I think you're right, but the company is taking a different posture.
You can either:
- accept you don't know who is sending traffic in any case and spend your time doing your best to plug the visible holes
- accept you don't know who is sending traffic in any case and spend your time making the underlying systems more resilient with this in mind.
Firing employees doesn't fix bad security, it just covers your ass for a little bit.
Option 3 is to treat any elevated risk with suspicion. Firing an employee is cheaper then tasking a security team to ongoing monitoring something that would normally just be blocked in its entirety.
Option 3 is to treat any elevated risk with suspicion. Firing an employee is cheaper then tasking a security team to ongoing monitoring something that would normally just be blocked in its entirety.
Sounds like a coverup for bad security? Many companies today bitch and moan when they can't use your IP to track you. This sounds like that but way worse.
Its kindof weird how there is an almost 50/50 mixture here of people with knowledge and then leering retards with completely made up opinions based on nothing lol
I could be wrong, but I don't know if any security system can distinguish between legitimate traffic and attack traffic if it's coming from the same IP address. If hackers breach their network with stolen credentials and they trace it to the IP address of an employee, how can the employee prove that it was not them but someone using the tor node they host? I suspect some companies even get squeamish when they detect a Plex server considering there has been a couple cases in the news where a company was hacked via an employee's Plex server.
I would say you're in for a bad time if you're IT staff because there is a much more reasonable expectation that you might know how to pull it off and you're in a position of trust.
If you are a tech-illiterate Jane in accounting that has this happen, it becomes pretty clear to everyone you didn't do it.
The Plex incident has a couple ways to skin it.
You shouldn't allow large bandwidth pulls to be happening to or from residential IPs
You shouldn't allow the Plex app on your endpoints.
You shouldn't let people download files from residential IPs
Its kindof weird how there is an almost 50/50 mixture here of people with knowledge and then leering retards with completely made up opinions based on nothing lol
Given that there has been issues with people leaking their residential IPs of late I wanted to provide a guide for self-hosters to funnel traffic specifically for Kiwifarms through a ProtonVPN tunnel facilitated by their router.
Reason being I often have to finegle with my VPN as I travel (or my bank does not like my VPN a given Tuesday) and I often forget that I disabled something by the time I reach somewhere I wouldn't want to leak the IP of like my house.
I generated this through Claude this time around, I really cannot advertise how useful this is for removing "UGH" factor from projects at the configuration and troubleshooting level, which cause me to get distracted and walk away from a lot of projects. You can even take this markdown guide and upload it to Claude to personalize it to your needs and reduce your token use from generating it yourself.
Markdown (GitHub flavored):
# Routing kiwifarms.st through ProtonVPN on OPNsense
A walkthrough for using OPNsense policy-based routing to send traffic for a specific destination out a ProtonVPN WireGuard tunnel, while leaving the rest of your traffic on your normal WAN.
---
## 1. Generate the ProtonVPN WireGuard config
Log into [account.protonvpn.com](https://account.protonvpn.com) → **Downloads** → **WireGuard configuration**.
- Pick a server (any country works; if you want a specific exit, note where it is).
- Give the config a name like `opnsense-kf`.
- Leave NetShield / Moderate NAT / etc. at defaults unless you have a reason.
- Download the `.conf` file.
Open it in a text editor — you'll need these values:
| Field | Section | Example |
|---|---|---|
| `PrivateKey` | `[Interface]` | (your private key) |
| `Address` | `[Interface]` | `10.2.0.2/32` |
| `DNS` | `[Interface]` | `10.2.0.1` |
| `PublicKey` | `[Peer]` | (server's public key) |
| `Endpoint` | `[Peer]` | `185.159.157.1:51820` |
| `AllowedIPs` | `[Peer]` | `0.0.0.0/0, ::/0` |
---
## 2. Create the WireGuard instance in OPNsense
**VPN → WireGuard → Instances → +**
- **Name:** `ProtonVPN`
- **Private key:** paste the `PrivateKey` from the config (OPNsense derives the public key)
- **Listen port:** leave blank or set `51820`
- **Tunnel address:** the `Address` value (e.g. `10.2.0.2/32`)
- **DNS server:** leave blank for selective routing (handle DNS separately, see step 10)
Save, but don't enable yet.
---
## 3. Create the peer
**VPN → WireGuard → Peers → +**
- **Name:** `ProtonVPN-Server`
- **Public key:** the `PublicKey` from `[Peer]`
- **Allowed IPs:** `0.0.0.0/0, ::/0`
- **Endpoint address:** the IP from `Endpoint` (before the colon)
- **Endpoint port:** the port from `Endpoint` (after the colon)
- **Keepalive:** `25`
Save.
Go back to your Instance, attach this Peer to it, enable it, and tick the master **Enable WireGuard** checkbox at the top of the Instances page.
---
## 4. Assign the WireGuard interface
**Interfaces → Assignments**
- Pick `wg0` (or whatever the WG instance shows) from the dropdown → **Add**
- Click the new `OPT*` interface
- Enable it, name the description `PROTONVPN`
- Leave IPv4/IPv6 config type as **None**
- Save, apply
---
## 5. Create the gateway
**System → Gateways → Configuration → Add**
- **Name:** `PROTONVPN_GW`
- **Interface:** `PROTONVPN`
- **Address family:** IPv4
- **Gateway:** the Proton tunnel gateway, typically `10.2.0.1`
- **Far Gateway:** ✓ check this (it's outside the interface subnet since you have a `/32`)
- **Monitor IP:** `10.2.0.1` or `1.1.1.1` — something reachable through the tunnel
Save, apply.
> Confirm the gateway shows **Online** under **System → Gateways → Status** after a minute. If it doesn't, the tunnel isn't actually up — check **VPN → WireGuard → Status** for handshake.
---
## 6. Outbound NAT for the tunnel
**Firewall → NAT → Outbound**
If you're on **Automatic**, switch to **Hybrid** and save. Then add a rule:
- **Interface:** `PROTONVPN`
- **Source:** `LAN net` (or specific clients/network you want to allow out the tunnel)
- **Destination:** any
- **Translation:** Interface address
Save, apply.
---
## 7. Alias for kiwifarms.st
**Firewall → Aliases → Add**
- **Name:** `KIWIFARMS`
- **Type:** **Host(s)** with the FQDN entered (OPNsense will resolve and refresh it periodically — older versions called this "Hostname")
- **Content:** `kiwifarms.st` (and `www.kiwifarms.st` if you want)
- **Description:** anything you like
Save, apply.
> **Note:** kiwifarms.st has had hosting/IP churn over the past few years. The hostname alias handles that automatically as long as the domain still resolves. If they switch domains entirely, update the alias. If they're behind a reverse proxy or CDN-style host, the IP set may include addresses shared with other sites.
---
## 8. The policy routing rule
**Firewall → Rules → LAN → Add**
> Place this **above** your default LAN → any allow rule.
- **Action:** Pass
- **Interface:** LAN
- **Direction:** in
- **Protocol:** any
- **Source:** `LAN net` (or a specific host/alias if only one machine should use the tunnel)
- **Destination:** single host or alias → `KIWIFARMS`
- **Description:** `KF via ProtonVPN`
- Click **Advanced features** → scroll to **Gateway** → select `PROTONVPN_GW`
Save, apply.
---
## 9. Kill-switch rule (recommended)
If the tunnel drops, the policy rule above stops matching and traffic falls back to your normal WAN — defeating the point.
Add a **block** rule **below** the pass rule:
- **Action:** Block
- **Interface:** LAN
- **Source:** `LAN net`
- **Destination:** `KIWIFARMS`
- **Description:** `Block KF if VPN down`
> **Order matters:** pass-via-VPN first, block second.
For more reliable kill-switch behavior, also enable **System → Settings → General → "Skip rules when gateway is down"** (or the per-rule equivalent). This makes the pass rule disappear when Proton is offline, letting the block rule catch the traffic.
---
## 10. DNS consideration
Your router (Unbound, by default) will resolve `kiwifarms.st` over your normal WAN. That lookup leaks the fact that *someone* on your network asked for that domain to your ISP/DNS provider.
If that matters to you:
- **Option A (simpler):** Add a domain override in **Services → Unbound DNS → Overrides** for `kiwifarms.st` pointing to a DNS server reachable through the tunnel (e.g. `10.2.0.1`, Proton's DNS).
- **Option B:** Run a second Unbound or dnscrypt-proxy bound to the VPN interface and forward only that domain to it.
Option A is usually sufficient.
---
## 11. Test
From a LAN client:
```bash
# Should show your normal WAN IP
curl https://ifconfig.me
# Should show an IP that exits via Proton
curl --resolve kiwifarms.st:443:$(dig +short kiwifarms.st | head -1) \
https://kiwifarms.st -o /dev/null -s -w "%{remote_ip}\n"
```
Easier check: load the site in a browser and look at any "what's my IP" widget the site itself shows, or check Proton's dashboard for active sessions.
Dead stupid check: add ipconfig.me to the earlier alias and then see if your IP changes after you remove it. If it does, it works!
---
## Troubleshooting
If the tunnel handshake fails, the most common causes are:
- Wrong `PrivateKey` paste
- Wrong `Endpoint` port
- The Proton account already has that config "in use" elsewhere — each downloaded config is bound to a session, so generate a fresh one if in doubt
@SchloppyI.T.Man, nice guide. Something of note for Kiwis that want to adapt that to work with other sites. I may be wrong but as best I can tell that will only resolve www.website.tld so if the site you’re going to have subdomains eg www.accounts.website.tld that will need its own entry in the hosts list as you will expose your IP by going to what is technically a different site. I’ll post the script I run on an interval for Mikrotik hardware to deal with this in a bit. It’s a dirty script that I made Claude make but it does the job.
I run this script on a 4 hour interval just in case any of the IP addresses change. Any IP addresses that are marked with "wg-domains" in the Address Lists area of my Mikrotik router are sent over my VPN. I also have a separate VLAN on my network where all outgoing traffic is routed through the VPN, this is for torrent clients and NZB downloaders and a couple of VMs.
The way the script works is that I need to add just the top domain for any website, eg kiwifarms.st to the main list. That top level as well as any subdomain possibilities listed below in the script are checked and added to the "wg-domains" list. There is also a section to manually add in IP addresses that will also be on the list, I use this for the various VPSs that I have as I am careful to only create accounts (from a VM on the VPN only VLAN) with companies that have a very lax KYC over my VPN and then to pay using Monero. This way these companies never get my real IP and I avoid the trap of connecting to the VPS from my real IP too.
It is only when the script has finished checking all the domains that the updated "wg-domains" addresses are inserted. Early versions of the script would wipe that list and add IPs as they were resolved meaning there would have been gaps where my IP could leak.
I know this could be cleaner, but my coding abilities are comparable to that of a journalist.
I plan to overhaul all of this in the autumn when the weather turns. With Mikrotik's updated container stuff that can be run on rOS devices I plan to have a small container perform a much more graceful poll for every IP that belongs to a domain and then feed that into a csv file or similar that will be visible to an updated script and then to have that import instead. This will be cleaner and save me from having to think about updating the subdomains list when I realise I have forgotten something.
Reason being I often have to finegle with my VPN as I travel (or my bank does not like my VPN a given Tuesday) and I often forget that I disabled something by the time I reach somewhere I wouldn't want to leak the IP of like my house.
Biased toward desktop users, but you can make it work if you set a system proxy, e.g. on your mobile device etc: I think my approach would be to run one privoxy instance on my home net, and one on a VPS in a datacenter somewhere. You configure each with e.g. whitelisted domains for that node, and pick one to be the default. Then you can point your device or devices at one privoxy node and have them sort which node they come out of. If you're not familliar with privoxy, it's an http proxy (that automagically eats ad domains, btw). I use it in conjunction with tord/i2pd to make browsing the clearnet and onionsites/eepsites seamless in furryfox, since you can configure rules like .onion -> socks5t localhost in it, and point furryfocks at privoxy.
Biased toward desktop users, but you can make it work if you set a system proxy, e.g. on your mobile device etc: I think my approach would be to run one privoxy instance on my home net, and one on a VPS in a datacenter somewhere. You configure each with e.g. whitelisted domains for that node, and pick one to be the default. Then you can point your device or devices at one privoxy node and have them sort which node they come out of. If you're not familliar with privoxy, it's an http proxy (that automagically eats ad domains, btw). I use it in conjunction with tord/i2pd to make browsing the clearnet and onionsites/eepsites seamless in furryfox, since you can configure rules like .onion -> socks5t localhost in it, and point furryfocks at privoxy.
I'm sure you can also offset this by relegating this activity to the router. Although I do like this proxy idea for my given devices in general, it covers yourself a lot better. I figured the router to tunnel solution was best initially because I always know that the farms will accept VPN traffic and that I'm regularly going to come home, not thinking about what device configs I've changed that would otherwise expose me. I think the next implementation for coverage is going to be explicitly for my phone since that's PII
Personally, I have a box on my network who is the designated wireguard handler, and my router has static routes for private ips to route through that box. I cobbled all this together years ago before wireguard was in the kernel and was working with a dinky router fw and couldn't put wireguard on it (I have since swapped to openwrt). It's been working for me so I haven't reworked it from scratch but honestly I'm probably overdue for a refresh. Kinda thinking of doing a pfsense or opensense router on some ewaste x86 hardware I got lying around
The Venn diagram of knowledge base for this topic and my question is a single circle, so I'm asking here. It could incorporate a "home lab" anyway.
With the addition of one more wired media device to my home network necessitating my first switch, and a resolution that this year I will finally not have wires trailing everywhere, I have decided to fully overhaul and sort out my home networking. I'm looking for advice, suggestions, recommendations, whatever.
I'm toying around with getting a managed switch so that I can have a tagged VLAN network so that devices of dubious province (TV, DNLA devices...) can be wired without being on the same 'network' as my PC. And I want them wired because their wireless performance just has never been up to snuff - Amazon streaming freezes, etc. I've also been going back and forth about buying a Blackwell Pro GPU for some AI work and this is relevant because those things are mostly blowers and loud as Hell and if I can figure out a way to do it, I'd like my PC in a different room to my monitor, keyboard, etc. (room candidate is at least 10m away, however). I want segregated Guest wireless as well but that's so standard these days it's barely worth mentioning. I might consider getting some fat mechanical hard drives and doing a media server, though there's no immediate rush on that. I am curious about PiHole or my own superior DNS set up or firewall or anything like that (for example, I know there are Open Source DNS services). I don't know much about all that though, so would love to hear what others have done.
Money can be spent within reason. So if some cheap mini-PC as a thin client to my real PC makes sense and is viable, maybe I could do that. Things like this. My current PC was originally going to be a NAS. But then I thought - if I spend a couple hundred more on the CPU it'd be really capable if I wanted to run a bunch of Docker containers. Then it was "but if I do that, I really need at least 64GB of RAM" and then it was "I need a new case for this anyway..." and pretty soon I had a replacement PC. So maybe I still need a NAS. I'm thinking about home security cameras as well.
This is a very open ended question - I'm aware. To distil it down, I guess I'm asking: "What brands of switches and routers, what neat things have people done in their home networking, how are people managing external access to their home network when away from home, does anyone have their desk far away from their actual PC and if so, how, what about those optical cables they have these days instead of that Cat-n family and should I be looking for routers and switches that use that, etc.?"
And why the fuck are 10Gb NIC adaptors for my PC so insanely pricey?
I'm toying around with getting a managed switch so that I can have a tagged VLAN network so that devices of dubious province (TV, DNLA devices...) can be wired without being on the same 'network' as my PC.
Do you own or do you rent? I assume you own if you're going to be running cables. I run 2 physical networks in my house. One is 10G fiber for my stuff and the other is for cameras and other various Internet-of-Trash which cannot get to the Internet.
If you're going to be doing a lot of Ethenret runs, I suggest buying the new style of crimper/ends where the twisted pair "pass through" the platic ends and the crimper cuts them off. These are way easier to deal with than the older style Ethernet termination. Fiber I just by pre-made. Termination kits for fiber are stupid expensive.
I've also been going back and forth about buying a Blackwell Pro GPU for some AI work and this is relevant because those things are mostly blowers and loud as Hell and if I can figure out a way to do it, I'd like my PC in a different room to my monitor, keyboard, etc. (room candidate is at least 10m away,
Sounds expensive. I just have an Radeon R9700 Pro and I can hear that thing upstairs when generating images. The RTX 6000 looks like it should be quieter with the cooling more like a traditional gaming GPU.
If you care about high refresh rates, you're going to have trouble with a PC in a second room. DisplayPort has trouble once you get past 8~10 ft, even with the best cables (Club3D typically). I do have a long run (50ft) Gator HDMI cable from my TV to gaming PC, but the TV runs at 60Hz. It runs fine, but occasionally I get a glitch.
If you plan on running a lot of remote machines, the BliKVM is pretty good, and they have an 8-port KVM hub for it that is rack mountable.
I am curious about PiHole or my own superior DNS set up or firewall or anything like that (for example, I know there are Open Source DNS services). I don't know much about all that though, so would love to hear what others have done.
PiHole just runs a modified dnsmasq (daemon that provides DHCP and DNS to your home network) that adds in some fancy graphs for showing DNS blockage. If you really want to understand your home network, I suggest building your own router. You can use a miniPC or get an old Intel Atom system off eBay or just an old box you have lying around with at least two NICs. Install a Linux distro, look up some iptables tutorials on NAT/Masquerading (or I guess nftables, the iptables replacement), establish your firewall and run dnsmasq.
It might be easier to use OpenWRT to get started since they have a lot of tutorials and its supported on a lot of embedded boards. The Bananna Pi has a lot of router tutorials.
Dnsmasq can be configured to cache/handle your local network's hostnames, but you can also point it to a local DNS server instead of your ISPs for everything else. PowerDNS Recusor and Unsplash are two open source options you can find on most distros.
It's pretty rewarding, and now you have total control over your ingress/egress. You can hook up your Internet-of-Trash devices to their own NIC on your router with its own IP range and not allow it to reach the Internet, while still allowing your home network to reach those devices.
10GTek is my go to for 10Gb NICs and Transcievers. Most of their NICs have Intel chipsets and they have great compatability. The transcievers have gotten more expesnive lately. They use to be dirt cheap and work on everything. You can sometimes get a tray of them for cheap used.
MikroTik makes affordable 10Gb switches and they're good quality. I have one Ubiquity I bought used and it's been solid too, but new they can get pricey.
"What brands of switches and routers, what neat things have people done in their home networking, how are people managing external access to their home network when away from home, does anyone have their desk far away from their actual PC and if so, how, what about those optical cables they have these days instead of that Cat-n family and should I be looking for routers and switches that use that, etc.?"
As was mentioned I too like Mikrotik for both routers and switches. But for my home router it's a mini X86 PC running PFSense, but I'd probably recommend OPNSense these days. Fiber or copper doesn't matter much. fiber is nice for longer runs. 10G NICs aren't too bad compared to where they were.
Remote access.... I have both Wireguard and OpenVPN on my home router so I can always get in even when I'm places that block ports, some don't allow UDP, some don't allow UDP and block TCP to anything except 443... etc. For this to work your ISP needs to allow incoming traffic and if your IP isn't static then your router needs to update a dynamic DNS record, I use Route 53 but there are plenty of others out there. Some people recommend Tallscale but I don't recommend outsourcing your home network security. If you can't allow incoming through your ISP you can get a cheap VPS/Cloud server and VPN into it from home and then VPN in to it remotely and use it as a router to connect the two.
One thing I can't recommend is making your own cables. Wiring should be between jacks, which you punch down, and then the patch cables should be those bulk ones from insert cheap store here. You've got better things to do with your life than make cables. I only make a cable for special needs like outdoor cameras where I need strange lengths, and thus far never cat 6.
Remote access.... I have both Wireguard and OpenVPN on my home router so I can always get in even when I'm places that block ports, some don't allow UDP, some don't allow UDP and block TCP to anything except 443... etc.
I've never used Mikrotik so I'm interested now due to the multiple mentions. I don't have to do all this on a super tight budget but obviously I don't want to waste money and the MikroTik looks to be cost effective.
Do you own or do you rent? I assume you own if you're going to be running cables. I run 2 physical networks in my house. One is 10G fiber for my stuff and the other is for cameras and other various Internet-of-Trash which cannot get to the Internet.
Yep - I can do what I like here. But I don't want to do lots of redecorating so in extremes I can get some floorboards up or skirting boards off to put something behind it but that'd be annoying (but doable) so we're probably looking at a bunch of trunking along the walls. Or just plastic cable loops hammered in where I can get away with one cable. Eh... maybe I should do this by the book with proper little network sockets here and there. PITA, though.
So you say you have fibre for your stuff. How much stuff is your stuff? Some of my devices will be ethernet only so I'm thinking one of those switches that has both ethernet and those SFP module sockets?
So get a router with support for SFP and run that to the switch. But at least on the MikroTik range I can't find one with a good combo of ports that isn't huge. I may stick with just faster Ethernet. I do need the switch to be managed so that I can have the different VLANs. Unless you're saying you run two entirely separate physical networks?
If you're going to be doing a lot of Ethenret runs, I suggest buying the new style of crimper/ends where the twisted pair "pass through" the platic ends and the crimper cuts them off. These are way easier to deal with than the older style Ethernet termination. Fiber I just by pre-made. Termination kits for fiber are stupid expensive.
Sounds expensive. I just have an Radeon R9700 Pro and I can hear that thing upstairs when generating images. The RTX 6000 looks like it should be quieter with the cooling more like a traditional gaming GPU.
Very expensive. I've been on the fence about it for a while. The RTX Pro 6000 does have a non-blower model, but it's also a 600W GPU which is more than I want, tbh. Everything else is a blower.
If you care about high refresh rates, you're going to have trouble with a PC in a second room. DisplayPort has trouble once you get past 8~10 ft, even with the best cables (Club3D typically). I do have a long run (50ft) Gator HDMI cable from my TV to gaming PC, but the TV runs at 60Hz. It runs fine, but occasionally I get a glitch.
If you plan on running a lot of remote machines, the BliKVM is pretty good, and they have an 8-port KVM hub for it that is rack mountable.
I'm not a gamer. I like very high resolution (5K) but it's more code, text, spreadsheets etc. than games. Still, good refresh rate (120Hz) is a plus even for that. This sounds like a problem area unless I get a thin client set-up and even then, ultra high resolutions are beyond many iGPU set ups.
PiHole just runs a modified dnsmasq (daemon that provides DHCP and DNS to your home network) that adds in some fancy graphs for showing DNS blockage. If you really want to understand your home network, I suggest building your own router. You can use a miniPC or get an old Intel Atom system off eBay or just an old box you have lying around with at least two NICs. Install a Linux distro, look up some iptables tutorials on NAT/Masquerading (or I guess nftables, the iptables replacement), establish your firewall and run dnsmasq.
This I have considered and it sounds good. My concern is most about look (this will have to be somewhere visible in my home and not a 1990's mini-tower with wires coming out the back) and WiFi. Routers I can buy can have lots of aerials and Wifi 6 or 7. I don't know what my options are WiFi with setting up a PC as a router.
It might be easier to use OpenWRT to get started since they have a lot of tutorials and its supported on a lot of embedded boards. The Bananna Pi has a lot of router tutorials.
Dnsmasq can be configured to cache/handle your local network's hostnames, but you can also point it to a local DNS server instead of your ISPs for everything else. PowerDNS Recusor and Unsplash are two open source options you can find on most distros.
Frigate is the software - check. Looking at that now. This is an argument for trying to get my PC in its own little room, tbh, where it would naturally be closer to the cameras, if they're wired. You have wired cameras? I guess I need a PoE/PoE+ switch. This is going to take some thinking about how to route cables to the outside. I want to minimise drilling through the exterior walls.
10GTek is my go to for 10Gb NICs and Transcievers. Most of their NICs have Intel chipsets and they have great compatability. The transcievers have gotten more expesnive lately. They use to be dirt cheap and work on everything. You can sometimes get a tray of them for cheap used.
MikroTik makes affordable 10Gb switches and they're good quality. I have one Ubiquity I bought used and it's been solid too, but new they can get pricey.
As was mentioned I too like Mikrotik for both routers and switches. But for my home router it's a mini X86 PC running PFSense, but I'd probably recommend OPNSense these days. Fiber or copper doesn't matter much. fiber is nice for longer runs. 10G NICs aren't too bad compared to where they were.
Remote access.... I have both Wireguard and OpenVPN on my home router so I can always get in even when I'm places that block ports, some don't allow UDP, some don't allow UDP and block TCP to anything except 443... etc. For this to work your ISP needs to allow incoming traffic and if your IP isn't static then your router needs to update a dynamic DNS record, I use Route 53 but there are plenty of others out there. Some people recommend Tallscale but I don't recommend outsourcing your home network security. If you can't allow incoming through your ISP you can get a cheap VPS/Cloud server and VPN into it from home and then VPN in to it remotely and use it as a router to connect the two.
One thing I can't recommend is making your own cables. Wiring should be between jacks, which you punch down, and then the patch cables should be those bulk ones from insert cheap store here. You've got better things to do with your life than make cables. I only make a cable for special needs like outdoor cameras where I need strange lengths, and thus far never cat 6.
So I would like to do fibre if only for the much smaller and discrete cables. But I can get enough speed with ethernet and they seem to be more expensive. So I'll see what my options are. I've tried setting up a Wireguard VPN into my home previously but for some reason my then router wasn't having it. Never did work out why. I will be getting a new router for all this though (off the shelf or making my own) so one way or another I'll figure this out. Cheers.
So I would like to do fibre if only for the much smaller and discrete cables. But I can get enough speed with ethernet and they seem to be more expensive.
10G is 10G it doesn't care if it's copper or fiber. As you've seen the NICs with SFP+ slots for fiber(or copper) tend to be more server grade and thus more expensive. I run a mix. My main server which sits just below a 10 port 10G TP-Link switch was fiber, but the new motherboard came with 2x10G copper ports, so now it's copper. My office is on a 2x10G Fiber link to a Mikrotik SFP+ only switch with copper SFP+ to the desktops. But it looks like I'll be able to swap one desktop back to fiber as I've managed to free up an x4 slot and can re-use an older card. One thing when you're buying SFP+ modules for copper, if you can then I recommend getting the 100 Meter(or at least 80M) ones. They run cooler than the old 30M ones for more money, of course. One other thing you'll see is the fiber SFP+ tend to be much cheaper than copper and the "cables" don't cost too much more. And the fiber SFP+ run cool to the touch.
I'll put in another vote for Mikrotik routers/switches/wireless. My home setup is an rb5009 connected into a CRS310-1G-5S-4S+IN acting as the central hub with a couple of CRS310-8G+2S+IN (one in my office, the other in the living room). Wireless is handled by a cAP ax on the landing. It really good gear without going too crazy with pricing.
I am curious about PiHole or my own superior DNS set up or firewall or anything like that (for example, I know there are Open Source DNS services). I don't know much about all that though, so would love to hear what others have done.
You can run pihole on any routerOS device with Mikrotik's container support - https://help.mikrotik.com/docs/spaces/ROS/pages/84901929/Container. I was doing this on an older implementation of Mikrotik's container support and it was a bit of a faff, I understand it is a lot better now since routerOS 7.2x.
My pihole is running on a Debian VM on an old M1 Mac mini because I wanted to handle DNS though Unbound - https://docs.pi-hole.net/guides/dns/unbound/
and if I can figure out a way to do it, I'd like my PC in a different room to my monitor, keyboard, etc. (room candidate is at least 10m away, however).
They have tradeoffs. Copper transceivers get HOT. They use more power. Also they can get flaky. Not bad though. I have some short runs where copper can only get 7~8Gb and the fiber does a solid 9.5Gb in iperf. Not a big deal really for most use cases, but something to be aware of. Directly attached copper (with the transceivers on the cables) seem to have better connectivity than Ethernet:
Also fiber can't to Wake On Lan. For that you have to use copper with a card that supports it (or you can use the onboard Ethernet for WoL and a 10Gb NIC for transfers)
So you say you have fibre for your stuff. How much stuff is your stuff? Some of my devices will be ethernet only so I'm thinking one of those switches that has both ethernet and those SFP module sockets?
I have three of these. They're pretty solid and are managed (web interface with a lot of controls, speed testing, etc.) A lot of the machines don't really need 10Gb. I really only use the full bandwidth between my NAS and my workstations when moving media, AI models, ZFS snapshot backups, etc.
Yea if you want 120Hz, you really need relatively short display port cables. You can try to buy the longest Club3D cable available and use it for a few days. If it works and it's long enough, you can feed it through a wall or under a door or whatever. HDMI might go further, but your monitor and card need to support one of the newer HDMI standards for the refresh rate you want. I only use HDMI for my TV, so I don't know what's out there and what works.
Yea my cameras are all on a small 5-port PoE switch in my attic. I forgot to use grounded cables though. They've worked fine for years, but you should probably use grounded cables (they have metal Ethernet ends), just in case there are power surges or whatever.
So maybe I still need a NAS. I'm thinking about home security cameras as well.
