Using wildcards is really bad security practice, and in the age of ACME absolutely unnecessary.
No HA. Classic HA is evil; a shared control plane is a good way to lose both FWs. Need redundancy? Use 2 independent FWs + routing protocols. Losing session state during failover is not a big problem these days. I did in-place upgrades, but I’m running LTS and have not yet done any major version upgrades. So far no problems.
Sorry, what do you want to know? It is just a Linux-based router pretending to be a Juniper FW. NAT/IPv6/PPPoE/VRFs are working as expected.
Can you promise a near 100% uptime? Otherwise, some email might not reach you. Just lol. Mail gets queued just fine by everyone. If you are really concerned, set up a second MX.
VyOS: Debian-based router + firewall. Linux makes it easier for people to pick up the CLI but I’ve heard complaints about it being difficult to follow. Currently CLI only, at least without third-party solutions, but is powerful and competes directly with OPNsense for features for the most part. Seems to be just as stable. My mistake, FOSS version is not LTS but a rolling release and needs to be compiled.
Very misleading statement. Both rolling and LTS are FOSS; they just do not provide LTS binaries for free. Want LTS? Build it yourself, all tools and guides (a bit outdated) are out there. It will take 30 min of your time to set up.
Stable is not “pay only”. Just build it yourself, all tools are available. It will take 30 minutes of your time if you have a Docker environment ready.
Are you running it natively as a “jail”?
All of them are not in the same league. Do you know any free type 1 hypervisors out there? Xen probably.
Nothing can beat bhyve for pfSense.
I do not understand why everyone is calling hosting email difficult. It is like 5 RFCs you need to read and implement. Software-wise you will need a mail agent, something for DKIM (if it is not built into the agent), a “local delivery agent” (probably presenting it as IMAP) + a mail reader of your choice. Nothing too complex.
Do not try to host outbound mail on residential IP blocks; delivery will be really bad. A cheap VPS is the same story. Your best bet is a VPS from some not well-known provider; they may avoid being on the blacklists at M$ and Google. Inbound mail is fine anywhere as long as you can have port 25 open. DDNS works too.
Just weigh your risks. Old drives can fail early, and enterprise drives consume more power. Old drives are probably not for mirrors or RAID5. RAID6 and a spare HDD on the shelf may save your data one day. It is a lottery.
Specs look good: Intel NIC, semi-decent CPU. I would say it is even overspecced for a router.
It is an option. But used from Ali? I’m not sure that I would trust them with my data.
Thank you. Intel now offers ECC on top processors like i7 and i9. It is a new development. Now the biggest problem is to find a motherboard supporting ECC.
Could you please elaborate? What is SFF hardware?
Try other container technologies like LXC, or go the right way and play with FreeBSD jails. The quality of the dockers you can find around is horrendous, given that Docker itself is built for convenience, not security. It is not something I will trust.
Hikvision is great. Good value for money. Just do not use the app to configure them, use the web GUI. And yes, they need to be isolated from the rest of the network and the internet (as pretty much any cameras).
Just get a VPS and use it to bounce traffic between nodes.
If you still use HTTP for cert verification on ACME, you are doing it wrong. Use DNS-01 only; there is no need to allow any inbound traffic to your servers. And HTTP will not give you a wildcard anyway.