controlling lan access to multiple hdhr3-cc tuners

billschu
Posts: 9
Joined: Mon Jun 16, 2014 6:52 am

controlling lan access to multiple hdhr3-cc tuners

Postby billschu » Mon Mar 19, 2018 11:54 am

My preference would be to require (allow) the various clients (Windows, Android, VLC, etc.) to send a username/password for access to a specific hdhr3-cc.
The existing tuner locking scheme COULD work, if it stayed locked indefinitely.
I've tried restricting access via Netgear FS526T at layer 2 MAC level and while this does work, the cheaper managed switch kills the throughput so it's essentially unusable. I haven't tried jumbo frames or restriction at layer 3 but before I go down that road...
Any solutions (preferably known to work) that restrict access by tuner so only certain devices can access a particular hdhr3-cc would be greatly appreciated.

rpcameron
Posts: 637
Joined: Fri Mar 25, 2016 9:55 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby rpcameron » Mon Mar 19, 2018 3:59 pm

> My preference would be to require (allow) the various clients (Windows, Android, VLC, etc.) to send a username/password for access to a specific hdhr3-cc.
> The existing tuner locking scheme COULD work, if it stayed locked indefinitely.
> I've tried restricting access via Netgear FS526T at layer 2 MAC level and while this does work, the cheaper managed switch kills the throughput so it's essentially unusable. I haven't tried jumbo frames or restriction at layer 3 but before I go down that road...
> Any solutions (preferably known to work) that restrict access by tuner so only certain devices can access a particular hdhr3-cc would be greatly appreciated.

I suppose it depends upon the router and/or firewall you are using. Using pf, you could do something like:

Code:

    prime1 = "192.168.0.33"
    prime2 = "192.168.0.34"
    primes = "{" $prime1 $prime2 "}"
    table <allowed-prime1> { 192.168.0.65 192.168.0.66 }
    table <allowed-prime2> { 192.168.0.67 192.168.0.68 }
    ...
    block from any to $primes
    pass from <allowed-prime1> to $prime1
    pass from <allowed-prime2> to $prime2

That's just a quick example. Of course, this might differ based upon your routing and/or firewalling software.

billschu
Posts: 9
Joined: Mon Jun 16, 2014 6:52 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby billschu » Mon Mar 19, 2018 5:41 pm

Thanks, but this is all LAN, behind the router. This traffic never goes to the WAN and is of course heavy so I don't want to put that burden on the router. I'd like something scalable to say 16 hdhr3-cc's.

rpcameron
Posts: 637
Joined: Fri Mar 25, 2016 9:55 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby rpcameron » Mon Mar 19, 2018 6:25 pm

> Thanks, but this is all LAN, behind the router. This traffic never goes to the WAN and is of course heavy so I don't want to put that burden on the router. I'd like something scalable to say 16 hdhr3-cc's.

I understand that this is all on the LAN. The purpose of the router is to "route" traffic through networks, whether it is LAN-LAN, LAN-WAN or WAN-LAN. On the device that handles the routing for your local network, you create a default rule to block all traffic to your Primes. Then you create a rule for each Prime to only allow traffic from certain IP addresses to each Prime. The nature of pf is that last-rule-wins, so the pass rule (allowing traffic) will override the block rule only for IP addresses which are in the allow tables. You could further limit the rules by restricting them to the physical interface that handles the routing for your LAN. For instance, if your router has multiple ports, and they are all part of the virtual switch interface "switch0", then your ruleset could be:

Code:

    int_if = "switch0"
    prime1 = "192.168.0.33"
    prime2 = "192.168.0.34"
    primes = "{" $prime1 $prime2 "}"
    table <allowed-prime1> { 192.168.0.65 192.168.0.66 }
    table <allowed-prime2> { 192.168.0.67 192.168.0.68 }
    ...
    block from any to $primes
    pass on $int_if from <allowed-prime1> to $prime1
    pass on $int_if from <allowed-prime2> to $prime2

Depending upon which software your router runs, the configuration will differ. This is just one example of how such a situation may be achieved. If your router is running FreeBSD, the syntax of the rules may differ slightly as its version of pf diverged from OpenBSD's a bit ago. Similarly, if your router is Linux-based, it is likely using some version of iptables or similar for directing traffic, which has a very different rule syntax. Likewise with VyattaOS, EdgeOS, IOS, ... the list goes on. Check your router's documentation ...
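
The block-then-pass pattern from the post above, generated from a tuner-to-client mapping so it scales past two tuners, and checked with a small model of pf's last-match evaluation. This is an added example, not part of the original post or of pf itself; the `TUNERS` mapping and the function names are hypothetical, the addresses are constructed from the thread's samples, and it assumes tuner traffic actually traverses the pf host (tuners on their own routed segment).

```python
from ipaddress import ip_address as ip

# Constructed sample data: tuner and client addresses follow the thread's examples.
TUNERS = {
    "prime1": {"ip": "192.168.0.33", "allowed": ["192.168.0.65", "192.168.0.66"]},
    "prime2": {"ip": "192.168.0.34", "allowed": ["192.168.0.67", "192.168.0.68"]},
}

def build_rules(tuners):
    """Return (action, sources, destinations) in pf.conf order; sources=None means 'any'."""
    tuner_ips = {ip(t["ip"]) for t in tuners.values()}
    rules = [("block", None, tuner_ips)]                # block from any to $primes
    for name, t in tuners.items():
        allowed = {ip(a) for a in t["allowed"]}
        if allowed & tuner_ips:
            raise ValueError(f"{name}: a tuner address is listed as a client")
        rules.append(("pass", allowed, {ip(t["ip"])}))  # pass from <allowed-X> to $X
    return rules

def decide(rules, src, dst):
    """pf semantics: the last matching rule wins; no match means the implicit pass."""
    src, dst = ip(src), ip(dst)
    verdict = "pass"
    for action, sources, dests in rules:
        if dst in dests and (sources is None or src in sources):
            verdict = action
    return verdict

def render_pf(tuners, int_if="switch0"):
    """Emit the ruleset text in the same layout as the thread's example."""
    build_rules(tuners)                                 # validate before emitting
    out = [f'int_if = "{int_if}"']
    out += [f'{n} = "{t["ip"]}"' for n, t in tuners.items()]
    out.append('primes = "{" ' + " ".join(f"${n}" for n in tuners) + ' "}"')
    out += [f'table <allowed-{n}> {{ {" ".join(t["allowed"])} }}' for n, t in tuners.items()]
    out.append("block from any to $primes")
    out += [f"pass on $int_if from <allowed-{n}> to ${n}" for n in tuners]
    return "\n".join(out)

def cross_access(tuners):
    """List (client, tuner) pairs that pass although the client is not in that tuner's table."""
    rules = build_rules(tuners)
    clients = {c for t in tuners.values() for c in t["allowed"]}
    return [(c, n) for c in sorted(clients) for n, t in tuners.items()
            if c not in t["allowed"] and decide(rules, c, t["ip"]) == "pass"]

if __name__ == "__main__":
    print(render_pf(TUNERS), cross_access(TUNERS), sep="\n")
```

An empty list from `cross_access` means no tenant device reaches another tenant's tuner under the generated rules.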

billschu
Posts: 9
Joined: Mon Jun 16, 2014 6:52 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby billschu » Mon Mar 19, 2018 8:17 pm

Thanks very much. We mostly use pfsense but as I said my reservation is slowing down the router by routing heavy, constant video traffic through it. If we could filter at the switch port the router would never see those packets. Guess I'll just have to try it and see if there's any appreciable degradation to other traffic. Logically, it makes more sense to have some rudimentary ACL capability at the hdhr3-cc but it sounds like that does not exist.

rpcameron
Posts: 637
Joined: Fri Mar 25, 2016 9:55 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby rpcameron » Tue Mar 20, 2018 1:09 am

> Thanks very much. We mostly use pfsense but as I said my reservation is slowing down the router by routing heavy, constant video traffic through it. If we could filter at the switch port the router would never see those packets. Guess I'll just have to try it and see if there's any appreciable degradation to other traffic. Logically, it makes more sense to have some rudimentary ACL capability at the hdhr3-cc but it sounds like that does not exist.

The situation you are asking about would only seem to reduce network traffic, not increase it. You can even set the block rule to drop, which would just silently ignore all traffic from unauthorized devices from even entering the router. (That's why pf rules are best defined on "in", which is the default for OpenBSD ... I'm not sure if that change was made before FreeBSD's fork of pf.)

If you truly need some form of ACL, I'm afraid your only option is to use some sort of (reverse-)proxy, such as relayd or similar. Unfortunately there is no sort of authentication on the device itself. (Of course, the Prime does support lockkeys, which function as a sort of restriction mechanism ...)

Personally, I cannot understand the need for the situation that you are asking about. Usually one would use a sort of DVR software to handle the scheduling of the tuners; in turn, the DVR software would handle the ACL/authorization you are asking about. Is there some odd particular use case that necessitates the separation and segregation of tuners in the manner you seek?

gtb
Expert
Posts: 3709
Joined: Thu Oct 06, 2011 1:00 pm
Location: Sunnyvale, CA USA

Re: controlling lan access to multiple hdhr3-cc tuners

Postby gtb » Tue Mar 20, 2018 5:32 am

> I've tried restricting access via Netgear FS526T at layer 2 MAC level and while this does work, the cheaper managed switch kills the throughput so it's essentially unusable.

Answered your own question. Step it up a notch with an enterprise/small business switch that does filtering in hardware. Or move to a routed network (and again, for performance, a router capable of performing near line speeds (some enterprise switches can do L3 forwarding at line speed)).

On the other hand, if you describe the real problem you are trying to solve there may be alternatives.

billschu
Posts: 9
Joined: Mon Jun 16, 2014 6:52 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby billschu » Tue Mar 20, 2018 11:43 am

Thanks gtb - I'm happy to go into as much detail as you need (and let me say upfront I don't want anything that violates copyrights).
I'm testing a system for duplex to 32 or more apartment buildings. Increasingly these see the benefits of a building-wide LAN for at a minimum security camera access and access control. 99% of these tenants do not want to set up the infrastructure for optimal program viewing and want as few devices as possible in the apartments themselves. This and the fact much of the installed coax has issues handling HD signals rules out placing the hdhr3's in the apartments. This is a VERY price sensitive market so your point about more expensive switches/routers is taken but is suboptimal due to cost. This system makes traditional live viewing very secondary (but still unfortunately necessary) in favor of pushing programming via the LAN in a controlled fashion to various devices in the apartments. To be legal and provide live view, there's one hdhr3 per apartment controlled only by that tenant (and optionally an admin). So there needs to be a way to restrict access to a particular hdhr3 to a particular tenant.
The tuner locking Silicondust provides would work if only you could pass a lock forever parameter. From a support standpoint an admin override that also gave reboot capability would be ideal.

billschu
Posts: 9
Joined: Mon Jun 16, 2014 6:52 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby billschu » Tue Mar 20, 2018 12:09 pm

Thanks rpcameron, failing any better thought I'll set up some testing with a pfsense and see what happens but I'm not optimistic. Your comments about the DVR are spot on and if you could get all tenants to understand how idiotic live viewing is none of this would be necessary. Whether you're using one of the Silicondust clients (meaning one tuner supports one live stream) or VLC/mpv (meaning one tuner could support 3 live streams) you still need a way to only allow a particular tenant to access a particular tuner.

gtb
Expert
Posts: 3709
Joined: Thu Oct 06, 2011 1:00 pm
Location: Sunnyvale, CA USA

Re: controlling lan access to multiple hdhr3-cc tuners

Postby gtb » Wed Mar 21, 2018 6:20 pm

Depending on your MSO, they will typically have solutions targeted towards MDUs/Hospitality properties. I would examine that is the solution set of choice (the pricing per "port" is much lower than a classic individual contract solution). Typically these offerings are under one/more terms such as business solutions, industry solutions, or something else appropriate, but in almost all cases are considered under the business side of the house in the MSO. If your local MSO does not provide such a solution directly there will be someone in the area who does (because your typical hotel/motel does not have such expertise on the front desk).

billschu
Posts: 9
Joined: Mon Jun 16, 2014 6:52 am

Re: controlling lan access to multiple hdhr3-cc tuners

Postby billschu » Thu Mar 22, 2018 11:27 am

Thanks, you're right on the hospitality (transient tenant) side. We're designing for long-term MDU's from duplexes to apartments and scheduled delivery of recordings after receipt whether that be via individual hdhr3's or commercial headend equipment which we find lacks the flexibility of the individual units.

