My preference would be to require (allow) the various clients (Windows, Android, VLC, etc.) to send a username/password for access to a specific hdhr3-cc.
The existing tuner locking scheme COULD work, if it stayed locked indefinitely.
I've tried restricting access via Netgear FS526T at layer 2 mac level and while this does work, the cheaper managed switch kills the throughput so it's essentially unusable. I haven't tried jumbo frames or restriction at layer 3 but before I go down that road...
Any solutions (preferably known to work) that restrict access by tuner so only certain devices can access a particular hdhr3-cc would be greatly appreciated.
controlling lan access to multiple hdhr3-cc tuners
Re: controlling lan access to multiple hdhr3-cc tuners
I suppose it depends upon the router and/or firewall you are using. Using pf, you could do something like:
Code:
prime1 = "192.168.0.33"
prime2 = "192.168.0.34"
primes = "{" $prime1 $prime2 "}"
table <allowed-prime1> { 192.168.0.65 192.168.0.66 }
table <allowed-prime2> { 192.168.0.67 192.168.0.68 }
...
block from any to $primes
pass from <allowed-prime1> to $prime1
pass from <allowed-prime2> to $prime2
Re: controlling lan access to multiple hdhr3-cc tuners
Thanks, but this is all lan, behind the router. This traffic never goes to the wan and is of course heavy so I don't want to put that burden on the router. I'd like something scalable to say 16 hdhr3-cc's.
Re: controlling lan access to multiple hdhr3-cc tuners
I understand that this is all on the LAN. The purpose of the router is to "route" traffic through networks, whether it is LAN-LAN, LAN-WAN or WAN-LAN. On the device that handles the routing for your local network, you create a default rule to block all traffic to your Primes. Then you create a rule for each Prime to only allow traffic from certain IP addresses to each Prime. The nature of pf is that last-rule-wins, so the pass rule (allowing traffic) will override the block rule only for IP addresses which are in the allow tables. You could further limit the rules by restricting them to the physical interface that handles the routing for your LAN. For instance, if your router has multiple ports, and they are all part of the virtual switch interface "switch0", then your ruleset could be:
Code:
int_if = "switch0"
prime1 = "192.168.0.33"
prime2 = "192.168.0.34"
primes = "{" $prime1 $prime2 "}"
table <allowed-prime1> { 192.168.0.65 192.168.0.66 }
table <allowed-prime2> { 192.168.0.67 192.168.0.68 }
...
block from any to $primes
pass on $int_if from <allowed-prime1> to $prime1
pass on $int_if from <allowed-prime2> to $prime2
Re: controlling lan access to multiple hdhr3-cc tuners
Thanks very much. We mostly use pfsense but as I said my reservation is slowing down the router by routing heavy, constant video traffic through it. If we could filter at the switch port the router would never see those packets. Guess I'll just have to try it and see if there's any appreciable degradation to other traffic. Logically, it makes more sense to have some rudimentary ACL capability at the hdhr3-cc but it sounds like that does not exist.
Re: controlling lan access to multiple hdhr3-cc tuners
The situation you are asking about would only seem to reduce network traffic, not increase it. You can even set the block rule to drop, which would just silently ignore all traffic from unauthorized devices from even entering the router. (That's why pf rules are best defined on "in", which is the default for OpenBSD ... I'm not sure if that change was made before FreeBSD's fork of pf.)
If you truly need some form of ACL, I'm afraid your only option is to use some sort of (reverse-)proxy, such as relayd or similar. Unfortunately there is no sort of authentication on the device itself. (Of course, the Prime does support lockkeys, which function as a sort of restriction mechanism ...)
Personally, I cannot understand the need for the situation that you are asking about. Usually one would use a sort of DVR software to handle the scheduling of the tuners; in turn, the DVR software would handle the ACL/authorization you are asking about. Is there some odd particular use case that necessitates the separation and segregation of tuners in the manner you seek?
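The two pf-based replies above describe the policy in words: a default block on the LAN interface, one allow table per Prime, and last-matching-rule semantics so the per-tuner pass rule overrides the block only for listed clients, with "block drop in" dropping unauthorized packets before they go anywhere. The following is an added example (not code from the thread or from Silicondust) that generates such a ruleset for any number of tuners, which addresses the original poster's wish to scale to 16 units, and checks the resulting policy with a small emulation of pf's last-match evaluation. The tuner and client addresses are constructed sample values and "switch0" is the hypothetical LAN interface name used in the reply.

```python
"""Generate a pf ruleset confining each HDHomeRun Prime to a set of allowed
client IPs, and verify the policy with a tiny last-matching-rule evaluator.

Added example, not from the forum thread. Addresses are constructed samples;
"switch0" is a hypothetical interface name.
"""
import ipaddress

# Constructed sample topology: tuner IP -> allowed client IPs
TUNERS = {
    "192.168.0.33": ["192.168.0.65", "192.168.0.66"],
    "192.168.0.34": ["192.168.0.67", "192.168.0.68"],
}


def generate_pf_conf(tuners, int_if="switch0"):
    """Return pf.conf text: a macro and a table per tuner, one default block
    rule, and one pass rule per tuner.  Rules are applied on "in" at the LAN
    interface and the block is "drop", so traffic from unlisted clients is
    silently discarded before it is routed anywhere."""
    lines = [f'int_if = "{int_if}"']
    names = []
    for i, (tuner_ip, clients) in enumerate(sorted(tuners.items()), start=1):
        ipaddress.ip_address(tuner_ip)          # reject typos early
        for client in clients:
            ipaddress.ip_address(client)
        name = f"prime{i}"
        names.append(name)
        lines.append(f'{name} = "{tuner_ip}"')
        lines.append(f"table <allowed-{name}> {{ {' '.join(clients)} }}")
    # pf macro concatenation, as in the reply's ruleset
    lines.append('primes = "{" ' + " ".join(f"${n}" for n in names) + ' "}"')
    lines.append("block drop in on $int_if from any to $primes")
    for name in names:
        lines.append(f"pass in on $int_if from <allowed-{name}> to ${name}")
    return "\n".join(lines) + "\n"


def build_rules(tuners):
    """Abstract form of the same ruleset: (action, src_set or None, dst_set),
    in the order pf would evaluate them."""
    rules = [("block", None, set(tuners))]
    for tuner_ip, clients in tuners.items():
        rules.append(("pass", set(clients), {tuner_ip}))
    return rules


def policy_decision(rules, src, dst):
    """Emulate pf's evaluation: every rule is examined in order and the last
    matching rule wins; if nothing matches, pf passes the packet."""
    decision = "pass"
    for action, srcs, dsts in rules:
        if dst in dsts and (srcs is None or src in srcs):
            decision = action
    return decision


if __name__ == "__main__":
    print(generate_pf_conf(TUNERS))
    rules = build_rules(TUNERS)
    # Constructed sample flows: (client, tuner)
    for src, dst in [("192.168.0.65", "192.168.0.33"),   # allowed client
                     ("192.168.0.65", "192.168.0.34"),   # wrong tuner
                     ("192.168.0.99", "192.168.0.33"),   # unlisted client
                     ("192.168.0.65", "192.168.0.10")]:  # not a tuner
        print(f"{src} -> {dst}: {policy_decision(rules, src, dst)}")
```

The generator validates every address with `ipaddress` so a typo fails at generation time rather than silently opening or closing a tuner, and `policy_decision` makes the "block, then pass for listed clients" reasoning testable: a client listed for prime1 is blocked from prime2, an unlisted client is blocked from every tuner, and traffic to non-tuner addresses is untouched by these rules.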
Re: controlling lan access to multiple hdhr3-cc tuners
Answered your own question. Step it up a notch with an enterprise/small business switch that does filtering in hardware. Or move to a routed network (and again, for performance, a router capable of performing near line speeds (some enterprise switches can do L3 forwarding at line speed)).
On the other hand, if you describe the real problem you are trying to solve there may be alternatives.
Re: controlling lan access to multiple hdhr3-cc tuners
thanks gtb - I'm happy to go into as much detail as you need (and let me say upfront I don't want anything that violates copyrights)
I'm testing a system for duplex to 32 or more apartment buildings. Increasingly these see the benefits of a building wide lan for at a minimum security camera access and access control. 99% of these tenants do not want to setup the infrastructure for optimal program viewing and want as few devices as possible in the apartments themselves. This and the fact much of the installed coax has issues handling hd signals rules out placing the hdhr3's in the apartments. This is a VERY price sensitive market so your point about more expensive switches/routers is taken but is suboptimal due to cost. This system makes traditional live viewing very secondary (but still unfortunately necessary) in favor of pushing programming via the lan in a controlled fashion to various devices in the apartments. To be legal and provide live view, there's one hdhr3 per apartment controlled only by that tenant (and optionally an admin). So there needs to be a way to restrict access to a particular hdhr3 to a particular tenant.
The tuner locking Silicondust provides would work if only you could pass a lock forever parameter. From a support standpoint an admin override that also gave reboot capability would be ideal.
Re: controlling lan access to multiple hdhr3-cc tuners
Thanks rpcameron, failing any better thought I'll set up some testing with a pfsense and see what happens but I'm not optimistic. Your comments about the dvr are spot on and if you could get all tenants to understand how idiotic live viewing is none of this would be necessary. Whether you're using one of the silicondust clients (meaning one tuner supports one live stream) or vlc/mpv (meaning one tuner could support 3 live streams) you still need a way to only allow a particular tenant to access a particular tuner.
Re: controlling lan access to multiple hdhr3-cc tuners
Depending on your MSO, they will typically have solutions targeted towards MDUs/Hospitality properties. I would examine that as the solution set of choice (the pricing per "port" is much lower than a classic individual contract solution). Typically these offerings are under one/more terms such as business solutions, industry solutions, or something else appropriate, but in almost all cases are considered under the business side of the house in the MSO. If your local MSO does not provide such solution directly there will be someone in the area who does (because your typical hotel/motel does not have such expertise on the front desk).
Re: controlling lan access to multiple hdhr3-cc tuners
Thanks, you're right on the hospitality (transient tenant) side. We're designing for long-term MDUs from duplexes to apartments and scheduled delivery of recordings after receipt whether that be via individual hdhr3's or commercial headend equipment which we find lacks the flexibility of the individual units.