Future Proofing Server
-
it causes headache now since, but i don't think i have another choice if i want faster than 100 megabit speeds.
-
What about on major version update?
-
they happen when the reboots occur.
-
I would not want to expose my home server to the internet. VMs have been breached. I would dump the windows stuff, if nothing else it is not future proof. Consider an AP. Backup consider a hot mount sata enclosure. One can then do swapable high speed backups. I would want off line and off site backups. One issue with rsync is it may not store all file attributes. Just be aware and it may not keep historical snapshots. Some of this depends on how it is configured.
-
not a concept; an actual, physical server that i've been using for almost five years now.
VMs have been breached
i have automatic updating enabled to incorporate cve fixes/updates asap on all of the instances and the host server.
now that you've made me aware, i intend to create automated jobs to destroy & create both vm's from an immutable golden image that are also pre-staged to capture all updates before they replace their older live and possibly compromised predecessors.
the host server is also gaped from internet access via pci passthrough dedicated to the pfsense vm; so the only entry vector, afaik, is through the pfsense firewall.
i was also wondering if an immutable distro for the host server would help with security as well and now i think i'll do that too.
I would dump the windows stuff, if nothing else it is not future proof. Consider an AP.
i'm limited to sub-100 megabit wifi speeds without the windows vm since intel will not allow the linux driver to have gigabit speeds in ap mode. i feel like this is the weakest part of the entire design and i was hoping someone had a better idea that didn't require AP purchase. all of the AP's i've purchased in the past eventually lost support from their manufacturers and they became compromise-able anyways so it's less future proof imo; whereas i plan on keeping this server running for atleast another decade and support is virtually guaranteed to be never ending.
also: i haven't yet encountered an AP that is capable of providing all of the features that i currently use. ie ad blocking; personal vpn; web hosting; and cloud-like internet accessible storage via ssh tunnel (in addition to others). purchasing a dedicated AP would effectively deny myself these capabilties and i would have pay $$$ for the privilege.
Backup consider a hot mount sata enclosure. One can then do swapable high speed backups. I would want off line and off site backups.
it feels silly to to me to purchase hardware to duplicate the same capability that i already have and that cloud like internet accessible storage is reason why offline backups don't work for me, but i can see the wisdom of having gapped backup duplicates nonetheless; so i'll figure out a way to incorporate it somehow.
these 3 very valid points are exactly why i asked this question and thanks for giving me this awareness.
-
802.11ac will hit 600-800Mbps easily, and those APs are dirt cheap since it's old tech.
-
Pretty much any wireless AC AP from the last 10 years can hit those speeds with no headache, no keys, and no Windows.
-
That’s fair. My UniFi gear has added that in recent updates, though that’s an investment. If your system works for you, that great; stick with it!
But, I would try to find an alternative to Windows 10. Paying for ESU’s would be better spent getting something else. What that might be, I’m not sure.
-
The attacking bots will surely be liking all your 'buts'
-
Regrading AP. Why can't you just use the wifi functionlity and let your server do the rest? APs are really just glorified WiFi cards with a bridge.
-
Commenting in case I need this someday.
-
i have no key for the windows10 vm
MAS will activate Windows server versions as well. Much easier to use that and keep a persistent install IMO.
-
i haven’t yet encountered an AP that is capable of providing all of the features that i currently use. ie ad blocking; personal vpn;
Pfsense does both of these. pfblocker NG in particular is a very powerful network adblocker with lots of lists. Pfsense can also run VPNs, it supports openvpn and wireguard in both client and server mode and you can set up multiple so one client, one server.
web hosting; and cloud-like internet accessible storage via ssh tunnel (in addition to others).
If you just need personal services it would be best to run something local, setup a wireguard tunnel on pfsense that gives access to your network and VPN in to access things remotely. If you need to share with others I suppose this can become a problem.
-
Yes, I use a pfsense based virtual machine as my firewall and I have availed myself to some of these capabilities like I've mentioned earlier.
I've grown accustomed to have this broad range of capabilities and the idea of getting a home router without this functionality feels foolish because I would literally be paying for the privilege of denying myself these utilities.
-
Im stuck at sub-100-megabit Wi-Fi speeds if I use Intel Linux driver; but their Windows driver doesn't have any such restriction, so I give the Windows virtual machine full control of the wireless adapter via PCI passthrough to workaround this annoying and pointless restriction.
-
I hope you help me better appreciate your recommendation better; the windows machine only faces internally so if there's bots they would be coming from my personal Linux laptop or work MacBook and those things never leave the house.
It feels like if pfsense is unable to help them out; then I stand little chance of doing myself so myself.
-
The standard (automated) attacker manipulates the 'inside' device first and makes it perform an attack on the WiFi router, to which the device is connected.
If the inside device is a windows pc and the WiFi router has it's inside port open for administrative actions, this is an easy game. Millions of WiFi routers have been turned into bots this way.
In your case the WiFi router is windows. This is different from the usual plastic router, but still not really a safe situation.
-
What's an ESU?
I wish I could get rid of the windows VM but doing so would slow my Wi-Fi speeds below 100 megabits since Intel won't allow the Linux driver to do the same in AP mode.
I like unifi; I would probably be using them if I didn't hate the idea of throwing away perfectly good equipment.
I spent a little over ten years in IT and it always saddened me to witness and commit the staggering volume of wastefullness of all of it, so try not to now
-
The router is a pfsense virtual machine based on openbsd; Windows is only the wifi access point and no administration whatsoever is conducted from it.
However the delineation between router and Wi-Fi access point gets murky for me here since the an access point is a effectively router, but by this same loose definition, it's also, effectively, a proxy.
Since this Windows virtual machine is headless like is host server, so the only possible entry vector would come from its clients entirely made up of Linux, android, and Mac machines. If those are compromised; then I don't think there's any way for me to stop it.
-
Connect the AP to a Gigabit ethernet port. No way that should be it should be limited to 100MBit.
