They do maintain an x86 build. I haven’t used pfSense but I have used OpnSense so that’s that closest thing I have to compare it to. I think the upside and downside to RouterOS/Mikrotik is the same thing: it allows very granular control over almost everything. Maybe to a fault. It’s probably overkill for most home networks.

Set up a VPS. Create a VPN tunnel from you local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.

I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and setting up a wire guard tunnel between it and my local Mikrotik router.

It will obscure your local WAN IP and give you a static IP but that’s about the only benefit. And you have to be pretty network savvy to configure it correctly.

It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).

Mail servers are the one thing I refuse to self host. Years of managing enterprise email taught me that I don’t need that kind of negativity in my life

Oh, I wouldn’t if I could avoid it. The “fun” of tinkering with IT stuff in my very limited spare time vaporized many years ago. If I could pay for services that did exactly what I wanted, respected my privacy, and valued my business while charging a fair price, I would stop self-hosting tomorrow. But that’s not usually how it works.

Self hosting isn’t super high maintenance once you get everything set up but it still takes up probably 10-12 hours per month on average and I would not mind having that time back.

This is a pretty good summary. In enterprise networking, it’s common to have the ‘DMZ’, the network for servers exposed to the internet, firewalled off from the rest of the system.

If you have a webserver, you would need two sets of ports open, often on two separate firewalls. On the WAN firewall, you would open ports 80/443 pointing to the webserver. On the system firewall, between the DMZ and LAN, you would open specific ports between the webserver and whatever internal resources it needs; a database server for example.

This helps limit the damage if a malicious actor hacks into your webserver by making sure they don’t also have unrestricted access to other parts of your system. It’s called a layered security approach.

However, someone self hosting may not have the expertise or even the hardware to set up their system like this. A VPS for public facing services, as long as it’s configured properly, can be a good alternative. It also helps if you have a dynamic WAN IP address and/or are behind CG-NAT.

Edit: maybe good to mention that securing your local network behind a VPN, even one hosted on your local network, is more secure than allowing public facing services. Yes, it means you still have to open a port. But that’s useless to a malicious actor without the encryption keys. Whereas, if you have a webserver exposed publicly, malicious actors already have some level of access to your system. More than they would if that service didn’t exist anyway. That’s not inherently bad. It comes with the territory when you’re hosting public services. It is more more risky though. And, if the exposed server is compromised, it can potentially open up the rest of your system to compromise as well. Like the original commenter said, it’s about managing risk and different network configurations have different levels of risk.

Interested to see what you come up with. I manage our personal finances along with my wife’s consulting business. I switched to Quicken about a year ago. I don’t regret switching because it’s does the job better than anything else I’ve used. But I’m not 100% satisfied either and if I found a better solution, I would seriously consider it.

If you want a really good, capable firewall that’s easy to configure, go with OpnSense.

If you want granular control and [near] enterprise grade features for a low price, go with Mikrotik.

Windows Hyper-V Server on the host with most of the VM’s split between Ubuntu and Debian. I also have two Windows VM’s that I keep out of necessity.

It’s a song that’s been played so many times the record is starting to get worn out.

Big manufacturer buys software company.

Big manufacturer does not understand software business, software company, or software company’s customers.

Big manufacturer makes a bunch of cost reductions based on incorrect assumptions.

Big shot at big corp customer calls peon (like me) at budget time to ask why we spend so much money on this “VMWare”.

Peon explains that "VMWare is very important software which used to be “Best in Class” but has become “Overpriced, second rate, yada yada…” And suggests we switch to Hyper-V.

Big shot asks (a little suspiciously) if we would save money without any negative impact to operations.

Peon says, “Yes.”

Big shot writes big check to Microsoft.

Other big shot at big manufacturer is stuck trying to figure out where all the customers went; not realizing that big manufacturer pissed all over the peons who actually have to use their [now] shitty software.

Big manufacturer decides the acquisition was a failure, learns nothing from it, and sells the shell of the once popular software company for a fraction of what they paid for it.

deleted by creator

I use Veeam Backup & Recovery Community Edition. If you’re runing VM’s you have to be on VMWare or Hyper-V. You can also use agents on the individual VM/Server. It also requires a pretty hefty Windows host, at least if you want your backups to complete fairly quickly.

Those are understandably downsides for some people. But, Veeam is in a class by itself. It has no serious competitors and as far as ease of use and reliability, it’s top tier.

I’m lazy. I don’t want to spend a bunch of time configuring finicky backups only to find out I needed one and it failed. I honestly wish there were a comparable open source backup system. I have yet to find anything that works as well.

How is your speed and connection quality otherwise? The fact that your work VPN doesn’t stay connected – I’m assuming the client is running on your PC – is odd. That makes me think there may be some issues with signal strength or tower congestion. TMobile also gives home internet a lower priority than cell phone traffic.

Is that a recent change? They did support it (with cgnat) when I had TMobile home internet about a year ago.

I’ve got an old Dell Poweredge tower server with dual 6-Core Xeons, 128 GB Ram, and 21 TB combined Raid 5 storage.

• 10 VM’s
• Veeam Backups
• All behind a Mikrotik RB3011

I run one service per VM because I like being able to nuke the whole thing without bringing down any other services.

You can get some good hardware on eBay if you know what you’re looking at. The HDD and SDD’s cost more than the server. Electricity probably runs about $16/mo.

Biggest problem I’ve got coming up is what I’m going to do for backups once I exceed Veeam community editions 10 VM limit.

Three most important VM’s are Jellyfin (whole family uses every day), Paperless-ngx (I use every day), and Jitsi (kids use to video call Grandma and Grandpa). Most of the other stuff is non-essential.

Encryption and Decryption can be resource intensive processes. Most firewalls typically have a lower throughout for VPN connections than they do for just straight routing because of the extra processing power required for VPN. Based on what little I’ve read, it seems like CPU’s with AES-NI are capable of handling the encryption process more efficiently which probably reduces system load and allows for more throughput.

This only helps in situations where your firewall is either serving or connecting to a VPN. It won’t make any difference if your connecting to a work VPN form your computer. Even if you are hosting a VPN connection from your firewall, AES-NI is probably overkill unless you’re planning to connect a bunch of clients to it at the same time or plan to do something like file transfers at Gigabit speeds.

You’re probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app cant resolve the DoH server IP and therefore won’t be able to use DoH.

NAT TLDR

Your router is, at it’s core, a very advanced traffic cop and NAT – Network Address Translation – is it’s primary function. You have multiple devices on your local network (LAN) that need to communicate with other non-local servers via the WAN (i.e. the internet). Now you have a problem. Your ISP assigns you (usually) a single IP address on their network which is on a different subnet than your LAN. Devices on your local network and devices on the WAN are not aware of one another and cannot communicate with each other directly. So, requests have to be routed to the correct destination via your router.

SRC-NAT

Let’s say you’re trying to pull up a website on your computer. Your computer sends the request to the router. Your router alters the IP packet headers so that the request source address, and therefore the address that the server responds to, is your WAN IP instead of the requesting devices LAN IP. Your router then forwards the packet to the destination server, tracks the connection, and forwards the response back to your computer.

DST-NAT

Let’s say you’re hosting a web service on your home server that you want to make available publicly. You would set up a dst-nat (often called port forwarding) rule in your router/firewall which will tell your router to redirect any requests received at the WAN IP on port 80 or 443 to your home server’s IP address. Unlike SRC-NAT, your router doesn’t replace the source IP address. Just the destination. Your server knows that the requesting device is not on your LAN subnet and will forward the response back to the gateway (your router) which is already tracking the connection and will forward the response back to the requesting device via the WAN.

Routing DNS with DST-NAT

Since DST-NAT is just changing the destination IP address and routing the packet to the new destination, this can be done internally in some situations as well. To redirect DNS requests, you would set up a rule in your router/firewall to grab outbound UDP packets that originated from the LAN, do not originate from your internal dns server, and have a destination of port 53 and redirect/dst-nat them to the IP address of your choice. The new destination can be an internal or external IP address and the requesting device won’t know the request was redirected. OpenWRT’s documentation actually has a section that deals with DNS redirection which you can find here. The DNS redirection part is near the bottom of the page.

That’s correct. I block DoT in my firewall and block known DoH domains in piHole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.

Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.

I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it. I don’t have an OPNSense firewall but I would think it should be able to do that as well.

Personal accounting is a tough one. I recently switched accounting software. There aren’t really any great FOSS options that I’ve found and automatic bank transaction syncing is a major obstacle there. Not to mention, any good accounting software is complex and detail oriented. I ended up switching to Quicken; which is probably not a phrase said often. Quicken Desktop is legacy and their online/mobile offering is lackluster at best. But the desktop suite, “Quicken Classic”, effectively has no competitors and has a feature set far more advanced than any other personal accounting suite.

I’ll admit my situation is probably unique. I manage our personal finances and two businesses and I am incredibly picky. The next logical step would be QuickBooks but I don’t have a payroll and don’t really want to spend that kind of money. I made the switch – somewhat begrudgingly – and after doing lots and lots of research. Overall I don’t regret going with Quicken. I definitely have some complaints and concerns, not the least of which is that it’s closed source and extracting my data would be difficult. If I had the time, I probably would have used Excel w/ Tiller. That gives you the flexibility to do just about anything. But, spending my evenings creating VBA scripts and pivot tables is not my idea of a good time. I really wish there were a better and more comprehensive solution because I would be all over it.