Check there. We go. Strange, I don't know why it changed. Gotta learn your Ripley Alta. There we go. Is it working? Hey, look at this. That's an odd problem. I don't know what made the sound switch on it. Strange. This is a good way to get comments; I should just start them all on mute. Drives engagement, so everyone's like "you're on mute," and I'm not wearing my "you're on mute" shirt. I'm actually wearing my Phin Security shirt.

I'm going to give a shout-out real quick here and throw a link in here, just so there's a link for people too. I'm working on a video and I don't know exactly how I'm going to cover it, because I've done a video before; this is kind of just an update to something I've covered before. It's a commercial tool, but I will do a few disclosures here in a moment. Let me get the screen pulled up. So, Phin Security. If you're not aware, Phin is a phishing tool, the phishing tool we use. No, this is not an advertisement. Yes, I'm an investor, so I want to make that very clear. I am choosing to talk about a company I invested money in because I think they're a great tool, and we do use them at CNWR. So I'm kind of giving them a shout-out here because they did something I wanted them to do for a long time, and that is you can click a button and get a free trial. It's a simple thing in my head. It's a complicated thing to the developers, the people involved, and the people who think you should talk to people before you sign up for things. I said no, I hate signing up for things where I've got to talk to people. I want to talk to no one to sign up for something, and that was my push in investor meetings. So that is Phin. It is Phin. I should, you know, PHIN.
All right, you get it. Nonetheless, this is the security awareness and training tool that we use. I'm giving them a shout-out, but as I said, full disclosure, I have a bias towards them. So that's all I'm saying about it: they have the free trial option. I was seeing about maybe doing an updated video on Phin talking about it, but I've got a video you can find if you type in Phin that breaks down me and the owner talking about how it works. It's something we use at CNWR, and as I said, it's something I'm an investor in, so yes, I have a bias to like it, but I think they make the best tool out there. That's why I put my money into it and that's why we use them at CNWR. So that's it, that's my shout-out to Phin.

Yeah, you're exactly right, I hate the contact form approach for a demo or price. Don't worry, you don't need to; you can click free trial. You do have to sign up for the trial, but all the data is sent to you. You don't have to talk to a person to do anything. It's pretty simple, and I'll leave it at that. It's a really simple process; they made it easy.

One of the things I like about Phin... I see people saying they like the other ones. One of the things that Phin does better is the integration for automation. That's where it's at. It's very hands-off, and that matters a lot to me.

Am I caught up on Star Trek? Hmm. I mean, is there anything new out? Has anything come out in 2024 yet? If the answer is no, I didn't watch any Star Trek in 2024. I believe all the series that I watch ended in 2023. They have more coming, they just haven't released them yet.

Hi Tom, student-run at Michigan Tech, we're thinking about running Authentik to aid in MFA with our AD, ever use it? I have not used it, so I don't really have any thoughts on it. Have I used or deployed Grafana? Grafana seems to be a favorite of the homelab people.
I can't say it's not used in business; I know some business people that use it. I don't use it because I don't have a use case for it, but if you want pretty graphs, Grafana makes pretty graphs.

Oh, Discovery dropped a new episode today. Okay, I'm looking forward to that. Westworld? Thumbs up on Westworld; I like that series. It was good too. I finished the Fallout series, by the way.

Would you ever consider making a video on how you mounted your Amcrest cameras at your home and ran Ethernet wiring? There's nothing secret about doing it. It's hard. There's not a magic sauce to doing it. There's not much to do from a video standpoint: you mount them or you mount them. It's hard running them in a house. I hate this; we don't even do residential, our wiring guys don't.

Finished Fallout. Yeah, it's cool. Westworld does fall off after that first season. The first season is so good, second season maybe, but yeah, it kind of curves down. It's unfortunate. The first season is the best season of that for sure.

All right, what were we going to talk about? What is the order at which I put things? TrueNAS. There are a lot of people that have questions about TrueNAS. I try not to get aggravated, because I don't really get aggravated; I may come off sounding aggravated to some people. But there are people who just couldn't grasp it; a few comments of people really struggling to grasp the concept of how snapshots work. I did my best in the video. I tried to put as much information in as I could, because from my years of doing TrueNAS videos I know the questions people ask and I try to cover them, but some people are still doing it.
Hopefully... I am very open to suggestions if someone has a better way to explain how things work.

You do residential cams? Make a pretty penny because businesses around here won't touch it. Yep, I'm among those people that just don't want to do it. Well, more the teams around here; it's also residences. It's a tricky market.

Yeah, hope Fallout doesn't fall off.

Yeah, I'll probably do an updated SMB migration video. I don't know what they have. Something, by gracious, you're asking about is... I might do an updated video on Syncthing. It's been a few years; there are enough new features to talk about. More than anything else, Syncthing is definitely one of those tools I've been using forever, so it's one of my go-tos. Let me pull one of these up here and log into one of my TrueNASes. Syncthing is always something... I think there was an update to it. Yeah, it's up to date. Oh, I get more updates. So update all the things. But yeah, Syncthing, love Syncthing. I run it on my TrueNASes. Not all of them have Syncthing; not every one needs it, because I have a lot of TrueNASes. But yeah, it's a solid tool for sure.

Run slower on Linux and Windows? I don't know if I have an answer for that. I've not noticed that much of a speed difference, but I'm also not rebooting machines and seeing which way. I didn't do a benchmark on Windows and a benchmark on Linux to tell you which one's the fastest, so I'm not sure on the speed issue.

You're going to scale in file shares; it'd be nice to have more advanced logging of files touched, something I need, but the file protocols don't even seem to have it. Yes, they do. Matter of fact, we should switch over to here. That's one of the new features in Dragonfish. So if we go here to our shares... is it right?
Audit logs, there we go. So yes, they have SMB audit logging. That is a feature now in the new version of TrueNAS; well, it's in release candidate right now.

Yeah, I'm going to start reviewing some of the firewalls. They finally have come around to being a better firewall, and that means I'm going to review them.

Question: TrueNAS using cache drives, is it worth it? I have an entire video about whether it's worth it. It all depends on your workload. Most workloads probably won't benefit from it, but there are certain workloads that do, so there's not a yes or no answer. It's extremely workload dependent. Like, do you need synchronous writes and absolute data integrity of those synchronous writes? Then you probably need a SLOG drive on there.

Yeah, Syncthing will work. That's one of the tools that Jay from Learn Linux TV likes; he uses Syncthing for his syncing of his retro games.

Oh, so this right here, I will actually talk about that. What you're probably referring to... let's go over here to Discover Apps. Is it on this one? Which server is that going to be on? There's a way to have it do permissions. I don't know if it's a great idea, but it can be done. So there's a way to have it do permissions; it's a matter of if you're doing this between two TrueNAS systems and syncing the file permissions between them. Yeah, but I don't know that it's necessarily the use case I'd have for it. I don't use it at all for that and I wouldn't, because it just kind of becomes a pain.

I have recent videos on this to dive deeper in there, but essentially TrueNAS CORE runs FreeBSD, TrueNAS SCALE runs Debian, and there's going to be a lot more development on there.

Random question: ZFS deduplication on encrypted files, does it work?
Ah, I believe so, but usually deduplication, other than niche uses, is not a great idea because there's a huge performance hit. Now, they do have some updated code coming to ZFS that's going to fix the performance to make it better, but better is relative; there's a lot of overhead in running deduplication. And are the files you're putting on there the same? Because it's all done at the block level, and it only works within a dataset, even if the files are stored encrypted on that dataset. Now, if you send two encrypted files that are encrypted outside of TrueNAS, no, it's not going to do anything at all. So yeah, that's... it is tricky.

I know about the SMB audit logging; the issue is that it does not give enough information regarding new files written to a share, but it does give the file size. iXsystems says SMB can't do it. Well, if SMB can't do it, then it can't be done. I don't have an easy solution for that; if it's not a feature of Samba then it's probably not going to work.

Video topic: Hyper-V architecture, Microsoft's virtualization manager tech. Could look at how enabling role changes in Windows could help clear misconceptions. My view on Hyper-V is that it sucks, so I have no intentions of doing a video on it. Matter of fact, you know, Microsoft reared its ugly head and showed exactly why Hyper-V sucks twice this year. First was the Hyper-V problem that came in February with one of the updates that broke Hyper-V. Second was the update that caused a memory leak in domain controllers, which also led to people's Hyper-V crashing. Those are two reasons not to use Hyper-V. It's built on Windows. The other reason is it's built on Windows. And Microsoft has decided all of you are beta testers, because what are you going to do, not use Windows? That's kind of Microsoft's attitude right now. They don't care about testing. Well, they care about testing.
They care that you do the testing, not them.

Thinking about using three MS-01s as a Proxmox cluster? Go ahead. I mean, Proxmox has that built in. It's a pretty neat feature to have Ceph and all that built in to build a cluster. Go for it.

All the new features coming out from Proxmox and TrueNAS mean more choices for network layout and storage.

My TrueNAS boot disk died and I hadn't backed up the settings. Luckily the data wasn't encrypted, but I still ran into trouble importing the pool. Even posting in the forums, and they helped you there. Good, glad they were able to get it back for you. Thankfully I managed to get it working with Dragonfish; now I'm wondering if there's a way to get it back to the stable version. Dragonfish is pretty stable, and the stable version of Dragonfish comes out in like seven days, so I would just do that.

What email solution do you build for customers? We use Office 365 and Google for our clients; it depends on the client. Probably the majority of the clients have Office 365, but there are still some on Google.

Yep, we have lots of companies that are moving away from VMware as well, to XCP-ng. I mean, we've got companies that have moved like a thousand VMs, just like you. We just put a bid together for a company moving about 600 virtual machines over.

Yeah, the thing is, are jumbo frames relevant on Ceph? Probably. Now I should do an updated video on that, because once you go to 10 gig and plus networking, jumbo frames, there's a lot to it. They did a good discussion on this in, what was it?
The 2.5 Admins podcast, I think two episodes ago. They had a good discussion on this as a topic, and the problem is, in the olden days... and there's lots of advice still based on it, because there's a forum post from 2008 that still says absolutely jumbo frames change your life, it'll bring joy to you and amazing amounts of speed gains. Well, that's great if you're still running 2008 hardware. It brings less joy and more potential headache. Doesn't mean there's not some tuning that can be done that helps with jumbo frames, but it's not going to be the night and day you think it is. When it comes to the older systems, it was easier when you chunked things out into, you know, 9000 MTU, and you're like, great, I can stick all this data in there and I'm not processing as much in the transactional data. But the smaller slicing up means there's a lot of small processing that the chips have to do, that they were less capable of doing years ago but more capable of doing now. So it becomes kind of a lesser return.

I use Proxmox extensively at my company, and you pretty much rely on community help to do it. Yeah, that's the thing. I mean, XCP-ng has a whole reseller program and a partner program and a support SLA agreement, so it makes them a little bit different.

Let's see here. I don't have any preference for Cisco devices; use whatever Cisco device you want.

Yeah, 2.5 Admins, like I said, about two episodes ago they talked about the jumbo frames.

I inherited crap APC UPSes that seem to be original install; managing them? Yeah. Eaton, I've liked some of the Eaton stuff. It all depends. I mean, none of them are perfect.

Yeah, updates, a new pfSense. Let's swing to the pfSense. I think I've answered a handful of TrueNAS questions here. Feel free to pop more, and I have my TrueNAS pulled up. Actually, did it update? Let's log in and watch, see if the update's finished. Hey, update's finished.
So cool. We purchase from Netgate; that's how we do our systems. Right now I have this Netgate system here. I am running the release candidate on it. This is our lab system. But I love what they're doing here, and when you do this update... this is one of the features I really want to talk about, how they do this. The new update system uses a watchdog timer. And essentially, when it's doing the updates... well, by the way, it's also got configuration history in here. You can clone the boot environments and set different ones, activate a one-time boot. But specifically the update mechanism: this is where the boot environments are really awesome for people who are specifically in the IT MSP space. One of those big changes is the fact that when it does the update, it updates into a new version of the boot environment but leaves your old one intact. Then when it reboots, if that boot environment doesn't come up within X number of seconds, it reboots back to the previous boot environment. So if you're doing remote updates, all you have to do is wait a few minutes and the system will come back online if the update fails, and that is awesome. That is a feature that's going to make remote updates so much easier for people in the IT MSP space that use them, like us. So when you have remote firewalls, that's always the scary part: it's not managing them remotely, it's "oh boy, there's an update." So the new boot environment stuff is really cool.

DHCP server? I'm still using the ISC one.
I know you can switch it, but I don't think it's feature complete yet.

Let's go over, though, some of the new things that are in here. Default password control: this is an expected change, just policies and rules around passwords in terms of what you can have as a default. This right here is what I was talking about: the enhanced process using ZFS snapshots for the updates. Yes, that's cool. Packet data flow export: this is interesting. I'm going to have to play around with this and see how that works. So let's see if we click on "learn more," is it in the documentation? Yeah, so it's basically using NetFlow, NetFlow v5, to send the data out, so you can send the data to where you want it. That's pretty cool. Another change: enhanced gateway recovery process, with the option to reset connections made through a backup gateway when the primary gateway was offline. This feature pays a lot of attention to failing back to a primary gateway after downtime. This can be especially useful for metered links. That's cool. This is going to be an interesting feature, because a lot of times people have a cell network as a backup, so being able to push it back... Mobile group pools, that sounds interesting. Oh, this update: optimization for CPUs supporting AVX-512 and AVX2, so smoother operations. That's good. IVC kernel modules, very cool there. And what are the other smaller issues that are in here? Those are some big changes, though. I mean, look-wise it's pretty much the same.

Are you aware of any support for NFSv4-style ACLs in TrueNAS being added? The ACL is probably my number one reason we're staying on TrueNAS CORE for now. Nope, I don't know. That's a question to ask in the TrueNAS forums, because I don't think there's an option for that. I could be wrong. What do I do? I have an NFS share set up.
I think so. Yeah, I don't think it has... I'm not sure, so that's a question for them.

Looking to replace my switch with a low power, low noise, one gig switch, fanless? I don't... I mean, I like the UniFi stuff; MikroTik is usually pretty cheap. But I don't really know what all the features you're looking for are.

The boot environment thing is not a feature of the community edition.

Yeah, so OPNsense has finally caught up with some of the security features that pfSense has had for a while. So yeah, I assume it does base itself on the watchdog timers.

Nothing's immutable in tech. I don't like that term without context around it.

Best way to start with pfSense: a cheap Netgate 1100 versus buying a cheap Chinese box or building your own? Kind of afraid the 1100 will be a little anemic. Yeah, I'm not going to lie. Finding some really cheap box like this, like this Qotom one, you know, there we go, I mean these are cheap. It's going to be cheaper than this, as a used system. So yes.

How do you handle firmware updates of hypervisors? Automation for XCP-ng? Possibly Nutanix migrates VMs, checks are successful before doing other hosts in a cluster. Is automation possible? Yes, automation is fully possible. You could do automated migrations and rolling pool updates.

I've got an old Sophos UTM 220, dual core, two gigs; is it worth loading pfSense on it instead of virtualizing it? I mean, those will probably work.

Boot environments are nice, I'll agree with that.

Why are they optimizing for x64 v4 platforms? I don't know, that's a question for them.

How do you typically secure NFS? Do you just use that storage-only network and secure it via firewall rules and access to that VLAN? You put storage on a dedicated network for NFS and you can do IP filtering. So inside of your TrueNAS config you can go to the shares for NFS, go down here to the advanced options. This is my lab.
So there are no security settings on here, but that's generally how you do it.

I don't think OPNsense has ZFS boot environments. Let me look, maybe I'm wrong. Is it natively built in, is what I'm trying to figure out. So, looking into forums here. You know, that's the one thing OPNsense still sucks at: documentation. So people talk about it, but there's not much documentation on it. That is certainly a feature missing from OPNsense. Like, if you type in "pfSense boot environments," the first result is their documentation page on it. The third or fourth result still isn't the documentation page for OPNsense. Do they have a documentation page on it? I guess I should ask.

Yeah, only optical and nandrum are truly... yeah.

Yeah, I actually started looking at this as well. They updated a firewall video for 2024 here. The Qotom Chinese mini PCs are great for pfSense. They are not perfect, so there's a reason this one's labeled like it is. Please note that it's labeled igb0, 1, and 2 now. One would think that this one right here would be igb0, and you would be right that it used to be igb0. Then it died. This network port just quit; it was working, and then it decided it's not working, and then all the networks got goofed up because they all shifted over one. So yes, this is now igb0 for some reason, and this one is non-existent; it does not show up in the hardware list. Random, because it works otherwise. That's why it's sitting here. It's kind of a weird problem.

When's that Wi-Fi video coming? Coming soon.

Okay, so it does it from the command line on OPNsense; I'm assuming that's what you're referring to. I mean, they post on April 1st, like many other companies, about things, so I don't know that that's actually happening.

What's your strategy for backups? Yeah, S3 MinIO works good. I have three locations.
So I don't actually have to back up to the cloud. I can switch things between my three locations, and we have a colo, which... well, the company has data on the colo; I don't personally.

I am definitely excited for MSPGeekCon.

Did you ever apply a WAF or some module inside of nginx on pfSense? There's not exactly... there's not a web application firewall, but there is HAProxy inside of pfSense.

Yep, I did cover some of the pfSense updates.

I'm not going to waste my time with OPNsense and Zenarmor in there.

Ebb and flow of companies: they lay people off. People make a bigger deal about it than it is. You've got to measure what percentage that is, and investors want to see movement sometimes, like whoever's holding the money going "we should get rid of three percent, one percent," whatever that number is. And yeah, welcome to the corporate world, where you're a number until the number's got to go this way a little bit, so some of the people go away with it.

InfiniBand for home lab? I think 10G is fine, but yeah.

Do you find the lack of pfSense features compared to other appliances...? You know the feature I really think pfSense is lacking? I mean, Fortinet has so many flaws and so many zero-days in it; I feel that's a lacking feature in an enterprise firewall, and Palo Alto joined them in their crusade for this. Let me point this out. This is the feature that people ask about that I hate, and we're to the point where... let me... no, that's not working. There we go, share this tab instead. SSL vulnerability: all these companies that have them, Fortinet, Ivanti, Cisco, Palo Alto, now are added to this list. And they're back. This is just indefensible. You know, I shared this on Twitter and LinkedIn and in some other places. I feel that these old SSL VPNs are not a feature; they're a bug, or bug-ridden. So I don't know.
I don't feel that lacking with pfSense compared to the other ones. The reality is you watch all these different threats that hit these companies and you're like, "but Tom, won't [insert name of some magical threat tool] that goes, you know, inside the firewall, will that save us?" No, it won't. Matter of fact, those are always latent tools; they rely on enough information being out there to hopefully see some IP addresses and block them, and it just doesn't seem to hold up very well. By the way, you can use pfBlocker and throw a threat feed in there, along with a paid subscription to ET Open, or what is the other, the Emerging Threats ET rules for Suricata, or the Snort subscription rules, and, you know, they're as good as any other firewall at that point. I don't do filtering on a firewall; I think it's a terrible idea.

We use OIT VoIP.

The problem with pfBlocker is it doesn't have fine-grained control. So we use it for certain features, like sinkholing countries that you're not in. Those are good if you have ports open. If you're not even opening ports, why bother setting it up?

I have no idea if you can install QEMU in pfSense; never tried.

But on my to-do list, they've asked me to do a video on it a couple times. It's just low on my priority list. It's not that interesting to me. I think they do an amazing product for protecting a website. More and more we're opening less and less ports besides VPN. So modifying it is not something I would ever do in production, because I only like production-supported things on pfSense. I don't like random things; not that I think that there's some random company, I just don't have a lot of client use case for it. It's not like we have that many pfSenses that are out there sitting in front of web servers. It's just not a common... it's a common home lab use case; it's an uncommon use case for any of our business clients.

Well, if you're running HAProxy and you have a need to filter it, you have to run it on WAN. There's not really another option. So I don't recommend it on WAN, and the problem is if you have HAProxy, the only way to do it is on WAN, which means you're just going to get a bunch of noise; you're going to block a lot of things. It's whatever you put in the feed list. But I don't even use it for that, because I use uBlock in the browser, because it works better.

What is Tailscale, in detail? Tailscale is an overlay VPN network. ZeroTier was probably the first one I spent time reviewing, the second one being Tailscale. The two of them are really good, but Tailscale has done a great job. Shockingly, as a private company; we kind of joked, like, how have they not become evil yet? They keep growing, and matter of fact, when they announced they were doing changes, you're like, ah, here comes Tailscale, they're going to change the fees that they charge users. They actually gave people more things for free. So Tailscale has actually been an interesting project. I also like NetBird, but Tailscale, having, as they may refer to it in the business world, first mover's advantage of building out a large-scale overlay VPN system, has a lot of products that they're integrated in. I kind of want to do a video on NetBird; I've just been busy. NetBird is a pretty cool one. But I did a video where I break down several overlay VPNs; if you type in "overlay VPN" in my channel, you'll find my reviews of them.

Do I think they'll migrate pfSense? I don't know. It comes down to: it takes a monumental amount of effort in terms of what you have to pay the coders. It's a cost-benefit thing. If they move away from BSD and they move it over to Linux, cool. We all like Linux over here, and we realize the BSD ecosystem is kind of shrinking. The question is, will Netgate spend the money on the developers doing it?
By the way, an interesting side effect of this: the pfSense and OPNsense arguments go away, because Netgate currently is about 15 or 16 percent of the contributions that go into BSD. If they stop contributing to BSD, because pfSense is an upstream pusher of those commits and OPNsense is a downstream receiver of those, you'll actually see OPNsense probably fall off greatly if pfSense were to move. But will they move? I don't know. It comes down to: they have to do a cost-benefit analysis; they have to decide, do we spend the money to do it?

I'm not going to... I don't really have an interest in Zenarmor. The other problem is things like Zenarmor are going to keep getting less and less effective, because more and more sites are using more and more encryption. Matter of fact, is it called... is it Encrypted Hello, or is that the one that got replaced? The latest one they're working towards... but as they encrypt the SNI, essentially whatever mechanism ends up winning to do that, that is what destroys any of these tools like Zenarmor. Their effectiveness goes down even further. Right now, Zenarmor and any of the tools that do web filtering are able to do so because they're able to look at the SNI headers, but as that gets encrypted... I'm just looking at the long term. It'll work for now, but as the web changes and as more things get encrypted, they break.

My default browser is Chrome for work and Firefox for personal, but I don't do much personal web surfing.

Awesome Open Source, and so does Christian Lempa; both of them have videos on NetBird.

What do you think about Defined Networking? They use Nebula. It's a great service; I think theirs is pretty cool.

Do you have a cert you recommend? You know, watch my other video on certs. Me and Jay talked about it, but I don't have any certs, so I can't really say.

When you say open ports, does that include VPN inbound ports? Is that where you use pfBlocker?
Yeah, but I don't worry as much about VPN inbound ports, because they require certificates if you're using WireGuard or OpenVPN. OpenVPN, being the more popular one we use for users, requires a certificate to start talking. It's not my worry, so to speak. OpenVPN is a well-vetted protocol. There hasn't been a flaw that's gotten people past the need for a cert in a long time, and that's one of the reasons I like OpenVPN. I mean, hey, if you're using pfBlocker to geo-block so there are fewer people banging on that particular port, cool, you can reduce it. But it's not what keeps me up at night.

I think the benefit, and probably the main benefit for home labbers, is the main category for filtering. Yeah, right now it works, because not everything's encrypted, but as it gets encrypted, yeah. TLS Encrypted Client Hello, ECH; that's what it was called. I remember it was ECH; I couldn't remember what the ECH stood for, but yes.

Is it impossible? It's not exactly; they have a write-up on kind of a way to do it, but no, not really. One IP doesn't work very well.

My answer for Squid is don't use Squid. Squid is a security nightmare. Basically last year, and I shared this out and it caused some controversy, but basically even Netgate is like, yeah, don't use Squid, because a security researcher poked at Squid and found a bunch of flaws. The team at Squid replied, yep, those flaws exist; if someone wants to fix them, go ahead. This is one of those challenges right now in the open source world: everyone wants their free tool, but if there aren't enough people to maintain it, the free tool kind of falls apart, and Squid is in that life cycle where they have too few people. It's used all over the place, but too few people contributing to it. So it's become kind of a mess, and yeah, I would avoid Squid.

Nope, I don't use Nextcloud in production.
I just don't have a need for it.

What would you recommend to stop or minimize man-in-the-middle attacks? Certificates, encryption. I guess it depends what type of man-in-the-middle attack you're trying to mitigate.

Oh, you had a trial for Coursera; you were able to get three certs before the time lapsed. Cool.

Yeah, they had a switch that never made it out of EA. I think they have some new ones coming, but they did have their "leaf switch," is what they called it, which was supposed to have a lot of them. Their aggregation switches, "aggravation switches," as it's named in my system, those do support SFP28, but there are only four ports on those.

It's a hundred. Oh, a home lab license for TNSR? I don't know. I haven't used TNSR, "Tensor" as they pronounce it.

Are you guys doing any access control, or are you waiting to get into it? No, not our niche. We're not a big access control company. We've installed a bunch of the UniFi controllers and stuff like that, but access control is not our niche. We don't do that much cabling and wiring either. We do some, but it's not our primary business.

What rules do you apply for the home LAN? I have a video for pfSense small business. I should probably make a new one just called pfSense for the home. But, you know, I have an IoT network, and I call that NSFW, the not-safe-for-work network, and I have a work network where work things can happen. So my Chromecast and random people's phones and friends that come over all go on the IoT network, and then the other network is my network. Oh, and I have one more network; that's just for my cameras.

Do you know how well Tailscale works with IPv6? Nope. I turn IPv6 off.

I don't know; English is hard. Is it a niche or a niche? I think it's a niche.

Kind of like the UniFi USW Ultra switch being pricey.
Yeah, you know, let's see ui.com switching. They have their Pro Max switches, which have lots of lights, and which ones have the... yeah, you've got to go to their... these ones. These are the ones that do have 4 10 gig. Where's the ones... there we go. Yeah, Aggregation. So they have a few. They have the SFP28s, four SFP28s on that model. Tomato, tomahto, yes.

I have VLANs for IoT, servers, guests and home users. While I'm okay with the first three, I'm not sure what to apply for the home VLAN. IoT, servers, guests and home users... I mean, I don't necessarily understand the question.

You run a pretty big MSP; do you find the lack of a single pane of glass for administering your pfSense deployment a problem? I've got three I'm looking out for, and what are you doing in it every day? The updates come out, like, there's three updates a year. What are you going into pfSense every day for? I guess that's maybe the part I'm missing.

I prefer never to run a captive portal. Captive portals are just a headache. I avoid them at all costs.

Are you using any web-based photo management system? I don't have the patience for them either. I use Synology, so I have a private backup of my photos. I know Synology's not open source; I wish it was, but Synology's at least stable. I just haven't seen any good open source photo management. And if you asked my friend Jay from Learn Linux TV, his answer is really simple. He's like, I just organize everything in folders. You know, when he goes on vacation or takes some photos that he cares about, he takes them off his phone and he puts them in the folder he wants, and he just has structured folders. That's it. There's no management software that he's using for it.

How far does CNWR offer regular on-site support? I would say probably within 60 plus... I don't know, maybe 30 miles of our Detroit office and 30 or 40 miles of our Toledo office.
I'd have to draw it around. I think, and maybe Travis will chime in, but yeah, there's not exactly... I don't think we have an exact number. We have some clients, though, that have remote offices that we service from time to time that I know are further, but mostly, let's just throw a number out there of what we're targeting for: within probably 30 or 40 miles of either our Detroit office or our Toledo office.

Can you do a video or vlog on vGPU passthrough with an NVIDIA? I don't have one of those, and I'm not likely to do it.

I'll dig in to see what they're doing. They do have that feature they added, so if you go here, and I'm assuming what they have under Router Advertisements... I imagine this is for... you know what, I bet they're just integrating FRR. They have a page on it. Not exactly. Oh, is this all IPv6? Oh, this is all IPv6 stuff. Okay, so that's all for IPv6.

Yeah, I see it like Travis says here. Travis is project manager at CNWR. So anything higher than a two-hour drive is going to incur heavy travel expenses to the client; 90 percent of our support can be done remotely. That's true too. 99... I'd say probably 99.9 percent of our support is done remotely. We have a lot of out-of-state clients too.

I don't think, outside of learning, most people have a real use case for layer 3 routing options inside their switch. For learning, yes. For most home users, I don't know that they... I mean, it's not that you can't come up with your own use case for it, but they usually don't have environments that really need that.

What is something that everyone should be using? Soap. Everyone should use soap, like to bathe.

I'm assuming you're using shirnan's replication to your other sites. Are you doing the snapshot method or different snapshots?
I send snapshots to the other sites.

With snapshots I get confused; the way Timeshift works, where people say it takes a snapshot of your drive, so I thought TrueNAS was the same. I'm not used to... I think you're referring to the Linux backup utility called Timeshift, and I haven't used it.

If you had to choose one zero trust platform or service, what would you pick? I have no idea there. Yeah, I don't really have an answer for that one.

Soap. Yeah, the old SOAP calls, the SOAP APIs are terrible to work with. Yes. Sponsored by soap.

Yeah, and just like they said, if you're wanting to learn how to do it, I think having a layer 3 switch in your home lab is great. So, you know, running VLANs on your Cisco and building routes in between and everything else, great learning opportunities. So there's definitely opportunities there to learn all that stuff. But route advertisement through IPv6, fun stuff that's built in now.

Do I have a Tailscale set up in here? Yeah, looks like it. Tailscale's in here; everything else looks pretty much the same. Actually, what I should look at is if they added any more packages to this. Oh, what's this? Peanut butter? I love peanut butter. Thank you, thank you. iperf... Available packages, not what I installed: bandwidthd, bind, cron. I don't see anything new in here. You know, it's funny, they still have some of the Squid stuff in here, and ntopng. No, they still have Squid in here. They tell people not to use it, but it's still in here. Actually, it'd break everything if they pulled it; there's so many people using it.

You know, I didn't look: where do they have... Status, System Logs. I haven't played with the IP flow stuff at all. Where do they put that? It's in here, "learn more." Where is the option for the IPFIX flow? Well, that didn't take me where I wanted to go. I'm probably looking... where is that at? Well, somewhere in here; I'll find that later. It's under Firewall.
There we go. The brain trust of people in here, they're realizing that packet flow data is right there. I should have looked at the most obvious. Save, apply, and we can add description, source, destination... Meh. You know, I'm pretty sure you can... let's look this up. I've got too many tabs open. But I think you can do this in Graylog. Yep, it looks like you can. Graylog supports NetFlow. So this is actually... this will be a fun video. So, you know, when I get the new version set up, I'll build a Graylog NetFlow importer.

Can you delete DHCP leases? DHCP leases is mainly so an IP goes free, and under Device, static IP... I always set reservations for everything, so I don't have to worry about that. That's my recommended way for doing it: reserve everything that you care about having land where you want it to land. But DHCP leases in the address pool get recycled over time anyways.

Do you know where I can get a cheap static IP, because my ISP is a dynamic one? Yeah, hosting companies, that's probably going to be your best bet for that: go to the hosting companies, and they have options for that. DigitalOcean, Vultr... provide static IPs; you can use WireGuard back or something, depends on bandwidth. Yep.

Yeah, I might do an updated video on that, because I believe there's a really easy way to do this with Tailscale where you can set Tailscale up on your public IP, then tie your pfSense to it and build it as an exit node. There's plenty of ways to do this, but this way requires some of the fewest number of steps. That's what a lot of home users are looking for: how can I do this in the minimal amount of steps in the easiest tutorial? Can the tutorial be this many minutes, fewer and fewer minutes, so I can get to the goal of having this as my public IP address? Yeah, and this is a great idea right here.
I always leave plenty of room at the top and bottom of my DHCP range for anything I like to set as static. I actually move everything to the end. I like all the DHCP stuff to be the high numbers, and then it's less digits to type in. The bottom half is reserved, depending on the network, for my statically set addresses.

I think we only have like one or two companies left using it. They have all just kind of not renewed and disappeared in terms of their demand for it. We moved some of them to pfSense. I can't remember what other people got; I think pfSense most of the time.

Oh, by the way, OPNsense 24.1.6 was released. If using Zenarmor, not a recommended upgrade yet; it'll break it. Yeah, that's fun.

Yeah, I love that Alex is doing the tutorials. It's cool. Alex, I think he was over at Red Hat when I first met him. He was actually on a few of the first episodes, within the first 10 episodes we did of The Homelab Show. He's a mutual friend of me and Jay's, but Alex is great. Yeah, it's really cool to see him over there at Tailscale.

Yeah, this is something to always consider: you have bandwidth limitations.
So if you decide to do something such as, you know, moving over to one of the cloud companies for that, you will have to pay the fees that get attached to that, and that may not be reasonable to you.

I have 150 plus IoT devices at home, and every access point can only support so many, so I have three of them shared amongst them. Is there a better way to do it rather than multiple? No, multiples is the answer. You know, when you're doing Wi-Fi planning and things like that, there come capacity limitations of what you can do with a single AP. You can get higher density APs to support more devices, but yeah.

Is there a reason why The Homelab Show starts from episode 27 on any other platform than YouTube? Yeah, that is some weird bug of when you have too many that no one's been able to really tell me why, but it's some publishing problem with WordPress. I don't know. The solution really is for us to move it to some other platform. I just don't like Spotify or all those other services that much. I'm trying to make it easy for people to download. I don't know; it's not something I've put enough time into to solve, I guess.

Yeah, I actually host my forums right now and my Lawrence Systems website; both of those are on Linode. So I'm happy with the amount of bandwidth I have for that.

Let's Encrypt. Let's Encrypt is what I use for everything. I never understood these companies; I think they're just fleecing you for some money when they try to sell you these SSL certs. Like, seriously, use Let's Encrypt. It works amazingly well. It's, you know, managed by the Linux Foundation. I can't find a reason not to use it.

Can you use it as a TFTP server? I don't know; I've never tried. If there's some way to make that work... yeah, that's not something I've tried much of.

For your home lab, you don't want to create... I create my one certificate, not dependent...
I mean, you can build your own. You can Google this; this is not something I'm going to do a video on, but yes, people can build their own certificate authorities and tie it all together and then install those certificates or trust them within all of your devices. That is something that can be done.

Does charging for OV and EV make sense? Not on websites anymore. No one knows when they go to a website. Outside of maybe people in this audience, pretty much no one bothers to look: "before I put my credit card in, did they get an EV cert or an OV cert? I need to know before I put my credit card in." Now, software signing is separate, but I'm specifically talking about website certificates. No one, I think, checks at all. No one's like, "oh no." Drop-in stuff.

There are some situations where you can't use Let's Encrypt, such as... well, I mean, if you're trying to sign software, yeah, that's not what it would be for. But I'm not sure what web application you have that wouldn't use it. From a web application standpoint, I don't see any problem with Let's Encrypt. But that's from a web application standpoint; you know, if you have use cases outside of that, well, then that's a whole different topic.

Yeah, and this is exactly it. It's been, I think, a few years now since the browsers stopped displaying the EV info they used to have. Do you remember when Chrome had a little "Secure" thing up there, and Firefox did something similar? Yeah.

Soon? No, I wouldn't say soon is an option for when that'll happen. ZFS expansion will come, but yeah, I wouldn't say soon on that. I think there is a future by which this will exist; that future is not today.

pfSense Plus, HAProxy, plus Let's Encrypt is a glorious thing, and I 100% agree with you.

SSL certs for banking.
I'm gonna go, once again: outside of the people inside of this live stream, the average consumer does not go, "hold on, let me make sure my bank has an extended, you know, EV cert" before they actually log in. I'm just throwing it out there. I don't think that happens.

Well, NAC captive portal is a little bit different, but actually, I would say captive portal... I don't see many reasons why it wouldn't work with Let's Encrypt. I don't know about network access control systems; that might be a little different. But I mean, Let's Encrypt is a pretty widely accepted certificate authority.

Yeah, I'm sure the banks have that anyways. I am not telling the banks not to use it; I'm just saying that I'm willing to bet there's a lot of banks not using it, and I'm going to bet no one checks if they are or aren't.

Is hosting your own mail server viable today? Any use case that makes sense for homelab email? It's a fun learning opportunity. I used to run my own mail servers for years and years and years, but I finally, I think, shut them down in 2016 or 17. That's the last time I ran them. Let's look; do I still have a backup of my mail server? I'll see if that still exists; I'm curious. Nope, I moved it off; I archived it. I thought maybe I still had a copy, but I had the copy running... Maybe it's 2017 or 2018 when I got rid of it. But yeah, I wouldn't. It is a security risk if you're not keeping up with it, but it's a good learning opportunity to understand how mail works.

Make a video trying to restore a backup with modern XCP-ng? I've got videos on that topic.

This is the real challenge, for sure. Personal mail servers: you cannot send from a Comcast, Wide Open West... most of your consumer IP blocks are blocked. Matter of fact, it was a rant. I've been a long-time listener to the 2.5 Admins podcast for a while. Microsoft blocked Linode.
So if you chose to put Linode as your mail server, Microsoft, for I think almost three or four months, just blocked Linode, the entirety of Linode. You couldn't run a mail server on it and send an email to someone who was using Microsoft. So yeah, they're just such a headache. You know, everyone's trying to solve the spam problem. The ones solving the spam problem rely on blocking IP addresses, but then the spam is coming from people who are using @outlook.com, @live.com, @yahoo.com, @gmail.com. Those are the places where I get spam from. They're not solving the spam problem. Well, those almost universally on my Google G Suite account end up in the spam bucket, but that's where they're always coming from.

Yeah, and Gmail blocking Microsoft the other week, and then Microsoft announced that they're going to limit how much email can be sent, because they realized they were a spam problem. So even though we've consolidated it to just a couple providers, we didn't solve the spam problem at all. Now, the nice thing is it is becoming more globally enforced, but back to the point: the spam's not coming from a random domain that hasn't gone through validation. It's the stupid emails I get that are "Tom, would you like to buy a list of people," from @outlook.com all the time, or @gmail.com.

Yes, I still use Mailgun for my Discourse server.

Oh, so they were blocking Hetzner as well. SMTP2GO, yep. That's the thing: you have to find a relay service to take your email and then relay it back out. Yeah, the mail server thing is not something I'd recommend.

You know, this question comes up a lot: do you set up WPA Enterprise or FreeRADIUS for your home network, or is that total overkill? I think you're gonna aggravate your... if you're on the network by yourself, you're fine. If you have to share the network with friends or family who also want the network...
It's more of a headache. And here's the reality of it, and this is where people get caught up on the wrong thing. They'll spend a lot of time, and it's a great learning opportunity, so if the goal is learning, awesome, run with it. If I let you on my network, what would you do? That's kind of the bigger problem: being on my network doesn't really get you anywhere. Now, first, because I shared that screen earlier, and this is true, I do have a lab NFS share that I set up for temporary demos for doing YouTube videos. Yes, if you were on my network, you somehow got onto my Wi-Fi, you've breached the perimeter, now you're on the inside of the network, and, like they say in all the hacker movies, where are you gonna go? What are you gonna do? Well, the first thing you're gonna find is an NFS share. Then that's also the last thing you're gonna find, which, by the way, is on a demo system that'll be shut down at some point. So that's as I'm talking about it as of today.

When you got into a production network that we have at work, for example, you also would find yourself not getting very far. We have very restrictive lists inside of the network for people who are on the list. We filter by IP, and the only thing that filter's doing is just one more layer to get you to another login screen that has 2FA. So the fact that the systems we run internally also have 2FA, and there's no assumption that because you're inside the perimeter you have any more permissive access than a random stranger, that is kind of a better mindset. And as long as you're locking down every step of the way, much better. So someone getting on my Wi-Fi doesn't exactly scare me. It's not what keeps me up at night, because you'd have to then figure out how to get into... I mean, even my internal Synologys I've gone through the trouble of setting 2FA up on, even though they're not exposed to the internet; they're not exposed to the outside world. So you would find my Synology and you go...
Well, I need his username, his password, and then I need his phone to get the rolling digits. I've got the bar set that high. And as long as you're always thinking that... you know, the term I've heard used a lot is to kind of work under the "assume breach" model, where you lock everything down: just because someone's inside your network doesn't give them any more permissive access. So yes, it's overkill, but hey, do it if it's a learning opportunity.

See, TrueNAS CORE upgrade; TrueNAS SCALE looks slicker. Is it viable? I think TrueNAS SCALE is actually really reliable. I have no problems with it at all. I've been using it in several production systems.

Oh, what about the honeypot feature? I mean, it's novel if you want notices if someone's in the honeypot. Honeypots are a fun thing to have on your network, because then you know if someone's on your network. The way I know is, and I've done a video on this, I like arpwatch. If something new shows up on my network, I get a notice. That's my notice: hey, something new is on the network. Well, why would there be something new on the network? Nothing new should be on my network. I love arpwatch. That is great. But honeypots are good too, because it's the same answer: why did someone try to log into this thing that no one should log into? Honeypots are a great way to trigger that.

There's no official 2FA in pfSense as far as the login. I don't worry about that much. It's one of those things, too, that 2FA is nice.
Don't get me wrong, but my pfSense passwords... it's not exposed to the internet, and they're really high entropy, so someone would have to have acquired that, and that's not something easy to acquire, that pfSense password. Granted, yeah, you could do that, but you could technically, and if you're trying to pass a compliance audit, IP-restrict the web interface on pfSense to a certain IP address, and that is a second factor of authentication, even though it's a static one.

LINSTOR, and LINBIT specifically, does have some videos comparing them to Ceph. They're different solutions. They're both good solutions, but they're different. So I recommend, if you... it's a blog post they have that's from late last year or earlier this year about comparing LINBIT and Ceph.

Have I tried the update protection? I haven't tested it, but I know it has it for pfSense 24.03.

I believe arpwatch... I know it's in pfSense; looks like there's a Linux version as well. I'm using arpwatch inside of pfSense.

I switched my NAS from TrueNAS SCALE to... from TrueNAS SCALE to TrueNAS... is really low, what gives? It only... I've got a video on caching, which will be irrelevant in version 24, but the Linux version of SCALE by default only uses 50 percent in up to version 23. Once you go to version 24, it will take advantage of all the cache inside of TrueNAS.

No, we're certainly not doing 404 today. I'm going to run out of steam soon. I'm going to go a few more minutes, because I need to go get some exercise, and it's beautiful outside.

No, it's not an end of life. This is where there's a lot of confusion.
Maybe I'll bring Kris Moore on the channel so he can talk about this. Kris Moore's head of development over there at iXsystems for the TrueNAS project. And it's not an end of life, but they are saying we're not cramming new features into it. We're going to bring it up to version 13.3, and we're going to keep it stable and patched; we're just not adding a lot of features.

So FreeNAS finally went end of life? There we go. Well, they were on life support; those are old.

Permissions should carry over from TrueNAS to TrueNAS, because the permissions are all set within the ZFS system. I've not really had a permissions problem when I go from version to version. That's not where my troubles are, if there's troubles.

What kind of... I love virtualization technology. It's my kind of go-to answer when people ask what I think about the future of tech. But that's where I'm going to leave us. I will be back again soon. I have some fun stuff to go do right now, as I realized it's almost 4:30, and 4:30 was the time I wanted to cut things off. Yeah, virtualization is just magical, isn't it?

TrueNAS CORE is already feature complete; it doesn't need new features. TrueNAS SCALE is turning into a lot of features. Yes, you're correct. So yeah, I still have a couple CORE systems; we have clients using it. We're not switching them anytime soon. It's one of those "ain't broke, don't fix it." We're keeping it patched, keeping it up to date. iXsystems is still putting updates out for TrueNAS CORE, so it doesn't have to be replaced today. So yeah, but that's where I'm gonna leave it.
Thank you. And by the way, I forgot to throw this up earlier, but I always mention to people: I still reply to people who send emails to vlogthursday@lawrencesystems.com. I've realized vlogthursday@lawrencesystems.com is hard to spell. I have a catch-all address that goes to the spam box, and sometimes I go through there and look for the varied ways people spell "vlog Thursday." It's been some amusement to me. Anyways, I don't always go in that box; a lot of those just go to nowhere.

I have a WAN failover video and I have an SD-WAN video that explain it. Actually, my SD-WAN video might help you understand better how that works. The short answer: no, you can't just aggregate speed together, probably not the way you're thinking. There's a way to make it work, but not necessarily the way you think it works.

But thank you, everyone, for joining. Email me, ping me, forums.lawrencesystems.com, LinkedIn. Check out PHIN, like I said earlier, and their new sign-up thing, if you're looking for a security phishing thing; that's whose shirt I'm wearing today, if anyone cares. And that's about it. All right, thanks everyone.
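The arpwatch point made earlier in the stream (a notice whenever something new shows up on the network, and nothing new should ever show up), as an added example that is not part of the stream and is not arpwatch's or pfSense's own code. It parses `arp -an` and `ip neigh` style neighbour-table output, diffs it against a baseline of known IP-to-MAC pairs, and reports the two things arpwatch is most useful for: a MAC never seen before ("new station") and a known IP suddenly answering from a different MAC, which is what a spoofed gateway looks like. The interface name, addresses and MACs in the samples are constructed, not captured from a real network.

```python
"""
Minimal arpwatch-style new-host detector (added example, not arpwatch code).

Reads neighbour-table text as printed by `arp -an` or `ip neigh`, compares it
with a baseline of known IP -> MAC pairs and returns alert events.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IPv4 address and colon-separated 48-bit MAC, covering both
#   `arp -an`  : "? (192.168.1.10) at aa:bb:cc:dd:ee:ff [ether] on igb0"
#   `ip neigh` : "192.168.1.10 dev igb0 lladdr aa:bb:cc:dd:ee:ff REACHABLE"
_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
_MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


@dataclass(frozen=True)
class ArpEvent:
    kind: str                 # "new station" or "changed ethernet address"
    ip: str
    mac: str
    old_mac: Optional[str] = None


def parse_neighbors(text: str) -> Dict[str, str]:
    """Return {ip: mac}; entries without a resolved MAC ("<incomplete>")
    are skipped and MACs are lower-cased so AA:BB and aa:bb compare equal."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = _IP_RE.search(line), _MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower()
    return table


def diff_against_baseline(baseline: Dict[str, str],
                          current: Dict[str, str]) -> List[ArpEvent]:
    """Compare a fresh snapshot with the baseline.

    "new station": a MAC that has never been in the baseline at all (a known
    MAC that merely picked up a new DHCP lease is not reported).
    "changed ethernet address": a known IP now answers from a different MAC.
    """
    events: List[ArpEvent] = []
    known_macs = set(baseline.values())
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old is None:
            if mac not in known_macs:
                events.append(ArpEvent("new station", ip, mac))
        elif old != mac:
            events.append(ArpEvent("changed ethernet address", ip, mac, old))
    return events


def accept_snapshot(baseline: Dict[str, str],
                    current: Dict[str, str]) -> Dict[str, str]:
    """Fold a reviewed snapshot into the baseline, i.e. what you do after
    deciding an alert was legitimate (a device you installed yourself)."""
    merged = dict(baseline)
    merged.update(current)
    return merged


# Constructed sample data (assumed addresses, not from a real network).
BASELINE = {
    "192.168.1.1": "aa:bb:cc:00:00:01",    # gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",   # NAS
}

SAMPLE_ARP_AN = """\
? (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on igb0
? (192.168.1.10) at AA:BB:CC:00:00:10 [ether] on igb0
? (192.168.1.77) at de:ad:be:ef:00:77 [ether] on igb0
? (192.168.1.50) at <incomplete> on igb0
"""

SAMPLE_IP_NEIGH = """\
192.168.1.1 dev igb0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev igb0 lladdr aa:bb:cc:00:00:10 STALE
"""


def main() -> None:
    for label, text in (("arp -an", SAMPLE_ARP_AN), ("ip neigh", SAMPLE_IP_NEIGH)):
        for ev in diff_against_baseline(BASELINE, parse_neighbors(text)):
            extra = f" (was {ev.old_mac})" if ev.old_mac else ""
            print(f"[{label}] {ev.kind}: {ev.ip} {ev.mac}{extra}")


if __name__ == "__main__":
    main()
```

Run from cron with real `arp -an` or `ip neigh` output piped in and the baseline persisted to disk, this gives the same "why is there something new on the network?" signal the stream describes. The caveat a practitioner should keep in mind: it only sees hosts in the collector's own ARP cache, so on a segmented network (IoT, cameras, work VLANs) the collector has to sit on every segment, which is exactly why running it on the firewall that routes all of them is the convenient place.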