this post was submitted on 31 Aug 2023
283 points (95.2% liked)


Dedicated wifi for automation allows me to have devices such as a Xiaomi Vacuum or a security camera not phoning home. OpenWRT with good firewall rules completely isolates my "public" containers/VMs from my lan.

Server was built over time, disk by disk. I'm now aiming to buy only 12TB drives, but I got to sacrifice the first two as parity...

I just love the simplicity of snapraid / mergerfs. Even if I were to lose 3 disks (my setup allows me the loss of 2 disks), I'd only lose data that's on these disks, not the whole array. I lost one drive once, recovery went well and was relatively easy.

I try to keep things separated and I may be running a bit too many containers/vms, but well, I got resources to spare :)

[–] [email protected] 41 points 11 months ago (1 children)

As an FYI: this set up is vulnerable to ARP spoofing. I personally wouldn’t use any ISP-owned routers other than for NAT.

[–] [email protected] 8 points 11 months ago (2 children)

I'm not well versed in ARP spoofing attack and I'll dig around, but assuming the attacker gets access to a "public" VM, its only network adapter is linked to the openwrt router that has 3 separated zones (home lan, home automation, dmz). So I don't think he could have any impact on the lan? No lan traffic is ever going through the openwrt router.

[–] [email protected] 8 points 11 months ago* (last edited 11 months ago) (2 children)

The risk is the ISP Wi-Fi. As long as you’re using WPA with a good long random passkey, the risk is minimal. However, anyone who had access to your Wi-Fi could initiate an ARP spoof (essentially be a man-in-the-middle).

ETA: the ARP table in networking is a cache of which IP is associated with which MAC Address. By “poisoning” or “spoofing” this table in the router and/or clients, a bad actor can see all unencrypted traffic.
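
The comment above describes the ARP cache (IP to MAC) and how poisoning rewrites it. The script below is an added example, not code from the thread or from OpenWRT: it is a small defender-side monitor that parses ARP replies from constructed, tcpdump-style capture lines (the line format and the regex are assumptions), keeps its own IP-to-MAC table, and raises an alert when an IP's MAC changes or when one MAC claims several IPs. It also shows the classic mitigation of a pinned (static) entry for the gateway, which is never overwritten by a contradicting reply.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in a tcpdump-like "ARP, Reply <ip> is-at <mac>" style.
# The last line is the one a poisoner would send: the MAC that belongs to
# 192.168.0.20 suddenly claims the gateway's IP.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000 ARP, Reply 192.168.0.20 is-at aa:bb:cc:dd:ee:01, length 28
12:00:03.000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:55, length 28
12:00:04.000 ARP, Reply 192.168.0.1 is-at aa:bb:cc:dd:ee:01, length 28
"""

# Assumed line format; adapt the regex to whatever your capture tool prints.
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    ip: str
    mac: str


def parse_arp_replies(capture_text: str) -> list[ArpReply]:
    """Extract (sender IP, sender MAC) pairs from ARP reply lines; other lines are ignored."""
    replies = []
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            replies.append(ArpReply(m["ip"], m["mac"].lower()))
    return replies


@dataclass
class ArpWatch:
    """A minimal ARP cache with change detection and optional pinned (static) entries."""
    gateway_ip: str
    pinned: dict[str, str] = field(default_factory=dict)      # ip -> mac that must not change
    cache: dict[str, str] = field(default_factory=dict)       # learned ip -> mac
    mac_to_ips: dict[str, set[str]] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> list[str]:
        new_alerts = []
        expected = self.pinned.get(reply.ip)
        if expected is not None and expected != reply.mac:
            # Static-entry mitigation: a pinned mapping is reported but never overwritten.
            new_alerts.append(
                f"pinned entry violated: {reply.ip} claimed by {reply.mac}, expected {expected}"
            )
            self.alerts.extend(new_alerts)
            return new_alerts
        prev = self.cache.get(reply.ip)
        if prev is not None and prev != reply.mac:
            tag = "gateway " if reply.ip == self.gateway_ip else ""
            new_alerts.append(f"{tag}mac changed for {reply.ip}: {prev} -> {reply.mac}")
        self.cache[reply.ip] = reply.mac
        ips = self.mac_to_ips.setdefault(reply.mac, set())
        ips.add(reply.ip)
        if len(ips) > 1:
            new_alerts.append(f"mac {reply.mac} claims multiple ips: {sorted(ips)}")
        self.alerts.extend(new_alerts)
        return new_alerts


def analyze_capture(capture_text: str, gateway_ip: str, pinned=None) -> list[str]:
    """Run every parsed reply through an ArpWatch and return all alerts raised."""
    watch = ArpWatch(gateway_ip=gateway_ip, pinned=dict(pinned or {}))
    for reply in parse_arp_replies(capture_text):
        watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    print("learning mode:")
    for a in analyze_capture(SAMPLE_CAPTURE, "192.168.0.1"):
        print("  ", a)
    print("with gateway pinned:")
    for a in analyze_capture(SAMPLE_CAPTURE, "192.168.0.1",
                             pinned={"192.168.0.1": "00:11:22:33:44:55"}):
        print("  ", a)
```

Two caveats when using something like this on a real LAN: a genuine hardware swap on the gateway also trips the "mac changed" alert, and a router that answers for several of its own addresses will legitimately show one MAC with several IPs, so treat the alerts as a prompt to look, not as proof of an attack.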

[–] [email protected] 14 points 11 months ago* (last edited 11 months ago) (1 children)

Well, to be honest if someone has access to my Wi-Fi, I'd consider that I've already lost. As soon as you're on my lan, you have access to a ton of things. With this setup I'm not trying to protect against local attacks, but from breaches coming from the internet

[–] [email protected] 1 points 11 months ago

Doesn’t need to be the case if you segment your network to protect against ARP.

[–] [email protected] 2 points 11 months ago (1 children)

How would you change his setup to prevent ARP attacks? More network segmentation (clients and servers on separate VLANs), or does OPNsense offer additional protections I should look into?

[–] [email protected] 2 points 11 months ago (1 children)

Don’t have the Wi-Fi network “upstream” of the LAN. You want the connection between the LAN and Wi-Fi to be through the WAN so you get NAT protection.

[–] [email protected] 1 points 11 months ago

Any way you could update/create your own drawing with what you mean? (Bad paint drawings are acceptable!)

I ask because I am curious if I am subject to the same problem. I'm not the most networking savvy so I need the extra help/explanation and maybe the drawing will help others.

[–] [email protected] 20 points 11 months ago

I like the WiFi 6 just going out into the ether. Like you're just throwing morsels out to the peasants.

[–] [email protected] 18 points 11 months ago (3 children)

That’s… not all hand written is it? No one who is good at computers can write that well. We got into this BECAUSE we couldn’t write well, right?

[–] [email protected] 5 points 11 months ago

Looks like excalidraw to me. I use it all the time to quickly make diagrams like these.

[–] [email protected] 2 points 11 months ago (1 children)

It's not, look at postgres under both DB in the last picture. That's not just the same writing, it's identical.

[–] [email protected] 13 points 11 months ago (2 children)

Oh God yes, I never knew I needed illustrated self hosting architecture.

Need more. Could you also add like, a curious cat that asks questions?

[–] jws_shadotak 5 points 11 months ago

Hate to break it to you but this is a font. It's all typed.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

You’ll want to check out Excalidraw

[–] [email protected] 1 points 9 months ago (1 children)

Interesting tool, but I don't know self hosting. I need a kitty cat to explain it to me in a drawing.

[–] [email protected] 1 points 9 months ago

Hey, that's how it's all done! Network maps are the starting point.

[–] [email protected] 11 points 11 months ago* (last edited 11 months ago) (1 children)

I would never use an ISP's router for my home network. It just causes so many issues that you can easily avoid by either using your own router directly or, if that is not possible, putting the device into "bridge" mode and using your own router behind it.

What are some of the issues?

The devices the ISPs send out are usually the cheapest hardware imaginable and therefore introduce substantial unnecessary latency.

Where I live some ISPs also used to use tools that generated wifi passwords based on the device's MAC address. While this is apparently fixed now, a lot of non-tech-savvy users still use these old devices that are basically open to anyone now.

To save even more money, they sometimes deliberately send out faulty devices (as in devices that drop connection frequently, restart for no reason, etc) which is just horrible.

I know these issues because I worked in that field and there are a lot more unfortunately...

[–] [email protected] 2 points 11 months ago (4 children)

With my previous ISP, I swapped the ISP's router with my OpenWRT one and everything worked fine. With my current ISP, it appears that it's not that simple to swap the router altogether. But I'll be honest, the biggest factors are price and number of routers/switches. As I want 2.5gbps, I'd need a router with at least dual 2.5gbps ports. The WIFI6 offering is also quite nice. And if I can't swap my ISP router, it would just add another device. In a perfect world, I'd have a single router running openwrt, with wifi6 and a couple of 2.5+gbps ports (but unfortunately openwrt doesn't play nice with most wifi6 routers and these routers can get very expensive). For now, my ISP router does the job and I haven't had any issue (yet).

[–] [email protected] 2 points 11 months ago (1 children)

What are you currently using for your OpenWRT router? I just got one of these and I would highly recommend it: https://a.aliexpress.com/_mq4HxaS

Get the N100 barebones version because you can slap an SSD and RAM in there for cheaper and have more selection. It has four 2.5Gb NICs and the internal PCIe slot for a WiFi card if you really want, though I would recommend getting a Ubiquiti AP to go along with it.

You can put OPNsense on it bare metal, or proxmox and then run your network related VMs there instead of your main server. Your choice.

[–] [email protected] 1 points 11 months ago

I got a Netgear AC2000 (R6850) for cheap on sale, and it's been working flawlessly so far

[–] [email protected] 10 points 11 months ago

That is a great quality post! Congratulations and thank you

Your home network is not too shabby either ;)

[–] [email protected] 9 points 11 months ago

I like the way you wrote this in history class

[–] [email protected] 7 points 11 months ago (3 children)

Hmm, nice detailed specs on your home network. Mind sharing your IP? For, uh... totally trustworthy reasons. Asking for a friend. >: )

[–] [email protected] 8 points 11 months ago (1 children)
[–] [email protected] 2 points 11 months ago (1 children)

Got it. Sending the virus to 192.168.0.1...

[–] [email protected] 5 points 11 months ago (1 children)

I heard everyone on the internet is nice and has good intentions. Did they lie to me?

[–] [email protected] 4 points 11 months ago* (last edited 11 months ago) (1 children)

Here's my password to show trust:

"*******"

[–] [email protected] 2 points 11 months ago (1 children)

You see, when you see 'hunter2', I only see '*******'

[–] [email protected] 1 points 11 months ago

No no, it's Solarwinds123

[–] [email protected] 4 points 11 months ago

~~Zero Trust~~

<

Totally trustworthy

[–] [email protected] 6 points 11 months ago

Congrats for keeping your setup simple!

[–] [email protected] 5 points 11 months ago (1 children)
[–] [email protected] 14 points 11 months ago (1 children)

I'm afraid I can't take your upvote sir... excalidraw.com

[–] [email protected] 4 points 11 months ago

Oh damn! I must be out of practice. Still a great tool

[–] [email protected] 4 points 11 months ago (2 children)

For the stupid among us, what’s the purpose of the switch?

[–] [email protected] 2 points 11 months ago (1 children)

Maybe the ISP router only has one port?

[–] [email protected] 1 points 11 months ago (1 children)

That would be a smart idea for the ISP. Sell a 5 gigabit fiber connection but force the customer to use their router, which comes with a single gigabit port.

[–] [email protected] 2 points 11 months ago (1 children)

Indeed, the ISP router only has 1x 2.5gbps and 2x 1gbps. I wanted both my pc and my server to have 2.5gbps to wan, and I wanted 2.5gbps between them too.

[–] [email protected] 2 points 11 months ago

So it's someone like Iliad

They sell a 5 gbit fiber but they force their router, and it only has 2x 1 gigabit ports and 1x 2.5 gigabit port. Most people only use wifi, so they pay for 5 gbit, but use 150 mbit, lol

(in their defence, for the price they offer this bandwidth (only 20 euro per month), I'm ok with that)

[–] [email protected] 4 points 11 months ago* (last edited 9 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| AP | WiFi Access Point |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| SSD | Solid State Drive mass storage |

4 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #100 for this sub, first seen 1st Sep 2023, 11:25]

[–] [email protected] 3 points 11 months ago* (last edited 11 months ago)

Thank you for posting this with the explanations and great visuals! I am wanting to upgrade to a setup almost identical to this and you've basically given me the bill of materials and task list.

Anything you wish you had done differently or suggest changing/upgrading before I think about putting something similar together?

[–] [email protected] 1 points 11 months ago
[–] [email protected] 1 points 11 months ago (1 children)

Interesting setup, mine's very similar. Except with ZFS and no DMZ 😅 I'm thinking of setting up vlans for automation too, how do you handle updates and software downloads on that lan?

[–] [email protected] 1 points 11 months ago

If I ever need to update any device on the home automation vlan, I'd add an exception to the firewall for this specific host for the time of the update
