I used pfSense for years and switched to OpenWRT. I highly recommend OpenWRT. pfSense is kinda trash IMHO. I tried to set up traffic shaping, so I could play games while my roommate was watching Netflix, and it just doesn’t work as advertised. I tried like 20 different configurations for the traffic shaping, following all the documentation, guides, countless forum threads, etc, and none of it worked properly when you actually test it. At the end of the day, I concluded that nobody understands how to configure traffic shaping on it and even the developers didn’t realize it was broken.

OpenWRT, on the other hand, just works better out of the box, and has the right level of customizability for home use. It has a way better ecosystem around it where you can download extra packages with GUIs… it’s just much nicer to use, and doesn’t have the QA problems I had with pfSense.

The situation kinda sucks but it is what it is. Basically, we’ve got private delivery firms with non-unionized employees and gig workers taking up the more lucrative package delivery business, with the crappy money-losing mail business going to Canada Post. Uniuni, Dragonfly, and Intelcom are replacing Canada Post. But Canada Post’s union shot themselves in the foot by going on strike multiple times, for long enough that businesses switched away from using them because they’re seen as unreliable now.

The gig worker model seems to be more efficient and clearly the investors of these companies agree, so I don’t see any economic force that’s going to stop things from continue in the direction that they are. There is still competition here though between these companies for small parcel delivery, so it’s keeping shipping prices down.

P.S. this is also the model for private healthcare in Ontario that they’re attempting - farm out the lucrative procedures to private clinics, with the expensive and risky treatments being done in public hospitals. So watch for that…

I like that this looks like OG Steam.

DirectX 5, that brings back some memories lol. That’s when 3D started to get serious and it felt like there was a lot of innovation happening quickly (competition with 3dfx’s Glide?).

I’m late to the party here, but did you consider just paying for Mattermost? If it meets your needs, and your organization has 250 people, the cost for licensing is going to be relatively small compared to your IT budget (right?). They have “contact us” pricing, which means you can negotiate it.

As others said, spin down the drives when they’re not in use. Make sure power saving is enabled on the drives and tune them to spin down after some appropriate amount of time. (hdparm lets you customize it on Linux)

Consider also sleeping the NAS when not in use. You can try using Wake-on-LAN to remotely wake it up when you need to use it. Saves on electricity and heat! You could also sleep it on a schedule, in case you need to be online for backups to run at particular times.

Licensing representation matters

It doesn’t, because they’re the copyright owners. Think of their software as dual licensed: They run it themselves under a proprietary license, under which they reserve all rights. That has nothing to do with the AGPL version that they license to you. The AGPL doesn’t take away the rights they have as copyright owners, nor does it preclude dual licensing.

(Are you a bot? Your reply is written like ChatGPT, and it has that self-defeating logic that ChatGPT has sometimes… eg. you wrote that you disagree with me, but then parroted the exact thing that I said.)

This is flat out wrong. If you’re the copyright owner, you’re not licensing the code to yourself. The AGPL is the license under which they’re making the open source version available to YOU. The version they run themselves is proprietary.

Look into DeltaChat

Wrapping up this thread, I really appreciate all the opinions and experiences everyone shared! Gave me lots of new perspectives to think about.

Yeah, this might be the way to go. OpenWRT supports hardware NAT with many of these ARM-based routers like many of the MediaTek-based ones, which gives them super high throughput at very low CPU usage. The efficiency blows x86 out of the water. The ability to migrate your OpenWRT config to new hardware (real or virtual) in the future means you kinda get the best of both worlds…

Do not use an SSD for cold storage - it will fail. SSDs need to be plugged in every once to refresh the charge in their NAND, otherwise they’ll lose the data.

This is not a theoretical thing - I’ve had a good Samsung 850 Pro drive fail while being off for 2 years.

Thanks, this is good data!

How fast is your internet?

Do a speed test and run htop… you’ll see CPU usage only on one core spiking. Not a big deal if your CPU can handle it, but the AMD GX-412TC in the APU2 I was using is too slow.

Even if the virtualized router is down, I’ll still have access to the physical server over the network until the DHCP lease expires. The switch does the work of delivering my packets on the LAN, not the router.

Thanks for the tip about the pfSense limit. After running pfSense for like 8 years, my opinion is that is flush with features but overall, it’s trash. Nobody, not even Netgate, understands how to configure limiters, queues, and QoS properly. The official documentation and all the guides on the internet are all contradictory and wrong. I did loads of testing and it worked somewhat, but never as well as it should have on paper (ie. I got ping spikes if I ran a bandwidth test simultaneously, which shouldn’t happen.) I don’t necessarily think OpenWRT is any better, but I know the Linux kernel has multithreaded PPPOE and I expect some modern basics like SQM to work properly in it.

The other thing to keep in mind is to pass through physical nics. Using just the vnics will potentially lead to security risks. That’s the reason I went back to physical fws.

I could throw an extra NIC in the server and pass it through, but what are the security risks of using the virtualized NICs? I’m just using virtio to share a dedicated bridge adapter with the router VM.

If you just use 2 nodes, you will need a q-device to make quorum if you have one of the nodes down

I could just use VRRP / keepalived instead, no?

I should try Proxmox, thanks for the suggestion. I set up ZFS recently on my NAS and I regret not learning it earlier. I can see how the snapshotting would make managing VMs easier!

That is pretty sweet. I have a second server I could use for an HA configuration of the router VM. I’ve been meaning to play around with live migrations (KVM) so this could be a cool use case for testing.

I appreciate the advice. I have like 3 spare routers I can swap in if the server fails, plus I have internet on my phone lol. It’s a home environment, not mission critical. I’m glad you mentioned this though, as it made me realize I should have one of these routers configured and ready-to-go as a backup.

My logic is partly that I think a VM on an x86 server could potentially be more reliable than some random SBC like a Banana Pi because it’ll be running a mainline kernel with common peripherals, plus I can have RAID and ECC, etc (better hardware). I just don’t fully buy the “separation of concerns” argument because you can always use that against VMs, and the argument for VMs is cost effectiveness via better utilization of hardware. At home, it can also mean spending money on better hardware instead of redundant hardware (why do I need another Linux box?).

There are also risks involved in running your firewall on the same host as all your other VM’s

I don’t follow. It’s isolated via a dedicated bridge adapter on the host, which is not shared with other VMs. Further, WAN traffic is also isolated by a VLAN, which only the router VM is configured for.