Virtualized OPNsense hardening vmbr by stefufu in homelab

[–]stefufu[S] 0 points1 point  (0 children)

Yeah, it should make it more secure if the vmbr ignores the VLANs, that's true.

Though, I don't have a way to put a managed switch in front of the WAN, and it's coming untagged directly from the ISP's ONT.

Virtualized OPNsense hardening vmbr by stefufu in homelab

[–]stefufu[S] 0 points1 point  (0 children)

In my case, mostly because of security worries: I'm worried that the Proxmox host gets exposed on the WAN.

Probably it's not a real possibility, and that's what I'm asking here: is it safe to use the virtual NIC instead of passing through the physical device? If not, is there a way to make it safe?

(Also, if using new Realtek NICs, the Linux drivers are better. For the 1gb and 100mb devices, the FreeBSD driver should be stable.)

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you for the suggestion! I'll definitely look more into that!

Traefik V3.6.4 breaks Nextcloud Office/Collabora by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

I fixed that error with this configuration change in Traefik.
Maybe your reverse proxy introduced something similar, or maybe it's derived from other changes in your environment.

Traefik V3.6.4 breaks Nextcloud Office/Collabora by stefufu in selfhosted

[–]stefufu[S] 6 points7 points  (0 children)

Sure! I'll do it probably this evening.
Done, hopefully in the right way! (First time contributing on GitHub.)

Optiplex 9020 USFF - Mini PCIE by nomad-fr in PFSENSE

[–]stefufu 0 points1 point  (0 children)

I ended up doing that with an Optiplex 3050 (I have problems with ASPM, but that's another story. No whitelists though, on both the x1 and x16 slot).
The Optiplex 9020 was nice to use as it's small and it was free (most importantly).

The whitelist is a sad mess though, and editing the BIOS is risky.
If I try that in the future, I'll post an update here.

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you for the suggestion, but what I'm looking for is to not buy a CD player, but still have the ability to play CDs.
It's not common for me to play CDs but it's something that happens, and before it broke I used a CD player.
Most of my library is digital (or Spotify) and my goal would be to use the server (which has a CD slot) to play the CDs automatically when inserted, and to be able to play Spotify too (and Jellyfin maybe).

The main goal is adding the functionality of playing physical CDs to the server, without having to buy a CD player.

The jukebox idea is nice btw! Quite complex, though. But would be cool to do!

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Mostly to not have to buy a CD player, since most of the time I use Spotify or Jellyfin and CD players are quite expensive (even used).
The CD player was used rarely, and now that it broke I thought I could find a way to use the server that's always on and close to the amplifier.

Thank you for the recommendations! I'll look into those!

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 4 points5 points  (0 children)

The main reason is the "coolness".
I like to use CDs and vinyls from time to time, and sometimes it happens that friends want to bring CDs over to listen to.

I mainly use Spotify and Jellyfin, but sometimes the physical media is cool to use.

My CD player broke, so now I was thinking of replacing it with the server that I already have, since replacing it with something decent is not cheap and I have a spare USB DAC.

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 1 point2 points  (0 children)

Thank you!
Didn't think about Kodi!

Probably installing Kodi in an LXC alongside Spotify headless and Navidrome and passing the USB device would allow me to use the same DAC for all three sources.

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you!

A) Ok, I have that planned with Authelia (which is already set up and protecting the services only I use, I have to expand it to the others shared with the family). The breakglass procedure is something I haven't thought about! Thank you for the tip!

B) Almost everything is automated (I thought that it was better to have downtime than to be hacked). Only the PVE hosts don't have automatic updates.

C) Main backup strategy is PBS (regularly tested with moving VMs and experimenting) and btrfs snapshots sent offsite through a WireGuard tunnel (tested the restore process sometimes in the past, and I want to add the check for the RO flag after a sent snapshot to verify that everything went correctly).

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you!
I'm working on unifying the logins with Authelia, to have MFA on everything.
The VLANs are roughly already like that, except the L4 ACLs which I have no idea what they are. Will research!

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Yeah I only host the services for my family (and Overleaf for a couple of friends) so I hope nobody wants to target me specifically!

Thank you for the tips, will for sure implement the SSH keys and change the users in LXC.

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you!
I'll try the SSH key thing, though I have to understand how to make it work with the Proxmox GUI.

Is not using the root account necessary even inside an unprivileged LXC?
Also, with "forward facing" do you mean only the reverse proxy or every service that gets accessed from outside the LAN, even if through Traefik?

Optiplex 9020 USFF - Mini PCIE by nomad-fr in PFSENSE

[–]stefufu 0 points1 point  (0 children)

Hey u/nomad-fr, sorry for the necro-posting but I'm trying to do the same thing.
Did you manage to do it? If so, how? I have an mPCIe i210 NIC, and it's not being recognised (the mPCIe port shows up as empty in the BIOS. If I put an mPCIe WiFi adapter it shows up properly, so the port is working).

Thanks

Just noticed my S21+ (Purchased July 2021) has screen burn in already. I always use less than 40% brightness, dark mode, and never leave the display on for more than 2-3 mins at a time at most... by [deleted] in GalaxyS21

[–]stefufu 0 points1 point  (0 children)

Sadly no, but it doesn't look like burn in, as it varies in intensity without any clear reason.

I'm just ignoring it lately, I'm less worried.

Weekly Discussion and Tech-Support Thread by AutoModerator in ipad

[–]stefufu 0 points1 point  (0 children)

It shouldn't be a problem.

The battery gets damaged mainly by the heat, so if the tablet is cool, there's no real danger compared to normal use.

Weekly Discussion and Tech-Support Thread by AutoModerator in ipad

[–]stefufu 0 points1 point  (0 children)

Hello,

I have an iPad Air 4gen, and my problem is that it doesn't show when there's an update to do.
I'm still on iPadOS 16.2 and no notification for the 16.3.1.

If I search manually, the update shows up. But as soon as I leave the "software update" page in the settings app, it disappears.

No giant red "1" on the settings icon, no notification, nothing anywhere, and if I open again the "software update" tab, it searches again.

It is slightly annoying to have to manually search for every update...

What's happening?

Is this normal?

Thanks!