this post was submitted on 31 Jul 2023
20 points (83.3% liked)

Selfhosted

40154 readers
597 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi Guys,

Need your help. I have a router to which all th devices are connected. Mostly wireless but the TV is connected via LAN cable. I have installed few apps on the TV from not trusted sources and I dont want the TV on the same network. How do I isolate the TV from the network so that it can still access the internet but cannot see anything on the network. Hope it makes sense.

all 24 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 1 year ago

Check if the router has the possibility to isolate the lan port. That way the port on the router can not talk to other devices in different ports or wlan.

Second possibility is to check if the router supports VLAN. If so you can put the TV or a port on a separate VLAN.

If all that is not possible, consider removing the cable and connect the tv wireless. That way you can put the tv on the guest WiFi network. That should come with isolation by default.

If you don’t want that either, you can resort to extra hardware. Any device with two lan ports could do. Make one port a dhcp based wan port connected to the current network and the other port goes to the tv. Run a dhcp server and nat and you have the tv isolated.

[–] [email protected] 7 points 1 year ago (1 children)

If you want to keep it wired then you'll need to put it on a separate VLAN from your other devices. A VLAN effectively allows you to create separate ethernet networks over the same physical network. We use them at work to keep factory hardware separate from office hardware and I use them at home to keep a vpn open for streaming geolocked content from another country. Traffic between the two VLANs has to be routed just like it would if they were separate physical networks.

I have an Edgerouter POE which has a small built in switch and supports VLANs so I can easily dedicate a port on the switch to a particular VLAN. In my case I route that traffic through wireguard, but in your case all you really need is setting up NAT for internet access and not route it with your other VLAN.

Any commercial grade routers support VLANs, i've seen it on unifi, aruba and fortigate and have never heard of it not being supported.

As others have pointed out, if you have a switch between your TV and Router then that'll need to be a managed switch that can trunk the vlan code back to the router, otherwise all the traffic will be comingled.

Other thoughts:

You might be able to arrange your IPs to sort of fake it. If your router is 192.168.1.1 and you make the TV be 192.168.1.2. Then you could give your TV a static IP configuration and tell it that it's subnet mask is 255.255.255.252. Then it'd only consider the IPs 192.168.1.1-192.168.1.2 as being in it's local network and if it tries to access something else on the LAN then it'll send it to the router for forwarding.

I'm not sure what your router would do in that situation, but it seems unlikely it'd manage to forward that packet. You'd have to avoid putting any device on 192.168.1.3 (as that'd be the routers broadcast address) but I think you could probably make that work. It's not really secure (as anyone that compromises the TV could change the subnet) and it'd still be possible for devices on your network to send UDP packets (but not get replies from) the TV. It's also not really extendable and you probably can't get a second TV to work like that (and definitely not three), but it wouldn't require switching to commercial routers.

[–] [email protected] 0 points 1 year ago (1 children)

Thank you so much. I think i'll have to buy a switch. I have a shitty iinet tgvac789 V2 router which I think is useless.

[–] [email protected] 3 points 1 year ago (1 children)

The switch on its own will do nothing for you. It's only useful with a router that supports VLANs

Unfortunately in your situation you'll need to replace your current router-modem combo with a dedicated modem, a commercial router (if you don't want to build your own linux one then EdgeRouters seems pretty good value for money) and a managed switch.

[–] [email protected] 1 points 1 year ago (2 children)

I logged in and found this

[–] [email protected] 1 points 1 year ago (1 children)

Can you enable multiple vlans?

[–] [email protected] 1 points 1 year ago

I only see one VLAN option but then I also found this

[–] [email protected] 1 points 1 year ago (2 children)

I believe that's the VLAN for the WAN, basically you only need to enable that if your ISP is using VLANs, but you want to enable VLANs on your LAN. I have the Telstra version of that modem (I recognise the Technicolor UI) and it doesn't allow you to use VLANs like you want to.

You could probably set up some routing stuff on a raspberry pi though, and use a switch.

Or if needed put your modem into bridge mode, and acquire a router that supports VLANs, I don't know of any cheap consumer ones, but I'm in the process of switching to OPNsense with an old computer. Unrelated, but in my experience technicolor has severe bufferbloat anyway.

[–] [email protected] 1 points 1 year ago

I just read some more of your comments and thought I might properly explain VLANs:

VLANs let you create a whole virtual network within your physical network, there can be upto 4096 of them that can be tagged and 1 untagged per port, the VLAN ID defines which one to use.

A tagged VLAN is often used between routers and switches, so the connected device can pick which VLAN to use, but an untagged VLAN dedicates that port to that VLAN making it appear to the connected device as if it's the physical network.

Since it's a whole new network you need some sort of router to route between them.

As a rough example you could have something like: Router --2T--> Switch --2U--> TV, where the T is for tagged and U for untagged. Or replace Router with Pi if you use that, the Pi will access the internet with the (technically untagged) physical network, and route between tagged VLAN 2, meaning you can do everything on the Pi with 1 ethernet port.

Disclaimer: Most of this was learnt from experience so it might not be completely correct.

[–] [email protected] 1 points 1 year ago

Yeah that makes sense. I can't see why there would be a vlan enabled on your local network right now as it would make lots of things not work

[–] [email protected] 6 points 1 year ago (1 children)

I've got myself a second router and created a second wifi and lan with it. All my smart home devices are in there and also the tv.

[–] [email protected] 2 points 1 year ago

that's exactly what i did for my tv and PCs that use it as a display (for media playback), with dietpi in a vm running pihole, too.

[–] [email protected] 4 points 1 year ago (1 children)

You are probably a lot more technical than I am, but I would solve it by putting the TV on my guest network that comes out of the box of my mesh network…

[–] [email protected] 1 points 1 year ago (1 children)

Lol I am dumb as a potato. I only have a router-moden iinet tg789vac v2.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Is this your modem? https://help.iinet.net.au/how-setup-tg-789-broadband-gateway-nbn-fttbn

Can you access http://10.1.1.1 and log in as described? If so can you take a screenshot over that web site after you log in so we can see what settings are available to tweak? There might be a chance your modem-router will do just fine.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

Yeap thats the one. I think this is the part that I need to configure but dont know how. The page is called "setup gateway" . VLAN was off which I just turned ON. How do we setup VLAN?

[–] [email protected] 1 points 1 year ago

I found the manual Can you get on that web site using a laptop? Can you log in, click on Internet, and take a screenshot (from a laptop)? Make sure to remove your public ip address form the screenshot. In your case it means remove ip addresses that does not start with 192.168.xxx.xxx

[–] [email protected] 1 points 1 year ago (1 children)

You should be able to assign that vlan to a port (ex. eth0, eth1)

[–] [email protected] 1 points 1 year ago

So should I type "eth0" in VLAN ID ? Eth0 is where the internet cable is connected ?

[–] [email protected] 1 points 1 year ago

How it's implemented can vary, but you're gonna take one of three approaches

  • Microsegmentstion - On a home network this is the hardest but ensures there's no overlap
  • Separate VLAN - this is usually good if your router can support it and have multiple gateways for each VLAN. Your router can then restrict traffic. Unifi gear does this well and I use this set up to segment my guest and IoT traffic
  • Separate subnets - if your router doesn't support multiple VLANs this can work, but you still need a router that supports it

The latter two can actually work with an unmanaged switch as long as you tag your vlans correctly. The key is having a router than can handle it.

[–] [email protected] 1 points 1 year ago