Home network security & privacy recommendations

I find this guy’s advice and analysis to be very useful:
https://routersecurity.org/checklist.php
and also:
https://defensivecomputingchecklist.com/

1 Like

You take a photo at home and the phone will put the GPS coords in the JPEG metadata.

You are route planning on your phone before departure and you want your starting point to be where you are now. (Yes, this is just for convenience. You can obviously manually direct the map to your starting point.)

There are probably many other scenarios where it is worthwhile to have working GPS at home.

No doubt, but if someone wants to call you on your mobile, WiFi won’t cut it unless

  • your provider supports and allows WiFi calling (and likewise your mobile phone), or
  • you have trained everyone who wants to call you to use alternatives to the mobile phone network.

On the first point, I have my doubts that WiFi calling works on many? any? all? carriers yet with the Librem 5. Anyone looked into that?

When you are in Kansas it will tell you where you are when your home lands. You should also get one for your little dog, Toto.

A quick follow-up to my previous post…

I decided to insert a Raspberry Pi into my network, with Pi-Hole installed to block trackers. I wrestled with it for days trying to make the Roku use it for DNS, but no dice (AND functionality was severely limited).

Turns out my brand new Asus router won’t stop broadcasting its DNS setting, so the Roku ignores the RPi. (Supposedly, I could install AsusWRT-Merlin firmware to be able to turn off the router broadcasting, but I’m worried that security updates would end prematurely.)

I then tried enabling DHCP on the RPi and disabling it on the router. Of course, the network crashed and no amount of rebooting would get it back, so I had to factory reset the router and reload my saved settings.

I finally just removed the RPi and settled for blacklisting a bunch of specific URL strings in the router’s firewall settings. I also blacklisted Google’s DNS to prevent the Roku from using it against my will. (Apparently Roku hardcodes Google into its devices!)

So…fun times with black boxes…

1 Like
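The “Roku ignores the Pi-hole and goes straight to Google DNS” situation described above can be seen in a router’s own firewall logs, if the router can log forwarded traffic (OpenWrt, AsusWRT-Merlin and similar firmware can; stock firmware often cannot). The following is an added example, not code from the post or from the Pi-hole project: it parses netfilter LOG-style lines (the `IN=… SRC=… DST=… PROTO=… DPT=…` format written by the iptables LOG target), lists every LAN client that sent port-53 traffic to anything other than the expected resolver, and generates the DNAT rules that force such traffic to the Pi-hole. The Pi-hole address 192.168.1.2, the interface name br0 and every log line are constructed for the demo.

```python
"""Spot LAN clients that bypass the Pi-hole by querying other DNS servers.

Added example, not code from the forum post. Parses netfilter LOG-style
lines and reports each client that sends port-53 traffic anywhere but the
resolver you expect. All addresses, interface names and log lines below are
constructed for the demo.
"""
import re
from collections import defaultdict

PIHOLE_IP = "192.168.1.2"   # assumed static LAN address of the Pi-hole

# Constructed log lines: a streaming box (192.168.1.50) ignores the Pi-hole and
# uses Google DNS; a laptop (.77) behaves; the Pi-hole's own upstream query to
# 1.1.1.1 is legitimate; the last line is HTTPS, not DNS at all.
SAMPLE_LOG = """\
Jan  1 10:00:01 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PROTO=UDP SPT=51123 DPT=53 LEN=40
Jan  1 10:00:02 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.4.4 LEN=60 TOS=0x00 PROTO=UDP SPT=51124 DPT=53 LEN=40
Jan  1 10:00:03 router kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.77 DST=192.168.1.2 LEN=60 TOS=0x00 PROTO=UDP SPT=40001 DPT=53 LEN=40
Jan  1 10:00:04 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.2 DST=1.1.1.1 LEN=60 TOS=0x00 PROTO=UDP SPT=33333 DPT=53 LEN=40
Jan  1 10:00:05 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 TOS=0x00 PROTO=TCP SPT=51125 DPT=443 LEN=40
"""

_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_log_line(line):
    """Return the SRC/DST/PROTO/port fields of a netfilter log line, or None
    if the line does not carry them (boot messages, other daemons, ...)."""
    fields = dict(_FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    return fields


def find_dns_bypass(lines, pihole_ip=PIHOLE_IP):
    """Map each client to the set of non-Pi-hole DNS servers it contacted.

    Only UDP/TCP to destination port 53 counts as DNS here; DNS-over-HTTPS
    on 443 is indistinguishable from web traffic at this layer. The Pi-hole
    itself is skipped, because its upstream queries are the one legitimate
    source of port-53 traffic leaving the LAN."""
    offenders = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f is None or f["PROTO"] not in ("UDP", "TCP") or f["DPT"] != "53":
            continue
        if f["SRC"] == pihole_ip or f["DST"] == pihole_ip:
            continue
        offenders[f["SRC"]].add(f["DST"])
    return dict(offenders)


def redirect_rules(pihole_ip=PIHOLE_IP, lan_if="br0"):
    """iptables commands that force stray plain DNS from the LAN to the
    Pi-hole (the usual fix for devices with hardcoded resolvers). Returned
    as strings for review rather than executed; lan_if is an assumed
    interface name. The Pi-hole is excluded as source so its own upstream
    lookups are not looped back to itself."""
    return [
        f"iptables -t nat -A PREROUTING -i {lan_if} -p {proto} --dport 53 "
        f"! -s {pihole_ip} ! -d {pihole_ip} -j DNAT --to-destination {pihole_ip}:53"
        for proto in ("udp", "tcp")
    ]


if __name__ == "__main__":
    for client, servers in sorted(find_dns_bypass(SAMPLE_LOG.splitlines()).items()):
        print(f"{client} bypasses the Pi-hole via {', '.join(sorted(servers))}")
    print("\n".join(redirect_rules()))
```

Two caveats a practitioner would want: the Pi-hole must be excluded from the DNAT match, otherwise its own upstream queries are redirected back to it and resolution stops entirely; and both the router-side blacklist described in the post and these rules only cover plain DNS on port 53, so a device that switches to DNS over HTTPS on port 443 slips past both.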

ICYMI: The BraxRouter is essentially a Raspberry Pi 4 based solution.

More details here: Your Home Privacy Appliance: BraxRouter VPN + TOR Router

I plan to pick one up after my Librem 14 arrives.

2 Likes

I guess you don’t want to go through that again, but that shouldn’t be happening.

One approach may be to put the Roku on a separate subnet, put a (better) router between the Roku’s subnet and the main subnet, enable DHCP on this router but enable it only for the Roku’s subnet. Then the Roku’s router can advertise DNS as the Pi. The Pi can sit on the main subnet.

Is your router dual WAN by any chance?

1 Like

I have an apu2 with 4x NIC & WLAN running OpenWrt with coreboot.
https://www.pcengines.ch/apu4d4.htm
https://openwrt.org/
OpenWrt is a Linux distribution made for routing/firewalling. For each device I have a separate interface (WAN, LANx, WLANx) with a minimum set of permissions. Then I have my own DNS set up to avoid leaking all my DNS queries. Very important, I think.
There would be a lot of other options, like VPN, ad blocking or LE certificates.
I was running OPNsense on the device before, but the WiFi strength/throughput was bad. With OpenWrt I can reach up to 60 MB/s.

Very happy with this little thing!

2 Likes

Also, if you do give it another shot, I would think in the router settings you can specify the IP address for whatever DNS server you want. You could just set that as the pi hole’s IP address.

Home routers generally might give you one or more of the following three choices:

  • the router via its DHCP server hands out its own IP address as DNS server and then runs a DNS server that typically uses the upstream DNS servers that it has received on the WAN side
  • the router via its DHCP server hands out the IP addresses for DNS servers that it has received on the WAN side
  • the router via its DHCP server hands out IP addresses for DNS servers that the user explicitly configures

@amarok would have to tell us the model of router / which choices are available.

I think my router gives all three choices but I am only using the third choice because I run my own DNS server.

1 Like
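The three DHCP behaviours listed above differ only in what the router puts in DHCP option 6 (domain name servers), and the quickest way to find out which one a given router really does is to look at an actual DHCPOFFER rather than at its web UI. The following is an added example, not code from the thread or from any router vendor: it decodes the option list of a BOOTP/DHCP message in the RFC 2132 layout, reports the resolvers, gateway and NetBIOS/WINS server (option 44, the “WINS” field the RT-AC1900P exposes) a client would accept, and flags any resolver other than the one you configured. The DHCPOFFER is constructed for the demo; the addresses 192.168.1.1 (router) and 192.168.1.2 (Pi-hole) are assumptions.

```python
"""Decode which DNS servers (DHCP option 6) a router actually hands out.

Added example, not code from the thread or from any router vendor. The
DHCPOFFER below is constructed; addresses are assumptions for the demo.
"""
import ipaddress
import struct

DHCP_FIXED_HEADER_LEN = 236          # op..file fields that precede the cookie
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_NETBIOS_NS = 1, 3, 6, 44
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 51, 53, 54, 255, 0


def parse_dhcp_options(payload):
    """Return {option_code: raw_value} from a DHCP message (the UDP payload).
    Repeated codes are concatenated (RFC 3396); pads are skipped; a truncated
    option is an error rather than a silently shorter address list."""
    cookie = payload[DHCP_FIXED_HEADER_LEN:DHCP_FIXED_HEADER_LEN + 4]
    if len(payload) < DHCP_FIXED_HEADER_LEN + 4 or cookie != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts = {}
    i = DHCP_FIXED_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option header truncated")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def ip_list(raw):
    """Decode a run of 4-byte IPv4 addresses (options 3, 6 and 44 use this form)."""
    if len(raw) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def summarize_offer(payload):
    """Readable view of the fields that decide where a client sends DNS."""
    opts = parse_dhcp_options(payload)
    return {
        "message_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],   # 2 = DHCPOFFER
        "server_id": ip_list(opts.get(OPT_SERVER_ID, b"")),
        "routers": ip_list(opts.get(OPT_ROUTER, b"")),
        "dns_servers": ip_list(opts.get(OPT_DNS, b"")),
        "netbios_name_servers": ip_list(opts.get(OPT_NETBIOS_NS, b"")),
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def unexpected_resolvers(payload, expected_dns):
    """DNS servers in the offer other than the one you configured. Anything
    listed here is a path around your filtering resolver, e.g. a router that
    appends its own address to the list you typed in."""
    return [ip for ip in summarize_offer(payload)["dns_servers"] if ip != expected_dns]


def build_offer(yiaddr, server_id, routers, dns_servers, netbios_ns=()):
    """Construct a DHCPOFFER for the demo (not a captured packet)."""
    def packed(ips):
        return b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)

    header = bytearray(DHCP_FIXED_HEADER_LEN)
    header[0], header[1], header[2] = 2, 1, 6             # BOOTREPLY, Ethernet, 6-byte MAC
    struct.pack_into("!I", header, 4, 0x3903F326)          # transaction id
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed   # offered client address
    body = bytearray()
    for code, value in (
        (OPT_MSG_TYPE, b"\x02"),
        (OPT_SERVER_ID, packed([server_id])),
        (OPT_LEASE, struct.pack("!I", 86400)),
        (OPT_SUBNET, packed(["255.255.255.0"])),
        (OPT_ROUTER, packed(routers)),
        (OPT_DNS, packed(dns_servers)),
        (OPT_NETBIOS_NS, packed(netbios_ns)),
    ):
        if value:
            body += bytes([code, len(value)]) + value
    body += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC_COOKIE + bytes(body)


# Constructed scenario from the thread: the LAN DNS field was set to the
# Pi-hole (192.168.1.2), but the router (192.168.1.1) also lists itself.
PIHOLE_IP = "192.168.1.2"
SAMPLE_OFFER = build_offer("192.168.1.50", "192.168.1.1", ["192.168.1.1"],
                           ["192.168.1.2", "192.168.1.1"])

if __name__ == "__main__":
    print(summarize_offer(SAMPLE_OFFER))
    print("bypass possible via:", unexpected_resolvers(SAMPLE_OFFER, PIHOLE_IP))
```

To check a real router, capture an offer on a LAN client with `tcpdump -i <lan-if> -w dhcp.pcap 'udp port 67 or udp port 68'`, pull the UDP payload of the reply out of the pcap, and pass it to `summarize_offer`. Clients are free to use any server in option 6, and many try them in order or pick the fastest, so a router address appearing anywhere in the list means some queries will bypass the Pi-hole.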

What do you think about the Ubiquiti WiFi/router combination for separated LANs?
[regarding privacy/security, of course]

It may be due to my inexperience with manipulating networks. Maybe I’ll give it another shot at some point, but I had the hardest time just getting to my router’s admin panel in Firefox after the reset. Next time, I’ll try connecting it to just my laptop directly.

It does have that capability (Asus RT-AC1900P). I like Asus’s routers more than some others I’ve seen, just for the available built-in controls. Unfortunately they continue to broadcast DNS even if you set a different server, and the Roku latches right onto it. (Unless you install the 3rd party software.)

Yeah, I did that, following all available directions to the “T”… It’s just that the Asus continues to broadcast itself as DNS in addition to the one I set.* And the Roku automatically prefers the Asus. (Can be avoided with 3rd-party AsusWRT-Merlin firmware, which has a setting for turning off the DNS advertising.)

*Behavior peculiar to Asus routers, apparently.

The RT-AC1900P lets you specify one different DNS server as DHCP, and one “WINS” server (Windows Internet Naming Service… whatever that is).

I tried specifying the Pi’s static IP address as the DNS server, with Cloudflare as DNS service on the WAN.

According to what I (think I) understand from the PiHole forum, with Asus (stock firmware), you have to use the Pi for DHCP (enabling that first, then disabling in the router). But then…crash.

Apologies to @SteveA if I’m derailing the thread too much…?

Maybe I’m not understanding. If the Asus router is set to use the pihole for DNS lookups, then you want the roku to use the Asus router for DNS lookups.

Is there confusion between DNS and DHCP?

I guess once the Roku hits the router, instead of using the mandated PiHole IP, it diverts to default Asus DNS.

See this discussion in the PiHole forum: https://discourse.pi-hole.net/t/configuring-dns-server-lan-or-wan-settings-on-asus-router/43523/5

Quote:
“Because of the “feature” Asus decided to code into their firmware the router may include itself as one of the DNS servers used by LAN clients. This of course leads to the possibility that LAN clients may potentially bypass the Pi-Hole when the Pi-Hole’s IP address is input into the LAN DNS field(s).”

Huh. That makes no sense, except for some sort of telemetry. Time to get you a Turris!

1 Like

This is kind of the reason that the router is keen to make itself the DNS server. Each “up” interface contributes one or more upstream DNS servers. On a dual WAN router, only the router really knows which WAN interfaces are up at any one time and so it is best placed to maintain the list of valid upstream DNS servers and hence is best placed to use those DNS servers on behalf of the rest of the LAN.

So if you set up an alternative DNS server on your LAN, by default it won’t know which WAN interface(s) are “up” and hence which upstream DNS servers to use. (This only matters if your DNS server uses the upstream DNS servers. If your DNS server does full traversal from the DNS root servers - very likely best for privacy - then you can ignore the upstream DNS servers, so you are good to go.)

All of this is assuming that the two WAN interfaces get you two different ISPs or at least get you two different sets of DNS servers.

If you aren’t using more than one WAN then you can ignore this problem even though it is still there theoretically.

If it insists on always including itself as a DNS server, can you still turn off the DNS server that is inside the Asus router? So DHCP will advertise two DNS server IP addresses - that of the router and that of the alternative DNS server - but the former will always fail.

Changing to a different DHCP server should have worked. (Obviously the DHCP server itself will need a static IP address.) While reconfiguring everything it may be advisable to set a static IP address temporarily on the computer that you are using to do the configuration if that is not the new DHCP server.

1 Like

I may just have to install the Merlin firmware if I can work up the will to attempt this again. That should make it easy.

Thanks for the insights!

Edit (next day): And… I have now installed Merlin, which turned out to be remarkably easy, and it didn’t even reset my network or settings. I’ve turned off my router DNS broadcast, and after some trial and error, I’m getting something on PiHole, but it doesn’t appear to be getting a deluge of traffic, blocked or not blocked. Still researching…

Edit2: I now have PiHole working and it’s capturing all the trackers from the Roku. It turns out that I just needed to allow some ufw firewall rules on the Raspberry Pi, as documented here: https://docs.pi-hole.net/main/prerequisites/

At some point I might create a thread to post some findings about trackers on the Roku, and maybe on my Android as well.

More on black box Things (connected to the previously-mentioned Princeton University study): https://inspector.engineering.nyu.edu/

2 Likes

Great information, thanks for sharing! :handshake: