How far do you take privacy on your home network?

Ympker, OG Content Writer
edited January 2023 in General

Reading the following story from /r/privacy ( https://www.reddit.com/r/privacy/comments/10ia9nm/normie_gf_gifts_me_an_amazon_kindle_and_chaos/ ) made me wonder how restrictive/tight you guys have configured your home network when it comes to "privacy"?

Personally, I have to admit that I haven't really setup any privacy-related measures in my home network. On my devices I use Google DNS/Cloudflare DNS along with AdGuard in the browser. I'd assume that some people might have more tight privacy settings, though.

Normie gf gifts me an Amazon Kindle and chaos ensues

She meant well. I thanked her for the Amazon Kindle and she says, "well, let's set it up!" She was so excited. I was full of anxiety.

The Kindle attempts to reach the internet and my pfSense was like, "nuh-uh". Girlfriend gets very agitated that the device can't seem to connect. Since the Kindle just gives her an error message which says, "This device can't seem to connect to your WiFi," she thinks she's just entering the password incorrectly. She is close to tears and explains how she wrote a short story about us and self-published it and that it was a surprise and she wanted me to read it.

Ugh. How was I going to tell her, "babe that's great but Amazon has hardcoded this thing to use its own DNS-over-HTTPS and this aggression will not stand, man. I just need a little time to assign this devil device a static IP and write a quick redirect in pfSense."

So I do that. But once we're using my DNS, one of the servers the Kindle pings is, kindle-wifi-cn.amazon.cn, which gets blocked. Jezzzus. I have a block on a few TLDs. One of those is *.cn. By this time she is screaming at me and in full tears. So I just say, "fuck it" and whitelist that single entry and that is enough to get the god damn tablet up and running.

I linked it to her amazon account. It works but I put it in airplane mode as soon as I could. Make sure you blacklist dns.kindle.com or use a regex which catches all 3rd party DNS lookups which contain the phrase dns (that's what I do). Blocked DNS lookups that this Kindle made include:

amazoncustomerservice.d2.sc.omtrdc.net
device-metrics-us.amazon.com
unagi.amazon.com
c.amazon-adsystem.com

Then I told her that I'd keep it at her place. Her short story was really fun to read and then I took her out to dinner; so everything was fine in the end.

Edit:

This post is being shown to people outside of /r/privacy so to those people, the reason why I want to enforce my DNS (vs. Amazon's DNS) is because I want to block ads and tracking (telemetry) on Amazon's Kindle. The reason I block DNS lookups to China is because I work for a company that contracts with the US government so anything with a *.cn (Chinese TLD) from my home IP address creates paperwork that I don't want to do. Having a blanket block on the TLD keeps things simple.
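The blocking rules the quoted post describes (a handful of exact telemetry hostnames, a blanket block on the .cn TLD, a catch-all regex on the substring "dns", and a single allowlisted entry to get the device online) can be expressed as an ordered policy and replayed over resolver logs before they are deployed on the real resolver. The script below is an added example written for this thread, not code from the post or from pfSense; the log format is dnsmasq/Pi-hole style, and the timestamps, client addresses and the last two query lines are constructed. The `dnssec-tools.example.org` line is there on purpose: it shows the collateral damage a bare "dns" regex causes, which is why the last function lists regex-only hits for review.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of resolver query logs (dnsmasq/Pi-hole style). The hostnames are the
# ones listed in the post; timestamps, client IPs and the last two lines are made up.
SAMPLE_LOG = """\
Jan 22 20:01:03 dnsmasq[812]: query[A] dns.kindle.com from 192.168.10.42
Jan 22 20:01:04 dnsmasq[812]: query[A] kindle-wifi-cn.amazon.cn from 192.168.10.42
Jan 22 20:01:05 dnsmasq[812]: query[A] device-metrics-us.amazon.com from 192.168.10.42
Jan 22 20:01:05 dnsmasq[812]: query[A] unagi.amazon.com from 192.168.10.42
Jan 22 20:01:06 dnsmasq[812]: query[A] c.amazon-adsystem.com from 192.168.10.42
Jan 22 20:01:07 dnsmasq[812]: query[A] amazoncustomerservice.d2.sc.omtrdc.net from 192.168.10.42
Jan 22 20:01:08 dnsmasq[812]: query[AAAA] www.amazon.com from 192.168.10.42
Jan 22 20:01:09 dnsmasq[812]: query[A] dnssec-tools.example.org from 192.168.10.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


@dataclass
class DnsPolicy:
    """Ordered policy: allowlist wins, then exact names, then TLDs, then regexes."""
    blocked_exact: set = field(default_factory=set)
    blocked_tlds: set = field(default_factory=set)        # e.g. {"cn"} blocks *.cn
    blocked_patterns: list = field(default_factory=list)  # compiled regexes
    allowlist: set = field(default_factory=set)

    def decide(self, name: str):
        """Return (verdict, reason) for one queried name."""
        name = name.lower().rstrip(".")
        if name in self.allowlist:
            return "allow", "allowlisted"
        if name in self.blocked_exact:
            return "block", "exact"
        tld = name.rsplit(".", 1)[-1]
        if tld in self.blocked_tlds:
            return "block", "tld:." + tld
        for pat in self.blocked_patterns:
            if pat.search(name):
                return "block", "pattern:" + pat.pattern
        return "allow", "default"


# The policy described in the post: exact telemetry hosts, the .cn TLD, a catch-all regex
# on "dns", and the one .cn host that had to be allowlisted to get the device online.
KINDLE_POLICY = DnsPolicy(
    blocked_exact={
        "dns.kindle.com",
        "amazoncustomerservice.d2.sc.omtrdc.net",
        "device-metrics-us.amazon.com",
        "unagi.amazon.com",
        "c.amazon-adsystem.com",
    },
    blocked_tlds={"cn"},
    blocked_patterns=[re.compile(r"dns")],
    allowlist={"kindle-wifi-cn.amazon.cn"},
)


def evaluate_log(log_text: str, policy: DnsPolicy):
    """Parse query lines and return a list of (name, client, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (replies, cached answers, etc.)
        verdict, reason = policy.decide(m["name"])
        results.append((m["name"], m["client"], verdict, reason))
    return results


def blocked_names(log_text: str, policy: DnsPolicy):
    """Sorted, de-duplicated names the policy would block."""
    return sorted({name for name, _, verdict, _ in evaluate_log(log_text, policy)
                   if verdict == "block"})


def collateral_pattern_hits(log_text: str, policy: DnsPolicy):
    """Names blocked only by a regex: the ones worth reviewing for overblocking."""
    return sorted({name for name, _, verdict, reason in evaluate_log(log_text, policy)
                   if verdict == "block" and reason.startswith("pattern:")})


if __name__ == "__main__":
    for name, client, verdict, reason in evaluate_log(SAMPLE_LOG, KINDLE_POLICY):
        print(f"{verdict:5} {reason:18} {name:42} {client}")
    print("regex-only blocks:", collateral_pattern_hits(SAMPLE_LOG, KINDLE_POLICY))
```

Evaluation order matters: the allowlist is checked first so the one required .cn host survives the TLD block, and exact names are checked before regexes so the log shows a precise reason for each block. Running the regex-only report against a day of real logs before enabling the rule is the cheapest way to find the legitimate names (DNSSEC tooling, rDNS services, and the like) that a bare "dns" pattern will take down with it.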


Comments

  • edited January 2023

    On my Wi-Fi, I have suffixed "optout_nomap", especially for Windoze devices ;)
    [I hate surreptitious crap like that. Oh, and poxy markdown!]


  • Google DNS, sometimes cached on a local MikroTik... If issues arise I sometimes use Cloudflare DNS...
    I also use a Huawei router which contacts the mothership to tell them how I am doing; the auto upgrade is disabled, but if there is a new version, it literally MITMs HTTP traffic until I log in and press upgrade manually. Wonky Xiaomi access points broadcast ARPs for IPs 1-254, scanning my network literally every second...
    TP-Link switches, Tenda switches... a Xiaomi Redmi ad-'subsidized' phone... Even Chinese vibrators require full phone permissions: IMEI, GSM number, camera, microphone, access to media...

    I rely on uBlock Origin within Chrome or Firefox to clean all the crap. And it does, quite well.
    As you get older, you stop giving a fuck.

    So i would say, not restrictive, at all.
    All hackers and unwanted visitors are required to sign my guestbook, though.

  • Ympker, OG Content Writer

    @Janevski said:
    Google DNS, sometimes cached on a local MikroTik... If issues arise I sometimes use Cloudflare DNS...
    I also use a Huawei router which contacts the mothership to tell them how I am doing; the auto upgrade is disabled, but if there is a new version, it literally MITMs HTTP traffic until I log in and press upgrade manually. Wonky Xiaomi access points broadcast ARPs for IPs 1-254, scanning my network literally every second...
    TP-Link switches, Tenda switches... a Xiaomi Redmi ad-'subsidized' phone... Even Chinese vibrators require full phone permissions: IMEI, GSM number, camera, microphone, access to media...

    I rely on uBlock Origin within Chrome or Firefox to clean all the crap. And it does, quite well.
    As you get older, you stop giving a fuck.

    So i would say, not restrictive, at all.
    All hackers and unwanted visitors are required to sign my guestbook, though.

    Seems fair enough. I also have some security measures in place, but not really restrictive in terms of privacy.

  • The people in /r/privacy are extremists. It’s just a pissing contest for who has the most extreme restrictions on their network. The fact they refer to their SO as ‘a normie’ says it all.

    Also, why the fook would Amazon use a .cn domain? Sounds like a counterfeit Kindle?

    Full disclosure: I do have some restrictions in place. My guest wifi is on a separate VLAN and works with temporary passwords that expire after a set time or when I want to. I have a network for good friends with a fixed password, but that VLAN only connects to the internet and I have a separate VLAN for devices that I won’t have connected to the internet. Just to keep it a bit sane (and my home network safe).

  • I currently have 3 VLANs: one for phones and computers, one for IoT stuff, and one for guests.

    I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.

    When my daughter grows up I'll probably create one VLAN just for her electronics.


  • self-host adguard, especially for android private dns
    for windows pc had to use like wpd.app and use their firewall preset
    my IoT devices don't require treatment since I make them from scratch, either using ESP32 or some small Raspberry Pi boards (for home automation / CCTVs)

    Fuck this 24/7 internet spew of trivia and celebrity bullshit.

  • edited January 2023

    Sophos XG Firewall & 2 Raspberry Pis running Pi-hole is about it privacy-wise. I use DNS over HTTPS, but the Pi-holes handle that.

  • I try not to use crappy devices in the first place, but I put stuff like Chinese surveillance cameras on their own subnet or VLAN and completely block them from anything outgoing. If it requires "setup via app" I'm not touching it.

  • bikegremlin, Moderator, OG Content Writer

    Most people I know use smartphones, social networks, and payment cards (Visa, Mastercard etc.) - so not much use in trying to protect their privacy from my home network.

    The same goes for me since I started my websites and YouTube.

    Those few who really care about their privacy usually don't even ask for a Wi-Fi password when they go somewhere. :)


  • Ympker, OG Content Writer
    edited January 2023

    @debaser said:
    The people in /r/privacy are extremists. It’s just a pissing contest for who has the most extreme restrictions on their network. The fact they refer to their SO as ‘a normie’ says it all.

    Also, why the fook would Amazon use a .cn domain? Sounds like a counterfeit Kindle?

    Full disclosure: I do have some restrictions in place. My guest wifi is on a separate VLAN and works with temporary passwords that expire after a set time or when I want to. I have a network for good friends with a fixed password, but that VLAN only connects to the internet and I have a separate VLAN for devices that I won’t have connected to the internet. Just to keep it a bit sane (and my home network safe).

    I was also quite surprised they called their SO "normie". Also the measures in place made me think it's kind of extreme. That's why I was wondering how people here did things.

    @bikegremlin said:
    Most people I know use smartphones, social networks, and payment cards (Visa, Mastercard etc.) - so not much use in trying to protect their privacy from my home network.

    The same goes for me since I started my websites and YouTube.

    Those few who really care about their privacy usually don't even ask for a Wi-Fi password when they go somewhere. :)

    This is similar to what I was thinking. Sure, I use AdGuard, but that's about it. And I haven't even configured AdGuard on the router level because, like @terrorgen said, some content might become inaccessible, and the gf or other people using the network (e.g. my parents, when I was still living at home) were sometimes having trouble reading e.g. (news) sites that prevent people with an adblocker from reading their content. If it was a browser extension they could simply turn it off and read the desired page, but changing DNS is still more "difficult". And to be honest, the AdGuard browser extension (AdGuard family) is working just fine.

  • crunchbits, Hosting Provider

    @terrorgen said:
    I currently have 3 vlans: one for phones and computers, one for IOT stuff, and one for guests.

    I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.

    When my daughter grows up I'll probably create one VLAN just for her electronics.

    Really similar to what I am doing. One VLAN for my desktop/work PC and work phone, one for everything else in the house, one for guests. Using AdGuard Home and have found it to be pretty decent. Pi-hole was a bit too aggressive, breaking stuff that even I cared about; so far AdGuard Home has been decent. I did try Pi-hole quite a while ago, though. If my wife can't click Google ads, good. I'll ignore those complaints if she raises them.

    That's a good idea about your daughter. I think I'll do the same when the time comes.

  • Ympker, OG Content Writer

    @crunchbits said:

    @terrorgen said:
    I currently have 3 vlans: one for phones and computers, one for IOT stuff, and one for guests.

    I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.

    When my daughter grows up I'll probably create one VLAN just for her electronics.

    Really similar to what I am doing. One VLAN for my desktop/work PC and work phone, one for everything else in the house, one for guests. Using AdGuard Home and have found it to be pretty decent. Pi-hole was a bit too aggressive, breaking stuff that even I cared about; so far AdGuard Home has been decent. I did try Pi-hole quite a while ago, though. If my wife can't click Google ads, good. I'll ignore those complaints if she raises them.

    That's a good idea about your daughter. I think I'll do the same when the time comes.

    Kinda weird question, but are there routers that support using a VPN for the guest network only? Personally, I use a VPN on the application level or on VirtualBox machines when needed. However, I've been thinking about routing traffic from the guest network over some Switzerland VPN. My Asus router can't seem to achieve this rn, but I assume it's difficult to achieve this with one router in general, eh? Considered deactivating my guest network on the Asus and getting a portable VPN router (Mango or better) and using it to create the guest network. That way I can separate the two and can easily route guest traffic through some WireGuard Switzerland VPN client.

  • crunchbits, Hosting Provider

    @Ympker said:

    @crunchbits said:

    @terrorgen said:
    I currently have 3 vlans: one for phones and computers, one for IOT stuff, and one for guests.

    I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.

    When my daughter grows up I'll probably create one VLAN just for her electronics.

    Really similar to what I am doing. One VLAN for my desktop/work PC and work phone, one for everything else in the house, one for guests. Using AdGuard Home and have found it to be pretty decent. Pi-hole was a bit too aggressive, breaking stuff that even I cared about; so far AdGuard Home has been decent. I did try Pi-hole quite a while ago, though. If my wife can't click Google ads, good. I'll ignore those complaints if she raises them.

    That's a good idea about your daughter. I think I'll do the same when the time comes.

    Kinda weird question, but are there routers that support using a VPN for the guest network only? Personally, I use a VPN on the application level or on VirtualBox machines when needed. However, I've been thinking about routing traffic from the guest network over some Switzerland VPN. My Asus router can't seem to achieve this rn, but I assume it's difficult to achieve this with one router in general, eh? Considered deactivating my guest network on the Asus and getting a portable VPN router (Mango or better) and using it to create the guest network. That way I can separate the two and can easily route guest traffic through some WireGuard Switzerland VPN client.

    Off the top of my head, not sure. I think the easiest is probably what you said: just get a second/portable vpn router for guest network. I think it's doable with Ubiquiti stuff--as in you can set VPN for the network, but you'd just create separate networks on your existing AP's. I just haven't tried, myself.

  • @Ympker said:

    @crunchbits said:

    @terrorgen said:
    I currently have 3 vlans: one for phones and computers, one for IOT stuff, and one for guests.

    I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.

    When my daughter grows up I'll probably create one VLAN just for her electronics.

    Really similar to what I am doing. One VLAN for my desktop/work PC and work phone, one for everything else in the house, one for guests. Using AdGuard Home and have found it to be pretty decent. Pi-hole was a bit too aggressive, breaking stuff that even I cared about; so far AdGuard Home has been decent. I did try Pi-hole quite a while ago, though. If my wife can't click Google ads, good. I'll ignore those complaints if she raises them.

    That's a good idea about your daughter. I think I'll do the same when the time comes.

    Kinda weird question, but are there routers that support using a VPN for the guest network only? Personally, I use a VPN on the application level or on VirtualBox machines when needed. However, I've been thinking about routing traffic from the guest network over some Switzerland VPN. My Asus router can't seem to achieve this rn, but I assume it's difficult to achieve this with one router in general, eh? Considered deactivating my guest network on the Asus and getting a portable VPN router (Mango or better) and using it to create the guest network. That way I can separate the two and can easily route guest traffic through some WireGuard Switzerland VPN client.

    On Mikrotik you could do this for sure :)

    • Separate subnets for each device at home;
    • Separate DNS servers for each floor (2 floors);
    • Big dog guarding router at 1st floor and fat, aggressive cat at 2nd guarding repeater;
    • Balcony guarded by domesticated, trained raven;
    • WIFI passwords generated with an XChaCha20 variant with 192-bit randomized nonces and no exposed counter. Regenerated each time a guest connects to the guest WIFI subnet;
    • Kids are trained to immediately report any attempts for asking our home WIFI password.
  • @daffy said:

    @Ympker said:

    @crunchbits said:

    @terrorgen said:
    I currently have 3 vlans: one for phones and computers, one for IOT stuff, and one for guests.

    I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.

    When my daughter grows up I'll probably create one VLAN just for her electronics.

    Really similar to what I am doing. One VLAN for my desktop/work PC and work phone, one for everything else in the house, one for guests. Using AdGuard Home and have found it to be pretty decent. Pi-hole was a bit too aggressive, breaking stuff that even I cared about; so far AdGuard Home has been decent. I did try Pi-hole quite a while ago, though. If my wife can't click Google ads, good. I'll ignore those complaints if she raises them.

    That's a good idea about your daughter. I think I'll do the same when the time comes.

    Kinda weird question, but are there routers that support using a VPN for the guest network only? Personally, I use a VPN on the application level or on VirtualBox machines when needed. However, I've been thinking about routing traffic from the guest network over some Switzerland VPN. My Asus router can't seem to achieve this rn, but I assume it's difficult to achieve this with one router in general, eh? Considered deactivating my guest network on the Asus and getting a portable VPN router (Mango or better) and using it to create the guest network. That way I can separate the two and can easily route guest traffic through some WireGuard Switzerland VPN client.

    On Mikrotik you could do this for sure :)

    Yes. I do something similar. Mikrotik lets you run as many OpenVPN clients (or other protocols) as you want and tie each of them to a subnet, VLAN, or whatever.

  • @legendary said:

    • Separate subnets for each device at home;
    • Separate DNS servers for each floor (2 floors);
    • Big dog guarding router at 1st floor and fat, aggressive cat at 2nd guarding repeater;
    • Balcony guarded by domesticated, trained raven;
    • WIFI passwords generated with an XChaCha20 variant with 192-bit randomized nonces and no exposed counter. Regenerated each time a guest connects to the guest WIFI subnet;
    • Kids are trained to immediately report any attempts for asking our home WIFI password.

    What if the kids ask for the password? Ravens like shiny stuff, Cat likes any food that doesn't eat it first same as dog.

    Flaws big time flaws I tells yas!

  • @legendary said:

    • Balcony guarded by domesticated, trained raven;

    Plot twist: birds are not real and that raven is an NSA drone.


  • edited January 2023

    I am not having fun trying to setup VLANs on the cheap. The switch configuration interfaces and documentation suck, and I have access point issues as well. I would like to find different access points. Figuring out how to "bootstrap" the configuration so that I don't cut off connections to devices has been tricky, too. I do not have PoE, either. I am not there yet. I am still running on one common internal LAN with the VLAN switches operating like the previous unmanaged switches.

    Those cheap TP-Link TL-SG10xE (e.g., TL-SG105E or TL-SG108E) are part of the problem. I bought them for their low price and the fact that they support 802.1q VLANs. Sometimes they are labeled "unmanaged" and sometimes "managed" depending on which revision you buy. (Refurbished v5s are available and labeled "unmanaged". The current v6 is "managed". The interfaces and operation appear to be the same). Those cheap TP-Link VLAN switches have other issues, too. For example, the management is over HTTP. Yes, it exposes usernames and passwords in the clear. I sniffed them off the LAN to confirm. HTTPS is not supported.

    Adding: My goal is to isolate consumer devices (game consoles, video streaming, home appliances, cameras, etc.) from the rest of the home network.

  • @jmaxwell said: Plot twist: birds are not real and that raven is an NSA drone.

    Drone targeting eyes and shitting on the heads of guests. Well mannered.

  • I renamed my router to "virus"; I bet no one is trying to connect to it anymore. Privacy comes 1st, follow me for me helpful tips!

  • Privacy?
    Not much.

    My father/mother gets a separate SSID and password.
    When it's connected, it's the same subnet.

    Two IoT devices are moved to separate subnet.
    It's for performance reason, to isolate their broadcast traffic from the rest of network.


  • havoc, OG Content Writer
    edited January 2023

    Spent most of this weekend restructuring the network to get everything behind an OPNsense firewall so that I can block traffic that is sus (IoT etc.). Also figured out how to stream the logs out so that I can bulk-log stuff to analyze what's going on.

    Beyond that - adguard home, ghostery, FF containers, privacy badger and ublock origin.

    Imperfect, but I'd say that's above average overall

  • @tetech said:
    I try not to use crappy devices in the first place, but I put stuff like Chinese surveillance cameras on their own subnet or VLAN and completely block them from anything outgoing. If it requires "setup via app" I'm not touching it.

    Any recommendations for non-RGB bulbs that don't "work with Tuya"? The marketplace is flooded with them.


  • @terrorgen said:

    @tetech said:
    I try not to use crappy devices in the first place, but I put stuff like Chinese surveillance cameras on their own subnet or VLAN and completely block them from anything outgoing. If it requires "setup via app" I'm not touching it.

    Any recommendations for non-RGB bulbs that don't "work with Tuya"? The marketplace is flooded with them.

    You mean like smart bulbs? I use deCONZ and Zigbee, they have a compatibility list. I got a pack of Innr LEDs that are still going.

  • @AuroraZero said:

    @legendary said:

    • Separate subnets for each device at home;
    • Separate DNS servers for each floor (2 floors);
    • Big dog guarding router at 1st floor and fat, aggressive cat at 2nd guarding repeater;
    • Balcony guarded by domesticated, trained raven;
    • WIFI passwords generated with an XChaCha20 variant with 192-bit randomized nonces and no exposed counter. Regenerated each time a guest connects to the guest WIFI subnet;
    • Kids are trained to immediately report any attempts for asking our home WIFI password.

    What if the kids ask for the password? Ravens like shiny stuff, Cat likes any food that doesn't eat it first same as dog.

    Flaws big time flaws I tells yas!

    Bribe the kitty. Bring top quality sausage.

  • vyas, OG
    edited January 2023

    Has anybody asked that little girl what Privacy protection means? The enclosure was the little girl's home.

  • Hostaris, Hosting Provider
    edited January 2023

    I'm not really too fussed about home security - I live in a city (Liverpool) where everyone is all thick and doesn't have a clue what an "internet" is. In terms of online protections, I just use uBlock on chrome.

  • AuroraZero, Retired
    edited January 2023

    I am so paranoid I don't even let myself on the network
