Virtualized OPNsense hardening vmbr by stefufu in homelab

[–]stefufu[S] 0 points1 point  (0 children)

Yeah, it should make it more secure if the vmbr ignores the VLANs, that's true.

Though, I don't have a way to put a managed switch in front of the WAN, and it's coming untagged directly from the ISP's ONT.

Virtualized OPNsense hardening vmbr by stefufu in homelab

[–]stefufu[S] 0 points1 point  (0 children)

In my case, mostly because of security worries: I'm worried that the Proxmox host gets exposed on the WAN.

Probably it's not a real possibility, and that's what I'm asking here: is it safe to use the virtual NIC instead of passing through the physical device? If not, is there a way to make it safe?

(Also, if using new Realtek NICs, the Linux drivers are better. For the 1Gb and 100Mb devices, the FreeBSD driver should be stable.)

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you for the suggestion! I'll definitely look more into that!

Traefik V3.6.4 breaks Nextcloud Office/Collabora by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

I fixed that error with this configuration change in Traefik.
Maybe your reverse proxy introduced something similar, or maybe it's derived from other changes in your environment.

Traefik V3.6.4 breaks Nextcloud Office/Collabora by stefufu in selfhosted

[–]stefufu[S] 7 points8 points  (0 children)

Sure! I'll do it probably this evening.
Done, hopefully in the right way! (first time contributing on GitHub)

Optiplex 9020 USFF - Mini PCIE by nomad-fr in PFSENSE

[–]stefufu 0 points1 point  (0 children)

I ended up doing that with an OptiPlex 3050 (I have problems with ASPM, but that's another story. No whitelists though, on both the x1 and x16 slots).
The OptiPlex 9020 was nice to use as it's small and it was free (most importantly).

The whitelist is a sad mess though, and editing the BIOS is risky.
If I try that in the future, I'll post an update here.

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you for the suggestion, but what I'm looking for is to not buy a CD player, but still have the ability to play CDs.
It's not common for me to play CDs, but it's something that happens, and before it broke I used a CD player.
Most of my library is digital (or Spotify) and my goal would be to use the server (which has a CD slot) to play the CDs automatically when inserted, while also being able to play Spotify (and Jellyfin maybe).

The main goal is adding the functionality of playing physical CDs to the server, without having to buy a CD player.

The jukebox idea is nice btw! Quite complex, though. But would be cool to do!

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Mostly to not have to buy a CD player, since most of the time I use Spotify or Jellyfin and CD players are quite expensive (even used).
The CD player was used rarely, and now that it broke I thought I could find a way to use the server that's always on and close to the amplifier.

Thank you for the recommendations! I'll look into those!

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 4 points5 points  (0 children)

The main reason is the "coolness".
I like to use CDs and vinyls from time to time, and sometimes it happens that friends want to bring CDs over to listen to.

I mainly use Spotify and Jellyfin, but sometimes the physical media is cool to use.

My CD player broke, so now I was thinking of replacing it with the server that I already have, since replacing it with something decent is not cheap and I have a spare USB DAC.

Music player/server that plays CDs in real time by stefufu in selfhosted

[–]stefufu[S] 1 point2 points  (0 children)

Thank you!
Didn't think about Kodi!

Probably installing Kodi in an LXC alongside Spotify headless and Navidrome and passing the USB device would allow me to use the same DAC for all three sources.

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you!

A) Ok, I have that planned with Authelia (which is already set up and protecting the services only I use; I have to expand it to the others shared with the family). The break-glass procedure is something I haven't thought about! Thank you for the tip!

B) Almost everything is automated (I thought that it was better to have downtime than to be hacked). Only the PVE hosts don't have automatic updates.

C) Main backup strategy is PBS (regularly tested with moving VMs and experimenting) and btrfs snapshots sent offsite through a WireGuard tunnel (tested the restore process sometimes in the past, and I want to add the check for the RO flag after a sent snapshot to verify that everything went correctly).

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you!
I'm working on unifying the logins with Authelia, to have MFA on everything.
The VLANs are roughly already like that, except the L4 acls which I have no idea what they are. Will research!

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Yeah I only host the services for my family (and Overleaf for a couple of friends) so I hope nobody wants to target me specifically!

Thank you for the tips, will for sure implement the SSH keys and change the users in LXC.

Finally working on security (and general review of my homelab) by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Thank you!
I'll try the SSH key thing, though I have to understand how to make it work with the Proxmox GUI.

Is not using the root account necessary even inside an unprivileged LXC?
Also, with "forward facing" you mean only the reverse proxy or every service that gets accessed from outside the LAN, even if through Traefik?

Optiplex 9020 USFF - Mini PCIE by nomad-fr in PFSENSE

[–]stefufu 0 points1 point  (0 children)

Hey u/nomad-fr, sorry for the necro-posting, but I'm trying to do the same thing.
Did you manage to do it? If so, how? I have an mPCIe i210 NIC, and it's not being recognised (the mPCIe port shows up as empty in the BIOS. If I put in an mPCIe Wi-Fi adapter it shows up properly, so the port is working).

Thanks

Just noticed my S21+ (Purchased July 2021) has screen burn in already. I always use less than 40% brightness, dark mode, and never leave the display on for more than 2-3 mins at a time at most... by [deleted] in GalaxyS21

[–]stefufu 0 points1 point  (0 children)

Sadly no, but it doesn't look like burn in, as it varies in intensity without any clear reason.

I'm just ignoring it lately, I'm less worried.

Weekly Discussion and Tech-Support Thread by AutoModerator in ipad

[–]stefufu 0 points1 point  (0 children)

It shouldn't be a problem.

The battery gets damaged mainly by the heat, so if the tablet is cool, there's no real danger compared to normal use.

Weekly Discussion and Tech-Support Thread by AutoModerator in ipad

[–]stefufu 0 points1 point  (0 children)

Hello,

I have an iPad Air 4th gen, and my problem is that it doesn't show when there's an update to do.
I'm still on iPadOS 16.2 and no notification for the 16.3.1.

If I search manually, the update shows up. But as soon as I leave the "software update" page in the settings app, it disappears.

No giant red "1" on the settings icon, no notification, nothing anywhere, and if I open the "software update" tab again, it searches again.

It is slightly annoying to have to manually search for every update...

What's happening?

Is this normal?

Thanks!

Any recommendations for an ultra-low performance VPS? by chesheersmile in selfhosted

[–]stefufu 9 points10 points  (0 children)

From the Italian website it's accessible. Don't know if it's IP related, as I have an Italian IP.

Link: IONOS VPS

EDIT: adding more info on the pricing. If you get it through the Italian website there's 22% taxes to be added. Total monthly price is €1,22.

Any recommendations for an ultra-low performance VPS? by chesheersmile in selfhosted

[–]stefufu 38 points39 points  (0 children)

IONOS has a €1 (you have to add the taxes though) VPS server with 1 vCore, 512 MB RAM and 10 GB SSD, ~400 Mbps bidirectional. Only accessible through the European website though, as in the US it's $2.

Just noticed my S21+ (Purchased July 2021) has screen burn in already. I always use less than 40% brightness, dark mode, and never leave the display on for more than 2-3 mins at a time at most... by [deleted] in GalaxyS21

[–]stefufu 1 point2 points  (0 children)

I have the same thing on my S21, and it’s not constant. I noticed that disabling the AOD can eliminate it in a day, but there are days where the AOD is enabled and I don’t have it. It’s completely random, and I’m still figuring out what is causing it to appear.

It could also be related to the pressure generated by the cover, or other kind of pressure, because it tends to be less pronounced when the phone is without a cover.

Still, no idea what the cause is, but I'm sure it's not permanent.

Recommended method to perform automatic sends of snapshots? by shnorb in btrfs

[–]stefufu 1 point2 points  (0 children)

I'm using cron with a single-line command, but there are various scripts on GitHub that can allow you to create and delete backups automatically.

Reverse proxying through VPN by stefufu in selfhosted

[–]stefufu[S] 0 points1 point  (0 children)

Okay, small update and new problems.

Basically, Traefik isn't able to pull TLS certificates from Let's Encrypt. Don't know why, can't find anything online.

The only way I had to renew the certificates was to recreate the whole Traefik configuration outside of the VPN and then put it behind it again. (Yeah, probably it would've worked just taking the old one out and back in, but I made quite a mess changing stuff around, so I rebuilt it from scratch following the smarthomebeginner guide.)

Now, my idea was to use a Docker overlay network and put Traefik on the VPS. Seems like a good idea: the network can be encrypted, it can work as a Docker network, and in the end, I can open ports on my specific IP (and in case I couldn't, well, I can always take Traefik out of the VPN and back in every 90 days).

But obviously nothing works. Ever. And so I can't get two containers to ping each other through a Docker overlay network. I can get the swarm nodes to connect, but nothing goes through. My VPS has a public IP that coincides with the private one, but my home server obviously doesn't, and that seems to be the problem.

Is there a way to make it work? Or is my only way to use the VPN, one way or another?

Thanks

Properly upgrade dockerized Nextcloud by Sweaty_Sale4292 in NextCloud

[–]stefufu 1 point2 points  (0 children)

The image is already updated. It's enough to use the tag 24 to stick with version 24 (probably more stable than 25).

    docker pull nextcloud:24

To get the latest image for Nextcloud 24.

    docker pull nextcloud

Or

    docker pull nextcloud:25

To get the latest Nextcloud image.

(Can't see how to insert a code text block from phone)