Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need assistance willing to pay up

    Scheduled Pinned Locked Moved Community Job Board
    52 Posts 8 Posters 12.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      At least they seem to give you the option of entering an IP manually. That's more than many app developers doing similar things.

      D 1 Reply Last reply Reply Quote 0
      • D
        Digital_ADHD @stephenw10
        last edited by

        @stephenw10 yeah that's kind of cool but it didn't work unfortunately not sure why it still needed to discover it

        1 Reply Last reply Reply Quote 0
        • H
          hodgiers @johnpoz
          last edited by

          @johnpoz said in Need assistance willing to pay up:

          To be honest allowing multicast from 1 vlan into another vlan defeats the whole purpose of vlan isolation. If your going to allow that you almost might as well just run everything on the 1 vlan.

          @johnpoz How is allowing multicast between defeating the purpose of vlan isolation?

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Because you just joined the L2s, they are no longer 2 different networks.. You might as just put everything on 1 L2 and not have to deal with any of such issues.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            H 1 Reply Last reply Reply Quote 0
            • H
              hodgiers @johnpoz
              last edited by

              @johnpoz So while I can now connect to some device in my iot vlan over a random udp port after making changes to allow Roku through... the IOT vlan isn't capable of connecting back to my super secret server with ssh exposed.
              Badly implemented network stacks in the Roku app does not mean segmenting networks and poking holes in them to allow known services through is a bad idea - it's the entire point of segmentation.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                L2 discovery makes it easy for grandma to find her shiny new roku from here phone.. But should be able to just point the IP in the client.. So I can open the port(s) needed and be done with it..

                I shouldn't be letting anything in L2 A discover anything it wants in L2 B.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                H 1 Reply Last reply Reply Quote 0
                • H
                  hodgiers @johnpoz
                  last edited by

                  @johnpoz
                  The ability to discover and the ability to connect are two very different things.
                  I can discover what the IP address of company's SMTP server is all day, it does not mean I can connect to it. In fact, I can "discover" infrastructure all day courtesy of the internetz and dns records but that doesn't mean much thanks to segmentation.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Oh my gawd you have users here hiding their rfc1918 space because they think they are giving away something... While you think its ok for all your iot devices on your isolated vlan to discover anything they want on any other vlan you have...

                    Have at it... It not good practice..

                    here
                    https://www.sans.org/reading-room/whitepapers/networkdevs/paper/246
                    IPv4 Multicast Security: A Network Perspective

                    In some home network is not a big deal most likely.. But the problem is letting people think its ok to just have data flow from 1 L2 to another L2 is introducing them to bad security practice..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 1
                    • D
                      Digital_ADHD
                      last edited by

                      @johnpoz So to that point we should not use Avahi, IGMP Proxy, and disallow IGMP from leaving L2?
                      Thank you.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Ideally, yes.

                        But as with many things security vs convenience is a trade off. If you are aware of the risks then you can make an informed decision about the convenience.

                        As has been said for most home users the risks with allowing multicast between L2 segments are minimal but increased convenience is substantial. But that's not the case in other environments.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          @Digital_ADHD said in Need assistance willing to pay up:

                          we should not use Avahi, IGMP Proxy, and disallow IGMP from leaving L2?

                          In my opinion no you shouldn't I sure wouldn't use them.. But your take might be different.. Without fully understanding the security implications that might be involved, its better to just isolate them completely.. Like these iot devices. I wouldn't put them on my normal vlans. The only thing I allow my roku's to do from their vlan is talk to my plex on 32400. I have found zero reason to allow multicast from 1 L2 to another in my home.. You know the simple solution for air printing to your printer from your wifi network.. Put the printer on the same vlan.. Done - no L2 boundaries to cross no avahi to setup, etc.

                          My devices on my lan network have no issues getting to the printer, since they just print to the IP.. But when my wife wants to print from her phone or tablet.. She can still use L2 discovery to find it (airprint).. Now no multicast spreading into any of my other vlans.. Its isolated to that L2 those devices using that shit are on.. Be it a security concern or not - its noise I don't need my other networks.

                          My iot devices are isolated - what exactly would they be discovering.. Other than joining that IOT wireless vlan to setup a new devices that needs L2 discovery have zero reason for my mobile devices to join that network Once the devices are discovered I don't need to be on that network... I can control my roku's just fine from my phone without being on the roku vlan... Need to join it once to discover any new roku's but once the roku is found no need to be on that vlan again.

                          Don't need to be on any specific L2 to control any of my smart lightbulbs, power outlets, etc.

                          The big word used here is "convenience" which is always going to be at the cost of security. If what you want is for shit to be convenient.. Why not just 1 flat network, where everything is on the same L2.. Its easy that way ;)

                          Just because pfsense provides a feature, doesn't mean you "have" to use it ;) Its provided for the people that want to use it, or maybe need to use since sure that would be better than 1 flat network ;) But its not something that to be honest should be required.. I have many a techy device in my home. Alexa's, Smart Bulbs, I get alerted when my garage door opens and closes, can control from my phone even. My thermostat is connected, nest protect, harmony remote, etc. etc. None which any of them require to break the L2 boundary to function. All of these devices are isolated to their own vlans and don't touch any other network.. Other than the roku's can talk to my plex.. And I let them talk to my ntp server that is on its own isolated dmz vlan.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.