Kitz ADSL Broadband Information
Author Topic: Safely networking TV on guest WLAN  (Read 4199 times)

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12519
Re: Safely networking TV on guest WLAN
« Reply #30 on: November 22, 2021, 02:45:54 PM »

Quote
They use NAT. Giving devices you don't trust a public, globally routeable IPv4 address isn't the place to start.

Quite agree, which is why I don't worry in the slightest about connecting these devices to my standard wireless network.
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Safely networking TV on guest WLAN
« Reply #31 on: November 22, 2021, 04:39:44 PM »

Quote
They use NAT. Giving devices you don't trust a public, globally routeable IPv4 address isn't the place to start.

Agreed.

Weaver can still audit by looking at the LAN addresses. Potentially, an option is a separate virtual WiFi access point provided to each guest that has its own DHCP allocation range via its own VLAN, and as such each bit of traffic can be pinpointed to each guest room.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5261
    • Thinkbroadband Quality Monitors
Re: Safely networking TV on guest WLAN
« Reply #32 on: November 22, 2021, 07:32:01 PM »

Quote
Agreed. Weaver can still audit by looking at the LAN addresses. Potentially, an option is a separate virtual WiFi access point provided to each guest that has its own DHCP allocation range via its own VLAN, and as such each bit of traffic can be pinpointed to each guest room.

Auditing may even be easier due to NAT session tracking?
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Safely networking TV on guest WLAN
« Reply #33 on: November 23, 2021, 03:08:24 AM »

I’m not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

Looking at the Firebrick’s session records, I can track the IPs, be they IPv4 or IPv6. I can see the associated MAC addresses via the ARP/NDP records too. And I can capture traffic using AA’s Firebricks (as opposed to my own), which is a handy little feature.

I was asking about the internal configuration of WAPs.

When I said guest, that was an extremely poor choice of words as it’s highly misleading. I didn’t necessarily mean a human, but rather a host in the guests SSID. My apologies for the confusion.

Therefore I’ve confused Alex completely.

To reply to what Alex said, I’ve no intention of delivering wifi to Janet’s commercial guests, only to personal friends staying with us and to IoT things that I’m not allowing to access the rest of my LAN.

As I think I mentioned, each guest-SSID host is L2-isolated from the rest of the LAN, from all wired and wireless devices, and such hosts are mutually isolated at L2 as well. An exception is made for access to the gateway, so they can access the internet and nothing else. It’s all done by the WAPs; the Firebrick used to handle some of it, but now it’s easier to do it a different way, which is letting the WAPs alone do what they do best. There are two WAPs currently, and a third on standby as a spare.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5261
    • Thinkbroadband Quality Monitors
Re: Safely networking TV on guest WLAN
« Reply #34 on: November 23, 2021, 06:13:55 PM »

Quote
I’m not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

I have plenty of devices which claim IPv6 support now, but I don't think any one of them can work without IPv4.

Microsoft claimed almost a decade ago Xbox Live was moving to an exclusively IPv6 stack, but the Xbox Series X won't go online at all if I put it on the IPv6-only VLAN.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Safely networking TV on guest WLAN
« Reply #35 on: November 24, 2021, 06:56:12 AM »

When I saw the lecture given by Microsoft’s sysadmin for their internal corporate network, she said that they had found no end of similar problems like this, where kit and software did not in practice work without IPv4 even though it does make substantial use of IPv6. This is due to lack of testing by their devs in an IPv6-only environment. They tested IPv6, but only in an environment that also has IPv4 available, so would miss any naughty IPv4 backsliding in such a setup.

BTW/FYI: AA supports customers who want to go all-IPv6 exclusively and they do this by having DNS64 tricky servers and NAT64 protocol converters. The DNS64 servers lie about IPv6 DNS lookups and return the address of the NAT64 protocol converter whenever a host asks for an IPv4 address.

The point is, with enough trickery you can get stupid software to work even though it doesn’t want to.
Logged
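
As an added illustration of the DNS64/NAT64 mechanism mentioned in the post above (not code from the thread or from AA): per RFC 6147 a DNS64 resolver passes real AAAA records through and, for IPv4-only names, synthesizes an AAAA by embedding the IPv4 address in a NAT64 prefix (RFC 6052), which is also how a NAT64 destination seen in session records maps back to the real IPv4 host. The well-known prefix 64:ff9b::/96 and all function names are assumptions; the prefix AA uses is not given in the thread.

```python
import ipaddress

# Assumption: the RFC 6052 well-known prefix; an ISP may use its own /96.
WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def forbidden(v4, prefix):
    """RFC 6052: the well-known prefix must not carry private IPv4 space."""
    return prefix == WELL_KNOWN and any(v4 in net for net in RFC1918)


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    if forbidden(v4, prefix):
        raise ValueError(f"{v4} is private; not valid under {prefix}")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN):
    """AAAA answer from a DNS64 resolver: real records win, else synthesize."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    usable = [a for a in a_records
              if not forbidden(ipaddress.IPv4Address(a), prefix)]
    return [synthesize_aaaa(a, prefix) for a in usable]


def nat64_destination(ipv6, prefix=WELL_KNOWN):
    """Map a logged IPv6 destination back to IPv4; None if native IPv6."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    print(dns64_answer(["192.0.2.33"], []))
    print(dns64_answer(["192.0.2.33"], ["2001:db8::1"]))
    for dst in ("64:ff9b::c000:221", "2001:db8::1"):
        print(dst, "->", nat64_destination(dst))
```

When auditing an IPv6-only segment, `nat64_destination` is the step that turns a 64:ff9b:: address in a session record back into the IPv4 host the device actually contacted.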

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Safely networking TV on guest WLAN
« Reply #36 on: November 25, 2021, 06:41:30 PM »

Interesting timing of article. 

Quote
Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.

https://www.bbc.co.uk/news/technology-59400762

So yeah, seems prudent to stick it on an isolated guest LAN and guest AP.
Logged