Samsung Smart TV setup issue with pfSence
-
Hi,
Recently I reset the Samsung SmartTV and tried to re-install all the TV apps and re-configure the connection. The TV is connected to the internet via Ethernet cable and the IP setting indicates the TV is connected and obtained an IP address from the Netgate device. But when it came to the "terms and privacy" page on the SmartTV, the TV failed to connect to the Samsung server, with an error message saying "the connection is unstable". It was rather strange to see that, as before the reset everything was working fine. I changed the Ethernet cable, tried to use a WiFi connection instead of cable and received the same error message.
Without the registration with the Samsung server, I would not be able to use any of the SmartTV features. I disabled pfBlockerNG and it did not make any difference.
In the meantime, I got a new Samsung smart TV from the Black Friday deal and I am seeing the same error message, "the connection is unstable"; it failed to register with Samsung's server.
I suspected it is pfSense causing this and I only have some very basic firewall rules. I am not sure how I could fix this. I put my ISP-provided router back into the network and I was able to complete the 2 SmartTV registrations and setup. After it was completed, I switched it back to the Netgate device. Now the 2 SmartTVs are working as they should.
It is a quick and easy fix if you have a similar problem on a new SmartTV setup. You do not need to change any configuration on pfSense.
Generally, once you have set up the SmartTV, you would not change any of its configuration. So it could be just a one-time trouble. Do not unplug or plug devices into your SmartTV after the setup. Your SmartTV may not be able to detect the device, hence you would not be able to program Samsung's universal remote, especially with the Amazon Fire TV stick.
The TVs are on the main LAN and I can see both TVs in Samsung's SmartThings app. I have a main LAN, Camera VLAN and IoT VLAN.
It would be great if there were a solution to fix it through the pfSense configuration instead of switching hardware.
-
@patian said in Samsung Smart TV setup issue with pfSence:
I disabled the pfBlockerNG and it did not make any difference.
Just as I had thought, I figured you had pfBlockerNG; however, you'll need to reboot pfSense after disabling it.
-
Yes, it's almost certainly something pfBlocker is denying access to.
You should also check Snort/Suricata if you have either installed and running in blocking mode.
Steve
-
All so-called "smart" TVs are nothing more than spy hardware, and as such should not be connected to the internet at all. We are sacrificing so much privacy for convenience; it's ridiculous. Creating a Samsung account and exposing all your data to them basically defeats the purpose of pfSense and pfBlockerNG. Why bother with it in the first place? If you need internet access on your TV for streaming and all that stuff, go with another brand. Go for an Android TV that can be rooted just like a phone. That way you can debloat the factory firmware, disable all spyware, and use 3rd-party applications that won't force you to watch 3 minutes of ads on a 10 sec video.
I know it's kinda off topic and many will disagree with me, but I just had to say it.
-
Hi All,
Thank you for all the replies. I did a bit of further testing. After I completed the setup on the SmartTV, everything seemed to work well, except the SmartTV software update. Error message: "Unstable connection".
I tried disabling pfBlockerNG and rebooting pfSense. It did not make any difference.
I have both pfBlockerNG and Suricata running, no Snort, with minimal configuration.
I checked Reports > Alerts > DNSBL Block under pfBlockerNG; I saw a BLOCK entry with a Samsung domain every time I initiated the software update on the 2 SmartTVs. I clicked on it and added the domain to the whitelist, then rebooted pfSense. The SmartTV software update was still unable to connect. Where can I inspect the whitelist entry in pfBlockerNG?
On the portal page of pfSense, I disabled the pfb_filter, i.e. the pfBlockerNG firewall filter, temporarily and then I tried the software update again.
The update was successful. So this could be an easier solution than switching the hardware to do a SmartTV setup.
With regard to the use of SmartTVs: I do not see much difference between a SmartTV (Samsung), 4K Fire Stick (Amazon) or smartphone (Samsung, Google or Apple). They all collect some user data and it is something we have to live with and try our best to protect ourselves. The only way to absolutely protect one's privacy is not to use their services: stop shopping on Amazon, using Facebook, Instagram, watching YouTube or cable (the cable box collects your data too), using Google services (Maps, Calendar, Gmail), listening on Spotify or Amazon Music, etc.
I think pfBlockerNG has done a good job of blocking unwanted spying; upon reviewing its report, to some degree it has protected user privacy.
I just want to know an easier solution to resolve the SmartTV setup and software update difficulties. I can live with the procedure of disabling/enabling the pfb_filter whenever I need to do so. It is easier than switching back and forth between the Netgate device and the original ISP router.
-
It seems like it's hitting a DNSBL entry. Disabling the pfb_filter service would not affect that. So it could also be hitting an IP list.
You can see the DNSBL whitelist on the main DNSBL config page. It is collapsed by default. You should check the Reports > Alerts tab in pfBlocker to make sure you're not seeing it in both the DNS and IP components.
I would certainly consider separating IoT devices onto a different interface if you can.
Steve
-
Hi Steve,
Thank you for your advice.
I am able to locate the whitelist and the 2 Samsung entries have been added. I checked the Reports > Alerts tab in pfBlocker. I no longer see Samsung's domain entry in the DNSBL. Before all the changes I made, there were no Samsung IP components in the DNSBL. Samsung only appeared in the domain. In addition, I enabled the TOP1M whitelist under the DNSBL tab, using Cisco Umbrella TOP1M.
Now I have pfb_filter running, and every time I initiate a SmartTV software update on both smart TVs, they work, even better.
I have an IoT VLAN for all the smart devices, i.e. switches, cat cam, plugs and Amazon Echos. I also have a CAM VLAN for all the security cameras and the Synology server. The main LAN is for PCs, Apple devices, SmartTVs and the Fire Stick.
I have simple firewall rules: prevent VLANs from crossing to other networks and/or only internet access. As a result, I have to put the SmartTVs and Fire Stick on the main LAN or CAM VLAN, so that they can access the Synology video server. I could have put them all on the IoT VLAN and created IP-address-specific firewall rules so that they can access the fixed-IP Synology video server. But it seems too much work on something that can easily be gotten around. Making it simple is the goal. Things are working; do not modify them.
I am new to pfSense and I use most of the standard features and configurations on it.
Thank you for all the input; I always learn something new from this forum.
Best Regards
Pat
-
@patian said in Samsung Smart TV setup issue with pfSence:
But it seems too much work on something that can easily be gotten around.
Huh? How would something easily get around a specific allow rule? I allow access to my Plex server from my VLAN where my players and TV sit, etc. What do you think would get around that? I don't care that things on this VLAN access my Plex on the Plex port.
Are you saying some IoT thing would change its IP to one of your other devices' IPs and then access your server on port X? Let's say some IoT device was compromised and got around the dupe IP issue; or better yet, if you're really worried, you could set static ARP as well for those devices' MACs. But again, who cares if something accesses my Plex server on port X, which is something I have allowed? What I don't want is anything accessing anything, etc.
So I am confused about your concern, to the point that you just put said device with free rein on the VLAN you're wanting your IoT devices not to access ;)
-
@patian said in Samsung Smart TV setup issue with pfSence:
But it seems too much work on something that can easily be gotten around. Making it simple is the goal.
To me, making it simple means using a managed switch instead of VLANs... that's what I have done, as well as incorporating a Mikrotik just so I can turn off the cameras' access outside for calling home/firmware upgrades. I manually do that. John is correct though.
-
@nollipfsense said in Samsung Smart TV setup issue with pfSence:
using a managed switch instead of vlans
Huh? You would need a managed switch to VLAN, or at least a switch that is considered smart ;) even if a "fully" managed switch.
-
@johnpoz said in Samsung Smart TV setup issue with pfSence:
@nollipfsense said in Samsung Smart TV setup issue with pfSence:
using a managed switch instead of vlans
Huh? You would need a managed switch to VLAN, or at least a switch that is considered smart ;) even if a "fully" managed switch.
Should have said just a large enough managed switch so there is no need for VLANs. I have a 24-port with 6 available.
-
@nollipfsense said in Samsung Smart TV setup issue with pfSence:
large enough managed switch so there is no need for VLANs
Still confused. If you do not create VLANs on that switch, all of those ports would be in the same network/VLAN.
If you mean that you don't have to create VLANs on pfSense and just use untagged (native) networks into pfSense interfaces, OK, but it's still VLANs on the switch ;)
The only way to isolate networks on a switch is with VLANs; it doesn't matter if pfSense knows about them or not. If using different uplinks from the switch for each VLAN, they are still VLANs. The only other way to isolate networks would be with physical switches for each network.
They might be "port"-based VLANs vs dot1q, but they're still "VLANs" ;)
-
Maybe I am misunderstanding what his concern is?
Let's forget how the networks are isolated, be it VLANs that pfSense knows about or not, or just native networks. They could even be on different physical switches. The point is the networks are routed and firewalled through pfSense.
So I have a basic setup with 2 networks.
I can for sure isolate the IoT network from talking to the LAN via firewall rules. But if I allow 1.100 to talk to my server at 0.100 on port X, what is the concern? That some IoT device on 1.99 would change its IP to be 1.100?
Not saying such a thing is not possible, but it's a pretty big leap. For starters you're going to have a dupe IP, which in itself would be problematic, and you would probably know when stuff stops working; for your example, your TV complaining about a dupe IP. You could run something like arpwatch to warn you of such an occurrence.
You could set static ARP to prevent devices from using a different IP than what your static ARP is. Again, once there are duplicate devices on the network, odd stuff is for sure going to start happening with talking to your original device(s).
Let's say your IoT was fully compromised and there was some hacker on it. How would he know that he needs to change his IP to your TV IP to access your server? How would he even know about the server IP? And if he did do that, what exactly would he do? You have already allowed this service to be accessed, so you have to assume it's secure in its own right: needs to auth, needs to have specific software, etc.
No matter what he changes his IP to, still he can only access this 1 service on this one server.
This is a pretty tight tinfoil hat ;) And a real leap to what "could" happen. But how is moving the TV to your LAN easier or better? Now your TV has access to everything on the LAN; what if it's compromised? ;)
If you're that concerned, put it on its own VLAN, say TV-VLAN.
Maybe I am just not understanding the concern?
-
@johnpoz Yes, no VLAN on pfSense and a physical switch to isolate the network using the Mikrotik... so that port 2 of the Mikrotik connects to a physical Netgear managed switch for cameras, etc., and port 5 of the Mikrotik connects to the guest AP.
-
@nollipfsense said in Samsung Smart TV setup issue with pfSence:
no VLAN on pfSense
Nothing wrong with that; I have a few networks I run like that, VLANs on my switch where pfSense has no idea about the tags, etc. Those VLANs use their own uplink into pfSense.
And for sure it's an option, especially if you're not up to speed on tags or you just have switches that don't understand VLANs. Nothing wrong with physical isolation.
-
@johnpoz said in Samsung Smart TV setup issue with pfSence:
What is the concern? That some IoT device on 1.99 would change its IP to be 1.100?
Maybe he doesn't trust his DHCP server not to randomly switch the IPs... but he could make it static in that case. All my cameras have static IPs.
-
@nollipfsense maybe? Maybe he just needs to set a reservation in his DHCP ;)
It's not an unheard-of practice from a security point of view for firewalled segments that will have different rules to be different. So you're not actually creating pinholes for specific IPs on a VLAN. Either the whole VLAN has access, or nothing does. And if something needs access to some other VLAN or to specific IPs and services on a different one, put the devices that need this access in a different VLAN where you can create rules for the whole VLAN vs specific IPs on the VLAN.
But it does seem like a leap in concerns for a smaller network; maybe in a datacenter or larger enterprise with very strict security policies.
A DHCP reservation would ensure his specific device(s) would be the only thing with that IP(s) that is allowed to talk to the server on port X. If really concerned, set up static ARP, and sure, also run arpwatch to be alerted if the MAC for IP xyz changes.
edit: If you were really concerned, and your devices are wired, you could set up port security on the switch ports. This would prevent a device from changing its MAC and gaining access to the network via a different MAC/IP combo that matched your firewall rules.
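As an added example (not from this thread, and not arpwatch's own code), the following Python replays the detection John describes here and in his earlier post: it watches ARP observations on a segment such as the IoT VLAN and raises an alert when the MAC answering for an IP changes, flips back to an earlier MAC, or differs from a DHCP reservation / static ARP entry. The observations, IP addresses, MAC addresses and timestamps are all constructed; the event names borrow arpwatch's terminology.

```python
"""Arpwatch-style detection of IP-to-MAC changes on a firewalled segment.

Added example, not part of the forum thread. It replays a constructed list
of ARP observations (what a sniffer or arpwatch would see on the wire) and
emits alerts when the MAC claiming an IP changes, or differs from the MAC a
DHCP reservation / static ARP entry says should own that IP.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpObservation:
    ts: str   # constructed timestamp string
    ip: str   # IP address seen in the ARP reply/request
    mac: str  # hardware address that answered for it


@dataclass
class ArpWatcher:
    # ip -> expected MAC from a DHCP reservation or static ARP entry (constructed)
    reservations: dict
    # ip -> ordered list of MACs observed so far
    history: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, obs):
        """Record one observation and return the alerts it triggered."""
        mac = obs.mac.lower()
        seen = self.history.setdefault(obs.ip, [])
        found = []
        if not seen:
            found.append(self._alert("new station", obs, mac, None))
            seen.append(mac)
        elif seen[-1] != mac:
            # A return to the MAC seen just before the current one is what
            # arpwatch reports as a "flip flop": two devices fighting for one IP.
            kind = "flip flop" if len(seen) >= 2 and seen[-2] == mac else "changed ethernet address"
            found.append(self._alert(kind, obs, mac, seen[-1]))
            seen.append(mac)
        expected = self.reservations.get(obs.ip)
        if expected is not None and expected.lower() != mac:
            # The firewall pinhole is keyed on this IP; a different MAC using it
            # is exactly the case a reservation / static ARP is meant to pin down.
            found.append(self._alert("reservation mismatch", obs, mac, expected.lower()))
        self.alerts.extend(found)
        return found

    @staticmethod
    def _alert(kind, obs, mac, previous):
        return {"kind": kind, "ts": obs.ts, "ip": obs.ip, "mac": mac, "previous": previous}


# Constructed reservation: the TV is pinned to 192.168.1.100 by DHCP / static ARP.
RESERVATIONS = {"192.168.1.100": "02:00:00:00:01:00"}

# Constructed observations. Locally administered MACs (02:...) are used so no
# real vendor OUI is implied.
SAMPLE_OBSERVATIONS = [
    ArpObservation("12:00:01", "192.168.1.100", "02:00:00:00:01:00"),  # TV answers for its own IP
    ArpObservation("12:00:02", "192.168.1.99", "02:00:00:00:00:99"),   # IoT plug on its own IP
    ArpObservation("12:00:03", "192.168.1.100", "02:00:00:00:01:00"),  # steady state, no alert
    ArpObservation("12:00:04", "192.168.1.100", "02:00:00:00:00:99"),  # plug's MAC now claims the TV's IP
    ArpObservation("12:00:05", "192.168.1.100", "02:00:00:00:01:00"),  # TV answers again: flip flop
]


def replay(observations, reservations):
    """Feed every observation through a fresh watcher and return all alerts."""
    watcher = ArpWatcher(dict(reservations))
    for obs in observations:
        watcher.observe(obs)
    return watcher.alerts


if __name__ == "__main__":
    for alert in replay(SAMPLE_OBSERVATIONS, RESERVATIONS):
        print(f"{alert['ts']} {alert['kind']:<25} {alert['ip']:<15} "
              f"{alert['mac']} (previous: {alert['previous']})")
```

Only the fourth observation produces a "reservation mismatch", because that is the one where an address other than the reserved MAC answers for the TV's IP; the "changed ethernet address" and "flip flop" alerts would fire even without a reservation table, which is why running something like arpwatch is useful on its own.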