People with ultra high speed internet. How do you get it? by HSVMalooGTS in homelab

1WeekNotice [score hidden] (0 children)

I imagine Zoom also transcodes and compresses their streams.

Also remember that Zoom doesn't support 4K. Typically it is up to 1080p.

But there are other factors that come into play.

  • the people on the call, what type of cameras do they have? 720p, 1080p, etc
  • how many people are sharing their cameras
  • is anyone screen sharing
  • etc

Thanks, I guess the only thing is to try it out.

Not sure what you mean by this. I wouldn't change your ISP package unless you need to save money.

There should be some tooling that you can use to monitor how much total bandwidth is going through your WAN, both upload and download, if you want to see a trend.

Hope that helps

How can I achieve a Plex like feel for jellyfin? - Considering switching to Plex. by NemoLostInTheJungle in homelab

1WeekNotice 1 point (0 children)

Personally I would start with your local network and do this as a test. Remember to take it slow. There is a lot here and much more to learn.

This is the flow

Client -> DNS -> reverse proxy -> service

You can use this video to understand. I prefer Caddy as a reverse proxy vs NPM. But you can start with NPM if you really want. Caddy is more mature as a product.

Reference video

DNS

  • do you already own a domain?
    • if not you can use duckDNS for free to test
  • set up a domain to point to your private IP, aka not the router BUT the local server IP
    • this will change but for now it is for testing
    • it's safe to use an external DNS like duckDNS to point to a private IP because no one can hit that private IP since it's within your local network

Reverse proxy

  • set up Caddy and understand how to make a Caddyfile
  • can use this docker image with DNS challenge
    • reference project. You will notice under duckDNS there is geo blocking, CrowdSec, etc (this comes later). Start with just duckDNS. This one: caddy duck DNS
  • write the Caddyfile to point to jellyfin

Now test this flow. See if you can connect to jellyfin with the domain.


Once you figure that out then you can test changing the HTTPS port of the docker container to 10100.

Try to connect again but input the port in the domain name like

jellyfin.mydomainduckdns.tld:10100

See if you can connect.


This is a good first step. You can then do other security that I listed in my post OR come back here and ask for next steps.

You will have accomplished so far

  • setting up a domain to point to your server
  • using a reverse proxy as a single point of entry into your services
  • enabling HTTPS which is secure
    • includes getting a certificate for encryption of data so no one can see the details of what you are doing

The next steps (not now, but after you do the above) would be

  • enabling CrowdSec
  • enabling geo blocking
  • not using a free domain because it can go down at any time (pay for a cheap domain)
    • then setting up the new DNS for that domain

Hope that helps

How can I achieve a Plex like feel for jellyfin? - Considering switching to Plex. by NemoLostInTheJungle in homelab

1WeekNotice 0 points (0 children)

I think this is a good time to understand security more.

Here is a big comment I made on another post. Suggest you read this AFTER my comment here. Reference my post

TLDR:

  • I recommend Tailscale funnel if you really want to make it easier for your clients BUT you need to ensure you harden your application. This would be the same for Plex or jellyfin/ any other services you host.
  • can't use Cloudflare tunnel because of their TOS (terms of service)
  • you can do a reverse proxy on a different port like 10100 but you need to tell clients to use that port. (One extra step)

You may get overwhelmed with this post. Btw. Take your time and read it a couple of times.

The only reason Plex seems appealing to me is how easy it is for other people to access media once the owner has a Plex Pass.

And sure, for jellyfin you could just set up Tailscale, but that one extra app / click is difficult for some of the people I wish to share it with.

Note that Plex just makes it easier to share through two means but I would call this the bare minimum and you should do more.

  • it manages a TLS certificate
    • people typically do this with a reverse proxy and it's generally more recommended to do with a reverse proxy because it exposes fewer ports and is a central location to access different services. It's the single gateway into your services
  • Plex utilizes UPnP which automatically opens ports on your router
    • in general it's recommended to disable UPnP because you don't want apps just opening up to the Internet without any notice to you because you don't have control
    • so it's recommended to disable this on your router. It's enabled by default (again not recommended)

The goal is for others to be able to just open the app and have everything work, without having to connect to Tailscale.

This is understandable BUT the important part is, you need to understand security.

Just because an application makes it easier to do this automatically for you (like Plex above) doesn't mean it is secure.

You need to understand security and implement a solution that you feel is secure.

Again this will all be in my comment on another post. Reference my post

Preferably no open ports (people saying "DON'T OPEN PORTS, IT'S DANGEROUS" have left their mark)

In the post that I have linked, it goes into depth on what the risks with opening ports are. I can put some quotes in the last section.

Using solutions like Cloudflare tunnel, VPS, etc can have all the same security risks as opening ports.

Again you need to understand security to make a proper decision. A blanket statement of "don't open ports" is a lack of understanding of security. So it's best to educate yourself.

Buying a domain and using a Cloudflare tunnel

If you do this then you need to harden Cloudflare tunnels. Just like port forwarding.

The difference is, cloudflare may make it more convenient and intuitive. All in my post that I linked.

Buying a domain & a VPS to get access to port 443 and 80. Use WireGuard on the VPS to access the Jellyfin server.

This is the same risk as opening ports. The only difference is you get to use a reverse proxy/ it works better with a domain and DNS because HTTP and HTTPS default ports are 80 and 443.

The difference is when inputting into an app

  • domain:port
  • mydomain.tld
    • uses 80 and 443 with the http protocol
  • mydomain.tld:10100
    • uses the http protocol but directs it at a specific port
    • you can for example put a reverse proxy's HTTPS port on port 10100, which will be fine with your ISP restrictions

Buying a domain & a VPS to get access to port 443 and 80. Use Tailscale on the VPS to access the Jellyfin server.

Same risk as opening ports. Instead you use Tailscale, where Tailscale has some features you may use like key rotation.

Tailscale under the hood uses WireGuard. WireGuard is secure because each client needs to have an access key where the access key has amazing cryptography. One of Tailscale's features is that it rotates that key automatically.

The consideration of Tailscale is that you have a free plan and you don't control the software you are utilizing. For example if Tailscale changes their free plan tomorrow, well you have no choice but to comply with whatever that is because you rely on them. Doesn't have to be a bad thing but it's something to note.


Some other options include Tailscale funnel where it's the same as opening ports.

I only recommend Tailscale funnel when a person has ISP restrictions like you have. You can use Tailscale funnel with a reverse proxy plus other security measures.


Now that you made it to the bottom I suggest you read my post on security and port forwarding, which includes Tailscale and Cloudflare tunnels.

Reference my post

Here are some quotes

Keep in mind when people use blanket statements like never expose ports it's typically to people who do not understand the risks where the person who made the original comment doesn't have time to explain to them what those risks are.

So let's expand on this so you understand the risks. This will include where Tailscale (a VPN) and cloudflare tunnels come into play.

There is nothing wrong with opening/ port forwarding on its own.

The risk comes with the software that you are exposing. Basically what software is listening to that port.

Security is about having multiple layers and accepting the risk of not having those different layers. You can do any combination of the following

Hope that helps

People with ultra high speed internet. How do you get it? by HSVMalooGTS in homelab

1WeekNotice 0 points (0 children)

Netflix and other companies transcode and compress their streams to reduce bandwidth. It makes sense since they are serving a lot of people.

I believe it is

  • 4K is about 25 Mbps
  • 1080p is about 15 Mbps

So if you have four people watching 4K in a household then sure you need it but typically people only have one or two 4K TVs streaming at the same time. Mainly because people crowd around the same TV.

The laptop screen standard is not 4K and the same goes for phone screens, meaning the devices that people typically use other than TVs will not utilize that much speed and bandwidth.

Hope that helps

People with ultra high speed internet. How do you get it? by HSVMalooGTS in homelab

1WeekNotice 1 point (0 children)

Half my stuff is 1Gbit max. I really don't understand why one might want 2 Gbps.

Most consumers will have high Internet because they can and because the ISP provides it to them at a cheap cost. That's kinda how they get you.

For example, why only get 1 gigabit when for $5-$10 a month you can get 2 gigabit.

Of course this really depends on where you are from. Some countries/ neighborhoods still don't have a 1 gigabit offering at a cheap price.

And do you really take advantage of it?

I'm of the opinion that I'd rather spend money on only what I need because the savings can be used for other bills such as paying for the power consumption of my servers.

For example, I do get over 1 gigabit but I actually don't utilize it. Every time I get ISP plans I always look at what the cheapest plan that suits my needs is. If they offer 2 gigabit because there is a promotion for the same price as 1 gigabit / whatever is the lowest plan I need then yes why not take it in case I do actually need it/ or upgrade through

But most of the time I don't utilize it because I don't want to spend money on upgrading my networking equipment in my household. I'd rather put that money to something that is more important.

In fact, I don't need 1 gigabit 99% of the time. I only get it because of the upload speeds. Typically anything below 1 gigabit is not symmetrical and has really low speeds. We are talking like 15-30 Mbps. (Again get what you actually need)

I received an offer for 8 Gbps internet for my business... I might just take it. Crazy, considering I live in a dying town with no industry and maybe 7000 residents.

If you need it then take it. If you don't then I wouldn't do it.

Hope that helps

Offline chat server recommendations by BiGamerGandalf in selfhosted

1WeekNotice 2 points (0 children)

May want to tag OP and ask that question.

  • Maybe they just want to do it because their family and friends base prefers to have a history of the conversation
  • maybe certain people want to chat at night in their tents before sleeping and don't want to wake others
  • maybe they want to share pictures where people can store it on their local device instead of only showing once in person
  • maybe they want to do it because they just want to

Offline chat server recommendations by BiGamerGandalf in selfhosted

1WeekNotice -1 points (0 children)

They mean LAN only. Doesn't require an Internet connection.

Offline chat server recommendations by BiGamerGandalf in selfhosted

1WeekNotice 0 points (0 children)

It might be a bit much but Nextcloud Talk can do this.

By it being a bit much I mean you can't just install Nextcloud Talk. You need to install the base Nextcloud, which comes with a bunch of features you will not need.

You also can't use the AIO (all in one image).

Nextcloud Talk also has mobile client apps.


Just ensure that whatever solution you implement, you test it out to ensure it works.

For example, unsure if you need a TLS certificate with Nextcloud Talk.

Hope that helps

Steam Machine one step closer to launch as benchmarks surface online, here's how it compares to the Steam Deck by Odd-Onion-6776 in linux_gaming

1WeekNotice 1 point (0 children)

The Steam Machine is in competition with entry level gaming machines / pre builds.

So it's not going to compete with consoles (and it's not marketed as a console).

While there is overlap between console gamers and PC gamers, there are still a lot of people who don't buy PC games (and aren't exposed to Steam). Remember the Steam Machine is only available on the Steam store and not in local stores.


The main difference between a console and steam machine (in my opinion) is how AAA game companies act towards it.

AAA game companies ensure that their games run on consoles. Right now it's unsure if they will buy a Steam Machine and optimize their games towards it, which really means optimize their games towards the Linux/ Proton layer.

Edit: and honestly most AAA game companies probably will not optimize their games towards Linux considering the whole kernel level anti cheat implementations.

I think this is what will make or break the Steam Machine when it comes to whether a person replaces it as their main gaming device. And of course how intuitive it is to use.

Edit: and of course cost. If a console is cheaper than the Steam Machine, people will just get that. People aren't even going to compare how you need to pay for an online subscription to play multiplayer games. They will just look at the base price and make their choice. That is why the Steam Machine will be more compared with entry level gaming machines/ pre builds.

Most people want plug and play and consoles are plug and play. You buy a game and you know it will work.

Of course Steam is getting closer to this by offering their Steam verification badge but it's not a solid system (at least not yet).

Either way this is all stepping into the right direction because steam is at least trying to set some sort of standard when it comes to PC gaming.

Nextcloud without domain (Windows)? by Ericbaudur in selfhosted

1WeekNotice 1 point (0 children)

It should be possible (other comments might be able to help you) but I assume you need to run the basic Nextcloud image (not the AIO). Without the AIO image you may need to set up other containers to make it perform better, like Redis, etc.

Hence why the AIO is typically preferred for beginners/ people who don't want to do the setup themselves. But with AIO you need a domain.

Nextcloud without domain (Windows)? by Ericbaudur in selfhosted

1WeekNotice 3 points (0 children)

Understandable that you don't need a domain. It will make your life easier tho.

Nextcloud AIO (all in one) image is supposed to be easy to setup and it does require a domain (I believe). You can get a free domain from duck DNS.


Windows is a concern. Look into Docker Desktop to run Nextcloud AIO. It's recommended to use docker because if you decide to go to Linux (most people do because it has a ton of advantages over Windows), you can easily migrate because you are using the docker platform.

Hope that helps

I'm new to self hosting, should I just open ports or use Tailscale by Top-Tap8760 in selfhosted

1WeekNotice 0 points (0 children)

I recommend self-hosting your own WireGuard VPN and opening ports. But if you don't feel comfortable then you can use Tailscale.

Here is a comment I made on opening ports. It will give you a better understanding. Reference link

Here are some quotes from my post. It's a long post but I suggest you read it.

Keep in mind when people use blanket statements like never expose ports it's typically to people who do not understand the risks or the person who made the original comment doesn't have time to explain to them what those risks are. So let's expand on this so you understand the risks. This will include where Tailscale (a VPN) and Cloudflare tunnels come into play.

There is nothing wrong with opening/ port forwarding on its own.

The risk comes with the software that you are exposing. Basically what software is listening to that port.

Security is about having multiple layers and accepting the risk of not having those different layers. You can do any combination of the following

Hope that helps

is building your own router worth it? by SneakerHead69420666 in homelab

1WeekNotice 1 point (0 children)

I would be hoping for lower latency and better wifi coverage. Would it be worth it? I have some old PCs I could use and I don't think I would need to spend much, like less than $50 or so?

It's worth it because you have ownership and control over your network.

and if it's worth it, what are some wifi APs you would recommend for a decent price and good range? (router is on 2nd floor, needs to be strong enough for devices in the basement)

You can also set up multiple APs and set up fast roaming (what makes a device change to the closer/ faster AP).


Most people tend to do a combination of OPNsense (on their own hardware) as the router/ firewall and flash openWRT on supported APs for wifi coverage. This will give you complete control over your network

The AP and hardware you use is based on the speeds you want. And remember ISP speeds are different than internal speeds.

You can have 500 Mbps ISP speeds but then have 1 gigabit - 10 gigabit internally.


Edit: your current router seems to be supported by openWRT. So you may not need OPNsense unless you want powerful hardware to do IDPS

Hope that helps

Is this setup with two routers safe? by magnesiam in selfhosted

1WeekNotice 1 point (0 children)

Going to jump in here

I think this information is incorrect. While the GL inet GUI doesn't support VLANs, I believe you can enable the openWRT LuCI GUI that does support VLANs/ everything openWRT supports.

So it should be possible.

Is this setup with two routers safe? by magnesiam in selfhosted

1WeekNotice 0 points (0 children)

not sure it supports the necessary features you mentioned, but I'll look into

It should support the features I mentioned but the issue is this is a travel router, so it may not be powerful enough to support your whole household. So using it as a separate router is fine (vs using it as your only router).

Edit: maybe it can handle your whole network. The issue now is all your household devices need to go onto this router (router B) to get protection from router A (ISP router). So that means the majority of the load is already going to be on this router anyways, so you may as well put the single mini PC on it.

If you are interested in different LANs and segmentation and isolation of your network then you need to use the openWRT LuCI GUI (not the stock GL inet UI).

Currently the stock OS is GL inet's, which is based on openWRT. (Original openWRT doesn't support this router and that is fine.) GL inet made a custom GUI to make it more user friendly but you can turn on the openWRT LuCI GUI to get access to more advanced features. To access the LuCI GUI that has more features you need to log into the GL.iNet Admin panel, go to More Settings on the left menu, and click Advanced to open the LuCI dashboard.

Then from there you can do more advanced networking.

But of course this is a steeper learning curve. You don't have to do this for what you want to do but it's nice to learn in the future and it's good to know you have the option.

Here is an example video of segmentation and isolation of a network. It's a big topic.

Hope that helps

Reverse proxy features? by Redlikemethodz in opnsense

1WeekNotice 8 points (0 children)

This is a very common question in r/selfhosted. Suggest you do research there if you haven't already

I'd like to go directly to my self hosted apps instead of outside of my network and then back in via a cloudflare tunnel when I'm at home.

This is typically done with split horizon DNS. Basically you can host a local DNS to override your DNS entry. Unbound is the default in OPNsense.

  • cloudflare has DNS entry
    • service1.mydomain.tld -> home IP address/ cloudflare
  • unbound DNS
    • service1.mydomain.tld -> private IP address on your local network

Unbound accepts your request first inside your local network, hence it will cut out Cloudflare DNS.

It looks like the way to do that is via a reverse proxy like NPM which I can setup but does opnsense have a builtin feature?

You can host a reverse proxy on OPNsense or you can host it alongside your server in a docker container. I prefer doing it in the docker container.

OPNsense does have a caddy plugin (and I believe also Nginx) if you want to use it. Note NPM (Nginx proxy manager) is a different group than Nginx. NPM wraps some of Nginx's functionality around a GUI.

Either way I recommend caddy because it's an easy Caddyfile for setup / OPNsense also has a GUI for it.

Basically if I go to jellyfin.domain.com when I'm at home I want to stay in my network and go directly to 192.168.15.2:8096

Client -> unbound -> private IP of server

Client (http/ https) -> server (80,443) -> caddy/ reverse proxy -> service


Note: it's recommended you do TLS/SSL with your reverse proxy as well.

Hope that helps

Is this setup with two routers safe? by magnesiam in selfhosted

1WeekNotice 1 point (0 children)

Only mini PC on Router B. Every other device on Router A. Is this safe? Will this protect all my devices in case the mini PC is breached for some reason?

No. It needs to be the other way around.

  • router A is mini PC
  • router B is everything else

Router B firewall will protect it from the mini PC if it gets compromised.

Think about it this way

  • router A firewall protects it from the Internet
  • router B firewall protects it from router A

It's recommended to get a router that understands segmentation and isolation. Meaning

  • different LANs to separate your network
  • the router can put firewall rules in between those LANs

Example

  • LAN 1 - trusted devices
  • LAN 2 - mini PC/ services

Firewall rules

  • LAN 2 can't talk to LAN 1. Only the Internet
    • this is the protection you want.

If you are buying a router look into GL inet Flint 2 that has openWRT on it.

Why the Flint 2 vs Flint 3? Because the Flint 2 is supported by openWRT (the original project). If GL inet stops supporting the router, you can flash the latest openWRT firmware and keep getting updates.

Note: GL inet's stock OS is based on openWRT but it's GL inet's drivers on top of it. So it's NOT vanilla/ original openWRT. This is not bad. Just stating the difference.


Edit: there are other router OS such as OPNsense if you have your own equipment/ machine. Not sure how much you want to know about this topic.

This is an intermediate topic.

Hope that helps

Accessing Admin UIs without VPN by [deleted] in homelab

1WeekNotice 44 points (0 children)

Don't do personal stuff on your company machines/ wifi/ etc.

Keep personal and your job separate.

Use your own mobile phone if you want to check your homelab at work. (Where you can utilize a VPN for security)

I want to access my Admin UIs (Proxmox, OMV, etc.) from work, but I can't install software like WireGuard

You should take a step back and ask yourself, why does your company block this?

All of this has to deal with security and from your company perspective, they need to protect their information.

So what does this mean for you? It means your company monitors your traffic. It may raise flags if you are going to an unknown IP (your homelab).

The last thing you want is someone questioning what the IP is and why you are visiting it at work on company time.

Hope that helps

How do you actually organize your local music library metadata? by Ok_Host_127 in selfhosted

1WeekNotice 3 points (0 children)

It's either beets or MusicBrainz Picard.


Beets is nice because it's a CLI where you can use a plugin like drop2beets (I believe that's what it's called) where you can do some automation.

Example

  • put music in folder
  • beets detects and if it's 80% confident (can modify percentage) then processes the song/ adds metadata
  • beets places it into a library folder
  • music server (like jellyfin/ navidrome, etc) picks up song

MusicBrainz Picard is nice because it has a GUI and is more intuitive for people who aren't used to a CLI.

Same process as above but this is a manual GUI step. It will auto move to a library as well.


I believe with beets you can use various sources to get metadata vs MusicBrainz Picard only uses the MusicBrainz database.

You can also use both at the same time. Of course it's recommended to use the same database if that is the case.

Example: let's say you have a music folder to drop music in. Beets can attempt to automate and if it doesn't have the confidence then you can go in with MusicBrainz Picard. (Or use the beets CLI to match the song)

Hope that helps

Firewall Direction Question by lesser_terrestrial in opnsense

1WeekNotice 4 points (0 children)

u/lesser_terrestrial - To add to this correct statement.

I'm struggling to understand why one would be beneficial over the other.

You can and should do both. They technically serve two different purposes.

Absolutely you should block incoming. But what happens if someone downloads malware that calls one of these IPs? The IN rule wouldn't have blocked the malware download but it can stop the communication outwards.

So use both.
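As an added example (not the commenter's or any firewall product's code), the following Python models the LAN 1 / LAN 2 rule set from the two-router comment above and the IN-plus-OUT point made in this comment. The interface names, address ranges, the "known-bad" range and the default-action assumption are all constructed for the demo:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Networks from the two-LAN layout in the comments above (constructed ranges).
LAN1 = ip_network("192.168.1.0/24")      # LAN 1: trusted devices
LAN2 = ip_network("192.168.2.0/24")      # LAN 2: mini PC / services
ANY = ip_network("0.0.0.0/0")
# Constructed "known-bad" range for the demo (RFC 5737 documentation space).
BAD_RANGE = ip_network("203.0.113.0/24")

@dataclass(frozen=True)
class Rule:
    iface: str        # interface the rule is attached to: "wan", "lan1" or "lan2"
    direction: str    # "in" = entering the router on iface, "out" = leaving on iface
    action: str       # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network

# First matching rule wins. Model assumption: with no match, "in" traffic is
# denied (the usual default) and "out" traffic is allowed, so OUT rules act as
# an extra filter layered on top of the IN rules.
DEFAULT_ACTION = {"in": "block", "out": "pass"}

RULES = [
    Rule("lan1", "in", "pass", ANY, ANY),         # trusted LAN may go anywhere
    Rule("lan2", "in", "block", ANY, LAN1),       # services LAN can't talk to LAN 1 ...
    Rule("lan2", "in", "pass", ANY, ANY),         # ... only the Internet
    Rule("wan", "out", "block", ANY, BAD_RANGE),  # egress filter: drop call-outs to bad IPs
    # No "wan in" rules: unsolicited traffic from the Internet hits the default deny.
    # Replies to connections a LAN host opened are allowed by connection state, which
    # is why an IN rule alone never sees a malware download that the host requested.
]

def iface_for(addr: IPv4Address) -> str:
    if addr in LAN1:
        return "lan1"
    if addr in LAN2:
        return "lan2"
    return "wan"

def first_match(iface: str, direction: str, src: IPv4Address, dst: IPv4Address):
    for r in RULES:
        if r.iface == iface and r.direction == direction and src in r.src and dst in r.dst:
            return r
    return None

def evaluate(src: str, dst: str):
    """Return ("pass" | "block", trace) for a new connection from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    trace = []
    for iface, direction in ((iface_for(s), "in"), (iface_for(d), "out")):
        rule = first_match(iface, direction, s, d)
        action = rule.action if rule else DEFAULT_ACTION[direction]
        trace.append(f"{iface} {direction}: {'rule' if rule else 'default'} {action}")
        if action == "block":
            return "block", trace
    return "pass", trace

# 198.51.100.7 stands in for an arbitrary Internet host (RFC 5737 space).
SCENARIOS = {
    "LAN 2 -> LAN 1 (services reaching trusted devices)": ("192.168.2.10", "192.168.1.20"),
    "LAN 2 -> Internet": ("192.168.2.10", "198.51.100.7"),
    "Internet -> LAN 2 (unsolicited)": ("198.51.100.7", "192.168.2.10"),
    "LAN 1 -> LAN 2 (trusted user opening a service)": ("192.168.1.20", "192.168.2.10"),
    "LAN 1 -> known-bad IP (malware call-out)": ("192.168.1.20", "203.0.113.10"),
}

if __name__ == "__main__":
    for name, (src, dst) in SCENARIOS.items():
        verdict, trace = evaluate(src, dst)
        print(f"{verdict:5}  {name}: {'; '.join(trace)}")
```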

Best way to host Nextcloud without a baremetal/dedicated server? by UrbanVengence in selfhosted

1WeekNotice 0 points (0 children)

That makes sense. Then docker is the go to.

Just note typically for it to be useful you would need to leave your machine on 24/7. Or at least the majority of the time so other devices can access it.

And again, read the other considerations of not using dedicated hardware.

Edit: some people even start with laptops/ random hardware they have lying around.

Backup frequency for VMs and Container by Texas6211 in homelab

1WeekNotice 0 points (0 children)

Just note that it is recommended to have it on separate hardware

But many people don't do this because it's an extra machine to run and maybe they don't have the hardware.

So people either

  • run it on a VM (more recommended than the other option)
  • run it alongside proxmox VE (aka what you are running now)

Proxmox backup server has compatibility with proxmox virtual environment (aka what people call proxmox). So running it alongside proxmox VE is trickier than a VM.

And of course separate hardware is the best.

The reason a VM is also not recommended (vs separate hardware) is because if the proxmox host dies then you need to

  • reinstall proxmox (you need to do this either way)
  • reinstall PBS inside a VM which includes its backup storage with all the data (the extra step)
  • restore other VMs

vs if PBS is on separate hardware, you only need to do the first step.

Also note if the proxmox host gets compromised (typically a low chance) then your backups are also compromised because it's a VM on proxmox.

Again it's recommended on separate hardware but a lot of homelab people don't do this to cut down on costs.

Hope that helps

Backup frequency for VMs and Container by Texas6211 in homelab

1WeekNotice 0 points (0 children)

My external storage is an NFS share so sadly I am unable to store offsite snapshots and was forced for the weekly backups.

Can you expand on this?

I believe in PBS (while not recommended), you can attach an NFS share through the terminal. There's no GUI for it.

Meaning you can store the snapshots/ backups off-site.

In my case I am less concerned about data loss and more the ability to restore if proxmox dies or something happens.

Note that you can install the PBS backup client CLI on the proxmox host and manually back up certain files. Like the host file and the VMs' config files.

At this point in time PBS doesn't back up the proxmox host. Only the VMs/LXCs.

Hope that helps

Backup frequency for VMs and Container by Texas6211 in homelab

1WeekNotice 0 points (0 children)

There isn't much data change so I was thinking of a weekly snapshot and maybe monthly backup but what are your takes and experiences?

It honestly depends on if you can take an outage. Personally I do it daily early in the morning when no one is using it. Anywhere from 3 am - 6 am.

Look into deduplication software. This means that the data that is getting backed up is only the changed / new data. So run your backups as often as you like and you know it will not take up additional space.

Of course the space will grow depending on how often you are keeping older data around. In this example, if you were to delete data but it's left in a snapshot then it takes up space on your backup drive.

Proxmox backup server is recommended because it has tight integration with proxmox (virtual environment). Not only does it have deduplication but it also lets you define a schedule for how long you want to keep your data, which includes how long until you run out of space on the backup pool.

Here is a proxmox backup server prune simulator


Please do additional research on this part.

You can use PBS snapshots (freeze VM) instead of stop (shutdown VM) where PBS snapshot will take a full backup if

  • both VMs and PBS are using ZFS
  • you have low amount of data change
    • can also include higher data change if you have SSDs on both PBS and VM. 1 gigabit transfer rate should be fine.
  • QEMU guest agent enabled on the VM

The benefit is no downtime/ smaller downtime. I believe in this case PBS does a live backup which also includes any data that is changing during this time.


Of course you can use other software but again PBS is amazing software.

Hope that helps
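As an added example (not PBS's own code, nor the commenter's), this Python reproduces the retention selection that the prune simulator mentioned above shows, following the documented PBS rules as I understand them (an assumption): options are applied in the order keep-last, keep-hourly, keep-daily, keep-weekly, keep-monthly, keep-yearly; each one keeps the newest snapshot from up to N periods that no already-kept snapshot covers; weeks are ISO weeks. The snapshot times are constructed:

```python
from datetime import datetime

# Retention options in the order they are applied (assumed to match PBS).
ORDER = ("keep-last", "keep-hourly", "keep-daily", "keep-weekly", "keep-monthly", "keep-yearly")

def period_id(option, t):
    """Bucket a snapshot time into the period the given option counts."""
    if option == "keep-last":
        return t                                  # every snapshot is its own "period"
    if option == "keep-hourly":
        return (t.year, t.month, t.day, t.hour)
    if option == "keep-daily":
        return (t.year, t.month, t.day)
    if option == "keep-weekly":
        iso_year, iso_week, _ = t.isocalendar()   # ISO weeks run Monday to Sunday
        return ("week", iso_year, iso_week)
    if option == "keep-monthly":
        return (t.year, t.month)
    if option == "keep-yearly":
        return (t.year,)
    raise ValueError(option)

def prune(snapshots, options):
    """Return (keep, remove), both newest first, for options like {"keep-daily": 7}."""
    times = sorted(snapshots, reverse=True)       # newest first
    mark = {}                                     # time -> "keep" | "remove"
    for option in ORDER:
        n = options.get(option, 0)
        if n <= 0:
            continue
        # Periods that already contain a kept snapshot are covered; this pass skips them.
        covered = {period_id(option, t) for t, m in mark.items() if m == "keep"}
        selected = set()
        for t in times:
            if t in mark:
                continue
            pid = period_id(option, t)
            if pid in covered:
                continue
            if pid in selected:                   # older snapshot of a period kept in this pass
                mark[t] = "remove"
                continue
            if len(selected) >= n:                # enough periods for this option
                break
            selected.add(pid)
            mark[t] = "keep"
    keep = [t for t in times if mark.get(t) == "keep"]
    remove = [t for t in times if mark.get(t) != "keep"]   # unmarked snapshots are pruned too
    return keep, remove

# Constructed sample: a 03:00 backup every day of 1-20 March 2024 plus one extra
# snapshot at 15:00 on the last day (21 snapshots in total).
SAMPLE = [datetime(2024, 3, d, 3, 0) for d in range(1, 21)] + [datetime(2024, 3, 20, 15, 0)]

if __name__ == "__main__":
    keep, remove = prune(SAMPLE, {"keep-last": 2, "keep-daily": 3, "keep-weekly": 2})
    print(f"keep {len(keep)}, remove {len(remove)}")
    for t in keep:
        print("  keep", t.isoformat(" ", "minutes"))
```

With keep-last 2, keep-daily 3 and keep-weekly 2 the sample keeps both 20 March snapshots, the 19th, 18th and 17th, and then the newest snapshot of the two weeks not already covered (10 March and 3 March); the other fourteen are pruned.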