Yeah, this might be the way to go. OpenWRT supports hardware NAT with many of these ARM-based routers like many of the MediaTek-based ones, which gives them super high throughput at very low CPU usage. The efficiency blows x86 out of the water. The ability to migrate your OpenWRT config to new hardware (real or virtual) in the future means you kinda get the best of both worlds…
Do not use an SSD for cold storage - it will fail. SSDs need to be plugged in every once to refresh the charge in their NAND, otherwise they’ll lose the data.
This is not a theoretical thing - I’ve had a good Samsung 850 Pro drive fail while being off for 2 years.
Thanks, this is good data!
How fast is your internet?
Do a speed test and run htop… you’ll see CPU usage only on one core spiking. Not a big deal if your CPU can handle it, but the AMD GX-412TC in the APU2 I was using is too slow.
Even if the virtualized router is down, I’ll still have access to the physical server over the network until the DHCP lease expires. The switch does the work of delivering my packets on the LAN, not the router.
Thanks for the tip about the pfSense limit. After running pfSense for like 8 years, my opinion is that is flush with features but overall, it’s trash. Nobody, not even Netgate, understands how to configure limiters, queues, and QoS properly. The official documentation and all the guides on the internet are all contradictory and wrong. I did loads of testing and it worked somewhat, but never as well as it should have on paper (ie. I got ping spikes if I ran a bandwidth test simultaneously, which shouldn’t happen.) I don’t necessarily think OpenWRT is any better, but I know the Linux kernel has multithreaded PPPOE and I expect some modern basics like SQM to work properly in it.
The other thing to keep in mind is to pass through physical nics. Using just the vnics will potentially lead to security risks. That’s the reason I went back to physical fws.
I could throw an extra NIC in the server and pass it through, but what are the security risks of using the virtualized NICs? I’m just using virtio to share a dedicated bridge adapter with the router VM.
If you just use 2 nodes, you will need a q-device to make quorum if you have one of the nodes down
I could just use VRRP / keepalived instead, no?
I should try Proxmox, thanks for the suggestion. I set up ZFS recently on my NAS and I regret not learning it earlier. I can see how the snapshotting would make managing VMs easier!
That is pretty sweet. I have a second server I could use for an HA configuration of the router VM. I’ve been meaning to play around with live migrations (KVM) so this could be a cool use case for testing.
I appreciate the advice. I have like 3 spare routers I can swap in if the server fails, plus I have internet on my phone lol. It’s a home environment, not mission critical. I’m glad you mentioned this though, as it made me realize I should have one of these routers configured and ready-to-go as a backup.
My logic is partly that I think a VM on an x86 server could potentially be more reliable than some random SBC like a Banana Pi because it’ll be running a mainline kernel with common peripherals, plus I can have RAID and ECC, etc (better hardware). I just don’t fully buy the “separation of concerns” argument because you can always use that against VMs, and the argument for VMs is cost effectiveness via better utilization of hardware. At home, it can also mean spending money on better hardware instead of redundant hardware (why do I need another Linux box?).
There are also risks involved in running your firewall on the same host as all your other VM’s
I don’t follow. It’s isolated via a dedicated bridge adapter on the host, which is not shared with other VMs. Further, WAN traffic is also isolated by a VLAN, which only the router VM is configured for.
Whisper is the way to go for speech to text (edit: had that backwards). Whisper.cpp is decently fast too: https://github.com/ggerganov/whisper.cpp/releases/tag/v1.7.1 Get the binaries from the link that’s on that page (god GitHub usability sucks)
I want to second Pelican for Python. Really easy to set up and get going. No need to learn a complicated templating language (it’s jinja2, which is what everything uses).
yeah, but it’ll be hard to make those Y Combinator vultures rich at that price
No, I don’t think so.
Tinc has weird limitations and Wireguard completely obsoletes it. There’s zero reasons to ever consider using Tinc when Wireguard exists.
How are the alternatives any better? Download a DEB that executes arbitrary code, signed with some .asc that’s sitting in the same webserver? Download an EXE?
Your comment is so rambley that I can’t understand whether you’re criticizing the distribution method or the packaging. Both of those are very different in terms of attack surface, if you’re talking about supply chain attacks.
I haven’t tried it personally, but Mox looks like a nice modern mailserver. It might do what you want.
Every time I look at this, the value proposition makes no sense to me. The DIY V1 and V2 only have instructions for adding a single HDMI input port (??), and the V3 and V4 are like $350 CAD, which is way more expensive than buying a used KVM on eBay. What am I missing?
I don’t see anyone else actually telling you how to figure out if you’re being DoSed, so I’ll start:
Check your logs. Look at what process is eating your CPU in htop and then look at the logs for that process. If it’s a web application, that means the error and access logs for it. If you see a flood of requests to a single URL, or some other suspicious pattern in the log, then you can try blocking the IPs associated with them temporarily and see if it alleviates the load. Repeat until the load goes down.
If your application uses a database, check your database logs too. IIRC postgres logs queries that take longer than 5 seconds by default, which can make it easy to spot a slow query especially during a time of high load.
I don’t think DNS amplification attacks over UDP are likely to be a problem as I think most cloud providers filter traffic with forged src addresses (correct me if I’m wrong). You can also try blocking all inbound UDP traffic if you suspect a UDP flood but this will likely break DNS lookups for you temporarily. (your machine should not have any open UDP ports in any case though if you’re just running Lemmy).
If you want to go next level, you can use “perf” to generate a system-wide profile and flamegraph which will show you where you’re burning CPU cycles. This can be extremely useful for troubleshooting performance or optimizing applications. (you’ll find that even ipfilters takes CPU power, which is why most DDoS protection happens on dedicated hardware upstream)
Wrapping up this thread, I really appreciate all the opinions and experiences everyone shared! Gave me lots of new perspectives to think about.