my home server needs to be reconstructed and i’m seeking ideas on how to future proof it. here’s some ascii art in a screenshot to help describe how it’s currently set up:

[screenshot of ASCII art diagram: current server]

description (left to right):

  • laptops, smartphones, tablets, etc. connect to an access point configured on a windows 10 virtual machine (vm). the windows 10 vm uses pci passthrough on the wireless adapter and this is done to get gigabit wifi speeds since intel’s drivers won’t allow linux to do this in ap mode; but will allow it just fine if you’re using windows.
  • requests from the wifi clients are passed via dns & ip masquerade to another virtual machine based on pfsense
  • pfsense serves as the router, firewall, vpn, ad blocking & web hosting and it’s also configured to use pci passthrough on the primary network interface to gap internet traffic from the server
  • the center of the drawing shows how i perform data backups using a 3 gig wired connection with a hardware switch, and i set up the host ubuntu server to manage dhcp on the secondary network interface & the devices that are connected to the switch. the data is stored using rsync and the hard drives are set up to use an extremely large lvm made of several different types of hard drives.

i’ve rebuilt this server multiple times; each time i encountered a “gotcha” or a surprise that i had not anticipated, and it made some needful component stop working, so i’m seeking advice from Lemmy on how to redesign this to mitigate future surprises.

some of the surprises i’ve encountered so far are:

  • the pfsense logs overfilled the root volume of the bsd based vm because logrotate was configured for linux. the image is hardcoded with a single volume so i will need to find a way to borrow some space from the backup volume using nfs and configure the logs to write there instead of locally.
  • i have no key for the windows 10 vm; so i’m forced to clone its qcow image and manually configure the hotspot each time the 30 day free trial from microsoft expires. I intend to improve upon this by creating an ansible job to rotate this virtual machine every 30 days automatically and include powershell based tasks to configure the hotspot in windows automatically
  • intel limits the speed for linux native internet connection sharing to 100 megabits (already mentioned & fixed above)
  • the local user’s home volume overfills when trying to take my google backups (already fixed)
  • my cats & dogs LOVE the taste of cat6 cables and cat6 is required for 3 gigabit speeds (also fixed)

constraints:

  • don’t spend any more $$$
  • gigabit wifi speed is A MUST
  • 3 gigabit backup speeds are a must too

  • eldavi@lemmy.ml (OP) · ↑1 · 6 days ago (edited)

    I use one as a backup when problems happen and I go this route for the additional features that routers usually don’t have like the spam blocking or vpn or Internet accessible storage like a cloud.

    The Windows vm only faces internally so I’m okay w it not getting support and its only purpose is as an access point

    • NeoNachtwaechter@lemmy.world · ↑3 · 6 days ago

      > Windows only faces internally so I’m okay w it not getting support

      There is room for some future proofing.

      All your mobile devices connect directly to that Windows. Consider them ‘unsafe’. Consider Windows ‘unsafe’ as well.

      ‘unsafe’ + ‘unsafe’ = incubator for all kinds of trouble IMHO.

      • eldavi@lemmy.ml (OP) · ↑1 ↓1 · 5 days ago

        i’d like to replace it with something else; but the wireless network adapter is intel and i can only get 100 megabits using the linux driver whereas i get 1 gigabit using the windows driver.

          • eldavi@lemmy.ml (OP) · ↑1 · 4 days ago

            I hope you can help me better appreciate your recommendation; the windows machine only faces internally so if there are bots they would be coming from my personal Linux laptop or work MacBook and those things never leave the house.

            It feels like if pfsense is unable to help them out, then I stand little chance of doing so myself.

            • NeoNachtwaechter@lemmy.world · ↑1 · 4 days ago (edited)

              The standard (automated) attacker manipulates the ‘inside’ device first (for example, it executes a JavaScript) and makes it perform an attack on the WiFi router, to which the device is connected.

              If the inside device is a windows pc and the WiFi router has its inside port open for administrative actions, this is an easy game. Millions of WiFi routers have been turned into bots this way.

              In your case the WiFi router is windows. This is different from the usual plastic router, but still not really a safe situation.

              • eldavi@lemmy.ml (OP) · ↑1 · 4 days ago

                The router is a pfsense virtual machine based on openbsd; Windows is only the wifi access point and no administration whatsoever is conducted from it.

                However the delineation between router and Wi-Fi access point gets murky for me here since an access point is effectively a router, but by this same loose definition, it’s also, effectively, a proxy.

                Since this Windows virtual machine is headless like its host server, the only possible entry vector would come from its clients, entirely made up of Linux, Android, and Mac machines. If those are compromised, then I don’t think there’s any way for me to stop it.
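The concern raised in this exchange, that the hotspot VM sits between the clients and the router, can be checked mechanically rather than argued. What follows is an added example, not code from the thread, from pfSense or from the OP’s setup: a small first-match firewall rule evaluator in Python with a constructed rule table and constructed addresses (10.10.0.0/24 for the hotspot clients, 192.168.1.20 for the Windows AP VM, 192.168.1.10 for an admin host, 192.168.1.1 for the pfSense LAN side). The point it shows is that because the Windows VM masquerades its clients, the router sees every phone and laptop as the VM’s own address, so a rule that lets the VM reach the management ports lets all WiFi clients reach them too; the hardened table blocks that address explicitly and allows only the admin host.

```python
"""First-match firewall policy check for router management exposure.

Added example, not code from the thread or from pfSense. The rule
semantics (first matching rule wins, no match means block) and every
address below are simplified, constructed assumptions modelled on the
setup described in the thread: WiFi clients -> Windows hotspot VM (NAT)
-> pfSense VM -> internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for this example (assumption, not from the thread).
WIFI_NAT_NET = "10.10.0.0/24"   # hotspot clients behind the Windows VM's NAT
WINDOWS_AP = "192.168.1.20"     # the hotspot VM's inner (LAN-facing) address
ADMIN_HOST = "192.168.1.10"     # the one box allowed to manage the router
PFSENSE_LAN = "192.168.1.1"     # router address as seen from the LAN
MGMT_PORTS = frozenset({22, 443})  # ssh and webGUI


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # source network in CIDR form
    dst: str                       # destination network in CIDR form
    ports: Optional[frozenset]     # destination ports; None means any port
    note: str = ""                 # human-readable label for findings


# Rule table 1: a typical "allow everything from LAN" default.
WEAK_RULES = [
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0", None, "default LAN allow"),
]

# Rule table 2: management plane pinned to one host, everything else as before.
HARDENED_RULES = [
    Rule("pass", ADMIN_HOST + "/32", PFSENSE_LAN + "/32", MGMT_PORTS,
         "admin host to ssh/webGUI"),
    Rule("block", "192.168.1.0/24", PFSENSE_LAN + "/32", MGMT_PORTS,
         "no mgmt from LAN, including the AP VM"),
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0", None, "default LAN allow"),
]


def masquerade(src: str) -> str:
    """The hotspot VM NATs its clients, so the router sees the VM's address."""
    return WINDOWS_AP if ip_address(src) in ip_network(WIFI_NAT_NET) else src


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching the translated flow."""
    s, d = ip_address(masquerade(src)), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.action, r.note
    return "block", "implicit deny"


def mgmt_exposure(rules: List[Rule], client_nets: List[str], router: str,
                  ports=MGMT_PORTS) -> List[Tuple[str, int, str]]:
    """List (client_net, port, matching rule note) for every management port
    that a host in one of the client segments is allowed to reach."""
    findings = []
    for net in client_nets:
        probe = str(ip_network(net)[1])   # a representative client address
        for p in sorted(ports):
            action, note = evaluate(rules, probe, router, p)
            if action == "pass":
                findings.append((net, p, note))
    return findings


if __name__ == "__main__":
    for name, table in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        hits = mgmt_exposure(table, [WIFI_NAT_NET], PFSENSE_LAN)
        print(f"{name}: {'EXPOSED ' + str(hits) if hits else 'mgmt ports closed to WiFi clients'}")
    print("admin host -> webGUI:", evaluate(HARDENED_RULES, ADMIN_HOST, PFSENSE_LAN, 443))
```

Run as a script it reports the weak table as exposing both management ports to the WiFi segment and the hardened table as closing them while still letting the admin host in and still letting the AP VM forward ordinary traffic. The same evaluator can be fed any other segment (the backup switch network, for instance) by adding its CIDR to `client_nets`.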

    • gray@pawb.social · ↑2 · 5 days ago

      An AP is just a WiFi point, you can use pretty much any AP with your pfsense router.

      That’s what most of us do, using this windows VM just for WiFi is only going to cause you a headache in the future.

      • eldavi@lemmy.ml (OP) · ↑1 ↓1 · 5 days ago

        it causes a headache now, but i don’t think i have another choice if i want faster than 100 megabit speeds.

        • gray@pawb.social · ↑3 · 5 days ago

          Pretty much any wireless AC AP from the last 10 years can hit those speeds with no headache, no keys, and no Windows.