Wow.
Ok, that sounds like that has evolved over some time!
Yeah, I think the firewall has a hardware issue… it reboots, starts/stops fine under normal conditions, but just sometimes a weird glitch throws it off.
Good point about VRRP, I’ll look into that some more as I think that’s the open, non-Cisco one.
That (2 FWs) was what I was considering initially.
But, looking at some other posts, I’m starting to rethink my design as I only have 1 WAN connection, then I only need 1 FW (maybe). SIM would be rarely used, I’m not sure the overall cost would be worth it
So separating FW from DHCP & DNS might be a better solution.
Not heard of BeeGFS, had a quick look on the Arch wiki… looks quite involved…
But, ok, at least I know that the DHCP part can be dealt with - thanks.
I’ve not looked at Proxmox clusters - can they restart VMs on a different host if they’re all using the same shared storage?
Ah… I was reading this thinking “ah, I’ll have to reply about the battery…”… glad you’re limiting the charging…
But an interesting point… I have a spare OLD Dell laptop kicking around which has various issues, but might be able to do what you’re doing. Thanks
Yep, all good with DHCP vs DNS… just my grammar was terrible.
Nothing was getting an IP from the DHCP, when the wifi returned…and… DNS was also not working for the few devices that still had an IP.
Sorry about the confusion there.
Good points there.
For 1. The ISP router is a Fritz one set to bridge mode running over a PoE adapter from the same UPS the firewall is using. It stayed up all the time (looking back at the logs)
Not sure what happened here, but the firewall is the DNS resolver and when everything else powered back up, nothing got an IP address. Now, whether the service failed or the WAPs took longer to start than the devices could wait, I’m not sure, but as Scotty said: it’s dead Jim.
Good point. I don’t need it ALL to be redundant.
Also good. The UPS is directly connected to the firewall (which has NUT in), but it doesn’t inform anything else… I’ll look into that too.
Nice mental reset for me about over thinking it… thanks
Well, in my case the most crucial single point is the firewall.
The rest isn’t too bad


Nice.
Running different SSIDs too?
I put all my IoT stuff on a dedicated 2.4-only network, VLAN’d it to the (pfSense) firewall which allows the VLAN trunk to be split into separate logical NICs that I apply different policies to, like no access to the internet, etc…
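As an added illustration (not the poster’s own pfSense configuration, which is built in the web UI), here is what that per-VLAN policy looks like written as pf rules. The interface name `igb0.20`, the subnet and the VLAN ID are assumptions for the example; the point is that the tagged VLAN appears to the firewall as its own interface, a default block on that interface denies everything (including internet and other LANs), and only the few services IoT devices need from the firewall itself are passed.

```pf
# Constructed example: IoT VLAN on a pfSense/FreeBSD pf firewall.
# Assumed names: parent NIC igb0, VLAN tag 20, IoT subnet 192.168.20.0/24.
iot_if  = "igb0.20"
iot_net = "192.168.20.0/24"

# Default: nothing arriving on the IoT VLAN is allowed anywhere,
# which covers "no access to the internet" and no access to other VLANs.
block in log on $iot_if all

# DHCP: clients broadcast from port 68 to the firewall's DHCP server on 67.
pass in quick on $iot_if proto udp from any port 68 to any port 67

# DNS and NTP to the firewall's own address on this VLAN only
# (the "( )" form tracks the interface address if it changes).
pass in quick on $iot_if proto { tcp udp } from $iot_net to ($iot_if) port 53
pass in quick on $iot_if proto udp from $iot_net to ($iot_if) port 123
```

Because pf is last-match-wins unless a rule says `quick`, the three `pass ... quick` lines win for exactly that traffic and the leading `block` catches the rest; anything an IoT device really does need (say, one cloud endpoint) gets its own explicit `pass` rather than relaxing the default.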


👆🏻 This is the link everyone needs to look at.
It covers things like keeping your phone active for 2FA, subscriptions that need to be paid until data is saved, etc.
It’s what my SO & I use.
Very thorough
Ah, good old dd
When you have some spare time, take a look at partclone - clonezilla uses it because it only backs up used blocks, not free space, so more efficient.
Interesting.
Yep, I agree there’s 2 types of backups:
Out of curiosity, how are you doing the drive imaging?


Yep, this is what I did too.
I found no-one was using the NC interface and just syncing, so stripped right back.
Stable. Lightweight. Mostly no maintenance (just moving to syncthing-fork)


I think the point here is that no-one uploads / enters a password/phrase/file.
Whatever you enter on the keyboard is hashed and the hash is sent. Depending on the protocol, sometimes it’s time limited so no-one can record the network traffic and resend the data (replay attack)
Files (SSH keys, certificates, etc) are checked against a (usually) asymmetric key exchange algorithm, so they can only compare what’s sent if they have the corresponding key to decrypt the cipher.
The length of the password (or file) is basically meaningless. It’s just how long it’ll take someone to guess it (brute-force), but as the saying goes, you don’t break into a house through the door, you go through Windows… ie the weakest link.
In your concept, the weakest link is the meatware: humans. We need ease of use, so, someone will store that file and it’ll be compromised, so 64b, 128b or 512b doesn’t matter, if they have the file, they’re in.
Now… MFA… Now, that’s more like it.
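The replay point in the post above is easiest to see with a small nonce-based challenge-response exchange. This is an added example, not code from the thread: the server issues a random single-use nonce with a validity window, the client answers with an HMAC of that nonce under a shared secret (the secret itself never crosses the wire), and the server rejects a recorded response that is resent, one that arrives too late, and one keyed with the wrong secret. The shared secret, the 30-second window and the simulated clock values are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed example: nonce-based challenge-response login. The shared
# secret is assumed to have been provisioned out of band on both sides.
SHARED_SECRET = b"constructed-demo-secret"


class AuthServer:
    """Issues one-shot challenges and verifies HMAC responses to them."""

    def __init__(self, secret: bytes, window_seconds: float = 30.0):
        self.secret = secret
        self.window = window_seconds
        self.pending = {}  # nonce -> time issued; entry removed once answered

    def challenge(self, now: float) -> str:
        """Server -> client: a fresh random nonce, remembered with its issue time."""
        nonce = os.urandom(16).hex()
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce: str, response: str, now: float) -> bool:
        """Client -> server: accept only a fresh, unused, correctly keyed response."""
        issued = self.pending.pop(nonce, None)  # pop: a nonce can be answered once
        if issued is None:
            return False  # unknown, or already consumed: a recorded-and-resent login
        if now - issued > self.window:
            return False  # challenge expired
        expected = hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_respond(secret: bytes, nonce: str) -> str:
    """Client side: keyed hash of the nonce; the secret itself is never sent."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Runs a good login, a replay of it, a stale response and a wrong secret."""
    server = AuthServer(SHARED_SECRET)
    results = {}

    nonce = server.challenge(now=1000.0)
    response = client_respond(SHARED_SECRET, nonce)
    results["fresh"] = server.verify(nonce, response, now=1005.0)
    # Someone who captured (nonce, response) on the network resends it later.
    results["replay"] = server.verify(nonce, response, now=1006.0)

    nonce2 = server.challenge(now=2000.0)
    response2 = client_respond(SHARED_SECRET, nonce2)
    results["stale"] = server.verify(nonce2, response2, now=2100.0)  # older than 30 s

    nonce3 = server.challenge(now=3000.0)
    results["wrong_secret"] = server.verify(
        nonce3, client_respond(b"guess", nonce3), now=3001.0
    )
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the security of this exchange: the nonce is popped from the pending set on first use, so the same capture can never be accepted twice regardless of timing, and the comparison uses `hmac.compare_digest` rather than `==` so the server does not leak how many leading bytes of a guess were right.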


At least there’s no Windows…
I have a 7530. (Is yours a typo?)
Yes, those instructions look about right.
My pfSense box has the username & password, so the router really is just being used as a dumb modem (I used to use Draytek modems)…
… but…
The router’s diagnostics will show the DSL details, so you can check if your external connection is ok (ie OSI Layer 1), but it will always think it’s offline.
So once you get your OPNSense setup and working, have a look around the Fritz diagnostics and get comfy with what you can / can’t see, because when there’s a failure you won’t know what is really failed.
Also… write down what you did and how to reverse it, as you (or others) might want to reset it to full router if your OPNSense is down.
The advice above matches mine.
I have a home-built pfSense unit and when parts die (not if), then I just replace them with spares I have already waiting… as that box is now critical for you.
I also have a Fritz in bridge mode with the pfSense doing PPPoE through it, so effectively, the firewall is the first real device on the WAN. Makes things much simpler as the WAN interface has status like packet drops, etc, much easier to diagnose issues.


Wow.
Ok, I don’t have anywhere near that amount of media, but MythTV takes seconds to rescan ~2TB of videos and maybe a minute to get any missing details like fanart, etc.
Similar amount for music - but I feed it the files after I’ve run them through Picard.
I’ve not done a complete rescan of everything for ages, but from memory it’s like an hour absolute tops. More like ~30 mins.
And that’s on an underclocked CPU (for quietness).
With… or without their knowledge? 😉
But yeah, there’s so many wifis around me, I could probably load balance across them all…