The internet can feel like it's built for speed.
You join a new service and you're presented with a feed. The name tells you all you need to know. The feed is the actor. You are the thing that is acted upon. You don't control the feed. Your role is
Once again, thank you for your insight! It truly does help a lot.
Today I learned the VPN routing is the cause of my issues, I opted to expose my homelab to WAN and tried to connect over LTE/5G and was surprised to see it actually resolve!
I also learned Fail2Ban has failed me in this regard.
Unfortunately this now throws a wrench in my plans In regard to security so now I’m debating on getting another piece of hardware and labelling one as “front end” and the other as “back end” so that the “back end” doesn’t share the same public IP as the “front end”.
Realistically, you don’t need security, NAT alone is enough since the packets have nowhere to go without port forwarding.
But IF you really want to build front end security here is my plan.
ISP bridge -> WAN port of openwrt capable router with DSA supported switch (that is almost all of them)
Set all ports of the switch to VLAN mirroring mode
bridge WAN and LAN sides
Fail2Ban IP block list in the bridge
LAN PORT 1 toward -> OpenWRT running inside Proxmox LXC (NAT lives here) -> top of rack switch
LAN PORT 2 toward -> Snort IDS
LAN PORT 3 toward -> combined honeypot and traffic analyzer
Port 2&3 detect malicious internet hosts and add them to the block list
(and then multiple other openwrt LXCs running many many VPN ports as alternative gateways, I switch LAN host’s internet address by changing their default gateway)
I run no internal VLAN, all one LAN because convenience is more important than security in my case.
Once again, thank you for your insight! It truly does help a lot.
Today I learned the VPN routing is the cause of my issues, I opted to expose my homelab to WAN and tried to connect over LTE/5G and was surprised to see it actually resolve!
I also learned Fail2Ban has failed me in this regard.
Unfortunately this now throws a wrench in my plans In regard to security so now I’m debating on getting another piece of hardware and labelling one as “front end” and the other as “back end” so that the “back end” doesn’t share the same public IP as the “front end”.
This has ignited a spark to rework my homelab!
Realistically, you don’t need security, NAT alone is enough since the packets have nowhere to go without port forwarding.
But IF you really want to build front end security here is my plan.
ISP bridge -> WAN port of openwrt capable router with DSA supported switch (that is almost all of them) Set all ports of the switch to VLAN mirroring mode bridge WAN and LAN sides Fail2Ban IP block list in the bridge
LAN PORT 1 toward -> OpenWRT running inside Proxmox LXC (NAT lives here) -> top of rack switch LAN PORT 2 toward -> Snort IDS LAN PORT 3 toward -> combined honeypot and traffic analyzer
Port 2&3 detect malicious internet hosts and add them to the block list
(and then multiple other openwrt LXCs running many many VPN ports as alternative gateways, I switch LAN host’s internet address by changing their default gateway)
I run no internal VLAN, all one LAN because convenience is more important than security in my case.