I realized I was at risk by having smart devices on my normal network, so decided to move them to my guest network.

I don’t like my smart tv, but it’s all I have to work with for now. I want to keep it on my guest network, but still stream using jellyfin. I see on my netgear router there is an option to “let devices on guest network see other devices and access local network” which would probably allow it to see my jellyfin server, but then doesn’t that defeat the point of a guest network? Maybe I need to learn what a reverse proxy is…jellyfin server is currently on windows (not my pc) but could move it to my linux pc if needed.

And yes, I plan to get a media center linux box in the future so I don’t have to deal with the garbage smart tv os!

  • yaroto98 · 8 points · 7 days ago

    Disclaimer: I’m not a networking guy, but I’ve worked with them.

    If you’re looking for security, you set up vlans. I don’t know enough about your setup to know if you set up a vlan, or just a separate subnet.

    The goal is to have separate vlans, to block all traffic between the two networks, and then add exceptions in the ACL. The ACL is essentially a firewall between the two vlans.

    With this in place the smart device can’t scan your network to gather info. Also, if it gets infected, it can only attack through the opened routes or the other devices on the vlan.

  • FeelzGoodMan420@eviltoast.org · 1 point · edited · 7 days ago

    A better solution is to use a pihole to block all domains that the TV pings, and only let through ones that allow you to use streaming apps (i.e. netflix API domain.)

    Another good solution is to block WAN access for specific devices and only allow them to communicate over LAN. This would be done on your Router. This method would allow local streaming using Jellyfin but wouldn’t allow streaming apps like Netflix since that requires communication with the outside Internet.

    • ddh@lemmy.sdf.org · 2 points · 5 days ago

      I don’t think DNS blocking is sufficient for untrusted devices. A Pi-hole won’t stop or report on a device that doesn’t use it. WAN blocking is good when you can use it, but also not sufficient on its own and can render devices non-functional (which maybe they should be…). Virtual or physical LAN segregation and a firewall is required to both stop your trusted devices being accessed maliciously, and to block/sniff what the untrusted devices are doing with WAN access.

    • marsara9@lemmy.world · 5 points · 7 days ago

      If you’re worried about your IoT devices on your LAN the problem isn’t necessarily that they can access WAN but rather that there’s a security vulnerability and that they can be accessed by the WAN. Once a device is compromised an attacker can then use it as a “beachhead” to access other devices on your network.

      So for example, with my setup every IoT device is on a separate VLAN (the guest network acts similarly) which can’t get access to WAN, can’t be accessed from the WAN and can’t initiate any network calls to any other VLAN. Now my primary VLAN can talk to my IoT VLAN, and IoT can talk back, it just can’t start the communication.

      This does pose a problem for TVs though that need to talk to Jellyfin as hinted at in the original post. So what you could do is create a specific firewall rule that allows the TVs to at least initiate communication to Jellyfin but not any other device on your primary VLAN. This will probably require a more sophisticated router though than most of the consumer ones out there. Just be mindful that if an IoT device is compromised they can then try to attack the jellyfin server to jump to your other VLAN and then the rest of your network.

      • FeelzGoodMan420@eviltoast.org · 0 points · edited · 7 days ago

        I don’t understand your response. You’re essentially doing the exact same thing I am. Preventing iot devices from accessing wan. The end result is the same, except you’re blocking it from accessing other devices on lan as well. But access to wan is blocked which is the most important. If a device has a security vulnerability then by blocking wan access, you’re blocking an attacker from getting in, unless someone malicious is already on your local network, in which case you’re fucked anyway. Apologies if I misunderstood your point.

        • CosmicGiraffe@lemmy.world · 2 points · 5 days ago

          With a Pihole, you aren’t preventing the device from reaching the internet, you’re just refusing to provide it answers to its DNS requests. That means that it can’t translate a domain name (example.com) to an IP address (1.2.3.4) using your DNS server. But there’s nothing stopping it from using a different DNS server whose IP it has hardcoded, and nothing stopping it from then talking to anything on the internet once it has the correct IP to use.

          In contrast, the other poster sounds to be using a firewall to apply ACLs. That means that the only way to reach the WAN is by passing over the firewall, and the firewall can apply rules about what traffic it allows. That prevents the device talking to a hardcoded DNS server, or talking to something on the internet if it already knows its IP.

          The other poster also talks about adding specific exemptions to these ACLs for specific services. So, e.g. letting the TV reach Jellyfin, but only Jellyfin & not all the other devices on the network. That reduces the risk of an attacker using the IoT device as a way to attack the rest of the network, since there’s less stuff to attack. You’re right that this is a fairly marginal gain for an IoT device which doesn’t have WAN access anyway.

          The downside of this approach is that the device enforcing the ACLs has to handle all the network traffic. That means it needs more processing power to take packets, apply the ACL rules and then decide whether or not to send it onward. The upside of a Pihole is that DNS is a relatively tiny amount of traffic, so it takes much less processing power to handle just DNS.

          • FeelzGoodMan420@eviltoast.org · 0 points · edited · 5 days ago

            So most alternative router firmware comes with a feature that can be configured to re-route any hard-coded DNS through the pihole. I.e., my Smart TV will switch to Google DNS if it can’t connect through your set DNS. The feature I mentioned will force this to always go through your configured DNS. This completely solves that issue. I’ve thoroughly tested this and it 100% works. Also routers have a feature that can block a device from accessing the WAN at all, and only allow them to access the LAN. This is just a simple toggle in my router and extremely easy to use. I block certain devices that I don’t want to have internet at all but that I want to access over the network (i.e. plex).

            Just to be clear, my goal with my setup is limiting tracking, telemetry, and ads.

            • CosmicGiraffe@lemmy.world · 1 point · 5 days ago

              Sure, but that’s not the setup you described in the original post. I think that’s probably where your confusion is coming from - people are responding about a setup that’s just a PiHole, not a PiHole plus router features to ensure that it’s used.

              Ultimately any setup that allows the device internet access is going to introduce some opportunities for tracking/telemetry/ads. If the vendor really wants to they could just channel all that data through a single HTTPS connection, along with the useful data you want to let the device access. You won’t have any way to inspect that traffic and selectively block it, so you end up having to choose between blocking everything or blocking nothing.

              Your setup sounds like it’s reaching the privacy/functionality trade-off that you want.
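
A concrete rendering of the policy these two sub-threads describe (IoT VLAN cannot reach the WAN or initiate toward the trusted VLAN but can answer flows the trusted side opens, one exemption so only the TV can reach Jellyfin on its default HTTP port 8096, and hard-coded resolvers redirected to the Pi-hole), as an added nftables ruleset that is not any poster's configuration. It assumes a Linux-based router; the interface names, subnets and the Pi-hole, Jellyfin and TV addresses are placeholders.

```nft
#!/usr/sbin/nft -f
# Assumed layout (placeholders; adjust to your own network):
#   eth0   = WAN uplink
#   vlan10 = trusted LAN, 192.168.10.0/24 (Pi-hole at .2, Jellyfin at .5)
#   vlan20 = IoT/guest VLAN, 192.168.20.0/24 (smart TV at .50)
define wan      = "eth0"
define lan_if   = "vlan10"
define iot_if   = "vlan20"
define lan_net  = 192.168.10.0/24
define pihole   = 192.168.10.2
define jellyfin = 192.168.10.5
define tv       = 192.168.20.50

table inet iot_policy {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed in are fine: this is what lets
        # the TV "talk back" to the trusted VLAN without being able to start a flow.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may initiate anything toward IoT or the WAN.
        iifname $lan_if accept

        # IoT may reach the Pi-hole for DNS only (TCP and UDP 53).
        iifname $iot_if ip daddr $pihole meta l4proto { tcp, udp } th dport 53 accept

        # The one exemption: only the TV, only to Jellyfin, only on Jellyfin's HTTP port.
        iifname $iot_if ip saddr $tv ip daddr $jellyfin tcp dport 8096 accept

        # Everything else IoT tries to initiate (rest of the LAN, the WAN) is logged and
        # dropped; nothing arriving from the WAN is forwarded to IoT since no rule accepts it.
        iifname $iot_if ip daddr $lan_net log prefix "iot->lan denied: " drop
        iifname $iot_if oifname $wan log prefix "iot->wan denied: " drop
    }
}

table ip iot_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # A device that ignores the DHCP-supplied resolver and uses a hard-coded one
        # (the bypass described above) has its port-53 traffic rewritten to the Pi-hole.
        iifname $iot_if ip daddr != $pihole meta l4proto { tcp, udp } th dport 53 dnat to $pihole
    }
}
```

Because every IoT flow crosses the router, the log prefixes on the two drop rules show what the TV attempts beyond Jellyfin and DNS, which a Pi-hole alone cannot report.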

  • catloaf@lemm.ee · 1 point · 7 days ago

    Yes, unless it lets you list exceptions, that would defeat the point. You might need to set up a full router and firewall.