[mythtv-users] VLANs, HDHomeruns and bears, oh my

Stephen Worthington stephen_agent at jsw.gen.nz
Sun Apr 5 15:59:33 UTC 2020


On Sun, 5 Apr 2020 10:06:01 -0400, you wrote:

>With self-isolation and some time on our repeatedly washed hands, I'm sure
>many of us are tackling projects or even just thinking of future projects
>to distract ourselves.
>
>I was thinking about isolating IoT devices like the HDHomeruns, Rokus and
>Blu-ray player on a VLAN.
>
>Knowing the term VLAN is about the extent of my knowledge on the subject. I
>know I need a VLAN aware switch and a VLAN aware router.
>
>Just curious how you configure this so I can read more on the topic. Let's
>call the MythTV box letterman.
>
>Other computers in the home are on VLAN 1. HDHomeruns are on VLAN 2.
>
>letterman can see/access the HDHomeruns.
>
>letterman can see/access the other computers/NAS and vice versa.
>
>Also is it safe to have letterman be able to access VLAN1 or is it
>"compromised" because it can communicate with IoT devices?
>
>Thanks for any suggestions and I wish that you and yours are safe and
>healthy during this time.

First, it pays to understand just how VLANs work.  A packet sent on a
VLAN has a VLAN header attached to the front of the Ethernet packet
which says which VLAN it belongs to.  This extra VLAN header is known
as a "tag" and VLAN traffic is said to be "tagged".  Packets with no
VLAN header are "untagged" and are the normal Ethernet packets that
you currently are using on your network.  There can be multiple tags
on Ethernet packets, with the outermost one being the one that a
switch or router will look at to see which VLAN it belongs to.  This
allows you to send VLANs transparently anywhere on your network, over
another VLAN if necessary.

If you want to properly control the access between VLANs, you need to
set things up so that the only place where traffic gets routed between
the VLANs is in your router.  If letterman is on both VLAN 1 and VLAN
2, then it is vulnerable to an IoT device that is on VLAN 2 and has
been hacked (e.g. there are a lot of security cameras that are
vulnerable like that).  So ideally, letterman is connected to the
router on VLAN 1 (or just ordinary untagged Ethernet subnet), and to
talk to VLAN 2 it sends the traffic via the router.  The router is set
up so that nothing on VLAN 2 can connect to any other subnet or VLAN
on your network.  Other things on your network are able to initiate
connections to the VLAN 2 devices, and then traffic on such an
established connection is allowed back to the source of that
connection, as is any related traffic (such as ICMP packets related to
that connection).  Any attempt by the VLAN 2 devices to initiate
connections to other parts of your network would be blocked by the
router.

There is a big security hole in using VLANs.  If you have VLAN 1 and
VLAN 2 traffic on the same Ethernet cable, then an IoT device on VLAN
2 that has been hacked can just set its Ethernet port in promiscuous
mode and see all the packets going by on both VLANs.  So it is
important that your VLAN capable switch is set up so that any VLAN 2
only device has its switch port set to only send VLAN 2 packets to
that device.

The way a VLAN capable switch is normally used is that all the VLAN 2
devices are on ports that are set up to add a VLAN 2 tag to any packet
that they receive from the device, and when the ports see a VLAN 2
packet sent from another device, to the device attached to that port,
the port will strip the tag from the packet before it sends it to the
device.  That way, the device does not know it is on a VLAN (and does
not need to be VLAN capable).  Only the switch and router need to
handle the operation of the VLANs.  When operated like this, the VLANs
make the switch work as though it was several different switches, each
physically separate from each other and each only carrying the traffic
for one VLAN.

It is also possible to have a port set up so that it will receive all
VLAN 2 packets for the device connected to it, but will not strip the
tags.  That way, the device itself will need to be VLAN capable, but
can be connected to more than one VLAN.  This is most often used with
PC Ethernet ports.  If you want a PC to be able to talk to more than
one part of your network, but it only has one Ethernet port, then you
just set it up with two VLANs on that one Ethernet port.  The traffic
seen on the PC will arrive on two different IP addresses, one for each
of the VLANs, and can be handled separately by the software on that
PC.  But see the security hole problem as above - it is better to have
the router handle things so that the PC does not have to have its own
full scale firewall on both VLANs.  The PC then just connects on one
VLAN and sends traffic via the router to devices on the other VLAN.
The router's (potentially quite complex) routing and firewall rules
define whether or not the PC can access the devices on the other
VLANs.  Having to have the same complexity of firewalling on the PCs
as well as the router is a nightmare - it is best to have all those
rules in just one place.

It all sounds a bit complex, but if you just think of a VLAN as a way
of not having to run another Ethernet cable to carry separate traffic,
and of not having to have separate switches for each subnet, it becomes
much easier.  And it is all pretty standard stuff these days, at least
on business networks.  Home users rarely use VLANs, usually because
they have rarely invested in a proper business class VLAN capable
switch, which is the basic thing you need to start using VLANs.  Some
home type routers and switches say they do VLANs, but it is much
better to invest in the proper business class devices that really have
all the proper capabilities for handling VLANs.  On my network, I have
two Ubiquiti routers and a Ubiquiti switch to do that, and my WiFi
router runs OpenWRT, which also has full VLAN capability.

I would not recommend putting the more vulnerable IoT type devices on
the same VLAN as more trustworthy devices such as HDHomeruns.  They
should probably be put on different VLANs.  HDHomeruns are not
normally exposed to the wider Internet, so are unlikely to be hackable
(unless someone hacks their home site and sends them hacked firmware
updates).  IoT devices often have crappy code in them that is badly
broken and vulnerable, and they often call home, even when they do not
have any real need to.  So they can be very vulnerable, including
having a hacker send "updated" firmware to them and take complete
control of them.  Typically, they are WiFi connected, rather than
Ethernet, so I think the correct way to handle them is to have a
separate WiFi SSID for the IoT devices, and a good WiFi router that
does its very best to prevent any packets being directly exchanged
between devices on that SSID, instead requiring that any traffic
between the IoT devices go via the WiFi router, or even via the main
router (if they are separate).  The WiFi router would tag the IoT SSID
packets with a VLAN tag and send them to the main router and it would
decide what to do with them, including which of the IoT devices were
actually allowed to talk to each other, and which can phone home and
where they are allowed to talk to.
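As an added illustration (not from the post above and not any particular router's firmware), here is a small Python model of the router policy the post describes: devices on VLAN 1 may open connections into VLAN 2, replies and related ICMP on those connections are let back, and nothing on VLAN 2 may initiate. Addresses, hostnames and port numbers are constructed for the example.

```python
from dataclasses import dataclass
# Constructed addressing for the example: one subnet per VLAN.
VLAN_OF_PREFIX = {"192.168.1.": 1, "192.168.2.": 2}

def vlan_of(ip):
    for prefix, vid in VLAN_OF_PREFIX.items():
        if ip.startswith(prefix):
            return vid
    raise ValueError(f"{ip} is not in a known VLAN")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    # Stand-in for the inner header an ICMP error carries (real conntrack parses it from the payload).
    related_to: tuple = None

class Router:
    """Stateful inter-VLAN forwarder implementing the policy from the post above."""
    def __init__(self):
        self.conntrack = set()   # 5-tuples of flows opened from outside VLAN 2

    def forward(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept (established)"       # either direction of a tracked flow
        if pkt.proto == "icmp" and pkt.related_to in self.conntrack:
            return "accept (related)"           # e.g. port unreachable for a tracked flow
        if vlan_of(pkt.src) == 2:
            return "drop (VLAN 2 initiated)"    # the IoT side may never open anything
        if vlan_of(pkt.dst) == 2:
            self.conntrack.add(fwd)             # the trusted side opens a flow into VLAN 2
            return "accept (new)"
        return "drop (no matching rule)"        # default deny for everything else

def run_trace():
    r = Router()
    letterman, hdhr, nas = "192.168.1.10", "192.168.2.20", "192.168.1.30"
    trace = [  # constructed traffic; port numbers are illustrative
        Packet(letterman, hdhr, "tcp", 40000, 65001),   # letterman opens a connection to the tuner
        Packet(hdhr, letterman, "tcp", 65001, 40000),   # tuner's reply on that connection
        Packet(hdhr, nas, "tcp", 50000, 445),           # hacked tuner tries to reach the NAS
        Packet(hdhr, letterman, "icmp", related_to=(letterman, hdhr, "tcp", 40000, 65001)),
        Packet(hdhr, letterman, "udp", 5004, 5004),     # tuner-initiated stream nobody asked for
    ]
    return [r.forward(p) for p in trace]
```

Running `run_trace()` shows the third and fifth packets dropped and the rest accepted, which is exactly the asymmetry the post asks the router to enforce.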
