How do I see all devices on my LAN?

I want to do things like cast from Chrome to my chromecast and connect to servers on my LAN. How can I do this? I just want to set up one insecure domU for things like this.

The qube that has your ethernet adapter connected (usually sys-net) can access everything on its network like a normal GNU/Linux would be able to. Start from there.

You’ll need to apply firewall rules to forward chromecast between sys-net, qubes between your sys-net and your qube where you want to use chromecast (qube-chromecast).
It’s as if qube-chromecast is behind multiple routers with NAT and you need to configure them accordingly.

Running Chrome and chromecast is removing any “privacy” feature of using Qubes anyways. :man_shrugging:
Chromecast is relentlessly tracking you (and your neighbor’s) WiFi, apps, stream preferences etc.
But, I guess it is doable, if you open enough ports and protocols:

One of Chromecast’s components, the DIAL Service Discovery protocol, uses Simple Service Discovery Protocol (SSDP) version 1.1, which is defined by UPnP (Universal Plug and Play), to allow a DIAL client device to locate a DIAL server device running on the same network. The other component, the DIAL REST (representational state transfer) Service, is then accessed to query, launch or stop applications using HTTP (hypertext transfer protocol) requests from the client device to the server device. In the case of Chromecast, your phone, tablet or computer is the client and the Chromecast itself is the server.

I am not 100% sure how chromecast works, but I have the firm technical understanding that this statement is factually wrong.

In the worst case it removes any expectation of privacy from the used qube, not every qube on the system.

It is technically impossible for any app on a qube to scan your or any other nearby wifi if said qube does not hold a physical wifi adapter. With QubesOS it is not able to infer any information on running apps or other streams from other qubes.

However, it may attempt to scan the LAN. You can restrict it from doing so with firewall rules of your upstream netvm. Restrict it only to your streaming target like your TV.

Even though this is not the topic at hand, I want to give a quick answer to the title of the post: How do I see all devices on my LAN?

You can use nmap to enumerate devices in a LAN.

Installation

sudo apt install nmap -y
# or sudo dnf install nmap -y

Usage for a quick list of online devices:

nmap -sP <target>

For a typical residential wifi/LAN this should work:

nmap -sP 192.168.1.0/24

You may need to adapt the address from 192.168.1. to 192.168.178. or whatever your LAN range looks like. You find this information in your sys-net with ip a.
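
Added example, not part of the original post: a small shell helper for sys-net that reads the routing table and prints the directly connected LAN range to pass to the nmap ping scan above, instead of guessing between 192.168.1.0/24 and 192.168.178.0/24. The function name, the sample routes, and the assumption that links to downstream qubes are named vif* are illustrative.

```shell
#!/bin/sh
# Added example: derive nmap ping-scan targets from the routing table in sys-net.

# Reads `ip -4 route show` output on stdin and prints one directly connected
# LAN network (CIDR) per line. Skipped:
#   - default and gateway routes ("default", anything with "via")
#   - host routes without a prefix length, or /32 (nothing to sweep)
#   - vif* devices, the virtual links to downstream qubes (assumed naming)
#   - loopback
lan_targets() {
    awk '
        $1 == "default" { next }
        / via /         { next }
        $1 !~ /\//      { next }
        $1 ~ /\/32$/    { next }
        {
            dev = ""
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == "" || dev == "lo" || dev ~ /^vif/) next
            # the same LAN reached over wired and wireless is listed once
            if (!seen[$1]++) print $1
        }
    '
}

# Constructed sample of `ip -4 route show` from a sys-net with a wired and a
# wireless uplink plus two downstream qubes; not captured from a real system.
SAMPLE_ROUTES='default via 192.168.178.1 dev ens6 proto dhcp metric 100
192.168.178.0/24 dev ens6 proto kernel scope link src 192.168.178.23 metric 100
192.168.178.0/24 dev wls7 proto kernel scope link src 192.168.178.41 metric 600
10.137.0.5 dev vif5.0 scope link metric 32747
10.137.0.9 dev vif9.0 scope link metric 32743'

# "scan" sweeps the networks found in the live routing table; without an
# argument the script only shows what it would pick for the sample.
if [ "${1:-}" = "scan" ]; then
    ip -4 route show | lan_targets | while read -r net; do
        nmap -sP "$net"
    done
else
    printf '%s\n' "$SAMPLE_ROUTES" | lan_targets
fi
```

Run it with the argument scan inside sys-net to sweep the networks it finds; the internal 10.137.x.x links to other qubes are left out of the scan.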

What I meant is that it puts you right there on the map, i.e. Google will know your present location.

Hold on, I was referring to the “apps” used on Chromecast, like Spotify, YouTube.

Well, I had a feeling that I should’ve said nothing, because my post could be misconstrued easily. And the info about the Chromecast protocols and ports is nothing more than “let me Google this for you”.
Carry on…

Thanks for your clarification.

I agree with you, that the privacy situation is pretty bad when using google services. However QubesOS gives you the tools needed to minimize exposure. Sorry for misinterpreting your post.

Firewall rules are not enough.

I have a trick I use to allow Home Assistant to see mDNS. My HA instance runs in a qube behind a NetVM, and I run the avahi reflector in that NetVM to reflect between the Ethernet device and the virtual network device attached to HA’s qube. Pretty much every smart device, in particular ESPHome chips, is discovered by HA no problemo.

Of course, this only works because I am running qubes network server with the HA qube set to routing mode instead of masquerade mode, and the HA VM permits inbound mDNS traffic on port 5353.

I can share the configs tomorrow.

I also have a socat-based trick to relay Wake-on-LAN packets from HA thru to the LAN. Gotta turn on that media center HTPC somehow!

Stand by for configs…

#!pyobjects

# Salt pyobjects config for configuring Avahi in NetVM attached to machine that needs to see LAN mDNS
# you get the idea of how it looks like

from salt://lib/qubes.sls import fully_persistent_or_physical, rw_only_or_physical


if fully_persistent_or_physical():
    milestone = [Pkg.installed('avahi').requisite]
else:
    milestone = []

if rw_only_or_physical():
    with Qubes.bind_dirs(
        'avahi-config',
        directories=['/etc/avahi/avahi-daemon.conf'],
        require=milestone
    ):
        IniWithoutSpaces.options_present(
            '/etc/avahi/avahi-daemon.conf',
            separator="=",
            sections={
                "server": {
                    "allow-point-to-point": "yes",
                },
                "reflector": {
                    "enable-reflector": "yes",
                },
            },
        )
    Service.running('avahi-daemon', watch=[IniWithoutSpaces('/etc/avahi/avahi-daemon.conf')])

Of course, both NetVM and VM behind it must have firewall rules allowing for port 5353:

  mediadisco: &mediadisco
  - from:
    - netc # one subnet
    - ois  # the other subnet
    to: 224.0.0.0/4 # these are all inputs to these addresses
    proto: udp
    to_ports: 5353
    comment: allow mDNS services to discover each other
    action: accept
