Firewall settings for smart TV VLAN

waynea · November 28, 2023, 12:04pm

Trying to get to grips with segregating smart TV and firestick through VLAN. Objective is 1) completely segregate thiese from other devices and router, 2) stop them sending data back home, 3) but continue to allow streaming services from internet.

So what should the firewall settings for this interface be?
I think after a lot of searching (but probably less understanding)
Input = reject
Output = accept
Forward = relect

But with forwarding allowed from this zone to WAN

timur.davletshin · November 28, 2023, 2:33pm

VLANs - try staring from basics:

Blocking ads:

github.com

openwrt/packages/blob/master/net/adblock/files/README.md

<!-- markdownlint-disable -->

# DNS based ad/abuse domain blocking

## Description
A lot of people already use adblocker plugins within their desktop browsers, but what if you are using your (smart) phone, tablet, watch or any other (wlan) gadget!? Getting rid of annoying ads, trackers and other abuse sites (like facebook) is simple: block them with your router. When the DNS server on your router receives DNS requests, you will sort out queries that ask for the resource records of ad servers and return a simple 'NXDOMAIN'. This is nothing but **N**on-e**X**istent Internet or Intranet domain name, if domain name is unable to resolved using the DNS server, a condition called the 'NXDOMAIN' occurred.  

## Main Features
* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses)

| Source              | Enabled | Size | Focus            | Information                                                                       |
| :------------------ | :-----: | :--- | :--------------- | :-------------------------------------------------------------------------------- |
| adaway              | x       | S    | mobile           | [Link](https://github.com/AdAway/adaway.github.io)                                |
| adguard             | x       | L    | general          | [Link](https://adguard.com)                                                       |
| adguard_tracking    |         | L    | tracking         | [Link](https://github.com/AdguardTeam/cname-trackers)                             |
| android_tracking    |         | S    | tracking         | [Link](https://github.com/Perflyst/PiHoleBlocklist)                               |
| andryou             |         | L    | compilation      | [Link](https://gitlab.com/andryou/block/-/blob/master/readme.md)                  |
| anti_ad             |         | L    | compilation      | [Link](https://github.com/privacy-protection-tools/anti-AD/blob/master/README.md) |
| antipopads          |         | L    | compilation      | [Link](https://github.com/AdroitAdorKhan/antipopads-re)                           |
| anudeep             |         | M    | compilation      | [Link](https://github.com/anudeepND/blacklist)                                    |

This file has been truncated. show original

P.S. There is smarttv_tracking blocklist and oisd for ads.

waynea · November 28, 2023, 2:42pm

Yep, i block ads already through Adblock as well as using the https-dns-proxy and the excellent VLAN intro at. https://fabianlee.org/2023/01/22/openwrt-bridge-vlan-filtering-for-openwrt-21-x-with-dsa-isolated-guest-wi-fi/ was really helpful too. My issue is the correct settings for the firewall zone

timur.davletshin · November 28, 2023, 4:17pm

Well, in this case you should start with sharing your /etc/config/firewall and network files.

flygarn12 · November 28, 2023, 4:19pm

You can’t have rule 2 in combo with this!

There is also another problem with Smart TV in this case. You haven’t even defined if you talk about a actual TV or Apple-TV or Cromecast or any other black box?

But usually the Smart-TV is very integrated in a lot of streaming services and synchronization with computers , tablets and smartphones etc inside the same network.

So usually when you have everything working the firewall have so many openings so it is simply easier to just put the Smart-TV in the usual home network with internet access where everyone else are.

Or you wake up one day and the icons on the tv or in some app look really strange because it doesn’t have a internet connection so it could download the right icons.