

No, I do not trust my computers that much. Quite unfortunate, really, that I’ll have to build a whitebox switch to get what I want.
I never considered Tailscale for my LAN, but it’s certainly an intriguing idea. I suppose running Headscale as a VM on my router isn’t that difficult. Thank you, I will think about it a bit more.
Thanks
asking for people to solve a solved problem
Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don’t control at all. Heck, even MikroTik, which has a good rapport with this community, uses a proprietary Linux distro with a severely outdated kernel for its devices. For something as critical as internal networking, I’m surprised I do not see more dialogue on improving the situation.
Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I’m sure you’ve heard of the clustering features in pfSense/OPNsense, or the DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I’m going to need a LOT of ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.
This is why I’m trying to find a simpler solution. The solution that you mention doesn’t seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.
I’m using Cisco terminology, so it likely means VLAN trunking, unfortunately (unless I missed something).
Thank you for that. I’d also like to ask you: is that a possibility too if one were to configure a trunk port on a switch and plug the PCs in?
Hmm, so virtual interfaces on the router won’t work? I admit I’m a bit stumped; would you be able to give me an ELI5 on why this is the case? I will try and read up more, of course.
The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn’t mention it because I didn’t think it was important.
I feel like my post is being taken very negatively with people finding faults in my words rather than in the networking concept. Would you happen to know why?
Thanks, but as I mentioned, that will not scale. I’m interested in whether separating computers by subnets will work. Have you tried something like this?
It’s not that they are expensive, it’s that they run archaic proprietary OSes which the consumer cannot control. I cannot trust such a switch when the rest of my network depends on it. Please let me know if something in the post didn’t make sense.
Thank you for the wonderful comment. I am talking about the operating system (Debian vs CentOS, if I remember correctly) when I mention hardening.
I haven’t seen a concrete example of anyone applying CIS policies on the XCP-ng base, nor have I seen any mention of securing the XCP-ng base by companies using it in production. I understand that having a walled-off dom0 is great and I like that about Xen, but not seeing dialogue on base-OS-level security is making me a bit uncomfortable about XCP-ng. Not sure if it is immutable; if it is, then that would relieve some of my worries.
Personally, I think Proxmox is somewhat insecure too. I believe something like following the relevant STIG recommendations, kernel self-protection, hardened malloc and other things (there’s a huge list, but I’ll be brief) should be essential. Ideally I would’ve preferred that the Proxmox project took some of the measures that the Kicksecure project does in hardening Debian, but I don’t see any mention of something like that. If I end up wanting to run Proxmox, I’ll install Debian, distro-morph it to Kicksecure and then follow the instructions for Proxmox (not sure how I’ll keep from using the Proxmox custom kernel, but we’ll see).
Why aren’t you just using Kodi?
Mostly Kubernetes and sometimes podman
OS-hardening is exactly what I meant. Thanks
Thank you for your comment, I will save it. This really cleared it up
It is possible. One can host IMAP on their own server and simply use an SMTP server operated by a different entity. There are companies offering SMTP servers for free as long as you’re under the limit.
Thanks. After speaking with some others here, I’ve realised that this is actually quite doable (in theory). The other commenter has a great note on DKIM and SPF that I’m sure will help anyone looking to do this. Thanks for your help, I’ve also found a lot of companies offering a free SMTP server for a limited number of emails (which is more emails than I’ll ever send so it works for me).
The previous commenter mentioned MXroute, and I got SendGrid from your comment. I will look at these products; is there any other provider that you recommend?
Amazing comment. Saved. Thank you so much.
Indeed, I have thought about hosting my own email, but the problem of dealing with IP blacklists made it seem not worth it.
Thank you so much for the explanation on DKIM and SPF. It makes sense to me now; indeed, I didn’t really have a clue about either of these before I read your comment. Thank you for breaking it down.
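The "IMAP on my own box, SMTP through a third party" arrangement discussed in the comments above only delivers reliably if the domain's SPF record authorises the provider's outbound addresses, usually with an include: of the provider's own record. The following is an added example, not code from this thread or from any provider named in it: a minimal SPF evaluator (RFC 7208 semantics for ip4, ip6, include and all) run against a constructed in-memory DNS table. The domain names, the TXT records and the IP addresses are all placeholders invented for the example.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.

Added example, not code from the thread or from any mail provider. It shows
what a receiving server concludes when a self-hosted mail domain relays its
outbound mail through a third-party SMTP provider: the relay's IPs pass only
if the domain's record reaches them (here via include:), and anything else
hits the trailing -all / ~all.

Supported terms: ip4, ip6, include, all (with +, -, ~, ? qualifiers).
Left out for brevity: a, mx, ptr, exists, redirect= and macros; those are
reported as permerror rather than silently ignored.
"""
import ipaddress

# Constructed DNS TXT table (placeholder names, not real providers' records).
DNS_TXT = {
    # Domain that hosts its own IMAP and relays outbound mail via the provider.
    "example.net": "v=spf1 ip4:203.0.113.10 include:_spf.relay.example -all",
    # The provider's published SPF record (their outbound ranges).
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:abcd::/48 -all",
    # Same setup but the owner forgot the provider's include: relayed mail fails.
    "nonrelay.example": "v=spf1 ip4:203.0.113.10 -all",
    # Softfail variant, common while a domain is still being rolled out.
    "soft.example": "v=spf1 include:_spf.relay.example ~all",
    # Self-referencing record: must be caught by the lookup limit.
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on include/a/mx/ptr/exists


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it has none."""
    rec = DNS_TXT.get(domain)
    if rec is None or not rec.startswith("v=spf1"):
        return None
    return rec


def check_host(ip, domain, _budget=None):
    """Return the SPF result for `ip` sending mail as `domain`.

    Results: pass, fail, softfail, neutral, none (no record), permerror
    (unsupported/broken term, include of a domain without SPF, or too many
    include lookups).
    """
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]  # shared across the whole evaluation
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # first colon only: ip6 args keep theirs
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # host or CIDR
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            sub = check_host(ip, arg, _budget)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include is simply "no match" here.
        else:
            return "permerror"  # mechanism not implemented in this evaluator
    return "neutral"  # no "all" term: RFC 7208 default result


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "example.net"),
                    ("198.51.100.77", "example.net"),
                    ("198.51.100.77", "nonrelay.example"),
                    ("192.0.2.5", "soft.example"),
                    ("192.0.2.5", "loop.example")]:
        print(f"{ip:>16} as {dom:<20} -> {check_host(ip, dom)}")
```

The instructive pair is `example.net` versus `nonrelay.example`: the mail is identical and comes from the same provider address, but only the record that includes the provider's range passes; with `-all` the other is an outright fail, and with `~all` a softfail that many receivers still deliver but score against you. Real deployments should verify the provider's actual include target and the current record against the live DNS rather than this table.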
I had looked into OpenStack a while back but left it thinking it was too complex. I was looking at Apache CloudStack then.
I see now that a contributor has got Debian into the official list of supported distributions, which means my distro-morphing idea should work in theory with OpenStack. This is a great idea, thanks. I will look at OpenStack more seriously now. It does look like it will need some effort, though.