this post was submitted on 06 Nov 2023
47 points (98.0% liked)

homelab

I am still very much a novice in the self-hosting space, Linux etc. having fairly recently switched from using macOS as my daily driver and not tinkering much at all.

One of the things that often confuses me is networking and making sure my setup is secure. This is currently holding me back from hosting more stuff locally that I would require access to from outside my home, as I am afraid I am doing something that could severely compromise my data. It can sometimes be difficult to follow explanations from more advanced users due to the many different components of networking and security, and different layers of abstraction, which prevents me from following completely. I might understand one particular case, but then be unable to make connections to another one. So I would want to research this more intensively, and ideally I would end up being able to easily understand the data flows - the paths the data takes (e.g. I make a HTTPS request to some server from my laptop, how is that traffic routed correctly through my local area network and later the wide area network), in what forms (i.e. different protocols, encryption layers etc.).

In communities like this, I see there are a lot of very knowledgeable people who maybe could recommended any resources that cover this from the basics and onto more advanced stuff? Maybe a textbook from a university course on ICT that is considered particularly good? A YouTube channel with great explanations and visualizations? I am looking both at home LAN and internet in general. Enterprise level networks are not very interesting to me (at the moment).

[–] cyberwolfie@lemmy.ml 2 points 1 year ago (1 children)

If you ping wifi.myisp.tld, what is the IP address? Is it private? What if you go to http://ip.add.re.ss? It should be the same thing???

The IP address is outside my network. If I try to connect directly to the IP address, it fails the certificate check; I get a list of domains that are attached to the cert and am allowed to "continue and accept the risk", landing at the same site.

Yes. Bridge mode means the ISP router is now only for translation (i.e. from coaxial/DSL/fibre to RJ45/Cat cable). You plug the ISP device into the WAN port of your own device, and now your device has the public IP address, and that is what you're trusting to protect you.

OK, I will definitely look into this in the near future then.

As long as the ISP router is plugged into the WAN port of your router and ONLY the WAN port, then you're safe from the ISP shenanigans.

There's a modem connected to the WAN port, and the router/hotspot is connected to the modem. But I guess that doesn't change anything?

I have scripts that try to update everything every hour and I'm not really worried. I'd rather an update to a new version take down my services than trust myself to log in every couple of days and do it manually.

I will definitely need to set this up myself then. Do you run this as cron jobs?

Thinking about the torrent thing, there's no better way to do it. I'd personally open a static port, e.g. 12345, and point that at the torrent client on the PC. I would not randomize it and open a massive range on your firewall just in case. Then just close the client when you're done and know that packets for 12345 will still reach your PC; they're just dropped there.

OK, that is basically how it is configured now. It is not randomized in the sense that it changes every time: it is listening on a port that was randomly chosen, but it has been static since configuration.

Not that I support it, but if you're downloading more than just Linux ISOs and you're in a country with pretty strict laws around this sort of thing, you should be using a VPN that supports opening ports. Then you do not need anything open on your firewall, just to connect to the VPN when you're ready to sail the high seas.

I do use a VPN (with port forwarding supported, but I have not activated it, which I know could affect performance, but I have not noticed anything here). Is the port opening on my router unnecessary in this case?

[–] skankhunt42@lemmy.ca 1 points 1 year ago (1 children)

The IP address is outside my network

I don't like this. That's super weird and I would not trust it. I'm sure it's "fine" but I'd hard pass on that. Set up my own 100% for sure.

There's a modem connected to the WAN port, and the router/hotspot is connected to the modem. But I guess that doesn't change anything?

I don't understand. Can I get a pic (MS Paint or real or something) or some brand names or something? I understand if you don't want to show, I'm just not sure what you're saying.

My ISP gave me a white box; I plug a fibre cable from the street plus power from the outlet into this box. Then I have a Cat6 cable from this box (port 1 as per their instructions) into the WAN port of my firewall. My firewall has a public IP on its WAN interface and I have 4 ports for LAN. The same firewall gives off WiFi to the rest of my house.

I will definitely need to setup this myself then. Do you run this as cron jobs?

Yeah, here's one of them for a VPS I rent, as an /etc/cron.d entry (hence the user field after the schedule):

# At :30 every hour, as root: drop cached repo metadata, apply all updates, then reboot only when
# needs-restarting (from dnf-utils) exits non-zero, which it does when a reboot is required.
# The update step is separated with ';' rather than '&&' so a failed dnf run (repo unreachable,
# transient network error) does not fall through to the reboot.
30 * * * * root dnf clean all ; dnf -y update ; needs-restarting -r || /usr/sbin/reboot

I actually run things in Kubernetes and use https://github.com/keel-hq/keel to keep my pods (containers) up to date.

I do use a VPN (with port forwarding supported, but I have not activated it, which I know could affect performance, but I have not noticed anything here). Is the port opening on my router unnecessary in this case?

The port opening on the router is unnecessary and could be a bad thing. If you're using a VPN with port forwarding, I'd close the one on your router right now. The "open" port is open via the VPN connection, so they do all the opening for you; you just need to make sure your PC is on the VPN.

Go to this site without your VPN on; it will tell you if you're using your raw internet to download torrents: https://iknowwhatyoudownload.com/en/peer/

It sounds like you might be doing that, or at least have the ability for people to connect to you via your ISP (bad) and not over the VPN (good).
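The "is it private?" question above (and the "IP address is outside my network" symptom it was probing for) comes down to which address ranges mean your own router does not actually hold the public IP. The following is an added example, not code from anyone in this thread: it classifies the address your router shows on its WAN side and compares it with the address the outside world sees, then says whether an inbound port forward on your router can be reachable at all. The addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real public IPs, which is why the classifier avoids `ipaddress.is_global`/`is_private` (those treat the documentation ranges as non-public).

```python
import ipaddress

# Added example. Ranges where a router's "WAN" address means the public IP
# actually lives on ISP equipment further upstream (ISP router or carrier NAT).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space, used for carrier-grade NAT
ULA = ipaddress.ip_network("fc00::/7")          # IPv6 unique local addresses, the RFC 1918 analogue


def classify(addr: str) -> str:
    """Label an address by what it tells you about who holds the public IP."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast or ip.is_unspecified:
        return "non-routable"
    if ip.version == 4 and any(ip in n for n in RFC1918):
        return "private (RFC 1918)"
    if ip.version == 4 and ip in CGNAT:
        return "shared/CGNAT (RFC 6598)"
    if ip.version == 6 and ip in ULA:
        return "private (ULA)"
    return "public"


def diagnose(router_wan_ip: str, observed_public_ip: str) -> dict:
    """Compare the address your own router reports on its WAN interface with the
    address the outside world sees (an IP-lookup site, or the peer address a
    server you own logs when you connect to it). The pair tells you whether
    inbound port forwards configured on your router can work."""
    wan_kind = classify(router_wan_ip)
    seen_kind = classify(observed_public_ip)
    same = ipaddress.ip_address(router_wan_ip) == ipaddress.ip_address(observed_public_ip)
    holds_public = wan_kind == "public"
    if holds_public and same:
        viable = True
        note = "Your router holds the public address; port forwards on it are reachable from the internet."
    elif holds_public:
        viable = False
        note = ("Your router has a public address but the outside sees a different one: traffic is "
                "translated or proxied upstream, so forwards on your router may not be reachable.")
    else:
        viable = False
        note = (f"WAN address is {wan_kind}: the public IP lives on ISP equipment in front of you. "
                "Forwards on your router alone cannot make a service reachable; ask the ISP for "
                "bridge mode or use a VPN provider that forwards a port.")
    return {"wan_kind": wan_kind, "observed_kind": seen_kind, "holds_public_ip": holds_public,
            "port_forwarding_viable": viable, "note": note}


if __name__ == "__main__":
    # Constructed pairs covering the three situations discussed in the thread.
    cases = [
        ("100.72.3.9", "203.0.113.5"),    # carrier NAT: the "IP outside my network" symptom
        ("192.168.0.2", "203.0.113.5"),   # own router behind an ISP router that is not in bridge mode
        ("203.0.113.5", "203.0.113.5"),   # bridge mode done right
    ]
    for wan, seen in cases:
        r = diagnose(wan, seen)
        print(f"{wan:>12} vs {seen:<12} forwards viable: {r['port_forwarding_viable']!s:5} {r['note']}")
```

Read the WAN address from your router's status page (or `ip -4 addr show` on the WAN interface if you run your own firewall) and the observed address from a lookup site without the VPN up; if the two differ or the WAN address lands in RFC 1918 or 100.64.0.0/10, the port you opened on your router is not the port the internet sees.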

[–] cyberwolfie@lemmy.ml 2 points 1 year ago (1 children)

I don’t like this. That’s super weird and I would not trust it. I’m sure it’s “fine” but I’d hard pass on that. Set up my own 100% for sure.

Yeah, good to have my suspicions confirmed. This setup is standard where I live now, and I don't think you can get around it. I first noticed this a couple of years back. I'll start finding a suitable router and set it up in bridge mode.

I don’t understand. Can I get a pic (MS Paint or real or something) or some brand names or something? I understand if you don’t want to show, I’m just not sure what you’re saying.

I have two small boxes in a cabinet - one is receiving a white cable that comes from outside my home, and outputs an optical signal that goes into the other box. This other box also gets a coax cable from outside my home, and outputs an ethernet connection that is connected to what my ISP calls a WiFi router. This has additional LAN ports as well.

Go to this site with out your VPN on, it will tell you if you’re using your raw internet to download torrents: https://iknowwhatyoudownload.com/en/peer/

I could not access this site now, however, I've checked this with the torrent address detection tool on ipleak.net many times before. I recently had an issue where my real IP would show for a second if I disconnected my VPN connection manually, but I solved this. My torrent client is bound to the interface created by the VPN client. At this point I am pretty sure it is fine. But I will close the ports again.

[–] skankhunt42@lemmy.ca 2 points 1 year ago* (last edited 1 year ago) (1 children)

I have two small boxes in a cabinet - one is receiving a white cable that comes from outside my home, and outputs an optical signal that goes into the other box. This other box also gets a coax cable from outside my home, and outputs an ethernet connection that is connected to what my ISP calls a WiFi router. This has additional LAN ports as well.

Hmm, I've never seen or heard of this. I've only ever been provided one box by my ISP. I have two guesses... Either you can replace your WiFi router with your own and everything will be okay, or you'll have to add a third that is your own, plug it into the WiFi router, and ask them to put it in bridge mode. My guess is they can help you a lot better than me guessing.

torrent client is bound to the interface created by the VPN client.

Perfect. Then you can close the open port on your router for sure. My torrent client (ruTorrent) shows what IP and port I'm using at the bottom; these are my VPN IP and the port I opened with the VPN provider.

[–] cyberwolfie@lemmy.ml 2 points 1 year ago (1 children)

Hmm, I've never seen or heard of this. I've only ever been provided one box by my ISP. I have two guesses... Either you can replace your WiFi router with your own and everything will be okay, or you'll have to add a third that is your own, plug it into the WiFi router, and ask them to put it in bridge mode. My guess is they can help you a lot better than me guessing.

From what I've understood from previously looking this up with my ISP, I connect my own device to the WiFi router they gave me. In that case I have four boxes... :) But I will naturally double check this before going forward with it, and then I might also get some clarification on what the two different boxes in my cabinet are. Bridge mode can be activated through a switch in their online portal though.

Perfect. Then you can close the open port on your router for sure. My torrent client (ruTorrent) shows what IP and port I'm using at the bottom; these are my VPN IP and the port I opened with the VPN provider.

I've closed them and everything still works the same way. So I guess the ports have just been open for anyone to say hello. A good example of one of the many areas where I get confused because I don't truly understand all this stuff very well. I learn more every day, and I've gotten plenty of tips in this thread, but it makes me a bit sad that self-hosting safely requires spending a lot of time learning about this stuff, and requires continued vigilance to keep things updated. This excludes a lot of people from enjoying the freedom that comes with data ownership and control. My issue is of course not with the self-hosted solutions; the developers have done excellent work to make these tools available to people like myself who are not IT professionals. My issue is rather that society at large has given the major tech players carte blanche to do whatever they want for such a long time that true privacy is so distant for most people. Some good things are going on in Europe to combat this (at least against corporate malpractices), but still not nearly good enough.

Thanks again for all your answers. I really appreciate you taking the time to educate me on this stuff. It's time for me to log off the computer now, and stare at a large screen in my living room instead. The season finale of Stargate SG-1 season 6 awaits :)

[–] cyberwolfie@lemmy.ml 2 points 1 year ago (1 children)

Oh, before I go, I just realized that the boxes in the cabinet also handle fibre TV signals.

[–] skankhunt42@lemmy.ca 1 points 1 year ago (1 children)

My fibre box does TV, phone, and internet all in one. I guess you have one for each? I'm interested to find out if you'll share.

I think asking them what each of them do and understand it is a good first step. Maybe you can get that down to 2 boxes. Good luck!

Nice! Glad it's still working! Definitely triple check with something like https://canyouseeme.org/ when you open ports. I'm a Linux sysadmin and happy to do my best to help if you have any more questions. At least I'll try and get you on the right track.

I 100% agree with you on the rest. Canada isn't doing anything and at this point I'm ready to give up. I'm not sure where to draw the line anymore and self hosting is a bit of a pain for me these days. Personal life is a bit rough and it's just so easy to make a gmail account and have them host it.

[–] cyberwolfie@lemmy.ml 2 points 1 year ago (1 children)

My fibre box does TV, phone, and internet all in one. I guess you have one for each? I’m interested to find out if you’ll share. I think asking them what each of them do and understand it is a good first step. Maybe you can get that down to 2 boxes. Good luck!

I'll try to remember to DM you when/if I get any answers, but I am currently sick and will be traveling soon, so I am not entirely sure when that will be. The boxes in the cabinet aren't really in the way, so I am fine with the two boxes there. But it would be nice to avoid having to use their WiFi router if possible. There is in fact a last box that I have packed away in a closet: the decoder for TV signals, which I don't use since I don't have TV included in my plan (I could drop TV from my plan in exchange for going from 100 -> 500 MBit/s internet connection, which for me was a no-brainer). So their standard setting is four boxes, and that is only for TV and internet.

Nice! Glad it's still working! Definitely triple check with something like https://canyouseeme.org/ when you open ports.

What a great tool! I will definitely make use of this.

I'm a Linux sysadmin and happy to do my best to help if you have any more questions. At least I'll try and get you on the right track.

Cheers, I appreciate that. I might just send you a question or two in the future if I am stuck in trying to figure out something, but of course, don't ever feel obligated to answer.

I 100% agree with you on the rest. Canada isn’t doing anything and at this point I’m ready to give up. I’m not sure where to draw the line anymore and self hosting is a bit of a pain for me these days. Personal life is a bit rough and it’s just so easy to make a gmail account and have them host it.

Yeah, it is difficult to draw the line. After about 15 years of just going with the flow, signing up for and using all kinds of services, I've lately (the past two years at least) been trying to untangle myself from the worst of it. It takes so much time, and every time I learn about something new (e.g. fingerprinting has finally just started creeping me out) I fall down yet another rabbit hole. I am trying to work myself towards as complete control over my data as possible, including an elaborate homelab setup (though that is still some time away). Hence trying to understand this stuff better so I can do it properly.

I hope you get through your stuff in your personal life. This interaction has in any case been greatly appreciated by me.

[–] skankhunt42@lemmy.ca 2 points 1 year ago

I'll try to remember to DM you when/if I get any answers

Thanks! No worries if not; it's just a different setup than I'm used to. Safe travels! I think I got sick over the weekend too. Hah.

I also have 500 MBit/s symmetrical internet. They tried to upsell me on 1.5 GBit/s, but my firewall only supports "up to 700 MBit/s throughput" even though it has gigabit NICs, so watch out for that also :) https://shop.netgate.com/products/1100-pfsense is the one I use. I'd love to upgrade but money has been tight for a while.

but of course, don't ever feel obligated to answer.

No problem! I'll answer when I can, even if it's a "I don't know"

I am trying to work myself towards as complete control over my data as possible,

I started doing this in college. Deleted Facebook, started buying cheap Lenovo Tiny PCs to run everything on. It's almost a chore now, but I still enjoy it. I think the issue is I also do it all day at work, so it kind of feels like more work after work, you know? I'm paying a company to host my email because I tried doing it myself and it was too much work.

I hope you get through your stuff in your personal life. This interaction has in any case been greatly appreciated by me.

All good, I was just giving context. Thanks though!!