I recently got a cheap Chineseium laser projector that works really great, but of course it is doing a lot of sketchy stuff when it gets online. So I want to set up a separate wifi network and lock it down heavily. The issue is that I can’t cut down internet access for the box completely because I want to cast internet videos onto it, so my phone on the normal network needs to be able to access it and it also needs to be able to access those resources on the internet.
So I’m thinking maybe I can do something with DNS and ip whitelisting. My basic sketch is as follows:
The Chineseium network is 10.0.0.0/8, and the normal network is 192.168.0.0/24
Have a dedicated router/AP as 10.0.0.1 which connects to my home router as 192.168.0.2, and set a static route in my home router so devices on my normal network can access the 10.0.0.0/8 network via the Chineseium router
On the Chineseium router, disallow source IP 10.0.0.0/8 output to any other IP (input is allowed so connections from the home network can get their responses)
Instead of returning the real IP for DNS queries, the DNS server returns a unique IP inside the 10.0.0.0/8 range, and when the projector sends packets to that IP, it forwards them to the home router with the dest IP corrected, and when it gets a reply, changes the src IP to the fake one and sends it to the projector
This way if the projector uses some method to bypass my DNS (or just hard codes IPs) it can’t get past my router, but it can still talk to servers on the internet that I allow without me having to mess with TLS or hand roll a bunch of IPs and keep them updated.
Is this something that is done normally? What are some keywords I can use to find out how to set this up for real? I’m having a hard time searching for how to implement this…
You wouldn’t need to use a 10.0.0.0/8; the typical /24 here or much much smaller would do if it’s just one device, say a /30, which would allow just your projector and your router to have an address, and prevents anything else accidentally joining the network as there won’t be any addresses left
You’re basically wanting some basic firewall rules though, even on just the one router if it supports it
You would segregate the laser projector to its own network either via a separate port or VLANs, restrict the projector from accessing anything outside its own network (as in it can’t get to anything on your normal network originating from itself) besides getting to the internet, and already established traffic from your internal network from your devices; you would probably need multicast DNS to go across as well to allow it to appear for casting etc.
For the projector’s DNS management, you could use Pi-hole or a similar DNS filtering service to ensure it only accesses approved domains. Additionally, consider setting up monitoring to keep an eye on any unusual traffic or attempts to bypass restrictions.
Yeah, the thing is I don’t want to babysit this thing forever and ban any infractions after they have already happened. That’s why I would prefer if it’s whitelist based
I would get Tailscale, set up one of your hosts as a router for your local network and access your device from anywhere as if you were on the same network.
Not much of a DNS expert, but Cast works using mDNS, so you’ll need an mDNS resolver (forwarder?) from your home network to the locked down net. Without it discovery doesn’t work, i.e. you won’t be able to select the projector in YouTube’s cast menu.
What is your current network like? If possible with stuff you have…
I would create a DHCP reservation (basically a local static IP address) on my main network and then just use my router to do an allowed external rule list for that IP to talk to.
Basically I’m trying to block all traffic (system updates, telemetry, backdoors, what have you), and only whitelist connections that I know it needs, so that includes fcast (raw TCP/mDNS) from my normal network, Samba, and DASH/HLS/normal HTTP(S) to the internet based on domains I pick. Sadly the projector has no network settings to speak of, just pick SSID and enter password.
From these requirements I think the block will have to be IP based, otherwise there will always be holes. But it’s not practical for me to track all the IPs I need to whitelist since they would change frequently. So my idea is that maybe I can have the DNS service create that whitelist dynamically for me based on a list of domains I pick and what DNS requests are being made.
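The DNS-driven allowlist sketched in the opening post (fake answer IPs mapped 1:1 to real ones, with the router translating in both directions) and the dynamic-whitelist idea restated just above, as an added simulation that is not code from any poster. It assumes a projector subnet of 10.0.0.0/24, a constructed pool of fake answer addresses in 10.1.0.0/24, and a constructed upstream resolver table; a real deployment would do the translation with conntrack/NAT rules, not in Python.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed address plan (assumption): the projector lives in 10.0.0.0/24,
# and every allowed real IP gets a private "fake" address from this pool.
FAKE_POOL = ipaddress.ip_network("10.1.0.0/24")


class DnsNatGateway:
    """Filtering resolver plus 1:1 NAT table. Traffic from the projector is
    forwarded only to addresses this resolver itself handed out, so a
    hard-coded IP or a DNS bypass never leaves the segregated network."""

    def __init__(self, allowed_domains, upstream: Dict[str, str]):
        self.allowed = {d.lower().rstrip(".") for d in allowed_domains}
        self.upstream = upstream            # constructed stand-in for real DNS
        self.fake_to_real: Dict[str, str] = {}
        self.real_to_fake: Dict[str, str] = {}
        self._pool = (str(h) for h in FAKE_POOL.hosts())

    def resolve(self, name: str) -> Optional[str]:
        """Answer a DNS query: None (NXDOMAIN) unless name is allow-listed.
        Allowed names get a fake IP; the fake->real mapping is the allowlist."""
        name = name.lower().rstrip(".")
        if not any(name == d or name.endswith("." + d) for d in self.allowed):
            return None
        real = self.upstream.get(name)
        if real is None:
            return None
        if real not in self.real_to_fake:       # one fake address per real IP
            fake = next(self._pool)
            self.real_to_fake[real] = fake
            self.fake_to_real[fake] = real
        return self.real_to_fake[real]

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Projector -> internet: rewrite dst to the real IP, or drop (None)."""
        real = self.fake_to_real.get(dst)
        return None if real is None else (src, real)

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Reply from internet: rewrite src back to the fake IP, or drop (None)."""
        fake = self.real_to_fake.get(src)
        return None if fake is None else (fake, dst)
```

Two caveats the simulation makes visible: the allowlist is keyed on IPs, so any other service sharing a CDN address with an allowed domain is reachable too, and mappings must outlive DNS TTLs or in-flight connections break when a name re-resolves.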
@tleydxdy, by trying to use only whitelisted connections to allow connections to your projector, you are complicating your network. Create a guest-only network, connect only your projector to it, use firewall rules to block connections to your regular network, and call it a day.
Dumb idea: Some routers have parental controls; those sometimes include block settings.
Maybe those can be used to lock down what the projector can talk to.
If you wanted to take a dive, you could use a router as an actual router and only create static routes for what you need.
The price of security is convenience, or lack thereof.
For 100% convenience and 100% complicated networking you could take this concept and apply it to an offline WireGuard instance.
Run a WireGuard server on the router, connect all secure devices through it, create a second WireGuard server instance and a simple one-way port for accessing the IoT device. This way the connection is secure, and your internet devices can access the printer without the printer accessing the internet. It leaves room for updates too, and you don’t give the IoT device an IP that gives away your location + other data