Smart TV using pfSense
-
@zaffy said in Smart TV using pfSense:
Will I be able to setup a policy on a WAN only network ?
Huh.. Not going to route anything with only 1 network.. pfSense is a "router" and firewall - to route, you need more than one network.. Not sure how you expect to route if you only have 1 network. You need another interface, or you need to have VLANs - so pfSense can route between networks..
You might be able to do some sort of router on a stick with pfSense only having the WAN interface, and from there creating your VPN connection, and then pointing what you want to use the VPN at pfSense as its gateway..
But just get another interface.. Or a VLAN-capable switch and do it with VLANs..
-
I guess the VPN would be another interface and it might technically be possible by passing different gateways to clients but.... that's a horrible setup!
-
I built a Linux box and installed Nord
Opened up the firewall for all of the relevant ports.
Set all outbound traffic to use the VPN. Set the TV gateway to this box.
It seems to work well.
-
Yup, and you could do that using pfSense in the same way. However, you could very easily hit asymmetry issues at some point down the line, and if that happens, diagnosing it might be challenging as not all the traffic goes through the same gateway.
-
@zaffy said in Smart TV using pfSense:
I built a Linux box and installed Nord
Opened up the firewall for all of the relevant ports.
Set all outbound traffic to use the VPN. Set the TV gateway to this box.
It seems to work well.
I'm doing exactly the same for my ATV & WiFi VPNs.
I have a little i3 that runs free VMware, and I have made 3 x 2 GB (RAM) virtual Linux instances for OpenVPN to ... "whatever".
The Linux runs DNS + DHCP + iptables & OpenVPN, and is basically a "self-contained unit", just needing a "default gateway".
Make a separate (closed) VLAN for the virtual Linux VPN box.
Connect the Linux net interface + pfSense VLAN interface to the VLAN, and set the Linux def-gw to point at the pfSense IF.
In pfSense, deny any from the VLAN network to RFC1918, then allow any from the Linux IP to "any" (use pfSense as def-gw).
If WiFi VPN, make a separate SSID, connect to the VPN VLAN, set the Linux DHCP to hand out the Linux IP as def-gw ... Done.
I wanted the ease & flexibility of OpenVPN config files, to be able to point that VPN to "whatever" in a minute ... not fiddling with the pfSense OpenVPN config.
If I need to be "cloaked" .. I just point my lappy to one of the VPN SSIDs, and the Linux box handles the rest .... And I can switch to another VPN server by just ssh'ing to the Linux box and starting up another config file.
Avoiding a DNS leak, easiest is using 8.8.8.8 or 1.1.1.1 on the Linux box.
If you wanted to use the VPN provider's DNSes .. some Linux tweaking might be required,
as Linux seems to remember the "boot DNS" after the OpenVPN DNSes are handed down,
resulting in it remembering/using both the boot DNS and the VPN DNSes.
The boot DNS might "leak" if set to a local DNS, i.e. pfSense/Bingo.
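The two pieces of the "self-contained" Linux VPN box described above, as an added shell example (not code from the thread or from bingo600's setup). The first function prints an iptables-restore ruleset that only ever forwards the VLAN's traffic into the tunnel, so if OpenVPN drops, nothing is hairpinned back out to pfSense (a kill switch; a leftover "boot" resolver pointing at pfSense is then dropped too rather than leaking). The second is the logic for an OpenVPN --up/--down script that builds resolv.conf from the DNS servers the VPN pushed and nothing else, which is the fix for the "Linux keeps both the boot DNS and the VPN DNS" behaviour. The interface names (eth0, tun0), the VLAN 10.77.0.0/24 and the VPN server 203.0.113.10:1194/udp are assumed for illustration:

```shell
#!/bin/sh
# Added example, not from the thread. Single-armed Linux VPN box on its own
# VLAN: pfSense is its default gateway, the TV/laptops use the box as theirs.
# Assumed for illustration: eth0 is the only NIC, VLAN 10.77.0.0/24, tunnel tun0,
# VPN server 203.0.113.10 udp/1194.
LAN_IF=eth0
LAN_NET=10.77.0.0/24
VPN_IF=tun0
VPN_SERVER=203.0.113.10
VPN_PORT=1194

# Print an iptables-restore ruleset (load with: render_rules | iptables-restore).
render_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# clients leave with the tunnel address, never with their own
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services the box offers to the VLAN: DHCP, DNS, ssh (to switch .ovpn files)
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only forwarding path is VLAN -> tunnel; VLAN -> eth0 (pfSense) hits DROP,
# so with the tunnel down the clients go nowhere instead of out the WAN
-A FORWARD -i $LAN_IF -s $LAN_NET -o $VPN_IF -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the box itself may only talk to the VPN server in the clear; put an IP in the
# .ovpn 'remote' line, since the name cannot be resolved before the tunnel is up
-A OUTPUT -o $LAN_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $VPN_IF -j ACCEPT
COMMIT
EOF
}

# OpenVPN exports pushed options as foreign_option_1..N in the environment of
# the --up script. Emit resolv.conf lines for the DNS/DOMAIN ones only.
vpn_resolv_conf() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# --up: set the boot resolv.conf aside and REPLACE it (not append to it).
# --down: put the boot copy back. $1 is the resolv.conf path, a parameter so
# the logic can be exercised on a temporary file.
vpn_up() {
    if [ -f "$1" ]; then cp "$1" "$1.pre-vpn"; fi
    vpn_resolv_conf > "$1"
}
vpn_down() {
    if [ -f "$1.pre-vpn" ]; then mv "$1.pre-vpn" "$1"; fi
}

# Wire into the .ovpn with:  script-security 2 / up <this file> / down <this file>
# OpenVPN tells the script which hook is running via script_type.
case "${script_type:-}" in
    up)   vpn_up /etc/resolv.conf ;;
    down) vpn_down /etc/resolv.conf ;;
esac
```

On a host where /etc/resolv.conf is a symlink managed by systemd-resolved or NetworkManager, overwriting the file is undone by the manager; there the --up hook should instead point the resolver at the tunnel with `resolvectl dns tun0 <pushed servers>` and `resolvectl domain tun0 '~.'`. Note that the kill-switch ruleset also covers a client that is hard-coded to use DoH: the box cannot filter or redirect that DNS, but the traffic still only has tun0 as a way out.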
-
@bingo600
Some good ideas here for a future project - appreciated. My current solution seems stable enough and was more of a proof of concept than anything else.
I'm going to source some dedicated fanless hardware and build a better solution for the entire house so I can access devices remotely via pfSense.
-
@bingo600 could DoH cause problems with DNS in this situation also?
-
@jonathanlee
Define problem .... But DoH isn't blocked by the Linux box, if that's what you're asking.
-
@bingo600 I mean that if you do not set up some controls for DoH, it could also cause issues.
-
If some client was hard-coded to use DoH then any local filtering/redirecting would not apply to it. However, it would still be routed the same as any other traffic from that host, so it should work OK.
Steve