this post was submitted on 17 Oct 2023
28 points (91.2% liked)

Selfhosted

40246 readers
816 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 
  • For my first goal, I want to get around my ISP's CGNAT so I can access my NAS outside my network. Tailscale doesn't work. Attempting to access my NAS always goes through their relays. From what I've gathered, a VPS is a good way to get around this so I got the basic $1/mo Racknerd KVM VPS. I'd like a performant way to manage this with low latency being ideal. That is my primary goal. From what I've researched, wireguard would be the most performant way to make that connection. I'd like to be able to access my NAS's primary IP or even set up reverse proxies so I can access it from outside the network, without sending all my network traffic through the NAS. I was under the impression tailscale did this but for some reason when I have tailscale active on my macbook, speedtests show major lag over 100ms.
    • I've heard wireguard was the most performant but anything will do with the goal of accessing my NAS. The maximum I need is to be able to stream 4k hdr/dolby atmos content from my NAS.
  • My second goal is to set up Unbound, Blocky and maybe have a fallback to quad9. I'd also like my devices to be able to use this externally. I set up a basic version of this today using this guide. However upon more investigation, I've learned Blocky causes much less latency than pihole. I went down a rabbit hole, researching nextdns, dnsfilter, etc. I think Blocky and Unbound will be great, but I'm more interested in the goal than the technology used to get there. I'm primarily interested in a low latency content/ad/tracker/malicious blocker that's available on and off my network.
    • Would it introduce less latency to run this locally off my NAS, and have a separate version set up in the cloud for when I'm away from home? I'll happily do this if there's any tangible benefit. My routing setup is ISP modem/router -> asus zenwifi router-> 10g switch, then my PC and NAS. All connected by cable.
    • Is there a way to set this up with the primary goal of having external access to my NAS? I feel like there's a way to kill two birds with one stone with this. Like maybe having the DNS resolve my NAS's internal IP to the VPS external IP which will then forward traffic requesting that IP address to the NAS somehow (not sure how exactly to accomplish this, or if it's possible).
    • I set this up originally on GCP due the guide I followed mentioning performance benefits. I'd be willing to host all this on the VPS if that's possible, but would prioritize high availability, reliability and low latency, which I believe GCP would give me better than my budget VPS. Strangely, the latency when connected to the current setup, GRC DNS benchmark is showing 100+ ms latency, while with it deactivated I get about 50ms average.
  • My third and kinda stretch goal is to host my website and side projects with the help of the VPS since I'll most likely not be using all the storage, bandwidth or computing power from just my primary and secondary goals. I currently host using github pages and redirect to my domain using cloudflare. I had my projects hosted on heroku. It seems like there's a heroku free tier popping up and then quickly enshittifying every other week so it just seems more reliable to host it myself.
  • It goes without saying that I'd like to have this be as secure as possible as I've read lots of self hosting horror stories. My priorities are security, cost, reliability, performance in that order. I think hosting unbound/blocky on the VPS would make for a more elegant and easy to maintain solution, but I'm not 100% sure of the reliability and performance of Racknerd's budget level VPS offerings.
  • So to retierate, I'd like to access my NAS which is behind a CGNAT externally, set up ad/tracker/malicious content blocking, and host my website/projects, with security, cost,reliability and performance in mind.

I think I want to use something like NPM, pfsense, blocky, unbound, authentik, fail2ban, and wireguard. either divided between free tier cloud hosts like GCP and oracle, and my VPS for less critical stuff like NAS access, or just put it all on the VPS if that's easier. I've done an absolute boatload of research to try and educate myself, which I've not included here because this would make this already lengthy post even longer. That said I'm still very noobish with all of this and appreciate any advice!

you are viewing a single comment's thread
view the rest of the comments
[–] thelittleblackbird@lemmy.world 17 points 1 year ago (2 children)

Ipv6

Cgnats don't exist in ipv6. Nat doesn't exist in ipv6

What also could happen is your isp blocking some ports from outside its network as a security approach, but normally you can ask to free a range of port from the firewall.

[–] MonkCanatella@sh.itjust.works 3 points 1 year ago (2 children)
[–] thelittleblackbird@lemmy.world 5 points 1 year ago (2 children)

Honestly, I cannt believe it.

Double or triple check it. The problem these days is to get a semifucntianl ipv4, they are expensive, scarce and full of problems.

Ipv6 on the contrary is abundant and all enterprise equipment fully support it since decades.

[–] Aganim@lemmy.world 3 points 1 year ago (1 children)

I can totally believe it. Here in the Netherlands we still have providers that haven't implemented IPv6. We've had one (Delta) finally starting their IPv6 rollout to fiber customers this year, not sure if they already finished it. Some providers are just slow AF unfortunately.

[–] thelittleblackbird@lemmy.world 1 points 1 year ago (1 children)

Truly incredible, shame on the.

Question then.

Are you experimenting some kind of connections problems?

I ask because I know some multiplayer games make a heavy use of the ipv6. Steam have some servers that are not reachable via ipv4, and don't speak about vps...

[–] Aganim@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Can't answer that I'm afraid. My current provider fully supports IPv6 (and assigns a /48 😁 ), as did their predecessor, so my network has been dual-stack for years.

[–] wjs018@lemmy.world 2 points 1 year ago

My isp doesn't support ipv6 in my area (Verizon). They claim to be in the process of rolling it out, but it's been years that they have been saying that, so idk. At least they don't use CGNAT, so it isn't a huge deal for me after I set up dynamic DNS.

[–] 2xsaiko@discuss.tchncs.de 4 points 1 year ago (1 children)

CGNAT but no IPv6? Despicable

[–] MonkCanatella@sh.itjust.works 2 points 1 year ago (1 children)

It’s Mexico. The ISPs incredibly worthless and corrupt

[–] 2xsaiko@discuss.tchncs.de 2 points 1 year ago

My condolences :(

[–] stown@lemmy.world 2 points 1 year ago (1 children)

NAT certainly exists in IPV6, I use it on my home network for my nginx proxy VM. I cannot, for the life of me, figure out how to change the IP on the host so I do NAT on my router. 🤷‍♂️

[–] thelittleblackbird@lemmy.world 3 points 1 year ago (1 children)

This is not the Nat functionality as people associated with ipv4, and certainly it is not showing the drawback of allowing the communication only when the NATed client started the communication.

Even if they are alike they are not the same.

I reaffirm myself here. It is possible to have full ipv6 communication and providers do not have cgnats. It is your easiest and most uncomplicated solution with almost nothing to install to make it work.

And in addition, I have to say that I don't see any benefit in using such functionality at home. If someone can illustrate me a use case I would be thankful

[–] stown@lemmy.world 0 points 1 year ago (1 children)

I use NAT on IPv6 so that I control which IP address is exposed. I've got /60 and all of my home devices are assigned unique IPs. What I like to do is set up a V6 address that uses the same numbers as my static V4 address and NAT that to my NGINX box, basically using the router assigned V6 as a "local" address.

[–] thelittleblackbird@lemmy.world 3 points 1 year ago (1 children)

Take wiht a bit (or a lot) of salt what I am gonna say. Because undoubtedly I am. Missing something here.

But if what you a already say is true probably you are not restricting anything. The recommended way to do so is with a firewall rule (probably in your router).

You are extending the subnet definition beyond the 16 bits. This can create problems and I doubt that your router will block anything if something crafted is received from Internet.

But of course, being the extremely big address space your are probably safe.

I any case, with a firewall rule in your router allowing only the proxy to go receive connections, you should be good and more standard conform

[–] stown@lemmy.world 0 points 1 year ago* (last edited 1 year ago)

I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.

Let's say I have a static IPv4: 72.235.228.162

And IPv6 block: 2660:1100:45f0:c17:: /60

What I do is set up a Virtual IP in OPNSense and give it the address 2660:1100:45f0:c171:72:235:228:162

Then I set up the firewall rules for that IP.

Then I NAT 1:1 that IP to the NGINX VM's IP and now the Internet doesn't need to know about it.