SolidGrue
I’m just this guy, you know?
- 0 Posts
- 9 Comments
If you just want each physical interface on your server to participate in a single VLAN, set the corresponding switch port as an access port in the desired VLAN, and then configure each server interface as a normal untagged interface.
You would only do tagged frames (802.1q trunking) if you wanted to support several VLANs on the switch port.
I do this, but I also work in tech and have a pretty solid grasp of routing and how that all works. I agree it may seem overkill for many installs, but makes sense for certain use cases. I’ll try to explain without writing a book. I’ll be glossing over a LOT of texture in the following…
In networking, a router is considered to be a node in a graph with multiple host IP addresses, one for each edge. It has an interface-- sometimes physical but more often viirtual-- on each edge (network segment, VLAN) that connects to it, and which usually serves as the gateway IP for that edge. In larger networks where there is more than a single router, the routers must all tell each other which router has which destination network segment, so they all speak a routing protocol like RIP, OSPF or IS-IS. Each of the speakers must be able to identify itself uniquely among the others so the others know which node is making what advertisements. To do this, they each are assigned a unique router ID, which is normally a 32 bit integer value represented as a dotted quad. Customarily this is an IP address, and the protocols further this idea by adopting the highest numbered IP address on the device or the addrss of its loopback interface, if defined.
The point of a routing protocol is for the participating nodes to advertise IP ranges associated with their connected edges. They assert advertisements for each edge when it is active.(I.e., the interface is UP) and withdraw or expire them when the edge is unavailable (I.e., the interface is in any state other than UP). Every time an edge changes state-- goes from UP to not-UP, or not-UP to UP-- that advertisement must propagate across the whole system, and every node must stop forwarding traffic to recalculate its own best path to the remaining available edges. This is called reconvergence, and network engineers try to do things to minimize the number and frequency of these events.
Practically, one of the things network engineers do to try to avoid instability is not having the ID of a speaker change dynamically. Going back to how the device selects its router ID, it considers the loopback IP first, or else the highest numbered IP active on the device at the time of evaluation. Edge interfaces can go UP or not-UP for any number of reasons at any time, thus they are less than ideal to use for the router ID. The loopback interface by contrast is always up. This interface is typically assigned the IP the routing protocol will use for its router ID.
In practice, the loopback is the only interface on a router than can be said to belong to the router itself¹, and not to an edge connected to the router². There are other practical reasons in routing to do this, but they all come back to the fact that the loopback is always up, and therefore it’s always apt to be advertised as an available edge.
So what does any of this have to do with servers, applications and self hosting?
Applications that provide services over the network, DNS servers for example, need to bind to at least one IP address and protocol port. On servers with multiple interfaces, these applications normally bind to all available interface addresses, using the address 0.0.0.0. In some situations this might be undesirable. Maybe you don’t want your pihole serving your internal DNS to your ISP, or maybe you have several VLANs at your house and want to use a single IP address for DNS across all of your VLANs, or you don’t trust the VLAN interface IPs to always be the same.
Adding an IP to the lo interface ensures that IP is always available and reachable. It provides a single place for all hosts in the system to go that isn’t pinned to any one of the possible VLAN interface IPs.
In my own home setup, I define several IPs on the loopback for different containers that all want to use port 8443/tcp for their public port. This gives me the flexibility of being able to assign different services their own IP (which I can then reference by name in DNS) on their native port vis-à-vis the documentation. So my Pihole container has its address and my Unifi controller container has its own as well.
Anyway, this is very much a Done Thing in the industry. Not everyone needs it, but its a useful technique in the right circumstances.
- Considered from to perspective of graph theory, network nodes and the edges they connect are distinct things. A router participates in a LAN, but the LAN is its own thing, and not formally part of the router.
- In large IP networks, there are frequently tra sport topologies like VLANs or other shared.media that connect two or more routers, and are used exclusively to distribute traffic among themselves. Which of the participating routers is said to “own” that advertisement?
What your situation for data backup? You mentioned a homelab and a NAS, are you running regular backups to an off-box store? You could mate it with a few TB of inexpensive USB disk, maybe some software RAID, and use it for off-box backups. Doesn’t have to be fast, just reliable.
Specs like that, you have some options. Virtual assistant, IPCam NVR like MotionEye or Frigate, media server for your car (takes DC voltage, right?), weather base station, ADS-B feeder, smart mirrors.
Or (if you’re in the US) you could repair it and then, if you donate it to a suitable charity, you could take the the cost of the repair as a deduction on your taxes. Probably doesn’t help you that much, but it could maybe really help someone else who needs it.
Or, just wipe it and send it to e-waste.
Sure, you could set up any syslog receiver stack like Splunk (as the other OP suggested) or an ELK Stack or even just syslog-ng or rsyslog to disk. Anything that can ingest syslog format will handle Unifi logs.
Decide how you want to receive, store and parse your logstream data. Once you have a syslog receiver set up, set Unifi (System > Site > Enable Remote Logging) for the Syslog server remote address:port and start shipping logs.
Whatever you do with those logs is out of scope for this discussion, but your logger should at least ingest them and spool them.
DNS is very leaky no matter where you run it, unless you run DNS over HTTPS (DoH). Full stop.
I’m no fan of DoH because it scales poorly. Nevertheless, a combination of Tailscale (or tailscale-like securort overlay mesh network) and an in-mesh DoH DNS relay going to be more secure than most other setups. Relay the DNS out through Tor at your own (performance) peril, but that’s going to he very secure.
I’m not a practitioner of this method, but it’s how I would approach it if I needed to.
+1 for Zoneminder, I ran one for years.
I’m all about Frigate now. It can use a GPU or Edge TPU to inference humans, cars & animals on modect events.
Frigate is next level. Didn’t even have to change the IP cams.
I used to selfhost more, but honestly it started to feel like a job, and it was getting exhausting (maybe also irritating) to keep up with patches & updates across all of my services. I made decisions about risks to compromise and data loss from breaches and system failures. In the end, In decided my time was more valuable so now I pay someone to incur those risks for me.
For my outward facing stuff, I used to selfhost my own DNS domains, email + IMAP, web services, and an XMPP service for friends and family. Most of that I’ve moved off to paid private hosting. Now I maintain my DNS through Porkbun, email through MXroute, and we use Signal instead of XMPP. I still host and manage my own websites but am considering moving to a ghost.org account, or perhaps just host my blogs on a droplet at DO. My needs are modest and it’s all just personal stuff. I learned what I wanted, and I’m content to be someone else’s customer now.
At home, I still maintain my custom router/firewall services, Unifi wireless controller, Pihole + unbound recursive resolver, Wireguard, Jellyfin, homeassistant, Frigate NVR, and a couple of ADS-B feeders. Since it’s all on my home LAN and for my and my wife’s personal use, I can afford to let things be down a day or two til I get around to fixing it.
Still need to do better on my backup strategies, but it’s getting there.