Roku + Gentoo router (for privacy)

[grant123]

How should I configure my Gentoo router to handle a wired Roku for network privacy?

[pietinger]

It depends on your router (and its feautures), how yout want connect your Roku and if there is a dedicated firewall in your home network (or having a computer with two ethernet cards).

Usually a home router has only one uplink to your internet provider (ADSL?) and 4 (or 8 ) ethernet ports which act like a switch (on layer 2). Now the first question: Can you configure your router to "split off" one port (usually a home router cant do this). If yes, it should be easy

If no, then you have your roku in your LAN if you connect it to one of these ports. Now you have two choices:

1. Configure a personal firewall on every computer you have in this LAN,
OR - if you have a computer with two ethernet ports -
2. Set up this computer as a firewall and connect your roku to this system

[grant123]

My router is just a dedicated Gentoo system. It has an ethernet interface for the WAN and another for the LAN. I connect the LAN interface to a switch and everything connects to that switch. Should I be able to split off one port of the switch? Or maybe it would be best to connect a third ethernet interface to the router?

[pietinger]

[Ralphred]

[grant123]

Thank you. I'll use an extra physical NIC for the Roku.

Without implementing this, does the Roku see everything I do on the wired network that isn't encrypted?

[pietinger]

[NeddySeagoon]

grant123,

That depends on how you configure your router/firewall.
Separate LANS are supposed to be separate but anything is possible.

The Roku LAN should not be permitted ta start connections to your other (private) LAN.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[grant123]

[Hu]

If you are concerned, you could temporarily place a Linux system on the quarantined port and try to use network monitoring tools on it to snoop on other traffic. If your switch provides the desired level of isolation, the quarantined system should be unable to snoop anything from other systems. Once you have proved that the quarantine works, you can move the Roku onto that port.

[grant123]

Let me see if I have this right. Once I've put the Roku on a DMZ I'll have increased security/privacy in two ways:

1. I won't have to rely on my switch's proper functioning and security.
2. I'll have a more robust way of specifying that the Roku may not connect to the rest of the LAN.

Am I missing anything?

[grant123]

Am I thinking about this correctly?

[pietinger]

[grant123]

Should routefilter,nosmurfs (and maybe dhcp) be sufficient OPTIONS for every line in /etc/shorewall/interfaces? It looks like tcpflags is default and logmartians is implied by routefilter.

https://shorewall.org/manpages/shorewall-interfaces.html

[pietinger]

[NeddySeagoon]

grant123,

Is this embryonic page any help?
I'm a shorewall user too.

Shorewall does not change for being installed on a Pi4
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[grant123]

Yes, very helpful thank you!

Why no routefilter OPTIONS in your interfaces file?

Why set these without routefilter:

[NeddySeagoon]

grant123,

I was playing with running my own VPN end point at one time but the need for it went away.
The policy routings things are probably leftovers from that.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[grant123]

I tried creating /etc/sysctl.conf and adding these:

[NeddySeagoon]

grant123,

[grant123]

Ok but aren't you setting them to '1' here:

https://wiki.gentoo.org/wiki/User:NeddySeagoon/Pi4_Router#.2Fetc.2Fsysctl.d.2Frouter.conf

Also at the bottom of this section:

https://wiki.gentoo.org/wiki/Home_router#NAT_.28a.k.a._IP-masquerading.29