How to set up a totally locked-down network

Is it possible to use OpenWrt to set up a WiFi access point routing to my main network that gives me total control of what attached devices can do?

My dream network is where the only DNS that anything can see will only look up a name if that name is in a list that I have built - and the only IP routing that is allowed is to addresses that this restrictive DNS has issued.
Note that this DNS would have to ask the outside-world DNS for the actual answer, i.e. my list would just be the names.
But I would also need a log that shows me what has been requested so I can see what attached devices are trying to do, and maybe add a name to the list.

(I have a GL-MT300N-V2 which I hope to use for something like this.)

I am not sure why this isn't something that everyone wants these days, to keep control of "smart" things because otherwise you have no idea what they might be doing!


It's doable in OpenWrt, but a lot of people use Pi-hole for it...


OpenWrt is good for what it does. Keeping cheap consumer grade routers out of landfills.

Consider moving to open source enterprise class firewall software from https://pfsense.org

Runs on almost any x86 hardware or you can buy an appliance directly from Netgate or https://protectli.com

Then relegate OpenWrt devices to dumb APs

pretty sure you're answering the wrong guy :wink:

If it is only for DNS, then you can enable verbose logging, don't enable forwarding to upstream nameservers, and allow only specific addresses to be resolved. However, nowadays there are more ways to resolve an address, e.g. DNS over HTTPS, DNS over TLS.

That's why we assign them to a separate vlan and live on with our lives.


As @trendy says, the best way would be setting up a separate vlan bound to your AP or an external dumb AP.

And isn't a (domain blocking) adblocking solution enough for your needs?

Talking about features of OpenWrt or a general trend in society?

Thanks for the replies.

I hadn't heard of pi-hole and I could run it on my rPi server, but it is not the good solution although it goes a long way to help. The trouble with pi-hole is that it is trivial for evil things to bypass it and perhaps "DNS over HTTPS, DNS over TLS" are further ways to get round it. I want to approve all IP traffic - but as that is too hard to do manually I want a thing to automate it. If a thing like pi-hole could also control IP routing then the job is done.

I do not understand how that helps. The problem of what they do on the public network remains.

The reason for looking at OpenWrt was I liked the idea that a tiny, cheap and low-power machine (that I did not have to design and build) could do the access point and firewall for "smart" things to use.

I should add that if the Linux system interfaces were better documented I would just sit down and write a program to do this - but it looks hard just to get to the starting point of having a program that gets to see and forward every network packet.
My problem is that I am an old programmer from the days when things were very well documented, and before people got the strange idea that a .H file could be considered to document anything useful.

In terms of cybersecurity, these two statements contradict each other. If you don't trust some device, you block everything and then open what is necessary.


That is what I am trying to do. The difficulty is knowing what is necessary, hence the need to see what a device asks for and then approving or not as required.

Perhaps I am not understanding what was meant by "assign them to a separate vlan".

This won't necessarily solve your problems. It's hard to know if a request for abc.example.com is legitimate or not. You can have a good feeling about the domain of the vendor, but what if there are hardcoded addresses or the addresses are rotating in a round robin fashion?
Furthermore, you don't know how these devices will respond in a scenario that is unexpected for them. If they don't get the address they need, will they ask again later at a reasonable interval, or will they become more aggressive, flooding your network and stressing the nameserver? Food for thought.

I mean to keep them separated from the home/lan network. In case one of them gets compromised, to contain the damage as much as possible.

If you really don't trust the iot/smart devices that much, it would make more sense to avoid buying them in the first place.


Isn't it just normal to put the "IoT" (the "s" stands for security) devices into a separate vlan with no access to the internet at all?

You might want to help us a bit by providing some information on your "smart" things?

Do some need an active internet connection to work? Are you sure you could restrict them to one/some hosts so they are working but not tracking or doing whatever you don't like?

Oh but I do not want that! That would be easy. The point of this is to control "smart" devices that may even be useful.

Example: We have a modern TV which can probably be a browser and play videos etc., but I dare not let it on the network to use these features because I am absolutely sure it will have a wider agenda. It may even have a girlfriend like Alexa. It might want to update and break itself. So I want to offer it a different WiFi access point into an almost-sandbox, but where I can decide which servers it will be allowed to access.
Another example is that I think our planned upgrade to our boiler may come with unwelcome features, but may still need to be accessible via the network.

To be honest, if it was easy enough to use I would not mind all our external traffic being vetted. I used to poison unwelcome names by adding them to my PC's hosts file redirecting them to something local and non-existent but I found some analytic sites cleverly making up endlessly different names to defeat this.

I'm not sure how many "smart" devices you own, but to have each "legit" connection whitelisted it might take you some weeks, months or even years. You will also find out that the same connection needed for the thing to "work" (like showing web content, for example) is the same one they use to deliver "anti-features" to you (the things you want to "control"). Another thing is that it will always break. The consumer-grade internet of sh!t things are known to ship fast and get ripe at your place (they ship updates to make things work, others break, and so on...).

If you have only a couple of devices and have the time you could maybe work something out... but if you are an average customer you will already have around 15 of these black boxes, and the only "real" (time-preserving) solution is to proxify them with something like Pi-hole or so...

In the end it comes down to what @trendy says:


Exactly. This is why pi-hole is not quite enough. Ideally I want a pi-hole thing to update a whitelist of IP addresses as it dishes up whitelisted results.
And if there are devious protocols to reach sneaky DNS then even more reason for this.

The idea that you can just "not buy" such devices is becoming unrealistic. This crap is not going away any time soon and I want to be on top of it, not underneath!


If you want to be on top of it you should avoid buying the crap :put_litter_in_its_place:. Actually not easy: lots of vendor-locked proprietary "smart" things, which often rely on clouds :cloud: (other people's :family_man_man_girl: computers), are out on the market sweet-talking their way into your home :house: or close to you :hear_with_hearing_aid:

On the other hand, it's today already de facto impossible to have state-of-the-art/bleeding-edge technology (like a "smart speaker", for example) with only free hard- and software. But one could at least use partly open hardware designs combined with open source software (could use an SBC and run almond to get a privacy-preserving virtual assistant).

Instead of a smart TV I use a dumb TV combined with a little $25 ARM box supercharged with CoreELEC (running Kodi). With this setup I have maximum freedom and can fully utilize the potential of the hardware, like using the internal screen grabber for bias lighting (hyperion).

I could now go on and on, but it all comes down to this: if you want control over the stuff in your network you need to know it (really own it). Integrate transparent boxes instead of (crappy) black boxes :bulb:


There are several techniques that can be used to secure a network, but there is always a tradeoff between convenience/ease-of-use and normal functionality of both the devices limiting the connections (router/firewalls, DNS filters, etc.) and the devices that need to be restricted (i.e. smart TVs and other IoT/marginally trusted devices).

VLANs are a great way to at least keep the untrusted/marginally trusted devices from gaining access to your trusted systems. But that doesn't solve everything, of course.

Assuming that the devices in question don't use DoH/DoT, you can hijack/blackhole the DNS services fairly easily -- just create a rule on the appropriate network that drops and/or redirects all DNS (port 53) requests. From there, you can use a Pi-hole or other similar package to restrict to only the allowed domains.

You can, of course, always create firewall rules that drop/reject all except the explicitly allowed traffic, be it domains/IP addresses or port numbers -- you can do this on an entire network/VLAN, or you could filter by the specific device(s) IP address(es) on your network.

Another way to approach this is to simply monitor what your device(s) do in terms of their external connections and then craft firewall rules that limit/allow traffic precisely as you need for your network security.

The trouble is that each manufacturer (trustworthy or not) will have their own services and protocols. Some should absolutely be blocked and will make the device 'safer' to use. In other cases, blocking some services/ports might cripple some of the features that are integral to the device and that are actually necessary and/or valued by some or all users of that device. I'm guessing that this is why nobody makes a pre-fab device or firewall/filtering software environment that can provide a good user experience without adding too much extra work in terms of configuration and maintenance -- at least for the average user. And there's no one-size-fits-all recommendation that can be made here, either.


Thanks guys for drawing my attention to the fact that it is all a lot worse than I thought.
DoH is a disaster! It totally bypasses the Pi-hole approach. I am now totally convinced that my idea of only routing IPs that were obtained from whitelisted DNS is the only way to make a safe system.

I can see I will end up having to code this myself. Pity I don't have the time for that.
But is there any way that an external machine could do something to an OpenWrt thingy to say to it "here is a valid IP address for your routing table"?

And when the A/AAAA record is modified on the upstream DNS server... how will that external machine know that IP is valid?

Not sure I understand what you are saying here.
I am not trying to validate the DNS service results. I just want to construct a network that only allows clients to talk to IP addresses that they were given by my DNS server. If they ask a different one they may well be out of luck - so they must use the one provided. If the DNS database is updated then something will have to ask again.
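The rule the original poster keeps coming back to (answer only names on my list, log everything that is asked, and let the firewall forward only to addresses my resolver actually issued) can be expressed as a small policy engine over dnsmasq's `log-queries` output. The script below is an added example written for this page, not code from the thread or from OpenWrt; the log lines, names, addresses and the `max_age` window are constructed for illustration. It produces the two things asked for above: a review list of names a client requested that are not on the list, and the set of addresses issued for approved names, which a wrapper would push into an ipset/nftables set referenced by the forwarding rule. The `max_age` expiry is how it answers the "what if the A/AAAA record changes" objection: an address stays forwardable only as long as the resolver keeps issuing it, so a client whose cached answer has gone stale has to ask again.

```python
"""Allow-list DNS policy over dnsmasq query logs (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass, field

# The name list I built (constructed). A query matches an entry exactly or as a subdomain.
ALLOWED_NAMES = {"tv-vendor.example"}

# dnsmasq `log-queries` message shapes this policy acts on; other lines are ignored.
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
ANSWER_RE = re.compile(r"(?:reply|cached) (\S+) is (\S+)$")


def name_allowed(name, allowed=ALLOWED_NAMES):
    """True if `name` is on the list or underneath an entry on it."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


@dataclass
class DnsIssuePolicy:
    allowed: set
    issued: dict = field(default_factory=dict)   # address -> last time it was issued
    review: list = field(default_factory=list)   # (client, qtype, name) not on my list
    _answer_is_approved: bool = field(default=False, repr=False)

    def feed(self, line, now):
        """Consume one log line; `now` is the reader's clock in seconds."""
        m = QUERY_RE.search(line)
        if m:
            qtype, name, client = m.groups()
            # Replies are logged after their query, so remember whether the
            # answer currently being written out belongs to an approved name.
            self._answer_is_approved = name_allowed(name, self.allowed)
            if not self._answer_is_approved:
                self.review.append((client, qtype, name))
            return
        m = ANSWER_RE.search(line)
        if m and self._answer_is_approved:
            # A CNAME chain is logged as consecutive reply lines; the chain
            # target's address was handed to the client, so it counts as issued.
            try:
                addr = ipaddress.ip_address(m.group(2))
            except ValueError:
                return  # <CNAME>, NXDOMAIN, NODATA and similar non-address answers
            self.issued[str(addr)] = now

    def allowed_addresses(self, now, max_age):
        """Addresses issued within the last `max_age` seconds, split by family."""
        fresh = [a for a, t in self.issued.items() if now - t <= max_age]
        key = ipaddress.ip_address
        v4 = sorted((a for a in fresh if key(a).version == 4), key=key)
        v6 = sorted((a for a in fresh if key(a).version == 6), key=key)
        return v4, v6


# Constructed sample of `logread` output from dnsmasq with log-queries enabled,
# paired with the second at which each line was read (a fake clock starting at 0).
SAMPLE = [
    (0, "dnsmasq[1234]: query[A] update.tv-vendor.example from 192.168.50.20"),
    (0, "dnsmasq[1234]: forwarded update.tv-vendor.example to 9.9.9.9"),
    (0, "dnsmasq[1234]: reply update.tv-vendor.example is 203.0.113.10"),
    (0, "dnsmasq[1234]: reply update.tv-vendor.example is 203.0.113.11"),
    (5, "dnsmasq[1234]: query[A] telemetry.tracker.example from 192.168.50.20"),
    (5, "dnsmasq[1234]: config telemetry.tracker.example is NXDOMAIN"),
    (9, "dnsmasq[1234]: query[AAAA] update.tv-vendor.example from 192.168.50.20"),
    (9, "dnsmasq[1234]: reply update.tv-vendor.example is 2001:db8::a"),
    (12, "dnsmasq[1234]: query[A] cdn.tv-vendor.example from 192.168.50.20"),
    (12, "dnsmasq[1234]: reply cdn.tv-vendor.example is <CNAME>"),
    (12, "dnsmasq[1234]: reply edge.cdn-provider.example is 203.0.113.50"),
    (700, "dnsmasq[1234]: query[A] update.tv-vendor.example from 192.168.50.20"),
    (700, "dnsmasq[1234]: cached update.tv-vendor.example is 203.0.113.10"),
]


def run_sample(max_age=600):
    """Feed the constructed log through the policy; returns (review, (v4, v6))."""
    policy = DnsIssuePolicy(set(ALLOWED_NAMES))
    for now, line in SAMPLE:
        policy.feed(line, now)
    last_seen = SAMPLE[-1][0]
    return policy.review, policy.allowed_addresses(last_seen, max_age)


if __name__ == "__main__":
    review, (v4, v6) = run_sample()
    print("names to review:", review)
    print("forwardable now:", v4, v6)
```

In the sample, `telemetry.tracker.example` lands on the review list and never contributes an address, the CNAME target behind `cdn.tv-vendor.example` is issued because the client got it as part of an approved answer, and with a 600 s window only `203.0.113.10` (re-issued at t=700) is still forwardable at the end. On a real OpenWrt box the same effect is available without a script: a dnsmasq build with ipset/nftset support (the `dnsmasq-full` package, an assumption about current OpenWrt packaging) takes `ipset=/domain/setname` or `nftset=` entries and adds resolved addresses to the set itself, and a fw4 rule then forwards from the IoT zone only to that set; the script is useful mainly for the review list and for understanding what the expiry has to do.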