Windows Hyper-V Server on the host with most of the VM’s split between Ubuntu and Debian. I also have two Windows VM’s that I keep out of necessity.
It’s a song that’s been played so many times the record is starting to get worn out.
Big manufacturer buys software company.
Big manufacturer does not understand software business, software company, or software company’s customers.
Big manufacturer makes a bunch of cost reductions based on incorrect assumptions.
Big shot at big corp customer calls peon (like me) at budget time to ask why we spend so much money on this “VMWare”.
Peon explains that “VMWare is very important software which used to be ‘Best in Class’ but has become ‘Overpriced, second rate, yada yada…’” and suggests we switch to Hyper-V.
Big shot asks (a little suspiciously) if we would save money without any negative impact to operations.
Peon says, “Yes.”
Big shot writes big check to Microsoft.
Other big shot at big manufacturer is stuck trying to figure out where all the customers went; not realizing that big manufacturer pissed all over the peons who actually have to use their [now] shitty software.
Big manufacturer decides the acquisition was a failure, learns nothing from it, and sells the shell of the once popular software company for a fraction of what they paid for it.
I use Veeam Backup & Recovery Community Edition. If you’re running VM’s you have to be on VMWare or Hyper-V. You can also use agents on the individual VM/Server. It also requires a pretty hefty Windows host, at least if you want your backups to complete fairly quickly.
Those are understandably downsides for some people. But, Veeam is in a class by itself. It has no serious competitors and as far as ease of use and reliability, it’s top tier.
I’m lazy. I don’t want to spend a bunch of time configuring finicky backups only to find out I needed one and it failed. I honestly wish there were a comparable open source backup system. I have yet to find anything that works as well.
How is your speed and connection quality otherwise? The fact that your work VPN doesn’t stay connected – I’m assuming the client is running on your PC – is odd. That makes me think there may be some issues with signal strength or tower congestion. TMobile also gives home internet a lower priority than cell phone traffic.
Is that a recent change? They did support it (with cgnat) when I had TMobile home internet about a year ago.
I’ve got an old Dell Poweredge tower server with dual 6-Core Xeons, 128 GB Ram, and 21 TB combined Raid 5 storage.
I run one service per VM because I like being able to nuke the whole thing without bringing down any other services.
You can get some good hardware on eBay if you know what you’re looking at. The HDD’s and SSD’s cost more than the server. Electricity probably runs about $16/mo.
Biggest problem I’ve got coming up is what I’m going to do for backups once I exceed Veeam Community Edition’s 10 VM limit.
Three most important VM’s are Jellyfin (whole family uses every day), Paperless-ngx (I use every day), and Jitsi (kids use to video call Grandma and Grandpa). Most of the other stuff is non-essential.
Encryption and decryption can be resource intensive processes. Most firewalls typically have a lower throughput for VPN connections than they do for just straight routing because of the extra processing power required for VPN. Based on what little I’ve read, it seems like CPU’s with AES-NI are capable of handling the encryption process more efficiently, which probably reduces system load and allows for more throughput.
This only helps in situations where your firewall is either serving or connecting to a VPN. It won’t make any difference if you’re connecting to a work VPN from your computer. Even if you are hosting a VPN connection from your firewall, AES-NI is probably overkill unless you’re planning to connect a bunch of clients to it at the same time or plan to do something like file transfers at Gigabit speeds.
You’re probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app can’t resolve the DoH server IP and therefore won’t be able to use DoH.
Your router is, at its core, a very advanced traffic cop, and NAT – Network Address Translation – is its primary function. You have multiple devices on your local network (LAN) that need to communicate with other non-local servers via the WAN (i.e. the internet). Now you have a problem. Your ISP assigns you (usually) a single IP address on their network which is on a different subnet than your LAN. Devices on your local network and devices on the WAN are not aware of one another and cannot communicate with each other directly. So, requests have to be routed to the correct destination via your router.
Let’s say you’re trying to pull up a website on your computer. Your computer sends the request to the router. Your router alters the IP packet headers so that the request source address, and therefore the address that the server responds to, is your WAN IP instead of the requesting device’s LAN IP. Your router then forwards the packet to the destination server, tracks the connection, and forwards the response back to your computer.
Let’s say you’re hosting a web service on your home server that you want to make available publicly. You would set up a dst-nat (often called port forwarding) rule in your router/firewall which will tell your router to redirect any requests received at the WAN IP on port 80 or 443 to your home server’s IP address. Unlike SRC-NAT, your router doesn’t replace the source IP address. Just the destination. Your server knows that the requesting device is not on your LAN subnet and will forward the response back to the gateway (your router) which is already tracking the connection and will forward the response back to the requesting device via the WAN.
Since DST-NAT is just changing the destination IP address and routing the packet to the new destination, this can be done internally in some situations as well. To redirect DNS requests, you would set up a rule in your router/firewall to grab outbound UDP packets that originated from the LAN, do not originate from your internal DNS server, and have a destination of port 53, and redirect/dst-nat them to the IP address of your choice. The new destination can be an internal or external IP address and the requesting device won’t know the request was redirected. OpenWRT’s documentation actually has a section that deals with DNS redirection which you can find here. The DNS redirection part is near the bottom of the page.
Some days I miss my old LG Plasma. Sold the house and left it bolted to the wall. 1080P, deep blacks, crisp colors, and zero “smart” features.
It put off enough heat to warm up the living room but that was only a “bug” in the summer months. Simpler times.
That’s correct. I block DoT in my firewall and block known DoH domains in piHole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.
Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.
I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it. I don’t have an OPNSense firewall but I would think it should be able to do that as well.
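As an added illustration of the SRC-NAT, port-forward and DNS-redirect behaviour described in the two posts above (a model written for this page, not code from the poster, OpenWRT or OPNsense), here is a small Python router with a connection-tracking table. All addresses, the Pi-hole, web server and WAN IP are constructed; it also assumes the Pi-hole sits on the same LAN as the clients, so the hijacked query is additionally masqueraded to the router's LAN address so that the Pi-hole's answer passes back through the router to be un-translated.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the model (not from the original posts).
LAN_NET = "192.168.1."        # toy subnet test: prefix match only
ROUTER_LAN = "192.168.1.1"    # router's LAN-side address
PIHOLE = "192.168.1.2"        # Pi-hole, the only LAN host allowed to reach port 53 directly
WEBSRV = "192.168.1.20"       # home web server behind a port forward
WAN_IP = "203.0.113.10"       # single address the ISP assigned to the router

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

class Router:
    def __init__(self):
        # post-NAT 5-tuple of the expected reply -> packet as the requester sent it
        self.conntrack = {}

    def dnat(self, pkt):
        # DNS hijack: LAN traffic to port 53 that did not come from the Pi-hole
        # (nftables equivalent: iifname "br-lan" ip saddr != 192.168.1.2 udp dport 53 dnat to 192.168.1.2)
        if pkt.src.startswith(LAN_NET) and pkt.src != PIHOLE and pkt.dport == 53:
            return replace(pkt, dst=PIHOLE)
        # Port forward: anything hitting the WAN address on 80/443 goes to the web server
        if pkt.dst == WAN_IP and pkt.dport in (80, 443):
            return replace(pkt, dst=WEBSRV)
        return pkt

    def forward(self, pkt):
        """Apply DNAT, then any SNAT the path needs, and record the mapping."""
        out = self.dnat(pkt)
        if out.src.startswith(LAN_NET) and not out.dst.startswith(LAN_NET):
            out = replace(out, src=WAN_IP)      # LAN -> WAN: masquerade as the WAN address
        elif out.dst != pkt.dst and out.src.startswith(LAN_NET):
            # Hairpin: requester and new destination share the LAN; without this masquerade
            # the Pi-hole would answer the client directly, with a source it never asked.
            out = replace(out, src=ROUTER_LAN)
        self.conntrack[(out.proto, out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        """Un-translate a reply via conntrack so the requester sees the address it asked;
        inbound traffic with no state is dropped (None)."""
        orig = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport, orig.proto)
```

Feed a client query for 8.8.8.8:53 through forward() and the Pi-hole's answer through reply() to see the client receive a response that appears to come from 8.8.8.8.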
Personal accounting is a tough one. I recently switched accounting software. There aren’t really any great FOSS options that I’ve found and automatic bank transaction syncing is a major obstacle there. Not to mention, any good accounting software is complex and detail oriented. I ended up switching to Quicken; which is probably not a phrase said often. Quicken Desktop is legacy and their online/mobile offering is lackluster at best. But the desktop suite, “Quicken Classic”, effectively has no competitors and has a feature set far more advanced than any other personal accounting suite.
I’ll admit my situation is probably unique. I manage our personal finances and two businesses and I am incredibly picky. The next logical step would be QuickBooks but I don’t have a payroll and don’t really want to spend that kind of money. I made the switch – somewhat begrudgingly – and after doing lots and lots of research. Overall I don’t regret going with Quicken. I definitely have some complaints and concerns, not the least of which is that it’s closed source and extracting my data would be difficult. If I had the time, I probably would have used Excel w/ Tiller. That gives you the flexibility to do just about anything. But, spending my evenings creating VBA scripts and pivot tables is not my idea of a good time. I really wish there were a better and more comprehensive solution because I would be all over it.
I would not recommend using your primary desktop for self hosting. If you just absolutely have to, install Virtual Box or some other hypervisor solution and run your servers in separate VM’s.
Use a dedicated host. It can be a desktop, server, Raspberry Pi, etc. Depending on your needs. Sooner or later you’ll find that hosting on a workstation that you use for other things is horribly inconvenient. Depending on what you’re self hosting, it can consume lots of resources. If you become dependent on the services you’re hosting, which is the point of self hosting to begin with, even really small things like rebooting your workstation can become really inconvenient.
I’ve got an old Dell PowerEdge ticking away in my basement that runs all my VM’s. I can reboot my desktop without interrupting any of my self hosted services. It also makes it easier to back up my VM’s and I can easily spin up a new one if needed. You have to be careful if you use server hardware though. The T430 that I have is pretty efficient but some servers can be thirsty little space heaters.
Mine is kind of similar. Hyper-V backed up with Veeam to a separate logical disk (same RAID array, different HDD’s). Veeam backups are replicated to iDrive with rsync.
I need to readjust my replication schedule to prioritize the critical backups because my upload speed isn’t fast enough to do a full replication that often.
You don’t have to worry about the backups. It’s the data recovery that will require divine intervention.
Make sure the appliance you choose can handle the throughput. Just because it has two 10g nics does not mean you’ll get 10g throughput, especially if you start loading it up with firewall rules. Protectli makes some nice little appliances that are designed for running OpnSense.
When I was a kid, the first PC I built was a white box with a Pentium 4 HT, which was still a fairly new CPU at the time. It ran hot so I cut a hole in the side of the case, bolted a 120 mm fan in the hole, and covered it with a shroud that I think I must have fabricated with aluminum fascia.
It didn’t look pretty but it worked. And it kept my bedroom toasty in the winter.
If you want a really good, capable firewall that’s easy to configure, go with OpnSense.
If you want granular control and [near] enterprise grade features for a low price, go with Mikrotik.