Kitz ADSL Broadband Information

Author Topic: Safely networking TV on guest WLAN  (Read 882 times)

tubaman

  • Addicted Kitizen
  • *****
  • Posts: 8389
Re: Safely networking TV on guest WLAN
« Reply #30 on: November 22, 2021, 02:45:54 PM »

They use NAT.

Giving devices you don't trust a public, globally routable IPv4 address isn't the place to start.

Quite agree, which is why I don't worry in the slightest about connecting these devices to my standard wireless network.
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6665
Re: Safely networking TV on guest WLAN
« Reply #31 on: November 22, 2021, 04:39:44 PM »

They use NAT.

Giving devices you don't trust a public, globally routable IPv4 address isn't the place to start.

Agreed,

Weaver can still audit by looking at the LAN addresses; potentially an option is a separate virtual Wi-Fi access point provided to each guest that has its own DHCP allocation range via its own VLAN, and as such each bit of traffic can be pinpointed to each guest room.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 3134
    • Thinkbroadband Quality Monitors
Re: Safely networking TV on guest WLAN
« Reply #32 on: November 22, 2021, 07:32:01 PM »

Agreed,

Weaver can still audit by looking at the LAN addresses; potentially an option is a separate virtual Wi-Fi access point provided to each guest that has its own DHCP allocation range via its own VLAN, and as such each bit of traffic can be pinpointed to each guest room.

Auditing may even be easier due to NAT session tracking?
Logged
INTAKE (ECI) Home Hub 5A (OpenWRT) on Zen, Hauwei B353-232 on Libera 4G, Hauwei CPE Pro 2 H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: Zyxel NWA210AX + Ubiquiti nanoHD (OpenWRT)
My Broadband History & Ping Quality Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10272
  • Retd s/w dev; A&A; 3x7km lines; Firebrick; IPv6
Re: Safely networking TV on guest WLAN
« Reply #33 on: November 23, 2021, 03:08:24 AM »

I'm not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

Looking at the Firebrick's session records, I can track the IPs be they IPv4 and IPv6. I can see the associated MAC addresses via the ARP/NDP records too. And I can capture traffic using AA's Firebricks (as opposed to my own), which is a handy little feature.

I was asking about the internal configuration of WAPs.

When I said guest, that was an extremely poor choice of words as it's highly misleading. I didn't necessarily mean a human, but rather a host in the guests SSID. My apologies for the confusion.

Therefore I've confused Alex completely.

To reply to what Alex said, I've no intention of delivering wifi to Janet's commercial guests, only to personal friends staying with us and to IoT things that I'm not allowing to access the rest of my LAN.

As I think I mentioned, each guest-SSID host is L2-isolated from the rest of the LAN, from all wired and wireless devices and such hosts are mutually isolated at L2 as well. An exception is made for access to the gateway, so they can access the internet and nothing else. It's all done by the WAPs, the Firebrick used to handle some of it but now it's easier to do it a different way which is letting the WAPs alone do what they do best. There are two WAPs currently, and a third on standby as a spare.
Logged

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 3134
    • Thinkbroadband Quality Monitors
Re: Safely networking TV on guest WLAN
« Reply #34 on: November 23, 2021, 06:13:55 PM »

I'm not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

I have plenty of devices which claim IPv6 support now, but I don't think any one of them can work without IPv4.

Microsoft claimed almost a decade ago Xbox Live was moving to an exclusively IPv6 stack, but the Xbox Series X won't go online at all if I put it on the IPv6-only VLAN.
Logged
INTAKE (ECI) Home Hub 5A (OpenWRT) on Zen, Hauwei B353-232 on Libera 4G, Hauwei CPE Pro 2 H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: Zyxel NWA210AX + Ubiquiti nanoHD (OpenWRT)
My Broadband History & Ping Quality Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10272
  • Retd s/w dev; A&A; 3x7km lines; Firebrick; IPv6
Re: Safely networking TV on guest WLAN
« Reply #35 on: November 24, 2021, 06:56:12 AM »

When I saw the lecture given by Microsoft's sysadmin for their internal corporate network, she said that they had found no end of similar problems like this, where kit and software did not in practice work without IPv4 even though it does make substantial use of IPv6. This is due to lack of testing by their devs in an IPv6-only environment. They tested IPv6, but only in an environment that also has IPv4 available, so would miss any naughty IPv4 backsliding in such a setup.

BTW/FYI: AA supports customers who want to go all-IPv6 exclusively and they do this by having DNS64 tricky servers and NAT64 protocol converters. The DNS64 servers lie about IPv6 DNS lookups and return the address of the NAT64 protocol converter whenever a host asks for an IPv4 address.

The point is, with enough trickery you can get stupid software to work even though it doesn't want to.
Logged
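
Added example, not part of the post above and not AAISP's or Firebrick's configuration: how a DNS64 server forms the IPv6 address it hands back (RFC 6052 address embedding, all six permitted prefix lengths), and the reverse mapping that lets session records on an IPv6-only VLAN be audited by the real IPv4 destination. The prefix `64:ff9b::/96`, the function names and the sample log are assumptions made for illustration.

```python
import ipaddress

# Assumption: the RFC 6052 well-known prefix; an ISP may use its own instead.
WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")
VALID_LENGTHS = {32, 40, 48, 56, 64, 96}

def _v4_offsets(prefix_len):
    """Byte offsets of the four IPv4 octets; octet 8 (the 'u' octet) is skipped."""
    if prefix_len not in VALID_LENGTHS:
        raise ValueError(f"RFC 6052 does not allow a /{prefix_len} prefix")
    return [i for i in range(prefix_len // 8, 16) if i != 8][:4]

def synthesize(ipv4, prefix=WELL_KNOWN):
    """Address a DNS64 server puts in the AAAA answer for an IPv4-only name."""
    raw = bytearray(prefix.network_address.packed)
    for offset, octet in zip(_v4_offsets(prefix.prefixlen),
                             ipaddress.IPv4Address(ipv4).packed):
        raw[offset] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(ipv6, prefix=WELL_KNOWN):
    """Recover the real IPv4 destination, or None if not under the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(
        bytes(addr.packed[i] for i in _v4_offsets(prefix.prefixlen)))

def audit(destinations, prefix=WELL_KNOWN):
    """Map each logged IPv6 destination to the IPv4 host behind the NAT64."""
    return {d: extract(d, prefix) for d in destinations}

# Constructed sample of session-log destinations (documentation addresses).
SAMPLE_LOG = ["64:ff9b::c000:221", "2001:db8::53", "64:ff9b::c633:6407"]

if __name__ == "__main__":
    for dest, v4 in audit(SAMPLE_LOG).items():
        print(f"{dest:22} -> {v4 or 'native IPv6'}")
```
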

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6665
Re: Safely networking TV on guest WLAN
« Reply #36 on: November 25, 2021, 06:41:30 PM »

Interesting timing of article. 

Quote
Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.

https://www.bbc.co.uk/news/technology-59400762

So yeah seems prudent to stick it on an isolated guest LAN and guest AP.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE