#off-topic-tech
but yea, def checking since the nasty one he was showing is a corsair one
most i've gotten my 4090 up to is 325W
but would that matter?
4090 was melting too so.... yes?
if it's a cable issue it's just a question of more pins being bad to reach the melting point and not just a power thing, no?
obviously more power will make it worse but like it's not everything here clearly
im too lazy to check mine, not to mention I've replugged it like 5-6 times now so im just reducing my chances checking
yea, this was important enough of a thing to make me want to check it
luckily, everything looks decent, and my gpu has the little LED to let me know if it's properly seated/connected
and it's an H++ one
and nothing was slidy when i fiddled with the cables
Honestly the only thing im worried about is the weight since mine is entirely held up by the connector
oh yea mine has the floor jack & it 100% makes a difference
guess while im at it i may as well replug my front usb c for the 70th time
It is so trashed and holding on for dear life
Dangit i forgot my phone cant upload video cause its dumb
there
why sapphire is a good brand - comes with a sag bracket
i mean i could attach it if i had somewhere to but yea some kind of mount would be good
the worst part is that's basically what my pc is, a bunch of jerry rigged jank that just works collectively
i called my previous build Frankenputer
like my gpu mount isn't screwed in because it's the wrong threads so it's just sitting in the holes...
and even then one of the standoffs is bent like 30 degrees so its a single standoff doing everything
at one point i had a sata ssd hanging by its cables
my first aftermarket cooler was a v1, and it was right when ryzen came out, so they just sold an adapter kit for it & it was an updraft cooler
I didn't even look at that connector on mine because I knew I didn't need it anyhow
well, a vertical airflow cooler, fan was right above the gpu
it's literally just sitting on top of my gpu unplugged now because i dont feel like turning off my pc to plug it back in and honestly im tempted to just leave it there
Also if you have that much plugged into a laptop get a dock heh
then you can plop it down and plug in one cable
i overdid it by trying to run 3 external drives off of a single 4x usb2.0 unpowered hub
I'll probably get a decent dock for my i
they'd randomly kick off & on, and the centrifugal force started rotating my laptop stand
iPad
I have a keyboard case but i like being able to get it hardlined and powered when im in certain places doing certain things with it
like if im using it for music it'll be nice being able to dock it to all that gear
I've decided the desktop will need a PCIe card to add more
i've had good luck with mine
I don't want to have usb hubs hanging off it
I went over everything and realized i have 1 open type-a
and i have a couple of things not plugged in
no wait i have a type c free back there too...
why the internal ones?
i threw the gigantic xbox dongle on one of the internal ones so it wouldn't snap off
no idea what else it could be used for, maybe a 2.5" external or something weird like that, just sitting in the case
having my side panel off is actually kinda nice
gives a nice breeze
since i swapped my rad from push to pull
so its blowing towards me now
gonna be hell in the summer but ay in the winter it's lit
just wait till july 🤣
i mean, at this point why not
as someone pointed out, 5090 OC is now measured in terms of HP
relocated to the work shop, bit cold but whatever
Still can't get over this 1oz pack of Kester solder my dad had with a price tag of 1.06 on it
It's about 12.50 now. Then again you get ripped off buying 1oz anyhow since you can get 16oz rolls for like 40
the costco method of extortion
Well... they know if somebody is only looking to get 1oz they are likely doing like 1 job and that's it. So they kinda have those types over a barrel
yup
For me buying less than an 8oz roll is a waste of time
at least you'll have one to give to your kid in 50 years 🤣
Solder joints on these boards are small but they add up, probably burn through 1/4 to 1/2oz on an average pedal
Way more on something like a decent size tube amplifier which has a lot of high current AC
End up with some extra beefy solder joints in there
with my talent they wouldn't be beefy but a serious short risk
Remember kids. The excitement of electronics only comes if it can kill you 😄
best i've gotten hit with is 8k volts
I'll need to be exceeding that for a jacobs ladder
Think I'll want like 9k+
need a salvage microwave for its transformer heh
mine was on my ancient pickup on its original spark plug wires
they were frayed as fuck & shorting on the fenders
oh those will let you know if they have spark lol
lil bit yea
It's enough to create a plasma arc so...
eh, when it shorts it's not quite as bad
I'm saying in general when you look at the end of the wire you can see the spark
still felt like one of those electrical muscle exerciser thingies
that's plasma
oh yea definitely
Why I need so much for a jacobs ladder, I have to jump a larger arc at the end
but they sure sound and look neat!
(and can def 100% kill you)
could you go for a higher voltage one with basically no amps?
just voltage mostly
Since I'll probably do something on the larger side I might need to hit 15k+
I just want a 20k watt microwave like that video... so I can cook a hot pocket in under 10 seconds.
i think a blowtorch could do that
just.... light a forest on fire at that point
But it's moar fun with microwaves
fresnel lens would be fun too
that thing melted tungsten in short order
That guys videos are definitely do not try this at home type shit
like really.. do not try
just have a concrete slab under it 🤣
I'm gonna end up knocking out power to the entire neighborhood one day...
and i'll be out there acting as confused as everyone else 😄
wasn't that a video
any of yall got a link to that microwave video
i feel like i saw it at some point but now i cant find it
that dude is great lol
If I had to guess I'd imagine his IQ is fairly fucking high...
yea i knew i got this recommended at some point
i've heard of this guy for sure, he rings a bell
He does a lot of crazy projects, usually dangerous heh
I feel like this is the embodiment of here is why safety rules exist
it feels like im watching the weld shop teacher just flinging shit into pots and seeing what happens
one time he made a sodium bomb and lit the ceiling on fire
He also used to discharge the fire extinguishers as a demonstration IN THE CLASSROOM before the fire marshal got tired of refilling them 🤣
idk what's happening, but youtube is completely unusable
I've let it load for 5 minutes and its still like this
Is there an extension that could fix this?
I've tried disabling all my extensions, reinstalling firefox, and reinstalling windows. Nothing works and it always gets this bad after a couple of months
that's a tough one
I did some windows repair scripts in cmd and that fixed it
who was the one that glazes brave? I forgot. Any brave glazers wanna tell me if google sites are just as slow on brave?
Seems about the same as any other browser to me
It looks like you can't use VLC media player to download videos from YouTube anymore. The server refuses the connection from VLC.
Basically Google found the loophole and plugged it.
Something about HTTP Error 403.
Error 403 means that the server is refusing the connection and will not allow one to connect to it.
403 is not a server error but a resource error
i.e it does not refuse connection
it simply says you're not allowed to get served what you asked for
There are supposed to be two metal tabs protruding from the side of the pin that lock it in place with some wiggle room:
But those can fold backwards with enough force and fail.
what about the wire itself?
That pic is for Molex Micro-Fit 3.0 female crimp terminal, in this case two dimple type with gold plate inside for AWG 24-20 cable, didn't try to find proper one.
Crimped, and should break next to the crimp before that crimp fails.
When done properly. Basically that crimp is supposed to be fully air tight and stronger than the strands themselves.
i mean is there any crimp that holds the wire to the full plastic casing
No?
Why would there be?
Terminal holds to the case.
Wire holds to the terminal.
Weak point are those two tabs.
You want the terminal to move in the housing.
If the wires were somehow fixed to the housing, the terminal couldn't move.
Just little movement, so it can align properly with the other sides terminal.
yea good point
so 2 tiny metal tabs determine whether or not your connection is solid
But the amount of force needed to fold those two tabs backwards should normally be excessive.
But yes, if the two sides don't align properly and you force the housing in, the tabs will fold.
i was also thinking that maybe people are pulling the connector out by holding onto the wires a bit too much, even unintentionally
Yes, that is exactly why you aren't supposed to pull on the wires.
when i took mine out i couldn't just hold onto the connector, so instead i broke out my ifixit kit and used 2 of the plastic pry tools on either side to back it out
Because then all the force is transmitted via those small tabs.
it's so much more friction than a normal 8 pin to fight with
thankfully mine looks fine, nothing loose on it
Crimp pull testing results, where two in the middle are what is wanted.
But point of crimping is to force the contact and the wire together with such force that you get welding effect between the surfaces
i hope they get it right, issue a general recall of all of them, and put out a decent one
Of this type of crimp, the larger forward tabs are crimped to the conductor itself.
And the smaller last set is for the insulator, with them usually going through it in the middle, sometimes only folded over.
Also, that is the reason for that "Don't bend the cable too close to the connector" thing.
As that will cause excessive force on those small tabs at the farthest pins away from the bend direction.
And that "pin depth" thing is about the freedom of movement, when constrained by that wrapping.
There is normally about 1mm of movement for the pins fore-aft.
But because that shrink wrap at the end of the wrapping limits the movement of the wires, some will be at minimum, some will be at maximum.
But that Corsair cable seems to have loose pin even in the closeups.
Just watching the video.
He would have needed to pull the wire completely out, and shown that contact.
Might have been one that wasn't fully inserted in factory and didn't lock.
Or might have had folded wings.
Ah, no, he did push it in to the top position, and then back.
The wings are there, but for some reason the lock level is lot lower than the others.
And that first gen did have much more allowance for that kind of thing.
Which was tightened for the new revision.
Corsair might be using bad quality contacts with inconsistent wings.
Or contacts from one manufacturer and housings from another.
But that amount of slop shouldn't be issue.
As even that worst pin at the max depth is still way above the level where the pins from the card side will go down to.
Remember that the card side pins go down to somewhere around here:
And the end of the contact surface on the female contact side is here:
For that dual dimple one.
Need to find pic of the better leaf spring type.
all of it just screams "well, we tried"
and also 0 margin for error or it all burns
So would have needed to pop that specific pin and another "normal" one out and looked at the contacts.
Easy with right unlock tool.
So that JayZ video might be real, or just bad take.
He again didn't know enough to fully investigate and just threw gasoline on the fire.
jay noticing that it's been the end cables that are burned is interesting, which is why i was thinking maybe people are pulling out the connection with just enough extra force on the cables, unintentionally, to loosen them up like that
Of course the burn happens at the contacts.
That is where the highest resistance is, so most heat.
You would need to use very undersized wires to make them heat more than contacts.
Ah, you mean the outermost contacts in the housing.
right, but having the contacts back out even though the clip is secured in place
you'd have no idea it had happened
maybe they should start doing a clear connector 🤣
Yeah, that is where any bad handling by forcing a turn will cause most.
just insane that we're 3 generations into this and still finding serious problems, which kinda makes me think that someone might have already known about it
Turn that cable sideways, and the far pins get pulled.
As the near wires will have too much length, far ones too little.
And because of that shrink wrap etc. only the non-wrapped part of the wire counts.
Less there is visible wire, worse it is.
yea my cable has none of the extra shrink wrap around all the tiny cables thankfully
kinda scary that der8auer was recording 20+ amps going thru one of those
it was worrying enough to see it happening across the industry, but now i've been thrown in with it all with the new pc
Which is the insanity of that connector.
6 pins that all would need to have about same contact resistance to very tight tolerance, or very bad things happen.
As the contacts are without any headroom between the contact spec and the cable/connector spec.
And no monitoring to make sure that is actually the case.
Well, Asus has that monitoring, but still no automatic action, just user warning in OS.
at this point they really should just use a C14
stuff a transformer into the GPU 🤣
kinda hoping that someone like GN is able to figure out an easy way to instantly melt the cable in a repeatable way that'd induce a recall
melt all the things
how about the 6 pins are combined into a small copper bar right in the connector and then a single thick wire per bar runs to the other side?
Which wouldn't do anything to the contact resistance?
at this point i wouldn't mind using a fucking bus bar to make a decent connection that won't catch on fire
it would not, but the pins would not be pulled sideways that easily
And that movement is WANTED.
and the copper bar would make a nice heat transfer
Problem is using multiple pins to transfer power at near the contacts max spec, without any active monitoring or balancing.
the pins need some room to wiggle into place, yes. I meant pulling out the pins a little when the cable is bent sideways and pulls on the entire connector
it's like they're trying to keep it small, but given the size of the big cards, that ship has sailed
And then just the specific wire would break, or lose contact with the "bar", depending how those are connected.
This. a phase measurement per pin would resolve most things
I just don't understand why this is not done in the first place. the 3090 at least had 3 phases
More expensive.
why do it right when you can do it cheap
yeah, the negative publicity about the newest 'flame generation' feature of the top gen GPU surely helps to sell more
imagine splitting that 1 metal bar in 3 smaller joint metal bars
that sure would increase cost and size tremendously
spoiler : not at all
Nvidia is just fucking lazy
Meaning the way it was done on 3090 TI.
The separation of VRM to different regions, no cost change.
Being able to monitor the current split, to notice stuff is out of whack, few dollars to few tens of dollars.
Having the ability to switch which input specific VRM gets its power, to be able to do active current redirection, again few dollars to few tens of dollars.
So it does cost.
Not that lot, but enough for the manager/exec level to say to skip it as useless.
but that's when it's crazy
skip literal 1/1000 of the cost for a huge stability and safety hazard
Must have that sweet sweet infinite growth...
Not only increased revenue year after year.
Not just increased profit.
Also increased profit margin, year after year, forever.
Current MBA and stock market thinking, as impossible as that is in real world.
geforce pinto
cheaper to deal with any lawsuits than make the cards safer
therefore you don't make the cards safer
We had a Pinto when I was a kid... brand new 😄
Looks like slightly below surface level understanding
Both have usecases where they are superior to the other
Well the wires are undersized there, they're half the square volume that you need for that much power
And that contact is rated for 9.5A, so that the wire is undersized is lesser problem, when overload is happening.
Wire is sized correctly for the contact, and has more headroom than the contact.
Oversizing that wire would just make the contact for that wire to heat up even more.
No ik its sufficient but its half the size to be safe at that power
When that failure is happening.
So oversizing the wire without oversizing the contact would just make the contacts and connector housings to burn even easier.
basically: right now, the cable is losing heat too, so there's less heat burning up the connectors.
make the wire thicker and all that heat is lost at the connectors
Or did I make the same mistake as yesterday again...
In a way I did.
As the total resistance would go down, so the total voltage losses would go down.
So more voltage getting to the cards, so less current for same power.
But basically not worth it to overspec the cable if the pin is crap.
sounds like network stuff: the connection is only as fast as the slowest link
That's also used in the army 😄
Heat lost at each component is voltage drop across the component*current
Cable and pin will have the same current, so higher resistance in the cable means more heat lost there which leads to lower potential and thus less voltage drop across the pin
(not trying to correct you, just adding)
Yeah
#SkillIssue
its with psu brands and mostly not nvidia to be fair
is derbaur about to melt one of 10 4090 TI's ?
watch buildzoids video
its not PSU makers fault
its NVIDIA skimping on necessary protections (load balancing the cables)
thats a whole thing but its one of two problems
And Nvidia designing a connector with razor thin margins.
Anyone perchance know why im getting massive FPS stutters in Satisfactory when looking in the distance? Specs are CPU 5700x3d GPU 7900XTX 64GB Ddr4 ram. Settings are all highest on 4k.
ram stability probably
mine sure does
let the water vaporise and condense
buy air cooler
look inside
water
efficiency in simplicity
the only moving part is water and a fan
I wonder if it's possible to make easily-bendable long water pipes with same properties to just connect with outdoors or basement without need for a fan
so intel are corrupting shaders and data while nvidia melts itself
computers are great
and that too
thanks steve
like : im sorry but there is no way an AMD GPU With 64CU's is only 4% slower than a 4090
or it has FSR UP applied

it is when it's CPU limited
EXTREMELY SURPRISING
i guess...
we ain't gonna know shit until it gets thoroughly tested
even if it is somehow magically faster than a 4090 in monster hunter, it may only be in monster hunter
this is all just people farming for clicks
i do not like hyper rx
its just marketing
AI powered FSR?
it's a driver switch that turns on all of radeon features
we knew this already, the DLL is public but nothing can run it
just makes you able to use multiple features together
some things can
(kinda)
interesting
not well I bet
the dll is FP8 and only really designed for RDNA4, they're looking into making a version for RDNA3
or was it FP16 I forget
either way it's AI
Insta buy for me if it is faster in MH ^^
fp8
lmao whoops
yeah that makes sense, they support a lot of data paths for ai
i would like to see it run on geforces too
just so you can compare it to DLSS
i think FSR 4 will just be DLSS but 10-30% worse
if it was even close to DLSS you could build it into directx and everything would use good AI TAA
no more "this game has dlss, that game has fsr, why aren't they updating the dll" shit
just get rid of this shit
can't even use optiscaler on anything with anti cheat
too bad i dont play anything with anti cheat
i hate anything vendor locked, anything that people use to build a moat
based honestly
i am too old to get sweaty in valorant or wherever
also : why would you want optiscaler in those games ?
Managed to clip my issue. Had to put it in a google drive cause i cant upload it bc its to big. https://drive.google.com/drive/folders/1UXICrZNT7_kZX7TydG4gIxhpYhWXNt8r?usp=sharing
some online games are demanding enough to need good AI TAA and upscaling
i think thats just from the fact that foliage is extremely demanding in this game
i dont think its a stutter issue
(looks more like a performance issue)
Guessing this is it.
maybe putting FSR / TSR / XeSS to balanced would help
i had to drop my preset to medium to not have major performance issues BC of that
ultra/high isnt enough
That has indeed helped.
all my benchmarks if you are curious
lowering that setting or upscaling ?
huh, i guess that did give me a 30% perf boost
(thought it was less than that)
Does this even do anything?
yes
but you have to set it to balanced to get a performance boost
like this
quality will also give you a tiny bit
but its like 1-5% IIRC
Want all native pixels mostly.
no downscaling just means replacing the game's TAA with FSR AA
which looks better in my opinion
then sticking to the lower settings will be a better choice
Okay thanks for your help man appreciate it!
anyway
i dont believe i actually tested cinematic VS ultra on that one setting
so im gonna try that and add it to my benchmark results
here is how all the AA options affected my performance
lumen off main factory
TAA 77
FXAA 77
NONE 78
TSR 63
FSR 69
XESS 67
embarrassing that TSR is slower than FSR and XESS
and looks worse ( IMO )

i would get extreme blotching with XESS which was very strange to me
though to be fair it runs better than XeSS while upscaling
upscaling performance at 75% (TAA for comparison)
TAA 89
TSR 79
FSR 83
XESS 78 (thats surprising)
(well 1fps better)

IIRC this is where i started my benchmarks from
(forgetting that taking a photo in photo mode doesnt clipboard the screenshot)
lumen experience
i was gonna make another benchmark pass
but
no point
zero difference between the 2 settings
for me
in this scene
If 7900XTX needs anything other than not using Cinematic settings, and the game is GPU limited, something is really wrong...
i could see that happening at 4K TBH
(cuz res is 4K)
though it is strange that it fixed his issue
when it hardly changed anything for me
+3fps
+9% fps
ps
the red forest runs worse than my factory W lumen on
and needs lumen to look good (IMO)

It helps with blurring out reflections and bringing them back to at least somewhat reasonable levels
if thats a 7900XTX that is some awful performance
because i was getting over 150 cranked with lumen on my 4070ti with no framegen in the red forest
ok yea i was gonna say
like damn if you're only getting 30fps with that the AMD delusion is at an all time high
altho in fairness we have about the same performance if i dont use an empty save
like my save is getting rough
Are you at 4k or 1440P
i have an RX 6600
NOT an XTX
it doesnt just blur reflections
it blurs the entire screen
(like XeSS)
thats just typical XeSS
what res ?
1440
and where ?
but where in the red forest

that matters
Wherever i was like 5 months ago when i still cared about the performance improvements
🤦♂️
check it ffs
😤😤🤬🤬🤬
(#trolling)
always has been
chunky area
true
Lot of green bois
why the whole mod team 😭
just ping a mod without idle or donotdisturb on
That's standard practice, and what the mods signed up for lol
You should be pinging the moderator role rather than an individual if it's something that actually requires their attention
if i did that in a regular server
i would have been vaporized
Why, it's literally their job
Basically every server has some kind of dont ping mods rule
yea, i had to learn about turning off ping the hard way after a gentle smack upside the head 🤣
Well yeah but
Ping for actual mod stuff is different than unimportant ping
ok, is it possible that having a bunch of usb stuff plugged into the back of my mobo is drawing too much power & occasionally it brain farts & resets it all?
every once in a while stuff like a youtube video playing will pause, 2 of my drives will open up, and my bluetooth will reset
I suppose it would be possible that at times one or more devices draws a little more power leaving everything short... and that could cause devices connected to it to reset
I've had similar issues with those usb hubs before which is why I'm going to just throw in a PCIe x1 card to give me more ports. Make sure they're full speed and fully powered.
I'm down to 2 ports and I'd like to move a couple of the things plugged into the front to the back.
Thats just there so you don't ping mods for no reason whatsoever
I also just checked,and this server has no rules on pinging mods
Only rules on pinging developers
https://www.youtube.com/watch?v=LQjFGx9mEPw
sooo
interesting how it will turn out in the end
after all - be it from government or thru donations, someone pays for the content
there's some appeal in more direct flow, and there are some worries about it as well
GN 🤣
They finally got their fan tester into operation:
https://www.youtube.com/watch?v=JQtyxRtsqvA
Testing one fan with various front meshes as sanity check thing to see if they have their process right.
it looks like it's just my former OS drive causing issues when plugged straight into the mobo
Lol
yes and they showed off the hole sucker calibration plate.. .my new name for it 😄
it's too bad it's not a variable diameter calibrator, otherwise it could have been called a sphincter
wat
^didn't watch
nod
And really for all we know they also have a sphincter adapter for something
They didn't show us ALL the plates...
Lol
Black market sales is wild
https://www.youtube.com/watch?v=shFUDPqVmTg
let's just all be adults here
babyrage type of finishing statement
was looking around quaternary cycles
courses.lumenlearning.com/suny-sustainability-a-comprehensive-foundation/chapter/milankovitch-cycles-and-the-climate-of-the-quaternary/
are those fuses for each pin lol?
at this point it's probably an improvement
with fiber, no matter what server you choose you should get roughly gigabit right?
I did a couple of servers in California and this was the best I could get
No you'll get whatever the ISP has provisioned on that line heh
I have fiber at 600/600, it's capable of well past 1Gbps though
No.
With bad ISP you usually get that paid for speed to their first router, if even that.
Anything past that can be way lower.
And almost all big US & Canada ISPs belong in that bad category.
And even with good ISP, the speeds in general Internet, outside of that ISPs own network aren't guaranteed.
Just that good ISPs try to also negotiate transit agreements to give good speeds to large enough amount of Internet to not cause issues for normal users.
Because the speed you pay for is at minimum just the line speed to their end of the line.
And from the device you connect there (their ONT equivalent) in a switch, they might oversubscribe a lot already to their first router.
Gigabit between ONTs, then 100 subscribers in same switch cluster being forced into shared 10G pipe, (10:1 oversubscription), instead of 100G pipe (no oversubscription).
Or even just 1G pipe (100:1 oversubscription).
But when the speed depends on where you are testing to, that is mostly about transit agreements and capacity at transit points between your ISP and other networks onwards towards the target server.
In this case the transit from you to the test server is good.
But the transit back from the test server to you is just horrible.
Can confirm since I work for an ISP. Most people think they have their own dedicated fiber and they always get full speed without realizing they are sharing bandwidth with multiple customers
Almost all ISP's use PON since it's cost-effective
Example for GPON
And I was just talking about the connection from that GPON OLT onwards to the first actual ISP router (default gateway).
And then from that onwards to general Internet.
Yes, with GPON, there is also oversubscription in the fiber portion too.
With "classic" point-to-point fiber there isn't, and neither was there with ADSL or VDSL.
Cable modems also have oversubscription in the cable wiring portion.
My neighbors use ISP which offers DOCSIS (cable) and they had speed issues in the past because too many people were connected to a single street cabinet where the amplifier is installed I think
Never worked with cable so I don't know much about it
With cable modems there is "cell" where the cable wiring is just shared medium connected together and the bandwidth is shared between all subscribers connected to it.
Also, I recently noticed someone ran over those cabinets and knocked them down and ISP hasn't fixed it yet lol
Kind of like that GPON, just with coaxial cable being connected together without active ISP side device.
One port on ISP side connected to X number of subscribers, with Y amount of the bandwidth in that coax being set aside for DOCSIS, and rest for cable TV.
With separate downlink and uplink allocations.
Where certain amount of actual internet speed in upload needs more coax bandwidth allocation than same amount of download.
Found an image online of one of those cabinets
More TV channels with better quality, smaller the cells need to be to support same amount of subscribers.
Before cable modems, those cells used to be gigantic with just one way signal boosters.
With DOCSIS the signal boosters need to be bi-directional, or there needs to be DOCSIS ISP side modem instead at that location.
Or even nearer to consumers to split the old cells into smaller parts to give decent actual speeds.
Basically juggling amount of TV channels vs. actual bandwidth against cell size (smaller means more expensive for the cable operator, and possibly needing more cabinets etc.)
Here, cable ISP basically installs a large street cabinet which covers the whole district and then small cabinets with amplifiers in front of each apartment building
But question is.
Do those small cabinets contain amplifiers, or converters from coax to fiber too, for the Internet traffic.
Haven't seen them opened yet but I think those smaller cabinets only have coax
Classic before DOCSIS was just amplifiers, with shared wiring between the local cabinet and the district cabinet that actually did the TV transmission sending.
And first cable operators just converted those amplifiers to two-directional ones.
But as traffic has grown, usually they either have had to split that district level coax to multiple runs, or just run fiber to each local cabinet and install DOCSIS ISP modems at those.
Either to run more coax, or run fiber.
Damn, can't find an image of the whole cabinet but this one looks like it's from the district cabinet (large one)
Based on the number of fiber runs in the wall compared to the four actually getting used in this cabinet, I would expect there is coax run with TV signals and fiber run with internet traffic going to each local cabinet.
And then one-way amplifier for TV signals, and DOCSIS ISP modem with fiber connection in the local cabinet.
But cannot know.
With those 4 in use fibers being used to send the TV programming to be converted into coax DVB-C signals in that top right large box.
Passive coax splitter/combiner on right.
Probably four coax amplifiers at the bottom.
And possibly DOCSIS ISP modem on above those.
Left side might be just fiber connection box, splitting those two visible fibers from the black cable going to it from underground runs.
Which is coming from different red ground pipe than the coax ones.
Leftmost is probably amplifying the incoming TV feed before splitting it 4-ways, one going with that white wire probably into some kind of filter, before getting used in the rest.
But also being sent in two cables onwards to more cabinets.
Guess I'm staying with fiber (PON), no active elements and the network structure is easier to understand than DOCSIS 😅
Translated image btw
Starlink at BestBuy costs $400 just for the receiver device.
And the relevance of that statement was?
About network speed. Paying more for satellite internet than ground based telecommunications. Even more bandwidth limited.
Le Dumb redditor
Slated 😂
How do you see what category isps fall in without actually signing up for their services
Reviews/comments from current and previous customers?
In US and Canada, you are fucked, just with somewhat differing things by most of the ISPs, outside of few small regional entities.
Where I am, I'd be surprised if anyone even does a speedtest other than when a tech shows them the speedtest. Although most of my isps here are national so maybe someone would be knowledgeable enough to at least do a speedtest from a different server than "optimal"
this is it today when apparently the people aren't using the internet anymore
I am on a college net routed back to a local carrier, and I get basically half the download but identical upload with cross-country speedtest
919/938 within MI, 430/972 to CA
Anyone else feel like internet today is much worse than it was 10 years ago?
For example, so much misinformation, videos of grifters giving "advices", google results full of websites with AI-generated text, clickbait videos, ragebait videos, etc....
and so many things I can't think of right now
Of course it is
I feel like 2005-2014 was the golden age and everything from that point went downhill
Ooof
3$ an employee is wild
Could someone please unplug Intel's life support 
all algorithms on the internet promote whatever gets the most clicks, not what's accurate, so it rewards everything you just listed; google search itself was enshittified in a similar way
enshittification
Here is how platforms die: First, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die.
the internet has become a place of profit
In hardware news this week, we're talking about the burned 12VHPWR (and 12V-2x6) cables and connectors on the NVIDIA RTX 50 series GPUs now, including the 5090s. Additionally, Cyberpower has responded to GN's review, AMD an...
the meta section is fucking hilarious
i mean, they can carry it, the issue is with how long they can carry it
i bet this entire channel is on the GN stream rn lol
dunno what they're doing but it keeps crashing
the stream or the pc
the pc
well actually its 3D mark that keeps failing but they're blaming it on the pc so im lost
do they keep dropping temps too low?
too high i think
they said 53C+ would crash because how high the clocks are
think he said they're at 3120mhz
this whole smoke cooling is sick tho lol
i wonder if they have an O2 oximeter in the room
wait, are they just using the nitro as an ambient temp dropper?
and not right on the die?
ah got it
yes lmao
🤣
they should put a pot on the power connector
power connector was like 15C on the temp cam earlier
surprisingly cool but then again they said ambient is 16C
any recommendation for m.2 nvme ssd for offline reliability ?
I dont care about speed
I want it R.E.L.I.A.B.L.E
i.e : read and write good
data consistency after half a year offline
Storm blew through... internet out for hours. Yay for tethering to my phone!?!
STILL down... storm must have screwed something up royally
Ahh, NVIDIA's new selling point: flame generation
or a particularly nasty way to do designed obsolescence
I'm not the only one taking tinfoil hat theories then
further tinfoil hat theory: this is nvidia pissing off board partners enough to make them quit
So that nevedea can be a monopoly in another thing
they're already a functional monopoly with more than 50% of market share
this would be a move to full vertical integration on top of that
I notice a lot of AI generated content websites.
Internet line still dead
doxing 101 
This is the deep south.. seeker finders might want to bear that in mind heh
You mean Griffin?
I figured it would be more widespread though... then again if it were they might already have it fixed
Yep in fact I can hear the Atlanta Motor Speedway from here... just barely
Too bad I... don't like NASCAR
Drag races can be fun 😄
I've taken my car and bikes to the drag strip to see how they do but never really go into it. The driving is so small part of that. Rather do circuit racing
Wow that place has a seating capacity of 125,000, and that's not including all of the RV space in the middle
not really mainstream here
so much fun on Valentine's day
https://www.youtube.com/watch?v=vr2An2QgJVA
too much
A nearly mile wide portion of a volcano presumably just sunk by 26 feet or 8 meters! This all occurred due to a strange strong magnitude 6.0 volcanic earthquake at Ethiopia's Fentale volcano. While sharing many similarities with a caldera collapse event, the subsidence is not yet truly a caldera collapse. Today's video will discuss Ethiopia's la...
This is what is rooted in our culture.
Modern version.
a lot of cobblestones.
Somehow I expect that lot of people are only interested in NASCAR for the crashes.
Maybe some, not all
Most are actually into the strategy and such
you don't draw 125k + a parking lot full of RVs for crashes
I do find other forms of auto racing more exciting personally but yeah
It's also hard to get a real idea of how steep those turns are at a NASCAR track until you stand on one
it's no wonder they can carry that much speed
And the retail CPU sales are a drop in the bucket compared to the overall sales of consumer line CPUs.
Hasn't AMD made some recent gains in data centers as well?
Intel is slowly losing grip on the boutique shop builds to consumers, but not really in the large-OEM space still.
I did specify consumer line CPUs.
Closing the server side out.
Where AMD has been very strong in sales for years already.
ive also never seen a **halo** product also be the **Best** selling product
IIRC the Intel Rebate thing from Athlon 64 days still hasn't fully gone through various courts...
its pretty difficult to sell less efficient CPUs than the competition to server
Still took multiple generations of that before the swing really started.
"No one got fired for buying Intel" (as the new version which used to be "IBM".
makes sense
Partly because of that same rebate thing etc. which made large server OEMs take time to start really invest into AMD lineup.
The first Ryzens I wasn't ready to upgrade yet plus I wanted to wait and see given previous history.... next gen came out and I was basically sold after seeing its performance, next gen i was ready to upgrade
I can't even imagine having used an intel chip for this thing
Direct consumer sales is very fast to swing.
Ready-built boutique is a little slower.
Large OEM level complete system is very slow and Intel has always used rebates etc. to try to keep AMD out completely.
I still think this is rather impressive.
lift is a pain in the butt for nascar cars 😄
especially when a lot of engineering goes into preventing...that lol
Nascar did force some regulations to try* to prevent this.
Power though, sometimes it's too much
You can have a brutal looking wreck in those things and just walk away sore
The air just lifting a few tons up into the air, like it's a leaf in the wind.
..or one that doesn't look that bad and it snaps your neck
They engineered that one out tho
They engineered what out?
the type of thing that killed Dale Earnhardt...
By forcing using neck and head "locking" stuff to protect the neck.
yeah basically just locks all that in place
But yeah that accident didn't even look bad, not by NASCAR standards. Super tame
And all that was already in use, not just forced.
And some drivers, like Earnhardt, had decided to not use it.
The danger was known, just that some drivers didn't like they couldn't move their heads.
I mean, c'mon that looks ridiculous.
If people saw this in a movie, most (who don't know lift) would think it's CGI and bullshit (impossible).
Yeah, but fast enough plate has lot of lift.
And the underside is basically a plate in most sport cars.
When you aren't in right orientation, the various downforce producing devices don't work and you just get the lift from bottom being in wrong angle.
I understand all the science behind it.
But I still find it fascinating to look at.
Lot of high end sports cars can drive on the ceiling once they hit high enough speed.
Because if they didn't generate that much downforce, they would be uncontrollable.
Honestly, I spend too much time looking at cars being lifted by air 🤣
Don't work is a bold statement. Just saw a video where they showed how the roof "spoiler?" works.
The picture I posted. The plate that goes up. And you can see it happen in last gif I posted.
You see on the roof, that there is a plate standing in an angle, and then closes.
Meant the normal downforce generating aerodynamics.
That is special extra to cause a specific type of aero effect when the normal stuff has been lost.
The stuff that is engineered to keep the car sticking to the surface when going forward like intended.
Because otherwise the pure speed would cause them to lift up like that on any bump, even when going straight.
Oh, but that's just for every car?
those plates don't do jack unless the car is going backwards...
and they are basically the same as spoilers on an aircraft wing, tons of turbulence... no lift and lots of drag
they have plates on the side too
only those need to be working moving forward... if you are moving backwards then well.. um.... hmmm
Yeah, point is to slow the car down fast if it stops going nose forwards, with passively deploying aero-surfaces.
So it doesn't get so much airtime once the bottom starts generating lift.
Tell that to this guy
https://www.youtube.com/watch?v=mjktUfqruN0
Dr. Eric Jacuzzi walks through the aero enhancements NASCAR is implementing for superspeedway races, starting this weekend at Talladega Superspeedway. The additions to the car are designed to increase lift-off speed, decreasing the chance of a car getting airborne.
#nascar #talladegasuperspeedway #talladega #insidetherace
not technically impossible...
4 months ago.
Also, you almost immediately deleted that video.
The link I mean.
"The new flaps are designed to deploy more quickly than the previous design, and include canvas "parachutes" on their underside to further disrupt airflow when deployed."
cough... a.... spoiler heh
Because I didn't want to post that link but a gif?
"A race car's body is designed to optimize downforce, but if that body is spun so air is flowing in reverse, lift is generated instead of countered.[2] The roof flaps' job is to disrupt that airflow and prevent lift.[5]"
like.... i said
And you have the video right now?
You: that doesn't work. Nascar: we are improving the system.
How can it not work. But Nascar is still investing in it? 🪿
That was my point 🤷♂️
i didn't say it doesn't work
Not you, but Baldur 😄
It works?
Just not perfect?
And that the lift-up at speed if downforce generating aero is lost by going sideways/backwards is thing that happens to all cars at high speeds.
NASCAR is just the only racing where that happens regularly and they try to mitigate it to extent they easily can now.
the airflow over those things is... pretty nuts
"various downforce producing devices don't work"
That was about the normal aero designed to be used when going forward normally.
yeah i mean the car is as engineered as the rules allow to get it to stick heh
When those don't work, because you aren't going in right direction for them to work anymore.
Funny, how it was an option to limit the engine. But everyone was like; naaaah.
Then the bottom turns into lifting surface on any bump.
Doesn't F1 have regulations for engine power? Or was that Nascar?
they go over that stuff down to the mm... maybe less on things like the downforce type spoilers and shit
it's nuts how many rules there are really
In most fast cars, the bottom is also part of that downforce generation with specific shaping.
But that shaping only works when going forwards.
I vaguely remember an organisation limiting the engines for safety.
Well at some point the tracks won't be able to contain it
But hey why not find out just how fast you can go through turn 1 eh
NASCAR engines are limited to 358 cubic inches (5.86 liters) of displacement. These power units maintain a traditional V8 configuration with an iron block, emphasizing durability and power. The engines produce a target horsepower (HP) of up to 670 HP. Teams must adhere to these specifications, ensuring that the V8 engines maintain a balance between power output and reliability, with no team allowed to exceed these limits to maintain a level playing field.
In the Cup Series, NASCAR has historically employed restrictor plates to limit engine power for safety reasons. These plates restrict airflow to the engine, cutting its power and, consequently, reducing the speed of the cars on the racetrack. More recently, NASCAR introduced a system involving tapered spacers, which serve a similar purpose to restrictor plates but allow for more precise control over the engine’s horsepower and torque.
It was the restrictor plates. I heard about it in a documentary.
Basically those fins are about giving extra air resistance when going sideways, but don't affect much when going straight.
So when you start going sideways, they both slow you down, and try to turn the car back forwards (or when gone too far, to go backwards).
And the pop-up spoiler is to slow you down via air resistance when not going forwards.
🙈 So silly I know this stuff about NASCAR
lol
while I will never see a nascar race in my life probably.
I only know shit because I have family into it
Baldur, you got time?
Probably.
Would it be stupid of me, to put proxies etc straight on my Synology in containers?
I know Herg recommended to me, to put it on a PI5 (and then I started to look into mini computers etc).
But now I am questioning myself again, if that is smart 🤔
Usually would be fine.
In theory raises the attack surface onto the Synology a little, from inside the LAN.
But usually it would be perfectly open already from inside the LAN.
And in the very remote case that there is some kind of "external" exploit, it would still require someone from inside the LAN, to try to access some site where that attack is deployed from, via that proxy.
Basically IMHO that little extra security wouldn't be worth the cost in work, electricity, etc. for home network.
That was a worry of mine, that if they break out of the container, they are straight into my nas. If they break outside a container on a separate device, they still have to navigate my network. And depending on how I set that up, I can add extra security?
But point is, how can someone attack (reverse-)proxy server program.
Either they need to already be in your LAN.
Or there must be some very weird exploit in the proxy server software and someone from inside the LAN needs to visit site which then attacks using that exploit.
No it isn't.
As you need to first get into that container.
And if the only program that is network aware inside that container is the proxy software, how do you get in?
Unless you deploy container image with backdoor in it.
The ones I have seen have been in the Docker web management interface(s).
Usually in extension interfaces or extensions.
The container is open somehow, else it can't communicate with outside. Container (has open port)-> Synology (has open port) -> LAN -> Internet.
Or you close the port on synology, then it's fixed.
"could be abused by a malicious extension in Docker Desktop"
Etc.
Point is that you need to secure the management of that Docker.
And I would expect that by default to be via Synology's management interface.
With optional remote access direct, which should be disabled in most cases anyways.
Sadly, yes 😦
No, remote access.
Well, I can enable remote access. Or I can install portainer agent on synology and control it from another device. But I didn't do that.
And those direct Docker remote access services should be blocked/disabled in that Synology, so that the management is only via that Synology management interface.
Same as with any such tech, the expectation is that the remote management is in separate management-only-network that is very protected from anything else.
"should" being the keyword.
Meant to configure the Synology's own firewall to block them.
Synology OS has software firewall in it.
Yes?
Because by default they are meant to be plug and forget devices where the access is only from same LAN.
Point it is that it would be trivial to configure that to block everything but its own management interface and file sharing.
And even limit access to that own management interface to only specific MAC and/or IP as source.
Because NASes etc. aren't actually that common?
And there are lot of instructions on how to do stuff with Pis for things like that, but not so much for other ways to do them.
I personally don't understand the point of (reverse-)proxy at all in home use.
There are other ways to do most of that stuff, and MITMing HTTPS to do checking on that is bad idea for most cases, as you then lose ability to check the certificates etc. on your actual computer, as everything will be signed by your own self-generated cert instead.
So for anything not SSL encrypted, there are better ways.
And for SSL encrypted things, you must MITM all that traffic intentionally, if you want more than IP.
Reverse proxy protects your app when you open it up to the internet?
How, over any other thing that snoops that traffic.
No need for self signed these days, letsencrypt is a thing
That is for servers.
Having reverse-proxy before the server.
Doesn't work when you are trying to analyze traffic going to other servers.
Oh, so a NAS isn't a server? 🤔
Afaik, a NAS is just a server. If I want to put an app on it, and open it up to the internet, a reverse proxy is recommended.
When most people think about self-hosting services in their HomeLab, they often think of the last mile. By last mile I mean the very last hop before a user accesses your services. This last hop, whether that’s using certificates or a reverse proxy, is incredibly important, but it’s also important to know that security starts at the foundation ...
This is the video that started my interest in this topic.
The point of that is that there isn't public IP for the actual server.
So the attack surface is only the actually public services, not everything on it.
And how to protect rest of your home network if the computer hosting internet accessible services has been hacked.
But will need moment to watch the video.
It's not 1 thing you implement. It's firewall + proxies + ...
proxy is open for the internet, everything behind it should be hidden.
"And how to protect rest of your home network if the computer hosting internet accessible services has been hacked."
That's why I asked about a separate device.
And anything that gets passed through that proxy will still hit that actual service program as is.
If there wasn't some protocol analysis level protection noticing known attack and not passing the data.
But like I said, I need to see what is the idea in that video.
Because so far the video has ignored the actual NAT-router-firewall in the center of the various images.
And this has almost exclusively talked about home hosting HTTP(S) server.
Not any other kind of server so far.
Just hasn't explicitly said it.
Which is again purely for HTTP(S).
What? Crowdsec?
That image at least.
Just high level overview of architecture.
Traefik itself seems to support HTTP, possibly HTTPS, and generic TCP.
No UDP, and no protocol analysis on anything but HTTP(S).
But proxies are used for more than what you described.
Ok, it does support UDP, but the TCP and UDP stuff seems to just be about load balancing etc.
yup
If you have multiple servers handling same thing in parallel.
So were you planning on hosting WWW-pages from your home network to public internet?
I understood you were only planning to host VPN from public source.
And everything else was to need that VPN to access.
vpn into an app for personal use (from outside my LAN)
Or to be in the LAN.
That's my start. (or end-goal as a start)
Might give more access down the road. But first thing to do, is make a wall around my LAN. Then build in a gate, with a good gatekeeper. In the beginning, the gatekeeper will only allow me in (VPN).
crowdsec is just to get rid of all the bots probing 😄
Basically the only relevant things on that specific video, if not doing public HTTP(S) server from your home, was that splitting the LAN into multiple ones, for different purposes and security levels, is good idea.
And that having some kind of IDS/IPS is good.
Where that IDS/IPS can be for example that Traefik with Crowdsec, for the specific types of traffic that combination supports.
Which isn't most types.
And that splitting into multiple happens on suitable NAT-router with firewall.
Most consumer ones cannot do that, as they only support single internal network for most part, outside of more limited guest-WLAN SSID.
Everything else was specific to HTTP(S) hosting from home to full public use.
In that video, the reverse-proxies were there to make port forwarding rules more specific, and to move authentication and monitoring stuff from the actual servers to separate device for management and performance reasons.
Where using cloudflare removes lot of that known bad traffic already so it never hits your own connection and overloads that.
How does this communication work? VPN on device 1 = ? protocol ? = VPN on device 2
And then that local reverse proxy was more for that management side and more granular traffic monitoring like that crowdsec addon etc.
How does a VPN communicate to other device to **create **tunnel?
VPN client outside your LAN hits your NAT-router, which forwards the traffic to the VPN server.
Which then makes that VPN clients traffic seem to originate from that VPN server.
Because you mention "HTTP(S)", I don't see that as a bad thing to secure?
So https?
Point was that that is only relevant if you try to server web pages to Internet, from your LAN.
Without having to use VPN to get inside the LAN first.
And for that kind of limited service availability, the attacker would first need to attack that VPN server software to get into the machine running that VPN server software, or to connect as VPN client.
And any crowdsec or like solution would need to be deployed on that NAT-router, or the VPN server.
Or as some other monitoring solution in the "pipe" that sees that traffic.
It will all be on one device, or that was my question earlier.
Best would be on that VPN server, as that will then see both the VPN traffic coming in, and the actual traffic going out of that VPN server.
To rest of the LAN.
Or would need to be transparent separate device between VPN server and rest of LAN(s).
Which is why in my case IDS is living on the main NAT-router, and I have multiple LANs where any traffic between the LANs needs to pass through that same NAT-router.
And that's why I asked about VLAN a few days ago
But for that VLANs are just implementation detail.
Point is to design the arch, and then convert it into VLANs before physical implementation.
First, it's technical possible to all throw this in containers on one device right?
Basically just means that instead of multiple LAN-ports and multiple cables and multiple switches, you can use one LAN-port and one cable and one switch.
[DEVICE 1 >> DOCKER-CONTAINERS: vpn -> traefik -> crowdsec -> app?]
You don't really have "apps" in this case.
For "best" security for this, you would want:
NAT-Router-Firewall with multiple LAN/VLAN support.
VPN-Server.
NAS.
Rest of LAN.
Where that VPN-server could in theory live on the NAS as container, but would probably best for it to live in DMZ zone, and NAS & rest of LAN in LAN zone.
With IDS/IPS of some sort on that NAT-Router-Firewall and limited traffic what that VPN-server can send towards the NAS, and none to rest of the LAN.
In theory that VPN-server could also live on that NAT-Router-Firewall instead too, as container or virtual machine.
I do have an app in this case? That's the one I want to get access too.
It's the whole point of this setup.
Having an app in a docker container, being accessible from outside my LAN.
With security.
And you expect someone to break into that VPN, and then access that app.
And then to have reverse-proxy to protect against that?
Instead of just more generic IDS/IPS solution instead?
Nobody expects fire. Doesn't mean you shouldn't install fire alarm 🤔
and again
reverse proxy doesn't protect me. reverse proxy + crowdsec does.
Remember, any attacker hitting that App would first have to had compromised that NAT-router (which should have no publicly accessible services), or that VPN-server software remotely.
Point was to go for more generic IDS/IPS solution, over reverse-proxy that only gets used for one specific kind of traffic if the VPN-server is compromised.
Which might include Crowdsec in the mix.
So that ANY traffic from that compromised VPN-server, or even trying to compromise that VPN-server, gets included in the checked traffic.
Mhm. Good point.
Also, no? reverse proxy + crowdsec before VPN, not after.
Cannot do anything, as that VPN traffic is encrypted in way that that reverse-proxy can only filter based on IPs.
[proxy + crowdsec] filters out unwanted traffic, rest of traffic goes to VPN.
Oh right ...
So basically only IP based filtering based on source address would work at that point.
Which can be already done with almost any good software firewall solution or any other IDS/IPS solution.
Well it would still protect VPN a bit.
security is adding layers.
not just one layer.
So I was thinking, the more layers, the better 🙂
And don't forget, I do this as a hobby. To learn.
Which was the point on doing that IDS/IPS on that NAT-Router-Firewall.
Which would be in front of all other devices.
And if that VPN-server is then split into its own (V)LAN, where the traffic has to pass through that NAT-Router-Firewall before hitting rest of the LAN, then you get also monitoring of the decrypted traffic.
But I don't want to use my ISP firewall. It's crap UI.
You cannot for this stuff.
Watching Gaming Historian makes me feel old AF
Would need to set that ISP device to Bridge mode if possible, or to do double-NAT or like.
Sorry
With second router behind that ISP device.
I mean, I don't want to use firewall on ISP router.
So you are suggesting. Don't do traefik + crowdsec (free). Buy second router and put firewall on it?
Point was that that reverse-proxy part you are stuck in is mostly just HTTP(S) thing.
And the generic solution you are looking is that Intrusion Detection System (only warns that traffic happened) or Intrusion Protection System (blocks the traffic in real time)
Point was to for example get that mini-PC, and use it as router-firewall.
Ah, that I can do.
A lot of folks buy off lease office small form desktops and shit for that too
ISP router in bridge mode, goes to switch as one VLAN that only connects to that actual router.
And comes out same port (or different port if the device has at least 2 LAN ports), goes to switch as another VLAN
And that second VLAN is what other devices use.
dw, already on that. M715Q
depends on what size you want and how much of a deal you need
shit even the rack stuff is pretty cheap
Or have two separate devices, one as that NAT-Router-firewall.
Second as VPN-server.
Where there is third (V)LAN where that VPN-server device lives on.
Can find second hand for 50 euro.
then some memory for 18 euro and I got 16gb for 70 euros.
So VPN traffic comes from internet.
Passes through ISP router.
Goes to actual router.
Gets firewalled and if passes, goes through IDS/IPS.
Gets forwarded to VPN-server.
Gets inspected by VPN-servers firewall.
Gets unencrypted.
Gets inspected by VPN-servers firewall.
Gets sent back to the actual router.
Gets firewalled and if passes, goes through IDS/IPS.
Hits actual LAN.
I was kind of hoping to put VPN on same device as the rest (the mini PC)
And that can be easily done with just service on same OS.
As container inside that OS.
Or as virtual machine.
I can always later buy a second device and separate. But as a start, I don't want to swim in devices.
With that virtual machine being most secure, if that specific device supports HW virtualization.
I'm glad I don't have to spend too much brain power on this sort of stuff... the wonders of having a guy lol
It's not where you go it's who you know...
Just "not as secure" as completely separate machine.
As if that VPN-service gets hacked, then if container or virtual machine, you can try to attack via those towards that base OS running the router and IDS/IPS.
But perfectly fine in reality.
Baldur is my sanity check in this case. I look stuff up on the internet. Then make up a plan. Then validate it with Baldur.
That was just about the "most secure" solution.
With that "run the VPN-server on the router" is the common solution and good enough.
I think at some point to worry about more on that kind of connection you have to almost be planning to piss somebody off or something lol
- So VPN traffic comes from internet.
- Passes through ISP router.
- Goes to actual router.
[MINI PC] - Gets firewalled and if passes, goes through IDS/IPS.
- Gets inspected by VPN-servers firewall.
- Gets unencrypted.
- Gets inspected by VPN-servers firewall.
- Gets firewalled and if passes, goes through IDS/IPS.
- Hits actual LAN.
[NAS]
Past a point somebody already has to put in work to get at you, they go for easy targets unless you specifically are being targeted
So that would be the flow with MINI PC?
Go to the next level and harden your linux installs 😄
arch linux needs hardening?
I like your pfp
Yes, basically after ISP-router, but before NAS, it would be internal to that mini-PC.
With possibly a virtual machine internal LAN in the mix if that VPN-service was running inside a container or virtualization instead of the "main"/"hypervisor" OS.
i dunno what arch installs by default
nothing 🤣
typically it has to be installed intentionally as it's a whole... thing
your system will not function normally out of the box without work heh
Crowdsec has Suricata log support for example.
Where Suricata is an open source IDS or IPS solution with automatic rule updates etc.
Thanks for your input. Long conversation. But ... we agree. That it's wisest to put it on a separate device and not all on my NAS?
I was kidding... mostly. But if you really really did want to be secure that would be the path along with the networking stuff.
And that I should start with a good firewall.
It sounds like you're already planning overkill for a home setup so... you should be fine lol
Some of the services could be on that NAS.
But you would anyway first need a proper router & firewall solution.
And that can then easily be used to run light services on it in a virtualized OS or the like.
Yeah, 100% overkill. But it would give me some piece of mind. Peace of mind?
IDS or IPS depending on how you configure.
Well having too much won't hurt... other than adding complexity
If you don't know what you are doing, I think you can really mess security up.
And actually enlarge the attack vector, instead of making it smaller 🤣
plus you'll know how to do stuff if you need it in the future even if you don't NEED it now
That's why I am thinking about it for a few weeks now. And not just implementing it and see what happens.
start small and expand on that
if you start with a million new things it'll be way way harder to know wtf went wrong
Basically my own solution is that NAT-router-firewall-IDS (to be converted into IPS later).
With very secured access to it, and the only accessible service being SSH with certificate from the LAN side, with additional limitations.
Then DMZ with single physical server, with very secured hypervisor OS, and then services in multiple virtualized machines.
And separate LAN.
(also an IOT network for a single IP camera that I don't want either DMZ or LAN to have general access to).
With each virtual machine OS with very restrictive firewalls, so that you cannot attack between them easily via network side, only by compromising the hypervisor somehow.
oh wow Grsecurity went commercial at some point
ssh... wow. Oh SSH only inside lan?
I have a machine that is maintained entirely via SSH
if it had a display i'd have a damn hard time seeing it from here too...
It's in the walls, Jim. 0_0
Meaning I can access that firewall machine from one machine in LAN, with right certificate.
So need username, certificate and certificate password to access.
I mean... I could remote desktop but by
in LAN gotcha 👌
pretty sure the switch my buddy got for me is all CLI
And DMZ doesn't have even that access to it.
Basically compromise DMZ machine, you still cannot easily attack that firewall machine.
It does expose DHCP and DNS to DMZ, but IIRC that's it.
Could in theory move those later to that server into another VM.
oh, I forgot. There will be a switch before the mini PC. Not sure if that adds another attack vector.
In a way, if that mini-PC only has single LAN port.
You basically need to configure that switch to not give management access over the VLAN that is for the WAN side.
And trust that there isn't some exploit that goes around that.
In the switch firmware itself.
Or just add second LAN port with USB or PCIe/m.2 adapter to that mini-PC.
That's why I asked about how many LAN ports my device should have.
because it would be switch -> mini PC -> rest of LAN.
and I thought we can fix this with the VLANs.
VLANs allow the router to not need multiple ports.
But if the WAN is also via the switch, then in theory the switch is internet accessible, if configured wrong or if that management access restriction side has exploits.
Separate WAN, and separate LAN side ports on router are better for that reason.
But nominally not needed with VLAN capable switch.
I'm not aware of any case where there was such vulnerability, but theoretically they can exist.
Just that getting the kind of device you were looking for, with 2 LAN ports, is significantly more expensive than ones with just 1.
And a USB-dongle will work in almost all cases as second port if needed.
i just have to... get around to all that. He has an AP too. And a rack. And a rack UPS...
Do I need a server closet? Well, no, but eventually I'll have one.
And of course having just single 1Gb/s Ethernet port for both WAN and LAN side shared with separate VLANs will limit the combined upload/download to 1Gb/s, not 2Gb/s like with separate ports.
As all traffic will hit the one port in both directions, once going into the router, second time leaving it.
and PoE too which is perfect for phase 2
So 1000/0, 500/500, 0/1000 as example theoretical splits.
"But if the WAN is also via the switch, then in theory the switch is internet accessible, if configured wrong or if that management access restriction side has exploits." what do you mean by this?
Moment.
All I see on my GS308T is VLAN. Nothing about WAN.
WAN, Wide Area Network.
Internet without firewall/router before it and switch.
Like I said, wait a moment.
Dynamic VLAN creation mode is disabled btw.
and from what I've read, the GS308T doesn't have a WAN port either.
First pic is how you do it with single switch, VLANs and only single port on that mini-PC router.
Second is without VLANs with at least two ports required on the mini-PC router.
In first pic that switch is internet connected for that VLAN 1, and if it accepts any kind of commands over that VLAN, it is theoretically internet-configurable.
WAN port is just a name for an internet connected network port.
And any switch port can be internet connected.
That second pic is how the traffic moves in both cases.
Yeah, I understand now.
(Alex Krycek)
So the firewall, is "gatekeeping" VLAN 1 into VLAN 2.
Telling what traffic can go from one LAN into another.
And all the attacker sees, is (v)LAN 1.
Just that if doing it with single port on Mini-PC, and managed switch with VLANs, there is VLAN with pure internet traffic connected to the switch.
So in theory that switch is internet-administrable, if the config was done wrong or if there is firmware bug allowing going around that configuration.
Basic way is that you just set that "only this VLAN number can access management".
and the rest of my devices are safe on (V)LAN 2?
But isn't that the case already right now?
Yes, those two diagrams are identical on functional level.
Traffic on VLAN1 and VLAN2 is completely separated, if some device doesn't move that traffic between those two.
Like if they were completely separate physical cables.
No, I mean right now. How I am using it.
Router -> WAN -> Switch -> LAN
So, isn't my switch already "internet-administrable"
regardless of the VLAN etc.
Switch configuration detail.
Currently you have single VLAN on it, with ID 1.
Which all ports are "natively" connected to, and which the management interface is accessible over.
And to change to that kind of VLAN config, you would create two new VLANs in it.
Configure one port to only work as WAN VLAN port with no VLAN tags allowed and connect that to the ISP router.
Then configure another port to allow VLAN tagged traffic with WAN and LAN tags and connect that to the mini-PC router.
And configure the rest of the ports to only allow LAN VLAN traffic, with no VLAN tags allowed.
And configure that management interface to only allow access from LAN VLAN.
Not from default ID 1, or the ID you used for WAN side.
So without some firmware exploit, you can only then access its management interface from inside the LAN side.
Even when it is physically connected direct to internet, just ignoring anything happening on that side.
That isn't WAN anymore after that Router.
Then why is it in this case?
If it isn't in bridge-mode.
Because in that pic the ISP router has been neutered, to act as a switch basically.
So, Mini-PC router would be in bridge?
Or, no ISP router would be.
Yes, ISP router bridges traffic to Mini-PC router.
Just to pass everything in both directions without doing anything above layer 2.
So not doing anything on IP level at all.
I don't think I can do this.
The LAN is a bit more complex than that. Not everything is behind the switch 😄
Can also be done with ISP router still in full router mode.
But that just leads to need for double-NAT or like, and needing to configure any port forwardings on the ISP router too.
But the basic thing is, that to get anything "real" done, that ISP router needs to be ditched to the maximum extent possible.
And the functionality it is currently providing provided by new devices behind the new router.
ISP router goes to TV decoder.
