- 0 Posts
- 9 Comments
If I understand this correctly, you’re still forwarding it a port from one network to another. It’s just in this case, instead of a port on the internet, it’s a port on the TOR network. Which is still just as open, but also a massive calling card for anyone trolling around the TOR network for things to hack.
I have a similar issue when I am visiting my parents. Despite having 30 mbps upload at my home, I cannot get anywhere near that when trying to access things from my parents house. Not just Plex either, I host a number of services. I’ve tested their wifi and download, and everything seems fine. I can also stream my Plex just fine from my friends places. I’ve chalked it up to poor (or throttled) peering between my parents ISP and my ISP. I’ve been meaning to test it through a VPN next time I go home.
I think I misunderstood what exactly you wanted. I don’t think you’re getting remote GPU passthrough to virtual machines over ROCE without an absolute fuckton of custom work. The only people who can probably do this are Google or Microsoft. And they probably just use proprietary Nvidia implementations.
I believe what you’re looking for is ROCE: https://en.wikipedia.org/wiki/RDMA_over_Converged_Ethernet
But, I don’t know if there’s any FOSS/libre/etc hardware for it.
You are not being overly cautious. You should absolutely practice isolation. The LastPass hack happened because one of their engineers had a vulnerable Plex server hosted from his work machine. Honestly, next iteration of my home network is going to probably have 4 segments. Home/Users, IOT, Lab, and Work.
Annoying yes, but I’d argue that’s likely the simplest and most performant approach. At best (IPTables NAT), you’d be adding in an extra network hop to your SMB connections which would effect latency, and SMB is fairly latency sensitive especially for small files. And at worst (Traefik), you’d adding in a user-space layer 7 application that needs to forward every bit of traffic going over your SMB connection.
I have a feeling routing SMB traffic through Traefik is going to be a performance and latency nightmare. Is your TrueNAS VM’s network interface bridged to your home network? If so, use a static IP and just have clients connect directly. If not, your best bet is likely iptables NAT to forward a port from your Proxmox servers IP to the TrueNAS VM.
Yea, I don’t think this is necessarily a horrible idea. It’s just that this doesn’t really provide any extra security, but even the first line of this blog is talking about security. This will absolutely provide privacy via pretty good traffic obfuscation, but you still need good security configuration of the exposed service.