IPv6 benefits?

Hi-

I know some trackers enable dual stack (eg, MAM), and some seem to think that you’re dual announcing if you have a dual stack.

For at least those that allow it, do you find that you are more connectable / get better speed / get more upload if you’re dual stack?

Thanks!

reddit.com
u/SparhawkBlather — 4 days ago

Verizon FiOS trucks on Beacon near Dean today...

Well, looks like they're laying down fiber along where the T construction is on Beacon... a person can hope that there's some changes coming! Anyone know anything / talk to the guys working there?

reddit.com
u/SparhawkBlather — 5 days ago

Netbird self-hosted and Google oauth - managing users & devices (+AppleTV)

So I was baking off headscale vs netbird for a while. I like netbird better in many regards. Integrated idp, easier control, I just like it. That said, I’m still using preauth keys and a bunch of my users are actual literal grandmothers. Google oauth would be simpler, and I’m not above outsourcing a portion of my perimeter to ye olde Google.

A few questions before I go down the rabbit hole:

  1. Can anyone go to https://nb.mydomain.com and auth with their Google account and it creates a “pending” new user with no policies and hence no access until I enable them, or do I have to pre-create all users?
  2. If a user is trying to use the AppleTV app, do they get the “nice sso flow” where they can scan a QR code and/or enter a code from their screen on their mobile device to authenticate?
  3. Other than the fact that if someone’s Google account is compromised, then they have all the access that that person has, are there any downsides to this approach?
reddit.com
u/SparhawkBlather — 8 days ago
▲ 12 r/ipv6

IPv6 for iot vlan on home network - happy eyeballs driving me mad

Hi-

I’m a homelabber, and not from a tech background. I’ve been running opnsense for about a year, with fairly segmented vlans (trusted, guest, management, homelab, iot, media, voip), but only ipv4. I got a /60 from Comcast, and enabled IPv6 on trusted and guest. I did a bunch of research on how to lock things down, and feel reasonably confident that I’m not allowing ingress. I went so far as to set up a bunch of uptime kuma “upside down” alerts from my VPS in case I screw something up on my ULA or rotate addresses down the line.

However what I’m trying you figure out is how far to go. I’m not sure there’s a service I run in my homelab that would benefit from ipv6 and I’m wary of enabling given complexity of individual firewall rules.

What scares me even more is my iot network. I have so many “just for this particular device type” rules such as my alarm panel, garage doors, ting monitors, ring cameras. But I don’t and can’t know what ipv6 these have unless they have an admin interface that shows it. And if they don’t do happy eyeballs, then they could all of a sudden think that ports aren’t open - and the consequences for some of these things would suck - my alarm goes off if it can’t phone home.

So am I stuck on ipv4 for some of my vlans like iot?

reddit.com
u/SparhawkBlather — 9 days ago

Decision settings for WAF vs core?

Hi-

I’m new to this world, so apologies in advance if I use words incorrectly or inconsistently.

Why is it that out of the box a single port scan merits a ban, but an IP that does the same vpatch-env or vpatch-cve 70 times in one minute doesn’t get a decision? Is there a solid reason for that, or should I do some tuning? None of my (homelab) users is hitting the same incorrect url multiple times in a short period of time.

Thanks.

reddit.com
u/SparhawkBlather — 25 days ago

[WTB][US-MA][W] Quill Satins / Aether R / Turii Ti / Aroma Jewel / Noble Ronin / Penon Impact [H] PayPal G&S

Hi-

A few harder to find mid-range focused IEMs I’m looking for:
* Quill Acoustics Satins
* Lime Ears Aether R
* Softears Turii Ti
* Aroma Audio Jewel
* Noble Ronin
* Penon Impact

If you’re interested in trading in part, I have Elysian Diva’s, Thieaudio Monarch MkIIs (which I prefer to the MkIV) and UM Mest Indigo’s, plus a bunch of “lesser” IEMs that I can share list of if interested.

reddit.com
u/SparhawkBlather — 2 months ago
▲ 94 r/homelab

Hi-

For a long time all my passwords were the same on all my machines, and it was not a great password. But it was memorable to me, and easily typable. If I ever needed to type it in to a web interface I could easily use vaultwarden. But more importantly when I needed to type it in to a sudo password prompt I did just that. It was fine because Tailscale was my perimeter, and I accepted that risk.

Eventually i built a DMZ. I protected it the way I think most folks do - caddy/ authentik for all external and internal access, only a couple VMs visible on the internet. Crowdsec, Q-Feeds, suricata. But I think I ought to harden my machines a bit too - strong passwords, different per machine, rotate once a quarter. All feasible to do. But how the hell do you deal with typing these in on sudo? Seems like a huge hassle - I very rarely put in my actual passwords outside of sudo now. I’m not sure the hassle is worth it to me. I can do lots of stuff with keys, but not sure I want to enable Passwordless sudo.

Don’t know much about this sort of thing.

Thanks!

reddit.com
u/SparhawkBlather — 2 months ago

Hi-

Ironically, my DMZ is the interface that’s listed as the one with the anti-lockout vlan. That’s not great. I’ve tried all kinds of things to try to force my opnsense to change it - I’ve unchecked all the other listening ports but the Trusted vlan, saved, and then tried to add other interfaces back, but no luck. Is there anything else you all can suggest?

Thanks

reddit.com
u/SparhawkBlather — 2 months ago
▲ 2 r/opnsense+2 crossposts

Finally getting ready to build out my DMZ so I can start sharing some services over the internet, not just over Tailscale. Would love feedback from those of you who actually do this for a living and/or are way more experienced than I am.

Here's the rough idea:

  • Tiny mini PC (called pve-dmz) with 2 NIC's (GMKtec G2 Plus) - one NIC to a DMZ VLAN-only NIC on OpnSense, one port to management VLAN tagged port on core switch.
  • Proxmox on pve-dmz with only two 2 containers - caddy and proxmox backup server
  • Firewall rules to harden DMZ traffic to WAN (DNS only to internal, NTS ports, handful of ports to) and to all LAN (basically only pass to opnsense and only to the specific services/ports I want to expose)
  • Caddy container has ddclient updating cloudflare records with my IP address as it changes (for auth.mydomain.com and each service like immich.mydomain.com and jellyfin.mydomain.com)
  • Caddy runs crowdsec and caddy bouncer
  • (and somehow I push app/service logs to the caddy container so that caddy-bouncer can consume them? this part I'm quite unsure of)
  • I run q-feeds and suricata on OpnSense
  • Caddy has authentik in front of services (with some being more complex than others, like jellyfin requires quickconnect & jellyfin-plugin-sso)
  • PBS on pve-dmz backs up locally, and then my primary pbs runs a sync job to pull nightly backups

How is that as a rough architecture and security plan? I know that strictly speaking the extra rigamarole of having a separate NIC on my OPNsense and a separate physical DMZ box are unnecessary and could be accomplished with just a new DMZ VLAN and a container on that VLAN, but given I'm a bit of a n00b and I don't really know that much about networking / security, and I have the hardware available, I want to minimize the failure modes.

reddit.com
u/SparhawkBlather — 2 months ago