FWIW, I have a mostly isolated network of Reolink cameras.
Initially it was completely locked down, but I discovered the cameras eventually refuse connections after their RTC drifts too much. I could not get them to use my router for NTP because they preferred pool.ntp.org. I had to open up that port as well as allow them to make DNS lookups on my router.
They have been working fine with that minimal amount of internet access, but curiously, the firewall logs show frequent blocked connections to Reolink IPs on port 9999.
If you have Reolink cameras, your network is open, and you're worried about data exfiltration, then 9999 is one port you may want to block.
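A small script, added here as an example and not part of the comment above, that does the kind of log review this commenter describes: it reads netfilter-style firewall log lines, keeps only traffic sourced from the camera VLAN, tallies blocked outbound attempts by destination port, and lists any camera flow (blocked or accepted) that falls outside the intended allow-list of NTP and DNS. The log format, the 192.168.50.0/24 camera subnet, the `FW-DROP`/`FW-ACCEPT` log prefixes and all addresses in the sample are constructed assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of netfilter-style log lines (assumed format and addresses,
# not real camera traffic). 192.168.50.0/24 is the assumed camera VLAN.
SAMPLE_LOG = """\
Mar 10 12:00:01 router kernel: [FW-ACCEPT] IN=br-cam OUT=eth0 SRC=192.168.50.11 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123 LEN=76
Mar 10 12:00:02 router kernel: [FW-DROP] IN=br-cam OUT=eth0 SRC=192.168.50.11 DST=203.0.113.45 PROTO=TCP SPT=40312 DPT=9999 WINDOW=29200
Mar 10 12:00:05 router kernel: [FW-DROP] IN=br-cam OUT=eth0 SRC=192.168.50.12 DST=203.0.113.45 PROTO=TCP SPT=40313 DPT=9999 WINDOW=29200
Mar 10 12:00:09 router kernel: [FW-ACCEPT] IN=br-cam OUT= SRC=192.168.50.12 DST=192.168.50.1 PROTO=UDP SPT=50000 DPT=53 LEN=60
Mar 10 12:00:11 router kernel: [FW-DROP] IN=br-cam OUT=eth0 SRC=192.168.50.11 DST=203.0.113.46 PROTO=TCP SPT=40314 DPT=443 WINDOW=29200
Mar 10 12:00:15 router kernel: [FW-DROP] IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=TCP SPT=51000 DPT=9999 WINDOW=29200
"""

# What the cameras are meant to be allowed to do: NTP and DNS only.
ALLOWED = {("udp", 123), ("udp", 53)}

LOG_RE = re.compile(
    r"\[(?P<verdict>FW-(?:ACCEPT|DROP))\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    rec["proto"] = rec["proto"].lower()
    rec["blocked"] = rec["verdict"].endswith("DROP")
    return rec


def camera_flows(lines, camera_subnet):
    """Keep only records whose source address lies inside the camera subnet."""
    net = ipaddress.ip_network(camera_subnet)
    flows = []
    for line in lines:
        rec = parse_line(line)
        if rec and ipaddress.ip_address(rec["src"]) in net:
            flows.append(rec)
    return flows


def blocked_by_port(lines, camera_subnet):
    """Count blocked camera egress attempts per (proto, destination port)."""
    counts = Counter()
    for rec in camera_flows(lines, camera_subnet):
        if rec["blocked"]:
            counts[(rec["proto"], rec["dpt"])] += 1
    return counts


def destinations_on_port(lines, camera_subnet, port):
    """Which remote addresses the cameras keep trying to reach on a given port."""
    counts = Counter()
    for rec in camera_flows(lines, camera_subnet):
        if rec["dpt"] == port:
            counts[rec["dst"]] += 1
    return counts


def policy_violations(lines, camera_subnet, allowed=ALLOWED):
    """Camera flows outside the allow-list, whether or not the firewall dropped them.
    An ACCEPT record here means the ruleset is wider than intended."""
    return [
        rec for rec in camera_flows(lines, camera_subnet)
        if (rec["proto"], rec["dpt"]) not in allowed
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    subnet = "192.168.50.0/24"
    for (proto, dpt), n in blocked_by_port(lines, subnet).most_common():
        print(f"blocked {proto}/{dpt}: {n}")
    print("port 9999 destinations:", dict(destinations_on_port(lines, subnet, 9999)))
    for rec in policy_violations(lines, subnet):
        state = "BLOCKED" if rec["blocked"] else "ACCEPTED (ruleset too wide!)"
        print(f"{rec['src']} -> {rec['dst']} {rec['proto']}/{rec['dpt']} {state}")
```

The split between `blocked_by_port` and `policy_violations` is deliberate: the first tells you what the cameras are trying to do, the second tells you whether your ruleset actually matches the allow-list you think you configured, which is the check that catches a rule written too broadly when the NTP and DNS exceptions were added.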
Yeah, I really should do that. The current DNS setup is just using AdGuard Home. From what I can see, it doesn't support custom rules. Down the road I will set up something that provides this, most likely BIND forwarding to AdGuard.