other traffic.
Fritzbox does not have a “just allow” option. But there is a workaround that they themselves use for one of their own Network Applications: “Everything except surfing and mail”.
What they do there is block all ports except the ones needed for surfing and mail. We can do the exact same thing: block all ports on TCP, and then block all UDP ports from 1 to 122 and from 124 to 65535. Only UDP port 123 (NTP) is left unblocked.
Afterward, we just have to assign this Network Application to our Access Profile and change the internet limit from Never to Always.
We have now blocked the internet while still allowing Network Time Protocol (NTP) synchronization for our IoT devices. If your camera has its own app, you can test this by trying to access it first from your WiFi and then from a mobile connection. On WiFi it should be visible; on the mobile connection the camera should not be reachable, but the time of your camera is now always correct.
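As an added example (not part of the original post and not Fritzbox's own code), here is a small Python model of the block-list logic described above: it derives the “everything except one port” ranges and simulates what a profile does to a few representative flows, including the wrong-way-round first attempt. It generalises to any set of allowed ports (for instance adding UDP/53 if a device must resolve the NTP server name through an external DNS server); the tuple format and the simulation are assumptions, not Fritzbox's data model.

```python
# Added example: model Fritzbox "Network Application" block-list semantics.
# Assumes destination-port filtering only (source port "any", as in the post).
# Rule tuples (proto, lo, hi) are a constructed representation, not Fritzbox's own.
from typing import Iterable

MAX_PORT = 65535
PROTOCOLS = ("tcp", "udp")


def block_ranges_for(allowed: Iterable[tuple[str, int]]) -> list[tuple[str, int, int]]:
    """Return block entries covering every port except those in `allowed`.

    Fritzbox Network Applications only ever BLOCK, so "allow only NTP"
    becomes "block TCP 1-65535, UDP 1-122, UDP 124-65535".
    """
    rules = []
    for proto in PROTOCOLS:
        open_ports = sorted({p for pr, p in allowed if pr == proto})
        start = 1
        for p in open_ports:
            if p > start:                      # gap before this open port
                rules.append((proto, start, p - 1))
            start = p + 1
        if start <= MAX_PORT:                  # tail after the last open port
            rules.append((proto, start, MAX_PORT))
    return rules


def is_blocked(rules, proto: str, port: int) -> bool:
    """Simulate the router: a flow is blocked if any entry matches it."""
    return any(pr == proto and lo <= port <= hi for pr, lo, hi in rules)


def check_profile(rules) -> dict:
    """True means the flow is ALLOWED by the profile."""
    return {
        "ntp": not is_blocked(rules, "udp", 123),
        "https": not is_blocked(rules, "tcp", 443),
        "dns": not is_blocked(rules, "udp", 53),
    }


NTP_ONLY = block_ranges_for([("udp", 123)])   # the post's working profile
NTP_BLOCK_ONLY = [("udp", 123, 123)]           # the post's first, wrong attempt

if __name__ == "__main__":
    for proto, lo, hi in NTP_ONLY:
        print(f"block {proto.upper()} {lo}-{hi}")
    print("NTP-only profile:", check_profile(NTP_ONLY))
    print("first attempt   :", check_profile(NTP_BLOCK_ONLY))
```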