Just wanted to add… After reading your initial post I did some more digging on adding tracking headers, etc… especially by T-Mobile.
While it’s definitely a thing, it only applies to HTTP traffic. Even HTTPS blocks their ability to add those headers. So any traffic that’s using any other protocol (DNS, email, ssh, or just gaming, etc…) would be safe from your ISP from at least trying to add these tracking headers.
Yes but while the service is targeted for home use there still is remote work which generally requires a VPN back to the company network. They wouldn’t be able to block this. Now sure they might be more inclined to block Mullvad but they’d impact too many businesses by blocking wireguard as a whole.
And assuming they did block Mullvad but not wireguard… Just rent a VPS and install a wireguard server and client there to bridge back to Mullvad.
I know this doesn’t help much but I use T-Mobile cell towers with an always on VPN with no issue. But I don’t see why they’d block Mullvad. (I’d be more concerned that they’d block them than wireguard in general). But there’s completely legitimate reasons to use both so I don’t see them really bothering to block either.
If you’re worried about your IoT devices on your LAN the problem isn’t necessarily that they can access WAN but rather that there’s a security vulnerability and that they can be accessed by the WAN. Once a device is compromised and attacker can then use it as a “beachhead” to access other devices on your network.
So for example, with my setup every IoT device is on a separate VLAN (the guest network acts similarly) which can’t get access to WAN, can’t be accessed from the WAN and can’t initiate any network calls to any other VLAN. Now my primary VLAN can talk to my IoT VLAN, and IoT can talk back, it just can’t start the communication.
This does pose a problem for TVs though that need to talk to Jellyfin as hinted at in the original post. So what you could do is create a specific firewall rule that allows the TVs to at least initiate communication to Jellyfin but not any other device on your primary VLAN. This will probably require a more sophisticated router though than most of the consumer ones out there. Just be mindful that if n IoT device is compromised they can then try to attack the jellyfin server to jump to your other VLAN and then the rest of your network.