How far do you take privacy on your home network?
Reading the following story from /r/privacy ( https://www.reddit.com/r/privacy/comments/10ia9nm/normie_gf_gifts_me_an_amazon_kindle_and_chaos/ ) made me wonder how restrictive/tight you guys have configured your home network when it comes to "privacy"?
Personally, I have to admit that I haven't really setup any privacy-related measures in my home network. On my devices I use Google DNS/Cloudflare DNS along with AdGuard in the browser. I'd assume that some people might have more tight privacy settings, though.
Normie gf gifts me an Amazon Kindle and chaos ensues
She meant well. I thanked her for the Amazon Kindle and she says, "well, let's set it up!" She was so excited. I was full of anxiety.
The Kindle attempts to reach the internet and my pfSense was like, "nuh-uh". Girlfriend gets very agitated that the device can't seem to connect. Since the Kindle just gives her an error message which says, "This device can't seem to connect to your WiFi," she thinks she's just entering the password incorrectly. She is close to tears and explains how she wrote a short story about us and self-published it and that it was a surprise and she wanted me to read it.
Ugh. How was I going to tell her, "babe that's great but Amazon has hardcoded this thing to use its own DNS-over-HTTPS and this aggression will not stand, man. I just need a little time to assign this devil device a static IP and write a quick redirect in pfSense.
So I do that. But once we're using my DNS, one of the servers the Kindle pings is,
kindle-wifi-cn.amazon.cn
, which gets blocked. Jezzzus. I have a block on a few TLDs. One of those is*.cn
. By this time she is screaming at me and in full tears. So I just say, "fuck it" and whitelist that single entry and that is enough to get the god damn tablet up and running.I linked it to her amazon account. It works but I put it in airplane mode as soon as I could. Make sure you blacklist
dns.kindle.com
or use a regex which catches all 3rd party DNS lookups which contain the phrasedns
(that's what I do). Blocked DNS lookups that this Kindle made include:amazoncustomerservice.d2.sc.omtrdc.net device-metrics-us.amazon.com unagi.amazon.com c.amazon-adsystem.com
Then I told her that I'd keep it at her place. Her short story was really fun to read and then I took her out to dinner; so everything was fine in the end.
Edit:
This post is being shown to people outside of /r/privacy so to those people, the reason why I want to enforce my DNS (vs. Amazon's DNS) is because I want to block ads and tracking (telemetry) on Amazon's Kindle. The reason I block DNS lookups to China is because I work for a company that contracts with the US government so anything with a
*.cn
(Chinese TLD) from my home IP address creates paperwork that I don't want to do. Having a blanket block on the TLD keeps things simple.
Comments
On my Wi-Fi, I have suffixed "optout_nomap", especially for Windoze devices
_ [I hate surreptitious crap like that. Oh, and poxy markdown!]
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
Google DNS, sometimes cached on a local mikrotik... If issues arrise i sometimes use Cloudflare DNS...
I also use Huawei router which contacts motherhip to tell them how am i doing, the auto upgrade is disabled, but if there is a new version, it literally makes MITM of HTTP traffic until i login and press manually upgrade, wonky Xiaomi access points, they broadcast IP 1-254 arps scanning my network literally each second...
tplink switches, tenda switches... Xiaomi Redmi ads 'subsidized' phone... Even Chinese vibrators require full phone permissions, IMEI, GSM number, Camera, microphone, access to media...
I rely on uBlock Origin within Chrome of Firefox, to clean all the crap. And it does, quite well.
As you get older, you stop giving a fuck.
So i would say, not restrictive, at all.
All hackers and unwanted visitors are required to sign my guestbook, though.
Seems fair enough. I also have some security measures in place, but not really restrictive in terms of privacy.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
The people in /r/privacy are extremists. It’s just a pissing contest for who has the most extreme restrictions on their network. The fact they refer to their SO as ‘a normie’ says it all.
Also, why the fook would Amazon use a .cn domain? Sounds like a counterfeit Kindle?
Full disclosure: I do have some restrictions in place. My guest wifi is on a separate VLAN and works with temporary passwords that expire after a set time or when I want to. I have a network for good friends with a fixed password, but that VLAN only connects to the internet and I have a separate VLAN for devices that I won’t have connected to the internet. Just to keep it a bit sane (and my home network safe).
I currently have 3 vlans: one for phones and computers, one for IOT stuff, and one for guests.
I run Adguard home and my wife constantly complains about the ads on Google search results that she can't click.
When my daughter grew up i probably create one vlan just for her electronics.
The all seeing eye sees everything...
self-host adguard, especially for android private dns
for windows pc had to use like wpd.app and use their firewall preset
my iot devices doesn't require treatment since i make them from scratch, either using esp32 or some small raspberry pi boards (for home automation/ cctvs)
Fuck this 24/7 internet spew of trivia and celebrity bullshit.
Sophos XG Firewall & 2 Rasp Pi's running PiHole is about it privacy wise, I use DNS over HTTPS but the PiHole's handle that.
lex.st - Free Shared Hosting in 4 Locations. fk ipv6.
I try not to use crappy devices in the first place, but I put stuff like Chinese surveillance cameras on their own subnet or VLAN and completely block them from anything outgoing. If it requires "setup via app" I'm not touching it.
Most people I know use smartphones, social networks, and payment cards (Visa, Mastercard etc.) - so not much use in trying to protect their privacy from my home network.
The same goes for me since I started my websites and YouTube.
Those few who really care about their privacy usually don't even ask for a Wi-Fi password when they go somewhere.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
I was also quite surprised they called their SO "normie". Also the measures in place made me think it's kind of extreme. That's why I was wondering how people here did things.
This is similar to what I was thinking. Sure, I use AdGuard, but that's about it. And I haven't even configured AdGuard on router level, because like @terrorgen some content might become inaccessible and the gf or other people using the network (e.g. my parents, when I was still living at home) were sometimes having trouble reading e.g. (news) sites that prevent people with Adblock from reading their content. If it was a browser extension they could simply turn it off and read the desired page, but changing DNS is still more "difficult". And to be honest, AdGuard browser extension (AdGuard family) is working just fine.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Really similar to what I am doing. One VLAN for my desktop/work PC and work phone, one for everything else in the house, one for guests. Using AdGuard Home and have found it to be pretty decent. Pihole was a bit too aggressive breaking stuff that even I cared about, so far adguard home has been decent. I did try pihole quite awhile ago, though. If my wife can't click google ads, good. I'll ignore those complaints if she raised them.
That's a good idea about your daughter. I think I'll do the same when the time comes.
NVMe VPS | Ryzen 7950X VDS | Dedicated Servers -- Crunchbits.com
Kinda weird question, but are there routers that support using VPN for guest-network only? Personally, I use VPN on the application level or on virtualbox machines when needed. However, I've been thinking about routing traffic from guest network over some Switzerland VPN. My Asus router can't seem to achieve this rn, but I assume it's difficult to achieve this with one router in general eh? Considered deactivating my guest network on Asus and gettingg a portable vpn router (Mango or better) and use it to create the guest network. That way I can separate the two and can easily route guest traffic through some Wireguard Switzerland vpn client.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Off the top of my head, not sure. I think the easiest is probably what you said: just get a second/portable vpn router for guest network. I think it's doable with Ubiquiti stuff--as in you can set VPN for the network, but you'd just create separate networks on your existing AP's. I just haven't tried, myself.
NVMe VPS | Ryzen 7950X VDS | Dedicated Servers -- Crunchbits.com
On Mikrotik you could do this for sure
FreeVPS.org - Grab a free VPS! | SOGo Webmail - Powered by Alinto
Yes. I do something similar. Mikrotik lets you run as many OpenVPN clients (or other protocols) as you want and tie each of them to a subnet, VLAN, or whatever.
What if the kids ask for the password? Ravens like shiny stuff, Cat likes any food that doesn't
eat it first same as dog.
Flaws big time flaws I tells yas!
Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
Plot twist: birds are not real and that raven is an NSA drone.
Why?
I am not having fun trying to setup VLANs on the cheap. The switch configuration interfaces and documentation suck, and I have access point issues as well. I would like to find different access points. Figuring out how to "bootstrap" the configuration so that I don't cut off connections to devices has been tricky, too. I do not have PoE, either. I am not there yet. I am still running on one common internal LAN with the VLAN switches operating like the previous unmanaged switches.
Those cheap TP-Link TL-SG10xE (e.g., TL-SG105E or TL-SG108E) are part of the problem. I bought them for their low price and the fact that they support 802.1q VLANs. Sometimes they are labeled "unmanaged" and sometimes "managed" depending on which revision you buy. (Refurbished v5s are available and labeled "unmanaged". The current v6 is "managed". The interfaces and operation appear to be the same). Those cheap TP-Link VLAN switches have other issues, too. For example, the management is over HTTP. Yes, it exposes usernames and passwords in the clear. I sniffed them off the LAN to confirm. HTTPS is not supported.
Adding: My goal is to isolate consumer devices (game consoles, video streaming, home appliances, cameras, etc.) from the rest of the home network.
Drone targeting eyes and shitting on the heads of guests. Well mannered.
i renamed my router to virus, i bet noone is trying to connect to it anymore. privacy comes 1rst, follow me for me helpful tips !
Privacy?
Not much.
My father/mother gets a separate SSID and password.
When it's connected, it's the same subnet.
Two IoT devices are moved to separate subnet.
It's for performance reason, to isolate their broadcast traffic from the rest of network.
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
Spent most of this weekend restructuring network to get everything behind a opnsense firewall so that I block traffic that is sus (IoT etc). Also figured out how to stream the logs out so that I can bulk log stuff to analyze what's going on
Beyond that - adguard home, ghostery, FF containers, privacy badger and ublock origin.
Imperfect, but I'd say that's above average overall
Any recommendations for non RGB bulbs that doesn't "works with Tuya"? The marketplace is flooded with them.
The all seeing eye sees everything...
You mean like smart bulbs? I use deCONZ and Zigbee, they have a compatibility list. I got a pack of Innr LEDs that are still going.
Bribe the kitty. Bring top quality sausagg.
Has anybody asked that little girl what Privacy protection means? The enclosure was the little girl's home.
blog | exploring visually |
I'm not really too fussed about home security - I live in a city (Liverpool) where everyone is all thick and doesn't have a clue what an "internet" is. In terms of online protections, I just use uBlock on chrome.
I am so paranoid I don't even let myself on the network
Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?