submitted 1 week ago by applemao@lemmy.world to c/privacy@lemmy.ml

I realized I was at risk by having smart devices on my normal network, so decided to move them to my guest network.

I don't like my smart tv, but it's all I have to work with for now. I want to keep it on my guest network, but still stream using jellyfin. I see on my netgear router there is an option to "let devices on guest network see other devices and access local network" which would probably allow it to see my jellyfin server, but then doesn't that defeat the point of a guest network? Maybe I need to learn what a reverse proxy is...jellyfin server is currently on windows (not my pc) but could move it to my linux pc if needed.

And yes, I plan to get a media center linux box in the future so I don't have to deal with the garbage smart tv os!

[-] yaroto98@lemmy.org 6 points 1 week ago

Disclaimer: I'm not a networking guy, but I've worked with them.

If you're looking for security, you set up vlans. I don't know enough about your setup to know if you set up a vlan, or just a separate subnet.

The goal is to have separate vlans, to block all traffic between the two networks, and then add exceptions in the ACL. The ACL is essentially a firewall between the two vlans.

With this in place the smart device can't scan your network to gather info. Also, if it gets infected, it can only attack through the opened routes or the other devices on the vlan.

[-] applemao@lemmy.world 3 points 1 week ago

I just saw that I have a vlan/iptv setup that I can apply as a bridge on the guest network the tv is on. That seems right?

[-] yaroto98@lemmy.org 2 points 1 week ago

Unsure, does this answer help?

https://community.netgear.com/discussions/Orbi/what-is-vlanbridge-and-should-i-enable-it/1934301

If what that says looks right, then that's probably not what you're looking for.

[-] applemao@lemmy.world 1 points 1 week ago

Yeah this doesn't seem right. I'm not sure my router supports running a vlan and allowing certain services through to lan

[-] applemao@lemmy.world 1 points 1 week ago

I think netgear makes the guest network a subnet.

I'm going to look into a vlan with all exceptions. It's a nighthawk router so I think it has those features. Haven't gotten around to putting DD-WRT on it yet

[-] catloaf@lemm.ee 1 points 1 week ago

Yes, unless it lets you list exceptions, that would defeat the point. You might need to set up a full router and firewall.

[-] FeelzGoodMan420@eviltoast.org 0 points 1 week ago* (last edited 1 week ago)

A better solution is to use a pihole to block all domains that the TV pings, and only let through ones that allow you to use streaming apps (i.e. netflix API domain.)

Another good solution is to block WAN access for specific devices and only allow them to communicate over LAN. This would be done on your Router. This method would allow local streaming using Jellyfin but wouldn't allow streaming apps like Netflix since that requires communication with the outside Internet.

[-] marsara9@lemmy.world 4 points 1 week ago

If you're worried about your IoT devices on your LAN the problem isn't necessarily that they can access WAN but rather that there's a security vulnerability and that they can be accessed by the WAN. Once a device is compromised an attacker can then use it as a "beachhead" to access other devices on your network.

So for example, with my setup every IoT device is on a separate VLAN (the guest network acts similarly) which can't get access to WAN, can't be accessed from the WAN and can't initiate any network calls to any other VLAN. Now my primary VLAN can talk to my IoT VLAN, and IoT can talk back, it just can't start the communication.

This does pose a problem for TVs though that need to talk to Jellyfin as hinted at in the original post. So what you could do is create a specific firewall rule that allows the TVs to at least initiate communication to Jellyfin but not any other device on your primary VLAN. This will probably require a more sophisticated router though than most of the consumer ones out there. Just be mindful that if an IoT device is compromised they can then try to attack the jellyfin server to jump to your other VLAN and then the rest of your network.
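
The policy described in the comment above, written as an nftables forward chain for a Linux-based router. This is an added example, not part of the thread or any poster's configuration; the interface names, subnets and host addresses are assumptions, and 8096/tcp is Jellyfin's default HTTP port.

```nftables
# Assumed layout (constructed for illustration):
#   lan0 = primary VLAN  192.168.10.0/24   (Jellyfin server at 192.168.10.10)
#   iot0 = IoT VLAN      192.168.20.0/24   (smart TV at 192.168.20.50)
#   wan0 = uplink to the internet

# Create-then-delete so the file can be reloaded without duplicating rules.
table inet home_segmentation
delete table inet home_segmentation

table inet home_segmentation {
    chain forward {
        # Default deny: anything not matched below is dropped, which covers
        # IoT -> WAN, WAN -> anything, and IoT -> primary VLAN.
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were allowed to start. This is what lets the
        # IoT VLAN "talk back" without being able to start a conversation.
        ct state established,related accept
        ct state invalid drop

        # The primary VLAN may initiate to the internet and to IoT devices.
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # The single exception: the TV may open connections to Jellyfin only.
        iifname "iot0" oifname "lan0" ip saddr 192.168.20.50 ip daddr 192.168.10.10 tcp dport 8096 ct state new accept

        # Record what the IoT VLAN attempted and was refused (rate limited),
        # then fall through to the drop policy.
        iifname "iot0" limit rate 10/minute log prefix "iot-denied: "
    }
}
```

This covers forwarded traffic only; DHCP and DNS served by the router itself to the IoT VLAN would need their own rules in an input chain. The Jellyfin host remains the one reachable target from the IoT side, so it is the machine to keep patched.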

this post was submitted on 29 May 2025