homelab

76
 
 

I currently have my reverse proxy on my NAS. That means I forward all of my 443 HTTPS traffic to my NAS. I am using OpnSense for my router, and there are several options for reverse proxies on that. Everything works the way it is now, but I do wonder if it would be "better" if I moved all of the reverse proxy stuff to my router. I don't know that anything would be simpler to manage one way or the other, so I think it comes down to best practices and security. If I move the reverse proxy to my router, I would be able to remove that forwarded port, but is that really any more or less secure?

77
 
 

Looking to build my first server out, trying to figure out if there is a "better" platform for my needs. Right now I'm just planning a mix of machines and containers in Proxmox for running a NAS and Plex server, router of some sort (also, any preferences on wireless access points?), a pihole if that's not just as easily done in whatever router OS I decide on, VPN, and 3-5 various machines/containers going in and out of service as I find what my needs else I want to play with and host continuously.

Basically just looking for bang for the buck CPU/chipsets people are getting for this use case. Any advantages of AMD vs Intel in mid-consumer level options? Is getting something similar with more efficiency cores worth worrying about in a hypervisor use case?

78
 
 

cross-posted to: https://sh.itjust.works/post/14114626


If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interpret that as saying that wan doesn't go anywhere, but that wouldn't make sense given that the router can send, and receive over the internet.

For example I would interpret the first rule as follows:

  • lan => wan: the conditions for which connections from the lan interface are forwarded to the wan interface.
  • Input: accept: the lan interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be reject).
  • Output: accept: all connections exiting the wan interface are accepted (again, I'm not sure what the point of this would be).
  • Forward: accept: forwarding of packets from lan to wan is allowed.
  • Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the lan interface?

I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn't really answer any of my questions.

79
 
 

Does this look like a decent starting point for a first router build?

Cross posted from: https://lemux.minnix.dev/post/204890

80
 
 

So I was wondering, what is exactly the use case of owning a server rack with huge CPUs and 256GB of DDR4 RAM with 1PB of storage?

Obviously, I'm kind of exaggerating here, but it does seem that most homelabs are big server racks with at least two CPUs and like 20 cores in total.

Why would I want to buy a server rack with all the bells and whistles when a low-power, small NAS can do the trick? What's the main advantage of having a huge server, compared to an average Synology NAS for example?

Honestly, I only see disadvantages tbh. It consumes way more power, costs way more money and the processing power it provides is probably only relevant for (small) businesses and not for an individual like me.

So, convince me. Why should I get a homelab instead of a regular NAS?

81
 
 

Hello all!

So I am setting up an internal domain that consists of Active Directory and RHEL IDM. I would like to have some way of connecting to the internal network with a VPN that supports SSO. I have been looking around for a good solution but could not find one that would work nicely. I looked at Wireguard at first but it doesn't seem to support user authentication. Then I found pritunl, which at first glance seems great and is FOSS, only to be disappointed that for SSO you require an enterprise subscription of 70$/month. No thanks, I am a home user.

I know about OpenVPN and it worked well when I used it (not in this setup yet), but it is rather slow and I was looking to see if a better alternative exists.

Any ideas or suggestions would be appreciated.

82
 
 

cross-posted to: https://sh.itjust.works/post/12856684


I have the following topology:

The device running Nextcloud (snap) used to be connected to Router A, but I have recently added a bridge (Router B) and I moved Nextcloud's device to that bridged network; however, as soon as Nextcloud was moved to Router B, the portforward on Router A seemed to stop working -- as in I cannot connect to Nextcloud from the public IP anymore. Bridges operate at layer 2, so this should make no difference whatsoever (this is reflected in the fact that other services (like SSH) still work perfectly fine portforwarded -- it's only Nextcloud that doesn't work), which leads me to think that it is a Layer 7 (i.e. Nextcloud) issue. What's going on here? How can Nextcloud even tell that it's been placed on a bridged network?

EDIT (2024-01-16T00:19Z):

I performed a network capture on the device running Nextcloud, and it appears that it's receiving the incoming request (SYN), and responds appropriately (SYN, ACK), but then Router B responds with Destination unreachable (Network unreachable), which is then, of course, followed by many requests for retransmission as the packets are being dropped. But what's causing the packets to be dropped? Why aren't they making it through the network?

EDIT (2024-01-25T08:37Z):

I’m not 100% sure what the previous problem was, but I think that it had to do with the bridge that I was using – not necessarily that it was broken, but perhaps it was just incompatible with the setup in some way. What I ended up doing was buying a different router that supported WDS, and then I created a WDS bridge between the two routers. The network seems to be working reliably, and as expected now.

83
 
 

Having got my Raspberry Pi for Christmas, I was finally able to enter the world of home labs and I'm slowly getting everything up and running.

That said, one thing I was super excited about but hasn't come to fruition was Pi-Hole. That's for two reasons, one my Pi isn't hardwired into the router and two my router kinda sucks (Virgin Media Hub 5).

So I came here to ask for recommendations for a router. One that would allow me to run vLANs and use my Pi for adblocking. Honestly the advice I got was like fire and I was like water.

I wanted a simple cheap solution and everyone was like just spend 🥺

Eventually though, my ignorance waned and I started looking into what the suggestions were, which was essentially buy an N100 Firewall Mini PC with 4 Ethernet Ports, load up PFSense or OpenWRT, then buy an Access Point, connect it and profit.

So with my dreams of a £50 plug and play experience down the drain, can someone explain to me how it all works? Why is this the suggestion? My Pi is kinda set and leave. My NAS is set and leave, will a firewall PC be the same? Also why a firewall PC over a second Pi?

84
 
 

My main homelab server runs a bunch of stuff but was a little limited in the hardware department.

Here's the overview of the upgrade (Old -> New):

  • CPU: i7-3370K 4c/8t -> xeon e5 2630L 8c/16t
  • RAM: 16 GB mixed non ECC 1333 DDR3 -> 32 GB Micron DDR4 2133 (running at 1866)
  • CPU COOLER: AIO -> air cooling
  • MB: No idea -> Asrock x99 extreme 4 with 10 SATA ports!!!
  • GPU: None -> RTX 610 passively cooled

Runs: Nextcloud, pihole, unbound, security stuff like fail2ban, hosts a couple small databases, VPN.

This upgrade will allow for expandability in terms of upgrade CPU cache, bus speed, maximum allowed RAM (32 GB to 128), and extra cores to maybe do some light compute with when I'm writing some code without sacrificing performance of other services. All of this while having similar "net" TDP (I didn't measure either idle power draw).

Here's where the fail comes in. I got the whole original machine and drives for free from a recycle pile at my old job. I threw in a drive cage where the DVD drive used to be and it fit like a glove! Felt like a really cool "sleeper" server build with hot swap drive cages. My new motherboard is wider by an inch and the drive cage covered the 24 pin connector. So now my drive cage hangs out and is supported by zip ties and I can't close my case in the front lmao... See linked pictures so you can laugh at it with me: https://imgur.com/a/1XqALZ4

So I'm looking for either a new case or a relatively small 4-bay drive cage that's cheap. The total I've invested in this build after this upgrade is ~$200 and I don't want to spend a ton more so I'm wildly disappointed at my oversight. Any advice or suggestions would be appreciated!

85
8
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/[email protected]
 
 

I have a network set up something like the following:

Device A <---> Router A <---> Router B <---> Device B

where Router A is a tp-link Archer AX73, and Router B is a tp-link Archer C7. Router B is flashed with OpenWRT, and Router A is using stock firmware. Router B is set up to be a wireless bridge between Router A's network, and its own (it was set up using this guide).

What I am wondering is if Device A can find, say, Device B.local, using Avahi (assuming Device A, and Device B both have Avahi installed, and running), over this bridged network. So far, I haven't been able to get it to work, so I'm wondering if it is possible at all. I have read that Avahi only works on a local network, but I was wondering if it could be bridged.

UPDATE (2024-01-16T01:28Z):

The issues that I mentioned in this post have since been solved. The majority of the issues stemmed from the fact that the relay software that I was using, relayd, doesn't support ipv6. All the tests that I was conducting were defaulting to ipv6, so it was appearing like the bridge was failing unpredictably. Since that realization was made, and countermeasures were enacted, the problem was solved.

86
 
 

I am looking for a single board computer that has a charging circuit (i.e. a power management chip) so it can be powered directly by a battery. I am aware of the A20-OLinuXino-LIME2 which supports this. However, I wanted to explore my options. Are there any other boards which support this? I am aware of PiJuice and LiFePO4wered as well.

Other requirements:

  • Ethernet port
  • Micro SD slot
  • Min. 1GB RAM (Ideally 2+)
  • Ideally support for a LiFePO4 battery
87
 
 

Is anyone running saltstack, and if so, are you doing gitfs for your repo?

Do you have your pillar data in the repo? Or some other external?

Are you doing one top file in base? Or top in each branch/environment?

Is there a better way to do managed repo for salt?

88
5
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/[email protected]
 
 

I am able to fit an HDD and an SSD in the drive bays that it came with. However, I'd like to put as many HDDs in it as I can.

I am not using the optical drive, so I'd like to replace it. It measures at 41mm thick which is 1+5⁄8 inches: A half-height drive bay. Is there a caddy that would work with this so that I can install a Seagate Barracuda 6TB 3.5" drive in it which measures 26mm thick?

89
 
 

Hi everyone, I'm looking to see if I could get some suggestions or recommendations on an upgrade path for my NAS in my current home environment. I'm also unsure if this is the best place to ask, so please let me know if this question doesn't fit in here.

My setup isn't too sophisticated at the moment. I had purchased a QNAP TS-453A back in February of 2017 and have it loaded with four WD Red 8TB (WD80EFZX-68UW8N0) configured in RAID 5. It is solely dedicated to storage and nothing else; with the bulk of it used for media archive. It has proved a shockingly reliable little device. I have a headless Intel NUC6i7KYK that is dedicated to running a majority of the self hosted services I use.

In the next year I'd like to expand my network storage and initially I had planned on simply purchasing replacement Exos X18's and go through the drive swap process but upon further thought, I figured I'd like to purchase an additional NAS and use my current one as a backup solution. I'm not particularly locked in to staying with QNAP and so any recommendations would be welcome. Admittedly, I have been looking at the TS-932PX-4G as I'm interested in adding in SSD caching to the array.

At any rate, thanks for any help or suggestions you may be able to provide! Or, if you can point me to a more appropriate place for this sort of question, I would also greatly appreciate it.

90
10
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/[email protected]
 
 

As I'm in the beginning steps of sorting out my homelab, I'm starting to ask questions I haven't asked before and come across conundrums I hadn't considered previously. One of which is how to sort out pi-hole given that my ISP has locked down the router tighter than a tight thing.

As I had been reading about and watching YouTube videos, I had stumbled across Tailscale and the idea of VLANs is a nice one. That coupled with wanting to block ads and a new router seemed to be the optimal choice.

Another thing is that I eventually want to get a Reolink POE video doorbell and Reolink E1 outdoor camera for my garden and so I'm trying to think somewhat ahead as the last thing I want is a server rack in my house. Aesthetically speaking.

So I stumbled across all the recommendations for Mikrotik and they're really reasonably priced, especially compared to the Netgear Nighthawk thing I was looking at for ten times the price.

The Mikrotik HAP AX Lite is reasonably priced, does all the cool new stuff, lets me set up virtual local area networks, has room for growth and has PoE capabilities. It seems to be the perfect choice. But is it? Because it seems almost too good to be true.

91
 
 

Dear homelabbers,

I was reflecting on all of these nice wirings referred to as cableporn, you know, when all cables have the perfect length, angle and are at the perfect spot in the rack.

Considering my rack, the cables have neither the perfect length nor angle nor spot. How do professionals get these results? Do they own all necessary lengths or is it common to crimp them?

Thanks!

92
 
 

I have a small client on the side that I am looking to get more durable off-site backups done. I personally use restic and resticprofile in my homelab without issue. The issue is that I would like to give them some kind of GUI and from what I see, none of the restic ones will do it.

Kopia appears to be roughly the same kind of design so I'm wondering about the KopiaUI. I would be running the backups themselves off the file server itself but would like a GUI to be available via either a desktop OR at least exposed on a port on the file server to hit via a web browser.

Would running KopiaUI in 'server mode' be what I'm looking for? It seems to be but I would like to confirm before researching it any further. Backups would simply be going to backblaze.

93
 
 

I have a P400 in my storage server which currently also runs some media containers like Plex, sonarr-sma, radarr-sma, Jellyfin, exploring Immich, etc. I have the GPU surfaced via docker and added it to each of the containers that needed access to the GPU for hardware acceleration needs. Is it possible to be able to leverage the Nvidia gpu container remotely (over the lan) without having the containers access it (pseudo) directly? I want to move the media handling containers to a Turing Pi 2 and keep just the GPU access on the storage server.

94
16
Server at home (lemmy.dbzer0.com)
submitted 8 months ago by [email protected] to c/[email protected]
 
 

Two friends and I would like to build a PC as a server in my house. The idea would be to have a headless server with 3 VMs. I was wondering what would be the best thing to do so that everyone could have their own private space, while optimizing disk space as much as possible (1TB M.2 SSD + 8TB HDD via RAID1). Each of us could play with Docker to have services on top. What software would you use to set up VMs and manage disks, and what advice would you give us in general?

The other option would be to go cloud, with Hetzner + Mega (autoscaling).

95
 
 

I've heard that WDS is the standard for creating a wireless bridge, but I have since read on a number of forum posts that WDS shouldn't be used anymore. This idea of it being deprecated seems to make sense, as it appears that it is not supported by another newer router that I have (tp-link Archer AX73). How should I go about this?


Update (2024-01-14)

I have since found this guide which seemed to work well. I'm not sure if it's the best way, but it does at least work.

96
26
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/[email protected]
 
 

Looking at the amount of PoE splitters and how much people hate having too many power bricks, I was wondering if anybody is doing something unconventional with PoE at their homelab?

If you look at the PoE table at Wikipedia, you'll see that apart from the common 802.3af (~13W), 802.3at (25.50W), there is the beefier 802.3bt with 51W and 71.3W depending on the type. I was wondering if anybody has stories of playing with the higher power types?

The list of bookmarks

... but given how many splitters there are:

  • PoE to USB-C (data+power) - guess it'd be cool for a dumb Home Assistant tablet - everything connected with 1 cable, but it's easier to just use regular USB-C and WiFi :P Could be also used for a wifi-less weird phone server. Can also just charge your phone

  • PoE to Eth+12V - limitless possibilities. There's a guy on reddit that connected a PoE to Eth+12V splitter to power his ISP modem. The PicoPSU also takes a 12V DC plug, so you can go PoE -> PoE to 12V+Eth splitter ->PicoPsu -> some low power computer -> burn down your house

  • Did some electrical engineer finally make a PoE solution for having so many power bricks when somebody has a SFF/TinyMiniMicro cluster? Those things are big.

97
5
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/[email protected]
 
 

Workaround

I'm not sure what was going wrong with what I was doing initially, but, thanks to @[email protected], as suggested, I disabled the tftp server system service, and, instead, started it with the following command:

sudo in.tftpd -L /srv/tftp --verbose --permissive -s

and it then flashed successfully.

Original Post

cross-posted from: https://sh.itjust.works/post/11735447

I'm trying to flash firmware to a router (Archer C7) using TFTP, but, when the router makes the request for the firmware file over TFTP, the TFTP server responds with the following error

Error code: Access violation (2)
Error message: Only absolute filenames allowed

This is the config for tftpd in /etc/conf.d/tftpd:

TFTP_OPTIONS="-s"
TFTP_DIRECTORY="/srv/tftp"
TFTP_USERNAME="tftp"
TFTP_ADDRESS="192.168.0.66:69"

I have the firmware file in /srv/tftp, and both the firmware file, and /srv/tftp have chmod 777 permissions.

The TFTP server is running on Archlinux, and is installed as tftp-hpa from the arch repos.


If I test as a client, I can get it to download if I specify the full (absolute) path to the file /srv/tftp/filename, so it seems that the config isn't pointing the server to /srv/tftp as the relative path... How would I go about fixing that?

98
 
 

Without SSL on the LAN side of a reverse proxy, I presume that all traffic between the server and the reverse proxy is unencrypted and, thus, accessible to any device on the LAN.

Which specific scenarios result in this being a concern? The primary concern that I can come up with is if you know that there are untrustworthy entities connected to the LAN (untrustworthy devices, or perhaps malicious individuals).

99
 
 

I used to use an old Linksys WRT54GL v1.1 router for the purpose of testing homelab setups, but I have recently found that, as of 2022, it is unsupported by OpenWRT. So, I am now looking for a router to replace my old one. I don't need anything fancy -- I just need a router with WiFi connectivity (2.4GHz is fine, but 5GHz is, of course, appreciated, if possible), and a few LAN ports (gigabit would be nice, but it is not a necessity). By no means does it have to be a new model of router. So long as it supports a current version of OpenWRT, and satisfies my hardware requirements, it will be an acceptable recommendation.

100
 
 

Hello, wonderful people!

I am trying to set up two domains: a.domain.com and b.domain.com. The reason for having two domains is that one is for Active Directory, and the other is for the Linux domain using RHEL IDM.

The Windows server serves as the DHCP server, with the domain controllers' IP as the first DNS and the IDM controllers' IP as the second DNS. Both domains have a forward zone set up to point to the other domain, and this configuration seems to be working nicely so far.

Now, the issue: Let's say I have clients client.b.domain.com and client2.b.domain.com. They have successfully joined the IDM domain, but neither can ping each other's hostname nor perform an nslookup on it.

I also notice in the Windows DHCP server that the clients' FQDN is client.a.domain.com and client2.a.domain.com, even though I have set them to b.domain on the clients themselves.

Any ideas on how or what I need to change to get local hostnames working in this scenario?
