Showing only topics with the tag "networking".
    1. Cosmos Cloud Writeup

      I'm just copy pasting my reddit writeup since that's where the creator is active. For those curious, the basic idea of Cosmos (https://cosmos-cloud.io/) is a home server with a push towards default safety stuff. Reverse proxy over your docker containers configured to not see beyond their world, sort of thing, so you can safely control access. I believe it's a one-person project and still very much in development, but given that so many people just drop "roll your own, you just need to learn...." as the solution, I find this to be vastly preferable, and maybe better than things like CasaOS

      Post:
      I've had less time than I hoped to really poke at this, so it's a bit rambly/stream of consciousness. Figured I'd put this up as a data point for anyone either considering cosmos, or maybe as some feedback. If anyone wants more detail on a specific part I'll gladly dive in, but for now if I don't put this up I never will. A very large thanks to the various people who guided me on the discord.

      Techstack/layout/hardware:

      1. Cloudflare domain with proxy active
      2. Ubiquiti UDM Pro router
      3. MS01 on Ubuntu, in default DMZ VLAN
      4. Client devices on other VLANs (a secure VLAN, technically not the default but similar) or external to the network

      Personal skill level: I code for a living, but that's probably overstating my skill. Mostly light CRUD apps. Network is a MASSIVE blindspot that I know very little about. This project was in part to help fix that by getting me some practical experience. It's also GROSSLY overspecc'd for my skill level with some hope I can eventually do some more ambitious stuff.

      Setup: I had installed Cosmos before and run it locally unsecured/self signed (as provided by just clicking on the button in cosmos), just to make sure I understood "intended" behavior.

      My initial hiccups mostly revolved around me setting up port forwarding incorrectly in the router, so I'll skip most of that. Short version is I misread something, went down the out-of-date documentation rabbit hole and then doubled down with some AI hallucinations. In the end it's MUCH easier than I was making it.

      All I needed to do was set up a 443 port forward to the static IP of my Cosmos box. It's even limited to Cloudflare IPs only, which was just taking the list provided by Cloudflare and copy pasting it in. There's a section in Ubiquiti's network interface for this and it's very straightforward.

      From there it was configuring the right tokens so I could do the Cloudflare DNS challenge, which is well documented (went the double token route rather than full key). Once I found the right pages for that it was simple.

      Made my tokens, but was confused as hell because in Cosmos it says "you don't need to fill everything out" for Cloudflare, and there are CLEARLY duplicate entries, so I wasn't sure if I needed to fill out both.

      From what I can tell, you need to fill out the duplicates (so you will double enter your email and your key/tokens). You can leave blank things like timeouts or whatever you're not using (key if using tokens, token if using key). Some clarity on the dupe thing might help.

      I do think a small guide on bare minimum DNS config would also help. I was using a root A record and a CNAME wildcard record, and I never got it working with Cosmos. Unsure if that's my fault or not, but when I changed the wildcard to another A record (so an A record for root and an A record for *), it started working. For someone like me who knows fuck all about any of this, there was a lot of stumbling around with DNS.

      Of note I did select allow wildcard domains and .local domains on all attempts. No insecure http local access.

      From there it, mostly, started working. HTTPS enabled and everyone can connect....exceeeept .local domains.

      This is the part I'm still struggling with. There's not a lot of documentation on .local, just "it will work if you check the box". I'm not sure if it clashes with HTTPS, or if I need to self sign, or if it really should be that easy.

      My understanding is I just make a new URL for an app, call it whatever.local, and boom, I should be able to connect so long as I'm on the same network.

      In practice, I see no traffic hitting the server when I try this (unless on the server itself), and get timeouts from local clients (the server does work). I got it to work once from a client on another VLAN after trying to curl https://whatever.local, but the next morning with nothing changed (went to bed right after and just left the machines running), it no longer worked.

      I did 100% confirm this worked because I used filebrowser to transfer some large data at speeds that NEVER would have been possible if it wasn't over my local network (everything is wired, no wifi, hence the desire for .local access). Also worth noting that I CAN ping the server locally and ssh to it from my other network, so I'm confident the firewall/VLANs are configured correctly for that.

      Even for that brief moment when it was working, I STILL couldn't hit domain.local. It clearly exists, but if I can hit it (again from the server box or for that one moment from my other machine) I get the "you should use your domain address" text and cannot continue.

      I suspect router shenanigans (I do have mDNS enabled on all VLANs), but I'm having a hard time finding logs and whatnot for this. I'm also unsure if I don't know enough and am doing some config that obviously shouldn't work. I have toggled the "allow insecure local access" option in testing once or twice, but it doesn't seem to change anything. Not sure how long the delay should be.

      Small things I noticed that might need fixing/expanding:

      1. The initial admin account creation "your passwords do not match" help text is not in English.
      2. Small thing, but while browsing the market it seems there are a few configs that no longer work or aren't supported. EmulatorJS was the main one that seemed clearly done.
      3. Hitting the domain, after logging in but not having touched it since forever, just gives you a "user unauthorized" warning but still lets you putter around the setup.
      4. Related to that, it does sorta suck that right now even normal users see so much. I would like to hide a LOT of the interface for some of my users (just show them installed visible apps?), and while I can hide something like a new URL, I can't hide the URL screen, or the market, or whatever. It's "fine" but several test members had to be told "yes I know you can see that, no it's fine, no you can't delete or edit, yes I know it looks like you can, yes I've tested, etc, etc"
      5. In my testing, I did manage to get my domain IP banned by smart shield due to all the logging in and out. Was easy enough to bounce the box and get back in, but maybe a "heavy testing" mode an admin can enable that has smart shield chill for 30 minutes? Dunno how sane that is given the security first focus and I'm sure I could've whitelisted the IP briefly/neutered smart shield somewhere.
      6. When entering your license key, you instantly see a "manage your license" button pop up. I emailed about it because I was confused and thought my license was busted, but just needed to scroll to the bottom and hit save. Just a flow thing that might want to change.
      7. Maybe an early "what is your goal" question? Local only vs using a domain vs using a domain and local access, with an adjusted config process to skip/auto handle things that could go wrong?
      8. The "make admin only" checkbox on every app I've installed, that has it, doesn't appear to work. I have to go into the URL config and manually make it admin only from there. Maybe I'm misunderstanding where/how it's doing this, but some light testing seems to confirm that non-admin accounts can access until I do that.

      Side issues:

      At some point in all this my Ubuntu took a spirited attempt at destroying itself and would let me log in and then just show me a cursor and nothing else. Couldn't get to the terminal through the recommended ways, but after sshing to the box locally and changing uhh...the display driver I think?, it's mostly been working, but I cannot restart the machine without issues until I hard shutdown (hold the power button). I doubt this is related to Cosmos (either caused by, or affecting behavior), but figure I should mention it just in case. Planning a full reinstall later.

      Overall:

      I do love it. Cosmos is trying to be something that I think should exist and yet for some reason does not. There are so many ways to screw something like this up and the "well just roll your own" approach is hellishly easy to screw up with extreme consequences. I have a few more upgrades/tweaks to do (get .local working, maybe reinstall the OS and thus re-set up from scratch, NAS for storage of some family videos/photos we want backed up in more than one spot), and I have mostly enjoyed how clear Cosmos has been.

      7 votes
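The writeup above restricts the 443 forward to Cloudflare's published address ranges. That rule is only as good as the list pasted into it and only proven by what actually arrives at the origin, so the check a practitioner wants is: do any connections reach the box from addresses outside those ranges? The script below is an added example, not Cosmos or Ubiquiti code. The address ranges are a constructed subset of Cloudflare's list (refresh the full list from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), the log lines are constructed, and the log format is assumed to be the combined format of nginx/Apache-style proxies; adjust the regex to whatever the origin writes. A related point for the smart-shield bans mentioned in item 5: behind a proxy the origin only ever sees Cloudflare's addresses, so anything that bans by source IP at the origin has to key on the CF-Connecting-IP header Cloudflare adds, or one ban covers every visitor at once.

```python
import ipaddress
import re

# Constructed subset of Cloudflare's published ranges, used as sample data only.
# Refresh the real lists from https://www.cloudflare.com/ips-v4 and /ips-v6.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2606:4700::/32",
)]


def is_cloudflare(ip: str, ranges=CLOUDFLARE_RANGES) -> bool:
    """True if `ip` falls inside one of the allowed proxy ranges (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# Combined log format (assumed): client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (client_ip, timestamp, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))


def audit(lines, ranges=CLOUDFLARE_RANGES):
    """Entries whose source address is outside `ranges`.

    With a working Cloudflare-only forward this list is empty. Any entry means
    the port is reachable directly: the router ACL is missing, stale, or bypassed.
    """
    return [e for e in map(parse_line, lines) if e and not is_cloudflare(e[0], ranges)]


# Constructed sample lines, not real traffic. 198.51.100.0/24 is documentation space.
SAMPLE_LOG = [
    '104.16.1.2 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '103.21.244.5 - - [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048',
    '198.51.100.77 - - [01/Jan/2025:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153',
    '2606:4700:10::1 - - [01/Jan/2025:10:00:04 +0000] "GET /api HTTP/1.1" 200 90',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, req, status in audit(SAMPLE_LOG):
        print(f"direct hit bypassing Cloudflare: {ip} {ts} {req!r} -> {status}")
```

Point the loop at the real access log of the reverse proxy and run it on a schedule; a non-empty result is the signal that the 443 ACL needs attention.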
    2. Timeout when connecting to a local webserver through the internet, but only on WiFi

      I've recently moved, so I have a new ISP and I've also switched to new network hardware. I've been pulling my hair out trying to understand why I keep getting 100% timeouts when connecting to a locally hosted website. To make it more complicated, it only happens when I’m on WiFi.

      Hardware setup is:

      ISP router/modem -> Ubiquiti Cloud Gateway -> U7 Pro AP -> Laptop
                                                 -> Webserver
      

      The issue is opening https://foo.bar.baz:58443 when on WiFi. This domain points to my home (not really bar.baz, but you get the idea). There's a port forwarding rule to get to the local server. With tcpdump, I see the request coming in on that webserver, an SSL handshake is completed and then a bunch of TCP retransmissions.

      Some observations:

      • If the machine with the browser is connected to a cable and not WiFi, everything is fine, no timeouts.
      • Opening https://192.168.1.123:58443 (webserver address) is fine (WiFi or wired).
      • Opening https://10.0.1.123:58443 (gateway address) is fine (WiFi or wired).

      I thought it would be MTU related, but haven’t had any luck with changing it to a lower size. I’m not positive I’ve done this correctly, though, so it may still be MTU related.

      I know there are people here that know way more than I do about networking, so I hope somebody can point me in the right direction.

      17 votes
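The post already names MTU as a suspect and notes uncertainty about whether the change was applied correctly. The way to take the guesswork out is a don't-fragment ping sweep from the affected WiFi client to the public hostname: the largest DF packet that still gets a reply is the path MTU the client actually experiences, and the same sweep from the wired machine gives the number to compare against. The script below is an added example, not the poster's code or any Ubiquiti tool. It assumes Linux iputils `ping` flags for the live probe (Windows uses `ping -f -l <size>`, macOS `ping -D -s <size>`), and includes a simulated path so the search logic can be run offline.

```python
import subprocess
import sys
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One echo request carrying `payload` bytes with DF set (Linux iputils flags).

    A reply means a packet of payload + 28 bytes crossed the path unfragmented.
    No reply (or a local "message too long") means the path cannot carry it.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 1500) -> int:
    """Largest MTU in [low, high] whose DF probe is answered; 0 if even `low` fails.

    `probe(payload)` returns True when an ICMP payload of that size gets a reply.
    Binary search keeps the invariant "low passes, high fails".
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        return 0
    if probe(high - IP_ICMP_OVERHEAD):
        return high
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid
        else:
            high = mid
    return low


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Stand-in probe for offline use: a link that drops DF packets above `path_mtu`."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    target = sys.argv[1]   # e.g. the public hostname from the post, or the gateway address
    mtu = find_path_mtu(lambda payload: ping_probe(target, payload))
    print(f"largest unfragmented packet to {target}: {mtu} bytes" if mtu
          else f"even a {576}-byte DF packet to {target} got no reply")
```

Run it on the laptop over WiFi and again on a cable. If WiFi reports less than 1500 while wired reports 1500, and the server's interface is still at 1500, the server is sending full-size segments that die somewhere on the WiFi path and the ICMP "fragmentation needed" messages that should shrink them are not getting back; that produces exactly the handshake-then-retransmissions pattern. The usual fix on the gateway is TCP MSS clamping on that path rather than lowering MTUs on the endpoints.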
    3. Anyone have advice (or horror stories) on setting up a 100GbE NAS with RDMA / SMB Direct?

      Pretty much what the title says - I'm building out a smallish compute cluster and hoping to set up some centralised storage that won't be a bottleneck, but I'm very much not a networking specialist. Most of the load will be random reads from compute nodes pulling in the bits of various datasets they need to work on.

      Is it plausible to throw a 100GbE ConnectX-5 card and 256GB RAM into a consumer AM5 machine, format everything in ZFS, and set up a network share with KSMBD? My understanding is that I want to ensure everything's using mirroring rather than worrying about RAIDZ parity if I'm optimising for speed, which is fine, and I know that I'll only get full throughput as far as things can be cached in RAM - but is it reasonable to expect ZFS ARC to do that caching for me? Dare I hope that the SMB driver will just work if I drop it in there between the filesystem and the NIC? Or have I crossed the line into enterprisey-enough requirements that it's going to be an uphill battle to get this working anywhere near line speed?

      15 votes
    4. Seeking advice for back-up internet connection at home

      Hello, Tildes Tech Support Team,

      I'm doing some Homelab stuff. And I'm looking for a way to set up an inexpensive back-up Internet connection. Less about having a connection when I'm home and Internet goes out (Phone hotspot works in a pinch), but more about getting in and getting statuses of stuff when I'm not home and Internet drops.

      For background, I have a Ubiquiti Unifi Dream Machine Pro that can do WAN failover. My primary Internet connection is through Verizon Fios. The UDM and the Fios ONT are directly connected via ethernet; I'm not using Verizon's crappy home router. Also, I rarely lose Internet connectivity. This really is just a Homelab experiment to see if it can be done.

      I've seen some stuff about getting a cheap, refurb smartphone and a cheap MVNO plan like Google Fi that nets me a handful of GB a month, and then tethering the UDM to the phone somehow (maybe through some cheap router in bridge/passthrough mode like a GLinet travel router). Has anyone had any experience doing this?

      But...I actually have a secondary Internet connection already. My apartment complex has WiFi across the complex and for each unit. That I unfortunately have to pay for, even though I don't use it -- I want FULL control over my home network. But since I do have it, is there a way I can take advantage of this? I'm thinking something like a reverse AP, if that exists. But it has to pass through the IP from the apartment WiFi.

      I know there will likely be issues with double NATing. But depending on the services/things I'm trying to access or keep access to, that may not be a factor. Like my Unifi hardware talking with the Unifi cloud access stuff. I think double NAT shouldn't matter.

      Anyway, appreciate whatever you all got!

      15 votes
    5. Looking for tips/advice for a hardware firewall/VPN for a small to medium size nonprofit

      Edit: Decided to go with the Ubiquiti Dream Machine Pro. Thank you for all the suggestions and advice!

      Hey Tildenauts,

      I'm planning to help a local nonprofit replace their aging hardware firewall pro bono. I have a fair amount of experience with networking and security, especially where web servers are concerned, but I haven't set up a hardware firewall recently enough to know off the top of my head which are the best options here.

      The organization is fairly small but on its way to medium sized, around 30 employees at the moment but will likely expand to 50+ in coming years. So I'm looking for a solution that will comfortably scale up to 100 employees. There is remote work, accessing their local server via VPN, so something that comes bundled with a user friendly VPN client would be ideal. I haven't seen their physical setup yet but I know their server gets a lot of use. Not all employees use it remotely on a regular basis but many do.

      From past experience I know that Cisco, Sophos and SonicWall are potential options. Cisco seems to be pushing their Meraki platform pretty hard but I don't think this organization needs a subscription based solution.

      Anyone have recommendations for hardware firewalls I should consider? Any potential footguns I should know about?

      Thanks in advance!

      9 votes
    6. Any Ubiquiti Unifi users? - Questions on zone firewall policies

      I'd normally post this on reddit...but I thought I'd give the Tildes Tech Support Team a try.

      I have a Ubiquiti Unifi Cloud Gateway Ultra and I'm trying to better understand zone firewall management and VLANs and all that.

      I'll start with a screenshot. I'm only changing the two settings highlighted in red.

      I'm trying to understand the difference between two firewall policy settings:

      1. Action = Allow ONLY, AND Connection State = Return Traffic
      2. Action = Allow AND Auto Allow Return Traffic checked, AND Connection State = All

      I have two VLANs -- "Internal" and "Lab." Each is in their own policy zone, also called "Internal" and "Lab." The "Internal" VLAN does not have the "Isolate Network" option checked, but "Lab" does.

      What I want is devices in "Internal" able to initiate and maintain connections with devices in "Lab." But I don't want devices in "Lab" able to initiate connections to devices in "Internal."

      With Policy 1, "Internal" can't reach "Lab" nor vice versa. Hmm.

      With Policy 2, "Internal" can ping and SSH into devices in "Lab," but not the other way around. Perfect; that's what I want.

      And now my question(s): What is the difference between these two policies? To me, they look the same. But clearly the end results say they're not. So what's actually going on here? Additionally, assuming I could get Policy 1 to do what I want, is Policy 2 more vulnerable from a cybersecurity perspective than Policy 1?

      If it helps, here's a screenshot of my zone matrix, with focus on source "Internal" and destination "Lab."

      Thanks!

      17 votes
    7. Looking for home networking recommendations

      I like to periodically audit my home computer infrastructure for upgrades/replacements. Mostly this is so I don't have to make an impulse purchase when something inevitably fails, but it's also nice to keep up to date on the state of the art.

      I'm currently trying to reassess my home networking, and I am a bit overwhelmed by everything. So I'm hoping that the residents of Tildes can help me out a bit with recommendations.

      I would classify myself as a fairly budget consumer. I'm on a less than 1Gbit Xfinity plan, and have mostly cobbled together my current system from collected parts over the years. My DNS/DHCP is handled by my primary router, an aging T-Mobile Asus device I picked up years ago and loaded with Merlin. A few years ago I picked up an Eero system on discount, and I have been using that in bridge mode to provide mesh Wifi around the house.

      The system I have in place is working great. It occurs to me though, that most of the parts are getting old enough that I can't replace them directly. I'm definitely not going to be able to find my specific router easily, and the first gen Eeros are also getting harder to find. I also think I might not be doing myself any favors with the chain of multiple devices being cobbled together. Perhaps it's time to look for a mesh system with the flexibility that my Asus/merlin router offers.

      So let's hear it. What sort of networking equipment is everyone using these days? What do you like about it? Any killer features that I have been missing while living under a rock?

      23 votes
    8. Not sure if there is a name for this setup?

      So, I want to achieve something particular regarding my home network.
      I want to have 2 routers. One is my main router that everything connects to, except for the devices I stream things from; for the streaming devices, I want those to use a different router that plugs into the main router.

      Why? I have been selected for the focalmeter panel and that device is connected to a router to:

      1. intercept all packets going to the router it is set up with
      2. replace the hostnames of all the devices with a random selection of letters (think HH123-4), and I don't want that to happen with my servers (aka it takes over the DHCP service on the router).

      Part 1 kinda bothers me, but 2 is such a nuisance for when I am doing SSH. So my solution is to get a secondary router for the "streaming" part of my network, hook that router up to my main router and then let the focalmeter take over the DHCP service of that secondary router, so everything it does impacts only the streaming part of my network. Like the focalmeter could literally fuck up the secondary router and my servers and machines I use for non-streaming reasons would not be affected in any way.

      My streaming devices need to be able to access my servers to be able to access my jellyfin but that's the only necessary connection I can think of atm. Although it would be nice if I can have the devices on my main network access my streaming devices over the network too.

      All that to say, when looking up how to get 2 routers to work side by side like that with both their DHCP services up and running but not conflicting, I don't really know what to look for. Am I trying to set up a subnet or is there some other word for the network architecture I am trying to achieve?

      6 votes
    9. Ethernet working but not working? At an absolute loss.

      My MSI motherboard recently had an audio issue and crashed/corrupted my PC.

      I RMA'd it and did a fresh install of windows.

      I fire up my PC - no internet. After some fiddle-fucking around, I try an Ethernet to USB-C adapter. Works fine.

      I try a wifi dongle, no issues.

      Okay, motherboard issue related to the Ethernet port then, right?

      Except, I plug my Ethernet cable directly into my modem, and now it's working totally fine.

      Hmm, router issue? But why is it working with the usb-C adapter? Why does it work when I plug it into my steam deck? Factory reset. No dice.

      Drivers updated, windows updated, everything has been disabled, re-enabled, reset, turned off and back on, etc. I'm losing my mind.

      I would really like to be able to plug my expensive PC directly into my router via Ethernet, but I can't seem to make it happen. Tried two different cables (which work with other devices).

      When I connect, it says it's identifying the network and then gives me a 169 IP address - DHCP error then? But why wouldn't that be resolved by the clean install and the factory reset?

      Everything is set to auto in terms of IP and DHCP. Everything is enabled as it should be. No firewall. No security. No blacklisted devices. Why won't my router assign an IP address to my PC when connected directly via Ethernet? And why is it working fine when connected to my modem?

      msi motherboard and TP-link router by the way.

      Edit: Alright folks, I'm just going to squeeze in a network card. I don't want to do another three weeks with no PC and this mobo is just old enough that I don't feel like RMA'ing repeatedly unless I have to. I really tried everything and have ruled out the router and Ethernet cable. Thank you all so much for your help.

      Edit: Threw a new network card in. Used my second PCIEx16 slot. Nothing will fit there anyway since it's microatx and my gpu takes up so much space. Working great. So probably the mobo having an ethernet defect - not terribly surprising considering this was just RMA'd and they sent me back the same mobo after repair. If it shits the bed again, I'll just get a new mobo entirely. it's not an expensive one luckily. Thanks again everyone!

      16 votes
    10. Running ethernet in new home

      We're excited to be closing on our first house in several weeks! It's a newer build but doesn't have ethernet run, so in the nearish-term future I'd like to run cat5 cat6 to some key locations:

      • main level for TV and a mesh wifi node
      • second floor offices (PCs) and entertainment area for consoles/second TV

      Any really good guides that others have followed? So far the guides I've found focus on switches and crimping cables rather than how to get a cable from Point A to Point B effectively without knocking more holes than necessary in the wall.

      Edit: meant cat6, thanks for the note.

      32 votes
    11. Any VLAN expert here? Will be setting it up on my Mikrotik router and Unifi APs this weekend.

      I come in search of somebody who knows a thing or two about VLANs or, if possible, has set them up for themselves at home (or work).

      I have a Mikrotik router and Ubiquiti Unifi APs. My goal is to have three separate SSIDs on my APs to differentiate clients. One group would be closest family (group 1), another friends (2) and the last one would be QR-setup guest wifi (3).

      The reason is security. I run a 24/7 server at home with many services that I don't want people other than #1 to see. But I also run i.e. DNS there that I would like all to see (all three groups; or make them use another DNS via DHCP-set DNS, i.e. 1.1.1.1).

      So far I believe everything from that list is doable with the right knowledge (that I have yet to achieve). But I would also like some other things and that's part of why I'm asking here.

      • Is it possible to initiate a connection from #1 to a device in #2? I.e. from the server to the Raspberry that serves as a temperature sensor for Home Assistant? Is it some built-in functionality like "higher number VLAN can access all lower numbers" or do I have to set up some exception on my router for a specific IP and port? Or a specific LAN port (I have a 24 port router, yet not everything is connected via ethernet)
      • Do I have to set it all up in a specific order? I have read that I can cut myself off from accessing my router if I set up VLANs incorrectly and that's what I don't want to do :-)

      If you know how to set up VLANs and could provide some points to kinda carve the path I could stick to, I would be really grateful! I do not want a manual of step-by-step instructions, rather some points to follow so I don't fall for something important I missed.

      I will of course read up on it myself and will experiment a bit (I have old RB133 or maybe even RB433 around that I can use for learning), but it would be great to have some pointers.

      Thanks in advance for any advice or recommendations.

      14 votes
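Two of the posts above ask the same underlying question from different angles. The Unifi post asks why "Allow, connection state = Return Traffic" blocks everything in both directions while "Allow, state = All, Auto Allow Return Traffic" gives the wanted one-way reachability. The Mikrotik/VLAN post asks whether a higher-numbered VLAN automatically reaches lower ones or whether exceptions have to be written per host and port. Both come down to how a stateful zone firewall pairs packets with tracked connections: the first packet of a flow is always "new", a rule that only matches "return" traffic can therefore never start anything, and VLAN numbers carry no privilege ordering at all, so every cross-zone path that should work needs an explicit allow. The model below is an added example written for this page; it is not Ubiquiti's or MikroTik's implementation, and the zone names, addresses, ports and policy shapes are constructed to mirror the two posts. Every flow is modelled as a TCP handshake (SYN out, SYN-ACK back); UDP is tracked the same way by real firewalls, just with timeouts instead of handshakes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The packet coming back on the same connection (SYN-ACK for a SYN)."""
        return Packet(self.dst_zone, self.src_zone, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    action: str                  # "allow" or "block"
    state: str = "all"           # connection state to match: "all", "new" or "return"
    auto_return: bool = False    # on allow, accept the reverse packets of that connection too
    dst: Optional[str] = None    # optional host/port match, i.e. a per-device exception
    dport: Optional[int] = None


class ZoneFirewall:
    """First-match zone policies on top of a connection table, default deny."""

    def __init__(self, policies, default: str = "block"):
        self.policies = list(policies)
        self.default = default
        self.tracked = {}        # accepted forward Packet -> auto_return flag

    def evaluate(self, pkt: Packet) -> str:
        rev = pkt.reverse()
        if rev in self.tracked:                      # reply to a connection we accepted
            if self.tracked[rev]:
                return "allow"                       # auto-return: no policy lookup needed
            state = "return"                         # otherwise a policy must still match it
        else:
            state = "new"                            # first packet of a flow is always new
        for pol in self.policies:
            if (pol.src_zone, pol.dst_zone) != (pkt.src_zone, pkt.dst_zone):
                continue
            if pol.state != "all" and pol.state != state:
                continue
            if pol.dst is not None and pol.dst != pkt.dst:
                continue
            if pol.dport is not None and pol.dport != pkt.dport:
                continue
            if pol.action == "allow" and state == "new":
                self.tracked[pkt] = pol.auto_return  # remember the flow for its replies
            return pol.action
        return self.default


def tcp_session(fw: ZoneFirewall, syn: Packet) -> bool:
    """A connection works only if the SYN and the SYN-ACK coming back both pass."""
    return fw.evaluate(syn) == "allow" and fw.evaluate(syn.reverse()) == "allow"


def unifi_scenarios() -> dict:
    """The two policies from the Unifi post, Internal -> Lab, tested in both directions."""
    ssh_internal_to_lab = Packet("Internal", "Lab", "10.0.10.5", 51000, "10.0.20.7", 22)
    ssh_lab_to_internal = Packet("Lab", "Internal", "10.0.20.7", 51001, "10.0.10.5", 22)
    policy1 = ZoneFirewall([Policy("Internal", "Lab", "allow", state="return")])
    policy2 = ZoneFirewall([Policy("Internal", "Lab", "allow", state="all", auto_return=True)])
    return {
        "policy1_internal_to_lab": tcp_session(policy1, ssh_internal_to_lab),
        "policy1_lab_to_internal": tcp_session(policy1, ssh_lab_to_internal),
        "policy2_internal_to_lab": tcp_session(policy2, ssh_internal_to_lab),
        "policy2_lab_to_internal": tcp_session(policy2, ssh_lab_to_internal),
    }


def vlan_scenarios() -> dict:
    """Three VLAN zones from the Mikrotik post: DNS for all, one sensor exception, nothing else."""
    server, sensor, phone = "10.0.1.10", "10.0.2.20", "10.0.3.30"
    fw = ZoneFirewall([
        Policy("friends", "family", "allow", dst=server, dport=53, auto_return=True),
        Policy("guest", "family", "allow", dst=server, dport=53, auto_return=True),
        Policy("family", "friends", "allow", dst=sensor, dport=8080, auto_return=True),
    ])
    return {
        "server_to_sensor": tcp_session(fw, Packet("family", "friends", server, 40000, sensor, 8080)),
        "sensor_to_server_ssh": tcp_session(fw, Packet("friends", "family", sensor, 40001, server, 22)),
        "guest_dns": tcp_session(fw, Packet("guest", "family", phone, 40002, server, 53)),
        "guest_ssh": tcp_session(fw, Packet("guest", "family", phone, 40003, server, 22)),
    }
```

On the Unifi post's last question: in this model the path opened by auto-return is bound to the tracked tuple, so Lab can only send packets that belong to a connection Internal started; it gets no general right to initiate anything. That is the ordinary stateful-firewall behaviour the "Allow, state = All, Auto Allow Return Traffic" policy relies on, and the same mechanism is what makes the per-host, per-port exceptions in the VLAN scenario work in one direction only. On the lock-out worry in the VLAN post: the safe ordering is to keep the management session on an interface whose VLAN membership you are not changing, and on RouterOS to use Safe Mode so an unconfirmed change rolls back when the session drops.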
    12. Best way to set up NAS?

      So I have a setup where I have a NUC that has docker on it; one of the containers is my nextcloud that I use for sharing my files across my computers.

      I also have a synology NAS which is connected to my NUC via NFS and the files themselves are stored on that NFS file via a docker volume mount.

      Hopefully that made sense.

      My problem: not often, but it does happen that my router has an issue; today it just needed a restart. Another time it was because I deliberately disconnected it from the power, not realizing it would mess up the connection between my NUC and my NAS.
      Why is this an issue? It causes my nextcloud to freeze up as the files it is supposed to share are no longer available. It necessitates me restarting my NUC to get the connection going again.
      Thankfully it hasn't happened often, but it's still something that can be scary in the moment. My question is, is this just one of the pitfalls I have to accept of utilizing a NAS the way I am, or is there a way to connect a Synology to a NUC and ensure router issues don't cause the nextcloud docker instance to freeze?

      12 votes
    13. Private DNS (DoT) on Embedded / IOT Android Devices - Help With Connection Errors

      Good evening, everyone. I was wondering if any of my fellow Tilders had experience with using Android's Private DNS feature on unconventional android devices e.g. WearOS, Android TVs etc.

      It was quite easy to figure out exactly how to set up an alternative DNS server on these devices. By default, Google has hidden the private DNS setting on them, but it is still accessible from ADB. In both of my examples it is likely easiest to enable “Wireless Debugging”, pair the devices successfully, and then run the commands.

      adb shell settings put global private_dns_specifier one.one.one.one   # replace this with the pertinent server!!
      adb shell settings put global private_dns_mode hostname

      The issue I have been running into, however, is if there is seemingly any form of content filtering enabled on the DNS server of your choice, the WearOS device seems to think internet is unavailable when first connecting. If you open the Settings app and leave it open for long enough on the Wi-Fi page, it will switch from "Internet not available" to "Connected". Contrary to this, if you open an app like Samsung Internet, it does not take this time and just refuses to use any configured Wi-Fi network.

      To go into my specific situation in a little more detail, I use NextDNS configured with Hagezi Multi PRO++ block list. I have no issues on my S24+ with regard to internet being deemed unavailable by the OS (sure the occasional public Wi-Fi network blocks DoT—I just use mobile data then). I have also yet to try it on my Smart TV, which is frankly the more important target device than my watch (I will get around to it in the new year once the holidays are over).

      This is all a potentially very convoluted way to ask what people's experiences are with this, and if they have faced similar problems to me when using providers like NextDNS, AdGuard etc. that provide content filtering options on their encrypted DNS connections.

      Merci beaucoup !

      4 votes
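When a device behaves differently depending on whether the configured Private DNS server filters, the first thing worth knowing is exactly what that server returns over the same transport the device uses. Android's "hostname" Private DNS mode is DNS over TLS: a TLS session to port 853 carrying ordinary DNS messages, each prefixed by a two-byte length (RFC 7858). The client below is an added example, not Android, NextDNS or AdGuard code; it speaks that wire format directly so the answers can be compared with what a plain resolver gives. The sample response embedded in it is constructed, not captured, and the "filtered" heuristic (NXDOMAIN or a null address) is only what filtering resolvers commonly do, not a guarantee about any particular provider. The server name and query names in the usage are assumptions; substitute the one the device is configured with.

```python
import random
import socket
import ssl
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a single-question DNS query with RD set. qtype 1 = A, 28 = AAAA."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return rcode and answer records as (name, type, ttl, data) tuples."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            data = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            data = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 5:
            data, _ = _read_name(msg, off)
        else:
            data = rdata.hex()
        answers.append((name, rtype, ttl, data))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def looks_filtered(resp: dict) -> bool:
    """Heuristic: filtering resolvers commonly answer NXDOMAIN or a null address."""
    if resp["rcode"] == 3:
        return True
    addrs = [a[3] for a in resp["answers"] if a[1] in (1, 28)]
    return bool(addrs) and all(a in ("0.0.0.0", "::") for a in addrs)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection")
        buf += chunk
    return buf


def query_dot(server: str, name: str, qtype: int = 1, port: int = 853, timeout: float = 5.0) -> dict:
    """Resolve `name` over DNS-over-TLS: TLS to port 853, 2-byte length-prefixed messages."""
    ctx = ssl.create_default_context()                 # verifies the server certificate
    with socket.create_connection((server, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        q = build_query(name, qtype)
        tls.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        resp = parse_response(_recv_exact(tls, length))
        if resp["txid"] != struct.unpack("!H", q[:2])[0]:
            raise ValueError("transaction id mismatch")
        return resp


# Constructed sample (not captured): NOERROR with A = 0.0.0.0, the shape a blocklist
# hit typically produces, answering build_query("ads.example", txid=0x1234).
SAMPLE_FILTERED = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x03ads\x07example\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x00\x00\x00\x00")

if __name__ == "__main__":
    import sys
    r = query_dot(sys.argv[1], sys.argv[2])           # e.g. dns.nextdns.io example.org
    print(r, "filtered" if looks_filtered(r) else "answered")
```

Run it against the same hostname the watch is configured with, once for a name you expect to resolve and once for one on the block list. If the resolver answers the blocked name with 0.0.0.0 or NXDOMAIN, that is what the device's own connectivity probe sees too, which narrows the question to which names the OS checks on connect.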
    14. Simulating an ISP's access to your traffic

      Hey all,

      We're working on a press-freedom / anti-censorship project and we're testing a variety of scenarios in which a journalist's internet traffic is being monitored by a hostile state. We'd like to simulate an ISP's access to the journalist's traffic so we can run some packet collection and other tests to see what it looks like.

      What's the best way to do this? Put a few routers in series and collect on the last one?

      19 votes
    15. Reverse-Proxying services both inside and outside of Podman

      Hey all, not-a-networks-guy here.

      I've currently got an rpi set up running pihole natively (not in a container) for ad and website blocking reasons. (Using port 80, no TLS) I've used the pihole localdns feature to set an internal hostname for that ip (me.lan).

      On the same pi, I have podman "set up" to run FreshRSS, and I'm getting more and more annoyed about using the port # to access it. (me.lan:12345) I'd like to set up a reverse proxy (probably Traefik) in a container to redirect internally, but considering that port 80 is taken (by pihole, outside of podman) I don't see a way to direct traffic from the pihole to Traefik.

I'd really rather not reconfigure the whole setup to use containers... I'm lazy, and also prefer my DNS resolver to have the least amount of overhead possible. Is configuring the router an option here, or is the only way to achieve what I'm looking for an overhaul of the pi and containers?

      If I've missed any pertinent details, let me know and I'll update here.

      4 votes
    16. [Home networking] Setting my Ruckus APs to DFS channels manually, any chance of running afoul of the FCC?

Hi everyone, I recently finally set up the Ruckus AP Unleashed system that came with my townhome. After spending a long night learning how to properly configure the system I finally set it up in a way that provided me the best speeds/range without interference.

      This was achieved by setting my Ruckus APs to manually sit on the DFS channels (60-140) via the Ruckus configuration app (shown here)

This has been working great as I'm avoiding the ~10 other wifi networks in the area that are all set to the standard 36-48 and 149-160 channels (wifi analyzer screenshot here), but I'm concerned I may be inadvertently violating FCC guidelines. Note I do not live near any military installations, but I am about 13 miles away from a major airport. Will the Ruckus APs automatically change channels if they detect radar interference, or am I causing trouble for someone?

      11 votes
    17. Advice for networking at a conference?

      So in about two weeks I'll be at a conference for a career path that I've been trying my best to get into for two years. It's a bit niche, having an overlap with science, tech and IT.

      As such this conference represents opportunity for me, and given how low my morale is after rejection after rejection after rejection, something I really hope to see some result from.

      Does anyone have any tips on how to network at such a conference?

      22 votes
    18. [SOLVED] Looking for help getting my VPN to work with Firefox privacy settings

      I recently moved to a new place with a new ISP, and my Mullvad VPN isn't playing nicely with Firefox like it used to. Can any of you networking gurus please help me troubleshoot?

      When the VPN is enabled, most requests from the browser fail immediately. If I pull up the dev tools Network tab, I can see that these requests fail with an NS_ERROR_FAILURE message before any data is transferred.

      I have Firefox configured to use "strict" Enhanced Tracking Protection. When I reduce it to "standard" my requests go through.

      I'm also trying to use DNS over HTTPS with a custom provider (Mullvad, via https://dns.mullvad.net/dns-query). I'm configuring this in Firefox, using the "Increased Protection" DoH setting. When I do that, Firefox reports the DoH status as "Status: Not active (NS_ERROR_FAILURE)". This happens even when Enhanced Tracking Protection is set to "standard" — in other words, that reduced setting fixed the NS_ERROR_FAILURE for HTTP requests, but not for DoH.

      So how do I fix this so Strict Enhanced Tracking Protection, DNS over HTTPS, and Mullvad all work together? I never had this problem with my old ISP, so I suspect something's being blocked at the WAN level that I need to circumvent.

      • OS: macOS Sonoma 14.5
      • VPN protocol: WireGuard
      • ISP: AT&T Fiber

      I'm just using the official Mullvad client app with mostly default settings. The fiber gateway modem/router came with some default packet filtering firewall rules but I disabled everything in the admin panel. Weirdly, rebooting my machine fixed this temporarily, but the next time I disconnected/reconnected the VPN it broke again. Other browsers (with default settings and no DoH) are working fine when the VPN is connected.

      Edit: Solved! Solution here.

      6 votes
    19. [SOLVED] Debugging a slow connection between local devices in only one direction

      [SOLVED]

      ... well, this is in many ways very unsatisfying, because I have no idea why this worked, but I seem to have fixed it.

      Server A has two Ethernet ports, an Intel I219V and a Killer E3100. Several months ago, when trying to debug sporadic btrfs errors (I had my RAM installed incorrectly!), I had disabled some unused devices in BIOS, including the Killer Ethernet port.

      Since I had no other ideas, and it seemed like this was somehow specific to this server, I just re-enabled the Killer port and switched the Ethernet cable to that port. I'm now getting 300 Mb/s transfers from my wireless devices to my server, exactly as expected.

      I'm gonna like... go for a walk or something. Thank you so much to everyone who helped me rule out all of the very many things this could have been! I love this place, you all are so kind and supportive.

      Original:

      I'm trying to debug a perplexing networking situation, and I could use some guidance if anyone has any.

      Here's my setup:

      • UniFi Security Gateway
      • UniFi Switch Lite
      • Two UAPs
      • Two servers, A and B, connected to the USW-Lite with GbE
      • Many wireless devices, connected to the UAPs

      Here's what I'm experiencing:

      • Network transfers from the wireless devices to server A (as measured by iperf3 tests) are very slow. Consistently between 10 and 20 Mb/s.
      • Network transfers from server A to all devices are expected speeds. 900-1000 Mb/s to server B, 350-ish Mb/s to wireless devices.
      • Network transfers between server B and all devices (in both directions!) are expected speeds.
      • Network transfers from the USG to server A also seem slow, which is odd. Only about 60 MB/s.
• Network transfers from the USG to server B and the wireless devices are about 300 MB/s

      So, specifically network transfers from any wireless device to server A are slow, and no other connections have any issues that I can see.

      Some potentially relevant details:

      • Server A is running Unraid
      • Server B is running Ubuntu
      • Wireless devices include a Fedora laptop, an iPhone, and a Macbook Pro
      • UniFi configuration is pretty straightforward. I have a few ports forwarded, a guest WiFi network (that none of these devices are on), a single default VLAN, and two simple "Allow LAN" firewall rules for Wireguard on the USG. No other firewall or routing config that I'm aware of.

      If anyone has any thoughts at all on how to continue debugging, I would be immensely grateful! I suppose the next step would be to try to determine whether it's the networking equipment or the server itself that is responsible for the throttling, but I'm not sure how best to do that.

      15 votes
    20. What home network equipment do you use?

Hey all, I'm interested in going down the rabbit hole with Ubiquiti equipment or other manufacturers, more specifically with access points, routers, and a switch. I want to wean off my ISP-supplied all-in-one equipment as their newer hardware limits basic features such as port forwarding, and I'm interested in re-enabling my self-hosted software. Wi-Fi standards have been moving pretty quickly, as has hardware. What setups do you have established in your homes?

      I don't really have a budget in mind, and have a 2.5GbE port I'd like to utilize for media consumption over LAN.

      29 votes
    21. Fanless x86 mini PCs are getting absurdly fast and cheap

      Pretty much what the title says - I’ve been looking for something small and not too expensive to run a few VMs on recently, and I’m just genuinely amazed at where the tiny SBC space is at right now.

The Celeron N5105 seems to be the go-to choice at the moment. You can get an entire machine running that CPU that’s slightly smaller than an old double CD jewel case, for $150. Less than $200 if you want 16GB RAM and a fast NVMe SSD in there too. Four decent quality 2.5GbE NICs thrown in as a bonus. And it’s not that much slower than my expensive full size desktop from late 2020.

      Part of me thinks I’m just getting old - phones have been plenty of people’s primary computer for years now, after all - but there’s something about having a real standalone x86 PC that size for literally 1/5th the price of a flagship phone that just blows my mind.

      7 votes
    22. Synology NAS Recommendations & Questions

      Hey everyone!

Sorry if this is a long post, but I've done my research and I would like to ask a few questions.

I've decided that I would like to buy a NAS mainly to store all of my documents, photos and videos, so that I can access them from multiple devices and also use it to upload important documents to Backblaze B2. Then, I've actually discovered that I can install a few Docker containers and I could use it as a media server (Jellyfin) and serve the content to my Apple TV (neat!).

I considered a QNAP (better hardware for the price) but everyone recommends Synology instead (because of the stronger security and better overall software), but to be honest, I'm not sure what I should get.

      My budget would be to buy a NAS (without counting the disks) below €1000. Ideally, €500-600 but I don't mind stretching to the €700 mark, if it is really worth it.

      Spoiler alert: I think, it should be the DS920+ (4-bay) or the DS1520+ (5-bay). I think a NAS above 4-bay is better for future-proofing.

      Looking here in Germany at price comparators, I could buy the DS920+ for €663 and the DS1520+ for €750. But these prices seem to be at an all-time high :(
      Questions & Assumptions:

      0. I'm not sure if the price difference of about €100 is worth the premium to get the 5-bay model. There are only two differences between these two models: The 5-bay has one extra slot, and it has 4x 1 Gbe LAN ports instead of 2x 1 Gbe. All the rest is the same. What is your opinion?

1. I've read that if you run a few containers (~10) it consumes quite a bit of RAM (~3 Gb), so it should be ideal to have at least 8 Gb. This is the reason I've said that I think I can only choose the DS920+ or DS1520+. Looking at official Synology resellers, these models seem to come already with 8 Gb, and they are within my budget. Is my research wrong?

2. These two models have an encryption engine. I think this is necessary to encrypt my files before sending them to Backblaze, or?

      3. A lot of people seem to say to simply pick Synology's hybrid RAID setup called SHR-1 or SHR-2. I would go the easy way here and pick one of those two. Would you think that is a bad idea, and it is better to pick a specific (standard) RAID? I've read about the long long long RAID rebuild that could happen in some situations, and picking the "right" RAID could decrease the rebuild in days (or weeks!!!!).

4. In case I choose a NAS model with NVMe cache slots, most people say it is not worth it to use if you are not running Virtual Machines and the SSDs "burn" really fast. I have no interest in VMs.

      5. Most people say to pick an Enterprise (Server) HDD instead of a NAS HDD mainly because price is similar in some cases and Enterprise has longer life and warranty. I should also pick a CMR HDD which is helium filled. 5400 rpm would be preferable to 7200 rpm because of the noise. Sadly, all Enterprise HDD's and most of NAS HDD's are 7200 rpm. Is the noise difference that big? The NAS will be in our living room.

      6. Is 8 TB still the best cost per Terabyte?

      7. I was extremely sad to hear that the Hitachi hard drive division was bought by WD. I've had lots of misfortune with WD drives (and let's not forget the debacle with the SMR and CMR drives) and I would prefer not to give money to them, but, nevertheless, I'm still tempted to buy the Ultrastar drives that belonged to Hitachi. Does anyone know if WD kept the components, manufacturing processes, staff, etc., that made these brilliant disks?

      8. Following the HDD topic, what is your experience with Seagate or Toshiba drives?

9. These two NAS models have the same Intel Celeron CPU, which supports hardware transcoding. To be honest, I don't know in which cases that would happen. It seems if I use Infuse on the Apple TV it would never transcode (and instead direct play) because Infuse would do the transcoding in software. Should I take into account that hardware transcoding is a must-have or a nice-to-have?

      10. Would you recommend having a CCTV system connected to the NAS? Should I dedicate one entire HDD just for the NVR system? Would a standalone NVR device be better?

11. My last question is: Should I just wait for the new model of the DS920+ or DS1520+? The 20 means it was launched in 2020 (in Summer specifically) and it seems Synology refreshes the model every two years, which means a new model would be available in Summer this year. Most people say it is not worth the wait because Synology is very conservative in its model updates/refreshes. People are saying that a better CPU will of course be available (do I even need that for my use cases?) and probably upgrade the 1 Gbe LAN ports to 2.5 Gbe or 10 Gbe (10 Gbe I really doubt it). I've read that a 4K stream does not fill a 1 Gbe bandwidth, and you could theoretically have three 4K streams in a single 1 Gbe connection. If all else fails, I could just do a link aggregation of the two ports to be 2 Gbe, or?

      12. Anything I'm forgetting? Should I be careful with something in particular?
      I know I should buy a UPS too, but I think I'll create a separate post regarding this topic because I would also want a recommendation regarding a UPS for my other devices.

      I know that I could actually build my own NAS and use Unraid for the OS. Furthermore, I'm just at a time in my life with too much on my plate (baby and small child) and having something that just works is preferable. When they are older and more independent, I'll have more time to investigate this option :)

      Again, sorry for the long post. Thank you everyone!

      12 votes
    23. Router recommendations in 2022

Hello everyone, I'm going to move to a new apartment and will be doing full-time home office while my wife is doing part-time home office, so I'm looking to improve my internet connectivity. I already plan to get the 400 Mbps down fiber cable plan. So, I have to be honest that routers are one of those topics that I should know more about than I do, so I'm not sure what I should expect and which features I want or don't need.

Some time ago, I discovered and bookmarked the amazing website smallnetbuilder, which at the time I thought I would just trust for his thorough reviews and choose the best router within my budget. Sadly, the website seems abandoned now, so I'm not sure if there is something new on the market or if the routers in his "Best" rank are still valid options. By the way, I don't really game online.

      My requirements are:

      • 150€ budget, but willing to go to 200€ if really worth it;
      • Mesh compatibility, just in case I need it in the future;
      • Hopefully very low packet loss maybe 0-0.5%;
      • Compatibility/support with open source firmware;
      • Maybe VPN support (not sure, if worth it);
      • 2.5Gb LAN ports would be nice for future-proofing, but I think this is not possible without going over the budget;
      • Something that I don't know and never heard about, but you would really recommend it to me :).

      After a first glance, the Asus RT-AX58U looks nice. Just not sure about only having two 5GHz streams and no LAN port aggregation.

      Bonus dumb question(s) (sorry): Will all the routers work with my ISP modem? Or is it normal to always check with the ISP first before buying?

      9 votes
    24. Looking for >1Gb/s networking hardware

      I recently got my home internet upgraded to 10 Gb/s. I currently have the following hardware:

      • 10 Gb/s fiber modem (from the ISP)
      • 1 Gb/s ASUS combo router/AP/switch (needs replacement)
      • 2.5 Gb/s 4 port switch (not currently in use)
      • 5 Gb/s USB C ethernet adapter

      My ASUS router is the bottleneck in my current setup. My actual internet speeds are more in the 2-5 Gb/s range when plugged directly into the modem. So I'd be happy if I can get 2.5 Gb/s hardware between my laptops and the modem. That makes my existing ASUS router the bottleneck and in need of replacement. Is there a good, relatively cheap, standalone router (no switch or AP) I can build/buy that supports >1Gb/s speeds? Or is there a good all-in-one solution that isn't way too expensive? I'd honestly prefer to have different components each doing just one job.

      I already tried hooking the switch into the modem directly to see what happens. Under that configuration only one device plugged into the switch has internet access.

      12 votes
    25. Looking for a good map of the internet

      I did some cursory Googling but found stuff that I'm not looking for (maps of the web and traceroutes hooked up to GeoIP lookups). Is there a resource that will show me the internet as a series of interconnected hops? Preferably with information on the connections between nodes that indicates the amount of traffic. I'm interested in the topography of the internet itself - not physically where hops are located.

      7 votes