    Smart TV using pfSense

    General pfSense Questions

      zaffy

      Hi,

      I'm new to pfSense and would like to build a box with it to solve an issue.

      Issue - Need to connect my Smart TV to a Nord VPN.

      As-is configuration
      ISP router/wifi connected to switch. Switch connected to 3 devices including the smart tv.

      Will it be possible to connect the pfSense box to the switch and forward only TV traffic via OpenVPN/Nord tunnel and leave all other traffic as it currently is?

      The box I would use only has 1 LAN port so would rely on the switch for connectivity.

      I was thinking that the TV's gateway would need to be the pfSense box and the pfSense box would only need to deal with the TV's outbound rules.

      Any help appreciated on this and I hope this is not too silly!😁

        NogBadTheBad @zaffy

        @zaffy Check out policy based routing.

        https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          johnpoz LAYER 8 Global Moderator @zaffy

          @zaffy I am going to take a stab in the dark and guess you're wanting to circumvent geo restrictions on streaming services. While sure you can easily policy route traffic of any client out a vpn you have setup per the link @NogBadTheBad provided.

          Keep in mind this may or may not work how you think it will. Have you validated it works on say a normal client first, ie you can watch what you want via the vpn connection?

          Many streamers block known vpn IPs - it's a whack-a-mole sort of game.. So what you're wanting to accomplish may or may not work, it may work today, but not tomorrow, etc.

          But sure it's pretty easy to route traffic out a vpn via pfsense policy routing.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            stephenw10 Netgate Administrator

            You will want to set the TV with a static DHCP lease so that it always has the same IP. And you probably want to pass it an external DNS server to use such as the VPN provider's DNS server(s). Otherwise the DNS requests will appear to come from a different location and bad things will happen!

              johnpoz LAYER 8 Global Moderator @stephenw10

              @stephenw10 said in Smart TV using pfSense:

              different location and bad things will happen!

              Define bad for who? ;)

              If the streaming service blocks users trying to geo circumvent policy then that would be a good thing ;) For the streaming service.

                zaffy @johnpoz

                @johnpoz said in Smart TV using pfSense:

                @zaffy I am going to take a stab in the dark and guess you're wanting to circumvent geo restrictions on streaming services. While sure you can easily policy route traffic of any client out a vpn you have setup per the link @NogBadTheBad provided.

                johnpoz, Thanks. Geo restrictions - Sure this is part of the objective but I would like to use this exercise to get to know pfSense a bit better and then to deploy it for my cameras and other devices so that it eventually will become my main firewall/router. I can confirm that Geo restrictions are lifted by the VPN so hopefully this idea will work too.

                  zaffy @NogBadTheBad

                  @nogbadthebad - Thanks for this. It looks like I will need a dual NIC box or have to get a managed switch to set up VLANs. My current switches are all unmanaged unfortunately.

                    johnpoz LAYER 8 Global Moderator @zaffy

                    @zaffy you don't have to actually put the tv in a different network/vlan to use policy routing. You can route a specific IP out a vpn via policy route rule with just one lan network..

                    Example:

                    So my normal IP when going just out my normal ISP connection. Funny that same first octet ;) Then create a policy route for my PC IP, killed all the states for my pc so new connections use the new policy route. And see that my IP is now the IP of my vpn connection.

                    policyroute.jpg

                    Notice in the rule as well that you see traffic and states using the policy route rule the 18/4.87 MB

                      NogBadTheBad @johnpoz

                      Just remember if you follow the NordVPN instructions tick don't pull routes, otherwise the default route for everything is NordVPN.

                      Screenshot 2023-01-18 at 15.26.59.png

                      Andy

                        zaffy @johnpoz

                        @johnpoz Appreciate this.

                        One thing though, when I installed pfSense it couldn’t find any LANs but only the WAN. This I believe is because I only have one NIC and all my devices are on the same network (what pfSense calls a LAN) - they are all on 192.168.0

                        I can login to the web configurator on the IP address it assigned from DHCP.

                        Will I be able to set up a policy on a WAN only network?

                          johnpoz LAYER 8 Global Moderator @zaffy

                          @zaffy said in Smart TV using pfSense:

                          Will I be able to set up a policy on a WAN only network?

                          Huh.. Not going to route anything with only 1 network.. Pfsense is a "router" and firewall - to route, you need more than one network.. Not sure how you expect to route if you only have 1 network. You need another interface, or you need to have vlans - so pfsense can route between networks..

                          You might be able to do some sort of router on a stick with pfsense only having the wan interface, and from there creating your vpn connection. And then pointing what you want to use the vpn to pfsense as its gateway..

                          But just get another interface.. Or a vlan capable switch and do it with vlans..

                            stephenw10 Netgate Administrator

                            I guess the VPN would be another interface and it might technically be possible by passing different gateways to clients but.... that's a horrible setup!

                              zaffy

                              I built a Linux box and installed Nord
                              Opened up the firewall for all of the relevant ports.
                              Set all outbound traffic to use the VPN.

                              Set the TV gateway to this box.

                              It seems to work well.

                                stephenw10 Netgate Administrator

                                Yup, and you could do that using pfSense in the same way. However you could very easily hit asymmetry issues at some point down the line. And if that happens diagnosing it might be challenging as not all the traffic goes through the same gateway.

                                  bingo600 @zaffy

                                  @zaffy said in Smart TV using pfSense:

                                  I built a Linux box and installed Nord
                                  Opened up the firewall for all of the relevant ports.
                                  Set all outbound traffic to use the VPN.

                                  Set the TV gateway to this box.

                                  It seems to work well.

                                  I'm doing exactly the same for my ATV & WiFi-VPN's

                                  I have a little i3 that runs Free VMware , and I have made 3 x 2-GB (Ram) virtual Linux instances for OpenVPN to ... "whatever".
                                  The Linux runs DNS + DHCP + iptables & OpenVPN, and is basically a "selfcontained unit", just needing a "default gateway".

                                  Make a separate (closed) Vlan for the virtual Linux VPN Box.
                                  Connect Linux net interface + pfSense vlan interface to the Vlan , and set linux def-gw to point at pfSense IF.

                                  In pfSense Deny any from Vlan network to RFC1918 , then allow any from linux ip to "any" (use pfS as def-gw)

                                  If WiFi VPN , make a separate SSID , connect to the VPN Vlan , set linux DHCP to hand out linux ip as def-gw ... Done

                                  I wanted the ease & flexibility from OpenVPN config files , to be able to point that VPN to "whatever" in a minute ... Not fiddling with pfSense OpenVPN config.

                                  If I need to be "cloaked" .. I just point my lappy to one of the VPN SSID's , and the linux box handles the rest .... And I can switch to another VPN server, by just ssh'ing to the linux and start up another config file.

                                  Avoiding DNS Leak , easiest is using 8.8.8.8 or 1.1.1.1 on the linux box.

                                  If you wanted to use the VPN provider's DNS'es .. Some linux tweaking might be required.
                                  As linux seems to remember the "boot dns" after the OpenVPN DNS'ses are handed down.
                                  Resulting in it will remember/use both the boot DNS , and the VPN DNS'es
                                  The boot dns might "leak" , if set to a local DNS , ie. pfSense

                                  /Bingo

                                  If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                  pfSense+ 23.05.1 (ZFS)

                                  QOTOM-Q355G4 Quad Lan.
                                  CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                  LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                  Z JonathanLeeJ 2 Replies Last reply Reply Quote 1
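
Added example (not written by any poster in this thread): a small shell check for the DNS leak described in the post above, where a boot-time LAN resolver such as pfSense stays in the resolver list after OpenVPN hands down its own. The function names and the sample addresses are constructed for illustration; the check covers IPv4 only.

```shell
#!/bin/sh
# Flag nameservers in resolv.conf-style input that sit on a private
# (RFC1918) address, i.e. a LAN resolver that answers outside the tunnel.

# classify_ns ADDR -> prints "local", "stub" or "public"
classify_ns() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo local ;;
        127.*)
            # Loopback stub resolver: its upstream servers are configured
            # elsewhere and have to be checked separately.
            echo stub ;;
        *)
            echo public ;;
    esac
}

# leaky_resolvers: reads resolv.conf text on stdin and prints every
# RFC1918 nameserver, one per line. Prints nothing when none is found.
leaky_resolvers() {
    while read -r key addr _rest; do
        [ "$key" = "nameserver" ] || continue
        if [ "$(classify_ns "$addr")" = "local" ]; then
            echo "$addr"
        fi
    done
}

# Constructed sample: the boot-time LAN resolver is still listed next to
# two resolvers pushed by the VPN (documentation-range addresses).
SAMPLE='# constructed sample, not taken from a real host
search lan
nameserver 192.168.0.1
nameserver 198.51.100.53
nameserver 203.0.113.53'

printf '%s\n' "$SAMPLE" | leaky_resolvers
```

On the VPN box itself the same function can be fed the live file with `leaky_resolvers < /etc/resolv.conf` once the tunnel is up.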
                                    zaffy @bingo600

                                    @bingo600
                                    Some good ideas here for a future project - appreciated.

                                    My current solution seems stable enough and was more of a proof of concept than anything else.

                                    I’m going to source some dedicated fanless hardware and build a better solution for the entire house so I can access devices remotely via pfSense.

                                      JonathanLee @bingo600

                                      @bingo600 could DoH cause problems with DNS in this situation also?

                                      Make sure to upvote

                                        bingo600 @JonathanLee

                                        @jonathanlee
                                        Define problem ....

                                        But DOH isn't blocked by the linux box, if that's what you ask

                                          JonathanLee @bingo600

                                          @bingo600 I mean that if you do not set up some controls for DoH that it could also cause issues.

                                            stephenw10 Netgate Administrator

                                            If some client was hard coded to use DoH then any local filtering/redirecting would not apply to it. However it would still be routed the same as any other traffic from that host so it should work OK.

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.