I’m just this guy, you know?
If you just want each physical interface on your server to participate in a single VLAN, set the corresponding switch port as an access port in the desired VLAN, and then configure each server interface as a normal untagged interface.
You would only do tagged frames (802.1q trunking) if you wanted to support several VLANs on the switch port.
deleted by creator
It’s mainly about managing risk, but also not all ISPs allow residential accounts to host services on their IP addresses.
Opening a port to the internet exposes the service to the whole internet, which means you need to secure the service with strong credentials, set up SSL, manage the certificate, and keep software up to date. You incur a lot of extra work, and also extra risk not only to your self-hosted service, but to any other services you host that “trust” your service.
All that work requires extra knowledge and experience to get right which, let’s just be honest here: we’ve all probably followed that one How-To blog post, and maybe not understood every step along the way to get past that one pesky error.
Running a secure VPN overlay like Tailscale has much less overhead. You generate some keys, and configure your lighthouse server so the enrolled devices can find each other. It effectively extends your LAN environment to trusted hosts wherever they might be without exposing any of the services to the Internet.
Overall, Tailscale is simpler and much less work for individuals to set up and maintain than to secure multiple services against casual or targeted intrusion.
Tailscale also has the benefit of being a “client” in the view of the ISP, who see your IP address reach out to your VPS to initiate the tunnel, and not the other way around. If there’s any CGNAT going on, Tailscale would tunnel through it.
Its not exactly lightweight, but the Netdata integration will get you all of that.
Securing Netdata itself can be a bit of a chore, and then the integration requires creating sensors of interest in your configuration.yaml file. Have a look, it might be an interesting project if you’re up for a challenge.
Curious to hear what others are thinking too.
I appreciate the pun!
For home networks, I agree there’s usually not a need. I do it for portability reasons: I always use 192.168.0.0/24 addresses (192.168.0.0 - 192.168.0.255) for services I’m hosting on prem at home. In general, my home router is a Linux box connected directly to my ISP’s network on one interface and a switch with several VLANs on its other interface, and which has IP forwarding enabled with IP masquerade. I also use IPv6 a fair amount and receive a healthy whack of addresses from my ISP that I delegate out portions of to each VLAN. By my count I have 6 or 8 active VLANs on my home net for the adults, for work, for the kids, for the central services, for isolating untrustworthy IOT doodads, for infrastructure management, and for guests.
Most of my so-called central services have been hosted on the same Linux box that does the routing, using containers bount do tjose subnet zero IPs on the loopback. It skeeves me out a bit to do that though, so I’ve been moving that stuff over to a new applications server in a DMZ VLAN. I know what I’m doing, but I’m also incurring unnecessary risks having structured my service hosting the way I have.
The IP-on-loopback trick let’s.me move those services from a VIP on the router to an IP on the new service host without having to reconfigure everything. I just fake in some /32 routes where I need to, and the traffic goes where I want of to.
I admit up front this isn’t great discipline, but as I said I know what I’m doing and it only sounds crazy to me when I try to explain it to other people. Lol.
I do this, but I also work in tech and have a pretty solid grasp of routing and how that all works. I agree it may seem overkill for many installs, but makes sense for certain use cases. I’ll try to explain without writing a book. I’ll be glossing over a LOT of texture in the following…
In networking, a router is considered to be a node in a graph with multiple host IP addresses, one for each edge. It has an interface-- sometimes physical but more often viirtual-- on each edge (network segment, VLAN) that connects to it, and which usually serves as the gateway IP for that edge. In larger networks where there is more than a single router, the routers must all tell each other which router has which destination network segment, so they all speak a routing protocol like RIP, OSPF or IS-IS. Each of the speakers must be able to identify itself uniquely among the others so the others know which node is making what advertisements. To do this, they each are assigned a unique router ID, which is normally a 32 bit integer value represented as a dotted quad. Customarily this is an IP address, and the protocols further this idea by adopting the highest numbered IP address on the device or the addrss of its loopback interface, if defined.
The point of a routing protocol is for the participating nodes to advertise IP ranges associated with their connected edges. They assert advertisements for each edge when it is active.(I.e., the interface is UP) and withdraw or expire them when the edge is unavailable (I.e., the interface is in any state other than UP). Every time an edge changes state-- goes from UP to not-UP, or not-UP to UP-- that advertisement must propagate across the whole system, and every node must stop forwarding traffic to recalculate its own best path to the remaining available edges. This is called reconvergence, and network engineers try to do things to minimize the number and frequency of these events.
Practically, one of the things network engineers do to try to avoid instability is not having the ID of a speaker change dynamically. Going back to how the device selects its router ID, it considers the loopback IP first, or else the highest numbered IP active on the device at the time of evaluation. Edge interfaces can go UP or not-UP for any number of reasons at any time, thus they are less than ideal to use for the router ID. The loopback interface by contrast is always up. This interface is typically assigned the IP the routing protocol will use for its router ID.
In practice, the loopback is the only interface on a router than can be said to belong to the router itself¹, and not to an edge connected to the router². There are other practical reasons in routing to do this, but they all come back to the fact that the loopback is always up, and therefore it’s always apt to be advertised as an available edge.
So what does any of this have to do with servers, applications and self hosting?
Applications that provide services over the network, DNS servers for example, need to bind to at least one IP address and protocol port. On servers with multiple interfaces, these applications normally bind to all available interface addresses, using the address 0.0.0.0. In some situations this might be undesirable. Maybe you don’t want your pihole serving your internal DNS to your ISP, or maybe you have several VLANs at your house and want to use a single IP address for DNS across all of your VLANs, or you don’t trust the VLAN interface IPs to always be the same.
Adding an IP to the lo interface ensures that IP is always available and reachable. It provides a single place for all hosts in the system to go that isn’t pinned to any one of the possible VLAN interface IPs.
In my own home setup, I define several IPs on the loopback for different containers that all want to use port 8443/tcp for their public port. This gives me the flexibility of being able to assign different services their own IP (which I can then reference by name in DNS) on their native port vis-à-vis the documentation. So my Pihole container has its address and my Unifi controller container has its own as well.
Anyway, this is very much a Done Thing in the industry. Not everyone needs it, but its a useful technique in the right circumstances.
No, we all only ever used single mobile clients. Sorry I can’t help
I hear you. The desktop wasn’t Signal’s primary market, and that’s pretty clear in their implementation. On the other hand, that difficulty registering a desktop servuce may make it less attractive to would-be bot farms and spammers. Its a thin one, but I see that as a silver lining.
I maintained an ejabberd server for myself and a few friends for many years. The config language was a little arcane to me at first, but it was pretty solid after I got it set up. I used a couple of different client apps with it over that time, most of which are still available on the F-droid repo. It was fun, but got annoying when the server needed maintenance, or was down, or because of any of the other minor nuisances that come along with maintaining a service for others to use.
Eventually we all ended up just moving over to Signal because it was just as good from the view of cost-benefit and risk for us. We’re just trading stupid memes and Saturday night stories among ourselves. The most radical thing we might organize is a trip to Vegas for the week.
Definitely try it out, but consider that being a comms provider for others is always a bigger chore than it seems at the outset.
The best way to say thank you is to pay it forward. Always be mindful of the time when you were the new kid, and freely share your knowledg & experience with the next new kid behind you in the spirit of community.
Geek on!
They’re like the Lincoln & Ford (or Acura & Honda, if you prefer a less ambiguous simile) of the electrical components world
What your situation for data backup? You mentioned a homelab and a NAS, are you running regular backups to an off-box store? You could mate it with a few TB of inexpensive USB disk, maybe some software RAID, and use it for off-box backups. Doesn’t have to be fast, just reliable.
Specs like that, you have some options. Virtual assistant, IPCam NVR like MotionEye or Frigate, media server for your car (takes DC voltage, right?), weather base station, ADS-B feeder, smart mirrors.
Or (if you’re in the US) you could repair it and then, if you donate it to a suitable charity, you could take the the cost of the repair as a deduction on your taxes. Probably doesn’t help you that much, but it could maybe really help someone else who needs it.
Or, just wipe it and send it to e-waste.
deleted by creator
News to me! Good to know, though.
I think realtime media routed through the node back when I was running one, but that was quite a while ago now. It wasn’t bad for my crew, but load scales exponentially in those sort of applications as you take on endpoints.
I ran an ejabberd node on an old x86 for years for family and some close friends. Works great.
Then I got tired of maintaining devices after long days at work doing IT things. We talked. Signal is easier. We moved over to that, in the end.
A Pi3 1GB will easily scale to 4 people.and beyond. XMPP is really lightweight for text and images. Consider a Pi4 for voice or video though.
I think the i5 is Ivy Bridge, but I couldn’t tell you what gen that is. My main use of HA aside from the automation is Frigate, which apparently needs the hardware AVX flags. This chip supports AVX512, where my older AMD did not, so that’s why I went with it. Its an i5-3470T, if that helps.
For an older SFF unit, it’s a beast for HA.
I’ve got HA with Frigate + USB Coral w/4 cams, FlightRadar24 receiver/feeder, ESPHome, NodeRed, InfluxDB, Mosquitto, and Zwave-JS on a refurbished Lenovo ThinkCenter M92p Tiny, rigged with an i5 3.6GHz, 8GB RAM and 500GB spindle drive. It’s almost overkill.
Frigate monitors 2 RTSP and 2 MJPEG cams (sometimes up to 3 RTSP and 5 MJPEG, depending of if I’m away for the weekend) with hardware video conversion. FR24 monitors a USB SDR dongle tracking several hundred aircraft per hour. I live under one.of the main approaches to a major US hub.
Processor sits at 10% or less most of the time, and really only spikes when I compile new binaries for the ESP32 widgets I have around the house. It uses virtually none of the available disk. It’s an awesome platform for HA for the price.
I am also bailing on Gandi, and am in the process of divesting them of my assets.
I was already using Let’s Encrypt for my self-hosted applications, and never used Gandi’s certificate service.
In July of this year I moved all of my Gandi mailboxes over to MXroute after subscribing to their $99 lifetime subscription plan. It’s more than I’ll ever really need.
I plan to move my domains over to Porkbun as they come up for renewal at Gandi, starting with two domains next month. I hold several domains in the standard TLDs and am US-based, so porkbun is a good fit for my needs. I’ll need to sort out DDNS services for a couple of my hosts, but if Porkbun isn’t sufficient then DuckDNS seems popular and well supported among the applications and self hosted services I use. If they have a paid tier, I will probably consider using that.
I intend to avoid Cloudflare except as a very last resort for more or less the same reasons I might avoid Google or Amazon: privacy, intellectual property and good netizenship.
You could source a pair of gigabit media converters and a length of fiber on Amazon for about $100. Just use the media converters to extend the Ethernet port from where the Internet hands off in your house over to your office. You can affix the fiber along baseboards and up over door frames with adhesive cleats and zip ties, or those nylon staples on a nail they use to tack down coax cable.
If you’re willing to spend a little more on the fiber for a custom color, you can probably even order the fiber in a more neutral color than SMF yellow to blend into the trim better.