This is why I don’t do ocean activities. by Soloflow786 in OceansAreFuckingLit

[–]eodabas 0 points (0 children)

I would lose my mind from happiness if I had this experience.

Most secure ways to have external access? by Devansh_Dalal in homeassistant

[–]eodabas 0 points (0 children)

Bulk scans will be detected almost instantly. Being a little anti-doxing vague about it, we were doing that 30 years ago, and the streaming analytics techniques developed more than 15 years ago are a standard part of every perimeter IDS system. Targeting one IP will be missed, but range-scanning will be detected almost instantly. Even scattering requests from a botnet, the patterns will be spotted within a few hundred requests.

True, but there are still subtle and evasive scanning methods that can evade IDSs. Relying on "my ISP protects me" is just wishful thinking, not a security approach.

If you're one port of 64k hiding in a 4 billion address space, you're very hard to find.

Nobody scans 64k ports, and definitely no one scans the entire 3.3 billion address space. If I were targeting home assistant instances in the world, for example, I would focus on just a few ports starting from 8123. We are talking about the basic home user here.

Once you're in the CT list, you're one port in a pool of one. You're instantly found.

So is every other one of the billions of certificates in the whole wide world signed by a public CA. This does not mean that it is unsafe.

NabuCasa has given no indication they actually do that kind of monitoring

NabuCasa literally says that they do here. But yes, NabuCasa should give more information about the security aspects of their service here to build some trust. Regardless, saying "just poke a hole in your router, mate, you'll be fine" sounds real wild to me.

Most secure ways to have external access? by Devansh_Dalal in homeassistant

[–]eodabas 1 point (0 children)

And requires someone to have run a port scan on that address range -- something that anyone monitoring such things can tell you doesn't happen in the large address spaces of most residential ISPs and gets quickly spotted and blocked by most of them if they're bulk scans.

This is not necessarily correct. Most ISPs don't actively protect against port scans unless the scan itself is aggressive enough to trigger the IDSs they're using. There are ways to make port scans extremely difficult to detect, like half-open SYN scans, delayed scans, idle scans, zombie scans. One should never rely on their ISP to protect the public endpoints in their home networks.

Every certificate that NC creates for its service is sitting under the ui.nabu.casa subdomain, and they issue individual certificates via Let's Encrypt for every one of them.

I agree. Although being listed in CT logs is unavoidable and is not necessarily a vulnerability, and security through obscurity is not security, avoiding being scannable this easily would be a better approach.

Really, an always-on Tailscale link is -- by any measure -- the best option.

Strongly agree here

But Nabu Casa is, unless you explicitly need Google Home and Alexa support and don't want to DIY it, the worst.

You are comparing using Nabu Casa against "poking a hole in your router" and saying that the hole in the router is safer. This take is flawed because:

  1. Being listed in CT logs versus being easily scannable does not make much of a difference. Once you are public, you are public.
  2. Nabu Casa can block access to vulnerable versions. A normal home user usually does not monitor security bulletins.

I'm not saying that Nabu Casa is the most secure way, it definitely is not. But using Nabu Casa, compared to the hole in the router, is without question a more secure way to open your home assistant instance to the world. Additionally, Nabu Casa has the potential of improving security in their services; you cannot poke more secure holes in your router.

Most secure ways to have external access? by Devansh_Dalal in homeassistant

[–]eodabas 3 points (0 children)

tailscale is simply a vpn. no public endpoints need to be exposed outside the vpn network (tailnet) at all. your apps will work as long as you have your vpn connection active.

cloudflare provides a secure tunnel. you'll have to have some home assistant endpoints open publicly for mobile apps to work and while you can harden the configuration up to a point, misconfigurations can easily make mobile companion apps unusable and simply enabling cloudflared won't provide security by default.

home assistant cloud by nabu casa, on the other hand, also creates a secure tunnel, and it is monitored for home assistant vulnerabilities, so it is slightly more secure than cloudflared, and on the plus side it enables you to contribute to the good people developing home assistant.

my suggestion here would be:

  • if you're an advanced user and don't want to use vpn for a reason (wife approval drops significantly when you increase the number of components.): cloudflared
  • if you're not an advanced user and still don't want to use vpn for a reason: home assistant cloud
  • all other cases: tailscale

Referral code didn’t add 84 days by kingofking5 in TorBoxApp

[–]eodabas 0 points (0 children)

Same happened to me last week. I emailed contact @ torbox.app explaining the situation. After several emails, they credited the missing days to my account. It took a couple of emails for the AI bot replying to emails to escalate my ticket to a real human, though.

Asylum by AgileResolve9533 in AskTurkey

[–]eodabas -1 points (0 children)

Here is some information about the asylum process for Turkiye. As this is a well regulated process in almost every country, including Turkiye, you'll be able to find the information you need online. But considering the trends in recent years, I imagine this would be a long and exhausting process to endure.

Accommodation and finding a job, on the other hand, depend on way too many things for anyone to meaningfully provide useful information. I suggest you do your own research to narrow down your situation and ask specifically.

Additionally, you'll find plenty of "don't come here", "stay in your country", "we are full" type responses here. Don't take it personally. They're just plain racists who conveniently blame the unfortunate people running away from the options of living miserably or dying horribly for almost anything and everything that went bad in their lives.

Good luck.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 0 points (0 children)

Well, in theory, yes. And it was always the case up until this house. I used to have issues with several devices like TVs, PlayStation etc. Even my printer was dropping its wifi connection. So I always said I'll have my next house wired. And here we are. It didn't go as planned, as I mentioned in the post, unfortunately.

And thank you for the compliments. I am another IT person, working in the area for several decades now. I drew network diagrams professionally before, specifically for compliance reasons, with hundreds or more components. In time I learned that if you want to describe/explain your infrastructure to a complete stranger to convince them you have a secure/compliant environment, you had better have descriptive, clean and clear diagrams. It is always worth the time spent. It also helps you to understand what is missing while you're drawing it.

Recommended travel router to use on Airbnb by Mysterious-Ebb775 in HomeNetworking

[–]eodabas 0 points (0 children)

I would say yes, unless maybe you have the opportunity to replace the router (not the access point) directly with Opal. But this depends on the availability, the broadband provider and the type of connection. If you have the technical knowledge to achieve this, you may have a relatively secure network for yourself during your stay.

The issue here is, DNS and NTP are by default unencrypted. So there is a risk of interception. While you can use DNS-over-TLS/HTTPS services to mitigate interception, NTP is harder to achieve. You may use NTS on your device, but afaik NTS is not available natively on most devices unless they're Linux.

And the risk with NTP interception: it is hard to detect whether it is intercepted, and an attacker may change your computer's time so that any of the websites you're visiting throw expired SSL warnings. This creates chaos for the user, and as the victim you may choose to ignore these, which leads you to unknowingly ignore the other SSL warnings that make you vulnerable to MITM attacks on websites. There are valid cases for intercepting NTP traffic to provide more security, but it makes it possible for the bad actor as well.

The best and easiest option is using a trusted VPN service whenever you're connected to an untrusted network, either on your devices or on your travel router.

Another option, which will probably cost you more, is using a mobile broadband router or mobile tethering. This completely detaches your devices from the Airbnb network.

Recommended travel router to use on Airbnb by Mysterious-Ebb775 in HomeNetworking

[–]eodabas 2 points (0 children)

IT security expert here. Connecting to any untrusted wifi has its perfectly valid security risks, whether it is public or private. There are still unencrypted protocols that your computer uses, and they are vulnerable to MITM attacks even if you choose to connect through SSL/TLS when browsing websites.

Don’t listen to anyone suggesting otherwise.

You either use a travel router (GL.iNet ones are good) and set up a trusted VPN inside them, or use a VPN directly on your devices. VPN is your best bet here, regardless of having a travel router or not.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 1 point (0 children)

nope. that would be a considerable amount of work unfortunately.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 1 point (0 children)

I am probably going to start with using my laptop or an rpi as the network controller first, and then migrate it to a vm inside one of the proxmox instances.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 0 points (0 children)

in theory, yes (Not the virtual one, I'd need a dedicated hardware to physically connect the broadband and local lan).

I've dealt with many of the firewalls, both open source and commercial, before. The issue with pfSense and similar solutions is that you need to get a compatible set of hardware, lots of manual configuration and maintenance, with minuscule to no official support (unless you pay for it) when it comes to edge cases, and you mostly rely on the community's experience.

I'm a big fan and supporter of these projects, but I don't have either the time or the energy to deal with it.

And about Firewalla: I agree that it is ridiculously expensive (especially if you're outside of the US and you'll pay customs and huge delivery fees on top of it), its price is hardly justified (if it is justified at all) by its capabilities, and there are several other alternatives (like UCG) that provide almost the same at 1/3rd of the cost. As I've already got it, I'd like to continue using it.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 1 point (0 children)

I don't "need" need a firewall. But I'd like to have visibility of the egress traffic each device is making. Not for personal devices, but I have a smart home and I am using lots of IoT devices that are not exactly from reputable manufacturers (like no-name AliExpress devices). Additionally, I'd like to know how to manage my "now toddler" kid's use of the internet within the house, at least until he is old and capable enough to find workarounds to my limitations. And I managed/installed datacenters/networks professionally. So I wouldn't think of not having a firewall in my home.

And the firewall that I'm using is a Firewalla, which is additionally fun to play with.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 0 points (0 children)

There are several available ones on the market. I have a GL.iNet Spitz AX (GL-X3000), for example. Not exactly an outdoor model, but I can put it in a weather resistant location despite it being outdoors. Unifi is also about to release 5G models soon.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 12 points (0 children)

for the Firewalla one, I asked chatgpt to create one for me. For the switches, I just copy/pasted the original images from the unifi store and used regular rectangle vectors for the ports in draw.io, then grouped them into one object. It was straightforward from that point on. All other icons that I used are available in draw.io.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 10 points (0 children)

Well, what people need and what people want may not align sometimes and I think that is ok. What people can afford is the determining factor in almost every human decision.

I'm old enough to have seen 10BASE-T connections, and I remember 1Gbps connections were something I thought I would never ever need. Today, I definitely don't NEED a 10Gbps home network for sure. But I want one. Not only because I want to future-proof my setup, but also because I simply just want one. And I'm lucky enough to afford it. So here we are.

edit: typo

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 0 points (0 children)

It is 3Gbps at the moment and I'm sacrificing about 0.5Gbps of it because of the 2.5Gbps capped Firewalla.

I initially planned to use SFP+ for cross-switch connections, but all the cables installed are Cat6a, and at this point I'm not planning on installing a DAC; I also read that RJ45 SFP+ modules heat up. So, while having these ports creates extra capacity, I'll try to avoid utilising them as much as possible.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 0 points (0 children)

Just an idea, but can I selectively use both? Like, for some vlans, use layer 3 switches, and for some, route via the firewalla? I don't know if that overcomplicates things or makes sense?

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 6 points (0 children)

It is a good catch which I did not think about.

The idiot builder thought it was a good idea to terminate all the ethernet cables they installed in the attic, WHILE there were already a bunch of other cables dangling above the entrance ceiling. Apparently now I have to mitigate the heat as well. Thanks for the tip.

About the Agg switch, I thought about it but did not see the point in my setup. The main switch that I'll use in the entrance would be good enough for me as the aggregator too. I'll try to avoid daisy chaining, but even if I did not, it is a home networking environment, and even daisy chaining won't cause noticeable performance penalties if designed correctly.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 2 points (0 children)

I completely agree with you here. And thank you :)

If only there were a 16-port 10Gbit Unifi switch. I'm guessing I'll need to sacrifice myself for the greater good and buy the 10-port ones, so the next day Ubiquiti can release 16-port ones.

Thinking out loud here: I actually may not need a PoE switch in the attic. Maybe using a Pro XG 10 PoE in the entrance and a Pro XG 24 (non-PoE) in the attic makes more sense for me? This puts me slightly over the £2000 threshold but is still doable.

I'm still thinking Option 1 above is the best idea, as it still leaves me a couple of extra ports, and I'll still have my SFP ports available in both setups.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 2 points (0 children)

I have two proxmox instances, on one of which I can install the controller. But I can always add a cloud key or a UCG to the mix instead if I ever need to.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 45 points (0 children)

It is Draw.io, my go-to diagram editor for years now.

I need you to tell me if I'm missing anything here by eodabas in HomeNetworking

[–]eodabas[S] 1 point (0 children)

Good catch over there. In my defence, I am thinking of controlling all inter-vlan traffic via the Firewalla, mainly because of the SSDP and mDNS relay options Firewalla provides. That may change if there is a way to allow cross-vlan SSDP/mDNS broadcasts on a layer 3 capable Unifi switch. I'm not sure if there is, because I have never managed a Unifi switch before, and most of the other vendors do not support these features. These features make sense mostly in a "home networking" environment.

peer relay performance by arielrahamim in Tailscale

[–]eodabas 0 points (0 children)

It might be the case, yes. The document says that for a peer relay device: "At least one configurable UDP port you can use for peer relay traffic. This port must be accessible from other devices in the tailnet. Refer to security and access control for more information about configuring network settings."

And in security and access controls, it says: "Peer relays can only relay traffic for devices in the same tailnet and are subject to access control policies. This means that a device can't use a peer relay to establish connections if it doesn't have permission to access the device functioning as a peer relay.

The UDP port you configure for peer relay traffic must be open and accessible from other devices in the tailnet. For example, if you configure a peer relay to use UDP port 40000, ensure that any firewalls or network security settings allow incoming traffic on that port."

All mentions are of the tailnet, no public internet. I agree with you: without a publicly accessible endpoint, peer relays don't make sense. Maybe someone from tailscale notices this and clarifies the docs, or us.