i once had to look at a firefall appliance cluster, (discovered, it could not do any failover in its current state but somehow the decider was ok with that) but when looking at its logs, i discovered an rsh and rcp access from an ip address that belonged to a military organisation from a different continent. i had to make it a security incident. later the vendor said that this was only the cluster internal routing (over the dedicated crosslink), used for synchronisation (the thing that did not work) and was only used by a separate routing table only for clustersync and that could never be used for real traffic. but why not simply use an ip that you “own” by yourself and PTR it with a hint about what this ip is used for? instead of customers scratching their head why military still uses rcp and rsh. i guess because no company reads firewall logs anyway XD

someone elses ip? yes! becuase they’ll never find out !!1!

i really appreciate that ipv6 has things like a dedicated documentation address range and that fc00:/7 is nicely short.

ipv6 in companies… ipv6 is not hard, but for internal networking no company (really) “needs” more than rfc1918 address space. thus any decision in that direction is always “less” needed than any bonus for (da)magement personnel is crucial for the whole companies survival…

for companies services to be reachable from outside/ipv6 mostly “only” the loadbalancers/revproxies etc need to be ipv6 ready but … this i.e. also produces logs that possibly break decades old regexes that no one understands any more (as the good engineers left due to too many boni payed to damagement personnel) while other access/deny rules that could break or worse let through where they should block (remember that 192.168. could the local part of ipv6 IF sone genious used a matching mech that treats the dot “.” as a wildcard as overpayed damagement personnel made them rush too fast), could be hidden “somewhere”. altogether technical debt is a huge blocker for everything, especially company growth, and if no customer “demands” ipv6, then it stays on the damagement personnels list as “fulfilling the whishes of engineers to keep them happy” instead of on the always deleted “cleaning up technical debt caused by damagement personnel” list.

setting up firewalls for ipv6 is quite easy and if you go the finegrained “whitelisted or drop/block” approach from the beginning it might take a bit for ipv6 specials to be known to you, but the much bigger thing is IMHO the then current state of firewall rules. and who knows every existing rule? what rules should be removed already and must not be ported to ipv6? usually firewalls and their rules are a big mess due to … again too many boni payed to damagement personnel, hindering the company from the needed steps forward…

ipv6 adoption is slow for reasons that are driving huge cars that in turn speed up other problems ;-|

maybe start with an adjustable setup:

• rent a cheap vm, i got one for 1€/month (for the first year,cancel monthly) from ovh currently
• setup 3 openvpn instances to redirect all routes through the tunnel, one with ipv4 only, one with ipv6 only and one with both
• setup the client on your mobile phone and your laptop both with all three vpns to choose from
• have the option to choose now and try out ipv6, standalone or dualstack depending on what vpn you switch on
• use this setup to blame services that don’t support ipv6 yet or maybe are broken with dualstack 🤣
• rise from under-the-stone (disabling ipv6 only) to in-sunlight (to a well-above-industry-standart-level !!! “quick” new network technologies adopting “genious”) 🤣
• improve your openvpn setup from above to be reachable “by” ipv6 too if you haven’t done it from the beginning, done: reach the pro-level of the-late-adopter-noob-group

(if you want, ask for config snippets)

btw i prefer to wait for ipv8😁 before “demanding” ipv6 from services i use 🤣

i am happy to have a raspberry pi setup connected to a VLAN switch, internet is behind a modem (like bridged mode) connected with ethernet to one switchport while the raspi routes everything through one tagged physical GB switchport. the setup works fine with two raspi’s and failover without tcp disconnections during an actual failover, only few seconds delay when that happens, so basically voip calls recover after seconds, streaming is not affected, while in a game a second off might be too much already, however as such hardware failures happen rarely, i am running only one of them anyway.

for firewall i am using shorewall, while for some special routing i also use unbound dns resolver (one can easily configure static results for any record) and haproxy with sni inspection for specific https routing for the rather specialized setup i have.

my wifi is done by an openwrt but i only use it for having separate wifis bridged to their own vlans.

thus this setup allows for multi-zone networks at home like a wifi for visitors with daily changing passwords and another fror chromecast or home automation, each with their own rules, hardware redundancy, special tweaking, everything that runs on gnu/linux is possible including pihole, wireguard, ddns solutions, traffic statistics, traffic shaping/QOS, traffic dumps or even SSL interception if you really want to import your own CA into your phone and see what data your phones apps (those that don’t use certificate pinning) are transfering when calling home, and much more.

however regarding ddns it sometimes feels more safe and reliable to have a somehow reserved IP that would not change. some providers offer rather cheap tunnels for this purpose. i once had a free (ipv6) tunnel at hurricane electronic (besides another one for IPv4) but now i use VMs in data centers.

i do not see any ready product to be that flexible. however to me the best ready router system seems to be openwrt, you are not bound to a hardware vendor, get security updates longer than with any commercial product, can 1:1 copy your config to a new device even if the hardware changes and has the possibility to add packages with special features to it.

“openwrt” is IMHO the most flexible ready solution for longtime use. same as “pfsense” is also very worth looking at and has some similarities to openwrt while beeing different.

ich you have adhd and asperger or better, you might end up beeing trained by yourself for ignoring google’s, microsoft’s or other f’uped up so called “autocorrection” and ‘automatically’ overlook single mismatching words but recognize the sentence as a whole without actually reading it word by word. some can read entire pages with a single look on it without focusing on a a specific region or i.e. the center while still beeing able to later rephrase the content of the entire page.

1up for all with special (dis-)Abilities!!

my 2 cents just in case…:

A raid6 is not a replacement for backup ;-) i use rdiff-backup which is easy to use, stores only one full backup and all increments are to the past while it is only possible to delete the oldest increments (afaik no “merging”) i never needed anything else. The backup should be one off-site and another one offline to be synced once in a while manually. Make complete dumps (including triggers, etc) from databases before doing the backup ;-)

i like to have a recreateable server setup, like setting it up manually, then putting everything i did into ansilbe, try to recreate a “spare” server using ansible and the backup, test everything and you can be sure you also have “documented” your setup to a good degree.

for hardware i do not have much assumptions about performance (until it hits me), but an always-running in-house server should better safe power (i learned this the costly way). it is possible to turn cpu’s off and run only on one cpu with only a reduced freq in times without performance needs, that could help a bit, at least it would feel good to do so while turning cpu’s on again + set higher frequency is quick and can be easily scripted.

hard drives: make sure you buy 24/7, they are usually way more hassle-free than the consumer grades and likely “only” cost double the price. i would always place the system on SSD but always as raid1 (not raid6), while the “other” could then maybe be a magnetic one set to write-mostly.

as i do not buy “server” hardware for my home server, i always buy the components twice when i change something, so that i would have the spare parts ready at hand when i need it. running a server for 5+ years often ends up in not beeing able to buy the same again, and then you have to first search what you want, order, test, maybe send back as it might not fit… instable memory? mainboard released smoke signs? with spare parts at hand, a matter of minutes! only thing i am missing with my consumer grade home server hardware is ecc ram :-/

for cooling i like to use a 12cm fan and only power it with 5v (instead of the 12v it wants) so that it runs smoothly slow and nearly as silent as a passive only cooling, but heat does not build up in the summer. do not forget to clean the dust once in a while… i never had a 5v powered 12V-12cm fan that had any problems with the bearings and i think one of them ran for over a decade. i think the 12volt fans last longer with 5v, but no warranty from me ;-)

even with headless i like to have a quick way at hand to get to a console in case of network might not be working. i once used a serial cable and my notebook, then a small monitor/keyboard, now i use pikvm and could look to my servers physical console from my mobile phone (but would need ssl client certificate and TOTP to do so) but this involves network, i know XD

you likely want smart monitoring and once in a while run memtest.

for servers i also like to have some monitoring that could push a message to my phone somehow for some foreseeable conditions that i would like to handle manually.

debsums, logcheck logwatch and fail2ban are also worth looking at depending on what you want.

also after updating packages, have a look at lsof | egrep “DEL|deleted” to see what programs need a simple restart to really use libraries that have been updated. so reboots only for newer kernels.

ok this is more than 2 cents, maybe 5. never mind

hope these ideas help a bit

Missing in the picture: Apple.

I cannot code like this currently, because my girlfriend occupies my laptop with doing her yoga.

tuché?

see, capitalism works!

1. sell 10million packages each with missing 2% of contents.
2. sell those 200000 extra packages with the contens you “saved” (no, not 204000 with again missing 2%, see below why)
3. do not pay taxes on extra packages you sold as you can “proof” you sold all 10million paying those taxes.
4. receive 200000 * price of package as personal taxfree extra income.
5. write that one guy who complained about missing 8grams of pasta a sorry letter
6. complain about time loss and costs writing a single sorry letter and pay paper and stamp out of “marketing” campaigns budget
7. complain about the world not trusting companies
8. complain about people using badly adjusted scales
9. complain about someone selling none-genuine products on market with your logo faked.
10. assume that those packages with missing contents could be just those fake products.

done a full circle.

but… kitchen scales are really bad. most other scales as well. i tried to find (electronic) scales that are actually precise:

for low weights i ended up with a scale with 0.01 gram precison, but it could only measure a bit more than 100grams (and also included a 100gr calibration weight)

for higher weigths i only found a scale for post offices measuring packages. the only thing the vendor “really” promised was that multiple times measuring the same thing would be showing the same weight (nope the best “affordable” scale on the market here did not promise to measure correctly, just to measure over and over the same…)

i guess the options for accurate measuring of more than 100gr are:

• old style mechanical scales daily adjusted
• high priced industry/laboratory scales with warranties

fun fact:

after i bought that 0.01gr precicion scale, amazon showed me small plastic clip bags with green leaf signs on it as “recommended” products for month, while i used the scale to mix just small amounts of 2-component epoxy resin in projects.