Yay, you are live. Welcome to the vlog. This is number 329. What a beautiful day it is. It's actually nice out, so I decided to do the vlog earlier because I'm gonna leave the basement, but it's actually... I'm late, as I left the basement studio that I record in to go outside and then realized, oh, that's right, I gotta go back inside and do a thing. I could have done it from outside, I've done it before, but I wasn't ready for that quite today. I didn't have everything set up. But we're gonna talk about a couple things today: zero trust, defining it. I realize a lot of people define it based on the words, and I don't like the term zero trust at all. I understand the goal as defined by NIST, and we'll talk about that, but I don't like it as a marketing term. It bothers me, and there's so many people that, I mean, logically, I'm not blaming people for this, it's the naming problem. Logically, it seems like it means you should trust no one, because zero trust, but it's defined a little differently. So anyways, I'll ramble on about that in a moment. Where I'm gonna be and when: I like to bring that up here at the beginning for those wondering where you can run into me or something. Where is that gonna be? We'll throw that first one up here because it's only 16 days away for MSPGeekCon. So I'm pretty excited about that. I'm geeked about it. MSPGeekCon, I'm gonna be speaking at it. That wasn't official before; it's, I guess, official now. I believe that's been announced. If not, it's been announced now. So that I'm excited about. So 16 days, I'll be there, and then I'm gonna be speaking with my friend Jason Slagle over at IT Nation Secure 2023. So me, him, and Cyber Mantley, we're all doing a talk Jason had helped put together. So that's exciting for sure. Those two things I've got going on there. Let's jump into some feedback real quick.
So I think there was some feedback. I like the feedback I get from people. All right, this one made no sense, so I can't understand what they're asking. Ah, this one, and I see the person who asked is in here. I don't know; I've not really looked at what the best recommendation is for 4G/5G. It's kind of a hodgepodge. A lot of our clients locally here in Detroit, or even outside of Detroit, many of them have two different internet providers. So when it comes to backup internet, we're not always installing cellular. It's not that many of them. We have clients that have, I believe, a handful of Peplink ones. Those are really popular. I don't have any particular preference. I know one of our clients, or maybe more, at least one, maybe more, have Starlink as a backup internet connection. I had a company that had site-to-site from a WISP; the WISP broadcasts over to them because they were right within their range, but then their primary provider was just Comcast. So I don't have any particular love or preference for any one brand or whatnot. And I don't know that there's a lot of value in reviewing them. It's kind of a niche thing, and I don't know that that would get a bunch of reviews, and they're also very subjective to the area they're in. Depending on where you are... I was actually aggravated because my phone was so slow when I traveled somewhere. My phone was just at a crawl every time I tried to download anything. It works fine here in Detroit. I was just trying to download some podcasts, and I'm like, it says they have 5G.
I'm in a city, I've got all the bars. So of course it may have been just that time when I was stopped and traveling through there that there was a problem. So it's really hard to try to review those to see what the consistent speed is over time unless you used them. But then if I used them and I bought four of them and set them up here, now you know what works in this area where I'm at, not how it will work in the area you're at over time. So yeah, fun stuff. Do I have any more? What else was there? Oh, I'll see. Someone wants to know about the Netgate 8200 and the crypto support in there. So that's listed on their page, what it supports. I guess I don't understand, but if you look at the Netgate 8200, they have all the crypto that they support listed on here. I believe it's in all the specs. Oh, where's the crypto support? That's why I didn't understand the question you were asking, what it supported. So hopefully this answers that person's question. Yeah, this has QAT crypto in it, specifically the chip that it has, because it's got an Intel Atom with QAT. So AES and QAT, especially. If "watchdog" is supported, I don't understand what that means. That's the question they asked. Maybe that person's here and can answer what watchdog is. Yeah, why not just log in to our pfSense real quick and I'll look, because we have an 8200 of mine that I can log into whenever I want. What does it say? Because it says go to System > Advanced. System, Advanced, we'll go to the Miscellaneous tab, and we'll share this tab with everybody. So this part I can share. We'll scroll down, and you can see what's in here. So I don't know; there's AES, QAT, BSD crypto dev, and I don't know what watchdog is, because it says, do they have watchdog? So watchdog is not in here. So I guess that would answer the question: watchdog's not supported. So, have you tried running XCP-ng and a coat on for Protectli boxes?
I'd like to use one box for pfSense, AdGuard, maybe Headscale. I'm probably going to do that soon. We actually have some more boxes that we ordered and should be in soon, and I will do some testing with that, but as far as I know, they work fine on Protectli boxes. On the Protectli site... I don't know what Google's trying to do, but anyways, in their solutions under hypervisor, they have like a partnership with XCP-ng. So as far as I know, it works perfectly fine on XCP-ng; I don't know of any issues with it. "Give me a thing about services differences, but regional; I'm worried about whether the devices are stable, perform well without overheating and the like." I mean, Peplink is a pretty popular brand; I don't know of any overheating problems with it. I've seen some people just get the little Verizon boxes. I'm not aware of any functional... I mean, any of the brand-name ones, I can't imagine they fail that much. When you go to the least popular, cheapest-you-can-find-on-Amazon brands, well, that might be a whole other thing. So, oh, you know, I see the email you sent. Like, reading the whole email out, you wrote a lot. And most of the mom-and-pop shops are never where we use these. Most mom-and-pop shops, if they're somewhere in a city, they have dual internet connections from two different providers. Anytime there's an option to get provider internet, like from Comcast or WideOpenWest, Charter, etc., one of the coaxial ones, or having DSL; we have a lot of clients that have DSL backup. I know DSL is slow, but it's better than a cell backup, in my opinion. So nonetheless, hopefully that answers the question. Well, service watchdog is different. That's the thing about this: Service Watchdog is Service Watchdog. It's a service that watchdogs. Let me find it real quick here and I'll pull it up, if you didn't know. And we only have one thing in there.
I don't think I've done a video on this as a topic. Service Watchdog is an option in pfSense where you can have it monitor a service that you have running and tell that service to start in case it fails, and then notify you on that failure. So that's Service Watchdog. So I don't understand what the encryption watchdog is on there; that part doesn't make any sense, like asking if it's in there. "How reliable are Netgate transfer speeds? Say I have to calculate 50 of those and can reach those speeds on the website for real?" Netgate has a very detailed testing process for how they determine the speeds. They give you two performance numbers: they give you the IMIX traffic and the iperf version of it. So it's quite accurate. Yeah, so I don't see any accuracy problems with the way Netgate does their speed test. They've got a documented process they're using. What's that software they're using? I already forgot the name of it. It's the one from Cisco that does IMIX traffic testing, but they've got it documented in a blog post. So you could probably Google it. Yeah, Chris's email was about cellular backups. Oh, yeah, the second email is just asking about the QAT crypto, which one was available. That's what their question says: doesn't have it and doesn't have watchdog as an option. I don't know what watchdog as an option is under crypto. But the cellular backup is what the topic or context was from Chris's question. "For TrueNAS Scale, how important is the graphics card for Plex servers? Is it beneficial to have the fastest graphics card you can afford, or the benefit of having dual graphics cards?" I don't know, because I just don't do any transcoding. I used to use Plex; I moved to Emby. I never use the transcoding feature. Now, one of my staff, maybe they'll answer this question because they do. I just don't do it. I don't change anything.
I just download the movie from a legit source, you know, rip it from some proper DVD I have, and I play it. I don't have a graphics card installed, or done it. There's benefits to doing it, but that's outside of what I'm using it for, so I spent no time on it. Oh, let's see. "Zorus is not available in Europe. Have you tried anything else you can recommend? DNSFilter?" DNSFilter works a lot different than Zorus. We did try DNSFilter, and I wasn't particularly happy with it. So I don't know what I could recommend in the European market. I don't have an easy answer for that. "I installed ntopng and started shipping the data to VictoriaMetrics, and it doubled the amount of series in the DB." VictoriaMetrics, I don't know, I'm not familiar with that. Hmm. Yeah, Travis is just doubling down: we had not had good experiences with DNSFilter. I have a few... I don't want to dump on the people; I think they're nice people over there, but I wasn't really big on their product. And I don't want to speak ill, because when we tested it, it was pushing a year ago, and maybe they fixed some of the issues we had, so evaluate it yourself. I don't want to cast an opinion that would be unfounded on them. There were just features that it didn't have at the time, like an easy way to disable the agent, but that may have all been fixed. So I don't know. "How soon will 10G support be on pfSense? I've already set your monkey link. It's time to move further." pfSense has 10 gig support. My 8200 has 10 gig support.
So 10 gig support is definitely on pfSense and has been for quite a while. There's probably a few other companies out there doing stuff similar to Zorus, but it becomes a challenge, because my understanding from talking to Zorus and other people is the laws in Europe make this hard. So for companies, if the laws say, hey, you can't do this or can't do that, when it turns to that, if they have trouble complying because maybe they don't understand it, I would look towards European companies that maybe have a better grasp on it. But I don't really know that many, because the other US companies may have some of the same challenges until they've kind of navigated it. It's the same reason we do consulting in Europe, but we don't do, right now, any managed services in Europe, because I would have to make sure before we took any of those, and there's not been a client offer big enough yet. We would have to research to make sure we can comply with all the laws of that particular country. And that is a different intricacy. The consulting is one thing, but when you want to provide service and support, the laws may be different. I have to make sure we are well covered on that so we're not violating any laws, especially unknowingly. "How many simultaneous transcoded streams do you need?" I think that's probably the question you would ask: if you need any simultaneously transcoded streams, whether or not you need a video card in Plex or Emby. "VictoriaMetrics is like Prometheus but can receive data in InfluxDB and Graphite formats as well." Okay. Oh, yeah, we do have 25G in the office. "Will there be support for UniFi OS for WireGuard site-to-site? Tom, it's only supporting WireGuard site-to-client."
Yes. Let's talk about that in a moment, because that is definitely a challenge that we'll be talking about. Let's pull up, because I had to pull up here before I forget, I just want to get this out of the way in the order I had them in, for those wondering, because this is actually a pretty short answer. The problem was zero trust and people having a hard time understanding it. Zero trust does not mean trust no one, and this was a debate that started with a tweet from NetworkChuck, who said he didn't think VPNs were particularly secure, and I said, hold on, it sounds like some BS here, and then he defined it better. But then people were saying the company he recommended, which was Twingate, is not a zero trust company because you have to trust them. And I was talking about Tailscale, and people said, well, that's not a zero trust solution because you have to trust Tailscale, and I'm like, which version of zero trust? I mean, I can say I zero trust you, and that might be a definition we use, but let's talk about the NIST definition of zero trust, just briefly here, because this is where I do like when there's publications, so we can have a common language or framework by which we can say things. I just want to make people very clear on this, and I thought about, I don't know if it's worth doing a video, but the question comes up a whole lot because companies love zero trust as a buzzword. It makes sense from the way NIST defines it, but the buzzwording doesn't help people understand it. It's about where you authenticate it. Also, this does not mean OpenVPN is not part of your zero trust solution. It just means letting someone inside your network no longer becomes the point of authentication, and that's the biggest part about zero trust. I wanted to bring this up because this is something that a lot of people don't take the time to read. It's a short paragraph. It's about how you do this. But maybe I'll do a video
on this as its own topic if people are interested, where I break down what it looks like to validate, because it's kind of "trust but verify"; that is more about zero trust. So zero trust: you look at the old-world way of doing it. You're like, oh, I get inside the network and you trust me because I'm on the inside perimeter of your network; I'm no longer outside. Well, zero trust is more about, hey, you're inside the network, that's fine, but that's not the validation point. The validation point is each service you access; we validate who you are. That's more about zero trust. You're going to validate the endpoint to make sure ownership of the endpoint is the person you want on there, and you're going to make sure the person has some type of validation to the services they want to access, not giving them or granting them validation just by the mere fact of being inside the perimeter of your network. So yeah, that might be a good topic, because then I can actually diagram it out: this is the user, this is how we validate this user, this is a zero trust situation versus the validation just based on them being inside the network. This is actually one of the reasons, when I'm talking about a lot of these things, where people are like, oh no, what are you gonna do if they get inside my network? Well, each one of my services still has username-password authentication tied to the services. I don't validate based on the location of them inside or outside the network, but for reducing risk surface, I reduce my risk surface by requiring VPN. I'll use Bitwarden as an easy example. We host Bitwarden internally behind a VPN. Being inside my network doesn't get you access to our Bitwarden; it just gets you to the login page. We still validate who the person is, that they're able to log in there.
So there's still validation mechanisms on there, and that's just one of those little details I think it's really important to make sure people are very clear on and understand with zero trust. It's not that you trust no one. And when you talk about tools like Tailscale, or any overlay network, how they work is they keep you on an always-on VPN, but that doesn't stop your validation just because they're connected to your overlay network. Those services that you have tied to that overlay network, that's not your validation point. That's just getting you to the point where you start doing the validation. Yes, I do use YubiKeys with Bitwarden. "Video: day in the life of Tom." I don't know; you'd just watch me reading a lot. It's not exciting. Reading, a few meetings, more reading, look at a project, consult with a client. So there's plenty to talk about on that. "I heard it referred to as deep trust; this is your trust." Yes, that's probably a better... I've heard that too, but if I said we're building a deep trust system, people would be confused. If I said we're building a zero trust system, there's a publication by NIST that defines it. I agree, I don't like the whole... if it was deep trust architecture, to me that would make more sense. Maybe we can just petition to get it renamed, but then all the marketing people would be mad. "Do you remote control your client servers with ConnectWise Control, Ninja, or only via VPN/RDP?" Depends on the client. Managed clients are going to be ConnectWise Control. Unmanaged clients that we may have some limited visibility into might be RDP, but generally speaking, managed clients are ConnectWise Control.
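The distinction Tom draws above, between granting access because a request comes from inside the perimeter and validating identity, endpoint ownership and service entitlement at each service, can be shown side by side in code. This is an added example, not code from the vlog or from any product mentioned in it; the network range, the HMAC-signed demo token, the device inventory and the per-service ACL are all constructed stand-ins for whatever a real deployment would use.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed demo values (hypothetical; not from the vlog or any real deployment).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SERVER_SECRET = b"demo-secret-do-not-reuse"
# Endpoints whose ownership has been verified, mapped to the user they belong to.
ENROLLED_DEVICES = {"laptop-42": "alice", "laptop-77": "bob"}
# Which identities are entitled to which services.
SERVICE_ACL = {"bitwarden": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class Request:
    src_ip: str
    service: str
    user: Optional[str] = None
    token: Optional[str] = None
    device_id: Optional[str] = None


def issue_token(user: str) -> str:
    """Mint a demo bearer token bound to a user; HMAC lets each service verify it offline."""
    return hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()


def token_is_valid(user: Optional[str], token: Optional[str]) -> bool:
    if not user or not token:
        return False
    return hmac.compare_digest(issue_token(user), token)


def perimeter_authorize(req: Request) -> bool:
    """Old-world model: being on the inside network is the whole proof."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_authorize(req: Request) -> bool:
    """Per-service validation: who you are, whether the endpoint is yours, and whether
    you are entitled to this service. The source address is deliberately not consulted."""
    if not token_is_valid(req.user, req.token):
        return False                       # identity not proven
    if ENROLLED_DEVICES.get(req.device_id) != req.user:
        return False                       # endpoint not known to belong to this user
    return req.user in SERVICE_ACL.get(req.service, set())


def compare(req: Request) -> dict:
    """Return both models' decisions for one request so the difference is visible."""
    return {"perimeter": perimeter_authorize(req),
            "zero_trust": zero_trust_authorize(req)}


if __name__ == "__main__":
    # Someone who got onto the inside network but presents no identity at all.
    print(compare(Request("10.1.2.3", "bitwarden")))
    # Alice, from a coffee shop, with a valid token on her enrolled laptop.
    print(compare(Request("203.0.113.9", "bitwarden", "alice", issue_token("alice"), "laptop-42")))
```

Each request is evaluated the same way whether it arrived over a VPN, an overlay network or the office LAN; the VPN only decides who can reach the login page, as in the Bitwarden example above.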
They have Ninja on them as well. Oh, let's pull up the UniFi stuff, because this is the next thing I want to work on. The chart doesn't make any sense yet because it's all just a bunch of yeses, because I need to figure out what's going to go in here, but I am working on an updated version of all this. So can we zoom to 125? There we go. We'll shrink this a little, and I think, yeah, everything should be on the page now. So they finally fixed it, and what I'm going to do when I have this spreadsheet done here: these are all clickable, by the way. So each one of these is the help page related to the VPN. As you go down to each one of these, you can get to the help page for any one of these to explain in their own words how it works, because there's always going to be a lot of confusion because of the way they do things at UniFi. And this is where I've got to validate this part: VPN policy routing. This is where their next challenge is going to be. Now, they've done a great job of finally getting, with the OS version 3, this is 3.2.0, I think it is, or 3.0.20, the latest version 3 of their UniFi OS, the latest one that's available as of today, which is May 4th of 2023, it does have all the support now. So, well, no, Teleport is not their site-to-site; Teleport is their phone system. So this is once again back to where things can get confusing.
So we click on Teleport, and Teleport is a zero-configuration VPN. How does it work? Mobile app, iOS and Android. Why they call it that, I don't know. So this is also part of why I'm going to just make a chart to explain all of this, so I can do a review, but just explain what all their wording means, because this right here is wording that makes it harder for people to understand what it is. Now, they do have in their beta an upcoming feature called Magic VPN, and Magic VPN is going to be able to do site-to-sites with some sanity. I'm looking forward to it, because this was a cool feature if you were using the UniFi controller software and the earlier USG models: you could just build site-to-site, just tell them all to talk to each other, and it would build it for you. I thought that was a beautiful thing, and then that broke when everything went to these Dream series ones. So when you went to the Dream series systems, you couldn't do all the easy site-to-site, so you had to do it all manually. But even now, doing it manually, the challenge is the policy routing is very specific. And even though they finally got WireGuard on here, which, hey, great, WireGuard, but no WireGuard for site-to-site. And I've got to make sure I'm clear on how all the rules work for all of this as well. So it's going to be a lot of details that I've got to put together, because it's not about if something works; it's how it works, and does it work well? And that's where the challenge is going to be. And I'm going to add some of the other fields from this, because there's certain things that it just doesn't do, so I will make sure that the integration support for some of these, like whether or not it has any of the Let's Encrypt certs, or how it works, some of those things are going to be a little more tedious, but I'll have to talk about them. "pfSense, the interface itself, does not have 2FA built into it."
No, but well, technically no, but you also can, because you can use something other than the pfSense built-in auth to authorize yourself. So you could use RADIUS as the back end, or something else, and then you would have to validate against that, so it could have it, but by default, no. Twingate: there's nothing about it that made me go, wow, this is amazing. I looked at it. I thought their documentation wasn't that great. I also don't like the fact that they called themselves like a VPN replacement, and they don't have good documentation on what the transport is. Unless I'm overlooking it, they didn't have good information on the transport layer, and that bothers me when companies don't just lay it out there. For example, Tailscale, who has amazing documentation and an open-source client, because Twingate is fully closed source. The lack of transparency, like I said, it just kind of makes me look at a company and go, why aren't you being more transparent about how you do transport security? Because that matters. The people at Tailscale are using WireGuard on the back end, so they didn't try to reinvent their own security or do anything different. You're like, yeah, we're just using WireGuard and we orchestrate WireGuard connections. Pretty simple, and I think that's great. "Can pfSense do SSO logins for Microsoft?" On the interface, I don't know if you can do that. I know I wouldn't want to do it. You can do it for, like, the VPN, but for the web interface, that seems like a dumb idea. That's my opinion, at least. I've had people ask that. We actually had someone... I take that back. You can definitely, at least because we have one client do this, until they broke it and locked themselves out of their pfSenses.
They have a Google... I think it was Google LDAP. We tied the Google auth to their login for their pfSense because they thought it was a good idea, right up until they broke it and couldn't get into their pfSenses. So yeah, I don't have a good reason for that on firewalls. I'm fine with central management with certain restrictions on it, which can be good; the people at Netgate are working on that for pfSense. But tying all the pfSenses to an Active Directory authentication... matter of fact, it's funny that I was on a talk a while ago about security, and people were telling me I was dead wrong when I was talking about how bad of an idea tying your NAS to your Active Directory was, for managing the NAS, not for user authentication for file sharing, but for managing the NAS. I said it should not be tied to your Active Directory. This is a few years back, but people were razzing me, and other security people stood up and said, why are you razzing Tom about that? This is not a good idea, and what happens is someone gets their AD popped, and then next you know, they take over the interface to all their different NAS systems. I'm like, yeah, that's why it's a bad idea. Keep your backups and everything else separate. Yeah, keep it all separate; only minimal amounts of federated authentication where it's needed. You don't have to log into pfSense that often, so, well, at least you shouldn't. I don't know. Oh, let's see if I missed any other questions on there. Well, hopefully this answers some of the questions. So about the UniFi firewall stuff: we just reset our UniFi Dream Machine Pro. I want to do a factory reset, and we're going to do some testing to make sure I'm clear on all the new features and how they work, so I can do an updated review on it. But I don't know that this will change my mind and start having me recommend these to people. I hate them less now. I think they've become a lot better.
I just don't know why... my worry is how long before they come up with a new idea that changes things, or have they decided that normal VPN is okay? That's the part that bothers me. It's one of those weird things. They had, for a while there, you didn't have to adopt it to the cloud. Then they had a few versions where you had to adopt it to the cloud, and then they made it like it's a feature announcement: oh, you don't have to adopt it to the cloud. I'm like, why did we ever... you took that feature away. You took away the ability to have it locally managed, and then you act like it's a big deal to put it back. So I don't like when companies kind of do that. It definitely makes me suspicious of them. So trust is earned over time, and a company that's been taking our ability to locally manage things away and giving it back to us, that seems sus to me, you know. "You mentioned content filtering is complex in pfSense. What are other options for pfSense owners?" pfBlocker is the best way to do it, but content filtering... I've got an entire video called Content Filtering. It's all about why content filtering is complex. And it's, you know, all you pesky people wanting privacy and encrypted sites; it's just created such a headache for people who want to see all the traffic so we can filter it, or spy on you, you know. That is really the challenge that comes in: as the internet has moved towards a more encrypted back end, if you will, a transport layer, with Let's Encrypt leading the charge here to get more and more sites encrypted, this blinds your firewall to that. So the challenge now is, how do we filter stuff if we can't see it? And that's where everything gets complicated, and just the number of websites. What is the criteria by which you filter on?
Categorizing the internet was easy in the days of Yahoo being the first search engine. The internet's much different today, and sites don't have good compliance themselves to flag what they are. Major sites are easy, but it's all the littler sites that become very challenging to constantly index and keep that up. That being said, you now have a subscription you have to buy to buy the feeds. This is also what makes it complicated, as well, is paying for those feeds to be updated all the time. "Another issue with SSO and admin is you would not want to use an elevated account for stuff like that, not your regular logon." I mean, yeah, you want to make sure you're using very specific accounts that even have access to it. But like I said, I don't really see the benefit of having your login to pfSense tied to Azure, or Google, or any of those. "Is there a way to set up WPA2 Enterprise with pfSense with Azure AD instead of local FreeRADIUS?" I don't know what that... I mean, instead of the pfSense RADIUS? Yes, you can; there's ways to do it, and you're probably not talking about pfSense. You're on the UniFi wireless, is my guess, or whatever wireless you're using. As long as your wireless devices, your access points, support it, yes, you should be able to have them do the authentication. "It is a pain when you lose internet and the UDM Pro stops working because it doesn't have internet." Yeah. "Twingate was so easy; I could have done it blindfolded." I think Tailscale is easy. So I mean, ease of use... the questions I have... I mean, they've gone through a security audit, so I don't know anything insecure about it. And this was the discussion that came up: it is not a zero trust solution, because it is a proprietary solution from a third-party company. You're just putting your trust in a third-party company to manage your connections. "To be fair, the whole point of the Dream brand routers is the integrated cloud key and cloud management."
Well, no, the dream of UniFi is having you be able to self-host and manage it. There was no good reason I can think of that you forced people to register with the UniFi cloud. That's the part that didn't make any sense. UniFi, one of the things that makes them stand out more than anything else is the self-hosted controller, and that is something that other companies just don't do. They avoid it. They want you to tie and lock into their cloud so they can charge what they want for things. That is the big unique thing when it comes to UniFi: they let you self-host it. It's part of their brand, and I think that's great. So, here's your self-hosting controller; you want to host it, but, by the way, you've got to tie to our cloud thing. That just kind of goes against what I feel about how they work. So, yeah. "Is the Dream Wall viable as an NVR?" None of the Dream ones have much in there, so I don't really see... I don't know how much extra storage you can add. I've not really dug into the Dream Machine NVR, or the Dream Wall version of it. I don't know how much storage you can add. At least with the other ones, you can put a drive in there. So, yeah. See, categorizing was also easy where most sites weren't behind a CDN. That's a different challenge. If you were to just go by the IP addresses, it wouldn't work anymore. That worked in the past, but with content delivery networks, and many of them being the same, the content delivery network looks at your SNI header and goes, hey, you just requested this, therefore let's deliver you the site you asked for, but it may all be coming from a singular IP address. Yes. Nope, I haven't had time to test SMB3. I haven't done any real testing with the 7.2 Synology. "Do I have a video about RADIUS?" I have a pfSense video about RADIUS. "Management solutions on the cloud is awesome."
It's awesome till it's not. The price always seems to go one way: up, despite computers costing less and compute time costing less. Your cloud will cost more tomorrow. "Where is Cody as a Dream Wall?" Yeah, I think the Dream Wall is stupid, I'll be honest. I don't really get the form factor. I mean, it's sold out anyways. Let me pull it up real quick. Last I looked, it was sold out, which I don't think is actually because of demand, I don't know, but whatever. Oh, Dream Wall in stock. So get one if you want a Dream Wall. They were sold out the other day when I was looking at them. It's just a dumb form factor. They also don't make the most sense for pricing, because here's a Dream Wall, which is basically... if I were to buy a Dream Machine SE and a switch, I think I'd have a better experience. Like, am I... yeah. So this does have kind of an integrated 128 SSD in it, so we do have that, but we don't have an extra bay to add a larger drive. So what am I getting? I guess it does have Wi-Fi 6 in there, but for a thousand, I feel like the experience would be better by buying this and a switch and a Wi-Fi access point. I mean, am I wrong? I am just confused by that, because, well, this has the PoE, so really I just need this plus an access point, and now I've got a few less ports for $499. I don't know; the price point isn't making me go, wow. So maybe I'm wrong on this. I don't know. "Is it okay to run Docker VMs on your NAS, or should I use a server for that, for homelab use?" I mean, that's the whole idea of TrueNAS Scale: to be able to run your applications right where your NAS is. I think there's a lot of efficiency to be grabbed out of that. You may not see this in the enterprise space, but for the homelab and home users, I think there's a great level of efficiency you can have by doing that.
So I don't see it as a problem. Yes, Cody's got one. You can't add a hard drive in that, can you, Cody? Not that I know of, at least. Dream Wall's removed from the UI store.

I have a VPN and a pfSense; my internet connection, so my internet connection is always VPN. To use VPN has DNS too, but I still see my own traffic status DNS. She's over in top g. How do I encrypt my own traffic? Well, what do you mean, encrypt your own traffic? It depends. You're talking about inside your own network? You want to have an encrypted between you and your pfSense? Your DNS? I guess I have to understand the context of the question better.

I've had a few instances where anything I manage in the cloud is that issues no more than anything. Host your own data centers. Yeah.

Dream Wall's silent. That's not my big concern. Just an SD card, so you can only add like two cameras. Yeah.

If only SCALE has some better tools for VMs now. It's kind of like crap if you want to mess with something more serious like k8s. I mean, they're getting better with the way they're engineering in SCALE, but obviously there's some challenges building... What it's an ambitious project is what they are definitely doing with TrueNAS SCALE, but with ambitious projects comes lots of bugs. That's the status of that project. I like it, I'm using it. My daily driver is a TrueNAS SCALE system, so it works. I'm even running some apps on here. They're all up to... oh look, FreshRSS has an update, Home Assistant has an update, Syncthing has an update, Netdata, everything needs an update. Let's go ahead and see if it breaks something. Let's upgrade it. Doing it live. Upgrade. I've actually had the upgrades go quite well. It's not been much of a headache for me.

How do you do documentation for your customers and share between your engineers? In the past it was in a wiki; in the future, going forward, it'll be Hudu.

Any improvement with the encryption issue?
No, this is a bug that was not fixed in the latest version. So if you do file transfers and you are using an Intel Atom chip, you're gonna have a slow time. That's just what I have figured. No one's ever answered my forum post with any more articulate of an answer. So I might reach out, because I have some other people I might just message directly. I was hoping to get it put in the forums. I don't like messaging people directly ever. I actually know who probably knows the answer, and I'll just message them and then relay the answer back to everyone if I have a concise issue.

So your ISP, you want encrypt? Then you should move the VPN from, instead of on pfSense, to your computer. So you should VPN the traffic from your computer out, you know. I'll throw out there, because I've used them for a long time, PIA. You know, they have their little internet... You can use OpenVPN and tunnel all the traffic off of your computer. That's another way to do it.

I would love to see a NAS vendor with proper automatic HA storage, but if you buy more than one, also automatic k8s back end by the HA storage, three node cluster runs a load. I think that's what you're trying to go through with SCALE. I don't... it's gonna be a long time before they get there.

What do you use for inventory management? Snipe works, if you haven't heard of Snipe-IT. It's an open source product. It's actually pretty slick. Well, I'll throw them a shout out here. So they make... it's open source, hostable, they have a demo, they have a blog, you can see all the new features and stuff like that. They have a cool website. So that's, yeah, check out Snipe-IT.

Self-host of Bitwarden requiring 443 to be open, SSL cert on my NAS, more or less secure to use a Bitwarden cloud account for my personal family use? For personal family use, self-hosting seems like overkill.
So there... Bitwarden is solid and secure. Even, you know, me and my wife use Bitwarden. My personal Bitwarden I just use in Bitwarden. The business one we happen to self-host because I can, but my wife's and mine, our shared password, is just using normal Bitwarden. Like, I didn't feel like spinning up a separate instance for it.

What do you recommend, inventory? Here we go, next one down.

TrueNAS SCALE, like TrueNAS, Rancher, Proxmox in one appliance, is going to take a while to mature. Yep, it's complicated.

How do you encrypt everything in your LAN? I encrypt everything I care about encrypting. I'm not worried about encrypted DNS in my LAN; I just don't care enough. It's just something that doesn't bother me, so I don't bother encrypting my DNS requests. I just use normal DNS. So someone could, if they were on my LAN, sniff my DNS requests. Seems an unlikely scenario, but yeah.

PIA with WireGuard through pfSense? Nope. It probably works, I've never tested it. I'm using OpenVPN. It's one of those "ain't broke, don't fix it." So I haven't had a reason to use WireGuard.

We moved from wiki, and eventually we'll be on Hudu. That's going to take some time.

I just seen 45Drives were tweeting about making a homelab NAS. Maybe you want to work with them on that.

Other people liking Snipe-IT. Yes.

Is there any standard rule to follow in selecting UID and GID insurance? I make sure it's the user you want. I don't understand the question, perhaps.

Best privacy phone with Google 6a/7 Pro, GrapheneOS, booted, even disable camera? Yeah, nope, I'm not doing a guide on that. It's so unnecessary. I don't know why I would do it. Like, I don't have a use case for it. That would be a good way... I should go back. I used to say that a lot.
I'm definitely going to say it again: don't have a use case for that. You know, it's all those things like, there's a diminishing return on it, and if I'm gonna take the time to do a video on something, like I'm going to do a video on Graylog. I got Graylog all set up and finished, so I'll spend time doing that next. It'll provide value. If I have unlimited free time, sure, I could do all kinds of esoteric things just for funsies, but the problem really comes down to, I try to figure out which videos I can find the time to produce that are going to produce the most value for people. Like, you know, the Graylog one's taking a little bit longer than expected, but it's about done.

One of the things I wanted to do, and I haven't updated this yet... Let me log into Graylog, because I could just show you what I've done. I wanted to update the extractors. So I've been writing new extractors and making sure they're all good. So I can go here. Share this tab instead. I want to make sure, because I know the popular one's going to be here, but these will all be published on GitHub, so you'll be able to see and edit all the extractors. I just made one for OpenVPN, so it parses the users in OpenVPN to make sure we grab the proper things we need here. So, yeah, this is going to be helpful to create nice parsed data into fields. So then when you create alerts, which by the way I now customize the alerts, so they'll let me know in a Slack message when each user logs in. It's just little things like that. I know people have asked before about Graylog, and because, you know, it was harder to, well, not really hard to do, I just didn't take the time to really make the video about it. So this video has a lot of those details. So let me actually show you this. Throw this tab back up there now.
I'm even going to put together like... It says "OpenVPN user logged in via" and it gives the IP, so I know when people log in. It throws a message in our Slack channel for this. So hopefully that makes some sense.

Oh, let's see. "I have a hard time making content for something I'm not interested in and don't have the use for." Yeah, I completely agree. If you haven't followed DB Tech on YouTube, he's definitely got some great videos, and me and him chatted quite a few times. This is the challenge: like, there's only so many hours in a day to be able to do these things, and that's the problem. There's only this many hours to get things done. I try to figure out what's going to create the most value.

See Bitwarden if it goes down. Yeah, if Bitwarden, if I stop Bitwarden, you still have access to all the cached passwords. Bitwarden is encrypted all the way. Yep.

Graylog can use webhooks, so yes, whatever you want to use webhooks for.

I don't know why I would want to have integrating pfSense, Graylog and Influx. I've never done it. I don't have a reason to do it. So no, I don't have any tips on it. I know there's some guides out there, but I don't use it. So since I don't use it, I don't have a reason to do a video on it. I don't know why people use it. I know people ask about it. I don't know the big draw for it. People really like pretty graphs, I do know that. That's, you know, I guess if you have to report to some less skilled manager who loves pretty graphs, then you probably need to spend a lot of time making pretty graphs. Good news is I don't report to someone who requires pretty graphs.

So what do you use Graylog for? It's a syslog. Yeah, Graylog is the consolidation of all the logs from all over going into one place so I can correlate any access data that I have going across all my servers.

32 nodes ZimaBoard. These ZimaBoards are pretty cool, if you haven't seen them. I think a few people have gotten them.
Craft Computing did a video about it. So we're on the same page of what we're talking about: that is these here, hackable single board computer. These are cool. It's got the slot on it, so definitely makes it pretty neat.

We don't manage Graylogs for customers. They're used in co-managed environments, but we do not manage them for customers. Shipping everyone's logs over to one central log server would be a bandwidth headache, so it's not something for production like that.

Do you sync NTP for this? No, just use NTP in pfSense. It's fine. I'm not looking for scientific accuracy, like the NTP server in pfSense works perfectly fine. I've seen people, I mean, if you have some very time sensitive applications, then yes, you may want to get, you know, they sell devices, hardware NTP that pulls off of GPS to pull time. I haven't run into a need for that.

KeePass XC can import and import the whole thing if you need to, count email pay, you know, store, and yeah, full privacy. You know, it's interesting. There was actually a new... yeah, this is recent. Oh, apparently there's more than one. The older one, let's see. There was a recent KeePass attack, and I seen it on BleepingComputer. I just Google it and there's a few other ones that come up. But there's basically some targeting of KeePass in some of the newer malware variants. They would look to see if you have KeePass to copy it. So, thought that was interesting. It shows the popularity of KeePass, and targeting it, by the way, does not mean gaining access; the database KeePass uses is encrypted. So there's nothing wrong with it, but the fact that they take the time to target it shows that it's getting popular.

Can you view multiple Graylog databases from UI, like multiple Loki DBs from one Grafana? You can build multiple.
I guess this is, I could show how this works. If you go to System, Indices, you create all the different indices. So I break them all out into separate ones, but when you're querying it, you can pull them all together into one. So like all my TrueNAS ones go here, all my things for ScreenConnect here, the proxy, the wiki, the UniFi system, the office pfSense. Each thing I have its own input too, and then, and I'll be explaining this in a video of how you set these up, because I'll walk you through the process of this. This is what takes a lot of time to set up in terms of making sure people grasp and understand it. I have a flow chart to walk you through how data gets ingested, how the extractors work to break the data out into different tables, and how you land it in each one of these here. But you could just create as many as you want. You create an index set, go through and create it, and then you create an input, and then you can create an input that goes to a stream, and the stream streams the data in there. In between there's an extractor that you may or may not want to use to extract the data into some type of format. So that's the whole process for Graylog. Graylog doesn't have as good a documentation as they could. It's such an amazing product with okay documentation. Their forums are really good. That's actually where I pull all the information to learn how it all works, is the forums. The forums are better than the documentation. So my video will be a walkthrough of that process of how to get it done. My old video explains this as well. I'm just modifying the video because there's not a dramatic difference, but there's some differences between Graylog 4 and 5. So my 4 video is still relevant. Matter of fact, you can go back even a few versions of Graylog. It's kept a very similar interface for a very long time.

Let's see. Well, yeah, I see people talking about... you can go down the stratum rat hole.
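The two Graylog passages above (the OpenVPN extractor that feeds a "user logged in via IP" Slack alert, and the input, extractor, stream, index set flow just described) fit together as one pipeline. The following is an added example, not the stream's extractors and not Graylog's own code: a small stand-in for that flow in Python, with constructed syslog lines in place of real inputs. The OpenVPN and sshd message bodies follow those daemons' usual log formats; the hostnames, addresses, user names, stream names and index names are assumptions made for this example, and the alert is built as a `{"text": ...}` payload of the kind a chat webhook accepts rather than sent anywhere.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real captures). Hosts, IPs and users are made up.
SAMPLE_LINES = [
    "<29>May 10 08:12:01 vpn01 openvpn[1234]: 203.0.113.7:51234 [alice] "
    "Peer Connection Initiated with [AF_INET]203.0.113.7:51234",
    "<38>May 10 08:13:00 truenas sshd[2001]: Accepted publickey for admin "
    "from 192.168.10.5 port 50022 ssh2",
    "this line is not syslog at all",
]

# Input: one parser for the BSD-style syslog envelope every sender shares.
SYSLOG = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Extractors: named-group regexes that turn the free-text message into fields,
# the job Graylog's regex extractors do. Each one applies to a single app.
EXTRACTORS = [
    ("openvpn_login", "openvpn",
     re.compile(r"^(?P<remote_ip>[\d.]+):(?P<remote_port>\d+) \[(?P<user>[^\]]+)\] "
                r"Peer Connection Initiated")),
    ("sshd_login", "sshd",
     re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<remote_ip>[\d.]+)")),
]

# Streams: field-match rules that route a message; each stream lands in one index set.
STREAM_RULES = {"vpn": {"app": "openvpn"}, "nas": {"host": "truenas"}}
STREAM_INDEX = {"vpn": "vpn_logs", "nas": "truenas_logs", "_default": "default_index"}

def parse_input(line):
    """Input stage: split the syslog envelope into fields, or None if it is not syslog."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["app"] = event["app"].strip()
    return event

def run_extractors(event):
    """Extractor stage: add parsed fields for the first matching extractor of this app."""
    for name, app, rx in EXTRACTORS:
        if event["app"] == app:
            m = rx.match(event["msg"])
            if m:
                event.update(m.groupdict())
                event["extractor"] = name
                break
    return event

def route(event):
    """Stream stage: first stream whose rule fields all match wins, else the default."""
    for stream, rule in STREAM_RULES.items():
        if all(event.get(k) == v for k, v in rule.items()):
            return stream
    return "_default"

def alert_condition(event):
    """Alert: fire on every OpenVPN login, wording it like the Slack message in the stream."""
    if event.get("extractor") == "openvpn_login":
        return f"OpenVPN user {event['user']} logged in via {event['remote_ip']}"
    return None

def ingest(lines):
    """Run the whole flow; return the per-index-set messages and the alert payloads."""
    indexes = defaultdict(list)
    alerts = []
    for line in lines:
        event = parse_input(line)
        if event is None:
            indexes["unparsed"].append(line)      # keep the raw line rather than drop it
            continue
        event = run_extractors(event)
        stream = route(event)
        event["stream"] = stream
        indexes[STREAM_INDEX[stream]].append(event)
        text = alert_condition(event)
        if text:
            alerts.append({"text": text})        # webhook body; not sent in this example
    return dict(indexes), alerts

if __name__ == "__main__":
    idx, fired = ingest(SAMPLE_LINES)
    for name, events in idx.items():
        print(name, len(events))
    print(fired)
```

Keeping unparsable lines in their own index set instead of discarding them is the part worth copying: a sender whose format changed shows up as growth in `unparsed` instead of silently vanishing from the alerts.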
You need to have very accurate timing for things. Yes, for sure.

Hi Tom, thanks for your content. Is it possible to use web hosting solutions behind CGNAT? I can get Cloudflare tunnels to open ports I need. Is it possible to use web hosting solutions from behind CGNAT? Cloudflare tunnels is the answer, more than anything else. They're probably the easiest one to get set up if you want to host some service to make it public, but you're stuck behind CGNAT. That's why Cloudflare tunnels are so popular. It works really well for that. I think it's a solid use case. And I'm not clear on this, because I just haven't tested it, but I think Tailscale is coming out with something similar. Tailscale... this is the new... So I have not tested this here, but Tailscale Funnel, if I'm not mistaken, is a way to make something work in a similar way, which I thought was kind of cool. It says in alpha, but this is an old blog post. I believe it's in beta now. I like it that there's more than one option for this. I think we'll see more companies doing it. Nothing is easy. It's not that these don't exist; there's not as easy of a way to do this without Cloudflare tunnels. Like, could you do this with self-hosted ways? Yes. You spin up a server in Linode or somewhere like that that's public and create a connection, so you forward your connections from behind your CGNAT to your cloud connection. But Cloudflare tunnels is an easier, quicker way to get this done.

Oh, the joy of finding your exact open source question on a forum and the post is six years old and no one ever replied. Yeah, that's a challenge. That's why this Graylog video took longer, as I created the documentation, and I'm gonna have written documents along with my video tutorials so people can follow along either way.

You cannot open ports for your mail server.
WHM dashboard for example. I'm not an expert on the limitations of Cloudflare tunnels, so I don't know if you could host mail on it or not. My guess is no, I don't think that's possible. What is... oh, you want the WHM dashboard out there? Yeah, I don't see why you can't get the WHM dashboard out there, but the mail server, I don't think so. And I wouldn't offer it as a hosting service, by the way. I mean, this is just a side project, "you want to open up some ports to the internet" type of project.

Let's see. All right, all the questions are answered. Just move on to the next thing I wanted to talk about. Close all these, too many tabs open. Oh, let's see. This is the next thing I'm working on how to do the video on. Oh, yeah, everyone hates this one. "Oh, yeah, I got it working, but I'm not telling you how." Yes, that is the pain on the internet, for sure.

I don't know why you'd want to do this. I've had people ask. I think it can be done, but I have no interest in doing it. So I have no experience doing it and no interest in doing it, but I think maybe you can do it. I don't know. Possibly. I'm not positive if HAProxy will break OpenVPN. I wouldn't think it's a good idea.

But Synology is a great idea, and I think there's... this is actually not the biggest project, but this is the most recent one that's on our table at the moment. But we do a lot of these Synology products, and I realized when I posted this picture, a couple people commented on my Twitter, but I've heard this before, and I just got an email from a business that wants some help as well. They aren't realizing how large you can scale Synology and how many businesses we sell Synologies to, so I'm going to do a video about it.
Yeah, here's the bigger one. So here's an even larger camera project with Synology. Synology absolutely scales very well to good size camera systems, and it's a great combination with these Amcrest cameras combined with Synology. So I'm going to do a breakdown of the... I've done the breakdown of like the ones we use for home users, but I'll now talk about ones we may use for business, and how we set them up and how we do these pre-deployments, because the pre-deployments are a big piece of this, where we organize everything, get it all ready, get it all adopted, set up, label everything, so we can set it up for the clients. And just let people know that Synology is absolutely a great solution for this, because their licensing is extremely reasonable, because it's perpetual licensing. And of course someone's going to want to know, and it'll be a follow-up video, of how does it compare to UniFi? One, it's a lot more affordable, and it's usually in stock, so that's definitely a good thing when it comes to, you know, building a scalable camera system: being able to get it.

As a matter of fact, to go back to the other picture, one of the other aspects that can be a challenge, and let's go back over here, as you may notice, this customer had some white cameras, some black cameras. The colors of the cameras are dependent on which rooms they're going in, because some rooms are going to be dark, so they wanted dark cameras; some of them are going to have, I guess, white painted walls and they wanted white cameras; and they're on the outside areas. So there's some interesting aspects to doing it, and not to mention with Synology you can mix and match all the different cameras on there. It makes a huge difference.

And I got an email someone back because they had asked me about this, and I thought it was pretty neat. We actually set it up and have it working. We talked about this, I think, two live streams, or maybe it was the last live stream.
Let me log into the system and get it ready here. We're in Surveillance Station. You can, in the different cameras, you can do time lapse recordings of the UniFi cameras, and at the same time it's also in the UniFi. So this is in the UniFi and simultaneously sending data over to my Synology at the same time, combined with, and this was the question, was could it also do the time lapses, and it does. So that's actually kind of neat. They call it Smart Lapse. So we can have Smart Lapse videos going from the UniFi to get all this, with the Synology pulling in the data. So I'll be talking about that as kind of a neat way to put those together.

Have you played with the time lapse project? Yes, I have. The time lapse is really cool. Double NVR, absolutely.

What's with the heart icon positioned exactly on top of the chat comments? Terrible UI implementation. Not my UI implementation, so I don't know.

But we'll pull this up real quick. If we go to the Smart Lapse that I have, go to the recordings, pull one of these up. But yeah, this is what the Smart Lapse looks like. So this is a time lapse. So they work great. Maybe something more interesting, maybe my front yard would be more interesting. There we go. Yeah, I don't know that's really interesting, but that's what the time lapse looks like. Hey, look at that, I took the truck somewhere.

Fond memories of Tom closing up his hot tub. Ah, it's just a lid I use in the winter. It looks cool when everything's white. I like how, you know, we haven't had much dry. This is still the rainy season here in Detroit. Then it's night. It was raining all day that day. I don't think any of these are interesting, but it works.

The time lapse, Smart Lapse feature, and you can use it with UniFi. You define the frame rate you want for those; you can tell it exactly how many frames, whether you want it to span days, weeks.
I think it'll go into months. So you can have something that is like a video compressed down to 30 seconds, but it may represent, you know, 90 days' worth of it. They have a lot of fine-grained controls when you're setting it up. It's a little confusing when they set it up, but once you goof with it a minute, you can figure it out. Just get a calculator ready, because I don't know why they don't just have it in a more clear way when they display it. So when you're editing the task itself, this is what it actually says. So this is how it asks the questions for you to calculate and figure it out: "For each one minute, the Smart Lapse recording will real time approximately 24 hours of frame intervals are 24 seconds apart." So it's just spelled out a little bit differently. I wish they had little sliders to make it easier, but, well, whatever. Once you set it, you just kind of leave it alone. You figure it out, you set up the job, you set up the retention policies. It's important to set up retention policies so you keep these for whatever range you're wanting to keep them for.

This one goes all the way back to 2/7. Maybe there's snow in this one. Hey, look, snow. Snow goes away, snow melts, snow comes back. I thought I had one that was like it covered an entire week. Yeah, here's one, this one covers a week. There we go. So it goes faster. Yes.

Synology has not only motion alerts. This is what's really cool: it does detection of objects combined with the camera. So I don't just get an alert for motion. I don't want alerts for motion; I want alerts for, you know, person in my driveway, or vehicle in my driveway, or vehicle in my backyard, or anything like that. Like, it's much more specific, and that's why I like Synology, because they have, if you're using the camera's AI detection system, then to give you that piece of information.
So if we look at my, we'll do the front one here. So if we go to edit this particular camera, Advanced, and then Event Detection, Advanced: human and vehicle detection is what it's doing. So it actually alerts me not based on the cat that walks from, although once in a while it thinks the cat's a person. Once in a while it misidentifies a cat. So AI is not ready to take over yet, but when it's not misidentifying cats, it's really accurate. So I actually know when there's motion in there, and it tells my phone.

What's the file size on the one week? I don't know. It's compressed quite a bit, so not very big, because it's only, you know... See if it tells me. So if we go... So the one week one is a 1.7 gig file. Yeah, so less than two gigs.

Can it do detection for persons, objects who are known, like Frigate AI based? The advanced one can, if you have one of their DVA models. It can make a database of people and then do it, but that's specifically with the DVA model that you have to have for Synology. So that's not a camera function, it's a Synology function. So yes, Frigate's kind of neat because it can do that as well. The problem is, like, Frigate's a cool project, but it's nothing I would sell or support commercially.

Yeah, UniFi Protect the same, using G4 cameras to see people and cars. Protect has not misidentified my dogs yet. It's kind of hit and miss. I've seen it misidentify things, but yeah, it works.

Yeah, 1.3 terabytes for two weeks. Make sure you're using something like H.265. I'm still using H.264, because some things don't like viewing H.265. So that's my solution for that.

Yeah, Frigate is really cool, if you got the time to configure it. Yes. So people know what we're talking about: Frigate, NVR with real-time object detection for IP cameras. Yeah, that's the whole... it's a rabbit hole to go down there.
It's fun to play with and all that, but everything comes down to time. There's not unlimited hours in a day. So without unlimited hours, yeah.

Do you install any kind of grounding on PoE cameras outside of homes/buildings? No, no, just use standard cable. They're fine. They're bolted to the house. I have had no issues doing it that way.

Shinobi's another one. So is ZoneMinder. Those are other projects out there. None of the open source NVR tools out there I've seen at all are like commercial ready, where I would support them.

Yes, I have a separate VLAN for all the cameras. I have a video called "Securing Your NVR," and I walk through the process of that, because people always get confused of the way you secure an NVR, and I'm like, you lock down that network and maybe make an exception for your... Unless you're lucky enough to have a Synology with two network ports. But if you have a Synology with only one network port, no problem, just open up the one port you need for the Synology to be remotely accessed and leave the cameras, so the cameras don't need to get online.

Yeah, all the AI cameras, it's not just a dig at all at UniFi, but all the AI cameras, they get things wrong sometimes. You know, they're doing the best they can, but when you're taking, you're also not the most expensive devices, and trying to apply object recognition with limited data sets to a flat object, you know, it's the challenge with AI sometimes. It doesn't always get it right.

Matter of fact, let's pull up my Twitter. Did they respond to me on Twitter?
It's this, I'm wondering if they do. See, home, profile. So let's share this. Huntress had tweeted this, and we were laughing about it, because they're like, "Hey, look, it's, you know, I find your lack of EDR," you know, Star Wars Day, blah blah blah. But look at how many fingers Vader has. Like, AI gets a lot of, when, you know, AI generated images are fun, but it does not know how many fingers people have. It seems to give them lots of fingers. Fingers are hard. Oh, man, it's a challenge for sure. I actually was playing around, and it turns out if you want a Vader hacking a computer, you can have that, and it actually seems to do a pretty decent job. I'm actually impressed. I mean, he's got kind of a big helmet here, but that's definitely Darth Vader hacking a computer there. So definitely a good time.

Thank you for adding some enjoyment and entertainment. Hey, I like that. My goal is to find that happy middle of entertainment, education, you know, edutainment if you will.

I do know this, because if you put in, this is one of the other creations I did that I'm really happy with. We started talking about this discussion, if it knows how to make red pandas. So AI is like, "I get red pandas now." I don't think red pandas have that. I don't know how many claws they have, actually. Now I need to look this up to get it right. How many claws red pandas... "Red pandas have a soft, dense wool, have five widely separated toes and semi-retractable claws." Okay. So it got it somewhere. It's just one, two, three, four, so I guess if one's like that, but...

Yeah, I have no preference on video doorbells. I don't have a video doorbell, so I don't have any preferences on them. I'm not big... I don't know, the video doorbell thing's not really high on my list of wants at all.
I know people are really excited about them, and I get it. They make sense if you have people coming to your door all the time. I don't, so maybe it's because people don't come visit me. I'm just like, my answer is just leave it on the porch, and I'm fine with that. And this is, you know, I have a porch camera. So I'm finding a porch camera, and then I can just look at porch camera, and, you know, see like there was a package on the porch or whatever, or I can just look for the events that triggered on my porch. I don't look... a bee or something. Yep, there's someone coming to my porch. So that's my solution, is just knowing when people are coming to my porch.

All right, well, I think I want to wind it down here. "Now that you have a video doorbell everyone knocks." Ah, fun stuff for sure.

All right, well, thank you everyone for joining. This was fun. I'm gonna go back to doing, I have a few more things to finish, so I gotta, if I can, tomorrow's goals: record Graylog video tomorrow. Today, finish a few more business things that I gotta do. My time sometimes gets split between business things I have to work on and, you know, the video thing. The business things take, you know, I still have a business to run, so some of that takes up some time sometimes. There's back end things that have to happen. So thank you for everyone joining, looking forward to more conversations and everything else, and see you next time. And maybe if I feel real inspired, doing a live show over the weekend. I always say I'm gonna do it. It's kind of hit and miss if I do it. You know, enough people comment, I do it. So, all right, thanks everyone.