Dedicated wifi for automation allows me to have devices such as Xiaomi Vaccuum, or security camera not phoning home. OpenWRT with good firewall rules completely isolate my “public” containers/VMs from my lan.
Server was built over time, disk by disk. I’m now aiming to buy only 12TB drives, but I got to sacrifice the first two as parity…
I just love the simplicity of snapraid / mergerfs. Even if I were to loose 3 disks (my setup allows me the loss of 2 disks), I’d only loose data that’s on these disks, not the whole array. I lost one drive once, recovery went well and was relatively easy.
I try to keep things separated and I may be running a bit too many containers/vms, but well, I got resources to spare :)
You must log in or register to comment.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters AP WiFi Access Point IP Internet Protocol NAT Network Address Translation SSD Solid State Drive mass storage
4 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #100 for this sub, first seen 1st Sep 2023, 11:25] [FAQ] [Full list] [Contact] [Source code]
That is a great quality post! Congratulations and thank you
Your home network is not too shabby either ;)
deleted by creator
Thanks, excalidraw.com if you’re ever interested
Interesting setup, mines very similar. Except with ZFS and no DMZ 😅 I’m thinking of setting up vlans for automation too, how do you handle updates and software downloads on that lan?
If I ever need to update any device on the home automation vlan, I’d add an exception to the firewall for this specific host for the time of the update
That’s… not all hand written is it? No one who is good at computers can write that well. We got into this BECAUSE we couldn’t write well, right?
It’s not, look at postgres under both DB in the last picture. That’s not just the same writing, it’s identical.
Looks like excalidraw to me. I use it all the time to quickly make diagrams like these.
🙈
Oh God yes, I never knew I needed illustrated self hosting architecture.
Need more. Could you also add like, a curious cat that asks questions?
Hate to break it to you but this is a font. It’s all typed.
You’ll want to check out Excalidraw
Interesting tool, but I don’t know self hosting. I need a kitty cat to explain it to me in a drawing.
Hey, that’s how it’s all done! Network maps are the starting point.
Thank you for posting this with the explanations and great visuals! I am wanting to upgrade to a setup almost identical to this and you’ve basically given me the bill of materials and task list.
Anything you wish you had done differently or suggest changing/upgrading before I think about putting something similar together?
As an FYI: this set up is vulnerable to ARP spoofing. I personally wouldn’t use any ISP-owned routers other than for NAT.
I’m not well versed in ARP spoofing attack and I’ll dig around, but assuming the attacker gets access to a “public” VM, its only network adapter is linked to the openwrt router that has 3 separated zones (home lan, home automation, dmz). So I don’t think he could have any impact on the lan? No lan traffic is ever going through the openwrt router.
deleted by creator
The risk is the ISP Wi-Fi. As long as you’re using WPA with a good long random passkey, the risk is minimal. However, anyone who had access to your Wi-Fi could initiate an ARP spoof (essentially be a man-in-the-middle)
How would you change his setup to prevent ARP attacks? More network segmentation (clients and servers on separate VLANs) or does OPNsense additional protections I should look into?
Don’t have the Wi-Fi network “upstream” of the LAN. You want the connection between the LAN and Wi-Fi to be through the WAN so you get NAT protection.
Any way you could update/create your own drawing with what you mean? (Bad paint drawings are acceptable!)
I ask because I am curious if I am subject to the same problem. I’m not the most networking savvy so I need the extra help/explanation and maybe the drawing will help others.
Well, to be honest if someone has access to my Wi-Fi, I’d consider that I’ve already lost. As soon as you’re on my lan, you have access to a ton of things. With this setup I’m not trying to protect against local attacks, but from breaches coming from the internet
Doesn’t need to be the case if you segment your network to protect against ARP.
I like the WiFi 6 just going out into the ether. Like you’re just throwing morsels out to the peasants.
Congrats for keeping your setup simple!
Hmm, nice detailed specs on your home network. Mind sharing your IP? For, uh… totally trustworthy reasons. Asking for a friend. >: )
192.168.0.1
Got it. Sending the virus to 192.168.0.1…
It’s been three months, I’m assuming the attack worked as intended lol
I heard everyone on the internet is nice and have good intentions. Did they lie to me?
Here’s my password to show trust:
“*******”
You see, when you see ‘hunter2’, I only see ‘*******’
No no, it’s Solarwinds123
Zero Trust<
Totally trustworthy
I like the way you wrote this in history class
For the stupid among us, what’s the purpose of the switch?
deleted by creator
Maybe the ISP router only has one port?
That would be a smart idea for the ISP. Sell a 5 gigabits fiber connection but force the customer to use their router which comes with a single gigabit port
Indeed, the isp router only has 1x 2.5gbps and 2x 1gbps. I wanted both my pc and my server to have 2.5gbps to wan, and I wanted 2.5gbps between them too
So it’s someone like Iliad
They sell a 5 gbit fiber but they force their router, and it only has 2x 1 gigabit ports, and 1 2.5 gigabit ports. Most people only use wifi, so they pay for 5 gbit, but use 150 mbit, lol
(in their defence, for the price they offer this bandwidth (only 20 euro per month), i’m ok with that)
Upvoting because Balsamiq
I’m afraid I can’t take your upvote sir… excalidraw.com
Oh damn! I must be out of practice. Still a great tool
Very nice
