nickk wrote: ↑Sat Nov 19, 2022 6:47 pm
    Interested to know why (genuine question)...
    jumpmanjay wrote: ↑Sat Nov 19, 2022 5:47 pm
        Perfect. I played around with socat a bit. It will work for simple cases, but it won't work in my case because I'd like to actually have my primes in one VLAN, the DVR in another (since this is on my NAS), and clients in potentially another one.
    In order to make this work they all need to be able to talk to each other, and once you have that, why have them on separate VLANs?

The typical setup is an IoT/guest VLAN that's segregated from the rest of the home network. So if some smart thing has a security vulnerability/gets hacked, it does not have access to the rest of your network. You can punch holes through the firewall to access known services/ports on devices on the IoT VLAN.
VLAN causing issues?
Re: VLAN causing issues?
jamesm113 wrote: ↑Sat Nov 19, 2022 6:53 pm
    The typical setup is an IoT/guest VLAN that's segregated from the rest of the home network. So if some smart thing has a security vulnerability/gets hacked, it does not have access to the rest of your network. You can punch holes through the firewall to access known services/ports on devices on the IoT VLAN.

Ok, so it is a variant of the Firewall-Every-Device security concept, but when it comes to embedded devices you group them together and do one firewall instead of firewalling each one individually.
It should be possible to achieve the same thing by using L2 VLANs so you can firewall while keeping everything on the same L3 subnet, so you are only firewalling and not dealing with routing.
BTW - the HDHomeRun hardware is hardened for dealing with protected Cable TV content. There is no shell, no telnet/ssh, no serial port access, no root filesystem on flash, no busybox.
Re: VLAN causing issues?
nickk wrote: ↑Sat Nov 19, 2022 7:11 pm
    jamesm113 wrote: ↑Sat Nov 19, 2022 6:53 pm
        The typical setup is an IoT/guest VLAN that's segregated from the rest of the home network. So if some smart thing has a security vulnerability/gets hacked, it does not have access to the rest of your network. You can punch holes through the firewall to access known services/ports on devices on the IoT VLAN.
    Ok, so it is a variant of the Firewall-Every-Device security concept, but when it comes to embedded devices you group them together and do one firewall instead of firewalling each one individually.
    It should be possible to achieve the same thing by using L2 VLANs so you can firewall while keeping everything on the same L3 subnet, so you are only firewalling and not dealing with routing.
    BTW - the HDHomeRun hardware is hardened for dealing with protected Cable TV content. There is no shell, no telnet/ssh, no serial port access, no root filesystem on flash, no busybox.

Yeah, basically. I'll note that they cannot communicate with each other either, unless explicitly allowed by the firewall.
I'm an enthusiast user, not a pro, and the common (aka most well-documented) path is to have L3 subnets match the L2 VLANs. I guess I could go down that rabbit hole of combining multiple VLANs onto the same subnet, but honestly, it's easier to see that a device has a 3.x IP vs a 1.x IP and know it's on the IoT/guest VLAN. My router (OpenWRT) seems to have its firewall set up on the L3 level too.
Re: VLAN causing issues?
Also, even if I were to move the HDHomeRun onto the regular network, clients (Rokus, Apple TV, Chromecast, etc) would still be on the IoT.
Re: VLAN causing issues?
nickk wrote: ↑Sat Nov 19, 2022 6:47 pm
    Interested to know why (genuine question)...
    jumpmanjay wrote: ↑Sat Nov 19, 2022 5:47 pm
        Perfect. I played around with socat a bit. It will work for simple cases, but it won't work in my case because I'd like to actually have my primes in one VLAN, the DVR in another (since this is on my NAS), and clients in potentially another one.
    In order to make this work they all need to be able to talk to each other, and once you have that, why have them on separate VLANs?

I have some devices that are either EOL, IoT, or require more wide-open access (like Nintendo Switch or XBOX online gaming). Those I'd like to keep in their own VLAN and have firewall permissions to only go to the internet.
The next VLAN is a mix of devices that may or may not roam outside of my network. This contains laptops, phones, tablets. This network will have very selective access through the firewall to the "secure" network. This is also kind of the media VLAN (nVidia Shields will live here), so the HDHomeRuns will live here.
So the next VLAN is for the ones I want to protect the most. My servers, NAS boxes, and personal desktops live here.
I do suppose the HDHomeRuns could live in the secure VLAN, and then I could just use socat for the #2 network. I was playing around a bit with writing my own specialized HDHomeRun broadcast forwarder. Wireshark had the same broadcast packets between my program and socat, but I couldn't get DVR to work with mine.
My setup is something like this:
vlan1 - hdhomerun and dvr in this network
10.0.0.0/24
10.0.0.1/24 <- Firewall
vlan2 - client
10.1.0.2/24
Running a wireshark in the vlan1 network, I see:
10.1.0.2:[src_port] -> 255.255.255.255:65001
10.0.0.1:[src_port] -> 10.0.0.255:65001
10.1.0.2:[src_port] -> 255.255.255.255:65001
10.0.0.1:[src_port] -> 10.0.0.255:65001
All these have the same 18-byte payload (0002000a2d0800000001000000054f63391f)
This behavior is the same with my program vs socat, except socat works. Maybe I'll just put the HDHR in the secure network...
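For anyone comparing a hand-written forwarder against socat like this, here is an added example (mine, not the poster's program or anything from SiliconDust) that decodes the 18-byte packet above into its header, TLV payload and trailing CRC32, and can rebuild a packet to confirm the framing round-trips. The layout (big-endian type and length, TLV payload, little-endian CRC32 over header plus payload) and the type/tag names are my recollection of the public libhdhomerun format, so treat them as assumptions.

```python
import struct
import zlib

# The 18-byte hex string posted above (the discover packet seen on vlan1).
CAPTURED_HEX = "0002000a2d0800000001000000054f63391f"

# Type and tag names as I recall them from the public libhdhomerun header
# (assumption, not taken from this thread); unknown tags are shown by number.
PKT_TYPES = {0x0002: "DISCOVER_REQ", 0x0003: "DISCOVER_RPY"}
TAG_NAMES = {0x01: "DEVICE_TYPE", 0x02: "DEVICE_ID"}


def parse_packet(raw: bytes) -> dict:
    """Decode a control packet: 2-byte type, 2-byte payload length (both
    big-endian), TLV payload, then a little-endian CRC32 over header+payload.
    Reports whether the declared length and the CRC agree with the bytes."""
    if len(raw) < 8:
        raise ValueError("shorter than header + CRC")
    ptype, plen = struct.unpack("!HH", raw[:4])
    payload = raw[4:4 + plen]
    tags, pos = [], 0
    while pos + 2 <= len(payload):
        tag, tlen, hdr = payload[pos], payload[pos + 1], 2
        if tlen & 0x80:  # two-byte length: low 7 bits, then next byte << 7
            if pos + 3 > len(payload):
                raise ValueError("truncated TLV length")
            tlen, hdr = (tlen & 0x7F) | (payload[pos + 2] << 7), 3
        value = payload[pos + hdr:pos + hdr + tlen]
        tags.append((tag, TAG_NAMES.get(tag, f"tag_0x{tag:02x}"), value.hex()))
        pos += hdr + tlen
    trailer = raw[4 + plen:4 + plen + 4]
    stored = struct.unpack("<I", trailer)[0] if len(trailer) == 4 else None
    return {
        "type": PKT_TYPES.get(ptype, f"type_0x{ptype:04x}"),
        "declared_len": plen,
        "length_ok": len(raw) == 4 + plen + 4,
        "tags": tags,
        "crc_ok": stored == zlib.crc32(raw[:4 + plen]) & 0xFFFFFFFF,
    }


def build_packet(ptype: int, tags: list) -> bytes:
    """Inverse of parse_packet for single-byte TLV lengths (< 128 bytes)."""
    payload = b"".join(bytes([tag, len(val)]) + val for tag, val in tags)
    head = struct.pack("!HH", ptype, len(payload)) + payload
    return head + struct.pack("<I", zlib.crc32(head) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(parse_packet(bytes.fromhex(CAPTURED_HEX)))
```

Running it on each copy of the packet a forwarder emits (yours and socat's) shows whether the bytes on the wire actually differ, or whether the difference lies outside the payload, such as the source address the device sees and replies to.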
Re: VLAN causing issues?
Regardless of the mechanisms to make discovery work across VLANs, I think it is still a good idea to have a means available within the HDHomeRun Connect software to explicitly specify the known static IP of the HDHomeRun box when trying to connect to it.
Re: VLAN causing issues?
Is this issue still trying to be resolved by SD?
Re: VLAN causing issues?
The plan we had in mind didn't work out unfortunately.
We are still tracking your issue.
Nick