Here’s a drawing of what I think might be happening to your private traffic: traffic diagram
One major benefit to this approach is CloudFlare does not need to revoke an entire public certificate authority (CA) if a singular private tunnel’s Certificate Authority is compromised.
I somewhat wonder if CloudFlare is issuing two different certs. An “internal” cert your servers use to serve to CloudFlare, which uses a private CA only valid for CloudFlare’s internal services. CloudFlare’s tunnel service validates against that internal CA, and then serves traffic using an actual public CA signed cert to public internet traffic.
Honestly though, I kinda think you should just go with serving everything entirely externally. Either you trust CloudFlare’s tunnels, or you don’t. If you don’t trust CloudFlare to protect your services, you shouldn’t be using it at all.
Just serve the CloudFlare certs. If the URL is the same, it won’t matter. Doesn’t matter if you’re talking to a local private address like 192.166.1.100 or a public IP. If you’re accessing it via a DNS name, that is what is validated, not the underlying IP.
PS. If you tried this and are having issues. We need more details about how things are set up, and how you are accessing them.
I think I misunderstood what exactly you wanted. I don’t think you’re getting remote GPU passthrough to virtual machines over ROCE without an absolute fuckton of custom work. The only people who can probably do this are Google or Microsoft. And they probably just use proprietary Nvidia implementations.
I believe what you’re looking for is ROCE: https://en.wikipedia.org/wiki/RDMA_over_Converged_Ethernet
But, I don’t know if there’s any FOSS/libre/etc hardware for it.
If you are fine with the slim: US amazon.
I’ve heard good things about used/refurb HP (elite desk and pro desk) and Lenovo (m700 and m900) mini-pcs. A quick search shows they’re going for ~120-140$ for a quad core with 16 gigs of memory.
Check out minisforum, for example this intel mini-pc. They have a ton of selection, not just that one example.
From the article, “These systems range from ground-based lasers that can blind optical sensors on satellites to devices that can jam signals or conduct cyberattacks to hack into adversary satellite systems.”
Recently LTT built a $100k PC desk for a Minecraft streamer. Sometimes the over the top engineering/materials (and thus cost) around something is the entire point. If they gave it a fair shake, and still called it a bad product, and then returned it. There wouldn’t be an issue. It being a bad product isn’t the issue.
In the LastPass case, I believe it was a native Plex install with a remote code execution vulnerability. But still, even in a Linux container environment, I would not trust them for security isolation. Ultimately, they all share the same kernel. One misconfiguration on the container or an errant privilege escalation exploit and you’re in.
You are not being overly cautious. You should absolutely practice isolation. The LastPass hack happened because one of their engineers had a vulnerable Plex server hosted from his work machine. Honestly, next iteration of my home network is going to probably have 4 segments. Home/Users, IOT, Lab, and Work.
Keep in mind, RAID is fault tolerant, not fault proof. For critical data, keep in mind the 3-2-1 rule. Stored in 3 locations, 2 separate mediums, 1 offsite.
I’ll second this. 4k at 25 mbps might be OK for a sitcom or drama without much action or on-screen movement. But as soon as there’s any action, it’s gonna be a pixelated mess. 25 mbps is kinda the sweet spot for full fidelity 1080p, and I’d much rather watch that than “4K”.
No thanks!
At it’s most basic, a satellite will have two systems. A highly robust command and control system with a fairly omnidirectional antenna. And then the more complex system that handles the payload(s). So yea, if the payload system crashes, you can restart it via C&C.
Annoying yes, but I’d argue that’s likely the simplest and most performant approach. At best (IPTables NAT), you’d be adding in an extra network hop to your SMB connections which would effect latency, and SMB is fairly latency sensitive especially for small files. And at worst (Traefik), you’d adding in a user-space layer 7 application that needs to forward every bit of traffic going over your SMB connection.
PS. Also to confirm since you mention LetsEncrypt, you aren’t planning to expose your smb server over the internet are you?
I have a feeling routing SMB traffic through Traefik is going to be a performance and latency nightmare. Is your TrueNAS VM’s network interface bridged to your home network? If so, use a static IP and just have clients connect directly. If not, your best bet is likely iptables NAT to forward a port from your Proxmox servers IP to the TrueNAS VM.
I have a similar issue when I am visiting my parents. Despite having 30 mbps upload at my home, I cannot get anywhere near that when trying to access things from my parents house. Not just Plex either, I host a number of services. I’ve tested their wifi and download, and everything seems fine. I can also stream my Plex just fine from my friends places. I’ve chalked it up to poor (or throttled) peering between my parents ISP and my ISP. I’ve been meaning to test it through a VPN next time I go home.