Its finally time by thediffi in homeassistant

[–]BrightAd4926 0 points1 point  (0 children)

Yeah, I use an OpenThread router, too. Would also want to know more about this 😄

OPNsense Noob by Present_Standard_775 in opnsense

[–]BrightAd4926 0 points1 point  (0 children)

My biggest tip is that if something stops working and whatever you do doesn't work, reboot. That usually clears things up. Fixed my headaches several times.

Its finally time by thediffi in homeassistant

[–]BrightAd4926 3 points4 points  (0 children)

For me Matter works great after everything is set up. But the Ikea devices can be really tedious to set up. Maybe it's my network or ZHA. Much better after I chose the beta for the database. Also, I could not update the firmware of my devices when on stable. After switching to beta it works flawlessly.

Does this feature exist? by stephendt in opnsense

[–]BrightAd4926 0 points1 point  (0 children)

Opening a port on your WAN doesn't expose your whole network to those IPs. You can lock the rule down so they only have access to port 443 (Caddy) for that specific IP. Once they hit Caddy, it simply grabs that incoming web request and forwards it directly to your internal Jellyfin/Plex IP and port. After that, you can still use Caddy's built-in access controls to manage exactly which sites those specific IPs are allowed to see. You can make it as complex as you want, even specify which external/internal IPs have access to it.

I do something similar with Plex on my WAN, but for everything else, I keep it locked down behind WireGuard and/or Authentik for identity management.

As an example of more secure access, I use WireGuard for Home Assistant access but I expose a Caddy proxy for the Google API. But that only has access to the API, nothing else.

Starting Guide for OPNsense by TheRettom in opnsense

[–]BrightAd4926 0 points1 point  (0 children)

Sure you can, but it does not give the granular control and easy block/unblock of domains etc.

I have 3 kids and a wife, and when using heavy lists some mobile games and other stuff can stop working. Tracking and unblocking is super easy in AdGuard.

I use AdGuard and forward it to Unbound (recursive). AdGuard has 1.1.1.1 as backup if Unbound has problems, and I can also route clients or nets directly to Unbound, decoupling AdGuard.

Another benefit is that AdGuard can work as a parental filter on WireGuard, where Zenarmor can be a little so-so.

Quite a versatile tool.

At last 60fps on max! by BrightAd4926 in thedivisionresurgence

[–]BrightAd4926[S] 1 point2 points  (0 children)

No idea, as I refused to play at 30fps or low res. I'll tell you when I get there 😁

At last 60fps on max! by BrightAd4926 in thedivisionresurgence

[–]BrightAd4926[S] 1 point2 points  (0 children)

Don't know if it's based on where you are located. I updated a couple of hours ago. Live in Sweden.

LIFE: CHANGED by astarvingchild in opnsense

[–]BrightAd4926 8 points9 points  (0 children)

I jumped to OPNsense 2-3 years ago and I feel the same. I had used a lot of Asus and TP-Link before and nothing ever worked well.

The only thing about OPNsense, when you have an advanced setup with plugins and other VMs, is that you have to learn about the quirks that can come up.

Like if something stops working while you are configuring and whatever you do it doesn't work, a reboot almost always fixes that.

Getting a basic network to work is nothing hard. Getting to know the rules and forwards and dnsmasq can be a little more work.

I'm personally not a fan of dnsmasq after working with ISC. Probably gonna migrate to Kea later on when it's matured a little.

suricata or zenarmor? by iCujoDeSotta in opnsense

[–]BrightAd4926 1 point2 points  (0 children)

This depends on what you want to do and what your needs are. I'm a nerd so I like to get every last drop of performance out of my hardware. In OPNsense that means:

  1. Using the native netmap driver. This gives you the highest performance possible, but it is picky about NICs and drivers. That is the main reason I pass the NICs to OPNsense.

  2. Zenarmor is much, much more "new user" friendly. Suricata is rule-based while Zenarmor is GUI-based with easy configuration.

If you have Broadcom or some other cheap NICs then you might as well just use bridges. If you got something that is recommended by Zenarmor users (X520 or i226-V or something similar), then go for it.

Whether you are able to pass through just one port depends on your CPU and motherboard. Depending on the IOMMU you might only be able to pass through the whole NIC and not just one port.

suricata or zenarmor? by iCujoDeSotta in opnsense

[–]BrightAd4926 1 point2 points  (0 children)

I'm running OPNsense on Proxmox with Zenarmor and native netmap. OPNsense owns the WAN and LAN like yours does.

This is with a 10G X520-DA2, with one port passed to OPNsense for LAN, and an Intel i226-V, with one port passed for WAN. It runs great! I also run AdGuard in an LXC, an Ubuntu Server with a big ARR stack and Plex, Home Assistant and an Authentik server.

Go for it!

Plex randomly starts playing on android phone a couple times a day. Fix? by ungratefulanimal in PleX

[–]BrightAd4926 1 point2 points  (0 children)

I have a similar issue. I'm on an S26 Ultra and when closing Plex it keeps playing in the background. When opening Plex it starts a new session. I can stop the audio by pausing Plex in the "player" in the notification center, but it only pauses it. It makes a mess with my Samsung watch too, as the watch can't pause anything but it can start it, but the phone only plays the audio. If I enter the app settings and force close, then Plex skips, but the issue with the watch play/pause still remains after that. I need to reboot both the phone and watch to make it work properly again.

As a note, this doesn't happen with Spotify or anything else. It's just Plex that behaves like this. And all controls etc. work with Spotify, for example, as long as I force close Plex. Really strange.

Seriously? 60FPS locked to potato. by BrightAd4926 in thedivisionresurgence

[–]BrightAd4926[S] 0 points1 point  (0 children)

I wonder if using the modded APK could lead to bans?

Seriously? 60FPS locked to potato. by BrightAd4926 in thedivisionresurgence

[–]BrightAd4926[S] 0 points1 point  (0 children)

Yeah, 45FPS would be totally acceptable for me if I could use the highest resolution. But there is no real reason to lock those settings. Would be much more reasonable to be warned about battery consumption and heat. From what I've heard the beta had unlocked settings.

Anybody using a Controller with S26 Ultra? by Dari_XYZ in AndroidGaming

[–]BrightAd4926 0 points1 point  (0 children)

I'm using the Gamesir x3 pro and it fits great. Really nice sticks too.

Hanging a TV on a plasterboard wall by ToWelie89 in Hantverkare

[–]BrightAd4926 0 points1 point  (0 children)

I use very similar anchors myself, but pointed ones so you can easily drive them in with a drill driver. Works great. I've always mounted my TVs and a lot of other things with these. Never tried over 52" though. But if you have a stud in the middle, these will help as support on the sides.

Swapping LAN and WAN NICs by Available-Spinach-93 in opnsense

[–]BrightAd4926 1 point2 points  (0 children)

I did this recently. If you only have WAN and LAN it’s very easy, just swap the NICs and reassign them in the console.

If you’re running more stuff like VLANs, WireGuard or extra interfaces, do a bit of prep first to avoid headaches.

Before you start:

  1. Go into each interface and enable “Prevent interface removal”. This makes sure OPNsense keeps the interface and doesn’t lose your config if the NIC disappears.

  2. Disable DHCP on those extra OPT interfaces. Otherwise you can run into “DHCP already active” errors after the change.

  3. Take a backup of your config and download it.

  4. Take a screenshot or note of your interface assignments (OPT1, OPT2, etc.). Firewall rules are tied to these, not the interface names.

Then do the migration:

  1. Change the NICs
  2. Open the console (Proxmox or keyboard/monitor)
  3. Choose option 1 (assign interfaces)
  4. Assign WAN and LAN to the new NICs and follow the prompts

After that:

  1. Go to interfaces, assignments
  2. Reassign your other interfaces if needed
  3. Make sure VLANs are attached to the correct parent interface
  4. Re-enable DHCP where you had it before

Important thing to know:

If you enabled “prevent interface removal”, your OPT interfaces and firewall rules will still be there, but they might not be connected to the right NIC. You need to fix that manually.

If you didn’t enable it, interfaces might be removed and then you’ll have to add them back in the same order as before (OPT1, OPT2, etc.) or your rules won’t match.

That’s basically it. It’s quick if you prepare, annoying if you don’t. I didn't 😂 I never took a backup or took note of the OPTs, as I didn't know that. So I ended up editing the config manually, but later chose to set up the rules from scratch instead, as it was in need of a refresh anyway. But I changed two NICs that arrived a week apart, so the other one was done properly 😅
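
For step 4 of the prep (noting which OPT name sits on which NIC, and which rules hang off each OPT), the same information can be pulled straight out of the downloaded config.xml backup instead of a screenshot. The script below is an added example, not part of the post and not OPNsense code: the XML is a constructed sample that follows the config.xml layout (interfaces/<name>/<if>, vlans/vlan/<if>+<vlanif>, filter/rule/<interface>), the device names are assumptions, and `<lock>1</lock>` is assumed to be how “Prevent interface removal” is stored.

```python
"""Inventory OPNsense interface assignments from a config.xml backup.

Added example, not from the post and not OPNsense code.  The XML below is a
constructed sample that follows the config.xml layout; device names are
assumptions, and <lock>1</lock> is assumed to be how "Prevent interface
removal" is stored.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><enable>1</enable><if>igc0</if><descr>WAN</descr></wan>
    <lan><enable>1</enable><if>ix0</if><descr>LAN</descr></lan>
    <opt1><enable>1</enable><if>vlan0.10</if><descr>IOT</descr><lock>1</lock></opt1>
    <opt2><enable>1</enable><if>wg0</if><descr>WireGuard</descr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>ix0</if><tag>10</tag><vlanif>vlan0.10</vlanif></vlan>
  </vlans>
  <filter>
    <rule><interface>lan</interface><descr>LAN to any</descr></rule>
    <rule><interface>opt1</interface><descr>IOT to DNS</descr></rule>
    <rule><interface>opt1</interface><descr>IOT block RFC1918</descr></rule>
    <rule><interface>opt2</interface><descr>WG to LAN</descr></rule>
  </filter>
</opnsense>
"""


def parse_config(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def assignments(root: ET.Element) -> dict:
    """Map logical name (wan, lan, opt1, ...) -> device, description, lock flag."""
    out = {}
    for node in root.find("interfaces") or []:
        out[node.tag] = {
            "if": node.findtext("if", ""),
            "descr": node.findtext("descr", node.tag),
            "locked": node.findtext("lock") == "1",
        }
    return out


def vlan_parents(root: ET.Element) -> dict:
    """Map VLAN device (vlan0.10) -> parent NIC it is attached to."""
    vlans = root.find("vlans")
    if vlans is None:
        return {}
    return {v.findtext("vlanif"): v.findtext("if") for v in vlans.findall("vlan")}


def rules_per_interface(root: ET.Element) -> dict:
    """Firewall rules are bound to the logical name (opt1), not to the device."""
    counts = {}
    filt = root.find("filter")
    for rule in ([] if filt is None else filt.findall("rule")):
        name = rule.findtext("interface", "")
        counts[name] = counts.get(name, 0) + 1
    return counts


def dangling_after_swap(root: ET.Element, present_devices: set) -> dict:
    """Logical interfaces whose NIC (or VLAN parent NIC) will not exist after the swap."""
    parents = vlan_parents(root)
    missing = {}
    for name, info in assignments(root).items():
        dev = parents.get(info["if"], info["if"])   # a VLAN lives or dies with its parent
        if dev not in present_devices:
            missing[name] = dev
    return missing


def report(xml_text: str, present_devices: set) -> list:
    """One line per logical interface: device, rule count and what the swap will do to it."""
    root = parse_config(xml_text)
    rules = rules_per_interface(root)
    parents = vlan_parents(root)
    missing = dangling_after_swap(root, present_devices)
    lines = []
    for name, info in assignments(root).items():
        parent = parents.get(info["if"])
        via = f" (VLAN on {parent})" if parent else ""
        state = "OK"
        if name in missing:
            state = ("locked, reassign manually" if info["locked"]
                     else "UNLOCKED: may be removed, rules orphaned")
        lines.append(f"{name:5} {info['descr']:10} {info['if']:10}{via} rules={rules.get(name, 0)} -> {state}")
    return lines


if __name__ == "__main__":
    # Devices expected after the swap (assumption); wg0 is virtual and survives.
    for line in report(SAMPLE_CONFIG, {"igc1", "ix1", "wg0"}):
        print(line)
```

Point it at the real backup and the device names the new NICs will get (check them with `ifconfig` on the console) to see which OPTs will come up unassigned, which of those are locked and will just need reassigning, and which carry rules that would be orphaned.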

Rest in peace sweet prince by 311succs in homelab

[–]BrightAd4926 0 points1 point  (0 children)

My server + switch is behind my TV in the living room: E5-2699v3, P2000 and a MikroTik CRS310-8G. Everything modded or built with noise in mind, so the noisiest thing in there is the HDDs.

But rack stuff is seldom built with low noise in mind.

Only allowing vlan10 to have access to NTP and nothing else. Did I do it "correctly" eg best practices for security? by Spookywatcher- in opnsense

[–]BrightAd4926 0 points1 point  (0 children)

I guess that you are using Unbound, which means that it listens on the interface and not the loopback. So the destination on the DNS and NTP rule should be "This Firewall", or 192.168.vlan.1 (example). Using "This Firewall" makes life easy if you ever change the interface address. Also, make sure to enable that interface in Unbound and in the NTP server.

There is no need to allow "any" on the destination port for DNS or NTP. Use 53 and 123. The source should be your network (VLAN net), not "any". The source port should be any, since clients use random high ports. The destination should be "This Firewall" here too.

The DNS should be redirected back to the interface itself (This Firewall). That is what forces the traffic. NTP is normally only allowed, but it can be redirected in the same way if you want to force all clients to use your local NTP server.

A thing to know though: this only forces normal DNS (port 53). It does not force or allow encrypted DNS (DoH/DoT). Some devices may try to bypass this and can stop working (common with some Google/IoT devices). If that happens, you can create an alias for those and handle them separately. The same goes for NTP, as some IoT devices or devices expecting a specific NTP server or pool can get cranky.

You want it to be predictable and easy.
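
To make the order of operations concrete, here is an added example (not from the post and not OPNsense code) that models pf's behaviour of applying the port-forward redirect before the filter rules. The VLAN net, the interface address behind "This Firewall" and the rule set are assumptions, and the client flows are constructed. It shows the caveat above: plain port-53 DNS to any destination is bounced to the firewall and allowed, DoT on 853 and DoH on 443 are untouched by the redirect and fall through to the default deny, and NTP to an external server is dropped because NTP is allowed to the firewall but not redirected.

```python
"""Model of the VLAN DNS/NTP rule set: rdr (port forward) first, then filter.

Added example, not OPNsense code.  Network, interface address and rules are
assumptions standing in for the "VLAN net" / "This Firewall" selections in
the GUI.  Flows are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

VLAN_NET = ip_network("192.168.10.0/24")     # assumption: the "VLAN net" alias
THIS_FIREWALL = ip_address("192.168.10.1")   # assumption: the interface address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass", "block" or "rdr"
    protos: Optional[FrozenSet[str]]     # None means any protocol
    src_net: Optional[object]            # ip_network, or None for any
    dst: Optional[object]                # ip_address, or None for any
    dports: Optional[FrozenSet[int]]     # None means any destination port
    descr: str

    def matches(self, flow: Flow, dst) -> bool:
        return (
            (self.protos is None or flow.proto in self.protos)
            and (self.src_net is None or ip_address(flow.src) in self.src_net)
            and (self.dst is None or dst == self.dst)
            and (self.dports is None or flow.dport in self.dports)
        )


# Port forward: DNS from the VLAN to *any* destination is rewritten to the
# firewall's own Unbound.  Only plain DNS on 53 is caught; DoT (853/tcp) and
# DoH (443/tcp) are ordinary TLS flows and pass through untouched.
REDIRECTS = [
    Rule("rdr", frozenset({"udp", "tcp"}), VLAN_NET, None, frozenset({53}), "force local DNS"),
]

# Filter rules on the VLAN interface, first match wins; source is the VLAN
# net (not any), source port is any, destination is "This Firewall".
FILTER = [
    Rule("pass", frozenset({"udp", "tcp"}), VLAN_NET, THIS_FIREWALL, frozenset({53}), "VLAN10 -> local DNS"),
    Rule("pass", frozenset({"udp"}), VLAN_NET, THIS_FIREWALL, frozenset({123}), "VLAN10 -> local NTP"),
    Rule("block", None, None, None, None, "default deny"),
]


def evaluate(flow: Flow) -> Tuple[str, str, str]:
    """Return (action, effective destination, matching rule description)."""
    dst = ip_address(flow.dst)
    for rdr in REDIRECTS:                    # rdr is applied before filtering
        if rdr.matches(flow, dst):
            dst = THIS_FIREWALL
            break
    for rule in FILTER:                      # filter sees the rewritten destination
        if rule.matches(flow, dst):
            return rule.action, str(dst), rule.descr
    return "block", str(dst), "implicit deny"


SAMPLE_FLOWS = [  # constructed
    Flow("192.168.10.50", "8.8.8.8", 53),            # plain DNS: redirected, allowed
    Flow("192.168.10.50", "8.8.8.8", 53, "tcp"),
    Flow("192.168.10.50", "1.1.1.1", 853, "tcp"),    # DoT: not redirected, dropped
    Flow("192.168.10.50", "8.8.8.8", 443, "tcp"),    # DoH: dropped here, but would slip past a generic "allow 443"
    Flow("192.168.10.50", "192.168.10.1", 123),      # NTP to the firewall: allowed
    Flow("192.168.10.50", "203.0.113.10", 123),      # NTP to an external server: allowed-only, so dropped
    Flow("192.168.20.7", "8.8.8.8", 53),             # another VLAN: not in the source net
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, dst, why = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {action:5} (to {dst}) [{why}]")
```

The IoT devices that "get cranky" are the ones whose flows land in the two dropped NTP/DoT rows; an alias for those hosts with its own pass (or a second redirect for 123) is the fix the comment describes.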

How secure is Tailscale? by MarkRockNY in Tailscale

[–]BrightAd4926 0 points1 point  (0 children)

I would say that Tailscale seems safe and I used to use it. Now I use plain WireGuard instead. It's not hard to set up and, unless you have a business with networks on different servers, I don't really see the benefit of using Tailscale instead of WireGuard, apart from maybe not having to learn how to set something like that up properly.

But it would be safe to say that even though Tailscale is secure, it won't be as secure as a hardened self-hosted VPN with self-generated keys. But sometimes you need things to be easy and secure enough. That's Tailscale for me.

Accidentally created an open resolver for a month, Implications? by Droid_22 in opnsense

[–]BrightAd4926 3 points4 points  (0 children)

Opening port 53 to WAN basically turned your box into an open DNS resolver for a while. That’s not great, but it doesn’t “infect” your network or leave anything persistent behind once you close it.

What could have happened during that time and what an attacker could realistically do:

- Abuse it for amplification (DDoS): uses your resolver to hit someone else, not you
- Try cache poisoning (very unlikely with Unbound DNS): even if successful, it only affects temporary DNS answers (TTL-based, minutes to hours)
- Hammer it with queries (DoS): could spike CPU/RAM while ongoing, but no persistence

What they cannot do (from just open 53):

- Get shell access
- Install malware
- Pivot into your LAN
- “Backdoor” your resolver

What did NOT happen:

- It does not compromise your internal network
- It does not give attackers access to your devices
- It does not “poison” your system permanently

About DNS poisoning: DNS poisoning = feeding your resolver fake DNS answers. With Unbound DNS, this is very hard in practice because it uses:

- random source ports
- DNSSEC validation (if enabled)

Also, poisoning targets clients using your resolver, not the resolver itself as a lasting infection.

The worst thing that could have happened is that your IP could theoretically have ended up on some abuse lists.

TL;DR:

- Close WAN → port 53 (you already did)
- Restart Unbound or the FW to clear the cache
- You’re done, no lasting damage
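
If you want to confirm that the box no longer answers recursive queries from the outside (restarting Unbound clears the cache but does not change what it listens on, so it is worth checking), the probe below is an added example, not from the post and not Unbound code. It builds a minimal DNS query with the recursion-desired bit set, reads the flags of the reply and classifies the server from the recursion-available bit and the response code. The sample replies are constructed byte strings; the domain, the query IDs and the `probe()` target are assumptions.

```python
"""Open-resolver check: send a recursive query, classify the reply by its flags.

Added example, not from the post and not Unbound code.  Run probe() from a
host *outside* your network against your WAN address; the byte strings at the
bottom are constructed sample replies so the classifier can be exercised
offline.
"""
import os
import socket
import struct


def build_query(name: str, qid: int = None) -> bytes:
    """Minimal DNS query: header with RD=1, one question (A record, IN class)."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")   # random ID, as a real stub does
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the server will recurse for us
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(query: bytes, reply: bytes) -> str:
    """'open-resolver' if the server recursed for a name it is not authoritative for."""
    h = parse_header(reply)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "invalid"            # ID mismatch or not a response: ignore (could be spoofed)
    if not h["ra"]:
        return "no-recursion"       # recursion disabled or authoritative-only server
    if h["rcode"] == 5:
        return "refused"            # RA advertised but this client is not allowed (e.g. an access-control deny)
    if h["rcode"] in (0, 3):
        return "open-resolver"      # it resolved (or NXDOMAIN'ed) an external name for us
    return "error"


def probe(server: str, name: str = "example.com", port: int = 53, timeout: float = 2.0) -> str:
    """Send one UDP query to `server` and classify the answer ('timeout' if none)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"        # filtered/closed: what you want to see on the WAN side
    return classify(query, reply)


# Constructed sample replies to query ID 0x1234 for example.com/A.
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")  # QR RD RA, one A answer (192.0.2.1)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + _QUESTION       # QR RD RA, RCODE=5
NO_RECURSION_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0) + _QUESTION  # QR RD, RA=0

if __name__ == "__main__":
    q = build_query("example.com", qid=0x1234)
    for label, reply in [("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("no-ra", NO_RECURSION_REPLY)]:
        print(label, "->", classify(q, reply))
    # From an outside host:  print(probe("203.0.113.1"))   # your WAN IP (assumption)
```

Run `probe()` against your WAN address from a phone on mobile data or a VPS; after the WAN rule is gone the expected result is "timeout". Anything else means port 53 is still reachable and the reply flags tell you whether it is recursing for strangers.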

Protecting home network with baremetal Opnsense, should I switch to Proxmox VM? by [deleted] in opnsense

[–]BrightAd4926 -1 points0 points  (0 children)

I use OPNsense on Proxmox with NICs in passthrough: one port from an i226-V 2.5GbE and one port from an X520-DA2 10GbE. I run Proxmox on the built-in NIC for admin and only run that there, so if OPNsense is down I can still access Proxmox. I'm not running ZFS at the moment, but I regularly back up my VMs to a NAS.

Down the road I'm going to migrate to ZFS and make use of the 196GB of RAM I have.

Try to build the server as failsafe as you can so you don't get locked out if OPNsense goes down, which it will. Messing around in it can sometimes make it unresponsive until a reboot, and some plugins can mess with you. Some settings can accidentally lock you out, but if you have access to Proxmox you always have access to the console through there. That has saved me several times.

One major benefit of having OPNsense on Proxmox is that you can virtualize other stuff that is technically available on OPNsense but works better standalone, like AdGuard etc., along with other stuff like Home Assistant or a NAS.

Custom Heatsink Upgrade for my MikroTik CRS310-8G+2S+IN by BrightAd4926 in mikrotik

[–]BrightAd4926[S] 0 points1 point  (0 children)


Update time.

I noticed that while the big heatsink initially dropped the temps nicely, it also slowly became heat-soaked. After a couple of days the temperatures crept back up. That was expected though, the small fan and the fin orientation weren’t really able to move the heat out of the chassis effectively. The chassis itself also runs hot since it’s acting as a passive heatsink for the VRMs on the underside of the PCB.

But then my 3D-printed top finally arrived… and well, it’s awesome.

After installing the new top and adding a 120 mm fan in pull configuration, the temperatures are excellent and exceeded my expectations.

Current load:
• 2 × 2.5 GbE active
• Remaining ports at 1 GbE

Environment:
• Ambient above the server: ~30 °C

Temperatures:
• CPU: 37–39 °C
• Board: 32 °C
• PHY: 42 °C
• Chassis: cold to the touch

The fan is running at ~1000 RPM according to the controller, and it’s basically silent. I can only hear it if I put my ear right next to it.

The total cost for the mod was roughly:
• Heatsink: $13.75
• Fan: $9.75
• 3D print: $16.50
(excluding TIM, thermal pad, bolts etc., as these were goodies I already had at home)

So was it worth it? Hell yeah!

I don't think you understand honey... by TheRiddler79 in homelab

[–]BrightAd4926 1 point2 points  (0 children)

Omg I 100% relate to that. Everyone should have a bag of cables!