but suricata will not automatically correlate primitives into actual alerts from different vlans without transforms, which are cpu-intensive for what they do.

It is possible to offload the correlation to a downstream SIEM or log aggregator like Wazuh or ELK. Again, it’s something I’m currently trying to spool up on. I know it can be done, I’m just trying different things until I do get it right. I appreciate any input.

How did you monitor your vlans with suricata?

At present I only monitor the VLAN serving the ‘computer room’ which includes the servers. It’s where all the ‘stuff’ happens so I figured I’d start with the most important. However I am in the process of learning how to SPAN (Switch Port Mirroring) where you configure your managed switch to copy traffic from specific VLAN port or all VLANs ports to a dedicated ‘monitoring port’ where a micro server is running Suricata. The mirrored traffic will retain their VLAN tags and Suricata can parse these tags.

Those are the lofty plans. LOL I’m still fiddling around with it and Suricata because you have to actually set Suricata up to be able to do that. It doesn’t right out of the box.

So, I have a standalone pFsense box running Suricata (IDS/IPS) on WAN & LAN, pfblockerng (filtering), unbound, ntopng (traffic analysis), and Tailscale as an overlay on the firewall. The servers are on their separate VLANs, IoT, phone, laptops and other devices are also isolated. On the server I run Cloudflare Tunnels/Zero Trust, UFW, Tailscale as an overlay, and Fail2Ban. Everything is ‘default deny until something complains’. I’ve never run oPensense so I can’t speak to their software, but pFsense has been rock solid for me for years. I utilize Lnav to review logs. It’s lean, easy to install, and it just works.

To be quite honest about updates like Docker container updates, I wait until all the early adopters work out all the bugs for me and update when I feel comfortable. Updates to Ubuntu Jammy are usually straight forward and I can’t say I’ve had many issues over the years with Ubuntu Jammy updates. There may be a rare occasion, but nothing really stands out at this moment. The only issue I can think of here recently is when Docker updated but Portainer hadn’t caught up, but that was about a 30 minute fix.

It took me a while to get everything lined out from the modem to the servers, but my track record makes me feel pretty comfortable with how I have everything set up. In fact, literally most of the time, I just enjoy the set up and scout for the next project.

I recommend what works well for me. I assume others are doing the same. It’s a big umbrella. We can all coexist.

Welcome to the club, bro. Pleasure to meet your acquaintance. Sounds like you’ve done your homework. Better than how I started. I just dove in and whacked my head against a wall until something worked. First real Linux server I ever stood up online got taken down in short order. So I went back and did some learning, and took note of what others did/do. Now I’m no pro at it by far. Lots of very knowledgeable people in here. Stick around, pay it forward. good group to hang out with.

With the niceties out of the way, let’s get right down to the the real issues: What are your thoughts on AI? /s

OP, if you ever decide to go the Cloudflare Tunnels/Zero Trust route, I’ve got a set of instructions/notes that have helped a handful of people deploy Cloudflare Tunnels/Zero Trust. I’d be more than happy to share them.

Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.

I’ve heard people say this, and I’ve heard people say you can’t stream music. Tho I do not run the 'arr stack or Jellyfin, I do run Navidrome almost 24/7/365. But it’s something to keep in mind.

ETA: I am the sole user

Well, you could do network segmentation:

• Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I’m not sure what router you have buy many consumer routers have a “guest network” that can serve this purpose.

Utilize UFW rules. Mine are:

• sudo ufw default deny incoming

• sudo ufw default allow outgoing

• Anywhere ALLOW IN 192.168.1.0/24

• 22 ALLOW IN 192.168.1.0/24

• 22 on tailscale0 ALLOW IN Anywhere

• 22 (v6) on tailscale0 ALLOW IN Anywhere (v6)

Also:

• sudo ufw allow out to 1.0.0.1 port 53 # DNS only
• sudo ufw allow out to 1.1.1.1 port 53
• sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin

So now I have SSH capability locally and through Tailscale installed on the server and this prevents the server from initiating connections to other LAN devices. You can do alot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.

Have you considered Cloudflare Tunnels/Zero Trust. When you use Cloudflare Tunnels/Zero Trust, you don’t need to fiddle with NAT, open any ports, in fact you don’t need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name but I think most get something cheap from NamesCheap or Pork Bun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob’s your uncle.

ETA: Obviously you’ll need port 22 for administration.

sudo ufw default deny incoming

sudo ufw default allow outgoing

But my qualms and scruples are not your problem

Me being uncomfortable with how you do it is immaterial

I hope as a community we can start to just say “No thank you” when we are offered something that’s done in a way we don’t like

anyone who is not doing that needs to analyse why they feel entitled to shit on someone else’s project.

We goin’ to church today. Preach it my brother! Can I get an amen?

I’m the one who has to die when it’s time for me to die, so let me live my life the way I want to. ~ Jimi Hendrix

Don’t let 'em give you shit about your ponytail bro.

Well, I’ll certainly keep it in the back of my head.

The Homarr (dashboard) team delivered on their promise to decrease the app’s unusually large memory footprint after receiving public complaints a few months ago

Noticed.

Thing is, if I were going to do in house AI, I’d want to do it up right and from what I can gather, a system like that is going to cost me some jack.

I’ve got a drawer full of various models I’ve picked up here and there, mostly used that people were selling. I stumbled across a yard sale once where a guy and his son were selling a lot of computer equipment to raise money for his son to get some newer stuff for college. There was a whole box of them, maybe 10+ and I paid $100 for all of them. I use them from time to time for different projects. Good little learning boards.

But I got bad habits

Yeah, they’re my bad habits

LOL Never heard of FIDLAR.

What if I enjoy my bad habits?

(ie 2500 sq ft; or 232 sq m)

Damn, y’all livin’ lavvy.

A realistic Pi 4B-only estimate is about A$8–A$12 per year in electricity

That’s about what I calculated for my locale. Roughly $0.30–$0.85 per month, around $0.48/month at 4 W. Which is remarkable especially given what you can run on one.

People will buy intelligence from us on a meter’

We have governmental surveillance and we have surveillance capitalism. Surveillance capitalism works so well that governments are now very interested in the data they collect, which is alarming. Unfounded conspiracy theory: It’s probably one of the reasons that governments don’t seem interested in AI’s regulation. If I had the proper equipment to run AI entirely local and efficiently so that the expenditure would justify it, I would.