Dedicated wifi for automation allows me to have devices such as Xiaomi Vaccuum, or security camera not phoning home. OpenWRT with good firewall rules completely isolate my “public” containers/VMs from my lan.

Server was built over time, disk by disk. I’m now aiming to buy only 12TB drives, but I got to sacrifice the first two as parity…

I just love the simplicity of snapraid / mergerfs. Even if I were to loose 3 disks (my setup allows me the loss of 2 disks), I’d only loose data that’s on these disks, not the whole array. I lost one drive once, recovery went well and was relatively easy.

I try to keep things separated and I may be running a bit too many containers/vms, but well, I got resources to spare :)

  • Ac5000@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Thank you for posting this with the explanations and great visuals! I am wanting to upgrade to a setup almost identical to this and you’ve basically given me the bill of materials and task list.

    Anything you wish you had done differently or suggest changing/upgrading before I think about putting something similar together?

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    AP WiFi Access Point
    IP Internet Protocol
    NAT Network Address Translation
    SSD Solid State Drive mass storage

    4 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

    [Thread #100 for this sub, first seen 1st Sep 2023, 11:25] [FAQ] [Full list] [Contact] [Source code]

  • Huschke@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    I would never use an ISPs router for my home network. It just causes so many issues that you can easily avoid by either using your own router directly or if that is not possible putting the device into “bridge” mode and using your own router behind it.

    What are some of the issues?

    The devices the ISPs send out are usually the cheapest hardware imaginable and therefore introduce substantial unnecessary latency.

    Where I live some ISPs also used to use tools that genereted wifi passwords based on the devices MAC address. While this is apparently fixed now, a lot of non tech savvy users still use these old devices that are basically open to anyone now.

    To save even more money, they sometimes deliberately send out faulty devices (as in devices that drop connection frequently, restart for no reason, etc) which is just horrible.

    I know these issues because I worked in that field and there are a lot more unfortunately…

  • Bjornir@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    That is a great quality post! Congratulations and thank you

    Your home network is not too shabby either ;)

  • transmatrix@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    As an FYI: this set up is vulnerable to ARP spoofing. I personally wouldn’t use any ISP-owned routers other than for NAT.

    • tiller@programming.devOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      I’m not well versed in ARP spoofing attack and I’ll dig around, but assuming the attacker gets access to a “public” VM, its only network adapter is linked to the openwrt router that has 3 separated zones (home lan, home automation, dmz). So I don’t think he could have any impact on the lan? No lan traffic is ever going through the openwrt router.

      • transmatrix@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 year ago

        The risk is the ISP Wi-Fi. As long as you’re using WPA with a good long random passkey, the risk is minimal. However, anyone who had access to your Wi-Fi could initiate an ARP spoof (essentially be a man-in-the-middle)

        ETA: the ARP table in networking is a cache of which IP is associated with which MAC Address. By “poisoning” or “spoofing” this table in the router and/or clients, a bad actor can see all unencrypted traffic.

        • foggenbooty@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          How would you change his setup to prevent ARP attacks? More network segmentation (clients and servers on separate VLANs) or does OPNsense additional protections I should look into?

        • tiller@programming.devOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Well, to be honest if someone has access to my Wi-Fi, I’d consider that I’ve already lost. As soon as you’re on my lan, you have access to a ton of things. With this setup I’m not trying to protect against local attacks, but from breaches coming from the internet

  • Sotuanduso@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Hmm, nice detailed specs on your home network. Mind sharing your IP? For, uh… totally trustworthy reasons. Asking for a friend. >: )

  • tuff_wizard@aussie.zone
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    That’s… not all hand written is it? No one who is good at computers can write that well. We got into this BECAUSE we couldn’t write well, right?