Welcome to the Homelab Show, episode 39: questions and answers. Some of you have been filling out that feedback form, and we're excited to do some Q&A. I know there are a lot of questions that get thrown around because we do this as a live stream, but we want this to have the goal of ending up as a podcast; therefore we don't get to read all of your questions during normal episodes. But we will be reading them here, so those of you that are just listening will, of course, understand what the question was, and me and Jay's thoughts on the answer.

You know, that was actually the slogan I missed the most from Radio Shack: "You've got questions, we've got answers." I thought that was such cool branding. Not enough to save the company from poor business management, but it's some good branding.

I think the Whiz Kids were the best branding ever, because you got a free comic book that advertised a Tandy, and those kids were cool because they had a computer and I didn't.

Oh yeah, I remember that. So yeah, someone, and I don't know this to be true, you take it for what it's worth, I saw someone posting it, I think it was on Twitter, so if it's on social media I don't necessarily believe it, but someone said that some of the Radio Shacks reopened as independent brands. Independents: they're still under the same Radio Shack, but they're now independent. I don't know if this is true, but I thought it's kind of interesting that they could reboot the brand at all. I don't know, I'll see how that goes. It's interesting.

But I speak for a lot of people when I say, you know, talk is cheap, but where's the TRS-80? Where's my TRS-80? That's where it all started for me. The history of all of that is fun, but it comes down to what brand are they now versus what, because in the end they weren't quite the tech nerd heaven that they were when I was young, like Jay says about the TRS-80 and things like that. But welcome to the show. One day we'll do maybe a, what do you call it,
we'll do a history episode, because boy, you know, working in tech a long time, there is a history. So here's some more Q&A and feedback you can leave as to whether or not we should do an old-history-of-tech show. Maybe that might be kind of a fun topic as well. Just listening to us talk about random stuff is probably a show in and of itself, but we go down the rabbit hole quite a bit and we have to catch each other sometimes, like, "Back to reality, dude, it's time to talk about the thing."

Back to reality. Speaking of reality, we have to pay the bills. That's a reality I have to live with, and paying the bills right now, well, Linode are our sponsor and have been since the beginning here of the show. We would love to have you sign up with Linode using our offer code; that's in the link down below. They have been great to work with, and great if you want to get started on it. We actually host a lot of our infrastructure there, the podcast that you're listening to included, running on WordPress. I don't know if WordPress is really worthy of a podcast episode, because I don't know that there are a lot of homelab people setting it up, but you can, if you want to get one set up, and as we've done before, you can use the templates they have to get it deployed if you don't want to deploy it yourself over on Linode. It's a great way, using some of the pre-deployed templates they have, to kind of figure out how to get something set up. Set one up with Linode, use some of their auto-approved templates, and use our offer code to sign up for Linode. It's a great way, if you don't have a lab yet and don't have the time to set up an entire lab; they can help get it going for you. We like to thank them for sponsoring the show, and like I said, use the offer code down below to get signed up, and let Linode know you heard about it from the Homelab Show.
That's important, because we're going to be doing some contract renewals for ads and things like that, and Linode may have heard me just say that, so email inbound, Linode. Yeah.

This is the housekeeping we have to do. Some people say, "we wish you'd have sponsors." If someone could just throw enough money at us to cover sponsorships... there are alternative methods, but as much as that sounds good, it's a lot harder to do in person. Listen to Leo Laporte discuss, you know, running the TWiT network. He's very open about a lot of the challenges that come with figuring out ways to set everything up as a subscription, and I think all of us can agree we've all paid too much in subscription fees, because it's so confusing now. When you want to watch a live stream or listen to something, do I have to pay a service fee or a subscription? I don't know.

I think I speak for both of us when I say to all of you out there that are contacting us, like every single week, asking us to add a sponsorship for really shady Windows product keys from God knows where: we're not interested.

Yeah, yeah, yeah. Fun times, that too. Yeah, that's actually funny. It's weird, you know, being on this side of the house, with me and Jay both being content creators, we definitely get approached by all kinds of crazy things, especially those product key people.

Every week, every single week.

Yeah. All right, lots of Q&A here. What's the first question? We're going to start with Jay.

I'm going to start with an easy one, because it's easy. Well, I don't know, I think that's part of being a content creator, at least in my opinion, is that you admit when you don't know something, because nobody likes it when it's "yes, I know everything about that thing, and I'm the expert." About Btrfs, I am not an expert, admittedly. I actually haven't looked at it yet.
It is on my list. It's one of those problems where there are so many things on my list that I want to check into, because I just love all of this stuff so much, but unfortunately there are only 24 hours in the day. We were sent a comment about, you know, Btrfs, and that's one of those things that I want to get into really bad, and that the snapshots, if I'm understanding the comment correctly, are based on ZFS's design. I don't know; I haven't looked into that at all yet. But I bring this up because we get a lot of questions and feedback about Btrfs asking us to do more content about it, and until I have a moment to do my own video on that and dive into it myself, there's really little I can do. But I just bring it up to let people know that it's going to happen. I don't know when, I don't know what episode it's going to be. I think it's safe to say it'll most likely happen next year, which is just coming up, but you know, that's 12 months, so it doesn't narrow it down too much. But it is something I want to look into, and if it is something I think might fit an episode, maybe I'll pitch it and see if it lands.

Yeah, Btrfs is definitely pretty cool. I mean, someone once called me the cult of ZFS: "you're falling into that," and I don't like monoculture. I think we are better served by a diversity of different tools, but unfortunately ZFS is one that's really popular, it's really well developed, and a lot of effort has been put into it. And of course my favorite tools that I use are frequently built with it, such as the TrueNAS and FreeNAS platforms. So yeah, I'll admit to knowing way more about ZFS than Btrfs.
Oh, yeah. But you know, the interesting thing about that is, I understand why people might think that someone might be biased towards a specific technology. The reality of it is that, honestly, it's just down to hyperfocus. Like, if I check out a movie and I love the movie (by the way, the new Spider-Man is amazing), I'm going to tell people about it, right? I'm just kind of sharing that love of something with other people. If I'm checking out a product or a piece of software and I just love it, I have to tell people about it, and it's not bias so much as it is being overly enthusiastic, I think, is a better way to describe it. But when it comes to these things, like I mentioned, we don't have time to go through everything, although we want to, because I guarantee you, if something was to happen in the universe to where, the name, that'd be really cool, I would totally get to all these things a lot faster. But at the end of the day, if we're already using something, it's super easy to make content about that, and when it comes to storage that's really hard, because if you think about it, I have terabytes of data, and to really give Btrfs a chance I would, in an ideal world, just want to copy everything on my ZFS stack over to it, to give it the same use case and the same test. But that's a lot of work when you're just syncing data over and testing snapshots and all the things you normally do. The production time for a video on that takes longer. So that's why it hasn't happened yet, and in some of these cases there are like 50 solutions for one problem, and which one do we go with?

Yeah, and it's also the nervousness. Even though, you know, three-two-one, follow all the proper backup procedures, moving terabytes and terabytes of data is a lot, and risking all of it, because it's still time. Cool, I have it all backed up off-site.
I still have to restore that somehow if I moved everything to Btrfs and it failed; now I have that problem. And I say move everything because I can't just move one thing. I have replication between three different ZFS servers; if I change one of them to Btrfs, Btrfs to my knowledge doesn't replicate to ZFS, therefore it's a big changeover. So yep.

And I can do a tutorial about it pretty easily by just copying a handful of ISO images to it and, you know, just making a snapshot, restoring it, just to show people how it works. But it doesn't necessarily mean that I could give it a recommendation, because I don't feel like that's enough for me to say "yes, I recommend this, it's perfect, I just tried it with a few ISO images." I mean, that's barely even an adequate test. So there's a lot of interesting back-and-forth that we talk about off-camera before we decide to do any particular piece of content, but Btrfs is something that fascinates me, so I really think it's going to happen. So I'll let you guys know when.

Yep. On to the next question here: "I have a Netgate SG-1100. I love it and I want to play. What services are the easiest to move off my firewall without losing functionality of my network or making it more difficult?"

All right, the moment you start moving the services from a nice integrated single place, it's going to get more difficult, but it's going to get more fun, my version of fun. You can take and set up things like port mirrors if you wanted to dive into a security tool or a SIEM tool where you monitor all the traffic and start digging into it. It's easier, of course, when it's in a firewall, but as you start breaking these things off it can be interesting. Pi-hole is a popular project; pfBlocker is the replacement, so to speak. So pfBlocker is great running on pfSense, but some people like some of the features in Pi-hole, as they should, because Pi-hole goes a little bit more with the way it has the web interface, and it's a slick system.
It's got pretty graphs in it and things like that, and it has extended functionality. So that's like one of the easy ones you can probably break off and set up: a Pi-hole. Due to, and don't ask me why, due to the indiscriminate ways that YouTube determines things, Pi-hole is a taboo word, I've learned on YouTube. YouTube doesn't like the discussion of it too much. It seems to be mixed: they hated it, then they liked it, and there are some people that have got some good videos on it now. It's to me a hot-button topic, so don't ask me to do a video on that. I have in the past; I won't do it again. That's probably the easiest one you can move off of your pfSense firewall.

Other things, I don't know, Squid filtering. I don't even recommend you have it on your firewall, but if you wanted to play with proxying you could do that. HAProxy, though, doing a reverse proxy for things, that's absolutely something. I think Jay probably has a few videos on how to do reverse... Do you have a reverse proxy video with nginx, Jay?

Not yet. I mean, I do have that used as part of other tutorials, but not as the namesake of the tutorial. And what's hard about that reverse proxy situation is it's really hard to give people a thorough explanation of it that'll work for most people, because depending on the app that you're proxying to there could be different nginx rules, for example, and it's really hard to find a balance of "you're always going to need this, and there are different ways to tackle this." But if I was to do a proxy in front of Nextcloud, that may not work as well for WordPress, or vice versa, depending on what you're running, or especially if you're running something like AWX, which is another thing I get asked about a lot. Proxying to that is a different thing entirely. I had a music server one time; I had to add a proxy to that differently.
So it's really hard to find the balance of when to use one option versus another and how to structure a tutorial around that, but once I figure out a good middle ground I would love to tackle that.

Yeah. Other things... I can't really think of too many other things you would take off of the firewall. I mean, hand-building a firewall and eliminating it altogether is a way more complicated task. I've actually known a few people that have done it, but they realized that there's a reason that things like pfSense exist: to help make managing firewalls, in the big picture of things, easier. I think it's a great learning experience. I don't discourage people who want to learn, but it all depends on what level of network engineering you want. Most of the functions that stay on the firewall are probably best suited to, generally speaking, stay there. Now, once you move into the enterprise network, these are generally separate functions anyway: firewalls do routing, and then proxies do filtering, and DNS is usually handled, generally speaking, by the Active Directory systems that are integrated within that network. So yeah, I would say, in my opinion, any time you're dealing with a network homelab project, that is when you're probably wanting to dedicate a weekend to it.

And in some ways that might be a little bit easier now for some people, because depending on where you are in the world you might be quarantining, you may not be, but if you have like a weekend, especially here in Michigan when it's the wintertime, regardless of pandemic or not, there's not much to do, there's not much going on. So yeah, "I'm going to dedicate this weekend." That's exactly what you should do for a networking project. I don't think I've ever had, regardless of how experienced I was at the time, a network project that was quick. If you're implementing VLAN subnets, moving firewall rules, I guarantee you things will break in ways that you did not anticipate.
It's just the way it is. It doesn't mean you're not good enough. It doesn't mean that you're not a good networking person. It means that you just got hit by reality. That's just the way it is. So it's not something like, "oh, I'm just going to spend an hour and move my firewall rules off." Just spend the weekend on it as a network project and redo your networking, because things are going to be broken: the Plex server is not going to be working, people won't be able to get to it, your phone will be going off if you share that with someone else and they can't watch the last three Matrix films. That's the way it goes, right? It's just a long process, but it's a fun one, and I've always just dedicated a weekend when I have nothing going on: this is the project I'm going to do. When I implemented VLANs, for example, that was a weekend project. When I switched from having my manual firewall set up with iptables to pfSense, that was a weekend project. So I'm not saying that to scare anyone. I think a certain subset of our audience might get excited by that: "a weekend project? Really? That sounds great. When can I start? I'll start this weekend, it's almost Friday anyway." So that's when you should do it. It's a lot of work, but it's fun, because you'll solve real networking problems and you'll learn a lot during the process, every single time.

Yep. And I have not had a chance to have videos on this, but the good news is there's Security Onion. You can dive into Security Onion, which is a full open source SIEM tool, to get into things. I don't know, eventually, once I have my new studio built, I can have more time in one area to focus on something, because it's so in-depth. I may do a long, deeper video on Security Onion. I've used it, I'm using it, and I think it's great, but it is a lot to get set up. So let's see, moving on to the next one.
Hopefully that's enough stuff. Oh, but VPN, obviously you can do that on or off the firewall too. We'll just throw that one in there, but I've got plenty of videos on VPN.

"Can we get an episode on live patching?" That's kind of something we talked about and covered in the Linux patch management episode, episode 32. So I think we covered that. Do you have some more thoughts on that, Jay, for live patching?

Yeah, I'll just give some summary thoughts, because I don't really feel like it's a topic that could actually make an entire episode, because it would be over too quickly. There are too many sides to deal with. So it's not quite as simple... I mean, it is simple and it's not, but it's just not an episode's worth. But in short summary: live patching is great because you could essentially just live patch the kernel on your Linux server. That's what it actually means. So you could have that CVE fixed, potentially, without rebooting. Now, rebooting for us in the homelab is not really as big of a deal as it is for the enterprise, because at most we're going to upset the kids when the Plex server is down, so they can wait. "I have a patch to apply," and that's not really a big deal. But at the same time, I think even though reboots aren't as egregious to us, it's still annoying to us and we still don't like it all the same. And when you get into this, the problem is that the Linux kernel itself supports live patching; that's why we can do this. But they don't build the interface through which you inject those live patches. For that you're often dealing with a license agreement or a support agreement that costs money, and at that point, is it really worth it? Now, you could get around this by using Canonical's Livepatch utility if you use Ubuntu at all. That's free for up to three systems before you have to pay for it.
So right there you have that ability. There's TuxCare, you know, they are a sponsor of my channel, but I actually like them a lot and I use it, because they facilitate this for you and they're cross-distribution, because with Canonical's service that's Ubuntu only. If you are a Red Hat person, you pay for that, which is actually a lot of money, and that's only for your Red Hat systems, and then other distros have their own. So the only one that I'm aware of personally that is cross-distribution is TuxCare. But then the other side of this is that that's going to patch your kernel. If you want to patch, you know, shared libraries, you could still need a reboot, just because of a shared library, not because of a kernel. So live patching isn't always going to defeat the reboot for you. And then if you're like me and you really, really want live patching on desktops because you don't want to even reboot your computer, well, what happens when your NVIDIA driver gets updated and you kind of have to reboot, otherwise things are wonky? Live patching is great, but it's not as consistent as I would like it to be. It's more or less a very specific use case for it. I would say just use the free Canonical service if you're using Ubuntu. If not, just turn on unattended upgrades and schedule it to reboot while you're sleeping anyway, and that's probably the easiest way to solve it. Yeah, hopefully that covers that aspect of it.
You know, one thing I will say is the live patching is less of an issue to me, partly because, like even with my forum server, I think the reboot time... because, I mean, it's so fast. It's just something I think about. It's not like Windows where I go "oh man, I'm going to reboot the server, cross my fingers, it's going to take a long time." A lot of the Linux systems, especially the virtual machine instances for stuff I run, the reboot time is like 12 seconds, 13 seconds. It's so fast with modern systems, it's something I just think a lot less about, because by the time someone goes "I think there's a problem with Tom's forums," hits F5 a couple of times, "oh, never mind, it's back up and running."

Yeah, I mean, you could put a banner up or something like that if you wanted to: "the maintenance period is whatever the hour is," or something like that, and have it reboot then. I just don't see it as much as big of a deal. But I do think it's really weird that in 2021 rebooting after updates is still something that we have to do. I mean, if you were to ask me 10 years ago, I would have predicted that is not something we would be doing right now, that beyond kernel live patching we would be live patching all the things, or maybe things would be containerized so well that you could reboot them and nobody would notice, because one container takes over, you have some kind of load balancing that's easier and easy, approachable. But that's not what we have today. It's still a little chaotic. Live patching is a step in the right direction.
But I mean, it's just not perfect. It's good, but I wouldn't start shelling out money for it unless you have a business case, in my opinion.

Yeah. So the next one is interesting, and I think maybe we'll dive into this, because there are some questions we don't have answers to and there are some answers about this. "Which firewall should I use on Linux?" And I always, for, you know, a bunch of security examples, say UFW works great. It's easy to control, it's easy to manage. I know there are other ones out there, and I have not dove deep into them. I usually just go with what the distro recommends. But I know there are going to be people who have edge cases, use cases, that may exceed the capabilities and functionality of whatever's built in, which is why there are competing ones. Me and Jay have never really dove deep into why I would swap the firewall out to be a different one, because that's kind of what the bigger question is: which is the best one to use on my Linux distribution? The one you configure, though, and that you configure well, is going to be the most important one, because if you don't know something very well... and this is where people, I often find, get themselves in trouble, is when they don't know a product very well and they misconfigure it and leave things open. Yeah, that sometimes can cause quite a bit of controversy. And this is specifically talking about the firewalls on your Linux system itself. This isn't talking about using it as a gateway, using it as a router, but just that you should take the time to properly configure and think about the connections, especially if you're doing a secure server. And I'll give an example: the security I have on my servers, and this is how you can help prevent lateral movement. Several of my servers are on the same subnet, and what if one of those servers got cracked? What if someone got into one of them?
This would be terrible. But to prevent lateral movement, the servers actually aren't allowed to talk to each other, because there's not ever a reason that they are, and if there is a reason they are, or there's a specific thing you need to talk to, then there's an allow rule for only that other thing they need to talk to. For example, I have Syncthing on some of my servers to constantly be synchronizing data that's generated for off-site backups, so I have an allow for Syncthing. What they are not allowed to do, for example, because I use reverse proxies to control the web interface on them: if I'm running something or hosting something that talks to a reverse proxy, it is limited in scope by the firewalls to only talk to the proxy. That way, from a lateral movement standpoint, you can't go on one of my servers and talk to the web interface on an adjacent server, because what if there was some flaw in, you know, the web server version, and that's where you want to start your attack, trying to get to that login page? Well, you can't. You can't launch it from an internal server. So it's still important, most important I should say, to completely understand the firewall, have all the rules configured, and lock them down according to, you know, principles of least privilege. What does it need privileged access to? The reverse proxy. What else? Nothing. You know, for testing purposes I turned it off when I was trying to figure out why something wasn't working; then when you're done you lock them back down. So my advice for most of the firewalls, and maybe in a future topic we'll dive into this a little more, is just thinking about, when you lock down the server, does that port need to be available? You know, SSH is common on a local subnet, but does it need to be extended outside of there? Or are there specific machines that you are using for management?
Maybe you have a jump box, or maybe you're using something like a bastion setup, and the only thing it should talk to then is the bastion service. Now you've limited in scope the ways in; that's the methodology. So that's the most important takeaway from firewalls: they should be used to help limit the scope and access to something. I don't think it's as important, unless you're doing something really large-scale where you're concerned about it, to ask "well, should I swap out the simplistic UFW system that they have over here in Ubuntu with something more advanced?" Well, first you have to have a use case that exceeds what the current built-in system can do, because it is fairly robust. So that's kind of my opinion on it. What do you think, Jay?

Well, I agree with everything you said, and I'm also going to add to it that when we start talking about firewalls there are so many different angles that the person asking the question could be coming from, because everyone has his or her own reason for running a homelab. It could be because they want to get that certification, they want to work on learning something that they use at work, or maybe they just like it, maybe they're just having fun with this. So the question was asking, you know, iptables, ebtables, arptables, nftables, firewalld, UFW, about all these different things. Part of what makes that confusing is that some of those are front ends to the underlying firewall system. But the bigger question is, why are you interested in that? Because that really determines the answer. Because if you're just wanting to know which one is more secure, that's a different conversation than someone asking about "well, I heard Ubuntu is switching the underlying firewall system to something else in the next release and I just want to stay ahead of that," or it could be somebody that is just so fascinated by Linux they just want to learn these different technologies because they want to immerse themselves in Linux knowledge.
There are all kinds of different reasons, and that determines how we go about answering this question, because when I think about all these different firewall technologies, I generally tend to keep it simple. I did use to use iptables manually at one point, but then went to pfSense. So for me, I had my fill of learning it and I learned it fairly well. I was satisfied: okay, I'll just take pfSense going forward. But yeah, why do you want to learn it? That's why it's hard to cover all these, because even if we did a whole video about it, it's going to serve one subset of the audience that are using it for that reason, but then everyone else that's curious about firewalls for a completely different reason, they're not going to be satisfied by that episode. So it's really gray, because there are so many different technologies and there are different ways to approach it. But I do agree with you that it's all about: does your current solution fit your use case? Are you changing just because you want to try something new and learn something new? Or do you have any reason to feel that your current solution isn't good enough?
So that's just a big rabbit hole of a conversation, but I would just summarize it by agreeing with you: it depends on the use case and the capabilities of what you're using right now, whether or not it fits your needs.

Absolutely. The next question is about overlay networks. The overlay networks I've covered are ZeroTier, Nebula, and Tailscale, and overlay networks are a really interesting, and I think going to be, in the future, a very popular topic. I think overlay networks is the best name for them. They also title themselves software-defined networking, which it is, but SDN is a broad topic that means lots of things; overlay networks is a little bit more specific. Specifically, what the concept is: we have a network adapter on our system, therefore why don't we add another network adapter that creates another, overlay, network? And what this means is, and all of them work essentially on a very similar principle, you have this extra network adapter that shows up that's part of a network, but it's all part of a VPN-style network. So if me and Jay, who are completely in separate locations, decide we want to join an overlay network, we each have our main adapter's IP and then we have an IP that is in the same subnet, where me and Jay can share things as if we're on the same network, and then you start popping nodes everywhere. The nodes are independent of geography and location of where they are. That's the same premise, the way all these overlay networks work. It's a really great concept, because now instead of you having to establish a VPN, and that moves, and I'm at a different IP address for each one of these, the way it works is I can just move around any device anywhere, swap networks, and they all connect to some type of beaconing public server that determines where all of these devices are. So Nebula and all those are great tools to use. Nebula is fully open source. I've actually become friends with the developer of that.
I did a video on it. It's really cool. It's very, very DevOps focused. It's actually what they used to manage all the servers at Slack. So does it scale? Yes. Why was it invented? Because nothing scaled quite to the size that Slack as a company was. So talking with Ryan and the team that developed it was really cool, and that's what I based my video on. I just thought it was a great product. It's fully open source, so it's wonderful, but it's one of the harder ones. The other side, easier to use, is going to be Tailscale. Tailscale is super easy to use. The clients are open source, but the back end is closed source, that is, the web management portal. The same goes for ZeroTier: they have a series of open source clients, but the management platform, which you're not obligated to use by the way, is all done in a closed source type thing. So it's all something that's fun to play with. It's definitely a great concept in networking, and it really solves a lot of problems when it comes to just having devices everywhere. We've actually seen a lot of commercial use for things like this, where companies deploy lots of IoT devices and they just tie them all to an overlay network so they can monitor all the devices, see all the devices, communicate with them, and they don't have to deal with whatever happens: someone changed their internet provider, it doesn't matter; the IoT device went from network A to network B in the same company, a completely different subnet, doesn't matter. We always have the overlay network. So yeah, they're definitely really cool. They're a lot of fun to play with. Tailscale specifically, because it's pretty well funded, it's still kind of in startup mode. One of the things I recommend with Tailscale is look for their blog post on NAT. It is the best lesson in NAT traversal you'll ever get. It is probably the most singular place
I've seen something so well documented. They describe how they get around that and how they deal with NAT issues, and it's wild the level of detail they went into to describe all the different things of how NAT traversal works. It's actually a great education. That's something I like about Tailscale: they've dumped a lot of data out there that's just very educational for those of you who want to understand network engineering better, because it's all "problem we encountered, how we solved it," and you're like, I didn't know NAT could do that; I didn't know NAT traversal worked that way; oh, that's how UDP hole punching works. So it's actually kind of a fun dive into becoming a better network engineer as well. So those are my thoughts on overlay networks: big fan of them. I've actually done consulting with some VC firms that contacted me because they saw my videos on it, and they were like, you seem to know a little bit about this stuff. So I've actually had some projects where I consulted. They just want to know who to throw money at; that's my relationship with VC firms. "Hey Tom, we always want to know, is this a cool product or not?" The weirdest phone calls I get are those, but it was fun. I talk to them about it, and then I'm like, you guys watch my YouTube video on it, and I'm obviously excited about them. I think they're pretty cool.

Yeah, they are. I like them. I like overlay networks a lot too.
And I think it gives us capabilities that we didn't know we needed. In my opinion, when I first heard of this technology, I was like, well, that's how I thought networking works, until I figured out and learned how networking works, and it's not how it works. When I knew nothing about networking at all, when I was first starting, I kind of envisioned it like this, but it's not that. But it is easier for a lot of people. Like, at one point my son comes to me and wants to have his friends access the Minecraft server we use in the house. So here I am trying to set it up for public availability, which I did, and creating firewall rules to make it so that they can't do lateral movement, and that was a good hour project there. But nowadays it's like, hey, how can I have my friends play Minecraft with me? Oh yeah, just install ZeroTier and have them install the same thing, and I'll show them how to do it, and then I don't have to mess around with my firewall or anything like that. It just works. I think it's really great. I don't necessarily know if I can consider it software-defined networking, though. I think it does fit, but that's one of those terms. It's like DevOps, where you ask somebody "what is DevOps?" and ten different people give you ten different answers, right? Yeah, in my opinion, I think of overlay networks as a network abstraction, and software-defined networking as the virtualization layer of networking, where you have a cloud provider and you're creating a router or a firewall appliance that all exist in software; it's a software equivalent of an entire network layout in a company. Whereas overlay networks are kind of built on top of the network you already have, or run off of the network that you already have. So it's almost like a virtual second network card on your computer in addition to your main one.
Just to kind of paint that picture for someone, that's kind of how it works, and I really like the idea and the concept a lot. I do agree it's going to get even bigger, because I remember when the only way to do this was to pay AT&T or whoever something like 1,200 dollars a month. Yeah. And that was out of reach for everyone; we were all thinking, man, wouldn't it be nice if we had some kind of a WAN link between our two houses so we could just play LAN games or something like that? That'd be so cool, but we can't afford to do that. And now it's free and it's easy. I love that; I just love that about it. It's definitely one of the cooler features. We're going to see a lot more in it, I'm positive. 2022 will bring us more talk about that.

Now, something that's been around for a very long time, and I've never really brought it up as a topic, but Jay probably has more to say about it than I do, is RSS feeds. For the most part, the way we set up the podcast, we do offer RSS feeds. They're completely publicly available, we have the links on our site, and it's a convenient way to download and grab podcasts. And this is before really any news stream or any stream of information; I mean, this goes back to the Slashdot days. Well, Slashdot still exists, but it's not as popular as it was. But RSS has always been a really cool way to get this, and I used it back in the day of NNTP, or the newsgroups, because I'm old school, man. I've been on the internet since we used NNTP more than we used the World Wide Web. Well, that was my earlier days of doing it. I actually used Thunderbird for the longest time; I don't remember what I used before Thunderbird for RSS feeds.
I don't do as much with them as I used to; I think Jay still uses them a little bit more. But they are definitely a great way to aggregate a lot of information together from a multitude of sites without having to deal with those pesky people reading ads and things like that, because it kind of gives you all the consolidated headlines to pull in some of the articles and things like that. Matter of fact, I can date myself even more: I used to have an RSS tool that worked on my Palm Pilot in the earliest days of it. It was like RSS, a little bit different, but it would aggregate news sites, filter it, and pull it all into my Palm Pilot, because Palm Pilots didn't have the internet, but when you docked them, the application that pushed the data to them could pull it. It's the same kind of complexity to it, but it's really slick. But go ahead; I think you had a tool you're using that I hadn't heard of for managing RSS.

I do. I have to say, I absolutely adore RSS. It is one of my favorite things on earth, because it's just so great that you could have the news that you want to read fetched for you in one place, rather than, oh, I think I'm going to go to this website for this news and I'm going to go to this other website for this. You could have all those pulled into one source. And I feel really sad that RSS is not as popular. I don't think it ever truly hit mainstream; it kind of came close, though, because it was used a lot at one point, but it never hit mainstream, and it seems like the usage is going down, and I don't like that, because everyone now is just going on their smartphone and getting news that way, which is okay. The reason why I like RSS is because I can use a service that can synchronize, and I don't have to worry about, like when I was using Thunderbird for RSS, the issue would be, oh, I read the article on my desktop, but it doesn't show that I read it on the laptop.
I may not remember that I already read it; oh yeah, I already read that, and then I have to mark them all read manually, because they don't sync. I stopped using Thunderbird for that and started using something called Tiny Tiny RSS, which is a hosted app that you can use. You could throw it in a Linode instance, or a virtual machine, or a Raspberry Pi even, it doesn't matter. What you do is you visit it from a web browser on all of your computers and read your news. If you mark something read on one, any other computer you read your news on will also show it marked as read. If you star an article because you want to read it later, it'll be starred on all of them. And then you could hook it into desktop clients and phone clients; I have one on the phone that actually syncs to it as well. So regardless of where I am or what device I'm using, my read articles are synced. That's great, and that's why I love it.

Now, the reason why I haven't done a video on Tiny Tiny RSS is because I'm not sure if I want to. I mean, I do want to, but when I look at the community, and I'm not going to name names or anything like that, when I was looking up an answer to a question that I had, because I ran into a problem setting it up, and this has happened a few times where I'm googling for something, I'll often land on the Tiny Tiny RSS community for the product, and I see users getting outright attacked. A certain person, or one of the developers, is just so rude to everyone. That's why I never did a video on it, because if people have a problem, obviously they're going to ask in the comments or they're going to google it, and then they might actually see how rude the community is. I hope that's not the case now; it's been a number of months since I checked into this. But it's kind of turned me off of doing a video about it. At the same time, I really think that RSS needs a renaissance.
It needs to come back; we need to push it. It's so much more useful now than I think it ever was, or ever could have been in the past, if we would just give it another chance. I think it's actually a really amazing piece of technology. Yes, it's old, but sometimes the oldest technology will gain prominence. Look at ARM, for example: that's not a new platform, that's not a new technology, but everybody's talking about it as Intel continues to make people angry. Sometimes an older technology is exactly what we need in the present, and I think RSS is that. So maybe something else will come along and I'll talk about that in a video, or I'll find some way to do a video about something related to RSS. But I just love it. I just love synchronizing news, which is really important for a content creator, to keep track of read articles and unread articles, because I like to keep up to date, like I'm sure all of you guys do too. So I'll see if it can land in a video in some kind of way in the future.

Yeah, the last question, well, actually, no, there's two more. One of them, though, I want to address because I know there's been like two or three comments in the live stream that are all related to this: it's all about purchasing hardware for your home lab. So, thank you very much, Jeff from Craft Computing, for diving into this topic and explaining it. My answer is I don't really buy a lot of HP servers. Jeff does have some HP servers, and he has a long video where he explains which HP servers require licenses, which ones don't, and all the confusion around it. So I'm going to defer to him; if you just type in "Jeff Craft Computing HP server," you'll find it.
It's really easy to find. I've always avoided HP servers because some of them, they've decided to hide some of the software updates behind paywalls. The other thing weird about HP servers is I've noticed a lot of them take forever, an inordinate amount of time, with blank screens from the time you turn them on until the time something happens, or they sit at what you think is a locked-up iLO screen, iLO being the lights-out management tool, and it just sits there chilling for a little while. I've never been a fan of HP servers because of that. Dell, on the other hand, is easy to find parts for. I'm not saying Dell's not quirky; I'm saying Dell is very predictably quirky. I know exactly what to get and it's easy to find on eBay; it's easy to find parts for them. Dell's model number tracking: go in there and drop in the service tag number and know everything about that server. Dell's kind of my go-to, and also Supermicro. Specifically, there's a site; I'm going to double check before I make this claim, LabGopher, and make sure this site is still up and running. Yes, it is. labgopher.com is a site for perusing eBay and organizing, instead of having to search through descriptions; it'll help narrow down different things that are for sale on there. So eBay is still for your budget-minded, not production, "I want to buy something used and use it." For that, I'll recommend one of the refurbishing companies, such as Tech Supply Direct; we've used them many times in the past.
I've talked about them on my channel. But if you're looking for a budget home lab, "I'm just getting started," obviously if you can find someone local so you can save on shipping, awesome. That's not an option for everybody; not everybody's lucky enough to have a recycling company within a few miles of their house so they can go grab stuff. But if you go on eBay and you type in things like, well, someone specifically earlier in here asked about buying a NAS server, so if you type in "FreeNAS" or "TrueNAS" in eBay, you'll find a lot of companies, and one of them is going to be UNIX Surplus. They have lots of stuff that's already figured out for you, that has compatible hardware for TrueNAS, because they know what works with TrueNAS. They know who they're selling this to: they're selling to someone who wants to build a NAS. And by the way, if it's compatible with TrueNAS, it's probably compatible with many other NAS software, because it means that the system is set up as a JBOD, just a bunch of disks, and is able to pass through and give control to the operating system. So actually search for what you're looking for. I haven't looked in a while; there might even be someone posting XCP-ng type stuff. The good thing about XCP-ng, though, if you're looking to build a hypervisor with that, is if you go to the HCL, the hardware compatibility list for Citrix XenServer, there's a list of servers that are supported. They'll have general models from Dell, HP and other companies that will also help you with compatibility, so you know that it's there. My word to the wise, specifically for the XCP-ng folks, is if it says Broadcom, expect to replace that network interface. Broadcom is among the worst of the network offenders. I have people asking me really strange questions like, hey, I get really slow performance, what can I do for Broadcom? I send them to a thread
I have in the XCP-ng forums on this, and they go, yeah, but what can I do to tune it? And I'm like, please note that thread is all about why even the tuning parameters don't work with those. Intel network cards are generally your friend. I believe Mellanox are right up there too for being friendly for both NAS and hypervisor storage. And the same goes for VMware: there's a compatibility list for those of you that are doing stuff in VMware. I don't know, does Proxmox have a hardware compatibility list, or is it Debian and it's just as happy on most things?

They might have a compatibility list, but I've always focused on the fact that it's Debian, and Debian is Debian. The nice thing is that "Debian is Debian" kind of answers a lot of it; Debian is relatively robust when it comes to compatibility. So yeah.

So on my end, I have some random tips here about this, some of which I mentioned before, but I think at this point we've got a lot of new people in our audience, so I should summarize this again just to make sure I get these points across, because I've learned some lessons the hard way. The first thing is to use what you have. If you have a desktop in your closet, it doesn't cost you any money to pull it out; it doesn't cost you anything but your time to pull it out and install something on it, install Linux on it. If you're never going to use it anyway, I mean, why not at least try? Yes, it might be old; yes, it might be slow and it might not be that great, but it's just sitting there. Why not give it a shot? You might be surprised; you might actually get some good performance out of it. Maybe that could be a server.
Maybe it only has two gigs of RAM. Okay, that's not great for a hypervisor, but it might be good for a hypervisor if you're running nothing but containers; you could actually get more out of it that way. So you can make good use of the hardware that you have. The second thing is, if you need or want to buy something, never do it out of impulse. And I'm using myself as an example here, because I do this all the time and I never learn my own lesson. Don't be like me. I get it in my head, like, I want to do a thing, I'm going to do that thing today, it's happening today. I will obsess over it; it's going to happen no matter what. All the way to the point where, on a Saturday morning when most stores are closed, I'm like, I need another server today, I need one today and I'm going to get one. And the next thing I know, the only store that's open is this really cool server store, I forgot the name of it, in Sylvania, Ohio. So here I am driving on a Saturday, I don't know if it's one hour or two hours away, just to go to Sylvania, Ohio, the only place that's open that sells servers second hand. And I go there to buy a server; I come out with like three of them, because they just have Dell PowerEdge servers in bulk, and they're really good servers, and I got a really good deal on them. But what I didn't know is that these particular servers are very power hungry and they're very loud. I didn't do any research. They did serve the purpose I bought them for, but my electric bill went up a little bit, and that's one mistake I made there.
Before I went to that store, I should have already known which models had lower power usage, and I would have bought those instead. But I just wanted something right now, and that's not how you should do it. So know how much your power bill is, or the electric cost in your area, because you could live in an area where electricity is dirt cheap, or you could be like someone in Hawaii, actually, where I've heard that it's very expensive. So if you buy a power-hungry server and you live in a place that doesn't have cheap electricity, that's a problem. Know that going into it. Also know, if you have a small apartment or something and you don't really have a data closet, that something's going to be kind of out in the open and there's no way around it, then you probably want to research which servers are quieter versus louder. So those are some things that you want to keep in mind. Generally speaking, look for lower-power-usage CPUs if that matters to you. But then again, if it's just going to go in a closet and electricity is dirt cheap, then it's fine; you just get whatever works. So those are some of my tips there: never buy on impulse, use what you have, pay attention to power usage, and just take your time and do some research first. I know you're eager to get started, and I'm sure nobody is as impulsive as I am. Just take your time.

Yes, and it's not easy. There's so much research you can do into it, and you can then end up with analysis paralysis, for sure, when you're doing it.

Yes, so true. One last thing I'll leave the audience with on this question is have a look at the Dell Precision desktops. Yes, I know they're not servers technically, but anything is a server if it's serving something, right?
Some of these Precision desktops, I forgot which model, I want to say the T6600, but don't quote me on that; you'll definitely need to google this and fact-check me on this. They have some desktops that are for engineers, meaning that they have some Xeon processors in these, and they're not your normal desktop, but they're often cheap because they were just sold a lot. You could probably get one, at least before the pandemic, for like a hundred US dollars, and you have like a 12-core Xeon or something, or more. And they have low power usage, which is actually great, and there's nothing wrong with using a desktop. So have a look at those too, because you'd be surprised: those Dell Precision towers, depending on the model, could be resource friendly and they could also be very cheap.

Absolutely. Now the final question we have is something I don't know if it's going to be a show topic, but maybe at some point it's worth diving into, for sure. What we have here is "how to: a whole explainer on certs" is what someone asked. And if you google this you can find some visuals; it says "what is the certificate chain of trust," so put that in parentheses. There's a few different explainers I've seen that show up pretty near the top of the search results for that. But your certificate chain of trust is the root certificate, combined with your intermediary certificates, then with your end-entity certificates, and essentially it's sometimes confusing why something trusts something. Let's Encrypt has made this a lot easier. It's one of my favorite tools to use for setting up reverse proxies, because yes, they offer wildcard certificates, and they allow you to create these chains of trust. Now, this all starts with, though: how does your browser know to trust something? What is a self-signed certificate? So, a lot of things to say. We set up my TrueNAS server.
It has a self-signed certificate. Well, that's no fun; it's going to give me that stupid "do you wish to proceed, click here" error that you're going to get. So how does something know it trusts it? Well, it starts with: they have a root certificate, and then we're going to use Let's Encrypt, which is part of the intermediary. And Let's Encrypt has to do some validation. The root certs are really a narrow group. Unfortunately, that group has gotten big over time, but sometimes they fall out. What was that one, the incident with the Hong Kong Post? I believe that is one of the old security incidents; remember that? Yeah, that was on Steve Gibson's podcast. Steve Gibson covers that; if you search "Gibson Hong Kong Post," I think you'll find a podcast where he dives into what happens when too many things get in the root trust. But the root trust is a very narrow number of companies that we all hope are behaving properly, and they offer the first level. And that has to start with their root stores being within your, let's say we're going to use browsers as an example here, but this actually works for software as well. So once you have these root certificates on anything, we have these in common, they don't change much; then they have granted a level to the intermediaries, and then the intermediaries grant you, and specifically let's talk about Let's Encrypt, the ability to have certificates on things that they verified you own. Let's Encrypt can verify in different ways that you own a particular domain, or that you can do what they refer to as a DNS challenge response. So there's kind of a lot that goes into it.
Maybe it's worth doing as a show topic. It's just a really hard thing, and Steve Gibson does have some episodes on this. It's a harder thing to do as a podcast, but I think it's a very worthwhile use of your time to understand how all these different certificate chains of trust work.

Yeah, I think it's probably good for a video with a diagram or a flowchart or something on there.

Yeah, and that's why I said if you google "what is the certificate chain of trust," there's a lot of visual elements that you'll find coming up as part of the explainers they have for how these work. Now, this also does apply to software, and it's one of the things that breaks up a little bit of confusion, because, for example, Linux packaging has to be signed in order to be installed, and that can create confusion, obviously. Because at first, in the early days of Linux, I was like, what do you mean? This is all transported over HTTP; how do I know that someone doesn't man-in-the-middle my package updates and drop something in? Well, once again, even software is using this chain of trust, and there's a root store on Debian or Ubuntu and other distributions as well, to verify that these packages were compiled with a certificate. So this goes into the way software is done. There's a lot based on that; there's a lot of writing on this, I should say. So I want to at least give you the resource so you can start diving into it deeper. I don't know if it's something I'll be articulate enough to put together an episode on in an audio format, but it is maybe something me or Jay will sit down and cover well. Well, we'll cover it in a topic. Sorry, I'm laughing: "yes" is how I'm going to reply to my staff. They just asked in my live stream about buying lunch. That is awesome. I'm in a live stream, so they posted it as a question, live, whether or not I would like lunch. So, yay. I would too, actually. No, I'm kidding.
So I'm glad this question was brought up, because it is the token home lab problem. If there was ever some kind of preconceived notion about what a home labber is like, this is totally it. I have to think about this from the humorous level, right? Because obviously if you go to a very popular online store and you get a message that says "are you sure you want to trust this site?", you're probably not going to spend your money there, because why would you do that? There obviously is some kind of an issue there, and you don't want your credit card information in the clear, obviously. But in the home lab, I mean, if you have everything behind your firewall, it's not remotely accessible, and the worst thing you have to do is click the ignore button in your browser to get to your web app that's inside your network. It takes you all of one or two seconds to click that ignore button. But us home lab people, we hate that. As easy as it is to click that ignore button, we can't stand the fact that it comes up. We can't stand the red X or whatever in the address bar; it drives us batty for no reason. The world goes on; the world is totally happy with or without you having SSL in your LAN. But we really kind of hyper-focus on these small details, and I'm not trying to make it seem like this isn't really a big deal, because to us it kind of is, because we want to do things the right way, even if doing it the right way is more work than just ignoring the problem. I think it's really cool that we have that mindset, because it just shows how passionate we are about home lab, and I love the fact that people are actually worrying about this. And the people that worry about it in their home lab are the same people that, if they're not already employed professionally in IT, when they do become professionally employed, they'll tell their employer,
"That's a bad idea. You're going to get owned if you do your certs like that. I know, because I do it in my home lab." "What's a home lab?" "Trust me, you don't want to do that thing; it's a bad thing and it's going to have problems." Because you're finding these things out as you build your own home lab, and it's just a really cool thing to walk through. Maybe we'll do an episode about it; maybe we'll do a video about it. We probably should do something at some point, so stay tuned.

Yeah, I do know my videos on HAProxy are quite popular, and the reason I did them is I knew this was just something that is really probably even more targeted at home lab, because it's not as many businesses we have using HAProxy. It's more something for a bunch of people internally; most of the businesses are going to have commercial applications that are hosted in whatever web environments, and they have certificates and management for all of that. Of course, one thing I admit to being agitated by is the number of different systems we run into that don't use Let's Encrypt, that still require us to buy certs, because they only offer that as a process, which has always annoyed me. So I wish there was more of it in the business world. I've been puzzled by why some of them don't just embrace the world of Let's Encrypt. They just have an archaic way of doing it; they force you to use whatever certificate authority they choose, and that's just the end of the story for them.

How much do you want to bet that those companies that don't get with the program and adopt Let's Encrypt are probably still using Internet Explorer 6?

Oh god, yes, they are. I would complain more about them, but they're the least of my problems; the rest of them all have to do with the archaic nature and terrible user interface. We have plenty of other obstacles with commercial software to overcome. But I also see the other side of it. One of my clients, one of the
software packages they use is for carpet management, would be an example. And it's really hard, because there's a lot of carpet companies out there that are selling carpet, but there's not that many companies that bother writing software, and there's probably not too many startups that go, you know what, I'm going to solve this in the industry; these carpet companies need a better tool. It's a lot to start writing some of these tools. So that's definitely something; I won't get too far off topic, but there's some challenges with commercial software.

There really is. But, just as kind of a humorous side note, when companies don't get with the program, it's like, do you want to work for those companies? Because you're not going to learn the IT stuff you want to learn. I mean, I think some good metrics to use for whether or not you should work for a company are: if the CTO uses the term "MapQuest" as a verb for asking their secretary to print driving directions, probably not a tech-focused company; if Internet Explorer is still used, probably not a good tech company to work for. No judgment, just saying, trying to keep everybody safe from anxiety. There's some pretty simple ways to know that a company doesn't take technology seriously, and not being on board with Let's Encrypt means that they probably just don't like it because it's free, and free is bad, because some companies are that way. There's all kinds of mindsets out there. But that's why we do home lab, because we know better. We want to learn the right way to do things and learn how things actually work, and that's one of the reasons why we do what we do.

So this kind of goes back to the firewall question. Someone asked the question: what is more secure, servers on one network but blocked by a firewall from talking to each other, or servers on different VLANs? Well, if you're on a local subnet, the firewall, as in, if you're
using pfSense, just as an example, but whatever your firewall software, it's managing the interconnections between VLANs. VLANs are also subnets. If in your server environment you have four or five servers on the same subnet, it doesn't go through the firewall; you're going to rely on the firewall for each individual server. So which is better, putting them on separate subnets? Well, if you put them on separate subnets, you increase the distance between them, because now, unless the threat actor who gets a hold of a server has awareness to even look at those other subnets, it technically might be more secure, because there's nothing else on that subnet. The likelihood of them finding something on a subnet, if you also have it locked down, is less. I mean, there's ways you can find it, depending on how much they dig into it. So obviously separate subnets is going to be a little bit higher level of security, not substantially, not night and day, but there's another level there, depending on how firewalled-off you have the server. If you have the server wide open just because it's on that subnet, well, lateral movement becomes a little bit easier if there's a flaw they can exploit and gain privilege. But overall it becomes impractical, because this is where the question usually goes: yeah, sure, if you're only setting up two or three servers, put them on a separate subnet from each other; that's fine. When you deal with companies that have 70, 80, 90 servers, creating a different subnet for everything becomes a bit of a management problem; it becomes impractical to manage at large scales. So it's kind of just figuring it out. I've had people tell me that everything should be 100 percent separate, but it also sometimes creates its own challenges. So you kind of figure out the balance of what's the risk factor there.
Silo them off with principles of least privilege so they don't just talk to each other ad hoc unless there's some need for them to talk to each other, and go from there. You just do the best you can. There's not anything that will 100% guarantee security, but at least put some effort towards it, because you're going to make it harder, and it doesn't take much effort, you'll find, a lot of times. And we can go back all the way to Equifax. Equifax was one exposed external server that was on the same subnet as other servers. Then they, you know, started with Apache Struts, but then they were able to leverage lateral movement because once they pivoted into the network, all the servers could talk to each other. So they really didn't have anything, it sounded like from my understanding of the debrief, that stopped you from laterally moving between servers. So yeah, that's an example of how not to do it.

That's exactly right. I think when it comes to networking, don't try to do too much at once; you will just create more work and frustration for yourself. For example, if you draw up a plan where you want 10 different VLANs for your stuff and you're just starting out with networking, please don't do that. Create one VLAN. Okay? Just create one for one purpose, and implement that one VLAN, and take pride in yourself after accomplishing that. Don't try to promise yourself you're going to do, like, all these different things all at once. Start small, build yourself up. Okay, I want to learn VLANs; I'm going to create one VLAN. A good way to do that, in a good, you know, use case, is your IoT devices. That's a perfect thing to start with, because you could create a VLAN just for that, and that alone, and that's it. And then you start understanding how VLANs and subnets work, and at that point you might say to yourself, "Hmm,
maybe I might want my streaming media devices to be on a different VLAN." With that, you know, the broadcast domain is smaller, so maybe that would be less interference on my network if I segregated that a certain kind of way. Then you walk through the use case and add more to it. I think that's the best way to do that. Just don't, you know, bite off more than you can chew at first.

And also, when it comes to VLANs and subnets, um, the way I think about it, depending on the firewall software (everyone's different depending on what the defaults are), but if I was on your system and, you know, I hacked into your network and I'm just doing, like, an IP lookup, I want to know all the IP addresses you have, and I see, oh, it's a /24 network and you have like 100 devices. But wait a minute, the default gateway has a different IP address scheme than the rest. Hmm, let me interrogate that. Then I go into that, and then from there find all your other networks. It's not going to take me too much time, and the lateral movement will be easy because the routing tables are often built, like, automatically. And that's great, because you don't want to have to, like, build your routing table manually every single time you add a new network. You know, typically TCP/IP figures that out. But there's nothing stopping you from just going wherever you want to go as long as you're able to access the gateway. Um, but the firewall typically is what stops you from moving from one VLAN to another, because in the firewall you could say this VLAN is for desktop computers and that's all it's for, and my IoT VLAN should not be able to talk to my desktops. It can get out to the internet, but no, you know, no lateral movement there. Then you could start using firewalls to really kind of dial down how to access things. But don't go, like you said, so crazy that you're creating a VLAN for every server. That's just insane. Don't do that.
Yeah, it becomes a little impractical. And, uh, maybe a non-popular opinion, but your phone's an IoT device. This is a thing that comes up a lot. Uh, think about this from your standpoint. Your phone: one, you probably already have your own distrust of builders made by Apple or Google. Those are pretty much the two predominant ones that are going to be the majority of what people are using. Your phone is also designed to be in hostile environments, because, well, you wander around with it. And I know ideally guest networks on every open Wi-Fi should be isolated, but I know the reality of them not being. So your phone's kind of been expected to be on a hostile network. What I run into is a lot of people that go, "Hey, I want my phone on my secure super-secret network, but it needs to talk to my IoT devices because, get my Chromecast (or insert the name of your favorite streaming device) working." And my answer is just, your phone belongs in the IoT world. If you wanted to have direct communication with all those IoT devices, it's an IoT device. I can't really think of reasons they'd want my phone on, you know, the non-IoT. I just leave it over there. To me, it's an IoT device. That's how it talks to my Chromecast. It's my desktop, it's my more private applications that I'll keep locked down. So those are my thoughts on that, just to throw that out there for a common question I get over and over again: "Tom, why is your phone on IoT? I need to lock my phone on a separate secure network." I'm like, do you ever use public Wi-Fi? I mean, a lot of phones will auto-connect to it.
It's just, phones, generally speaking, don't have ports open. So, right, and it's literally, like, the biggest rabbit hole of homelab, in my opinion, to get into, that becomes very frustrating. Like, you come up with this awesome network plan and you find all these edge cases. For example, um, if you have a media network for all your, you know, Rokus and things like that for your streaming video and things, and you have an IoT network for all your smart plugs and whatnot, then you think about it: wait a minute, my phone is an IoT device, but I also want to stream media as well. So do I consider my phone a media device, an IoT device? And my desktop, I want to, you know, cast to the TV sometimes, but my desktop is in the desktop VLAN. The Chromecast is in the IoT VLAN, or the media VLAN. So now I have to create some edge cases here, and some devices could actually be considered different things. And that's when, just like, oh my gosh, what did I get myself into? And you have to really try to attack these problems. But to some of us they're fun problems to solve. But that is the biggest rabbit hole of homelab, in my opinion.

Yeah, it definitely is one of those things that people, they overcomplicate themselves to the point of detriment, but it's also, I think, a learning experience to do so. Because if you work in hospitals (we work with... probably an easy example), a lot of their networks are divided out, and they throw the doctors, you know, their phones, everything, into an IoT network that they're like, "Yeah, please don't put patient data on it.
And by the way, you're on this network." The only devices, if they do have some (some hospitals are a little bit more advanced), they do have some different tablets that will be connected to a secure network, but they're also not allowed to do any type of web browsing; they use some type of kiosk-style application. I know when I go to the doctor, I think it's cool that they have it, because at my check-in they hand me a tablet and I get to just touch buttons, and it makes it so easy to check in. I actually like it.

I like it too. It feels advanced. I just swipe around, type in a few pieces of information; it's pre-filled out with some of my info in it. "And how are you feeling today, Mr. Lawrence?" Here we go.

Yeah, it's like my hand has no resilience for holding a pen anymore. Like, I type everything. I rarely... I get anxious when I have to, you know, fill out a stack of paperwork. I'm thinking, really, it's 2021, why am I filling out a stack of paperwork? And just before I even get halfway through the first page my hand hurts. But I could type like crazy. I think it's like I'm losing it, like, I could still write, obviously, I lost... and I don't read anything. Honestly, one more, it hurts.

It does. And one more thing I'll mention, to wrap this show up, is someone says, you know, you can also use OpenVPN on your phone. You can even use this with WireGuard, OpenVPN.
You can use this inside your local network. There's one option. Or what might be even simpler is, if your phone needs access to something, like you need to be able to copy files back and forth, the overlay networks like ZeroTier, for example, do work on your phone, and actually so does Nebula, and I think Tailscale. I'm pretty sure. I have a phone... I have it too. But yeah, the overlay network option on your phone is another option where you can create a limited scope, or you can say, hey, here's my NAS server that is on a secure network, and I want my phone to specifically have limited access so I can transfer photos from my phone to my NAS without having to put your phone on the other network. It's an IoT device with limited access via one of those overlay networks to that. So just our thought on what you can do on there. So how about an SSH jump box on a Raspberry Pi?

There you go, SSH jump box, that was mentioned in here as well. So you can SSH to it. So hopefully that clears that up. Oh, I think this person may have asked this before, but recommended homelab switches with good VLAN support: there's a reason we have an episode just on UniFi. UniFi is wildly popular in a homelab. I think it's a great product for not only the homelab but for a lot of the small business networks; it's one of the easiest ones to manage VLANs, hands down. If you like something a little bit cheaper but also with some more complexities, you can look at MikroTik. What you save in money you're going to pay in time learning it. Maybe you like their interface; I don't care for it much, but it's functional, you can get things done once you get over the learning curve. The Netgears are a popular choice. One of the challenges across them, and a video I'm actually going to work on at some point, is just showing all the interfaces to like five different switches and having people scratch their head going, why do they all implement everything differently?
Welcome to switch world, where, no, there's not an absolute consistency. The only consistency that I'll mention, as a runner-up if you're also budget-minded, is TP-Link. I've done a review on them. I've never used TP-Link and don't know if I would in a commercial environment, but, uh, TP-Link just copy-pasted the UI from Ubiquiti. It's as simple as that. I even make that comment and show them side by side. It's unbelievable how much TP-Link looks like UniFi. So both of them share an ease of use when it comes to deploying VLANs with just doing pull-downs instead of... It's not that it's hard; it's figuring out the nuance of how to tag and untag ports. Great, if you're going into network engineering, it takes time to learn it, highly recommended. If you're going, "I just want some VLANs and need to get some things working so I have, you know, another project I'm already done with," having a pull-down and just putting a VLAN on a port through a web interface is way easier than dealing with the tagging, untagging, and grasping all those concepts. So I've covered both. If you look it up, I have a video I did on MikroTik and their SwOS. I have a video I did on Edge and their EdgeOS, which is another Ubiquiti product, to show how VLANs are done. So yeah, it's, uh, a challenge. And someone did ask, and the answer is yes, TP-Link is a Chinese company, so use at your own risk. There's some fuzziness that I will completely be upfront about. We just don't know when they produce your software. By the way, none of it's open source. So all of it's kind of use at your own risk. On that, open source switches? It's a pipe dream. They kind of exist. I don't know where we're at with that in the world. Not, not at a production level.
That's, um, I mean it is oddly... there's open source at the enterprise level of switches. There's less open source in the... There you can actually build a switch out of a few different open source products. That's a little bit more complicated, and most of the equipment, other than buying it used on eBay, is not as budget-oriented. So that'll send us on a different rabbit hole.

Yeah, or you could just get, like, a, you know, Debian desktop with a bunch of PCI Express slots and gigabit NICs and then just, you know, make your own switch, essentially. Um, and if you really want to go down that rabbit hole... So technically, yeah, an open source switch does exist. Install Debian or some kind of Linux on a device and, you know, have fun. Um, but it's going to be a little frustrating.

Yeah. Yep, yep, yep. So definitely, um, yeah, dust off those CCNA manuals, as someone said in there, for sure. Uh, oh, one last question. How do VPNs... I have a VPN versus, um, like ZeroTier. I'd break down the comparisons of how they're alike and how they're different. So I've broken those down. It's just completely... it's a different architectural design. And I've got, if you look for overlay networks and Nebula on my channel, I've got diagrams to kind of break down the different use cases and how they connect. So hopefully that answers that. So yeah.

All right, um, I think that's it. The, um... seeing any... I, God, this one I will... One last, one last, one last one. I will say this because I do have to go, but the single sign-on solutions for homelab: I don't think there's anything great out there. I know C2 Identity, which is the Synology product, is trying to come up with some stuff. I know the popular ones: Google offers single sign-on to lots of applications. Um, obviously Microsoft, the elephant in the room.
There are plenty of other, you know, commercial solutions out there, but I don't know if any of them are easy solutions for home users to implement. There's not really a great one, and I don't expect one to be there anytime soon for identity management. I mean, you can do some stuff on Synologys for it, but yeah, that's, uh, I don't know. There's no easy... I wish it was a better answer, uh, for central identity management. Synology has some stuff out there, but it's kind of proprietary Synology. Everyone, someone's pointing out, like, FreeIPA, FreeRADIUS, and all these different tools you can tie together, but none of them, even in a Linux world, they're not smooth. Would you agree with that, Jay?

Yeah, I would. It's just one of those things where you have to understand that even in corporate IT this is problematic and not very straightforward. And it might seem that it's straightforward because, you know, if you work at a company and you have a single sign-on, you're like, wow, this is cool. But you don't know how many edge cases, quirks, custom tweaks, and things went into that behind the scenes that you may not have been there for when they were designing it. And I have been, in, you know, a couple of times, responsible for implementing this at companies. I'm telling you, there are a lot of edge cases here. So it might look like it's something that we have because, you know, the administrators did their due diligence in setting it up. But you are really asking for a rabbit hole at that point, because you could set up your own LDAP server and try to set up roaming profiles, which is not always going to work well, especially with permissions. And you're going to have some apps that are just not going to tie into that anyway, that you have to implement something for. It's doable, but how important is it to you, and how much time do you have?

Yeah. Yeah, there's not anything I've seen that's beautifully turnkey.
There are a bunch of other projects out there. Someone's probably gonna throw them in the comments. I know some exist. As I said, "beautiful and turnkey," there's a qualifier in there. It's not that they don't exist at all; they don't exist in the most usable formats. That's probably the best way to say it.

So I would actually say that turnkey does exist on the side of the SSO solution, but the apps that you're tying into it are where you fall into a problem. Because I would use something like (I forgot the name of this one) where it would say "this app is supported," and it was actually LastPass in this example, for the company. I'm not saying LastPass to be popular here, but it's just an example where, oh, it's supported, great, so I'll have a single sign-on. No, it's supported in the sense that we have an icon for it, and you could put the icon on the thing. Um, that's it. It's actually not supported, and then you'll be manually creating users anyway. And then some of my... my personal favorite is when it is fully supported, or so you think, and you create a user on one and then the app works, they can log in, but then it doesn't support deleting an account from that app. So if you delete an account, then you'll have hanging accounts. But they don't tell you this when they're selling you a solution for SSO. "Yes, we support all these apps." Support? What kind of support are we talking about? Having just the ability to put an icon on a screen, in my opinion, doesn't constitute support. And then you run into the edge cases based on the applications. That's where you really run into a problem. Um, there are just varying levels of support for things, and it's not going to be as consistent as you want it, even in its most perfect form. So just keep that in mind.

Yep, all right. And, uh, I think that's it. I mean, I'm positive we could go on forever.
Um, but we don't have forever to go on.

I would go on for another hour if I could, believe me.

Yeah. Oh, uh, I will add one last thing. I'm just going to, as a statement: so we did our last episode on SSH keys. We didn't mention this, but for those of you that created your keys without passwords, yes is the answer to "can you add a password to an existing SSH key?" Look up "change password on an SSH key," and it's the same process, but if there's no password, the changing of the password is actually the adding of a password. So you don't actually have to rekey everything to do that. I just wanted to bring it up from our last show. Um, someone had asked me and I was like, I didn't know the answer, and Jay says, "I don't know either," but it turns out, what we, uh... you can just simply add a password to your existing keys. So hopefully that, um, helps with anyone who's trying to follow our guidelines of yes, you should have a password on SSH keys. But if you didn't, don't worry. If you have 200 systems with your key in them, before you start replacing all of that key, you can change the private key to add a password. So...

Yeah, one last thing I'll mention on my end. This is it for me. Someone brought up, you know, SSO or federation: it's not the same thing, and I agree. And I know that sometimes I keep the explanation a little short, but sometimes things are assumed. You know, someone's asking about SSO, but they're also talking about account creation. They kind of assume that everything is related even when it's not. One's for logging in, and then you have another service to sync your accounts. But you still run into a problem no matter what, where, you know, you lock down a user account, but for some reason they could still access the app. Why? Well, there are edge cases no matter which way you look at it. And some features that aren't related in a specific technology are assumed when someone wants to have a solution. They're really wanting all the things all at once.
Um, so there's just so much to it. Again, what's your time worth?

Yeah. Right. All right, well, thanks again to everyone who joined us for this episode. Please hit our website, thehomelab.show, so you can contact us there, send the questions, get them all compiled. We love doing these Q&A episodes, and, uh, we'll see you next time. And are we recording next week, Jay?

I think we said yes. I think so. Yeah, I'm pretty sure. Yep, it falls on a Wednesday. It's in between the holidays, but, uh, you know, talking on a podcast is... can we even call this a job? No, it's just a hobby that happens to work out well.

Yeah, the hobby that works out well. So yeah, we'll continue our hobby that works out well at 11 EST on Wednesday next week. So thank you very much to everyone who joined. Awesome. Hit that like button, subscribe button, or if you're... you'll see a podcast, just leave us a review somewhere, and much appreciated. Thanks. Yep.