[mythtv-users] VLANs, HDHomeruns and bears, oh my

Ian Evans dheianevans at gmail.com
Sun Apr 5 16:27:20 UTC 2020


On Sun, Apr 5, 2020, 12:01 PM Stephen Worthington, <stephen_agent at jsw.gen.nz>
wrote:

> On Sun, 5 Apr 2020 10:06:01 -0400, you wrote:
>
> >With self-isolation and some time on our repeatedly washed hands, I'm sure
> >many of us are tackling projects or even just thinking of future projects
> >to distract ourselves.
> >
> >I was thinking about isolating IoT devices like the HDHomeruns, Rokus and
> >Blu-ray player on a VLAN.
> >
> >Knowing the term VLAN is about the extent of my knowledge on the subject. I
> >know I need a VLAN aware switch and a VLAN aware router.
> >
> >Just curious how you configure this so I can read more on the topic. Let's
> >call the MythTV box letterman.
> >
> >Other computers in the home are on VLAN 1. HDHomeruns are on VLAN 2.
> >
> >letterman can see/access the HDHomeruns.
> >
> >letterman can see/access the other computers/NAS and vice versa.
> >
> >Also is it safe to have letterman be able to access VLAN1 or is it
> >"compromised" because it can communicate with IoT devices?
> >
> >Thanks for any suggestions and I wish that you and yours are safe and
> >healthy during this time.
>
> First, it pays to understand just how VLANs work.  A packet sent on a
> VLAN has a VLAN header attached to the front of the Ethernet packet
> which says which VLAN it belongs to.  This extra VLAN header is known
> as a "tag" and VLAN traffic is said to be "tagged".  Packets with no
> VLAN header are "untagged" and are the normal Ethernet packets that
> you currently are using on your network.  There can be multiple tags
> on Ethernet packets, with the outermost one being the one that a
> switch or router will look at to see which VLAN it belongs to.  This
> allows you to send VLANs transparently anywhere on your network, over
> another VLAN if necessary.
>
> If you want to properly control the access between VLANs, you need to
> set things up so that the only place where traffic gets routed between
> the VLANs is in your router.  If letterman is on both VLAN 1 and VLAN
> 2, then it is vulnerable to an IoT device that is on VLAN 2 and has
> been hacked (eg there are a lot of security cameras that are
> vulnerable like that).  So ideally, letterman is connected to the
> router on VLAN 1 (or just ordinary untagged Ethernet subnet), and to
> talk to VLAN 2 it sends the traffic via the router.  The router is set
> up so that nothing on VLAN 2 can connect to any other subnet or VLAN
> on your network.  Other things on your network are able to initiate
> connections to the VLAN 2 devices, and then traffic on such an
> established connection is allowed back to the source of that
> connection, as is any related traffic (such as ICMP packets related to
> that connection).  Any attempt by the VLAN 2 devices to initiate
> connections to other parts of your network would be blocked by the
> router.
>
> There is a big security hole in using VLANs.  If you have VLAN 1 and
> VLAN 2 traffic on the same Ethernet cable, then an IoT device on VLAN
> 2 that has been hacked can just set its Ethernet port in promiscuous
> mode and see all the packets going by on both VLANs.  So it is
> important that your VLAN capable switch is set up so that any VLAN 2
> only device has its switch port set to only send VLAN 2 packets to
> that device.
>
> The way a VLAN capable switch is normally used is that all the VLAN 2
> devices are on ports that are set up to add a VLAN 2 tag to any packet
> that they receive from the device, and when the ports see a VLAN 2
> packet sent from another device, to the device attached to that port,
> the port will strip the tag from the packet before it sends it to the
> device.  That way, the device does not know it is on a VLAN (and does
> not need to be VLAN capable).  Only the switch and router need to
> handle the operation of the VLANs.  When operated like this, the VLANs
> make the switch work as though it was several different switches, each
> physically separate from each other and each only carrying the traffic
> for one VLAN.
>
> It is also possible to have a port set up so that it will receive all
> VLAN 2 packets for the device connected to it, but will not strip the
> tags.  That way, the device itself will need to be VLAN capable, but
> can be connected to more than one VLAN.  This is most often used with
> PC Ethernet ports.  If you want a PC to be able to talk to more than
> one part of your network, but it only has one Ethernet port, then you
> just set it up with two VLANs on that one Ethernet port.  The traffic
> seen on the PC will arrive on two different IP addresses, one for each
> of the VLANs, and can be handled separately by the software on that
> PC.  But see the security hole problem as above - it is better to have
> the router handle things so that the PC does not have to have its own
> full scale firewall on both VLANs.  The PC then just connects on one
> VLAN and sends traffic via the router to devices on the other VLAN.
> The router's (potentially quite complex) routing and firewall rules
> define whether or not the PC can access the devices on the other
> VLANs.  Having to have the same complexity of firewalling on the PCs
> as well as the router is a nightmare - it is best to have all those
> rules in just one place.
>
> It all sounds a bit complex, but if you just think of a VLAN as a way
> of not having to run another Ethernet cable to carry separate traffic,
> and not having to have separate switches for each subnet, it becomes
> much easier.  And it is all pretty standard stuff these days, at least
> on business networks.  Home users rarely use VLANs, usually because
> they have rarely invested in a proper business class VLAN capable
> switch, which is the basic thing you need to start using VLANs.  Some
> home type routers and switches say they do VLANs, but it is much
> better to invest in the proper business class devices that really have
> all the proper capabilities for handling VLANs.  On my network, I have
> two Ubiquiti routers and a Ubiquiti switch to do that, and my WiFi
> router runs OpenWRT, which also has full VLAN capability.
>
> I would not recommend putting the more vulnerable IoT type devices on
> the same VLAN as more trustworthy devices such as HDHomeruns.  They
> should probably be put on different VLANs.  HDHomeruns are not
> normally exposed to the wider Internet, so are unlikely to be hackable
> (unless someone hacks their home site and sends them hacked firmware
> updates).  IoT devices often have crappy code in them that is badly
> broken and vulnerable, and they often call home, even when they do not
> have any real need to.  So they can be very vulnerable, including
> having a hacker send "updated" firmware to them and take complete
> control of them.  Typically, they are WiFi connected, rather than
> Ethernet, so I think the correct way to handle them is to have a
> separate WiFi SSID for the IoT devices, and a good WiFi router that
> does its very best to prevent any packets being directly exchanged
> between devices on that SSID, instead requiring that any traffic
> between the IoT devices go via the WiFi router, or even via the main
> router (if they are separate).  The WiFi router would tag the IoT SSID
> packets with a VLAN tag and send them to the main router and it would
> decide what to do with them, including which of the IoT devices were
> actually allowed to talk to each other, and which can phone home and
> where they are allowed to talk to.


Thanks so much for the detailed primer. I had just come back from looking
for some YouTube videos on the topic and they talked about the established
and related connections too.

So properly configured, letterman on the private VLAN can establish a
connection to get a network tuner's TV programming, but a compromised tuner
can't access the private network. Zoneminder can access the cameras, but
the camera can't access the private network.

Or in non-computer terms, you can go to the store and buy something(*) but
the store can't enter your home and put stuff in your cupboards.

* this is obviously based on the "before times" when you would actually
visit a store and be able to find full shelves. :-)

Thanks again for the great primer. Best to you and yours.
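
The tagging behaviour Stephen describes above (access ports adding and stripping the tag, a trunk passing tags through, and the outermost tag being the one a switch forwards on) can be made concrete with a small parser for IEEE 802.1Q frames. This is an added example for the thread, not code from the original posts or from MythTV. The sample frame and its locally administered MAC addresses are constructed; the tag layout (TPID 0x8100, or 0x88A8 for a stacked outer tag, followed by a 16-bit TCI whose low 12 bits are the VID, inserted between the source MAC and the EtherType) is from the standard. The choice to have an access port drop frames that arrive already tagged is this model's simplification.

```python
"""Added example: IEEE 802.1Q tagging as seen by a VLAN-aware switch.

Frame layout (from the standard):
  dst MAC (6) | src MAC (6) | [tag (4) ...] | EtherType (2) | payload
Each tag is a TPID (0x8100, or 0x88A8 for an outer service tag) followed by
a 16-bit TCI: PCP (3 bits) | DEI (1 bit) | VID (12 bits).
"""
import struct

TPID_8021Q = 0x8100    # customer tag, the normal single VLAN tag
TPID_8021AD = 0x88A8   # service tag used as the outer tag when tags are stacked (Q-in-Q)
TPIDS = (TPID_8021Q, TPID_8021AD)
ETH_P_IP = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, its tags (outermost first), the real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    tags = []
    off = 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in TPIDS:
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


def outer_vid(frame: bytes):
    """The VLAN a switch forwards on: the outermost tag's VID, or None for an untagged frame."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a tag after the source MAC, in front of the EtherType or an existing tag."""
    if not 1 <= vid <= 4094:            # VIDs 0 and 4095 are reserved
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; error if the frame is untagged."""
    if outer_vid(frame) is None:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, port_vid: int):
    """Access port, device -> switch: an untagged frame gets the port's VID.
    In this model a frame arriving already tagged is dropped (None): the device
    does not get to choose its own VLAN."""
    if outer_vid(frame) is not None:
        return None
    return push_tag(frame, port_vid)


def access_port_egress(frame: bytes, port_vid: int):
    """Access port, switch -> device: only frames on the port's VLAN are delivered, tag stripped.
    A device listening in promiscuous mode on such a port sees nothing from other VLANs."""
    if outer_vid(frame) != port_vid:
        return None
    return pop_tag(frame)


def trunk_port_egress(frame: bytes, allowed_vids: set):
    """Trunk port (to the router, or a VLAN-aware PC): tags stay on, only allowed VLANs pass."""
    return frame if outer_vid(frame) in allowed_vids else None


def sample_ipv4_frame() -> bytes:
    """Constructed untagged frame: locally administered MACs and a dummy 4-byte payload."""
    dst = bytes.fromhex("02000000000a")
    src = bytes.fromhex("020000000014")
    return dst + src + struct.pack("!H", ETH_P_IP) + b"\x45\x00\x00\x14"


if __name__ == "__main__":
    f = sample_ipv4_frame()
    tagged = access_port_ingress(f, 2)                  # HDHomeRun port: becomes a VLAN 2 frame
    print("outer VID:", outer_vid(tagged))              # 2
    print("to a VLAN 1 port:", access_port_egress(tagged, 1))        # None, never delivered
    print("to a VLAN 2 port:", access_port_egress(tagged, 2) == f)   # True, tag stripped
    stacked = push_tag(tagged, 100, tpid=TPID_8021AD)
    print("stacked VIDs:", [t["vid"] for t in parse_frame(stacked)["tags"]])  # [100, 2]
```

The parser loops over tags rather than reading one, which is what makes the "outermost tag wins" rule visible: a frame carried over another VLAN (Q-in-Q) parses as [100, 2] and a switch on the outer VLAN only ever looks at 100. The egress check in access_port_egress is the rule that closes the promiscuous-mode hole Stephen mentions; a port that forwards other VLANs' tagged frames to an untrusted device is exactly the misconfiguration to look for.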

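The router policy in Stephen's reply (VLAN 1 may start connections into VLAN 2, VLAN 2 may only answer on established or related traffic, and the router decides where IoT devices may phone home) is easy to state in words and easy to get wrong in a ruleset, so here it is as a small conntrack-style forwarding model. This is an added example, not code from the thread or from any router; the subnets, hosts, ports and the TEST-NET phone-home address are all assumptions. Comments give the nftables rule each branch corresponds to, so the model can be compared against a real forward chain.

```python
"""Added example: a conntrack-style model of the inter-VLAN forwarding policy from the thread."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed addressing, not from the original post.
ZONES = {
    "vlan1": ipaddress.ip_network("192.168.1.0/24"),   # letterman, NAS, other PCs (trusted)
    "vlan2": ipaddress.ip_network("192.168.2.0/24"),   # HDHomeRuns, cameras (untrusted)
}
# Zone pairs allowed to open NEW connections.
# nft equivalent: iifname "vlan1" oifname "vlan2" ct state new accept
ALLOW_NEW = {("vlan1", "vlan2"), ("vlan1", "wan")}
# IoT devices may phone home only to this allow list (assumed TEST-NET address).
# nft equivalent: iifname "vlan2" oifname "wan" ip daddr 203.0.113.10 tcp dport 443 accept
IOT_EGRESS_ALLOWLIST = {("203.0.113.10", "tcp", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    # For ICMP errors: the offending packet quoted in the ICMP payload. Conntrack uses
    # that quoted header to mark the error as RELATED to an existing flow.
    related_to: Optional["Packet"] = None


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def _tuple(p: Packet):
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def _reverse(p: Packet):
    return (p.dst, p.src, p.proto, p.dport, p.sport)


class StatefulRouter:
    """Forward-chain decision backed by a minimal connection table (what nftables' ct provides)."""

    def __init__(self):
        self.conntrack = set()   # 5-tuples of accepted flows, stored initiator -> responder

    def forward(self, p: Packet) -> str:
        # ct state established accept: either direction of a flow already accepted.
        if _tuple(p) in self.conntrack or _reverse(p) in self.conntrack:
            return "ESTABLISHED"
        # ct state related accept: an ICMP error about a flow already accepted.
        if p.proto == "icmp" and p.related_to is not None and (
                _tuple(p.related_to) in self.conntrack or _reverse(p.related_to) in self.conntrack):
            return "RELATED"
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if (src_zone, dst_zone) in ALLOW_NEW:
            self.conntrack.add(_tuple(p))
            return "NEW"
        if (src_zone, dst_zone) == ("vlan2", "wan") and (p.dst, p.proto, p.dport) in IOT_EGRESS_ALLOWLIST:
            self.conntrack.add(_tuple(p))
            return "NEW"
        # Chain policy drop: anything VLAN 2 tries to initiate towards the rest of the network ends here.
        return "DROP"


def run_scenario() -> list:
    """Constructed traffic: letterman 192.168.1.10, NAS 192.168.1.5, tuner 192.168.2.20, camera 192.168.2.30.
    The tuner port is illustrative."""
    r = StatefulRouter()
    to_tuner = Packet("192.168.1.10", "192.168.2.20", "tcp", 50000, 65001)
    steps = [
        to_tuner,                                                            # letterman opens a connection to the tuner
        Packet("192.168.2.20", "192.168.1.10", "tcp", 65001, 50000),         # tuner answers on that flow
        Packet("192.168.2.20", "192.168.1.5", "tcp", 40000, 445),            # a compromised tuner probes the NAS share
        Packet("192.168.2.20", "192.168.1.10", "icmp", related_to=to_tuner),  # ICMP error about the accepted flow
        Packet("192.168.2.30", "203.0.113.10", "tcp", 41000, 443),           # camera phones home, allow-listed
        Packet("192.168.2.30", "198.51.100.7", "tcp", 41001, 443),           # camera phones somewhere else
    ]
    return [r.forward(p) for p in steps]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)   # NEW, ESTABLISHED, DROP, RELATED, NEW, DROP
```

Two things the model makes visible that the prose does not. First, "established" is not "trusted": once letterman opens a flow to the tuner, the tuner may send whatever it likes back inside that flow, so the client software on letterman still has to treat the tuner's data as untrusted input. Second, the allow list for phoning home keys on destination and port, which is the only lever the router has over devices that insist on calling out; the model has no TCP state machine or timeouts, which real conntrack adds on top.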