<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Apr 5, 2020, 12:01 PM Stephen Worthington, <<a href="mailto:stephen_agent@jsw.gen.nz">stephen_agent@jsw.gen.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sun, 5 Apr 2020 10:06:01 -0400, you wrote:<br>
<br>
>With self-isolation and some time on our repeatedly washed hands, I'm sure<br>
>many of us are tackling projects or even just thinking of future projects<br>
>to distract ourselves.<br>
><br>
>I was thinking about isolating IoT devices like the HDHomeruns, Rokus and<br>
>Blu-ray player on a VLAN.<br>
><br>
>Knowing the term VLAN is about the extent of my knowledge on the subject. I<br>
>know I need a VLAN aware switch and a VLAN aware router.<br>
><br>
>Just curious how you configure this so I can read more on the topic. Let's<br>
>call the MythTV box letterman.<br>
><br>
>Other computers in the home are on VLAN 1. HDHomeruns are on VLAN 2.<br>
><br>
>letterman can see/access the HDHomeruns.<br>
><br>
>letterman can see/access the other computers/NAS and vice versa.<br>
><br>
>Also is it safe to have letterman be able to access VLAN1 or is it<br>
>"compromised" because it can communicate with IoT devices?<br>
><br>
>Thanks for any suggestions and I wish that you and yours are safe and<br>
>healthy during this time.<br>
<br>
First, it pays to understand just how VLANs work. A packet sent on a<br>
VLAN has a VLAN header attached to the front of the Ethernet packet<br>
which says which VLAN it belongs to. This extra VLAN header is known<br>
as a "tag" and VLAN traffic is said to be "tagged". Packets with no<br>
VLAN header are "untagged" and are the normal Ethernet packets that<br>
you currently are using on your network. There can be multiple tags<br>
on Ethernet packets, with the outermost one being the one that a<br>
switch or router will look at to see which VLAN it belongs to. This<br>
allows you to send VLANs transparently anywhere on your network, over<br>
another VLAN if necessary.<br>
<br>
If you want to properly control the access between VLANs, you need to<br>
set things up so that the only place where traffic gets routed between<br>
the VLANs is in your router. If letterman is on both VLAN 1 and VLAN<br>
2, then it is vulnerable to an IoT device that is on VLAN 2 and has<br>
been hacked (e.g. there are a lot of security cameras that are<br>
vulnerable like that). So ideally, letterman is connected to the<br>
router on VLAN 1 (or just ordinary untagged Ethernet subnet), and to<br>
talk to VLAN 2 it sends the traffic via the router. The router is set<br>
up so that nothing on VLAN 2 can connect to any other subnet or VLAN<br>
on your network. Other things on your network are able to initiate<br>
connections to the VLAN 2 devices, and then traffic on such an<br>
established connection is allowed back to the source of that<br>
connection, as is any related traffic (such as ICMP packets related to<br>
that connection). Any attempt by the VLAN 2 devices to initiate<br>
connections to other parts of your network would be blocked by the<br>
router.<br>
<br>
There is a big security hole in using VLANs. If you have VLAN 1 and<br>
VLAN 2 traffic on the same Ethernet cable, then an IoT device on VLAN<br>
2 that has been hacked can just set its Ethernet port in promiscuous<br>
mode and see all the packets going by on both VLANs. So it is<br>
important that your VLAN capable switch is set up so that any VLAN 2<br>
only device has its switch port set to only send VLAN 2 packets to<br>
that device.<br>
<br>
The way a VLAN capable switch is normally used is that all the VLAN 2<br>
devices are on ports that are set up to add a VLAN 2 tag to any packet<br>
that they receive from the device, and when the ports see a VLAN 2<br>
packet sent from another device, to the device attached to that port,<br>
the port will strip the tag from the packet before it sends it to the<br>
device. That way, the device does not know it is on a VLAN (and does<br>
not need to be VLAN capable). Only the switch and router need to<br>
handle the operation of the VLANs. When operated like this, the VLANs<br>
make the switch work as though it was several different switches, each<br>
physically separate from each other and each only carrying the traffic<br>
for one VLAN.<br>
<br>
It is also possible to have a port set up so that it will receive all<br>
VLAN 2 packets for the device connected to it, but will not strip the<br>
tags. That way, the device itself will need to be VLAN capable, but<br>
can be connected to more than one VLAN. This is most often used with<br>
PC Ethernet ports. If you want a PC to be able to talk to more than<br>
one part of your network, but it only has one Ethernet port, then you<br>
just set it up with two VLANs on that one Ethernet port. The traffic<br>
seen on the PC will arrive on two different IP addresses, one for each<br>
of the VLANs, and can be handled separately by the software on that<br>
PC. But see the security hole problem as above - it is better to have<br>
the router handle things so that the PC does not have to have its own<br>
full scale firewall on both VLANs. The PC then just connects on one<br>
VLAN and sends traffic via the router to devices on the other VLAN.<br>
The router's (potentially quite complex) routing and firewall rules<br>
define whether or not the PC can access the devices on the other<br>
VLANs. Having to have the same complexity of firewalling on the PCs<br>
as well as the router is a nightmare - it is best to have all those<br>
rules in just one place.<br>
<br>
It all sounds a bit complex, but if you just think of a VLAN as a way<br>
of having to not run another Ethernet cable to carry separate traffic,<br>
and not to have to have separate switches for each subnet, it becomes<br>
much easier. And it is all pretty standard stuff these days, at least<br>
on business networks. Home users rarely use VLANs, usually because<br>
they have rarely invested in a proper business class VLAN capable<br>
switch, which is the basic thing you need to start using VLANs. Some<br>
home type routers and switches say they do VLANs, but it is much<br>
better to invest in the proper business class devices that really have<br>
all the proper capabilities for handling VLANs. On my network, I have<br>
two Ubiquiti routers and a Ubiquiti switch to do that, and my WiFi<br>
router runs OpenWRT which also has full VLAN capability.<br>
<br>
I would not recommend putting the more vulnerable IoT type devices on<br>
the same VLAN as more trustworthy devices such as HDHomeruns. They<br>
should probably be put on different VLANs. HDHomeruns are not<br>
normally exposed to the wider Internet, so are unlikely to be hackable<br>
(unless someone hacks their home site and sends them hacked firmware<br>
updates). IoT devices often have crappy code in them that is badly<br>
broken and vulnerable, and they often call home, even when they do not<br>
have any real need to. So they can be very vulnerable, including<br>
having a hacker send "updated" firmware to them and take complete<br>
control of them. Typically, they are WiFi connected, rather than<br>
Ethernet, so I think the correct way to handle them is to have a<br>
separate WiFi SSID for the IoT devices, and a good WiFi router that<br>
does its very best to prevent any packets being directly exchanged<br>
between devices on that SSID, instead requiring that any traffic<br>
between the IoT devices go via the WiFi router, or even via the main<br>
router (if they are separate). The WiFi router would tag the IoT SSID<br>
packets with a VLAN tag and send them to the main router and it would<br>
decide what to do with them, including which of the IoT devices were<br>
actually allowed to talk to each other, and which can phone home and<br>
where they are allowed to talk to.<br>
_______________________________________________<br>
mythtv-users mailing list<br>
<a href="mailto:mythtv-users@mythtv.org" target="_blank" rel="noreferrer">mythtv-users@mythtv.org</a><br>
<a href="http://lists.mythtv.org/mailman/listinfo/mythtv-users" rel="noreferrer noreferrer" target="_blank">http://lists.mythtv.org/mailman/listinfo/mythtv-users</a><br>
<a href="http://wiki.mythtv.org/Mailing_List_etiquette" rel="noreferrer noreferrer" target="_blank">http://wiki.mythtv.org/Mailing_List_etiquette</a><br>
MythTV Forums: <a href="https://forum.mythtv.org" rel="noreferrer noreferrer" target="_blank">https://forum.mythtv.org</a></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Thanks so much for the detailed primer. I had just come back from looking for some YouTube videos on the topic and they talked about the established and related connections too. </div><div dir="auto"><br></div><div dir="auto">So properly configured, letterman on the private VLAN can establish a connection to get a network tuner's TV programming, but a compromised tuner can't access the private network. Zoneminder can access the cameras, but the camera can't access the private network. </div><div dir="auto"><br></div><div dir="auto">Or in non-computer terms, you can go to the store and buy something (*), but the store can't enter your home and put stuff in your cupboards. </div><div dir="auto"><br></div><div dir="auto">* This is obviously based on the "before times" when you would actually visit a store and be able to find full shelves. :-) </div><div dir="auto"><br></div><div dir="auto">Thanks again for the great primer. Best to you and yours. </div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
</blockquote></div></div></div>
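The router policy described in the quoted reply (VLAN 1 may open connections to VLAN 2; VLAN 2 only gets replies and related ICMP on flows that VLAN 1 opened, and can never initiate anything toward VLAN 1 or the router), written out as an nftables ruleset for a Linux router. This is an added example, not configuration from the thread; the 802.1Q sub-interface names eth0.1/eth0.2, the WAN name wan0 and the DHCP/DNS/ssh service ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed interfaces:
#   eth0.1 = VLAN 1 (trusted: PCs, NAS, letterman)
#   eth0.2 = VLAN 2 (HDHomeruns / IoT)
#   wan0   = Internet uplink

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections the router itself opened
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # VLAN 2 devices may only get DHCP and DNS from the router
        iif "eth0.2" udp dport { 67, 53 } accept
        iif "eth0.2" tcp dport 53 accept
        # Trusted VLAN may manage the router (ssh port assumed)
        iif "eth0.1" tcp dport 22 accept
        iif "eth0.1" icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic and related packets (e.g. ICMP errors for an
        # existing flow) are allowed back to whoever opened the flow
        ct state established,related accept
        ct state invalid drop

        # Trusted VLAN 1 may initiate connections to the tuner VLAN
        iif "eth0.1" oif "eth0.2" ct state new accept

        # Trusted VLAN 1 may reach the Internet
        iif "eth0.1" oif "wan0" ct state new accept

        # A device that must phone home gets an explicit, narrow rule
        # here instead of a blanket VLAN 2 -> WAN allow, e.g.:
        # iif "eth0.2" oif "wan0" ip daddr <vendor-ip> tcp dport 443 ct state new accept

        # Anything VLAN 2 tries to initiate (to VLAN 1, the WAN or
        # elsewhere) is logged and dropped, so a compromised device
        # that starts probing shows up in the router log
        iif "eth0.2" ct state new log prefix "vlan2-blocked: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `vlan2-blocked:` prefix; any hit there is a VLAN 2 device trying to open a connection on its own.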