Doing routing/firewall in software is a lot more flexible, and easier to patch when vulnerabilities come out. Especially when software is integral to the routing (looking at you wireguard/openvpn).

Keep in mind those edgerouters look like they have dual core embedded MIPS CPUs.

My dell power edge is a full blown rack-mount server that could run a small plex instance. You could stick a 1060 in this thing and get Witcher 3 to play at a reasonable framerate.

That’s what makes up for the lack of dedicated asics.

As for the four NICs they are as follows:

• 1gb - wan (to modem)
• 1gb - config (to config vlan on switch)
• 10gbps - main lan trunk to LAN switch
• 10gbps - trunk line to public server VM host (DMZ’d from rest of lan, each VM has its own vlan/subnet/firewall ruleset)

They don’t act as a switch because it handles packets, not frames, allowing/dropping/denying them based on rules set in software.

Tell that to the poweredge r210 ii in my closet running PFsense with its CPU barely getting touched despite four NICS, two of them 10gbps.

You’re thinking of switching hardware.

That being said I might go hit up mikrotik while I still can for switches. Shame cuz I was hoping to wait until they got PoE versions of the CRS310-8G+2S+IN, but I think they wanna get rid of the crusty old stock of CRS112-8P-4S-IN. They made a similiar newer switch but it only runs swos instead of router is which is bunk.

Ubiquiti stuff can still be flashed with openwrt so I’m good on APs I think once my dlink dies, even if it’ll be overpriced.

Worst case I just buy em like I do my FPV flight controllers: from Ali Express

No you’re right. I’m the perpetrator. I asked my awful fucking government run by pedophiles I totally approve of to do that. I totally want that instead of healthcare and basic human rights.

Its almost like if you’re not part of a small club of old kiddie fuckers or their direct lackeys, you’re getting fucked too.

There isn’t ‘a victim’ of these people. There’s fucking hundreds of millions if not billions us, and even more who are dead.

What do you want? Me to uselessly martyr myself so they’ll be another “stupid dangerous tranny” on the news for a week for people use against us before forgetting it happened?

What? What more is it you want me to fucking do? Wave my magic american wand that makes my government stop being run by garbage?

Yeal well seriously, tomorrow the nazis are marching in my city near me, and I will be there. They want to remigrate my family. I don’t need 5 VPNs, i need to leave my phone at home and physically go there.

Your medicine you need to live isn’t actively being made illegal. The FDA is already being petitioned to make lists of us. There prepping to fucking camp us. This isn’t something I need to protest its something Im going to need to live.

But quit thinking of yourself as the main victim when your country’s bombing people for breakfast.

Did I say I was?

So less voting and more doing, chopchop.

Read the previous comment and try again.

Sorry friend im not your enemy

No, but this holier than thou attitude like you’re the only one willing to do something is obnoxious.

As someone who’s working on starting a diyhrt homebrew and joining the SRA: unless you’ve lived through the rise of fascism stfu, chances are if you lived here you’d be doin jack shit too.

Fascism/late stage capitalism is exhausting by design. If I didn’t spend the past decade removing corporate software from my computers I don’t even know how I’d be comfortable doing any of this safely

Proper privacy in today’s day in age requires, at least, an understanding of Linux systems administration/, basic network architecture, and virtualization.

That’s before we talk about neutralizing ME.

If you’re not splitting your identities/footprint across several permanent and burner VM’s w/ different public IP’s you’re probably doing it wrong.

How is that reasonable to expect out of the average person?

When you make a new user using adduser do you leave your full name, number, and room number?

Blank is blank, epoch is functionally the same as leaving it blank. Especially if it becomes industry standard.

Good distros will push default a dob of 1970-1-1, mark my fucking words.

Yeah I’m trying to leverage my homelab for my friends that can’t set one up just to make things even slightly better.

Ultimately there’s only so much you can do to fight fascism.

You can lead a horse to water but you can’t make it drink, especially not when you barely have time in the day to take a drink yourself.

If someone doesn’t have time or will to put privacy over convenience that’s kind of their gig. It sucks but like I can’t fuckin’ change their life schedule/priorities.

I spend enough time documenting and working in my homelab, I don’t need other people’s too. I’ll be happy to point people towards information and documentation, but that’s about it.

However if you’re not willing to:

1. bury your nose in multiple wikis
2. change out the OS on nearly every general purpose computing device you own
3. Live most of your online life anonymously/pseudononymously
4. Run a homelab (technically not required but makes life nicer)

You should stop while you’re ahead.

If you have kids I have no fucking clue how you’d even begin.

At that point you’re installing rootkit anticheat just to get little johnny playing games with their friends, fucking nightmare scenario.

This is stupid and defeatest. Just write code without agents no one is stopping you.

If you can’t open chrome on a pc, connect an android phone to it, and use a simple web tool you’re probably not capable of any actual level of digital privacy.

This isn’t me being elitist its just the fact that the resources needed to make this shit viable and easy are being tied up to corporations in order to make more easy-to-use corporate spyware.

Privacy under fascism takes time, effort, and education. Stop fucking expecting it to be OOTB. Society is literally engineered against that. Its not a reasonable ask of open source devs making privacy tools.

For webapp stuff for sure, but when you want to login as the same user with the same perms across all your VMS and baremetal servers at the os, it’s nice.

I use virtualization over containerization because i have the hardware resource so I might as well take advantage of improved isolation and security VMS provide. Plus I use Linux on my desktop/laptop, and have a separate dedicated storage host.

Its nice to have everything managed by one service with global accounts and permissions.

Looking at authentik it seems to provide some but not all of that. Def something to keep an eye on if freeipa decides to stop being so free.

If you’re running a docker-based environment, and especially if your personal workstation/laptop doesn’t run Linux, I totally get it.

I think freeIPA could use an openid provider packed in for sure. I also kinda trust api keys more than creating the service accounts for software that needs to auth.

Outta curiosity how do you handle SSO and File Storage? I like being able to make samba shares that require SSO authentication over something like nextcloud because I can directly mount the disk. Not sure if theres a good option there.

deleted by creator

Your router is an important security device that you should own and control your self if you want any semblence of ownership over your network.

Your modem is remotely controlled by the ISP even if you own it, and is mostly there to demodulate from the medium installed by your ISP (usually cable, or fiber but those are called ont’s not modems) to a standard cat. 6 Ethernet connection you can plug into most routers.

The main benefit of owning your own modem is not having one with a router built in and not having to pay an equipment fee.

Haven’t touched HA yet but I run FreeIPA, is there an LDAP option or will I have to get an open I’d solution go sit in front of it?

For inside the lan/lab, I have my pem chain looks like:

cold storage root-ca -> offline vault qubes VM ca -> pfsense ca -> freeipa ca

I use letsencrypt for externally facing services.

Its a little bit more effort than getting things just workin’ but its worth the whole lotta security you get in return. Plus it feels nice looking at a shiny green lock.

The XMPP ecosystem is a mess and matrix has a ton of security and metadata issues.

We shouldn’t be using discord-likes anymore, it was a bad idea the first time.

Personal IM/VoIP should be separate from game party chat should be separate from communitt IRC/forums

Matrix has lots of metadata issues and signal requires a phone number which is a non-starter.

Self host what makes sense for communities, use simplex for one-to-one IM/VoIP.

Also discord acted as like six different services and we shouldn’t continue letting anything do that.

Personal IM, party chat/VoIP, meeting software, inter-office communication, wiki software, and forum software are all different things for a good fucking reason.

Alternatively if you’re tired of manual DNS configuration:

FreeIPA, like AD but fer ur *Nix boxes

Configures users, sudoer group, ssh keys, and DNS in one go.

Also lotta services can be integrated using LDAP auth too.

So far I’ve got proxmox, jellyfin, zoneminder, mediawiki, and forgejo authing against freeipa in top of my samba shares.

Ansible works too just because its uses ssh, but I’ve yet to figure out how to build ansible inventories dynamically off of freeIPA host groups. Seen a coupla old scripts but that’s about it.

Current freeipa plugin for it seems more about automagic deployment of new domains.

Can I just type ‘roxorz boxorz’ and be done with it.