Max_P

@Max_P@lemmy.max-p.me

Just some Internet guy

He/him/them 🏳️‍🌈


Max_P ,

Gives memories of all those crappy "draft N" routers that played loose with the spec and were full of problems.

I'd rather wait for final spec hardware.

Max_P ,

You can layer them however you want, so you can slap luks on the physical drives, or the mdraid, or the individual LVM volumes as you do right now. If the entire setup is either locked or unlocked, luks between the raid and LVM PV makes sense. Having luks on the individual LVs has the advantage that you can have your data partially unlocked.

2FA is complicated. You can use a second factor like, you need to enter both a password and be in possession of the flash drive, but you can't do it with the standard TOTP codes because you need the key to validate them in the first place.

One thing you can explore is TPM: the computer can detect if it's been tampered with, and if all checks out, it will unwrap the key. You can add a password or flash drive as a second factor. There's also the whole smartcard rabbit hole.

What exactly are you unsatisfied with? I think that's a better starting point to advise on.
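Why a TOTP code cannot serve as an unlock factor while a passphrase plus a keyfile can, as an added example that is not part of the original comment. The function names, the PBKDF2 parameters and the way the two factors are combined are assumptions for illustration, not how LUKS itself processes keyfiles.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_verify(stored_secret: bytes, code: str, unix_time: int) -> bool:
    # The verifier has to read stored_secret in the clear *before* it can
    # judge the code. On a locked disk that secret would have to sit outside
    # the encryption, and the check becomes a yes/no gate in unencrypted boot
    # code rather than something the volume key depends on.
    return hmac.compare_digest(totp(stored_secret, unix_time), code)


def derive_unlock_key(passphrase: bytes, keyfile: bytes, salt: bytes) -> bytes:
    # Both factors are *inputs* to the key derivation. Nothing secret is
    # stored next to the ciphertext; without the flash drive's keyfile the
    # right key simply cannot be computed. (Illustrative combination only.)
    material = passphrase + hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 200_000, dklen=32)


# Constructed sample values.
RFC_SECRET = b"12345678901234567890"             # RFC 6238 test secret
SALT = b"constructed-salt"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59))
    good = derive_unlock_key(b"hunter2", b"keyfile-on-usb", SALT)
    bad = derive_unlock_key(b"hunter2", b"some-other-file", SALT)
    print("same key without the keyfile?", good == bad)
```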

Max_P ,

It wants you to put in whatever nameservers you will be using. It's pretty nice, it's even offering you glue records if you're to self host your DNS too!

Most domain registrars tend to also offer DNS services and even default to using theirs, so it's often thought those come together. It seems like eu.org doesn't. So you have to provide your own. That could be Cloudflare or any number of DNS providers out there.

Most of those DNS providers will give you two name servers that you can input there. Minimum is 2 but some have 4 and 8 too, but it's rare. You just put them there for the first two and you can leave everything else blank.

Max_P ,

Yeah slightly misleading but I guess they did mention a card specifically, not GPU.

But for a moment I was like wow, 100FPS in software rendering, that's impressive even for an EPYC.

Max_P ,

The votes are public. Kbin displays them right in the UI. Lemmy semi-hides it, but it's never been designed to be private in any way.

Changing instance won't do shit if that's a concern to you. As an admin I can see them even if my instance isn't involved with the post at all:

https://lemmy.max-p.me/pictrs/image/6bae7aa5-20a3-497e-9012-dc4c8a869eb4.png

Max_P ,

And this is why we have access to the votes, and why the protocol doesn't obfuscate them.

Admins can deploy scripts to detect those kinds of patterns and act on it.

Reddit Advised to Target at Least $5 Billion Valuation in IPO (www.bloomberg.com)

Reddit Inc. is weighing feedback from early meetings with potential investors in its initial public offering that it should consider a valuation of at least $5 billion, according to people familiar with the matter, even as it is estimated below that figure in the...

Max_P ,

L4s is a bot and it seems to source from a lot of the mainstream journals that all have those stupid paywalls.

I guess people are just expected to have a solid ad blocker these days.

Also I think a fair chunk of those sites let you read the article if you're coming from Twitter/Reddit but that doesn't work on Lemmy.

Max_P ,

What baffles me is that those lawmakers think they can just legislate any problem with law.

So okay, California requires it. None of the other states do. None of the rest of the Internet does. It doesn't fix anything.

They act like the Internet is like cable and it's all American companies that "provide" services to end users.

Max_P ,

Hard to understand but at least there's multiple implementations other than ntpd, like Chrony and systemd-timesyncd.

Max_P ,

Except not everyone has learned English, and not everyone can, especially older people.

Lemmy has that feature built-in that communities can support arbitrary languages. If you don't want to see them you can literally just pick your languages in your profile, and it'll automatically ignore what you can't read.

A bit weird in practice, but it's intended from the start to be available in everyone's languages without having to make news-de, news-fr, news-es communities or have to rely on regional instances.

If we went with maximizing who can read your post then it should be in Chinese. The assumption that English is the default language for everything is very American.

VPN to home network options

I currently have a server running Unraid as the OS, which has some WireGuard integration built in. Which I've enabled and been using to remotely access services hosted on that server. But as I've expanded to include things like Octopi running on a Pi3 and NextcloudPi running on a Pi4 (along with AdGuardHome), I'm trying to...

Max_P ,

Any reason the VPN can't stay as-is? Unless you don't want it on the unraid box at all anymore. But going to unraid over VPN then out the rest of the network from there is a perfectly valid use case.

Max_P ,

> but then Router B responds with Destination unreachable (Network unreachable),

That's... interesting. Router B shouldn't be involved at all with this, it should be blindly forwarding the packets. That's a layer 3 error!

How's the bridge set up? Have you made sure router B doesn't do DHCP and doesn't take the IP of router A by accident?

Max_P ,

Hmm, I see, it's not a real L2 bridge, it's a hacky pretend one that relays.

I don't have a solution for this particular situation, but I do have a suggestion on how I would do it:

  • Make B have its own subnet, say, 192.168.1.0/24, assuming that A is on 192.168.0.0/24. Enable DHCP and everything, it's now its own full network.
  • Make B a client of A with a static IP, like 192.168.0.2. That makes B present on A's network.
  • Add a route on A for B's network: 192.168.1.0/24 via 192.168.0.2.
  • Disable NAT on B, just set A as the default route. Since A can talk to any IP on B, B doesn't need to NAT, A can handle it for both networks.

Now, both routers should be able to exchange traffic while being responsible for their own subnet. The only thing missing would be to handle broadcasts so stuff like Bonjour/Avahi works correctly. But as a whole both layer 2 and 3 would behave a bit more cleanly with fewer surprises.

I think what's going on is B sorta pretends to be A in some way to do the relaying but something is going wrong.

Max_P ,

Sounds about right.

> I think I set this right: Network->Routing->Add->(Interface: wwan, Route type: unicast, Target: 192.168.0.1/24, Gateway: 192.168.1.1)

That doesn't seem right. If you're using the exact same subnet numbers I've used for example: that'd be target 192.168.1.0/24 (B's network) gateway 192.168.0.2 (B's IP on A's network as a WiFi client).

Router B is on two networks at the same time: its own (192.168.1.1/24) and A's network (192.168.0.2/24).

Router A is only on its own network (192.168.0.1/24) and talks to router B as just a client on its network (192.168.0.2). Whenever it has data to send to the 192.168.1.x network, it sends it to 192.168.0.2 which is on that network and will relay it.

> How would I go about doing this? I can’t find any definitive information on how to disable NAT in OpenWRT.

Router B would have wan configured as a WiFi client with a static IP of 192.168.0.2/24 and default gateway of 192.168.0.1 (router A). The regular default route will do just fine, as that will cover A's network as well. We'd only need to configure more if there was a third router involved. From there you just need to disable the IP masquerading option in Network -> Firewall (you want it unchecked):

Firewall configuration for zone "want"

You don't need masquerade even though it's technically a "wan" because A knows how to send traffic to B's clients, so B itself doesn't have to pretend its clients come from itself.

> I do need this. I believe this would then require an mDNS reflector, right (it wasn’t required before as relayd was bridging the networks)?

Correct. I found this: https://blog.christophersmart.com/2020/03/30/resolving-mdns-across-vlans-with-avahi-on-openwrt/

If that proves too complicated, I'd consider trying out the GRE tunnel method your original article suggests as an alternative to relayd. It's kind of like a super basic VPN that I think can be hardware offloaded so I wouldn't expect much of a performance hit, maybe even less than the relayd option.
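A sanity check for the static route discussed in the comment above, as an added example that is not part of the original thread. It evaluates a route as it would be entered on router A (192.168.0.1/24) and flags the mistakes seen in the quoted attempt; the function name and the set of checks are assumptions chosen for this illustration.

```python
import ipaddress


def check_static_route(connected, target, gateway):
    """Return a list of problems with a static route.

    connected: this router's own interface addresses in CIDR form
    target:    destination network of the route
    gateway:   next hop for that destination
    """
    problems = []
    ifaces = [ipaddress.ip_interface(c) for c in connected]
    gw = ipaddress.ip_address(gateway)

    # A route target must be a network address, not a host inside it.
    try:
        net = ipaddress.ip_network(target, strict=True)
    except ValueError:
        net = ipaddress.ip_network(target, strict=False)
        problems.append(f"target {target} has host bits set (network is {net})")

    # Routing a subnet the router is already attached to is pointless.
    if any(net.overlaps(i.network) for i in ifaces):
        problems.append(f"target {net} overlaps a directly connected network")

    # The next hop has to be reachable on a directly connected network.
    if not any(gw in i.network for i in ifaces):
        problems.append(f"gateway {gw} is not on any connected network")

    # The router cannot be its own next hop.
    if any(gw == i.ip for i in ifaces):
        problems.append(f"gateway {gw} is this router's own address")
    return problems


ROUTER_A = ["192.168.0.1/24"]  # router A's address, taken from the thread

if __name__ == "__main__":
    # The route as quoted in the thread, then the corrected one.
    for target, gateway in [("192.168.0.1/24", "192.168.1.1"),
                            ("192.168.1.0/24", "192.168.0.2")]:
        issues = check_static_route(ROUTER_A, target, gateway)
        print(f"{target} via {gateway}:", issues or "ok")
```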

Max_P , (edited )

I think you also need to enable full forwarding to and from wan on Router B. I forgot it defaults to not doing that. Set input, output and forward to ACCEPT on Router B on the wan zone, and make sure you also allow forwarding to and from the lan zone. Router A should be fine, I assume A's WiFi and LAN are the same?

Basically now, Router A sends the traffic to B but B doesn't forward it to its LAN. But since we don't have NAT, A's devices address B's devices directly, not B itself, and there isn't any connection tracking happening, so it doesn't "remember" to allow the ping response back in. If you WireShark this, I bet B is successfully sending packets to A and A's devices, and A's packets make it all the way to B but B doesn't forward it to its own LAN, and it stops there.

Can you post the output of ip ro and ip a on both routers? (Feel free to redact your public IP/ISP stuff if it shows up)

Max_P ,

Interesting, lan zone doesn't allow forward from wan but wan does allow both ways, maybe that's the one missing. I expect OpenWRT to wire it up both ways automatically... OpenWRT is a mystery sometimes.

Actually no, both show unspecified. You need both zones to allow both ways from the other zone.

Max_P ,

Erm, okay that's not looking promising. It's starting to look like Router A doesn't like this setup at all. It's not routing B's traffic, possibly because it's not the subnet it expects to serve. Ugh. Check all the options you can in Router A if you can find something that will allow it to work.

You can fairly easily test that by enabling masquerading on B. It'll break most of what we just set up but it'll confirm that.

We still have some options on the OpenWRT side to make it masquerade only public traffic but now I'm wondering if A will even let you port forward to something on B. I would try that now and see if it works.

Is A able to ping B and devices on B, or only on A? A itself has a route for B's subnet right?

Formula E team fires its AI-generated female motorsports reporter, after backlash: “What a slap in the face for human women that you’d rather make one up than work with us.” (www.caranddriver.com)


Max_P ,

We all know the sole purpose was that the fanbase can sexually harass her freely without actually having to deal with handling the misogyny.

Max_P ,

The ads come from an ad network where there is very little visibility into what's going to be displayed in your app. And bad people also keep managing to get their ads published even though the ad network doesn't allow them.

And it all ties into the whole targeted advertising, where they also make sure very few people get the bad ad, and try to target people they think may be more susceptible to these kinds of tactics. Depending on the amount of interactivity allowed, the ad can even display two different things if it deems you too savvy to fall for it.

It's basically inescapable unless you only use apps without ads, or pay for the ad-free versions.

The whole advertising industry is sketchy, more news at 10.

Max_P ,

Yes but by doing so you're using the same principles as MBR boot. There's still this coveted boot sector Windows will attempt to take back every time.

What's nice about EFI in particular is that the motherboard loads the file from the ESP, and can load multiple of them and add them to its boot menu. Depending on the motherboard, even browse the ESP and manually go execute a .efi from it.

Which in turn makes it a lot less likely to have bootloader fuckups because you basically press F12 and pick GRUB/sd-boot and you're back in. Previously the only fix would be boot USB and reinstall syslinux/GRUB.

Max_P ,

Wat

sudo pacman -Rnsc nvidia-utils lib32-nvidia-utils

Unless you went to the NVIDIA website and ran the .bin, you're not supposed to do that on any distro unless you want problems.

Although it still shouldn't use an inactive driver.

Max_P ,

That will depend on usage. If you subscribe to a lot of communities that are very active the database will grow fairly fast. If your users post a ton of large files then that will grow much much faster than the database. Your instance also caches image thumbnails so that can grow somewhat fast too.

Currently sitting at 750 MB for pictrs and 500MB for postgres after a week, so you may want to plan a decent size but 30-40GB should be fine for a while to get started. Add some monitoring for when it reaches 10, 20 and 30GB and keep an eye on it.
