

Then I really recommend you not to play with vlan and use different eth ports as different segments.
The performance will be significant better this way


Then I really recommend you not to play with vlan and use different eth ports as different segments.
The performance will be significant better this way


Just for me to fully understand your setup.
How many eth ports do you have in your opnsense box?


Try to find a rev3, the cpu upgrade really is really worthy


Which hw revision?
If it is a ver3 it is the same I have, good for FW and red services, you can make complex setups.
It is a bit short on cpu for ips systems(suricata and zenarmor) , but it is able to do dns filtering via adguard or unbound.
100€ sounds good to me if it comes with AP, people here are happy with that brand
Good luck


Take a sophos second hand FW.
Intel nic, low power consumption processors and full opnsense support.
Go at least for 4gb ram and the most powerful processor you can safely get. It will come with a lot of eth ports too on top.
And it will cost close to 100€, probably less if you struck a good deal


Dawkins solved it time ago.
Mutations are passed into the next generation and if we assume that only chickens can laid chicken eggs then the paradox solution is as follows :
A proto chicken (soemthing extremely similar to a chicken but not yet one) laid a proto egg of which a chicken hatched and then it could laid a chicken egg.
Here there is a reduced scope version saying that proto chicken can lay eggs, which depends on the eggs definition may not be 100% acceptable


My setup is “simple” and all these monitoring functions are performed in my opnsense box with the telegram plugin.
Most of the alerts are pretty basic and are done into the FW level or the outbound basic logging. So opnsense with the basic tooling is just enough.
I have in my todo to connect the logging system from opnsense to a proper Prometheus/grafana system to really have proper log of several days without having an impact on the FW but I never find the time to do it (lazyness problem)


Segment the network as much as feasible, forbid the communication between the segments via FW rules, and set an alert when those rules are triggered.
For example: your dmz should never initiate any type of communication with your lan segment, your lan segment should not try to access services outside ports 80/443, your dns should log all resolutions performed and it would be nice to have at least a black list.
None of them should have dns over tls, and for specific hosts and networks segments, new domains with very looong active but idle connections should trigger an alert.
My personal opinion is that for a homelab is not realistic to perform a dpi to check that there is not an active attack ongoing, neither from the raw processing power, either from the human effort side, your best chance is to alert when something unusual is happening and then adjust your rules of the are false positives


The outbound connections problems as stated here? https://tailscale.com/docs/integrations/synology


The only thing I can tell is that it is totally worthless.
Because you can not have an uga ipv6, then obviously you will have an ula served via dhcpv6 with ipv4 local address (double stack).
And in this point you will realize that most computers implementation select which ip address to use following prio: ipv6 uga -> ipv4 -> ipv6 ula
So even if you do all the things right, your clients will not use it because ipv4 is there and you cannot deselect it because I assume you still want connectivity
Funny, right? :)


Here you have: https://ntfy.sh/
And because it is you you launch the connection is pretty secure… Assuming telegram servers are not compromised…


Oh I see, could you please point to that system that
If such system exist perhaps I move my homelab, who knows…


I think you are missing the point how easy is to fuck things up in a console with truenas when trying to activate de duplication or making a backup VS the same thing in a user friendly, already tested private solution. Of course from the noob point of view.
Installing truenas when having no idea about almost anything is cumbersome, dealing with the millions options (some of them incompatible between them) is frustrating, cryptic error codes are discouraging…
You want people jump in? Then make it easy for them, lower the entry barrier, if not, you will find yourself alone in your ivory tower.
The exact same ia true for you synology NAS. + the limitations on how synology thinks you should do backups vs how it actually suits you.
If you already know how to setup a proper backup system, balancing the pros and cons, with a robust and solid way to avoid data loss, then you don’t qualify for noob.
If you don’t know any of that and still makes yiur backup system, that’s the recipe of the disaster and you have real probabilities of losing data with nay option to recover.


I see your point but in this world there is only 2 options, or you have the skills, the knowledge and the time to do it by yourself, or you need to outsource it.
Assuming that the op is a real noob it is clear that the 2 first prerequisites are missing making that option unacceptable, then you can only go to the buy something easy enough for the general public.
And in top of that, in a homelab, the most sacred thing is the data, not the service, the data. If you misconfigure a nas or the automated backup system it could lead into the worst scenario: the data is lost forever.
Weighting everything I still recommend what I did. Although if instead of synology you prefer ugreen or asustor… Well that’s depends of your taste


If you are a real and total noob try to get a synology, ugreen or another reputable brand of nas an start from there.
The point of having one of these is to avoid a big fuck up resulting in a data loss. An from there you will be able to Bild up what you need.
all the best in this journey


Seems like a very reasonable reason to switch to another isp well established in the 21st century


Fuck, there is a law in internet (which name I cannot recall) about the impossibility of distinguish an ironic message.
I felt in that trap completely!!


Cable quality only matters in long distances, when the dumping of the signal is noticeable.
If the distance is so short that there is not any voltage drop and still out powering the external noise. There is in effect no influence


What a lot of nonsense. Of course the technology exists and of course it can be done. But in reality is not done because it simply doesn’t bring any benefit.
And in addition a address translation is not nat ™ because the server can be hit from the outside.
Today in ipv4 we have likely 2 Nats, 1 after your router and the other by the carrier (cgnat) and ipv6 those are non existent
OK, then assuming that you already discarded to run 2 cables and others in this thread provided a very good guide of how to do vlan, I can only recommend to setup some aggregation channels in your opnsense box and some switches to at least mitigated the performance hit.
Not now, of course, first you need yiur setup working