Ah, got it. That plan should be great. You can segment your own wired+WiFi network with that hardware, and even do Wireguard from the hAP ax2 to get whole-network egress via an outside VPN service at a good data rate, if you want.
The other devices you might consider as the router are the GL-iNet Slate series. They will be slower as a VPN router, but they’re pretty small and light. They come with a skinned OpenWRT, but in most cases you can install a build of the unmodified OS if you want.
Sure. That plan would work. You might want to be sure that this is permitted at your university.
Universities often have strict rules about what should connect to their networks.
That isn’t what I would choose for your situation. CRS3xx switches are fast at switching (layer 1 & 2), but not as a NAT router, which you probably need.
Better to pick something from the Mikrotik Ethernet Routers range, assuming you don’t want your personal LAN to have WiFi. The L009 or basic RB5009 are both good options in the same price range. Choosing depends on your upstream connection speed. Both are fanless.
Or pick a Home/Office Wireless device if you are permitted to have your own WiFi access point. The hAP ax2 is small, affordable and performs well at 1Gbps. If your upstream connection is 1Gpbs this is probably what I would choose even if you don’t want WiFi as long as this is enough ports. Just turn off its WiFi radios to use it wired-only. If you have a 2.5Gbps upstream port then hAP ax3 is a better choice.
All the Mikrotik choices will require some learning if you want anything beyond a basic router configuration. But once you get it like you want it they are very solid and reliable.
OpenWRT and OPNSense are easier to jump into without a lot of effort, so if you don’t want a networking hobby I would use one of them. Pick up pre installed device if you want it easy. Or get a mini PC with a few network ports and install the OS yourself to get more power for the money.
How about creating your own LAN within the untrusted network?
Something like an inexpensive OpenWRT router would do fine. Connect all your devices and the server to the router. They are now on a trusted network. Set up Wireguard on the OpenWRT router to connect to Proton so that your outbound traffic from all your devices is secured.
Could also be a stale DNS cache entry on one device or the router. If you ping your duckdns fqdn from the device that can’t connect while on your home network, does it resolve to the correct public IP?
I still think a firewall/nat issue is more likely tho.
What is your router make and model? You need to enable hairpin NAT.
The port is forwarded from your router to the pi, right? If so, you could test for the router as the bottleneck using the router’s WAN side IP address as the target.
This should give you a good data point for comparison. If it’s also slow then you can focus on the router performance. Some are slow when doing hairpin NAT.
I’d say your chances are very good. Even their high end rackmount models work with the usbhid-ups driver. Don’t think they would change things up in this regard since they would also need to change their software.
It’s probably still IPv6 related. If you use something like Network Analyzer on your phone while only connected to the mobile network you may find that it only shows an IPv6 address and DNS server, no IPv4 config. That could explain the difference. Particularly if you were using the maximum typically permissible MTU. Your provider might also be doing some 6to4 tunneling somewhere that adds overhead and causes size problems.
You might want to do a DNS leak test from your phone with the wireguard connection down and then with it up to make sure you’re tunneling DNS. This will be clearer if you set pihole to use something upstream that an ISP is unlikely to use - quad9 for example.
Btw: does anybody know what bad things actually happen if there is no metal cage that blocks all the radio?
Noise happens. Could be no problem, or it could hurt your wifi or mobile data connections, or maybe raise a neighbor’s ham radio noise floor. I saw this recently when setting up a pi to run BirdNet-Pi. The USB3 connection to an SSD caused enough noise in the 2.4GHz band that the onboard wifi radio could only connect on the 5GHz band.
To start - moving services from bare metal to rootless Podman containers running via quadlets. It’s something I have had in mind for a while but keep second guessing the distro choice. Long-ish release cadence, systemd-networkd and a recent Podman version in the native repos, well supported, and not Ubuntu.
So far openSUSE Leap seems like the winner. A testing machine is up to install everything, write some deployment scripts, and decide on a storage layout and partitioning scheme.
If anyone has another distro to recommend that checks these boxes let me know!
I like rolling release for the desktop, but only want critical patches in any given month for this server, and a major upgrade no more than every 3-4 years. Or an immutable server distro. But it doesn’t seem like networkd is an option for the ones I’ve looked at (Fedora CoreOS, openSUSE MicroOS), and I am not sure if I want to figure out Ignition/Combustion right now.
Next project - VLANs on Mikrotik.
OP - Navepoint makes good racks for reasonable money. I have a Pro series 9u from them and it went together without any problems. It’s on the wall with a pretty big ups in it.
If you want to keep using networkd, you might want to consider if multiple interfaces are causing the wait. NM doesn’t care, but networkd gives more granular options for dependencies. If you have wired and wireless and only one in use the systemd-networkd-wait-online.service waits for a timeout period. You can find lots of info on it related to boot delays with that service.
Try the --any switch on the systemd-networkd-wait-online.service launch configuration. This will tell the wait-online service that any single routable interface is enough, you don’t need them all.
Run:
sudo systemctl edit systemd-networkd-wait-online.service
That adds the override.conf for the service. Add these lines:
[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --any
The other possibility is if you have virtual .netdev devices configured (VPN, bridging, etc) and some of them are not essential for the machine to be online, you can set RequiredForOnline=no on the ones that aren’t essential.
It’s not bad to get running, and the alerting is really flexible. You can add Nagios and syslog alerts easily too.
Using it here. Love the flexibility and features.
I’m running NUT on the host os - no container. If that’s an option for you it will probably be much more reliable.
Huh. Losing USB access?
It’s not very exciting, but: Network UPS Tools (NUT).
Keep everything in good shape in the event of a power outage.
Here’s my messy-cabled 9u rack.
It has:
Everything is set up for low energy consumption (~90w), remote admin, and recovery from power loss.
For DIY consider a setup that supports ECC RAM to help prevent corruption. Any good server motherboard should do.
Unraid is pretty easy to get going on. That’s probably the direction I would take in your situation.
Also, if you’re not doing 3-2-1 backup now might be a good time to consider an off-site backup plan. That 4-bay Synology at a friend’s house with a VPN path would be an option for critical data. You could give them some partitioned space on there and on your new NAS to compensate for the power usage. Setup Borg or Restic and it’ll be encrypted on the remote NAS, and benefit from incremental and dedupe to minimize bandwidth usage.