# Roku + Gentoo router (for privacy)

## grant123

How should I configure my Gentoo router to handle a wired Roku for network privacy?

----------

## pietinger

It depends on your router (and its features), how you want to connect your Roku, and whether there is a dedicated firewall in your home network (or you have a computer with two ethernet cards).

Usually a home router has only one uplink to your internet provider (ADSL?) and 4 (or 8) ethernet ports which act like a switch (on layer 2). Now the first question: Can you configure your router to "split off" one port (usually a home router can't do this)? If yes, it should be easy.

If no, then you have your Roku in your LAN if you connect it to one of these ports. Now you have two choices:

1. Configure a personal firewall on every computer you have in this LAN,

OR - if you have a computer with two ethernet ports -

2. Set up this computer as a firewall and connect your Roku to this system.

----------

## grant123

My router is just a dedicated Gentoo system.  It has an ethernet interface for the WAN and another for the LAN.  I connect the LAN interface to a switch and everything connects to that switch.  Should I be able to split off one port of the switch?  Or maybe it would be best to connect a third ethernet interface to the router?

----------

## pietinger

 *grant123 wrote:*   

> My router is just a dedicated Gentoo system.

 

Great !

 *grant123 wrote:*   

> Should I be able to split off one port of the switch?

 

Sorry for my old sayings ... but ... it depends on your switch  :Wink:   If it is able to configure VLANs then this is one choice.

 *grant123 wrote:*   

> Or maybe it would be best to connect a third ethernet interface to the router?

 

This is a very personal decision and I can only tell what I would do ... YES ... make a fine DMZ   :Cool: 

(like I drew in this setup: https://forums.gentoo.org/viewtopic-t-1114432.html )

----------

## Ralphred

 *grant123 wrote:*   

> Or maybe it would be best to connect a third ethernet interface to the router?

 

There are 3 levels of "isolation" available for you to choose from: hacky, network and [virtual or physical], each building on the last and adding "better" isolation.

Hacky

Easiest to achieve: just make the isolated device think it's in a smaller network than it is by setting a /30 address (ideally, but a larger network if you have to) that only lets it talk to the router.

Network

Similar to the above, but without "breaking protocol": add a second IP in a different network (subnet) to the router's LAN port, and use an address on this network (again ideally /30) for the "isolated device". This gives you layer 3 isolation, but the isolated device can still see layer 2 broadcasts.

Physical

Add a second LAN NIC to the router and keep everything literally separate (no using the switch, unfortunately).

Virtual

Same as above, but with a virtual separation between the "two networks". This can be done two ways: the traditional (more secure) way, where the switch is responsible for not forwarding packets from VLAN A to VLAN B and vice versa (and providing layer 2 isolation).

Or where devices on VLAN {A,B} know they are only looking for packets tagged for them (but I'd be surprised if you had that level of control over the Roku device) and ignore the ones that "aren't for them".

If it's only the Roku you don't trust then network isolation is fine (assuming you aren't anticipating a 3rd party messing with its network settings). If you have a managed switch that is VLAN capable, then doing it that way is better (and free, as you can just config the switch and router to cope). If you don't have a managed switch then an extra NIC for the router is probably cheaper (and technically better/safer, but it's moot in a home set-up) than procuring a managed switch.

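Added here as an editor's example (not code from Ralphred or anyone else in the thread): the /30 arithmetic behind the "hacky" and "network" variants, with the matching Gentoo netifrc stanzas for the "network" variant (a second address on the LAN NIC) and the "physical" variant (a third NIC). Interface names (eth0/eth1/eth2) and prefixes (192.168.1.0/24, 10.42.0.0/30) are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread: address arithmetic and Gentoo netifrc
# stanzas for two of the isolation variants described above. Interface names
# (eth0/1/2) and prefixes (192.168.1.0/24, 10.42.0.0/30) are assumptions.
set -u

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# p2p_pair NET/30 -> "router_ip device_ip"
# A /30 has exactly two usable addresses, so the device's subnet contains
# nothing but the router and itself. A wider prefix, or a /30 whose network
# address is not a multiple of 4, silently widens what the device considers
# "local", which defeats the whole point of the variant, so refuse it.
p2p_pair() {
    case "$1" in */30) ;; *) echo "need a /30, got $1" >&2; return 1 ;; esac
    n=$(ip4_to_int "${1%/30}")
    if [ $(( n & 3 )) -ne 0 ]; then
        echo "$1 is not /30-aligned" >&2
        return 1
    fi
    echo "$(int_to_ip4 $(( n + 1 ))) $(int_to_ip4 $(( n + 2 )))"
}

# netifrc_physical WAN LAN DMZ LAN_CIDR DMZ_CIDR -> /etc/conf.d/net contents
# "Physical" variant: the Roku hangs off its own NIC, so it is on its own
# layer-2 segment and never shares the switch with the LAN.
netifrc_physical() {
    cat <<EOF
# /etc/conf.d/net (generated example)
config_$1="dhcp"
config_$2="$4"
config_$3="$5"
EOF
}

# netifrc_secondary LAN LAN_CIDR NET/30 -> /etc/conf.d/net line for the LAN NIC
# "Network" variant: a second address on the existing LAN NIC. Layer 3 only:
# the device still sits in the switch's broadcast domain.
netifrc_secondary() {
    pair=$(p2p_pair "$3") || return 1
    echo "config_$1=\"$2 ${pair%% *}/30\""
}

# device_config NET/30 -> what to type into the isolated device's static IP setup
device_config() {
    pair=$(p2p_pair "$1") || return 1
    echo "address=${pair#* }/30 gateway=${pair%% *}"
}
```

For the "network" variant, `device_config 10.42.0.0/30` gives the static address and gateway to enter on the Roku; the router keeps its normal LAN address and gains 10.42.0.1/30 on the same NIC. Note that this only holds as long as nobody changes the device's own IP settings, exactly the caveat Ralphred gives, which is why the physical NIC wins if you don't trust the device at all.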
----------

## grant123

Thank you.  I'll use an extra physical NIC for the Roku.

Without implementing this, does the Roku see everything I do on the wired network that isn't encrypted?

----------

## pietinger

 *grant123 wrote:*   

> Without implementing this, does the Roku see everything I do on the wired network that isn't encrypted?

 

No, if it is a (real) switch (->only broadcasts) - yes, if you would use a hub.

----------

## NeddySeagoon

grant123,

That depends on how you configure your router/firewall.

Separate LANs are supposed to be separate, but anything is possible. 

The Roku LAN should not be permitted to start connections to your other (private) LAN.

----------

## grant123

 *Quote:*   

> No, if it is a (real) switch (->only broadcasts) - yes, if you would use a hub.

 

I'm using a switch so it sounds like my traffic will be private from the Roku while I figure out the DMZ.

----------

## Hu

If you are concerned, you could temporarily place a Linux system on the quarantined port and try to use network monitoring tools on it to snoop on other traffic.  If your switch provides the desired level of isolation, the quarantined system should be unable to snoop anything from other systems.  Once you have proved that the quarantine works, you can move the Roku onto that port.

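Hu's test, scripted, as an editor's example (not code from Hu or the thread). Run it on a Linux box plugged into the port you intend to quarantine while two other hosts on the LAN are talking (a large file copy, say). It counts unicast frames that are not addressed to this NIC; a properly isolating switch never delivers those here. Broadcast and multicast are excluded on purpose, because a plain switch floods them to every port by design (ARP, DHCP, mDNS) and they are not the leak being tested for. The interface name and capture window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: count frames a properly isolating
# switch should never deliver to this port, i.e. unicast for other hosts.
set -u

# snoop_filter MAC -> BPF expression for "unicast frames not addressed to us"
snoop_filter() {
    echo "not broadcast and not multicast and not ether host $1"
}

# iface_mac IFACE -> the NIC's own MAC, from sysfs
iface_mac() {
    cat "/sys/class/net/$1/address"
}

# count_foreign_unicast IFACE SECONDS -> number of frames matching snoop_filter
# seen during the capture window. Needs root and tcpdump. tcpdump puts the NIC
# in promiscuous mode, which is what we want here (we are trying to see what
# the switch leaks to this port). SIGINT rather than SIGTERM so tcpdump
# flushes its output before exiting.
count_foreign_unicast() {
    iface=$1; secs=$2
    mac=$(iface_mac "$iface") || return 2
    timeout -s INT "$secs" tcpdump -l -i "$iface" -nn -q "$(snoop_filter "$mac")" 2>/dev/null \
        | wc -l | tr -d ' '
}

# quarantine_verdict COUNT -> "isolated" or "leaking"
quarantine_verdict() {
    if [ "$1" -eq 0 ]; then echo isolated; else echo leaking; fi
}

# Usage (as root on the test box, interface name assumed):
#   n=$(count_foreign_unicast eth0 60)
#   echo "$n foreign unicast frames: $(quarantine_verdict "$n")"
```

Two caveats when reading the count: a switch floods unicast to every port while the destination MAC is still unknown to it, so a few frames right after another host (re)appears on the LAN are normal, whereas a steady stream during the file copy is not; and a zero result only proves the switch is not leaking to this port right now, not that its forwarding table cannot be flooded or poisoned later, which is the part the separate NIC takes off the table.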
----------

## grant123

Let me see if I have this right.  Once I've put the Roku on a DMZ I'll have increased security/privacy in two ways:

1. I won't have to rely on my switch's proper functioning and security.

2. I'll have a more robust way of specifying that the Roku may not connect to the rest of the LAN.

Am I missing anything?

----------

## grant123

Am I thinking about this correctly?

----------

## pietinger

 *grant123 wrote:*   

> Am I thinking about this correctly?

 

Yes ! ... but please keep in mind: A DMZ is only as secure as your firewall rules are ...  :Wink: 

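To make "only as secure as your firewall rules" concrete, here is an editor's example (not NeddySeagoon's config, not the wiki's, and not anything posted in the thread): a minimal Shorewall 5 rule set for the three-NIC layout the thread settles on, with the one policy that matters for the question, namely that the dmz may initiate to the net but never to loc or the firewall, while loc may still initiate to the dmz. Interface names (eth0/eth1/eth2), prefixes, and the assumption that the router runs DNS for its inside zones are all assumptions; the files are written to a directory so they can be read and checked with `shorewall check` before being copied over /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the thread: a Shorewall 5 rule set for
# net=WAN NIC, loc=LAN NIC, dmz=Roku NIC, written to DIR for inspection.
set -u

# write_shorewall_dmz DIR WAN LAN DMZ LAN_NET DMZ_NET
write_shorewall_dmz() {
    dir=$1 wan=$2 lan=$3 dmz=$4 lan_net=$5 dmz_net=$6
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    # routefilter + nosmurfs on every interface; tcpflags is listed although
    # the thread notes it is already the default. dhcp on the inside
    # interfaces because the router is assumed to hand out leases there.
    cat > "$dir/interfaces" <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     $wan        tcpflags,nosmurfs,routefilter,sourceroute=0
loc     $lan        tcpflags,nosmurfs,routefilter,dhcp
dmz     $dmz        tcpflags,nosmurfs,routefilter,dhcp
EOF
    # First match wins, top to bottom, so the order IS the policy:
    # dmz->net allowed, dmz->anything else dropped.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
dmz     all     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
    # Holes in the policy: the only thing the dmz may open to the firewall
    # itself is DNS (assumption: the router is the resolver). DHCP is
    # already covered by the dhcp interface option.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
SSH(ACCEPT)     loc     $FW
DNS(ACCEPT)     loc     $FW
DNS(ACCEPT)     dmz     $FW
EOF
    cat > "$dir/snat" <<EOF
#ACTION         SOURCE          DEST
MASQUERADE      $lan_net        $wan
MASQUERADE      $dmz_net        $wan
EOF
}

# policy_lookup DIR SRC DST -> the POLICY the first matching line yields.
# A quick read of the policy file with Shorewall's first-match semantics, so
# "dmz cannot initiate to loc" can be asserted before deploying; the real
# compiler is `shorewall check DIR`, which supersedes this.
policy_lookup() {
    awk -v s="$2" -v d="$3" '
        /^[[:space:]]*#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    ' "$1/policy"
}

# Usage: write_shorewall_dmz /tmp/sw eth0 eth1 eth2 192.168.1.0/24 10.42.0.0/30
#        policy_lookup /tmp/sw dmz loc   # -> DROP
#        shorewall check /tmp/sw         # compile without installing
```

Things this deliberately does not hide: `loc dmz ACCEPT` means a compromised LAN host can still reach the Roku, which is the direction you presumably accept; if you want the Roku reachable only from specific hosts, replace that policy line with rules. The snat file is the Shorewall 5 format; older releases used /etc/shorewall/masq with the columns the other way round. IP forwarding itself is switched on in shorewall.conf, not here.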
----------

## grant123

Should routefilter,nosmurfs (and maybe dhcp) be sufficient OPTIONS for every line in /etc/shorewall/interfaces?  It looks like tcpflags is default and logmartians is implied by routefilter.

https://shorewall.org/manpages/shorewall-interfaces.html

----------

## pietinger

 *grant123 wrote:*   

> Should routefilter,nosmurfs (and maybe dhcp) be sufficient OPTIONS for every line in /etc/shorewall/interfaces? [...]

 

Sorry, I am not a shorewall man and cannot help you here. Maybe open a new thread for it ?

----------

## NeddySeagoon

grant123,

Is this embryonic page any help?

I'm a shorewall user too.

Shorewall does not change for being installed on a Pi4

----------

## grant123

Yes, very helpful thank you!

Why no routefilter OPTIONS in your interfaces file?

Why set these without routefilter:

```
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
```

Why no OPTIONS for the net zone in your interfaces file?

Doesn't your firewall need to make some connections in your policy file?

----------

## NeddySeagoon

grant123,

I was playing with running my own VPN end point at one time but the need for it went away.

The policy routings things are probably leftovers from that.

----------

## grant123

I tried creating /etc/sysctl.conf and adding these:

```
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
```

but after rebooting I still have this:

```
# cat /proc/sys/net/ipv4/conf/default/rp_filter
0
# cat /proc/sys/net/ipv4/conf/all/rp_filter
0
```

I'm using gentoo-kernel which I'm guessing has Sysctl support but there is no config or config.gz file in the installed sources.  How best to check the config with gentoo-kernel?

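An editor's example (not from grant123, NeddySeagoon or the wiki pages) for the check being done by hand above: read every key that /etc/sysctl.conf and /etc/sysctl.d/*.conf ask for and compare each against what the running kernel reports, rather than cat'ing individual /proc/sys entries. The file order (sysctl.d/*.conf, then sysctl.conf last, so the last definition wins) is the one `sysctl --system` uses. The SYSCTL_ETC and PROC_SYS variables are this example's own and default to the live system; the last function answers the gentoo-kernel config question by trying /proc/config.gz and then /boot/config-<version>.

```shell
#!/bin/sh
# Added example, not from the thread: diff requested sysctl values against the
# running kernel. SYSCTL_ETC / PROC_SYS can be pointed at a copied or
# constructed tree (the defaults are the live system).
set -u
: "${SYSCTL_ETC:=/etc}"
: "${PROC_SYS:=/proc/sys}"

# sysctl_wanted -> "key value" lines, one per key, last definition wins
sysctl_wanted() {
    for f in "$SYSCTL_ETC"/sysctl.d/*.conf "$SYSCTL_ETC"/sysctl.conf; do
        [ -r "$f" ] && cat "$f"
    done | sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' \
               -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
         | awk '{ v[$1] = $2 } END { for (k in v) print k, v[k] }' | sort
}

# sysctl_live KEY -> the kernel's current value, or "<missing>" when the key
# does not exist (option not compiled in, module not loaded, or a
# per-interface key for an interface that is not up yet)
sysctl_live() {
    p="$PROC_SYS/$(echo "$1" | tr . /)"
    if [ -r "$p" ]; then cat "$p"; else echo "<missing>"; fi
}

# sysctl_audit -> prints one line per mismatch, returns 1 if there were any
sysctl_audit() {
    mismatches=$(sysctl_wanted | while read -r key want; do
        have=$(sysctl_live "$key")
        [ "$have" = "$want" ] || printf '%s wanted=%s live=%s\n' "$key" "$want" "$have"
    done)
    [ -n "$mismatches" ] || return 0
    printf '%s\n' "$mismatches"
    return 1
}

# kconfig_value CONFIG_FOO -> y, m, a number/string, or "not set"; "unknown"
# if no config is readable. /proc/config.gz exists only when the kernel was
# built with CONFIG_IKCONFIG_PROC; the /boot copy is whatever the install
# put there.
kconfig_value() {
    if [ -r /proc/config.gz ]; then
        v=$(zcat /proc/config.gz | sed -n "s/^$1=//p")
    elif [ -r "/boot/config-$(uname -r)" ]; then
        v=$(sed -n "s/^$1=//p" "/boot/config-$(uname -r)")
    else
        echo unknown; return 1
    fi
    echo "${v:-not set}"
}

# Usage on the router:
#   sysctl_audit && echo "all sysctl values applied"
#   kconfig_value CONFIG_SYSCTL
```

If the audit fails right after a reboot, apply the files by hand with `sysctl --system` and rerun it: if it then passes, the values are fine and it is the boot-time application that is missing (on an OpenRC system, check that the `sysctl` service is in the boot runlevel with `rc-update show boot`). One caveat specific to rp_filter: the kernel uses the higher of `conf/all/rp_filter` and `conf/<interface>/rp_filter` for each interface, so looking at `all` and `default` alone does not tell you what an interface is actually doing; put the per-interface keys you care about into the sysctl file and the audit will cover them too.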
----------

## NeddySeagoon

grant123,

```
pi_router ~ # cat /proc/sys/net/ipv4/conf/default/rp_filter
0
pi_router ~ # cat /proc/sys/net/ipv4/conf/all/rp_filter
0
```

Me too.

----------

## grant123

Ok but aren't you setting them to '1' here:

https://wiki.gentoo.org/wiki/User:NeddySeagoon/Pi4_Router#.2Fetc.2Fsysctl.d.2Frouter.conf

Also at the bottom of this section:

https://wiki.gentoo.org/wiki/Home_router#NAT_.28a.k.a._IP-masquerading.29

----------

