Kodi-Box in RED or GREEN?

Hey!
I got Kodi (Libreelec) on Raspi and want to use it in my own network.
And I want it to use Tor via SOCKS.

I first installed it in the GREEN network and configured it. It works.

Then I thought about the security and it’s a question: Is it better to install it in RED? Because of the addons (netflix, kodinerds). But then I must allow RED-IP for the TOR on ipfire. Is it a lack of security or not? As I understand, it IS one, because one RED IP can get within the internal network. So is it better to install the Box in the Green network, even with the addons?

Best regards
fstarter

I am not following. The red zone is internet. It is the entry point to the firewall. If you put a kodi box on the red side of your firewall, it means that you have another router taking the internet connection coming from your provider and routing it to IPFire; if you put kodi in the local area network of this router in front of IPFire, then it is on the red side of IPFire. Is this what you are talking about?

If yes, it has no protection from the firewall. If you do not care, go ahead. About any risk for the green network, unless you create special rules to allow traffic from kodi to go inside the green network (usually you need a destination nat for that) it is not different from any other possible attack coming from any other host on the internet.

1 Like

oh, sorry, forgot to mention that. Yes this is, what I tried here.

  1. To put the kodi box between the ipfire and the provider router
  2. to put the kodi box within the ipfire network (GREEN)

The best way, perhaps, would be to get the kodi box as DMZ within ipfire. But I have just GREEN and RED (and BLUE for wifi). So no free LAN for DMZ.

I think you only need to decide if you need IPFire to protect kodi. Regarding a potential surface of attack for the rest of the network, unless you write some specific rule in the firewall to allow access from the red side to green side, there is no increased danger.

1 Like

The thing is that I cannot understand the level of trust for the kodi apps (not from libreelec directly, but from the most used sources / forgot the names of them). I suppose they are not very trustworthy. To have them within the GREEN is probably not so wise. So, is it a better solution to put kodi in the RED?

What is about tor on ipfire? Even if the libreelec seems to have problems with the SOCKS proxy, I want to try to use it. But how can I do it?

FW rule: kodi-IP in RED allow to ipfire in GREEN with destination NAT and TCP 9050
tor has just GREEN and BLUE as allowed subnet, so I suppose I must allow RED, isn’t it? (By the way, I did that, just to try, but it seems not to work).

But is it not a security problem, if I allow RED to connect to the GREEN ipfire (even for tor)??

I think you have to set in the port forward rule as destination the firewall (meaning, IPFire machine).

Of course it is.

I think you have two options for a sensible topology of the network:

  1. put kodi machine in green and write a set of rules to block any traffic from kodi to the rest of the green network, except the tor traffic and the outbound internet traffic; not ideal but feasible; test your rules if you do this;
  2. Increase the number of network interfaces to have a DMZ (technically better but the tradeoff is the purchase of new hardware):
    2a) Buy a “smart” (as in layer 3) switch and sort the traffic using the VLAN in the existing network interfaces;
    2b) buy an extension ethernet card or even a usb/ethernet adapter (compatible with the linux kernel used by IPFire).
1 Like
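
A way to test rules like those in option 1 (added example, not part of the original posts): run from the Kodi machine, it attempts a TCP connection to each target and reports every case where the result differs from the intended policy. All addresses are constructed placeholders; port 9050 is the Tor SOCKS port from the thread and 444 is the IPFire web interface port.

```python
import socket


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unroutable all count as "not reachable".
        return False


def audit_policy(policy, probe=tcp_reachable):
    """Compare the intended policy with what is actually reachable.

    policy: list of (host, port, should_be_reachable) tuples.
    Returns the violations as (host, port, expected, observed) tuples.
    """
    violations = []
    for host, port, expected in policy:
        observed = probe(host, port)
        if observed != expected:
            violations.append((host, port, expected, observed))
    return violations


# Constructed placeholder addresses: 192.168.1.1 stands for IPFire's GREEN
# address, the others for ordinary hosts in the GREEN network.
POLICY = [
    ("192.168.1.1", 9050, True),    # Tor SOCKS on IPFire: must be reachable
    ("192.168.1.1", 444, False),    # IPFire web interface: must be blocked
    ("192.168.1.10", 22, False),    # SSH on a GREEN host: must be blocked
    ("192.168.1.20", 445, False),   # SMB on a GREEN host: must be blocked
]

if __name__ == "__main__":
    found = audit_policy(POLICY)
    for host, port, expected, observed in found:
        print(f"VIOLATION {host}:{port} expected reachable={expected}, "
              f"observed reachable={observed}")
    if not found:
        print("All probes match the intended policy.")
```

An empty result only covers the ports listed, so the list should include every service the GREEN hosts actually offer.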

this is THE solution! USB-LAN-Adapter. But which adapters are compatible? I use ipfire 2.27 with 168 core.

The DuoBox I have here has 2 USB-ports. If I connect my USB-Lan-Adapter (I have two of them: Anker A8341 / LogiLink UA0184A v.2) and set every 4 Zones on active, It shows “remove” on the ORANGE instead of the adapter. So I think they are both not compatible.

Or must I do something special to activate the USB-LAN-Adapter?

#Edit: ok, they seem not to be compatible:

You need to run setup from the console and repeat the assignment of the network interfaces. There you will see if the adapter is recognized or not.

that I made and got what I wrote above. So they seem not to be compatible. Bought one with an asix chipset. So we’ll see.

After plugging the adapter and connecting the ethernet cable I would reboot and then run setup. Just in case.

2 Likes

good idea, thanks! But both seem not to be recognized. So I wait for the supported one (hope so).

Bought a new one with ASIX 88179 chipset (Ugreen USB 3.0), connected it to the USB of my DuoBox, rebooted it and it still shows me “remove” or “reject” (I translate it from German) on ORANGE network (and no network card / adapter).

Did you do this?
Not sure where you see your error message.

sure, I rebooted after plugging in.

Networking → Type of Network configuration → set to GREEN - BLUE - RED - ORANGE → go back to network card mapping

There I have 9 lines:
GREEN
PCI
GREEN
RED
PCI
RED
ORANGE
BLUE
BLUE

Everywhere there is a MAC address, the name of the controller and the network card, but for ORANGE I have just “remove” (translation from German).

By the way… if no USB-LAN-Adapter is plugged in, it also shows “remove” on ORANGE.

Did you select the ORANGE network to choose a network interface?

Is your interface found during boot up ( messages in /var/log/message and/or /var/log/bootlog ) ?

What do you mean by that?
As I understand, I must first set “type of the network configuration” to all 4 kinds of networks. There it says to me that I have just 3 and not 4 network cards. After that it just shows “remove” on ORANGE.

Wow… I must ask a very stupid question :smiley:
If I list the / on ipfire it shows “ipfire”, but if I “cd ipfire” it shows “no such file or directory”. What’s that??? So I cannot read the logs.

#Edit: ok “cd …” helps :smiley: but what’s that directory I was in?

Can not really find something, which has to do with USB-LAN-Adapter in “/var/log/message”

In “bootlog” I get:

ax88179_178a 3-2:1.0 eth0: register 'ax88179_178a' at usb-0000:00:14.0-2, ASIX AX88179 USB 3.0 Gigabit Ethernet, f8:e4:3b:92:ef:c0 

So it seems to be my Adapter.

Hmmm… after that entry I have the following:

[    4.209290] usbcore: registered new interface driver ax88179_178a [    4.512277] EXT4-fs (sda4): re-mounted. Opts: (null). Quota mode: none. [    4.596572] EXT4-fs (sda4): re-mounted. Opts: (null). Quota mode: none. [    4.615146] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none. [    4.659944] Adding 990844k swap on /dev/sda3.  Priority:1 extents:1 across:990844k SSFS 

Does it mean, that it mounts the adapter as data drive?? I have no usb flash connected to DuoBox. Or is it just the internal one and has nothing to do with the entry below?

The first element on each line ( you mixed several lines, I suppose ) is the time since system start. Each line reports a new event.
The event at 4.209290 registers the driver for the USB LAN adapter. So it should be found as network interface by setup.
The way to network selection ( for a german system )

  • Networking
  • Netzwerkkartenzuordnung
  • scroll down till " Möchten Sie diese Einstellungen ändern? " , OK
  • select ORANGE, press “Auswählen”
  • now you should be able to select your USB LAN interface ax88179-178a
1 Like

That was the crazy point I did not understand! :smiley:
I did not understand, that the “ok” on this point sends me to the settings of the network cards.

thanks a lot!!! So I have DMZ running now and will play around with that!

1 Like

Ok, just one more step to get the KODI-box running :smiley:

I configured the ORANGE and set it to 10.x.x.0, configured the KODI-Box and set it to 10.x.x.1 with (first try) the gateway 10.x.x.0 (and second try with the gateway of the provider router). The network mask is on both (network card and KODI-Box) on 255.255.255.0. I also set the external DNS server in the Kodi-Box. As I understand, I need no firewall rule for ORANGE just to get with the KODI-Box to the Internet. In both cases (two different gateways, although I think that the 10.x.x.0 gateway is the right one) I got no connection.

A network 10.x.y.0/24 ( netmask 255.255.255.0 ) has two special IPs

  • 10.x.y.0 is the network address ( ‘name’ )
  • 10.x.y.255 is the broadcast address

Both cannot be used by individual devices. A possible setting is IPFire:=10.x.y.1 and Kodi:=10.x.y.2 .

2 Likes
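
The rule from the last post as a check on a static IPv4 configuration (added example, not part of the original thread): it flags a host or gateway that sits on the network or broadcast address, and a gateway outside the subnet. 10.1.2.0/24 and 192.168.0.1 are constructed stand-ins for the elided ORANGE network and the provider router.

```python
import ipaddress


def check_static_config(address, netmask, gateway):
    """Return a list of problems found in a static IPv4 configuration."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    # /31 and /32 networks have no reserved network/broadcast address.
    reserved = {}
    if net.prefixlen <= 30:
        reserved = {
            net.network_address: "network address",
            net.broadcast_address: "broadcast address",
        }

    problems = []
    for label, ip in (("address", iface.ip), ("gateway", gw)):
        if ip in reserved:
            problems.append(f"{label} {ip} is the {reserved[ip]} of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is the host's own address")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the attempts described in the thread.
    attempts = [
        ("10.1.2.1", "255.255.255.0", "10.1.2.0"),     # gateway = network address
        ("10.1.2.1", "255.255.255.0", "192.168.0.1"),  # gateway = provider router
        ("10.1.2.2", "255.255.255.0", "10.1.2.1"),     # the suggested setting
    ]
    for address, netmask, gateway in attempts:
        result = check_static_config(address, netmask, gateway)
        print(address, "via", gateway, "->", result or "ok")
```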