grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Mon Sep 26, 2022 12:30 pm Post subject: Roku + Gentoo router (for privacy)

How should I configure my Gentoo router to handle a wired Roku for network privacy?

pietinger Moderator
Joined: 17 Oct 2006 Posts: 4149 Location: Bavaria
Posted: Mon Sep 26, 2022 3:20 pm

It depends on your router (and its features), how you want to connect your Roku and if there is a dedicated firewall in your home network (or having a computer with two ethernet cards).
Usually a home router has only one uplink to your internet provider (ADSL?) and 4 (or 8) ethernet ports which act like a switch (on layer 2). Now the first question: Can you configure your router to "split off" one port (usually a home router can't do this)? If yes, it should be easy.
If no, then you have your Roku in your LAN if you connect it to one of these ports. Now you have two choices:
1. Configure a personal firewall on every computer you have in this LAN,
OR - if you have a computer with two ethernet ports -
2. Set up this computer as a firewall and connect your Roku to this system

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Mon Sep 26, 2022 10:34 pm

My router is just a dedicated Gentoo system. It has an ethernet interface for the WAN and another for the LAN. I connect the LAN interface to a switch and everything connects to that switch. Should I be able to split off one port of the switch? Or maybe it would be best to connect a third ethernet interface to the router?

pietinger Moderator
Joined: 17 Oct 2006 Posts: 4149 Location: Bavaria
Posted: Tue Sep 27, 2022 1:16 am

grant123 wrote:
> My router is just a dedicated Gentoo system.
Great!
grant123 wrote:
> Should I be able to split off one port of the switch?
Sorry for my old sayings ... but ... it depends on your switch. If it is able to configure VLANs then this is one choice.
grant123 wrote:
> Or maybe it would be best to connect a third ethernet interface to the router?
This is a very personal decision and I can only tell what I would do ... YES ... make a fine DMZ
(like I drew in this setup: https://forums.gentoo.org/viewtopic-t-1114432.html )

Ralphred Guru
Joined: 31 Dec 2013 Posts: 501
Posted: Tue Sep 27, 2022 10:59 am

grant123 wrote:
> Or maybe it would be best to connect a third ethernet interface to the router?
There are 3 levels of "isolation" available for you to choose from, hacky, network and [virtual or physical], each building on the last and adding "better" isolation.
- Hacky
Easiest to achieve, just make the isolated device think it's in a smaller network than it is by setting a /30 (ideally, but larger network if you have to) address that only lets it talk to the router.
- Network
Similar to above, but without "breaking protocol", add a second IP in a different network (subnet) to the router's LAN port, and use an address on this network (again ideally /30) for the "isolated device". This gives you layer 3 isolation, but the isolated device can still see layer 2 broadcasts.
- Physical
Add a second LAN NIC to the router and keep everything literally separate (no using the switch unfortunately)
- Virtual
Same as above, but with a virtual separation between the "two networks". But this can be done two ways, the traditional (more secure) way where the switch is responsible for not forwarding packets from VLAN A to VLAN B and vice versa (and providing layer 2 isolation).
Or where devices on VLAN {A,B} know they are only looking for packets tagged for them (but I'd be surprised if you had that level of control over the Roku device) and ignore the ones that "aren't for them".
If it's only the Roku you don't trust then network isolation is fine (assuming you aren't anticipating a 3rd party messing with its network settings). If you have a managed switch that is VLAN capable, then doing it that way is better (and free, as you can just config the switch and router to cope). If you don't have a managed switch then an extra NIC for the router is probably cheaper (and technically better/safer, but it's moot in a home set-up) than procuring a managed switch.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sat Oct 08, 2022 12:23 pm

Thank you. I'll use an extra physical NIC for the Roku.
Without implementing this, does the Roku see everything I do on the wired network that isn't encrypted?

pietinger Moderator
Joined: 17 Oct 2006 Posts: 4149 Location: Bavaria
Posted: Sat Oct 08, 2022 6:42 pm

grant123 wrote:
> Without implementing this, does the Roku see everything I do on the wired network that isn't encrypted?
No, if it is a (real) switch (-> only broadcasts) - yes, if you would use a hub.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sat Oct 08, 2022 6:50 pm

grant123,
That depends on how you configure your router/firewall.
Separate LANs are supposed to be separate but anything is possible.
The Roku LAN should not be permitted to start connections to your other (private) LAN.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sat Oct 08, 2022 8:35 pm

Quote:
> No, if it is a (real) switch (-> only broadcasts) - yes, if you would use a hub.
I'm using a switch so it sounds like my traffic will be private from the Roku while I figure out the DMZ.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Sat Oct 08, 2022 10:05 pm

If you are concerned, you could temporarily place a Linux system on the quarantined port and try to use network monitoring tools on it to snoop on other traffic. If your switch provides the desired level of isolation, the quarantined system should be unable to snoop anything from other systems. Once you have proved that the quarantine works, you can move the Roku onto that port.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Fri Oct 14, 2022 6:40 pm

Let me see if I have this right. Once I've put the Roku on a DMZ I'll have increased security/privacy in two ways:
1. I won't have to rely on my switch's proper functioning and security.
2. I'll have a more robust way of specifying that the Roku may not connect to the rest of the LAN.
Am I missing anything?

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Wed Oct 19, 2022 10:59 am

Am I thinking about this correctly?

pietinger Moderator
Joined: 17 Oct 2006 Posts: 4149 Location: Bavaria
Posted: Wed Oct 19, 2022 11:57 am

grant123 wrote:
> Am I thinking about this correctly?
Yes! ... but please keep in mind: A DMZ is only as secure as your firewall rules are ...

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Thu Oct 20, 2022 12:33 pm

Should routefilter,nosmurfs (and maybe dhcp) be sufficient OPTIONS for every line in /etc/shorewall/interfaces? It looks like tcpflags is default and logmartians is implied by routefilter.
https://shorewall.org/manpages/shorewall-interfaces.html
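As an added example (mine, not from any poster and not Shorewall's own sample files), here is the three-zone layout NeddySeagoon describes above (the Roku LAN may answer, but never start, connections to the private LAN) as Shorewall 5 configuration written out by a shell function, with the interfaces OPTIONS set asked about in this post. The interface names eth0/eth1/eth2, the 192.168.1.0/24 and 192.168.2.0/24 subnets, and the router running DHCP and a DNS resolver are assumptions.

```shell
# Added example: Shorewall 5 files for a router with three NICs (assumed
# names: eth0 = net/WAN, eth1 = loc/private LAN, eth2 = dmz/Roku).
write_dmz_config() {
    dir=${1:?target directory}
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    # routefilter = per-interface rp_filter, nosmurfs = drop packets with a
    # broadcast source, dhcp = the router also serves DHCP there (assumed).
    cat > "$dir/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter,dhcp
dmz     eth2        tcpflags,nosmurfs,routefilter,dhcp
EOF
    # First match wins. Conntrack lets replies back, so "dmz loc REJECT"
    # still lets a LAN host reach the Roku; only connections the Roku
    # starts toward loc (or the router itself) are refused and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
dmz     loc     REJECT  info
dmz     $FW     REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF
    # Exceptions: DNS to the router only if it runs a resolver (assumed); SSH/ping from loc only.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST
DNS(ACCEPT)     dmz     $FW
DNS(ACCEPT)     loc     $FW
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
EOF
    cat > "$dir/snat" <<'EOF'
#ACTION         SOURCE          DEST
MASQUERADE      192.168.1.0/24  eth0
MASQUERADE      192.168.2.0/24  eth0
EOF
}
```

Run it as `write_dmz_config /etc/shorewall && shorewall check` (with STARTUP_ENABLED and IP_FORWARDING set in shorewall.conf) to have Shorewall compile and validate the result before starting it.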

pietinger Moderator
Joined: 17 Oct 2006 Posts: 4149 Location: Bavaria
Posted: Thu Oct 20, 2022 4:09 pm

grant123 wrote:
> Should routefilter,nosmurfs (and maybe dhcp) be sufficient OPTIONS for every line in /etc/shorewall/interfaces? [...]
Sorry, I am not a shorewall man and cannot help you here. Maybe open a new thread for it?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Thu Oct 20, 2022 5:46 pm

grant123,
Is this embryonic page any help?
I'm a shorewall user too.
Shorewall does not change for being installed on a Pi4

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Thu Oct 20, 2022 8:39 pm

Yes, very helpful thank you!
Why no routefilter OPTIONS in your interfaces file?
Why set these without routefilter:
Code:
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
Why no OPTIONS for the net zone in your interfaces file?
Doesn't your firewall need to make some connections in your policy file?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sat Oct 22, 2022 3:07 pm

grant123,
I was playing with running my own VPN end point at one time but the need for it went away.
The policy routing things are probably leftovers from that.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Mon Oct 24, 2022 11:22 am

I tried creating /etc/sysctl.conf and adding these:
Code:
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
but after rebooting I still have this:
Code:
    # cat /proc/sys/net/ipv4/conf/default/rp_filter
    0
    # cat /proc/sys/net/ipv4/conf/all/rp_filter
    0
I'm using gentoo-kernel which I'm guessing has Sysctl support but there is no config or config.gz file in the installed sources. How best to check the config with gentoo-kernel?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Mon Oct 24, 2022 1:33 pm

grant123,
Code:
    pi_router ~ # cat /proc/sys/net/ipv4/conf/default/rp_filter
    0
    pi_router ~ # cat /proc/sys/net/ipv4/conf/all/rp_filter
    0
Me too.
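An added example (mine, not from either poster) for the rp_filter check in the two posts above: the kernel's ip-sysctl documentation says source validation uses the larger of conf/all and conf/<iface> rp_filter, so reading only default and all does not show what an interface actually enforces. These functions report the effective value per interface, compare what sysctl.conf and sysctl.d configure against the live value (so a setting that did not survive a reboot shows up as a mismatch), and look for a kernel config in the usual places. SYSROOT is an assumed prefix, empty on a real system, so the same functions can be run against a copied or constructed tree.

```shell
# Added example. SYSROOT (assumed, normally empty) prefixes every path so the
# functions can be exercised against a copied or constructed tree.
SYSROOT=${SYSROOT:-}

# Live value of /proc/sys/net/ipv4/conf/<iface>/rp_filter, or "missing".
live_rp_filter() {
    f="$SYSROOT/proc/sys/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# What the kernel enforces on <iface>: the larger of conf/all and conf/<iface>
# (ip-sysctl documents the max; a missing interface counts as 0).
effective_rp_filter() {
    a=$(live_rp_filter all); i=$(live_rp_filter "$1")
    [ "$a" = missing ] && a=0
    [ "$i" = missing ] && i=0
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Last value set for a sysctl key in sysctl.conf and sysctl.d/*.conf
# (the files `sysctl --system` reads), or "unset".
configured_sysctl() {
    key=$1
    cat "$SYSROOT/etc/sysctl.conf" "$SYSROOT"/etc/sysctl.d/*.conf 2>/dev/null \
      | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
      | tail -n 1 | grep . || echo unset
}

# "ok" when the configured all.rp_filter is live, else "mismatch: ..." so a
# reboot that silently dropped the setting (as reported above) is visible.
check_rp_filter() {
    want=$(configured_sysctl net.ipv4.conf.all.rp_filter)
    have=$(live_rp_filter all)
    if [ "$want" = "$have" ]; then echo ok; else echo "mismatch: configured=$want live=$have"; fi
}

# First kernel config found: /proc/config.gz (needs CONFIG_IKCONFIG_PROC),
# /boot/config-<release>, or /usr/src/linux/.config; "none" otherwise.
find_kernel_config() {
    for c in "$SYSROOT/proc/config.gz" "$SYSROOT/boot/config-$(uname -r)" \
             "$SYSROOT/usr/src/linux/.config"; do
        if [ -r "$c" ]; then echo "$c"; return 0; fi
    done
    echo none; return 1
}
```

With a config file found, `zcat` (for config.gz) or `grep` it for CONFIG_SYSCTL and CONFIG_IKCONFIG_PROC; after editing sysctl.conf, `sysctl --system` reloads it without a reboot and `check_rp_filter` should then report ok.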