Pfsense is a lot more feature rich than openWRT, especially when it comes to firewall features. Personally I just use openwrt to run my access points.

I would replace that eero unit with an old dell optiplex with pfsense, and forego trying to virtualize PFSense.

Not sure what hardware is in that eero, but if you wanted to keep it as just a basic AP, that isn’t a bad plan.

After that get a second optiplex for publicly hosted stuff. Keep that on a separate port on your PFSense machine, completely firewalled off from the rest of your network via pfsense, only allowing traffic from LAN to your server.

Physically separating your internal network, and publicly hosted services, as much as possible is the goal.

If you can only afford one new piece of hardware, I’d get the pfsense box, and set it up as a wireguard VPN server, disabling the direct port forwards to the VM running Minecraft. Though your friends would need to install a VPN client, and youd have to provide config files.

A used optiplex on eBay usually isn’t much more money to get up and running than most Linux SoC’s after all the adapters and kit is purchased, and they’re usually specced out way better.

Actually if you wanted to do physical DMZ separation, and wireguard you’d really be doing good, but that’s probably a little paranoid.

Heh.

You’re adding attack surface by keeping them separated only by vlan. VLAN hopping exploits exist, especially in older firmware, ESPECIALLY on EoL units.

Pfsense is a proper router/firewall built on one of the most hardened networking stacks on the planet. Plus it catches regular software updates, no matter how old your hardware is. You can run it on an old PC with a cheap quad gigabit nic card from eBay if you’d like.

If I might ask, what do you have handling your inter-vlan routing/firewall? Is it the same box you use to handle the firewall/routing between your WAN and LAN?

Is this machine sitting in your LAN, or on its own firewalled off network with a DMZ? No matter how secure it is, you don’t want it on the same network as the machine you do your taxes on.

A good poor mans option is to get a pfsense box with 3 NIC’s. One for WAN, one for LAN, and one for the machine you publicly host with.

Setup firewall rules so that LAN can reach the MC host on needed ports, but not the other way around.

Well yeah you went to the wrong coast for pizza.

Just like my balls.

Because all-in-one units are usually garbage, no traction. This one is made to go into an industrial drill press, like my old nan use to use.

Live sea sponges might I add.

Personally I keep them dangling from the ceiling along with my sausages.

You’re also talking about about people who are at least legally adults. 18 is a low bar until you compare it to 10.

What a terrible day to be literate.

Jesus H. Tap-Dancing Christ, I have seen the light!

deleted by creator

So how often do you bring livestock animals to climax?

Been using this in my homelab. Pretty great for Linux machines.

If you need to host for a windows network, samba can provide a Windows Server 2008 level AD DC, as well as print and file servers.

You could always install bare LDAP and Kerberos, but then again you could also try eating a cinderblock.

There are alternatives, but they all have their usecases and compromises in comparison. Most businesses want a cookiecutter one size fits all solution. AD is the closest thing.

Which is why I’m no longer interested in supporting them lol.

You don’t get to run a commercial entity under the guise of open source software, and giving back to the community, while prioritizing inter-compatibility with the king of EEE over the most popular FLOSS alternative.

Rocky has been good to me, but I still miss centos.

Honestly the only thing I’ve had trouble getting working with freeIPA with no alternative is some sort of centralized ROM management. Then again they all kinda lack any sync features with retroarch which is what would really bring me to them anywho.

How not? I imagine they paid for their two year old fair and square, like everyone else.

Pretty much. Its nice but I find trying to get it to do anything other than cookie cutter operations requires you to not only go around the GUI, but in many cases break it.

Also lotta shit that was supposed to work sucked too. The GUI always seemed to have a 50% chance of clobbering my ACLs when editing them, and encryption was either entirely password based, or the keys where stored with no passphrase on an unencrypted dataset.

My rocky nas has Luks on mdraid for the root which hold the keys for the zfs pools, and CLI based acl management is pretty ezpz once you learn it.

That’s what I’ve been doing for a good bit now.

I used to do a split environment on ad but I didn’t feel I was really getting anything out of windows, other than ease of use with TrueNAS.

Still haven’t gotten TrueNAS working with FreeIPA, but running a NAS off of rocky isn’t too bad either if you don’t mind the extra setup.

The nice thing about downstream distros is you don’t actually have to deal with redhats shit to use their stuff.

Unrelated but this pissed me off.

using a Microsoft innovation called Active Directory

The only Microsoft innovation there was Embracing, Extending, and Extinguishing LDAP and Kerberos.

I will NEVER forgive boomer admins for allowing that. I don’t mean to be presumptive, maybe its just where I work, but old guard windows admins seem to be fucking lazy dipshits as a rule.

I’ve never met sysadmins/engies who give so little a shit about what they’re setting up and why. If you only care that it works, and not how, why the fuck are you in this industry? Go get an MBA like the unskilled, uncaring sap you are and fuck off from my special interest.

Man that got derailed quickly lol, though I guess it explains why they’re all using domains they don’t own…