My setup is “simple” and all these monitoring functions are performed in my opnsense box with the telegram plugin.

Most of the alerts are pretty basic and are done into the FW level or the outbound basic logging. So opnsense with the basic tooling is just enough.

I have in my todo to connect the logging system from opnsense to a proper Prometheus/grafana system to really have proper log of several days without having an impact on the FW but I never find the time to do it (lazyness problem)

Segment the network as much as feasible, forbid the communication between the segments via FW rules, and set an alert when those rules are triggered.

For example: your dmz should never initiate any type of communication with your lan segment, your lan segment should not try to access services outside ports 80/443, your dns should log all resolutions performed and it would be nice to have at least a black list.

None of them should have dns over tls, and for specific hosts and networks segments, new domains with very looong active but idle connections should trigger an alert.

My personal opinion is that for a homelab is not realistic to perform a dpi to check that there is not an active attack ongoing, neither from the raw processing power, either from the human effort side, your best chance is to alert when something unusual is happening and then adjust your rules of the are false positives

The outbound connections problems as stated here? https://tailscale.com/docs/integrations/synology

The only thing I can tell is that it is totally worthless.

Because you can not have an uga ipv6, then obviously you will have an ula served via dhcpv6 with ipv4 local address (double stack).

And in this point you will realize that most computers implementation select which ip address to use following prio: ipv6 uga -> ipv4 -> ipv6 ula

So even if you do all the things right, your clients will not use it because ipv4 is there and you cannot deselect it because I assume you still want connectivity

Funny, right? :)

Here you have: https://ntfy.sh/

And because it is you you launch the connection is pretty secure… Assuming telegram servers are not compromised…

Oh I see, could you please point to that system that

• it is free and not tie to any vendor
• easy to use to the point that my grandma could use it
• properly tested by an active q group
• with safe boundaries
• production ready
• total flexibility
• with a proper wizard / gui that is self explanatory, robust enough to make sure you don’t select contradicting options.

If such system exist perhaps I move my homelab, who knows…

I think you are missing the point how easy is to fuck things up in a console with truenas when trying to activate de duplication or making a backup VS the same thing in a user friendly, already tested private solution. Of course from the noob point of view.

Installing truenas when having no idea about almost anything is cumbersome, dealing with the millions options (some of them incompatible between them) is frustrating, cryptic error codes are discouraging…

You want people jump in? Then make it easy for them, lower the entry barrier, if not, you will find yourself alone in your ivory tower.

The exact same ia true for you synology NAS. + the limitations on how synology thinks you should do backups vs how it actually suits you.

If you already know how to setup a proper backup system, balancing the pros and cons, with a robust and solid way to avoid data loss, then you don’t qualify for noob.

If you don’t know any of that and still makes yiur backup system, that’s the recipe of the disaster and you have real probabilities of losing data with nay option to recover.

I see your point but in this world there is only 2 options, or you have the skills, the knowledge and the time to do it by yourself, or you need to outsource it.

Assuming that the op is a real noob it is clear that the 2 first prerequisites are missing making that option unacceptable, then you can only go to the buy something easy enough for the general public.

And in top of that, in a homelab, the most sacred thing is the data, not the service, the data. If you misconfigure a nas or the automated backup system it could lead into the worst scenario: the data is lost forever.

Weighting everything I still recommend what I did. Although if instead of synology you prefer ugreen or asustor… Well that’s depends of your taste

If you are a real and total noob try to get a synology, ugreen or another reputable brand of nas an start from there.

The point of having one of these is to avoid a big fuck up resulting in a data loss. An from there you will be able to Bild up what you need.

all the best in this journey

Seems like a very reasonable reason to switch to another isp well established in the 21st century

Fuck, there is a law in internet (which name I cannot recall) about the impossibility of distinguish an ironic message.

I felt in that trap completely!!

Cable quality only matters in long distances, when the dumping of the signal is noticeable.

If the distance is so short that there is not any voltage drop and still out powering the external noise. There is in effect no influence

What a lot of nonsense. Of course the technology exists and of course it can be done. But in reality is not done because it simply doesn’t bring any benefit.

And in addition a address translation is not nat ™ because the server can be hit from the outside.

Today in ipv4 we have likely 2 Nats, 1 after your router and the other by the carrier (cgnat) and ipv6 those are non existent

Ipv6, get an ipv6. There is not nat in ipv6

Kasm, you only need kasm.

It is a docker engine with the streaming already incorporates. Try that.

It is true that it relies in wine, so perhaps you will need to experiment a bit and pin down a specific wine version. But if I recall correctly I saw an old version of ms office running in wine

It is about the quality. Pretty sure there is not a quality upgrade and then the format is not applied.

It is contra intuitive for the arr stack. What triggers the format is the quality and then the rest of parameters.

I find it annoying because you can not make a format that you prefer a 1080 HD movie in multilanguage over a 4k in just English…

Usually 2.5" hdd tends to be more silent. But they are definitely worse from a nas perspective and not so in the ratio €/gb.

The solution with non mechanical disks is by far the most silent, but prepare the wallet and probably a kidney too.

Are both of them ula addresses? (both of them starting with 2). If they are not the same then the ISP is providing an internal unique address for isp internal configurations.

If so, are they having the same network? ( The first 48 bits) if not, then is probably a miss configuration but probably in their side. But with no practical effects. You could ignore it.

If yes again, then it is a miss configuration and it shouldn’t happen, but this time it could be in your side, check that the dhcpv6 daemon doesn’t try to give an ipv6 address To your Wan port

Honestly, every hw that is not going automatically into a power save mode when not used is utterly crap, even my home grade switches are able to do so.

So, the only thing you need to do is to buy recent hw and of course not over size your hw necessities. But recent hw tends to be more expensive, so in the end, it is an excel driven decission.

And once this is said, be careful, some hw suffer more for a on/off cycle than from a continuous power on mode. Think in hdd power cycles or condensation/ salt-rust problems in high humidity areas.

Still it is not clear to me how the internal reverse proxy may get a valid certificate when the domain name is pointing to the vps. Do you copy later manually to the internal proxy?

And if so, how do you overcome the invalid certificate warning when you are accessing your services locally?