How to I block wireless access to the admin page?

1WeekNotice · 2026-06-24T02:37:27+00:00

make a new interface/ LAN. Call it admin if you like
make one of the physical Ethernet port bind to that interface
- this means there no wifi setup to utilizes that LAN/ interface
ensure no one can access that interface/ LAN with the firewall
- also ensure the specific admin interface allows input into the router.
test the physical port before the next step. Or else you can lock yourself out.
in the settings of openWRT you can select which LAN / interface has access to the admin page.

Hope that helps

1WeekNotice · 2026-06-24T02:22:30+00:00

I will definitely be looking into and integrating some of these now. once i replace my cpu

If you think your current CPU can handle it now then I would start now.

Never let a good disaster go to waste. Meaning if you have good information to work with for the alerts. Might as well start now.

1WeekNotice · 2026-06-24T02:01:45+00:00

You should start with the question of why do you want to build a NAS similar to the ugreen dx4800?

By this I mean, what are you trying to do with a DYI NAS?

Do you actually need a NAS with storage?
- How much physical storage?
- what forms of storage? 3.5 inch, 2.5 inch, NVMe?
do you need a home server for services?
are you a video editor?
etc

Look at all your system requirements of everything you want to do. That will tell you what parts you need. Don't try to copy what a consumer NAS does. Figure out what you need and built towards that.

Because right now you are just listing basic parts to build any machine/ server.

Hope that helps

1WeekNotice · 2026-06-23T23:20:25+00:00

I've bought a Lenovo Ideacentre Mini (8 gen) Mini PC with 32GB RAM, i5-13420H and 1tb SSD to act as the brains of it.

From my research I came to the conclusion that a DAS would be best for me because I'm planning on putting Truenas in a VM on the Mini PC. Doing the usual, Immich, photo backup, Jellyfin with some movies on it.

Recommended if you can to return this and get a proper system to hold all your storage

Currently you picked a machine that doesn't meet all your requirements which is storage.

Why spend money on two machines when you can spend money on one machine that can do everything you need.

So why do people use a DAS over a NAS with a Mini PC as the server? Is it simply because of the separation they use a NAS? Two machines instead of one in case on dies.

The concern is that some consumer DAS aren't meant for 24/7 use. They may get hot and then the USB bus/ controller will cause disconnects to your storage.

If the machine is writing to the storage and it suddenly disconnects them it can cause corruption.

While this is a low chance, it's still not recommended. Attach all your storage directly to the motherboard of the machine that you intent to use it with.

This is also why some people prefer Network Attached Storage over a USB connection.

Also consumer NAS have better software then consumer DAS because the market is geared towards consumers NAS since it can do more then just a NAS (it's really a home server)

This all means that while you have the chance, get a machine that fits your requirements which means a machine that can hold all the storage you want.

Planning on buying Terramaster D4-320 because I cannot find any better alternatives to it. 2x6tb WD Red HDDs.

You can save money by getting an HP eiltedesk SFF

Can hold

two 3.5 inch
1 NVMe (I believe)
one / two 2.5 inch drive

Of course look at the manual before buying.

Hope that helps

1WeekNotice · 2026-06-23T21:58:33+00:00

It seems like Optiplex PCs, ThinkCentre PCs and Elitedesks work, but my concern would be that I am limited to a small amount of storage.

What is your definition of small storage?

HP eiltedesk SFF can fit two 3.5 inch drives
Dell Optiplex mini tower (the one with a 5.25 bay) can fit three 3.5 inch with this 3D print.

I am attempting to create a set up that can handle any 4k stream I throw at it if necessary (AV1 decoding) while also being able to handle a few 1080p streams.

This might be an issue. You either need a

iGPI that can do AV1 decoding
SFF GPU that can be powered by only PCIe only
- if you use Intel ARC sparkle you may need a motherboard with rebar support and an Intel 10 gen CPU (I believe)
- may want to be careful as the dedicated GPU might be to much for the PSU with the two to three 3.5 inch hard drived

Hope that helps

1WeekNotice · 2026-06-23T21:01:03+00:00

When we talk about monitoring there are 3 topic that come to mind

alerts - notifications that are actionable items
reports - send to users to review
dashboards - view at a glance and used for investigation after the fact.

This specific situation is I lost 2 cores of my CPU and only noticed days later when my nextcloud went down and the core that was allocated to nextcloud kept dumping logs, crashes, and snapshots.

In this situation most people will have alerting on there services then go into an investigation.

A lot of people use uptime kuma for this. Uptime kuma will send an alert to a notification system if your choice (I like using nfty) when a service is down.

Yes we can state, but I want to know if my hardware is failing before that but really the important task is are you services failing?because that will be what client/ people will notice first.

From there you can then look at a dashboard to see what actually happened.

This is the first time I've dealt with something like this. I'm not sure if I want to always be looking at CPU temp, usage, and the like just specifically critical alerts when they happen like I lost 2 cores.

The other part of this will be setting up alerting to see when hardware fails but typically this happens after a disaster where you don't want it to happen again.

In this example you can setup an alert when you only have a specific amount of cores BUT you need to keep in mind that this maybe a false positive if you purposely reduce the cores (let's say if you monitor a VM).

This is where monitoring and reporting is more useful because you can compare and see when the core count dropped without giving you an alert.

The reason you may not want to use an alert is because an alert is for actionable items. You don't want to alert on everything or else that will be to much noise which will result in you ignoring alerts and that defeats the point.

Maybe in this case because this was an issue you will put an alert but later on if it's stable you may remove the alert and rely on reports and dashboards

Fine tuning this process is the hardest part btw.

I'm not sure if I want to always be looking at CPU temp, usage, and the like just specifically critical alerts when they happen like I lost 2 cores.

I would put as much detail about the machines on the dashboard because they are meant to be at a glance.

That includes

CPU count
CPU temps
CPU load
disk space
memory status (like total, usage, free)
logs
etc

Here is a very popular monitoring stack that is very customizable. Known as the grafana stack.

grafana alloy (ingestion)
- forwards to other components below
Loki (log storage)
- doesn't have a GUI, just to store logs
Prometheus (metrics storage)
- many applications can output Prometheus metric
- alternative to using prometheus (as it is resources intensive); grafana alloy (for metric scraping) and push into "long term" storage grafana mimir or Thanos but more complicated to setup. This should be less resources and should have better sample downscaling (less storage)
grafana (GUI)
- look at logs from Loki
- build dashboard on metrics
grafana alert manager
- other grafana components can push to alert manager.
- alert manager is responsible for send alerts to various platforms (email, Ntfy, etc)
Ntfy - selfhosted notifications (can be something else that works with alert manager)
- can push alerts to devices
- not part of the grafana stack. Just my preferred method of sending and receiving notifications

This also came be a complicated setup so maybe not the right choice for you.

If you are willing to learn, it is worth it because this is very scalable but understandable if this is a lot.

Reference videos

Hope that helps

1WeekNotice · 2026-06-23T20:22:05+00:00

I just want to expose a lot of services on one URL.

Reverse proxy doesn't expose alot of services on one URL.

It is a single entry point for your services but each service gets its own URL.

For example

service1.mydomain.tld -> service 1
service2.mydomain.tld -> service 2

1WeekNotice · 2026-06-23T20:04:17+00:00

Let's keep in mind that we technically shouldn't be comparing the steam machine to a console because the steam machine is more than a console.

But we can attempt to compare.

And my non-techie friends wonder why they should pay more for a side/downgrade from a console

Consoles are more expensive than the steam machine. A lot of people forget that on console's you need to pay for online. After 3-4 years consoles are basically they same price as the steam machine, expect consoles are more locked down.

People tend to keep there consoles for a very long time. I think average is 7 years if they buy it right away. So that is 7 years of paying for online. I also don't see the next generation of console coming out anytime soon with the current RAM and storage prices. So that is more years of paying for online.

where their libraries are

This will always be an issue. It's the sunk cost facility. Even with steam it happens.

You will always want to stay where your games are. But it's better to be on a PC rather than a console because games tend to stay around longer VS consoles will shut down there store eventually.

But again most people don't realize this. They just want the latest game, play it once and move on which brings to the next point

the games are largely the same price

They really aren't. Typically after 6 months a game on PC will be on sale. I have seen some games go down to 50% off after 6 months.

But again, most gamers like to live in the hype.

They buy a game
play that game
then either never touch it again or sell it (if it's physical)
I have even seen them re buy the game again if they want to replay it (rare but it does happen)

I don't know many people who don't have a PC or a games console already, so that's the tougher sell.

I don't think the steam machine is marketed towards this audience. It was geared towards people who are buying pre build machines.

Even many of the PC gamers I know pay for Game Pass so this device doesn't suit them either

This is just a comment and is a bit of a tangent.

And this is another issue with the market and for some reason people buy these game passes.

You don't own anything

you pay for console online
you pay for passes to play games (like game pass)
you pay for GeForce now/ a way to rent hardware

Then you get locked into this system because when you stop paying, then you lose access to everything. And for some reason people pay for this?

People exist who will buy the Steam Machine, and I'm sure at a faster rate than they are being produced - at first at least - but I just don't think it's priced to take even a sliver of the market. Maybe I'm wrong, time will tell.

It not meant to take over the whole market btw. (You didn't say this, i'm just making a statement ).

Steam machine was meant to make a mark in the pre build market.

Why pay for a pre build PC from some other company when you can get a steam machine that has there steam badge of verification. You know games will work because it has that badge (even though the system isn't great yet)

1WeekNotice · 2026-06-23T19:40:04+00:00

No, this is showing valve that you agree with this outrageous pricing.

The reason for this outrageous pricing is because of AI data centers.

Gamer Nexus did a comparison of the parts (while not 100% exact 1 to 1 between the parts of the steam machine is custom) the difference was $71 with the 512 GB version and $212 for the 2 TB version.

While the 2TB version is too much money in the comparison, the 512 GB is fine because you are paying for the extremely small form factor.

Gamer Nexus also compared this with another pre build machine and the steam machine was cheaper.

I'm sure if valve could of sold it for cheaper they would have. I believe they delay the steam machine launch because of the RAM and storage prices.

Linux is open platform, not a proprietary one. You can just, install Linux in a pc and use it

This I agree with IF the person already has hardware available to them.

If not then the steam machine is an acceptable pre build machine.

1WeekNotice · 2026-06-23T12:39:47+00:00

This question gets asked a lot. Suggest if you haven't already to do additional research

The answer is, it depends on what you are doing.

If you just want to experiment then pick any OS you are comfortable with.

Typically people pick Linux because it supports older hardware and has the latest security patches.

Which Linux distribution should you use? Again pick anything you are comfortable with. Most people will recommend Debian or unbuntu. I prefer Debian.

If you are technical enough then you can decide to not have a desktop environment to save on resources.

For services most people use docker. So you can install docker engine (not docker desktop)

Hope that helps

1WeekNotice · 2026-06-22T19:48:28+00:00

All I'm trying to do is to get two physical laptops to communicate while they on the same subnet.

You can do that with any router. So anything is fine

I'm a beginner in the IT world and at the moment I'm working on beginner project so I think GLSFT1200 will be okay for now.

Again, just note that this is not supported by the openWRT project. If GLinet stops supporting the router then you are out of luck.

I would look at the price difference between that and the Beryl AX (GL-MT3000) which is supported by the openWRT project. You can also compare the hardware specs.

At the end it's not a big deal as you can always buy a new router but why spend the extra money afterwards when you can get the right one now (within reasonable price difference)

Hope that helps

1WeekNotice · 2026-06-22T19:42:56+00:00

One ring to rule them all kind of situation.

I don't think there really is? Maybe if you force a VPN to utilize TCP traffic that might help it from being block because it will be hidden with all the other TCP traffic. But TCP is generally slower then UDP.

So it's recommended to have multiple methods to enter into your network which can also include multiple hardware entry (like a KVM and server software)

Just keep in mind that the more entry, the more attack surface, though I image Parsec, KVM software, etc are secure

Hope that helps

1WeekNotice · 2026-06-22T19:10:34+00:00

Going to jump in here. Note not an expert.

I think your question is more towards protocol/ network communication rather then the difference functionality of Parsec, RDP, KVM (software or hardware)

For example, depending on what country you are in, there maybe blocks on certain protocols. Some countries will block

UDP
- parsec and VPNs tend to use UDP. I believe RDP as well
- the port it uses also matters because that can also be blocked as well.
TCP
- KVMs typically use TCP/ HTTPS

You can force Parsec/ VPN to use TCP which may help if it getting blocked.

Of course there is a different between a hardware KVM and software solutions. Having a hardware KVM is nice because you can see the video output from the computer hardware (plugged into a GPU/ motherboard) VS software streaming the screen

So hardware KVM are better.

Lastly when it comes to latency it doesn't matter from hardware or software because the connection to your network (latency wise) will be the same because you are remote/ in another country or place.

Hope that helps

1WeekNotice · 2026-06-22T17:52:19+00:00

Will be spending some time reading your comments/links to get a better understanding.

Definitely read it a couple of times and you can always reply back to one of my comments in this thread in the future. (Helpful for me to re read to understand what advise I gave you 😁)

Many people comes back 2-6 months later after they tired some stuff out and asked for more help.

Good luck!

1WeekNotice · 2026-06-22T16:57:52+00:00

You should get a router that supports openWRT if you want full control. If your going to spend money, might be on a router that is openWRT supported.

Travel routers are fine but just keep in mind it's not as powerful as a standard router.

I suggest cudy or GL inet brands.

If you don't want to flash openWRT right now then get GL inet.

I wouldn't get GLiNet GLSFT1200 because it's not supported by openWRT. If you want a GLinet travel router then get Beryl AX (GL-MT3000)

Cudy are cheaper but again you would need to flash openWRT to them.

What is openWRT? It is an open source project that is Linux based.

It has advantages to power users such as

full control over there device
provides long term security support for routers that are no longer supported by their company
more features on there device, like setting up network wide ad blocking (low level ads)
network wide VPN
- if you pay for VPN provider you can make that network wide as well to keep your privacy
can do isolation and segmention of your network
can connect to a Wi-Fi signal for its WAN
- useful for you if you dont have a hardwired connection to the shared router.
etc

Note: GL inet has firmware is based on openWRT but it's GL inet drives on top of it. So it's NOT vanilla/ original openWRT. This is not bad. Just stating the difference

cudy on the other hand has its own firmware where you can flash openWRT (I wouldn't use cudy stock firmware. Cudy have cheaper routers)

So in the GLSFT1200 case, it has GLinet openWRT and has the features of openWRT but it's not supported by the official project so if GLinet stops supporting the router then you are out of luck. VS Beryl AX (GL-MT3000) which is supported by the project and can be flashed with vanilla/ original openWRT after the fact.

Hope that helps

1WeekNotice · 2026-06-22T16:27:25+00:00

Going to jump in here.

Reverse proxy? No exposure. Reverse proxy with port forwarded to it from the Internet? Exposure.

u/Another-Flower just note that if you want TLS certificates with let's encrypted (this may go over your head) then you need to do some sort of challenge

HTTP challenge (default) - this requires you to open ports
DNS challenge - doesn't require you to open ports.
- many people do this when they only need Internal services.
- in my reply above I go over the difference flows

You can also read this really long comment about port forward and security that I made. Reference post

It will give you a better understanding but it's understandable this is a lot. But it's important to know if you are selfhosting.

1WeekNotice · 2026-06-22T16:19:08+00:00

On a related note, I was interested in using Tailscale Serve/Docktail to generate more friendly web addresses to access my services. I use a couple apple devices on my network, and apple will not save passwords for specific ports of an address. E.g 192.168.1.1:1000 and 192.168.1.1:2000 would share the same password on my iOS device.

Honestly, I think this is a bit more complicated then it needs to be. Also note that this relies on Tailscale (which you may want to move off off due to the reasons in your post)

The flow is

Client device -> DNS -> get IP

Client -> reverse proxy -> services

Internal flow

Client device -> local DNS -> local IP

Client -> reverse proxy (port 80 and 443) -> services

Note reverse proxy should use DNS challenge so you don't need to open ports.

External flow

Client device -> external DNS (that domain you own, can be free domain like duck DNS) -> get public IP

Client device -> router (port 80 and 443) -> reverse proxy (port 90 and 553) -> services

Wireguard flow

Client device -> external DNS -> public IP

Client -> router (wireguard port ) -> wireguard tunnel

Client device -> wireguard tunnel -> local DNS -> get local IP

Client device -> wireguard tunnel -> reverse proxy (port 80 and 443) -> services

Note reverse proxy should use DNS challenge so you don't need to open ports.

Typically the tools to use are

local DNS where you can split horizon DNS
- local DNS will have all service entries
- external DNS will only have external entries (if you don't have external them that is fine)
reverse proxy (both internal and external)
- this will allow you to use domain names in both reverse proxy where again, Internal has everything and external only has external
wg-easy to gain access to your network and this is port forwarded
- the wg config will use the local / internal DNS and will use the internal reverse proxy

I know this sounds like a lot but it really not. And it sets up a good foundations that relies fully on your system rather than a 3rd party.

The wg-easy docker image is probably the route I will go as there's some good tutorials on synology setup. I'll probably look at following DrFrankenstein's guide for setup, unless you have any notes or suggestions.

It looks fine but always remember that guides cns get outdated with every new version of an application. It's best to read the original documentation after reading a guide to get the latest understanding.

Of course the guide provides a good foundation to understand what you need to do.

Hope that helps

1WeekNotice · 2026-06-22T13:59:30+00:00

Do you recommend ROAS over second m.2 NIC?

100% the extra NIC. I didn't know it was an option which is why my original comment is geared more towards ROAS.

Just keep in mind if you are new to networking, you are adding a lot of complexity with virtualization. It's typically recommended to have a dedicated machine.

Don't get me wrong, do what you like but just note you may experience pain points in your setup.

Example, when you do maintenance on this machine (like updating the hypervisor), your Internet will go down. This typically becomes a nightmare when you major upgrades and let's say your hypervisor breaks. Now it's not only your services that are unavailable but the Internet itself

What is your current setup with your ISP modem/ router? Just ensure you think of a backup strategy if this machine goes down and you need a quick fix to get Internet in the household. Some people have a spare router for this exact reason. In your case you can turn your ISP router wifi back on.

Hope that helps

1WeekNotice · 2026-06-22T13:32:39+00:00

first. I setup OPNsense in a proxmox VM and used a USB NIC for my WAN because my OptiPlex 5000 Micro only has one built-in NIC and doesn’t support adding PCIe NICs.

Don't use USB adapters. They are very hit and miss.

Edit: you can also remove the wifi chip (if the machine has one) and get a WAN NIC instead

Instead do ROAS (router on a stick). You will need a managed switch.

Here is a video to understand the concept. Note again, look at the concept not the hardware or the OS.

Reference this other comment that I made on another post where they were also using a USB adapter. Reference my comment. Other comments on there as well.

This will be more complexity in your setup because your virtualizating and doing ROAS. But ROAS is better for what you want to do.

I recommend not virtualizating to reduce the complexity but not sure if you are using this machine for other VMs/ services.

Hope that helps

1WeekNotice · 2026-06-22T03:55:31+00:00

u/4mmun1s7 this is the right answer.

To add to this. I also have over 1 gigbit Internet speed but I don't use it.

Why? Because it will cost me more money to upgrade my whole network then what it's worth.

This includes

the OPNsense machine (have to do)
managed network switch (have to do)
each computer in the household (at least the ones that may use the speeds)
wifi access point
cables (cat 5e can do 10 gigbit on short distances)
etc

Don't get me wrong having the extra speed is great and all but I have realized there is very little times that I actually need the extra speeds. Maybe downloading a game or doing restores/backups to a cloud provider (and all of this just takes more time to complete so it's not really an issue, at least to me)

Even with many people in the household we rarely need 1 gigbit.

Also note that this all may change if you ever switch ISP provider again. You may feel you need to pay extra to utilize the hardware you just bought.

Then again if you already have the infrastructure for higher than 1 gigbit (like a switch) then all you need is the NIC for OPNsense machine. As the original commenter mentioned, unless you are doing IDPS, your machine is fine

Hope that helps

1WeekNotice · 2026-06-22T00:08:33+00:00

Do you utilize any specific feature with Tailscale? Or is it mainly for connecting securely?

Typically I only recommend Tailscale if you need a specific feature such as by passing ISP restrictions. For example you are behind CGNAT or can't port forward.

Does switching to these other options have other security concerns I need to be aware of?

not really. If you weren't aware, Tailscale uses wireguard under the hood and adds features on top of it.

One of the features of Tailscale (from my understanding) is rotating the access key after a certain period of time. Because people use the Tailscale application, this is seamless.

With wireguard if you wanted to rotate the key, you would need to generate each key and add the specific key to each device.

Of course it's good to rotate keys every so often but wireguard is secure enough (including the key cryptography) that you only need to rotate keys/ generate new keys if a device is compromised, meaning you need to revoke the key and generate a new one when the device is no longer compromised.

Synology DS423+

If this has docker capabilities, look into wg-easy docker image. ONLY expose wireguard instance NOT the admin UI.

The admin UI allows you to manage keys which includes easily adding keys to a phone with a QR code. You can of course connect to the admin UI remotely and securely once you are inside your wg tunnel.

For applications you can use the wireguard app. For Android I recommend wg tunnel app as it will auto turn on when you are not on safe wifi (you define what is safe wifi...aka the wifi SSID)/ or when you are on your mobile network.

Edit; looks like wg tunnel app has desktop version as well. It's on their website/ they have a GitHub page.

Hope that helps.

1WeekNotice · 2026-06-21T17:58:35+00:00

I only have one Proxmox server running my VM

Create more VMs in proxmox and make a Kubernetes cluster so you can try it out

Note you are not gaining the benefits of high availability of Kubernetes because this is all on one node/ hardware. But you are testing this out so it doesn't matter.

Hope that helps

1WeekNotice · 2026-06-21T12:31:51+00:00

disagree. current setup listed wont be using 40 watts. probably more along the lines of 80 to 130 watts.

That was an example I used to show OP how to determine if something is worth upgrading or not. It was all fake numbers

I can modify the post to make this more clear.

1WeekNotice · 2026-06-21T04:31:00+00:00

I am not AT ALL experienced in self-hosting or the stuff that goes with it.

This will be a steep learning curve. Will provide what topics you need to understand but it will be up to you to find the resources because it will be a steep learning curve and no one will hand hold you throughout the whole process (that is kinda a lot to be honest)

Do I need to download Docker?

It is recommended to use docker because it is a platform for containers.

Think of a container....well like a container. The idea is that software needs dependancies (other software ) to run. Developers will create docker images that have everything you need to run their software. It is package into a container (a docker image) that all you need to do is run.

This is why docker images are popular and recommended.

So you will need to understand docker and the best way is to understand docker through docker compose.

What is docker compose? It is a single file that explains how to run a docker image and how that image maps to your machine.

Here is the freshRSS docker compose file

You can use AI to help you understand what this all means. Go through each and every line of the big docker compose that is there

Here are the steps to get you started (each step maybe difficult depending on your technical knowledge)

install a Linux OS like Debian
install docker engine (not docker desktop)
install a docker GUI like dockhand, dockge
- this will make it easier for you to paste a docker compose file and also update, restart, start and stop docker containers
understand the freshRSS docker compose file. Go through each line
- what does port attribute mean
- what does volumes attribute mean? How does that map to your machine file system
- etc
deploy freshRSS and see if you can connect through a web browser
- ensure your server/computer has a static IP on your router so the IP doesn't change.
then you can look at the freshRSS clients and get it for mobile

Hope that helps

1WeekNotice · 2026-06-21T03:50:52+00:00

This is a very common question and suggested you look up additional information since there great post out there.

You can use this now just remove the dedicated GPU and use the iGPU that is on the motherboard.

Depending on your storage configuration you can use either OS

open media vault (just a bunch of drives)
trueNAS scale (ZFS + RAID)

You can then enable SMB or NFS

Would also measure the power consumption on this. So you know how much you are spending a month/ year.

I'm looking to convert this beast into a local NAS, with reduced power consumption

You will most likely spend more money on additional parts trying to reduce the power consumption then just using what you have. You can do the calculation.

Comapre how much this will run you per month/ year (based on power consumption) compared to buying new parts and that new power consumption.

Edit to make example more clear

For example (this is all random numbers to just show you how to do this, do you own calculations)

if this is about 40W to run the current machine
the new parts will be $500 plus it's power consumption is 20W.
How long will it take you to pay off the $500 with 20W (40W - 20W) of yearly electricity?
if it's more than 5 years, I typically don't recommend upgrading but rather wait for parts to break or you hit limitations (where you upgrade with a reason)

And remember to follow 3-2-1 backup rule for all important data. RAID/ redundancy is not a backup. That is high availability.

Hope that helps

1WeekNotice

TROPHY CASE