Allow for software to look for Static internal IP

Post by WildSquirrel »

My SiliconDust device lives on an IoT network with a reserved IP. That works great for Game Consoles, Chromecasts, and other devices that live on that network.

However, for Desktops and Laptops, the easiest way I've found to use the device is to stream it through VLC leveraging the network stream @ http://xxx.xxx.xxx.xxx:5004/auto/vxx.x
[Replace the x with the IP and channel. EX: http://192.168.100.231:5004/auto/v3.1]

The need to make this consumer facing software simple and easy to use is understandable. However, it is also recommended that ALL IoT devices live on their own segregated VLAN.

Please allow the software to either scan the appropriate internal IPv4 address range OR allow users to set a static internal address in the software.

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

nickk
Silicondust

Post by nickk »

Sanity check, if there is full routing (ie no isolation or security) between the IoT network and the desktop/laptop network then what is the goal of the network structure?

Post by WildSquirrel »

Crosstalk Solutions
https://youtu.be/UGBobTInIBc

It's a separate network with rules so the main network can see ALL other networks. This is where the Laptops and Desktops live. The IoT network can see itself and other devices on the IoT network but it can't call out to other VLANs and establish new connections. The Quarantine network is where a device is completely isolated, so it only has internet access and can not see anything else in the environment.

For the most part:
Main VLAN = Devices where the Network and Device administrator is the same group of people
IoT VLAN = Devices managed, updated, and controlled by a third party.
Quarantine VLAN = Devices that are EoL but still in service, never need to see anything else on a network, or devices that may be compromised.

As the HDhomerun device is updated and managed by a third party, it should live on the IoT network along with the Chromecast and currently supported game consoles. Normal broadcast and discovery works as expected with Software.

The desktop lives on the main network. Since the "broadcast" feature will only call out to the network the device lives on, it can't make a connection to the Hardware that lives on the IoT network. This requires the use of VLC, or some other third party application, to establish a new connection.
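
The three-VLAN policy described in the post above, modelled as an added example (not part of the original thread, and not SiliconDust or UniFi code): it shows why broadcast discovery from the Main VLAN never reaches a tuner on the IoT VLAN while a direct unicast connection does. The subnets and the desktop address are constructed, and IoT-to-internet access is assumed.

```python
import ipaddress

# Constructed addressing plan (assumption; only 192.168.100.231 appears in the thread).
ZONES = {
    "main": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.100.0/24"),
    "quarantine": ipaddress.ip_network("192.168.200.0/24"),
}

# Zone pairs allowed to open NEW connections, following the post's description.
# IoT -> internet is an assumption; replies on established flows are assumed to pass.
ALLOW_NEW = {
    ("main", "main"), ("main", "iot"), ("main", "quarantine"), ("main", "internet"),
    ("iot", "iot"), ("iot", "internet"),
    ("quarantine", "internet"),
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def zone_of(addr):
    """Map an address to its VLAN name, or 'internet' if it is in none of them."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def is_broadcast(addr):
    """True for the limited broadcast or any VLAN's directed broadcast address."""
    return addr == LIMITED_BROADCAST or any(
        addr == net.broadcast_address for net in ZONES.values())

def reaches(src, dst, receiver=None):
    """Would a new packet from src to dst arrive at receiver (default: dst)?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    r = ipaddress.ip_address(receiver) if receiver else d
    sz, rz = zone_of(s), zone_of(r)
    if is_broadcast(d):
        # Broadcasts stay in the sender's layer-2 domain; routers do not forward them.
        if sz != rz:
            return False, f"broadcast from {sz} is not forwarded to {rz}"
    elif r != d:
        return False, "unicast is delivered only to its destination address"
    if (sz, rz) in ALLOW_NEW:
        return True, f"new connection {sz} -> {rz} allowed"
    return False, f"new connection {sz} -> {rz} blocked by policy"

if __name__ == "__main__":
    desktop, tuner = "192.168.10.20", "192.168.100.231"
    print("discovery broadcast:", reaches(desktop, "255.255.255.255", tuner))
    print("direct unicast:     ", reaches(desktop, tuner))
    print("tuner -> desktop:   ", reaches(tuner, desktop))
```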

Post by nickk »

Ok, that makes some sense.

Minor note... Windows forces updates, the HDHomeRun does not (there is no mechanism for our system to push a firmware update). Likewise our system doesn't manage/control the HDHomeRun outside of providing the recording tasks if you are running DVR.

Post by WildSquirrel »

nickk wrote: Sun Mar 30, 2025 6:37 am Minor note... Windows forces updates, the HDHomeRun does not (there is no mechanism for our system to push a firmware update). Likewise our system doesn't manage/control the HDHomeRun outside of providing the recording tasks if you are running DVR.
The difference is who has final control.

With a desktop or laptop, an administrator/owner of the hardware has final control. If the admin wants to alter settings in the BIOS or choose to install a Linux Distro (Mint, PopOS!, Ubuntu) that's up to them. When Windows 10 goes EoL in October 2025 there is a lot of hardware that can not be readily upgraded to Windows 11. Those administrators have a choice on what to do with that hardware.

With an IoT device, final control or say belongs to a third party.

https://arstechnica.com/security/2025/0 ... ze-ddoses/

https://www.reuters.com/graphics/IOT-CYBER/0100307Z0J8/

Regardless; an option to tell the software what internal address the HDHomerun lives on would be nice.

Post by rpcameron »

WildSquirrel wrote: Sun Mar 30, 2025 9:13 am With an IoT device, final control or say belongs to a third party.

https://arstechnica.com/security/2025/0 ... ze-ddoses/

https://www.reuters.com/graphics/IOT-CYBER/0100307Z0J8/

Regardless; an option to tell the software what internal address the HDHomerun lives on would be nice.
That's (mostly) true for devices that require internet access. However, the HDHomeRun devices have no requirement to have a connection to the internet. They will happily function without any external access. (Your device logs on the tuners will be flooded with messages about not being online, but functionality is not impaired.)

The HDHR tuners only need internet access if you use SiliconDust's software, because the device needs a token for the fetching of guide data. No other TV/DVR software that uses the HDHR requires that token, so the internet is unnecessary. (I ran 3 HDHRs in an isolated network that was only connected to the computer running my DVR.)

So, if your concern is that the HDHR won't function if SD goes belly-up, rest assured that other software is there to fill the void that does not rely on their servers.

Post by WildSquirrel »

rpcameron wrote: Sun Mar 30, 2025 10:09 am The HDHR tuners only need internet access if you use SiliconDust's software, because the device needs a token for the fetching of guide data. No other TV/DVR software that uses the HDHR requires that token, so the internet is unnecessary.
Yes, which is why using VLC to stream channels with the HDHR works. But isn't that the best reason to allow the software to look for a static internal IP address?

If the device is on the network, and that network has internet access, then it is a device connected to the internet. All internet connected devices are vulnerable to attacks. Ideally, we should be using the principle of "least privilege" and, if the device only needs minimal access then it could live in quarantine. However, that is currently not an option if users want to use the current software available on console, Android, iOS, or Windows.

I do plan to install HexOS on an old machine later this year, so maybe setting up Plex is the answer. But it would be nice to sit at my desk, do some work, and have the HDHR DVR available.

NedS
Silicondust

Post by NedS »

We also have mDNS addresses, and you can also set IP addresses on your router/DHCP server. You still have final control.

Post by WildSquirrel »

While that is understandable from a professional point of view, what is easier for the consumer/end user?

Right now, the software asks the end user to retry their scan.

Why can't it ask for the internal IP, if known, with a check box to use IP address on next start up? All a consumer knows is that they can stream their content with other software; but they lose the ability to pause, rewind, or use their DVR subscription.

This is a software limitation on a device intended to provide network services to "basic" consumers. Consumer grade network products are shipping with Guest and IoT networks baked in.

https://www.verizon.com/support/knowledge-base-303332/

https://www.asus.com/support/faq/1053665/

And network equipment manufacturers are trying to sell products with "IoT" security marketing and PR materials.

https://www.netgear.com/hub/network/sec ... ty-report/

Post by NedS »

Those are two different things. Making things work across different subnetworks does not require setting a static IP address from the device.

Post by WildSquirrel »

NedS wrote: Sun Apr 06, 2025 3:20 am Those are two different things. Making things work across different subnetworks does not require setting a static IP address from the device.
You are right, and mDNS is supported on UniFi: https://help.ui.com/hc/en-us/articles/1 ... ticast-DNS

It doesn't always work as expected. From the Main VLAN to the IoT VLAN Chromecast devices are easily connected to.

With the HDHomeRun:
No HDHomeRun tuners Found
Version 20250408a
Using Async Platform API
I am guessing that means the software is using this: https://www.asyncapi.com/

What hasn't failed is directly connecting to the hardware using its static IP address.
Regardless of the issue, or solution, it would be nice if the HDHomeRun Software prompted the user for an internal IP address if the Tuner was not automagically found. I know the software functions across VLANs as I have temporarily connected a Wired (Main VLAN) and Wireless (IoT VLAN) network to a machine and had the software establish a connection. After disconnecting the Wireless (IoT) network the software continued to work as intended for quite a while. Again, this seems to be a software limitation, not a network or performance one.

Post by NedS »

Ah, I think there's some confusion on my part. The term "Static IP" typically refers to the device reserving a specific numeric IPv4 address, rather than a dynamic or assigned numeric IPv4 address. So this request is not really about it being technically a static-set address, but rather it is about being able to manually enter the IP address.

Post by jazzy112 »

If your pc's have full access to the VLAN anyway, create an SSID on that VLAN and use it when you want to watch something. You're overcomplicating your network unnecessarily. I run a separate network for my business servers, but couldn't care less about the IoT crap. Oh and a separate VLAN for Dante, no wireless audio for me. I don't use those no name services. The junk that runs on WiFi is unreliable and burns through batteries like they are candy. I made the mistake of buying a WiFi lock, changing batteries once a month. Versus once every couple years on a Zwave network.

If you use a proper enterprise grade firewall which is typically indicated by the use of VLAN's, you should be able to reserve a group of IP's for your tuners in your normal VLAN and just block those IP's from reaching the internet or services you don't want them to. Unless you've configured your network just right, those devices can all see each other's packets anyway. It's just the mismatched VLAN tag will cause the devices to ignore irrelevant packets, but that does not inherently stop malware coded to broadcast storm with various vlan tags. I am not saying you haven't done it right, just that configuring VLAN's isn't a security thing by default, it's a convenience thing. It can be more secure, but I usually have to tell even seasoned MSP's how to actually configure a switch properly to make it more secure.

You're also gimping yourself by limiting your traffic between your VLANs because that traffic has to pass through the router/firewall. The 10G routers that can actually do 10G (not Ubiquiti, don't get me started), are wicked expensive and not likely to be seen in a home environment. Even cheap Layer 3 switches don't route all that well between VLANs. Besides, the switches don't have firewalls in them which breaks your use case. I see you are a UniFi fan, I do not make my comment lightly. I do personally own a Dream Machine Pro, and have had several UniFi AP's trying to find one that doesn't stink. I gave up. Within my eyesight, I see Ruckus, Aruba, and Peplink. The UniFi is in a box in the garage. The dream machine has been in the garage since I last moved. I replaced it with a Sophos which is only used for the Web Server for my CRM. Everything else runs through a Peplink. The core switch is an old Brocade with 48 1G POE 8 10G ports. I had temporarily replaced that beast with a Mikrotik 10G switch and a 24 Port POE switch, the performance was terrible and it ran a lot hotter. I have recently gotten rid of most of my copper 10G and replaced it with fiber. It runs cooler and actually can do 10Gbps. I know this is sort of off topic, but I figured providing some experience details would prevent a flame war.

You can also buy an Android TV and use the HD Homerun App instead. It can't do 5.1 properly, but it would inherently be on your IoT network. Or Use an Xbox which will pass 5.1 properly. I've used PiHole's to keep Xbox's from phoning home. It won't break HD Homerun but wreaks havoc with online gaming, if you use one of the paranoid lists. The one that comes baked in doesn't mess up Xbox services. I suppose if you're watching TV on a laptop, 5.1 doesn't matter.

Post by WildSquirrel »

jazzy112 wrote: Mon Apr 28, 2025 6:44 pm If your pc's have full access to the VLAN anyway, create an SSID on that VLAN and use it when you want to watch something. You're overcomplicating your network unnecessarily. I run a separate network for my business servers, but couldn't care less about the IoT crap. Oh and a separate VLAN for Dante, no wireless audio for me. I don't use those no name services. The junk that runs on WiFi is unreliable and burns through batteries like they are candy. I made the mistake of buying a WiFi lock, changing batteries once a month. Versus once every couple years on a Zwave network.

If you use a proper enterprise grade firewall which is typically indicated by the use of VLAN's, you should be able to reserve a group of IP's for your tuners in your normal VLAN and just block those IP's from reaching the internet or services you don't want them to. Unless you've configured your network just right, those devices can all see each other's packets anyway. It's just the mismatched VLAN tag will cause the devices to ignore irrelevant packets, but that does not inherently stop malware coded to broadcast storm with various vlan tags. I am not saying you haven't done it right, just that configuring VLAN's isn't a security thing by default, it's a convenience thing. It can be more secure, but I usually have to tell even seasoned MSP's how to actually configure a switch properly to make it more secure.

You're also gimping yourself by limiting your traffic between your VLANs because that traffic has to pass through the router/firewall. The 10G routers that can actually do 10G (not Ubiquiti, don't get me started), are wicked expensive and not likely to be seen in a home environment. Even cheap Layer 3 switches don't route all that well between VLANs. Besides, the switches don't have firewalls in them which breaks your use case. I see you are a UniFi fan, I do not make my comment lightly. I do personally own a Dream Machine Pro, and have had several UniFi AP's trying to find one that doesn't stink. I gave up. Within my eyesight, I see Ruckus, Aruba, and Peplink. The UniFi is in a box in the garage. The dream machine has been in the garage since I last moved. I replaced it with a Sophos which is only used for the Web Server for my CRM. Everything else runs through a Peplink. The core switch is an old Brocade with 48 1G POE 8 10G ports. I had temporarily replaced that beast with a Mikrotik 10G switch and a 24 Port POE switch, the performance was terrible and it ran a lot hotter. I have recently gotten rid of most of my copper 10G and replaced it with fiber. It runs cooler and actually can do 10Gbps. I know this is sort of off topic, but I figured providing some experience details would prevent a flame war.

You can also buy an Android TV and use the HD Homerun App instead. It can't do 5.1 properly, but it would inherently be on your IoT network. Or Use an Xbox which will pass 5.1 properly. I've used PiHole's to keep Xbox's from phoning home. It won't break HD Homerun but wreaks havoc with online gaming, if you use one of the paranoid lists. The one that comes baked in doesn't mess up Xbox services. I suppose if you're watching TV on a laptop, 5.1 doesn't matter.
Hello random person on the internet :)

I am also a random person on the internet.

You may not care for Ubiquiti Hardware, but it works for me, and I've recommended their products to many home users and small businesses.

You may not care about IoT device security, but

The Engineers at IBM do:
https://www.youtube.com/watch?v=7zWVxrjjIpE

And Ethical hackers like David Bombal:
https://www.youtube.com/watch?v=o9rlLuUpYxo

and Professionals/Influencers like Tom from Lawrence Systems:
https://www.youtube.com/watch?v=pBeIT7aSuMw

Maybe we are both paid professionals expressing our opinion on a support forum for a product that happens to meet both our needs or Maybe we are just enthusiasts trying our best. It doesn't matter as I don't really want to debate; it's very off topic.

I just wanted to ask the Software Devs at SiliconDust to consider adding the option for users to input the device’s IP address, instead of relying on mDNS and Multicast, in a future software release. If a user knows the IP address, they should be able to provide it. I understand things like ATSC 3.0 DRM Encryption are not within the vendor's control, but this would be a quality of life improvement for me and my situation.
viewtopic.php?t=78888

Thank You!
