DeltaTangoLima

@DeltaTangoLima@reddrefuge.com
Just an Aussie tech guy - home automation, ESP gadgets, networking. Also love my camping and 4WDing.

Be a good motherfucker. Peace.


Have you ever had a hyper realistic dream that you still remember after years?

I had a dream I was on a plane. A totally normal flight. Going in for a landing when things went wrong at the last minute. I swear I could feel the heat of the flames as I saw them coming through the fuselage as the plane is breaking up around me. I woke up on my feet beside my bed sweating. I’ve never had a dream like that...

DeltaTangoLima,

I had a dream about watching my dad die in a factory accident (he worked a lot of factory jobs in the 80s and early 90s).

I could smell the machine oil, hear the thump of the presses (feeling it in my feet, too), and even remember the brief bruised feeling in my shoulder when the paramedic shoved past me to get to him.

It felt so real and vivid, I felt very strongly for the longest time that I’d had a premonition about how my dad would die.

It somehow even sticks with me every now and then, despite him having passed from brain tumours 13 years ago this month.

Weird.

DeltaTangoLima,

Yeah, well, sedans and hatchbacks don’t tow my caravan into the Victorian High Country.

I’ll gladly switch to an EV offroader once I know it’s capable of getting my family and I to where we’re going, and home again.

DeltaTangoLima,

I can’t speak for others, but I definitely do use mine for off-roading as much as I can.

Is it as much as I’d like? No - I have to earn the money to afford the hobby. But it’s absolutely worth it, especially when I get to show my daughter some of the awesome things we have to offer.

The reality is that we’re a rough, tough country, and getting to see lots of it requires special vehicles.

The reason this seems so recent is because, previously, 4WD vehicles were either purpose-built, or expensive if they were tricked out to be daily drivers. That made them uncomfortable or expensive.

With the death of our local car market, it’s opened up a much wider, cheaper, more refined set of offerings, so more people can afford to get into the hobby.

DeltaTangoLima,

What an ignorant thing to say

DeltaTangoLima,

Each to their own. We enjoy caravanning. Did our time in tents - too much fuckery setting up and packing up.

DeltaTangoLima,

It’s an off-road caravan, which I take off-road. Ergo, I need an off-road tow vehicle.

DeltaTangoLima,

I said my use case was off-roading in the Vic High Country. So your reply to that was ignorant. Simple.

DeltaTangoLima,

I’d been a loyal Galaxy user since the S4.

But then I had such a terrible experience with the Fold3 (and Samsung support) last year that I finally decided to try the Pixel.

Happy to say I love my P7P, and won’t be considering a change anytime soon.

DeltaTangoLima,

It had one really good use case for me: 4wd maps. I use an app called Hema Explorer for my offroading, and it’s not supported in Android Auto. Having a larger screen for these maps made life a lot easier, rather than trying to securely mount a tablet somewhere.

DeltaTangoLima,

I’m glad you found something that works for you

Well, I thought I had, until I had repeat issues requiring I send it back under warranty three times, then I experienced the shitshow that is Samsung support. Hence why I’m happy with my P7P now.

DeltaTangoLima,

I use SyncThing to get the backups I want over to my main computer, then rclone to encrypt them onto remote cloud storage. In my case, I use S3, but rclone supports heaps of cloud remotes.

DeltaTangoLima,

Yeah, absolutely. I forgot to mention that I use Wireguard and Tasker so that, when I’m travelling, only the backups I want to sync over 5G/remotely are sync’d over. The rest can usually wait until I get back home.

  • Syncthing syncs a parent backups folder on my phone
  • Wireguard keeps me permanently tethered to the home network (for Pi-hole and searxng private search engine, which goes out via Mullvad VPN @ home)
  • Tasker keeps the large and/or unnecessary backup files out of Syncthing’s view when I’m not on the home network

DeltaTangoLima,

Excellent question, and good that you’re asking.

Just about everything is virtualised on Proxmox, but that’s only something I started doing this year. Before that, just about everything was running in Docker containers on Raspberry Pis. But the security remained the same - just the back-end services changed. That said, only a handful of my services are available via the internet. For everything else, I use the permanently-on Wireguard VPN connection from my phone to access private services (including Pi-hole DNS resolution and SearxNG) when not at home.

Nginx Proxy Manager

To start with, everything (even internal-only services) is hosted behind a reverse proxy server - Nginx Proxy Manager (NPM). NPM ensures all communications to my services are over SSL, using a free, automatically renewable SSL certificate from Let’s Encrypt. Crucially, I have NPM configured to steer all traffic for any publicly available services through an authentication service called Authelia (next section).

NPM also means I have name portability for my services. For instance, I used to use Whoogle for my private search engine, but recently changed over to SearxNG. As all my browsers reached the search engine using the host search.mydomain.tld, I didn’t have to reconfigure all of them. I simply changed where NPM steered the traffic.

Authelia

Authelia has its own username/password database, or it can be configured to use an LDAP server. Authelia is one of a few single sign-on (SSO) services out there. Many others use one called Authentik. Either way, you need an SSO.

Crucially, SSO provides two-factor authentication (2FA). 2FA is where a service will ask you for an additional something, after username and password, to prove who you are. This is often a timed one-time password (TOTP) - frequently a 6-digit time-limited password generated by an app on your phone. In my case, Authelia is configured to use Duo Mobile, which does a push notification to my phone, but also has the option of using a TOTP from the Duo Mobile app if push fails.

Network Segmentation

I don’t really use a DMZ as such any more. With the advent of better, virtualised firewalls (see below), I don’t really need to. Instead, all my Proxmox guests use a dedicated VLAN, making it very easy to identify and treat their traffic on my firewall. I have six VLANs set up:

  1. Myself/my wife
  2. Our kids
  3. Physical infrastructure (switches, Proxmox server, storage devices, etc)
  4. Proxmox guests
  5. Guest users
  6. IoT (usually untrusted IoT - Roomba vacuums, etc)

These mean I can set up some good, broad firewall rules for each segment of my network to catch all traffic, then focus on specifics higher up the firewall rule-chain. Which leads me to…

Firewall

As always, how you firewall your traffic is key to success. I’ve virtualised my firewalling/routing on Proxmox, with an OPNsense VM. My Proxmox server has two physical network interfaces, with one of them being plugged in directly to my fibre internet, and presented only to the OPNsense VM. Unless someone figures out how to break out of virtual jail on that link, their only way in is via OPNsense.

Given the network segmentation above, the rest is just about how you craft your firewall rules. Generally speaking, firewalls use “first match” for evaluating firewall rules, meaning the first rule it hits that matches the traffic it’s evaluating is the rule it applies to that traffic.

For example, I block all IoT from internet access as my last rule for the IoT segment. I then add a few rules up top that allow traffic out for the IoT devices that can’t/don’t operate without internet - Roomba vacuums, for example.

Being specific about the known use cases on your network is difficult at first - it’s surprising how much “just works” without you specifically knowing about it. I spent a fair bit of time using the live logging feature on my firewall, analysing blocked traffic, to determine what else I needed to open to make sure things were working as expected.

As painful as it can be to do this, it’s critical to being able to sleep at night, knowing you’ve only created the tiniest pinholes required. That’s what firewall rules are - pinholes in an otherwise impenetrable brick wall protecting your network, but also a requirement for certain things to operate properly. The cool thing is, firewall rules are directional (e.g. something coming in to the network, or something leaving the network), so these pinholes aren’t a two-way street, if you don’t need them to be.

Additional thoughts

Ultimately, what helped a lot was mapping this out on paper first. Nothing beats having a plan to refer back to, when you’re in the middle of building/changing a bunch of network stuff. It centres your thoughts and reminds you of the prize, when all you want to do is unpick it all and go back to that shitty wireless internet router your ISP gave you.

Not sure about your circumstances, but I did a lot of my work in stages, often late at night, when the kids were in bed. Try doing open-heart surgery on your internet access with teenagers in the house!
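
The first-match evaluation and rule ordering described in this comment, as an added example that is not the commenter’s or OPNsense’s own code. The VLAN 6 address range, the Roomba address, the Pi-hole destination and the rule names are assumptions for illustration; the `shadowed` check shows why the broad block has to sit below the specific allows.

```python
# Constructed example (not OPNsense code): a first-match evaluator for the
# IoT-segment policy described above, plus a check for rules that can never fire.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction: "in" = traffic entering the firewall on this segment's interface
# dst: "lan", "internet" or "any"; proto: "tcp", "udp" or "any"; dport: None = any port
Rule = namedtuple("Rule", "name direction src dst proto dport action")
Packet = namedtuple("Packet", "direction src dst proto dport")

IOT_NET = ip_network("10.0.6.0/24")   # assumed address range for VLAN 6 (IoT)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dst_class(dst_ip):
    """Private destinations count as 'lan'; everything else as 'internet'."""
    return "lan" if any(ip_address(dst_ip) in n for n in RFC1918) else "internet"

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and ip_address(pkt.src) in rule.src
            and rule.dst in ("any", dst_class(pkt.dst))
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt):
    """First match wins; traffic matching no rule falls to the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit-deny"

def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers all their traffic."""
    hits = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == rule.direction and rule.src.subnet_of(earlier.src)
                    and earlier.dst in ("any", rule.dst) and earlier.proto in ("any", rule.proto)
                    and earlier.dport in (None, rule.dport)):
                hits.append((rule.name, earlier.name))
                break
    return hits

# Specific allows up top, the broad block for the segment last, as the comment describes.
IOT_RULES = [
    Rule("roomba-cloud-https", "in", ip_network("10.0.6.50/32"), "internet", "tcp", 443, "pass"),
    Rule("iot-dns-to-pihole", "in", IOT_NET, "lan", "udp", 53, "pass"),
    Rule("iot-block-internet", "in", IOT_NET, "internet", "any", None, "block"),
]
```

Reversing the list puts the block rule first, and `shadowed` then reports the Roomba allow as unreachable, which is exactly the ordering mistake first-match evaluation punishes.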

DeltaTangoLima,

Ah - good tip. Thanks. The guide I followed when I first tried pfSense suggested that, but the OPNsense guide I followed didn’t. I’ll switch that over when I can reboot without incurring teenager tears, and see how it goes.

DeltaTangoLima,

OK, move along folks - nothing to see here.

mumbling shuffles feet kicks imaginary rock I might’ve just swapped out a dodgy Cat-6A cable and it came good at 1Gbps…

MIGHT have…

DeltaTangoLima,

The thing I don’t get (I do - it’s greed, FYI) is why the fuck they even care? If I’m paying for 2 or 4 screens on my Netflix account, why the fuck does it even matter which address they’re playing at? Netflix were about to sting me because my stepkids (who are with us half the time) were using my account while at their dad’s.

Believe it or not, Netflix finally drove me to Plex. I’d been holding out, still using Kodi, but decided the money I was saving could go towards a much nicer setup, and it did. A pair of HP DL380 G7s, Proxmox - the works.

Now my stepkids use my Plex server, and have both happily streamed the latest Black Mirror from it (shit season, BTW - another hump in the downhill shitshow that Netflix has become). And the savings from my cancelled Netflix sub will have paid for it over the next 12 months or so.

Thanks Netflix! Ya dumb cunts.

DeltaTangoLima,

After some discussion with the Minister for War and Finance (my wife), we agreed I had a modest budget (~$300AUD) to spend on some old enterprise servers, which I did.

But I’ve seen plenty of posts where people are getting away with their old gaming rigs, and the like.

DeltaTangoLima,

Seriously, after I did it and set my wife up for it, she asked me why it took me so long to make the move. It’s been a real game changer for my family. It just works.

DeltaTangoLima,

I think us cancellers are probably outnumbered by people who just created new accounts

Oh, 100% right there. Those of us that are both willing to cancel and capable of setting ourselves up with an alternative like Plex are, sadly, in the minority. I’m doing my bit, though. Have invited a couple of friends to my library and showed them how to use the app, and they’ve happily cancelled their Netflix as well.

DeltaTangoLima,

Yeah, I tried Jellyfin but, at the time, it wasn’t as well-featured as Plex. I might go back for a second look but, as I got Plex Pass lifetime sub on special, there’s no ongoing cost to offset against the pain of getting my family to adopt yet another new app.

DeltaTangoLima,

The work calendar gods have aligned and I have a whole week ahead of working from home, rather than the usual three days of having to commute 70km each way.

Now if only the kids weren’t also on school holidays… 😬

DeltaTangoLima,

Yep - the latest release supports both 0.18.x and 0.17.x. I’ve been running it for the past few releases over the last couple of days and I really like it.

BTW, it’s been rebranded as Liftoff.

DeltaTangoLima,

Uninstalled the app, blackholed the domain in my Pi-hole servers, and removed the domain from my web search results on my SearxNG server. I use Wireguard from my phone when out and about, so I’m always using Pi-hole and SearxNG.
