this post was submitted on 31 Aug 2023
282 points (95.2% liked)

Selfhosted


Dedicated wifi for automation allows me to have devices such as a Xiaomi Vacuum or a security camera not phoning home. OpenWRT with good firewall rules completely isolates my "public" containers/VMs from my LAN.

Server was built over time, disk by disk. I'm now aiming to buy only 12TB drives, but I got to sacrifice the first two as parity...

I just love the simplicity of snapraid / mergerfs. Even if I were to lose 3 disks (my setup allows me the loss of 2 disks), I'd only lose data that's on these disks, not the whole array. I lost one drive once, recovery went well and was relatively easy.

I try to keep things separated and I may be running a bit too many containers/vms, but well, I got resources to spare :)

[–] transmatrix@lemmy.world 8 points 11 months ago* (last edited 11 months ago) (2 children)

The risk is the ISP Wi-Fi. As long as you’re using WPA with a good long random passkey, the risk is minimal. However, anyone who had access to your Wi-Fi could initiate an ARP spoof (essentially be a man-in-the-middle).

ETA: the ARP table in networking is a cache of which IP is associated with which MAC Address. By “poisoning” or “spoofing” this table in the router and/or clients, a bad actor can see all unencrypted traffic.
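
As an added illustration (not code from any commenter), here is a defender-side check for the poisoning described above: it watches a stream of ARP replies and flags an IP whose MAC changes, a pinned host such as the gateway answered by the wrong MAC, or one MAC claiming several IPs. The `ArpReply` records and the addresses are constructed sample data; in practice they would come from a sniffer on the LAN.

```python
"""Flag ARP cache poisoning symptoms in a stream of observed ARP replies."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    # One "<ip> is-at <mac>" reply, as a sniffer on the LAN would report it.
    ip: str
    mac: str


# Constructed sample: the gateway 192.168.1.1 has a stable MAC, then the host
# at .20 starts answering for the gateway's IP (the classic spoof pattern).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:14"),
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:14"),   # gateway IP now maps to .20's MAC
    ArpReply("192.168.1.30", "aa:bb:cc:00:00:14"),  # same MAC claiming a third IP
]


def detect_arp_spoof(replies, pinned=None):
    """Return a list of alert strings.

    `pinned` maps IP -> expected MAC for hosts you know (e.g. the gateway);
    other IPs are trusted on first sight and watched for changes afterwards.
    A MAC that legitimately owns several IPs (a router with aliases) would
    also trip MULTI_IP, so such hosts need an allow-list in real use.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    seen = dict(pinned)            # ip -> MAC first learned for it
    ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        if r.ip in pinned and mac != pinned[r.ip]:
            alerts.append(f"PINNED_MISMATCH {r.ip}: expected {pinned[r.ip]}, got {mac}")
        elif r.ip in seen and seen[r.ip] != mac:
            alerts.append(f"MAC_CHANGED {r.ip}: {seen[r.ip]} -> {mac}")
        seen.setdefault(r.ip, mac)  # keep the first mapping, never the spoofed one
        ips_by_mac[mac].add(r.ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"MULTI_IP {mac} claims {sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, pinned={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```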

[–] tiller@programming.dev 14 points 11 months ago* (last edited 11 months ago) (1 children)

Well, to be honest, if someone has access to my Wi-Fi, I'd consider that I've already lost. As soon as you're on my LAN, you have access to a ton of things. With this setup I'm not trying to protect against local attacks, but from breaches coming from the internet.

[–] transmatrix@lemmy.world 1 points 11 months ago

Doesn’t need to be the case if you segment your network to protect against ARP.

[–] foggenbooty@lemmy.world 2 points 11 months ago (1 children)

How would you change his setup to prevent ARP attacks? More network segmentation (clients and servers on separate VLANs), or does OPNsense offer additional protections I should look into?

[–] transmatrix@lemmy.world 2 points 11 months ago (1 children)

Don’t have the Wi-Fi network “upstream” of the LAN. You want the connection between the LAN and Wi-Fi to be through the WAN so you get NAT protection.

[–] Ac5000@lemm.ee 1 points 11 months ago

Any way you could update/create your own drawing with what you mean? (Bad paint drawings are acceptable!)

I ask because I am curious if I am subject to the same problem. I'm not the most networking savvy so I need the extra help/explanation and maybe the drawing will help others.