Search results

Good, then I do not have to repeat what's there in "summary" and "update". But there are a few more things to consider, i.e. spoofed source address. Do you realise your system could be tricked by botnet to be part of drdos, sending icmp-packets (as part of your REJECT policy) to innocent victim?

One more reason to switch finally to single common nftables, instead of {ip,ip6,arp,eb}tables.

If you know the difference between "REJECT" and "DROP", then you also know why using "REJECT" is bad idea...

Cisco ASA is not top firewall of these days, but stil much better than simple iptables (actually, they can not be compared at all). But I think hypervisor should do the only thing hypervisor must do: to provide virtualized hw for VM. Nothing more. Everything else should be offloaded elsewhere...

If you have plenty of RAM, why you do not disable swap altogether? I have been running Proxmox without swap for a few years, without any problem... I always hear the same "you need swap in case you run out of ram" crap. And what if you run out of swap too? Why should I have "x" GB ram and "y"...

That it FQDN (fully qualified domain name), not hostname. You should define hostaname as "ct102-haproxy" with dns-domain "whl.meilocal.net"...

As I see, you still have ~3.3GB of free memory. So why should you do that??? Honestly I do not understand this obsession. You have memory, so let OS using it! Every modern OS folows one simple rule: any using of memory is better than not using it at all. If you are trying to keep as much free...

There are other factors you should consider, not only TBW, i.e. P3700 as "pro" SSD has power-loss protection. There are also differences in firmware (P3700 is optimized for server load), controller of P3700 has more channels, etc, etc.

Are you sure you imported PVE-key?

What an interesting idea! I never knew such an adapter existed. I'm not sure if my headless mini-box can detect miniPCIe-GFX, but it has miniPCIe-slot (and usb for keyboard) so it is definitely worth trying! I'm going to order some miniPCIe->PCIe riser on aliexpress right now...

Let me ask you something: Why are you not using the first VM as router/firewall/nat for the rest of your VMs with private IP? There are a few very good reasons to off-load this task from Proxmox-host to one of VMs...

I checked forum, and found some old threads concerning this. I know Proxmox can run on headless server, with no graphics adapter. I know Proxmox can be installed over Debian which can be installed on headless machine. But it is "less than optimal" for me, as I would loose that nice "all-zfs"...

A few months ago I have installed Proxmox in VirtualBox-VM on my Win7-PC. You can also find plenty of "proxmox in virtualbox" videos on YouTube. So it is definitely possible. Do you have VirtualBox Extension Pack installed?

If you have leased dedicated server, then you can create whatever VM you want. Just create one more, download install-image of firewall of your choice, and install it. With i.e. pfsense of ipfire you can achieve much more (and more easily) than with PVE... imho hypervisor should do only one...

imho such a job should be done by router/firewall-vm, not by pve-host itself...

Yes, you can. I already discussed this some time ago...

I'd say it depends on your budget, network topology, number of ports you need, port type (rj45/spf), functions required, etc. Buffalo has "value" series BS-MP of smart-managed 10g-switches. Ubiquity has also some entry-level "EdgeSwitch" or "UniFiSwitch" 10gb-switches. Or Netgate ProSafe XS700...

I always thought predictable network interfaces were there exactly so that kernel does not rename interface, if you just add new one. So how's that possible (if as you say, Proxmox renames the old interface)?

Probably because it is not fix, just workaround...

https://www.intel.com/content/www/us/en/solid-state-drives/ssd-dc-s4500-s4600-brief.html Endurance: S4500: 1 DWPD S4600: 3 DWPD