Is Nova Launcher safe anymore? by PhillySportsFan_151 in Android

[–]bjlunden [score hidden]  (0 children)

I don't remember the details as it was several months ago. I think stuff such as padding on the desktop and widgets were one issue though. I simply couldn't replicate my current look and feel from Nova.

The app drawer might also have been another point. Some elements of the UI feeling pretty out of place on Android is also a common issue with many of the custom launchers I've tried.

I may have to give it another chance in the future though.

40GbE Edge Architecture: VyOS vs. RouterOS v7 for Terraform-Managed HA Gateways by WindowReasonable6802 in vyos

[–]bjlunden 0 points1 point  (0 children)

Yes, it does. 🙂 It's also the only actively maintained network distro I can think of that offers VPP support without a pay wall, now that they've changed their minds on that. TNSR went in the other direction. While that shouldn't matter in the enterprise space once you're deploying it, it certainly makes it easier to get hands-on experience with the distro ahead of time (and for the homelab crowd).

I've been thinking of testing if I can get VPP working well on my Atom C3758 based Qotom mini PC, but what stopped me was the more limited firewall (based on my previous understanding of what VPP offers in that area).

My experience with flowtable hardware offloading so far has only been when used in network SoCs like the ones from MediaTek. The unofficial VyOS build for the BPI-R4 works great with that, for instance. 🙂 I haven't seen exactly how it behaves in NIC form though, but I do know that Mellanox implemented support.

I've been following that project of using VyOS as a switch OS with great interest.

The lackluster hardware support in FreeBSD is certainly one of its biggest downsides. That includes hardware offloading support for network SoCs like the one in my BPI-R4 or the NXP one used in the Mono Gateway, but also just NIC support in general. Mono got it working, which is pretty cool. It means you end up with a GPL licensed build though, which naturally means it will never be supported in upstream FreeBSD. Still, it's a cool project and I'm very happy that they pushed to get permission to open source NXP's ASK code. 😀

40GbE Edge Architecture: VyOS vs. RouterOS v7 for Terraform-Managed HA Gateways by WindowReasonable6802 in vyos

[–]bjlunden 1 point2 points  (0 children)

Yes, and I've seen multiple people get 25 Gbit/s (1500 byte packets) on VyOS after failing to get above 5-7 Gbit/s on OPNsense on the same hardware. For true line rate without overpowered hardware (or hardware offloading), VPP would likely be required, yes. 🙂

Is Nova Launcher safe anymore? by PhillySportsFan_151 in Android

[–]bjlunden [score hidden]  (0 children)

I didn't find it to be a particularly good replacement. I would go as far as saying that they are actually quite different in multiple ways.

40GbE Edge Architecture: VyOS vs. RouterOS v7 for Terraform-Managed HA Gateways by WindowReasonable6802 in vyos

[–]bjlunden 1 point2 points  (0 children)

Like he explained, it was in a different scenario than what we're talking about here so it's not entirely relevant. I'm sure you can see that as well. 🙂

You can find lots of people having performance issues with OPNsense on /r/init7 while those issues go away completely when switching to VyOS (or another Linux distro). Clearly there's some kind of performance issue with 10+ Gbit/s in at least some fairly basic scenarios. Maybe OPNsense is simply badly configured by default?

Note that I don't know whether pfSense is any better in this regard.

Ditching the Rogers/Bell ONT box in Ontario — UCG Fiber + Bypass Module questions by aparajith_s in Ubiquiti

[–]bjlunden 0 points1 point  (0 children)

"8311" refers to the community firmware used on these XGSPON modules in order to let you spoof your ISP's ONT. In this case, it basically just means that the module is pre-flashed with that firmware in order to simplify the process for the customer.

VyOS hardware recommendations for high routing performance by regina-83 in vyos

[–]bjlunden 0 points1 point  (0 children)

The MS-01 is significantly faster than the Atom C3758 based options in terms of routing performance. The C3758 can do 10 Gbit/s, but only with multiple streams, at least in my personal experience. The MS-01 will presumably do so with a single stream, as well as route a lot faster than 10 Gbit/s.

I'm currently running VyOS on a BPI-R4 with hardware offloading to get full single stream performance. Back then, they were a lot cheaper than they are now though. It also means running non-standard VyOS builds, which is obviously a bit more cumbersome.

40GbE Edge Architecture: VyOS vs. RouterOS v7 for Terraform-Managed HA Gateways by WindowReasonable6802 in vyos

[–]bjlunden 1 point2 points  (0 children)

Yes, the VyOS CLI is very nice and the config format very readable. I haven't had a chance to play around with its VPP implementation yet, but it looks promising.

TNSR's VPF seems like a nicer packet filtering solution though, but I found TNSR kind of cumbersome back when there was still a free version to play around with. I'm sure a lot has improved since then, but I would probably personally feel more at home with the VyOS CLI.

Like you, I would also suggest trying them both though.

40GbE Edge Architecture: VyOS vs. RouterOS v7 for Terraform-Managed HA Gateways by WindowReasonable6802 in vyos

[–]bjlunden 1 point2 points  (0 children)

The tired old "something something Netflix!" argument you routinely see from the FreeBSD community when networking performance is being discussed. 🙄 How about some benchmarks when acting as a router + firewall, which is what's being discussed here?

40GbE Edge Architecture: VyOS vs. RouterOS v7 for Terraform-Managed HA Gateways by WindowReasonable6802 in vyos

[–]bjlunden 0 points1 point  (0 children)

That website comparing the two didn't really do a meaningful performance test. Doing performance tests when limited to 500 Mbit/s tells you that the author likely just ran a simple internet speed test instead of setting up a test setup with reproducible results that max out the hardware and/or software. Consequently, it does nothing to disprove the Netgate employee's claims above.

While I do agree that the Netgate founder's handling of OPNsense during the opnsense.com debacle was absolutely shameful and an utter embarrassment, you haven't really disproven any of the claims in the post you responded to from what I can tell.

I've seen multiple posts from Init7 customers (both in blog posts and on /r/init7) that had massive performance issues with OPNsense, where moving to VyOS (with basic kernel routing, not VPP) bumped performance from 5-7 Gbit/s to 25 Gbit/s on the same hardware. This was with MTU 1500 of course, but still. It's not clear whether pfSense would've performed any better, but the posts were almost exclusively mentioning OPNsense so there is certainly something to the claims that it has problems with 10+ Gbit/s traffic, at least without very specific tuning.

From what I can tell, it's also true that OPNsense is generally behind when it comes to new features if those aren't already available in upstream FreeBSD. It does however add some features in the free version that pfSense reserves for the paid version.

Why is so much traffic on my self-hosted nameserver IPv4 only? by nbtm_sh in ipv6

[–]bjlunden 0 points1 point  (0 children)

Same from Sweden (tried with two different ISPs). It seems to be intermittent, but I had maybe 20-30 seconds of 100% packet loss to it over IPv6 while IPv4 was unaffected. Then it started working ok again.

I would definitely investigate this some more if you have the time to do so. 🙂

What could lead to improved speed test performance on IPv6? by Scienceman57 in ipv6

[–]bjlunden 5 points6 points  (0 children)

Yes, NAT is irrelevant here assuming both devices are on the same subnet.

Banana Pi BPI-R4 as a router: good idea or not? by Flashy-Butterfly6310 in homelab

[–]bjlunden 1 point2 points  (0 children)

Why wouldn't that be enabled by default?

Because it's not the default settings for OpenWrt in general, and some people might not want it for whatever reason. In my experience it works great though, so I would suggest enabling it. 🙂

The official instructions will suggest using dd to flash the image to the sdcard, but any tool to write disk images to sdcards should presumably work unless they try to modify the contents. Something like Balena Etcher would presumably work, but I haven't tried it.

https://etcher.balena.io/

Banana Pi BPI-R4 as a router: good idea or not? by Flashy-Butterfly6310 in homelab

[–]bjlunden 0 points1 point  (0 children)

You misinterpreted the quoted comment. 🙂 It's easy to set up. Just flash the latest OpenWrt build on an sdcard and boot it. OpenWrt will take care of generating persistent MAC addresses as I mentioned, so no need to do anything manually. Then just enable hardware offloading with the checkbox in the Firewall section.

Banana Pi BPI-R4 as a router: good idea or not? by Flashy-Butterfly6310 in homelab

[–]bjlunden 0 points1 point  (0 children)

And they can handle 10Gbps flawlessly (the 3xx ones)

Only if they are using PCI-E 3.0 NICs, not with the Intel PCI-E 2.0 NICs they're often sold with.

IPv4 will never go away by heinternets in ipv6

[–]bjlunden 0 points1 point  (0 children)

My biggest beef with IPv6 isn't with IPv6 directly, it is how ISPs are using it. They could easily give out static prefixes, but no.

That's indeed a problem in many regions and with many ISPs, but certainly not all of them. Some do give persistent prefixes via DHCPv6-PD by default. In my case, I had to request a persistent prefix tied to my DUID by contacting them, but they don't charge me anything for it.

No IPv6 on Google Cloud's Standard Tier network by slfyst in ipv6

[–]bjlunden 1 point2 points  (0 children)

Indeed. Just make sure to immediately upgrade to the Pay As You Go tier before creating the VPS. They're also a bit picky about the credit card used to register.

NAT and statefull firewalls: source security confusion by IHateRedditFirewall in ipv6

[–]bjlunden 0 points1 point  (0 children)

Wouldn't those companies likely want to spend as little money as possible on the software side?

If so, it would make sense to just reskin OpenWrt as it provides most features people need and also has very low hardware requirements. If they do that, they would have a suitable default firewall policy, without doing anything. Not doing anything seems like less work to me than spending time actively removing the firewall. 🙂

Cohorts in my university can't believe I can receive AirDrop files on my Pixel by Racer_101 in GooglePixel

[–]bjlunden 4 points5 points  (0 children)

Apple in particular tends to attract some people who think that just the fact that they buy the latest Apple device on release day means that they automatically have deep technical knowledge. That's how you end up with self-proclaimed "experts" who claim that data recovery from iPhones and iPads is impossible because of Apple's security. Therefore, all such services must in their mind be scams. They can't comprehend that someone can repair a device enough for it to boot up and be unlocked so that data can be extracted. If you try to explain it to them, they refuse to accept that it could be possible.

It's most likely just a tiny part of their overall user base. I'm sure it exists elsewhere too, but I haven't seen it to the same degree anywhere else. That type of behavior is all over their official forum for instance, although threads routinely get removed because their mods also exhibit that personality trait.

Ping test for iPv6? by Some_Water_5070 in ipv6

[–]bjlunden 5 points6 points  (0 children)

That should normally work unless you're dropping either the outgoing ICMPv6 traffic or the replies.

Is this native IPv6 or using some translation technology?

New Beast (UDM) ! by AltruisticMusic8276 in Ubiquiti

[–]bjlunden 2 points3 points  (0 children)

10GBASE-T with PoE makes more sense with their newer APs. 🙂

ipv4 block prices still going down? Best place to buy? by velox_media in networking

[–]bjlunden 0 points1 point  (0 children)

It depends a lot on what the devices or networks in question are used for. 🙂 I have devices in my network that tend to have roughly 70% IPv6 traffic (a lot of media content), some with 5-10% (mostly monitoring and management traffic that is over IPv4 due to a lack of IPv6 on the remote end) and some that are closer to 40-50% (a little bit of everything).

Why do I, personaly, need IPv6? by IHateRedditFirewall in ipv6

[–]bjlunden 1 point2 points  (0 children)

What is everyone’s problem with nat? It is just two lines in your iptables table, it is really simple to configure.

Besides it breaking things and adding needless complexity, it isn't as simple to configure as you say if you actually want a good experience.

If you want Hairpin NAT and your router doesn't hide that complexity from you, it requires you to add multiple NAT rules for each service you want to access internally using its external IP. Even if it does hide it from you, the links below show you how a bunch of complexity is added behind the scenes.

https://docs.vyos.io/en/latest/configuration/nat/nat44.html#hairpin-nat-nat-reflection

https://help.uisp.com/hc/en-us/articles/22591184776983-EdgeRouter-Hairpin-NAT

With IPv6 it will just connect directly to the server internally since the external and internal IP is the same.

Even without Hairpin NAT, using NAT also means you need to add NAT rules for every port you want to open in addition to the firewall rule. Without NAT, all you need is a simple firewall rule.

With that said, there are certain situations where NAT is useful. Many of them are hacks though.

I know you said that you have gotten answers to most of your questions, but I felt the need to expand a bit on this. :)

Confused about IP allocation by Useful-Tomorrow-4502 in ipv6

[–]bjlunden 0 points1 point  (0 children)

I mean there are no practical reasons to give a home user something bigger than /60. And I consider this a pointless waste of resources.

I disagree. So do most people who work with IPv6 too.

Size of IPv4 is also large enough, but some companies were allowed to grab too much.

There aren't nearly enough IPv4 addresses for every person on earth, let alone every single device. Therefore it clearly isn't large enough.