Netgate Discussion Forum
    Samsung Smart TV setup issue with pfSence

    General pfSense Questions
    18 Posts 6 Posters 3.6k Views
    • stephenw10 Netgate Administrator

      It seems like it's hitting a DNSBL entry. Disabling the pfb_filter service would not affect that. So it could also be hitting an IP list.
      You can see the DNSBL Whitelist on the main DNSBL config page. It is collapsed by default.

      You should check the Reports > Alerts tab in pfBlocker to make sure you're not seeing it in both the DNS and IP components.

      I would certainly consider separating IoT devices onto a different interface if you can.

      Steve

      • Patian @stephenw10

        @stephenw10

        Hi Steve,
        Thank you for your advice.
        I am able to locate the whitelist and the 2 Samsung entries have been added.

        I checked the Reports > Alerts tab in pfBlocker. I no longer see Samsung's
        domain entry in the DNSBL. Before all the changes I made, there were no Samsung IP components in the DNSBL. Samsung only appears in the domain.

        In addition, I enabled TOP1M Whitelist under the DNSBL tab, using Cisco Umbrella TOP1M.

        Now I have pfb_filter running, and every time I initiate a smart TV software update on both smart TVs, they work, even better.

        I have an IoT VLAN for all the smart devices, i.e. switches, cat cam, plugs and Amazon Echos. I also have a CAM VLAN for all the security cameras and the Synology server. The main LAN is for PC, Apple, smart TV and Firestick.

        I have simple firewall rules: prevent VLANs from crossing to other networks and/or allow only internet access. As a result, I have to put the smart TV and Firestick on the main LAN or CAM VLAN, so that they can access the Synology video server. I could have put them all on the IoT VLAN and created an IP-address-specific firewall rule so that they can access the fixed-IP Synology video server. But it seems too much work on something that can easily be gone around. Making it simple is the goal. Things are working, do not modify them.

        I am new to pfSense and I use most of the standard features and configurations on it.

        Thank you for all the inputs, always learn something new from this forum.

        Best Regards

        Pat

        • johnpoz LAYER 8 Global Moderator @Patian

          @patian said in Samsung Smart TV setup issue with pfSence:

          But it seems too much work on something that can easily be gone around.

          Huh? How would something easily go around a specific allow rule? I allow access to my plex server from my vlan where my players and tv sit, etc. What do you think would get around that? I don't care that things on this vlan access my plex on the plex port..

          Are you saying some IOT thing would change its ip to one of your other devices' IP and then access your server on port X.. Let's say some iot device was compromised and got around the dupe IP issue, or better yet, if you're really worried you could set static arp as well for those devices' mac. But again who cares if something accesses my plex server on port X.. Which is something I have allowed. But what I don't want is anything accessing anything, etc.

          So I am confused on your concern.. To the point you just put said device with free rein on the vlan you're wanting your iot devices not to access ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • NollipfSense @Patian

            @patian said in Samsung Smart TV setup issue with pfSence:

            But it seems too much work on something that can easily be gone around. Making it simple is the goal.

            To me, making it simple means using a managed switch instead of vlans...that's what I have done, as well as incorporating a Mikrotik just so I can turn off the cameras' access outside for calling home/firmware upgrades. I manually do that. John is correct though.

            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

            • johnpoz LAYER 8 Global Moderator @NollipfSense

              @nollipfsense said in Samsung Smart TV setup issue with pfSence:

              using a managed switch instead of vlans

              Huh? You would need a managed switch to vlan - or at least a switch that is considered smart ;) even if not a "fully" managed switch.


              • NollipfSense @johnpoz

                @johnpoz said in Samsung Smart TV setup issue with pfSence:

                @nollipfsense said in Samsung Smart TV setup issue with pfSence:

                using a managed switch instead of vlans

                Huh? You would need a managed switch to vlan - or at least a switch that is considered smart ;) even if not a "fully" managed switch.

                Should have said just a large enough managed switch so no need for vlan. I have a 24-port with 6 available.


                • johnpoz LAYER 8 Global Moderator @NollipfSense

                  @nollipfsense said in Samsung Smart TV setup issue with pfSence:

                  large enough managed switch so no need for vlan

                  Still confused.. If you do not create vlans on that switch, all of those ports would be in the same network/vlan

                  If you mean that you don't have to create vlans on pfsense and just use untagged (native) networks into pfsense interfaces. Ok but it's still vlans on the switch ;)

                  The only way to isolate networks on a switch is with vlans - doesn't matter if pfsense knows about them or not if using different uplinks from the switch for each vlan, they are still vlans. The only other way to isolate networks would be with physical switches for each network.

                  They might be "port" based vlans vs dot1q - but they are still "vlans" ;)


                  • johnpoz LAYER 8 Global Moderator @johnpoz

                    Maybe I am misunderstanding what his concern is?

                    Let's forget how the networks are isolated, be they vlans that pfsense knows about or not, just native networks. They could even be on different physical switches. The point is the networks are routed and firewalled through pfsense.

                    So I have a basic setup with 2 networks.

                    [image: networks.jpg]

                    I can for sure isolate iot network from talking to lan via firewall rules. But if I allow 1.100 to talk to my server at 0.100 on port X.. What is the concern? That some iot device on 1.99 would change its IP to be 1.100?

                    Not saying such a thing is not possible - but it's a pretty big leap.. For starters you're going to have a dupe IP.. Which in itself would be problematic, and you would prob know when stuff stops working - for your example your tv complaining about a dupe IP. You could run something like arpwatch to warn you of such an occurrence.

                    You could set static arp to prevent devices from using a different IP than what your static arp is. Again once there are duplicate devices on the network odd stuff is for sure going to start happening with talking to your original device(s)..

                    Let's say your iot was fully compromised and there was some hacker on it.. How would he know that he needs to change his IP to your TV IP to access your server, how would he even know about the server IP? And if he did do that - what exactly would he do? You have already allowed this service to be accessed, so have to assume it's secure in its own right, need to auth, need to have specific software? etc..

                    No matter what he changes his IP to - still he can only access this 1 service on this one server.

                    This is pretty tight tinfoil hat ;) And a real leap to what "could" happen.. But how is moving the TV to your lan easier or better.. Now your TV has access to everything on LAN, what if it's compromised? ;)

                    If you're that concerned, put it on its own vlan, say TV-Vlan..

                    Maybe I am just not understanding the concern?


                    • NollipfSense @johnpoz

                      @johnpoz Yes, no vlan on pfSense and a physical switch to isolate the network using the Mikrotik...so that port 2 of the Mikrotik connects to a physical Netgear managed switch for cameras, etc, and port 5 of the Mikrotik connects to the guest AP.


                      • johnpoz LAYER 8 Global Moderator @NollipfSense

                        @nollipfsense said in Samsung Smart TV setup issue with pfSence:

                        no vlan on pfSense

                        Nothing wrong with that - I have a few networks I run like that, vlans on my switch that pfsense has no idea about the tags, etc. Those vlans use their own uplink into pfsense.

                        And for sure it's an option, especially if not up to speed on tags or you just have switches that don't understand vlans. Nothing wrong with physical isolation..


                        • NollipfSense @johnpoz

                          @johnpoz said in Samsung Smart TV setup issue with pfSence:

                          What is the concern? That some iot device on 1.99 would change its IP to be 1.100?

                          Maybe he doesn't trust his DHCP server to randomly switch the IPs...but he could make it static in that case. All my cameras have static IP.


                          • johnpoz LAYER 8 Global Moderator @NollipfSense

                            @nollipfsense maybe? Maybe he just needs to set a reservation in his dhcp ;)

                            It's not an unheard-of practice from a security point of view for firewalled segments that will have different rules to be different. So you're not actually creating pinholes for specific IPs on a vlan. Either the whole vlan has access, or nothing does. And if something needs access to some other vlan or specific ips and services on a different one - put devices that need this access in a different vlan where you can create rules for the whole vlan vs specific IPs on the vlan.

                            But it does seem like a leap in concerns for a smaller network, maybe in a datacenter or larger enterprise with very strict security policies.

                            A dhcp reservation would ensure his specific device(s) would be the only thing with that IP(s) that are allowed to talk to the server on port X. If really concerned, set up static arp, and sure also run arpwatch to be alerted if the mac for IP xyz changes.

                            edit: If you were really concerned - and your devices are wired, you could set up port security on the switch ports. This would prevent a device from changing its mac and gaining access to the network via a different mac/ip combo that matched your firewall rules.


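As an added illustration of the monitoring johnpoz recommends above (this is not code from the thread, from pfSense or from arpwatch itself): a small Python check that compares observed ARP replies against the DHCP reservations the firewall pinholes were written for, and flags an IP whose MAC changes, a MAC that starts claiming a second IP, and the back-and-forth flip-flop that a duplicate IP produces. The reservation table and the ARP observations are constructed, with IPs taken from johnpoz's 1.100/1.99 example.

```python
"""Minimal arpwatch-style check over a constructed ARP observation log."""
from collections import defaultdict

# Constructed baseline: DHCP reservations / static ARP entries for the
# devices that the IP-specific firewall rules refer to.
RESERVATIONS = {
    "192.168.1.100": "aa:bb:cc:00:01:00",   # the TV allowed to reach the server
    "192.168.1.99":  "aa:bb:cc:00:00:99",   # some other IoT device on the segment
}

# Constructed observations, as (ip, mac) pairs in the order they were seen
# (e.g. from periodic `arp -an` snapshots or a passive sniffer).
OBSERVATIONS = [
    ("192.168.1.100", "aa:bb:cc:00:01:00"),
    ("192.168.1.99",  "aa:bb:cc:00:00:99"),
    ("192.168.1.100", "aa:bb:cc:00:00:99"),  # .99's MAC now answering for .100
    ("192.168.1.100", "aa:bb:cc:00:01:00"),  # real TV answers again: flip-flop
]


def check_arp(observations, reservations):
    """Return alerts as (kind, ip, old_mac, new_mac) tuples, in detection order.

    kind is 'unexpected-mac' (IP seen with a MAC other than its reservation),
    'multi-ip-mac' (one MAC claiming a second IP) or 'flip-flop' (an IP's MAC
    changing back to one seen earlier, the classic duplicate-IP symptom).
    """
    alerts = []
    last_seen = {}                      # ip -> most recent mac
    history = defaultdict(list)         # ip -> every mac observed so far
    ips_per_mac = defaultdict(set)      # mac -> ips it has answered for
    for ip, mac in observations:
        mac = mac.lower()
        expected = reservations.get(ip)
        if expected and mac != expected.lower():
            alerts.append(("unexpected-mac", ip, expected.lower(), mac))
        prev = last_seen.get(ip)
        if prev and prev != mac and mac in history[ip]:
            alerts.append(("flip-flop", ip, prev, mac))
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(("multi-ip-mac", ip, None, mac))
        history[ip].append(mac)
        last_seen[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in check_arp(OBSERVATIONS, RESERVATIONS):
        print(alert)
```

A real deployment would feed the function from a live ARP table or sniffer and page on any alert, since an 'unexpected-mac' for a reserved IP is exactly the MAC/IP swap the pinhole rule cannot see.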
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.