bigDottee

joined 2 months ago
[–] bigDottee@geekroom.tech 8 points 3 weeks ago (1 children)

I never stopped using it. There are privacy issues with all browsers. I like how Firefox works, but I regularly end up using Firefox, chrome, and edge all at the same time. I use them for some compartmentalization of my tasks and work lol

[–] bigDottee@geekroom.tech 3 points 3 weeks ago (2 children)

Certainly has me concerned. I'll have to investigate a bit more into the financial solvency of the company to better understand whether they are at least covering bills and such... but honestly sounds like they aren't and haven't been.

Going to need to start looking for alternative S3 type storage.

[–] bigDottee@geekroom.tech 1 points 3 weeks ago

GeekRoom.Tech hosted in Ashburn, Virginia, USA.

[–] bigDottee@geekroom.tech 2 points 1 month ago

I’ve got qbit running in the following configuration…

Core i5-8500T hardware > proxmox > Ubuntu virtual machine > docker > qbit. Currently seeding nearly 500 torrents and using less than 4gigs of ram. Qbit itself is running on ssd, while all torrent files are running on hard drives over SMB share. Something is up with your system.

[–] bigDottee@geekroom.tech 7 points 1 month ago (2 children)

That or they have failing hardware or really bad upload or something. Maybe they’re using a bad client or something. Seems odd for sure.

[–] bigDottee@geekroom.tech 4 points 1 month ago

I’m a geek, my wife claimed I love my Wi-Fi more than her (in a playful way) so I said, I love you just as much as my Wi-Fi…. Called her my Wi-Fi… Then it just kinda stuck.

[–] bigDottee@geekroom.tech 6 points 1 month ago (5 children)
[–] bigDottee@geekroom.tech 9 points 1 month ago (4 children)

I’m part of a private tracker and am hosting some low seeder torrents all the time using my servers. If you want I can download them from you, set them to their own category so they don’t get removed and just seed them for ya. Feel free to message me.

[–] bigDottee@geekroom.tech -2 points 2 months ago

That's pretty obvious. Their body panels are falling off and showing how little there actually is to their vehicles :D

 

EDIT: I found the following tutorial after posting this (and then finding some sites not resolving properly): https://labzilla.io/blog/force-dns-pihole .... this tutorial better describes the 3 NAT rules that are implemented and details how they operate. I have seen that these rules operate better than how I have things configured.

Previously, I have set up multiple AdGuard Home instances on my personal network and have all VLANs pointing to those instances. This works well, like 99% of the time. However, there are times where kids or others have devices (Amazon tablets, Roku TVs, etc.) that have external DNS resolvers (like Google DNS) as a fallback in case there are issues with the local DNS. Now... I literally want to avoid this. Part of this is due to restricting children's access on the Internet, some is due to making sure that everything gets logged. When these devices are permitted to bypass local DNS resolvers, it opens up the Internet for wide consumption, such as being able to access YouTube without restriction.

Here is my method of forcefully redirecting all DNS requests to AGH on OPNsense.

Now, I understand from others, that I have a complicated setup and I have only continued to complicate this network, all in the name of network security and segregation since there are some services that I expose publicly.

First, since I have two AGH instances and then two Windows Server Active Directory servers as primary DNS, I setup an Alias for those instances:

Firewall > Aliases

Create a new Alias, providing a name that relates to AGH... I chose "AdGuard_LAN_DNS_Servers" ... it specifically identifies that it is AdGuard related, but also specifies that it is for LAN.

  • Type: Hosts
  • Categories: enter something if you want... I chose "DNS"
  • Content: Enter each individual IP, pressing Enter after each.

Save.

Go to Firewall > NAT > Port Forward, create a new rule. (we'll refer to this as Rule 1 as a reference for this post)

Enter the following:

  • Interface: LAN
  • TCP/IP Version: IPv4
  • Protocol: TCP/UDP
  • Destination/Invert: Checked
  • Destination: LAN net
  • Destination port range: DNS
  • Redirect target IP: AdGuard_LAN_DNS_Servers (use alias name from above)
  • Redirect target port: DNS
  • Pool Options: Round Robin or Random. I chose Round Robin with Sticky Address
  • Category: DNS (not necessary though)
  • Description: enter something if you want
  • NAT Reflection: Use system default
  • Filter Rule Association: create system rule

Save. Apply changes.

At this point, the rule should cause redirection to occur. You can test this. For instance, on Linux, when the above rule is disabled, if you run the command host yahoo.com 8.8.8.8, this will force an NSLookup using the name server 8.8.8.8 (google's DNS) and will return valid values. However, once you enable the rule and apply the configuration changes, if you attempt the same command again, it should fail.

I have applied the same rules for every single VLAN that I have set up and every VLAN is now unable to access external DNS.

The only remaining permission that I needed to have added is to permit my AdGuardHome instances to effectively "bypass" the restrictions that OPNsense has now put in.

Firewall > Rules > LAN:

Create rule (we'll refer to this as rule 2)

  • Protocol: TCP/UDP
  • Source: AD_DNS_Servers
  • Destination: any
  • Gateway: WAN

This permits my AD DNS Servers to access the internet, without going through the port forwards.

Create another rule: (we'll refer to this as rule 3)

  • Protocol: TCP/UDP
  • Source: AdGuardHome_LAN_DNS_Servers
  • Destination: AD_DNS_Servers
  • Port: DNS

Save; This gives permission for AGH instances to access my local primary DNS servers that are "upstream" of AGH.

Finally, we need to make sure that our firewall rule ordering is in order, to make sure to permit access without causing blockers.

I have rules configured in the following order on Firewall > Rules > LAN:

2, 3, 1

This permits all DNS servers to access WAN. Then it permits AGH to access AD DNS servers on port 53. Finally, the port forward that redirects all DNS requests to AGH.

If you have questions, please feel free to ask below!
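The ordering argument above (2, 3, 1) is easier to see with a tiny first-match model of the rules. The following is an added example, not part of the original post and not OPNsense's or pf's rule engine: it evaluates rules top to bottom, stops at the first match, and applies the "Destination/Invert" and round-robin-with-sticky-address behaviour described in the post. The LAN subnet (192.168.1.0/24), the alias members and the client IPs are assumed sample values; the "lan-allow-any" rule stands in for the stock LAN allow rule that is not listed in the post.

```python
"""Simplified first-match model of the three OPNsense rules from the post.

Constructed illustration only: rules are evaluated top to bottom and the
first match wins, which is the ordering argument the post makes (2, 3, 1).
All addresses, the LAN subnet and the alias members are assumed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed "LAN net"
DNS_PORT = 53

# Assumed alias contents (the post defines the aliases but not the IPs).
ALIASES = {
    "AdGuard_LAN_DNS_Servers": ["192.168.1.10", "192.168.1.11"],
    "AD_DNS_Servers": ["192.168.1.20", "192.168.1.21"],
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                     # "pass" or "redirect"
    src: Optional[str] = None       # alias name, or None for any source
    dst: Optional[str] = None       # alias name, "LAN net", or None for any
    dst_invert: bool = False        # the "Destination/Invert" checkbox
    dport: Optional[int] = None     # None means any port
    target: Optional[str] = None    # redirect pool alias (redirect only)
    gateway: Optional[str] = None   # e.g. "WAN" for policy routing

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and pkt.src not in ALIASES[self.src]:
            return False
        if self.dst is None:
            dst_hit = True
        elif self.dst == "LAN net":
            dst_hit = ipaddress.ip_address(pkt.dst) in LAN_NET
        else:
            dst_hit = pkt.dst in ALIASES[self.dst]
        return dst_hit != self.dst_invert   # invert flips the destination match


# The three rules from the post plus a stand-in for the stock LAN allow rule.
RULE1 = Rule("1 redirect-dns", "redirect", dst="LAN net", dst_invert=True,
             dport=DNS_PORT, target="AdGuard_LAN_DNS_Servers")
RULE2 = Rule("2 ad-dns-to-wan", "pass", src="AD_DNS_Servers", gateway="WAN")
RULE3 = Rule("3 agh-to-ad-dns", "pass", src="AdGuard_LAN_DNS_Servers",
             dst="AD_DNS_Servers", dport=DNS_PORT)
LAN_ALLOW = Rule("lan-allow-any", "pass")


class Firewall:
    """First-match evaluator with round-robin + sticky-address redirect."""

    def __init__(self, rules):
        self.rules = rules
        self._next = {}     # rule name -> next index into its pool
        self._sticky = {}   # (rule name, source ip) -> chosen pool member

    def _pick_target(self, rule: Rule, pkt: Packet) -> str:
        key = (rule.name, pkt.src)
        if key not in self._sticky:              # first query from this source
            pool = ALIASES[rule.target]
            i = self._next.get(rule.name, 0)
            self._sticky[key] = pool[i]          # sticky: reuse for this source
            self._next[rule.name] = (i + 1) % len(pool)   # round robin
        return self._sticky[key]

    def evaluate(self, pkt: Packet):
        """Return (matched rule name, final destination, gateway or None)."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "redirect":
                return rule.name, self._pick_target(rule, pkt), None
            return rule.name, pkt.dst, rule.gateway
        return "default-deny", pkt.dst, None


def posted_order() -> Firewall:
    return Firewall([RULE2, RULE3, RULE1, LAN_ALLOW])   # order 2, 3, 1 as posted


def naive_order() -> Firewall:
    return Firewall([RULE1, RULE2, RULE3, LAN_ALLOW])   # redirect placed first


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.50", "8.8.8.8", 53),        # client to Google DNS
        Packet("192.168.1.20", "8.8.8.8", 53),        # AD DNS forwarding out
        Packet("192.168.1.10", "192.168.1.20", 53),   # AGH to AD DNS
        Packet("192.168.1.50", "192.168.1.10", 53),   # client to AGH directly
    ]
    for label, fw in (("posted 2,3,1", posted_order()), ("naive 1,2,3", naive_order())):
        print(f"== {label}")
        for pkt in samples:
            print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport}  {fw.evaluate(pkt)}")
```

With the posted order, a client query to 8.8.8.8 is rewritten to an AGH member, the AD DNS servers still reach the WAN, and AGH reaches AD DNS on port 53. With the redirect placed first, the AD DNS servers' own outbound queries are caught by rule 1 and sent back to AGH, which is the loop the ordering avoids. The model also shows the limit of the control: only destination port 53 is matched, so any traffic on another port falls through to the allow rule untouched.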

[–] bigDottee@geekroom.tech 80 points 2 months ago (8 children)

Assuming that Tesla goes bankrupt, actually shuts down forever, and shuts its servers down…

At a minimum someone would have to find out where the software sends and receives data from. Then you’d have to reverse engineer the software to control the vehicles.

Then you’d have to reprogram the software to send to your C&C server. I don’t think it would really take all that much to host that… it’s getting there that’s difficult.

[–] bigDottee@geekroom.tech 11 points 2 months ago

I’d have to have friends across the internet that wanted files first…

[–] bigDottee@geekroom.tech 4 points 2 months ago

I’ve been using pinchflat which is essentially a front end for yt-dlp and it’s been working fine for me. Mind you, I have all YouTube traffic from pinchflat running through a VPN to a different country, but that’s because that system also sails the high seas 🏴‍☠️😂

 

Hello all, I’m looking to get some icons and header images setup for the GeekRoom.Tech instance and its associated communities.

Would you be willing to create community images and banner images? It’ll help identify the communities when individuals want to post to these communities and helps create a community brand.

If you have some ideas of images or want to donate some images that would help the communities stand out, please feel free to link higher quality images to a comment and I’ll check them out.

Thank you in advance for anyone willing to help contribute!

Images needed:

  • HomeLab icon and banner
  • DataHoarder icon and banner
  • FAQs icon and banner
  • GeekRoomMeta icon and banner
  • New Here icon and banner

I’ve got a site icon, but no banner. If you have other options for those images, I’d be happy to put something up there too!

 

I’m looking into switching from 1gig Ethernet in the network to at least 2.5gig for my core switch. I’d love to be able to do intervlan routing with a layer 3 switch but am unsure whether it’s worth my time and effort.

Should I instead just setup my OPNsense with LAGG of 3-4x 1gig ports and just continue routing VLAN traffic with it?

I know it’s not optimal, but I’m also looking to do things relatively within budget. I don’t want to spend $500+ on a 2.5/10gig layer 3 switch… but if that’s my only option I’ll consider it.

Edit: I made my decision. I found the Brocade ICX6610-48P. It ticks almost all the boxes that I’m looking for.

  • more than 4x 10gbps SFP+
  • layer 3
  • has plenty of expansion for both SFP+ ports and for Ethernet ports.

I know that it doesn’t have 2.5/5g speeds natively, but I’m understanding that if I set the SFP ports to 10G but have transceivers that are capable of negotiating 2.5 or 5g speeds, then it still works. Currently, I’ll continue using 1G speeds on my mini PCs, but my NAS and my proxmox node that hosts OPNsense will be 10G, even though I won’t necessarily need it since I’ll be switching to Layer 3 routing on the switch and not OPNsense. Eventually, I’ll play around with some 2.5/5g USB dongles for the mini PCs since they aren’t compatible with any additional modules for Ethernet. I think it will eventually completely replace my SG2428P since it doubles the amount of ports and has POE. Now it’s just the uphill battle to learn a new system and integrate it with my network and cause multiple outages at the same time 😂

 

I’ve got a few upgrades that I’m looking to do to my homelab and am looking for some suggestions on what to approach first.

I’ve currently got the following mini pcs:

  • 2x HP ProDesk 400 G4 (i5-8500t, 32gb ddr4)
  • 2x HP EliteDesk 800 G3 (i5-7500t, 32gb DDR4)

I’m looking to upgrade these units to 64gb ddr4 as I recently discovered that HP claims only 32gb supported but found there are people running 64gb in these. So that’s what I’d like to move to as well.

Additionally, I don’t use the WiFi cards in these, I run everything hardwired. I have seen some folks changing to a 2.5gb Ethernet adapter that uses the WiFi slot since the flexio port doesn’t support Ethernet in these generations. What adapters are supported?

 

Administration, moderation, and federation policy for GeekRoom.Tech

This post aims to lay out the rules and principles for how administrators, moderators, and users of GeekRoom.Tech should behave while using the GeekRoom.Tech name, address, and reputation. This is a set of formal rules that all users, admins, and mods must abide by.

Instance rules

This instance (like most others) has a set of rules which are always visible on the sidebar of the front page. All users of this instance are expected to follow these rules in all of their activities, including:

  • Community moderation
  • Posting
  • Commenting

⚠️ Our rules apply even when you’re posting in a community on another instance. For example, this means that you’re not allowed to post advertisement spam using your GeekRoom.Tech account on any other instance (even if that other instance has no rules).

Each community hosted on GeekRoom.Tech is free to have additional rules in addition to our instance wide rules, but instance rules supersede any community rules and must always be enforced.


Responsibilities

Admins

Moderators

  • Ensure that posts and comments in their communities don’t break rules
  • Ban users from their communities for consistently breaking rules
  • Ensure that they only provide accurate and clear reasons for mod actions

Users

  • Downvote low quality content
  • Report rule violations
  • Behave in a respectable manner

⚠️ Admins are not responsible for censoring content from other instances.

In exceptional cases (illegal or extremely disturbing content), admins will step in and purge the content from GeekRoom.Tech servers, but in general it is understood that our instance rules do not apply to external users on other instances, and censoring and curating external instances for our users is not a general goal for GeekRoom.Tech admins.

Federation Policy

You can see our federation policy here.

What should I do if I see content I don’t like on another instance?

  • If it’s low quality content, you should always down vote ⬇️
  • If you think it breaks local rules for the community or instance, then report it and local admins/mods will deal with it
    • Your reports will also reach GeekRoom.Tech admins, so if it’s about illegal content, then we can purge it from GeekRoom.Tech servers
  • If it’s just some user being a prick, then you can block that specific user (GeekRoom.Tech admins will not take action in case of external users posting on external communities)
  • If it’s a community dedicated to being awful in some way, then you can block that specific community
 

GeekRoom.Tech Federation Policy

As GeekRoom.Tech is a new lemmy instance, we have not seen any de-federation drama yet, but I want to make a point to address the policy of federation and de-federation in one place, prior to any drama that may eventually happen.

I am the head admin of GeekRoom.Tech. I have opened this instance to be a safe haven for all individuals that have a passion for technology, technology-related topics, and even those that just need a safe space to migrate from other websites such as Reddit without fear of shareholders forcing changes due to the need to make company profits.

This policy seeks to address how GeekRoom.Tech approaches de-federation and how we will handle discussions about de-federating from specific instances.

GeekRoom.Tech Statement of Federation

GeekRoom.Tech administration will treat de-federation as an absolute last resort and will not use it as a general purpose method of curating content for GeekRoom.Tech users. Administration will continue to federate with any willing instance.

Pros of federation

  • Federation is the strongest feature of Lemmy, Mastodon, Kbin, Mbin, and similar instances. While there is often confusion about what the "Fediverse" is, what "federation" is, and what it means for individual people trying to migrate or start anew, federation offers significant decentralization over sites like Facebook, Reddit, X, Instagram, and similar.
  • If a single instance goes down, it does not meaningfully affect the rest of the Fediverse. Users are able to choose to sign up for a new account on another instance, subscribe to their favorite communities again, and continue almost like nothing happened.
  • The maximum impact that a single instance administration team can have is limited to their own instance. An admin of an instance can only ban users from their own instance, they cannot have a significant impact on any other instance, besides de-federating from another instance, again, limiting their impact to their own instance. We can ban our own users from our instance, we can ban remote users from our instance, but those actions would only impact our own instance.
  • Federation offers significant privacy compared to centralized sites like Reddit and Facebook, because personalized details such as IP addresses or e-mail accounts are not shared between instances. If a user is extremely privacy-conscious and does not want to put trust in existing instances, they are more than welcome to self host their own instance.
  • Lemmy and similar types of instances are essentially the infrastructure of the Fediverse. Each branch of infrastructure offers multiple opportunities to get involved in communities.

Cons of de-federation

  • Every time an instance de-federates from the Fediverse, then it drives users to find other instances which may cause a higher level of centralization.
  • Lemmy and similar types of instances are essentially the infrastructure of the Fediverse. Each branch of infrastructure offers multiple opportunities to get involved in communities, however, the larger the instances become, the more centralized that particular branch becomes. This does unfortunately negate the positives of federation and can cause an impact for a larger number of users.
  • Collateral damage can be significant. If we de-federate from another instance at the demand of one, a dozen, or maybe even a few hundred users (when we get there), then all of those users that weren't involved in any drama or discussion will also be affected.
  • It is incredibly easy for malicious actors to abuse this. If someone goes on to another instance and starts posting spam or generally malicious content and then approaches the admins of the instance with "evidence" of why that other instance should be de-federated, then it's easy to be manipulated and make admins think they have no other choice than to de-federate from that other instance.
  • When instances de-federate from others, it means that users may end up requiring multiple accounts in order to be able to participate in discussions between instances, causing a very fragmented experience for them.

Alternatives to de-federation?

There are options that moderators and administrators of instances have, such as banning a user from a community and even from entire instances. If an entire community is used for hate, spam, or similar then those entire communities can be removed. Most issues can be resolved by simply communicating with other instance owners and either issuing bans for specific users or discussing how to handle those misbehaving users.

If GeekRoom.Tech de-federates over every single misbehaving user, we would likely not be federated with any other instances, which is something we seek to avoid.

Most individual clients have the option to block individual users and entire communities without involving instance admins. This leaves most of the decision up to the end-user rather than requesting involvement from admins.

When is de-federation the only option?

This is not a set-in-stone rule, but if an instance is abusing the Lemmy infrastructure by generating spam, posting illegal content - deliberately or not - then we may decide that de-federation is the appropriate last resort.

Conclusion

Most of what is written here is subjective, and for that I can only apologize. I will do my best to operate GeekRoom.Tech with the highest level of professionalism, maturity, and decisiveness to deliver the best experience for users across GeekRoom.Tech and throughout the Fediverse.

If you have questions or concerns, please feel free to share your thoughts in the comments so that we can have a public discussion on how federation and de-federation can be approached.

7
submitted 2 months ago* (last edited 2 months ago) by bigDottee@geekroom.tech to c/new_here@geekroom.tech
 

Hello! Just wanted to introduce myself a bit.

I’m a system administrator during the day working with some PITA IBM products, Linux, and related projects as smaller duties.

I’m an avid HomeLabber trying to expand my own skill set but also provide a way for people to engage and have meaningful conversations. During my free time I’m usually tinkering with existing self hosted services or trying to setup new ones to enhance my family’s experience or to make life easier in some fashion.

I have a passion for basically everything technology and learning as much as I can. I realize that as I get older, I’m not picking up on things as fast as I would previously, but I’m going to attribute that to attempting to introduce significantly more complex systems that require more effort, critical thinking, and time to implement.

Two of my most recent successes in my self hosting journey have been getting this Lemmy instance up and running, and also getting VLANs fully functioning in my home network. I have too many pieces to a puzzle that caused most people to be unable to help me successfully. It took me just about a year of off and on again searching through forums, asking AI and critical thinking on how to get VLANs working properly in my homelab. Well… home production … since there are family members and myself using these things on the regular.

Edit: as I read this post back I found a bunch of errors. iOS autocorrect has screwed me so many times, it’s frustrating. Why iOS doesn’t know “Lemmy” after I’ve saved it as a word so many times is baffling.

5
Lemmy Formatting help (geekroom.tech)
submitted 2 months ago* (last edited 2 months ago) by bigDottee@geekroom.tech to c/FAQs@geekroom.tech
 

Borrowing from @chaorace@lemmy.sdf.org's post and @pH3ra@lemmy.ml's post:

For anyone interested, here’s the Lemmy markdown configuration. As you can see, Lemmy’s website UI supports the full commonmark spec (tutorial / official spec), plus a bunch of extensions. I don’t think anyone’s fully documented these yet, so I’ll try doing so below. Apologies in advance to mobile users, this is probably gonna get ugly (see included image links for how it should look):

  • URL autolinking (plaintext URLs automatically turn into links, as recognized by Lemmy... but some may not be autorecognized due to new domain extensions)
  • Manually linking URL: [name of link](https://actual.link/) → name of link
  • Lemmy autolinking:
    • NOTE: No link will be inserted if the viewer is browsing an instance where the resource is not yet known/blocked
    • Communities: !fediverse@lemmy.ml → !fediverse@lemmy.ml (link ref: /c/fediverse@lemmy.ml)
      • Kbin-style is also supported: /m/fediverse@lemmy.ml → /m/fediverse@lemmy.ml
    • Users: /u/chaorace@lemmy.sdf.org → /u/chaorace@lemmy.sdf.org (link ref: /u/chaorace@lemmy.sdf.org)
  • Typography substitutions:
    • (c) → ©
    • (tm) → ™
    • (r) → ®
    • +- → ±
    • ... → …
    • --- → —
    • -- → –
    • ???? (>= 4x) → ???
    • !!!! (>= 4x) → !!!
    • horizontal rule (line between paragraphs) ---

  • **bold** → bold

  • *italics* OR _italics_ → italics

  • # Headings → # Headings (1 # for level1 heading, up to 5 #'s; must be at start of new line) [requires space between the #'s and the text]

  • [Link text](https://link.com/) → Link text

  • Github-flavor Markdown extensions:

    • Tables
    • Strikethrough: ~~example~~ → ~~example~~
  • Subscript/Superscript:

    • Sub: example~sub~ → example~sub~
    • Super: example^super^ → example^super^
  • Footnotes:

    • Inline part: example[^notename or a number] → example[^1]
    • Bottom part: [^1]: My reference (must be placed at VERY end of post to work.)
  • Ruby Text: {example base text|example ruby text} → {example base text|example ruby text}

    • “Ruby” is an html-ism for special pronunciation aids which frequently appear within young person’s media where the language includes non-phonetic characters (e.g.: Chinese characters)
    • Japanese Furigana example: {凄|すご}い!→ 凄い!
  • Spoilers:

    
visible text hidden part example

visible texthidden part example

  • Code blocks:

`inline code` → inline code

code block:

 ```
 println(“Hello World!”)
 println("Line 2")
 ```

becomes

println(“Hello World!”)
println("Line 2")

OR

4 spaces at beginning of each line to be included in the code block becomes

this is a code block
line 2

Code Block Syntax Highlighting!

After using the three backticks to start a code block, specify the language.

Rust:

    ``` rust
    // This is the main function
    fn main() {
        // Print text to the console
        println!("Hello World!");
    }
    ```

becomes:

// This is the main function
fn main() {
    // Print text to the console
    println!("Hello World!");
}

No language specified, defaults to "C" language:

// This is the main function
fn main() {
    // Print text to the console
    println!("Hello World!");
}

Text:

    ``` text
    // This is the main function
    fn main() {
        // Print text to the console
        println!("Hello World!");
    }
    ```

becomes:

// This is the main function
fn main() {
    // Print text to the console
    println!("Hello World!");
}

Python:

    ``` python
    // This is the main function
    fn main() {
        // Print text to the console
        println!("Hello World!");
    }
    ```

becomes:

// This is the main function
fn main() {
    // Print text to the console
    println!("Hello World!");
}

Finally:

If I want to write a character that will normally be interpreted as any of the above, I can escape the character with a backslash → \ ... So you can write something like \^this → ^this

[^1]: To make this footnote, I used the formatting defined above, preceding this text with "[^1]:"
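To show how the inline extensions listed above (typography substitutions, strikethrough, sub/superscript, ruby text and backslash escaping) interact, here is an added example of a small inline formatter. It is not Lemmy's own renderer and not code from the original post; it is a simplified stand-in that handles only the constructions documented above, HTML-escapes the input before emitting tags, and resolves backslash escapes before any substitution runs so that an escaped character is never re-interpreted. The sample strings in the test are constructed.

```python
"""Simplified inline formatter for the Lemmy extensions listed in the post.

Constructed illustration, not Lemmy's renderer. It covers: backslash
escaping, typography substitutions, ~~strike~~, ~sub~, ^super^ and
{base|ruby}. Input is HTML-escaped first so user text cannot inject tags.
"""
import html
import re

# Longest patterns first so "---" is consumed before "--".
TYPOGRAPHY = [
    ("(c)", "©"), ("(tm)", "™"), ("(r)", "®"), ("+-", "±"),
    ("...", "…"), ("---", "—"), ("--", "–"),
]

ESCAPE_RE = re.compile(r"\\(.)")          # backslash followed by any char
PLACEHOLDER_RE = re.compile(r"\x00(\d+)\x00")


def render_inline(text: str) -> str:
    """Return the HTML for one line of text using the documented extensions."""
    literals = []

    def stash(match: re.Match) -> str:
        # Escaped characters are stored verbatim (already HTML-escaped) and
        # replaced by a placeholder no later step can match.
        literals.append(html.escape(match.group(1), quote=False))
        return f"\x00{len(literals) - 1}\x00"

    text = ESCAPE_RE.sub(stash, text)
    text = html.escape(text, quote=False)   # neutralise raw <, > and &

    for src, dst in TYPOGRAPHY:
        text = text.replace(src, dst)
    text = re.sub(r"\?{4,}", "???", text)   # ???? (>= 4x) -> ???
    text = re.sub(r"!{4,}", "!!!", text)    # !!!! (>= 4x) -> !!!

    text = re.sub(r"~~(.+?)~~", r"<s>\1</s>", text)          # before single ~
    text = re.sub(r"~(.+?)~", r"<sub>\1</sub>", text)
    text = re.sub(r"\^(.+?)\^", r"<sup>\1</sup>", text)
    text = re.sub(r"\{([^|{}]+)\|([^|{}]+)\}",
                  r"<ruby>\1<rt>\2</rt></ruby>", text)

    # Put the escaped characters back, untouched by the passes above.
    return PLACEHOLDER_RE.sub(lambda m: literals[int(m.group(1))], text)


if __name__ == "__main__":
    for sample in ("x^2^ + H~2~O", r"\^this", "{凄|すご}い!", "(c) 2024 ... wow????"):
        print(f"{sample!r:28} -> {render_inline(sample)}")
```

The order of the passes is the point: escapes are stashed before the typography and markup passes so `\^this` comes out as `^this` rather than as the start of a superscript, and `~~` is handled before the single-tilde subscript rule so it is not consumed as two empty subscripts.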

 

Hello! I want to personally welcome you to GeekRoom.Tech. I seek to make this Lemmy instance a fantastic place for anyone and everyone that enjoys technologies of many different kinds.

GeekRoom.Tech is meant to provide a safe haven for individuals to have discussions without fear of censorship and fear of being banned for asking what others believe to be silly questions.

Everyone starts somewhere in their technology journey. I want to be sure that everyone is respectful in their discussions and understands that others may not have the easiest time understanding advanced topics as easily as you.

If you have any questions, please reach out to myself or any other mods or admins for assistance. We seek to enrich your brains and find ways to help you achieve your technological goals!

Email Contact: Contact@GeekRoom.Tech

Mastodon: @GeekRoomDotTech@Mastodon.Social

2
submitted 2 months ago* (last edited 2 months ago) by bigDottee@geekroom.tech to c/HomeLab@geekroom.tech
 

Over the last year, I have been trying to work through getting VLANs set up and operational in my Homelab... so that I can not only experiment, but also start segregating services from PCs and putting things like IOT devices and Guest devices on their own VLANs.

I come to you today, with a working solution for my own homelab. This post is mainly just to discuss the current state of my homelab, but also look for suggestions on how you would make any changes to my layout.

Current Hardware:

1x TP-Link Omada TL-SG2428P (my core switch)

3x TP-Link Omada TL-SG2210P (leaf switches on different floors)

2x HP EliteDesk 800 G4 (i5-8500T 6C6T, 32GB DDR4) aka Hyper2, Hyper3

2x HP ProDesk 800 G4 (i5-7500T 4C4T, 32GB DDR4) aka Hyper5, Hyper6

Whitebox server (i7-4790k, 32GB DDR3) aka Hyper4

TrueNAS whitebox (AMD FX-6350 6C6T, 32GB DDR3 ECC) aka TrueNAS

VLANs:

50 Infrastructure

51 KVMs

52 VPNs

53 Jumpboxes

60 Trusted

70 IOT-Secure (No internet access)

71 IOT-Insecure (Internet Access)

99 Guest

1 LAN (default)

All servers are running Proxmox as my hypervisor. Proxmox nodes are NOT configured with VLAN and currently only reside on LAN. Haven't made the move to put those on VLAN ... when one of them hosts the system that controls traffic to those VLANs... so thinking just leaving them on LAN and limiting access.

VM's & Containers:

Hyper2:

Ubuntu VM (Frigate) VLAN 50

Ubuntu VM (RDT-client) VLAN 50

Hyper3:

Ubuntu desktop VM (crashplan) VLAN 50

Ubuntu VM (Immich, Immich Power Tools, Remmina, Tautulli, Vikunja, Mealie, Paperless-NGX, Linkwarden) VLAN 50

Hyper4:

AdGuardHome LXC VLANs 1, 50, 60, 70, 71, 99

WireGuard LXC VLAN 50

Windows Server 2022 vm VLAN 1, 50

OPNsense VM (DHCP)

Ubuntu VM (*arr stack, Adguard-Sync, Uptime Kuma, Gitea, Minecraft Bedrock) VLAN 50

Ubuntu VM (NGINX) VLAN 50

Ubuntu VM (OpenVPN) VLAN 50

Hyper5:

MQTT LXC (for home assistant) VLAN 50

Ubuntu VM (Home Assistant focused: MariaDB, Zigbee2MQTT, RTL-433; Nextcloud [app, redis, mariadb]) VLAN 50

Ubuntu VM (Prowlarr, NZBGet, QBittorrent, flaresolverr) VLAN 50

Home Assistant OS VM (HAOS) VLAN 50

Ubuntu VM (Wazuh) VLAN 50

Hyper6:

AdGuardHome LXC VLANs 1, 50, 60, 70, 71, 99

WireGuard LXC VLAN 50

Windows Server 2022 (AD, DNS) VLAN 1, 50

Ubuntu VM (Omada controller) VLAN 1, 50

Ubuntu VM (nothing running yet) VLAN 50

Ubuntu VM (Plex, ErsatzTV, Maintainerr x2, Immich Machine Learning) VLAN 50

Ubuntu VM (OpenVPN) VLAN 50

This all works pretty well currently. I've been doing some more research and finding that folks have done things a bit different with their server VLANs... and just trying to get opinions on what would be better. I recognize that currently, my reverse proxy is in the Infra VLAN, which would be fine... but it's the same RP that is used for public access... which has me thinking that it should go in the DMZ OR I should set up a second RP (but that introduces an issue with keeping TLS certs in sync ...

Tear my setup apart... let me have it. What suggestions do you have? What am I doing wrong? What am I doing right (if anything)?
