Messages - Gauss23

#16
"Domain name needs at least one dot". What did you enter?
#17
Quote from: meyergru on September 25, 2024, 09:59:36 AM

1. If you need the additional applications under Proxmox and have no other hardware for them, you can do that - but many people want dedicated hardware for the firewall.

That is of course correct.

Quote from: meyergru on September 25, 2024, 09:59:36 AM
2. The thing is more expensive than the requested 250 €.

That was meant more as an example anyway; that device currently has a 60 € discount, which would put us at 339 with considerably more performance.
That is also one of the reasons why I would not suggest the smallest passively cooled CPU. He wrote something about NGFW with Zenarmor. Depending on what he plans to do with it, a small CPU can be overwhelmed by that. Especially when the internet connection is established via PPPoE, the small CPUs are often not able to deliver 1 Gbps, let alone offer more than pure network filtering.

Quote from: meyergru on September 25, 2024, 09:59:36 AM
3. The running costs are higher because of the processor's TDP (45 watts instead of 6 watts). At 24/7 and current electricity prices, every additional watt costs about 2 € per year, which makes about 40 € if I assume that the average power draw is only 20 watts higher.

Well, I would think that such a unit ends up at around 10-12 W. But if the running costs weigh that heavily, it is of course a concern.

Quote from: meyergru on September 25, 2024, 09:59:36 AM
4. They are Realtek adapters again: https://androidpctv.com/wp-content/uploads/2024/09/Beelink-EQR6-review-t001.jpg and only 1 Gbps, although the former doesn't matter if you run Proxmox. But then you can only pass the network adapter to the VM as a bridge, not natively (you have to share LAN anyway, because there are only two NICs).

As I said: the device was just a quick pick, they certainly also exist with Intel NICs, but unfortunately you often can't rely on that, since specs are sometimes changed without notice.
#18
And please use the terms allowlist and denylist instead of those old fashioned biased words.
#19
In such cases I have tended to go for something like this:
https://amzn.eu/d/567ghXO

Proxmox goes on it and OPNsense runs as a VM. Then you can give Unifi its own VM and still have enough power for many more applications. With a UPS and an external disk for backups, it's actually a pretty well-rounded setup.


I would also rather avoid PPPoE dial-in via OPNsense. At 1 Gbps you can get into trouble there, especially with the small processors. PPPoE under BSD is somehow only single-threaded. Under Linux it works better.
#20
I usually run Proxmox and then spin up VMs or containers as needed. Every container gets the configuration it needs for the use case. Netbird server also needs a lot of ports to run, port 80/443 would therefore not be sufficient.
I would then suggest to use the OPNsense built-in WireGuard and manually connect what needs to be connected.
#21
Ok, so podman seems to be the issue here. What speaks against using docker?
#22
Quote from: Patrick M. Hausen on September 17, 2024, 10:42:06 PM
By the book that's a full mesh, not a hub and spoke topology. In the latter everything goes through the hub.

You're completely right. But it doesn't have to be a full mesh, you can always control which spokes are able to talk to each other.

Quote from: luckylinux on September 18, 2024, 06:56:36 AM
Good to know that's also a Feature Netbird provides  :). If only it would work in my case  :(.

As for Zitadel, that's the third Attempt I did back then on my Hetzner VPS (after Authentik and Keycloak) and it would NOT work at all. Zitadel was such a Memory Hog that I believe it triggered the OOM Killer due to excessive RAM Usage. Anyways, not an Option on a low CPU/RAM VPS. I have a dedicated Server now with several KVM Virtual Machines, so I could try that.

But I really liked Authentik, it's just an absolute PITA to interface with Netbird. And Netbird Debugging / Troubleshooting Capabilities are quite bad in my View, when something does not work (at all), it's not very clear (at least to me) as to why. And when it works, it's probably fine (until it breaks). I never managed to even get something to show up on the Web GUI so it's really frustrating to be honest  :(.

export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash


that's basically all I did to get it up and running within 5 minutes.

My Netbird host is a Hetzner VPS, ARM64, 2 CPUs, 4 GB of RAM, of which only 1.2GB are used. Postgres as database backend. Can't really see the OOM problems you had.

Quote from: luckylinux on September 18, 2024, 06:56:36 AM
Granted, it could also be due to the Reverse Proxy (Traefik) Setup and possibly some Firewall Rules (I added exceptions based on Netbird specifically mentioning Hetzner Stateless Firewall although that did NOT make any Difference).

As to Wireguard breaking down ... I see that as a MUCH less likely Risk. Yes, it might be more of a PITA to set up Manually 100 Instances of Wireguard (Ironically in my Homelab, Gitlab and Nextcloud kinda forced my Hand on this one, since I HAVE to use NFS since their Update Script doesn't work with Samba/SSHFS Permissions and I don't have the Time to setup a Kerberos server for NFS - so I just do NFSv3 TCP over Wireguard UDP).

But compare generating a Keypair, setting up one small Config file for each Point-to-Point Connection with a System that might very easily break between Updates (either on Netbird side, or on Authentik/Keycloak/Zitadel side). I'd say Wireguard is very Reliable in that Regards.

Netbird should begin having some Consistency in their config File ... Depending on the Guide you Follow some Config/Environment Variables are NETBIRD_AUTH_XXXX and others are AUTH_XXXX and it's not always clear which Direction they are moving towards (I kinda had to duplicate quite a few of them in Order to suppress some Warnings in the Logs, although that did not solve my Problems).

Netbird is a project under heavy development, so I think things like the naming of config variables will be aligned. But as far as I can tell, it's really solid. Not a single problem while updating or running it.
#23
Quote from: luckylinux on September 17, 2024, 07:37:40 PM
KISS with Wireguard only or Wireguard + Netbird at the "Price" of having a bigger ecosystem that can break more easily ? Uhm ...

I just saw, that I use Netbird with the default IdP Zitadel and not Authentik or Keycloak. Used the provided script and it was running out of the box.
Of course you add another service (at least self hosted if you want), but I think you gain a lot of features, like Zero-Trust for your clients.

Configuring connections to one single hub is fairly easy. If your central WireGuard hub goes down, you're lost, too.

Connecting all the spokes in a peer-to-peer manner is another story, if you have more than 4 spokes: that's 6 spoke connections and one to the hub, with 5 spokes, it's already 10 connections + the hub.

With Netbird you're able to configure multiple routes to the same destination, if you want. I think OPNsense and Netbird are a perfect match here.
#24
I think Patrick means to use the tools that are already there: WireGuard.

You rent a VPS at your trusted VPS host and let this be the WireGuard hub. All your other locations connect to this hub and traffic is distributed as needed/configured.

I have this currently in place. Some of my locations also have "old" IPsec tunnels between each other. But I want to get rid of those. I could use WireGuard but then I stumbled across Netbird and I'm directly a huge fan of it.

It leverages the idea of Zero Trust, which I definitely prefer as boundaries are vanishing more and more. In a hybrid environment with multi-cloud and multiple On-Prem locations it gives you the best approach to connect everything with each other. And the best part is: the hub concept is only used, when a direct connection is not possible. Otherwise the spokes are connecting directly to each other.

I don't understand why you didn't succeed in getting Netbird up and running. I'm using it with Authentik and used the script that was provided. No issues at all.
#25
I can only speak for Netbird. In theory it should be possible to use some dyndns service to update the IP of the control server, but a static IP would also be my minimum requirement 8), otherwise you can suffer some short outages.
#26
It doesn't have to. You can host this control server at one of your sites on-prem. It needs some ports opened on the WAN side. Netbird is falling back to a hub connection (with the control server as the hub to relay connections) as soon as two sites are not able to talk to each other directly, which is the preferred way. Therefore it's a good idea to choose the location with the best internet connection in terms of bandwidth.
#27
Maybe it's something on the network. Do you use STP or similar? That explains things getting sluggish over time and not reacting anymore at some point in time. I would check in that direction.
Are you able to access the OPNsense via console, when it's no longer reachable via network?
#28
You should also consider using Netbird selfhosted on such a small vps as control server.
Netbird is a really nice product. It also adds Rosenpass over Wireguard to be post quantum encrypted.

I use Netbird as a MPLS replacement to connect multiple offices very seamlessly together.

There are some guys building a Netbird plugin for OPNsense: https://github.com/netbirdio/netbird/issues/2200

I really hope that this plugin finds its way to the OPNsense plugins like Tailscale.
#29
Hey, after a long absence I just wanted to check whether there are still user group meetings. What is the status on that? The last post here is from February?
#30
To accomplish this I don't need a block rule, do I?
On every vlan interface I would have a rule to allow access to non private addresses via the destination invert option. Did I miss something? I rarely had the need for a block rule.
Or do you work with floating rules to avoid having rules on every interface?
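As an added illustration (not part of the thread), here is a small Python model of the rule logic this post asks about: one pass rule per VLAN interface whose destination is the inverted "private networks" alias, with the implicit default deny supplying the block, so no explicit block rule is needed for inter-VLAN traffic. The VLAN names, networks and addresses are constructed, a floating rule is modelled simply as a rule bound to no interface, and the model ignores state tracking, quick/non-quick ordering and the firewall's own interface addresses.

```python
"""Constructed model of per-VLAN "allow to non-private" rules with an implicit default deny."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# RFC1918 space, the usual contents of a "private networks" alias.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges that are not RFC1918 but are not public internet either (CGNAT, link-local, loopback).
# An alias that lists only RFC1918 leaves these reachable through an inverted-destination rule.
EXTRA_LOCAL = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    interface: Optional[str]            # None = floating rule, evaluated on every interface
    action: str                         # "pass" or "block"
    source: ipaddress.IPv4Network
    destination: List[ipaddress.IPv4Network]  # alias contents
    invert_destination: bool = False    # the "destination / invert" checkbox

    def matches(self, iface: str, src, dst) -> bool:
        if self.interface is not None and self.interface != iface:
            return False
        if src not in self.source:
            return False
        in_alias = any(dst in net for net in self.destination)
        # With invert set, the rule matches exactly when dst is NOT in the alias.
        return in_alias != self.invert_destination


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(iface, src_ip, dst_ip):
            return rule.action
    return "block"  # implicit default deny, no explicit block rule required


def per_interface_rules(vlans: dict, private_alias: List[ipaddress.IPv4Network]) -> List[Rule]:
    """One 'pass from <VLAN net> to !<private alias>' rule on each VLAN interface."""
    return [
        Rule(name, "pass", ipaddress.ip_network(net), private_alias, invert_destination=True)
        for name, net in vlans.items()
    ]


VLANS = {"VLAN10": "10.10.0.0/24", "VLAN20": "10.20.0.0/24"}  # constructed
INTERNET_HOST = "198.51.100.20"   # constructed public destination (TEST-NET-2)
FIREWALL_WAN = "203.0.113.1"      # constructed public address on the WAN side


def demo() -> dict:
    narrow = per_interface_rules(VLANS, RFC1918)
    wide = per_interface_rules(VLANS, RFC1918 + EXTRA_LOCAL)
    # A careless floating rule "pass from any to !private" applies on WAN as well.
    floating = [Rule(None, "pass", ANY, RFC1918, invert_destination=True)]
    return {
        "to_internet": evaluate(narrow, "VLAN10", "10.10.0.5", INTERNET_HOST),
        "to_other_vlan": evaluate(narrow, "VLAN10", "10.10.0.5", "10.20.0.7"),
        "cgnat_rfc1918_only": evaluate(narrow, "VLAN10", "10.10.0.5", "100.64.0.1"),
        "cgnat_extended_alias": evaluate(wide, "VLAN10", "10.10.0.5", "100.64.0.1"),
        "inbound_wan_floating": evaluate(floating, "WAN", "192.0.2.44", FIREWALL_WAN),
        "inbound_wan_per_interface": evaluate(narrow, "WAN", "192.0.2.44", FIREWALL_WAN),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The two things the model makes visible are the caveats a defender would check: the "private networks" alias must list every range you consider internal (an RFC1918-only alias still allows CGNAT and link-local destinations), and a floating rule with source "any" is evaluated on WAN too, where the inverted destination matches the firewall's own public address; per-interface rules with the VLAN network as source avoid that.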