<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Hugo | DevOps | Cybersecurity</title>
    <description>The latest articles on DEV Community by Hugo | DevOps | Cybersecurity (@hugovalters).</description>
    <link>https://dev.to/hugovalters</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1175774%2F8a57b46a-da15-4ac2-ab41-fbe56c6a99a5.jpg</url>
      <title>DEV Community: Hugo | DevOps | Cybersecurity</title>
      <link>https://dev.to/hugovalters</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/hugovalters"/>
    <language>en</language>
    <item>
      <title>pfSense vs OPNsense: A Pragmatic Comparison for Self-Hosters</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Sun, 12 Jul 2026 14:15:03 +0000</pubDate>
      <link>https://dev.to/hugovalters/pfsense-vs-opnsense-a-pragmatic-comparison-for-self-hosters-43c9</link>
      <guid>https://dev.to/hugovalters/pfsense-vs-opnsense-a-pragmatic-comparison-for-self-hosters-43c9</guid>
      <description>&lt;p&gt;I've been running firewalls since the days of m0n0wall on CF cards, and I still remember the sinking feeling at 2 AM when a bad pfSense config push locked me out of a remote office. The Soekris box was blinking its lonely LED, and I was three time zones away with no IPMI. That was 2008, and the lessons from that era still apply today: your firewall is the most critical piece of infrastructure you'll touch, and choosing the wrong platform means accepting unnecessary risk.&lt;/p&gt;

&lt;p&gt;This guide is for self-hosters, homelab operators, and small-to-medium business IT admins who need a production-grade firewall without the Cisco price tag. By the end, you'll understand the architectural differences between pfSense and OPNsense, know which one fits your operational profile, and have concrete migration paths if you need to switch. I'm not here to sell you on either — both are better than any consumer router, and both can ruin your weekend if you don't respect them.&lt;/p&gt;

&lt;p&gt;:::note[TL;DR]&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;pfSense and OPNsense both run on FreeBSD with pf packet filter — the core is identical&lt;/li&gt;
&lt;li&gt;OPNsense ships with boot environments, WireGuard, and Suricata built-in; pfSense requires packages for these&lt;/li&gt;
&lt;li&gt;pfSense has better cloud marketplace presence and commercial support; OPNsense has better defaults and upgrade safety&lt;/li&gt;
&lt;li&gt;Choose pfSense for enterprise/cloud deployments with existing ecosystem investment&lt;/li&gt;
&lt;li&gt;Choose OPNsense for self-hosted environments where uptime and modern defaults matter
:::&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;p&gt;Before diving in, you should have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A dedicated x86 machine or VM with at least 2 GB RAM (4 GB recommended for IDS/IPS)&lt;/li&gt;
&lt;li&gt;Basic understanding of TCP/IP, subnetting, and firewall rules&lt;/li&gt;
&lt;li&gt;Access to the hardware's console or IPMI for initial setup&lt;/li&gt;
&lt;li&gt;A backup plan — both firewalls can brick themselves on a bad config&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Architecture &amp;amp; Base System — FreeBSD Under the Hood
&lt;/h2&gt;

&lt;p&gt;The fork that created OPNsense in 2015 wasn't about technical capability — it was about licensing and development philosophy. Both projects started from m0n0wall, both use pfSense's original codebase, but they've diverged in ways that matter for daily operations.&lt;/p&gt;

&lt;h3&gt;
  
  
  Kernel and Boot Environment
&lt;/h3&gt;

&lt;p&gt;pfSense migrated to HardenedBSD with version 2.5, using a monolithic kernel by default. ZFS is available but requires a manual installation — the installer still defaults to UFS. OPNsense has been on HardenedBSD since version 19.1, with ZFS as the default filesystem. This difference seems minor until you need to recover from a bad upgrade.&lt;/p&gt;

&lt;p&gt;The boot environment feature is where OPNsense pulls ahead. With ZFS, you can snapshot your entire system before an upgrade and roll back in seconds if something breaks. pfSense requires manual ZFS setup and doesn't integrate boot environments into its upgrade workflow.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# OPNsense — built-in boot environment management&lt;/span&gt;
bectl list
BE                        Active Mountpoint Space Created
default                   NR     /          1.2G  2026-06-01 14:23
upgrade-24.1              -      -          1.5G  2026-07-10 03:15

&lt;span class="c"&gt;# pfSense — requires manual ZFS boot environment creation&lt;/span&gt;
&lt;span class="c"&gt;# This is not part of the standard install&lt;/span&gt;
zfs snapshot zroot/ROOT/default@pre-upgrade-2.7.0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/pfsense-vs-opnsense-a-pragmatic-comparison-for-self-hosters/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>pfsense</category>
      <category>opnsense</category>
      <category>firewall</category>
      <category>freebsd</category>
    </item>
    <item>
      <title>Site-to-Site IPsec: Connecting Offices Without Losing Your Mind</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Sat, 11 Jul 2026 14:15:03 +0000</pubDate>
      <link>https://dev.to/hugovalters/site-to-site-ipsec-connecting-offices-without-losing-your-mind-1948</link>
      <guid>https://dev.to/hugovalters/site-to-site-ipsec-connecting-offices-without-losing-your-mind-1948</guid>
      <description>&lt;p&gt;I have spent a significant portion of my adult life staring at log buffers, watching two expensive routers scream at each other in a language they both ostensibly speak, yet neither understands. There is a specific kind of hell reserved for the sysadmin trying to connect a MikroTik at a branch office to a Cisco ASA at the headquarters. &lt;/p&gt;

&lt;p&gt;You’ve got the subnets right. You’ve got the public IPs right. You’ve even double-checked the Pre-Shared Key (PSK) five times. And yet, there it is: &lt;code&gt;phase1 negotiation failed&lt;/code&gt; or the even more insulting &lt;code&gt;no proposal chosen&lt;/code&gt;. &lt;/p&gt;

&lt;p&gt;If you’ve ever found yourself clicking through 50 different permutations of "3DES," "AES-128," "SHA1," and "MD5" just to get a tunnel to stay up for more than ten minutes, you aren't doing engineering; you're doing digital alchemy. It’s 2026. If you are still relying on legacy IKEv1 and "guessing" which encryption suite your vendor implemented correctly, you are a dinosaur. It is time to standardize, move to IKEv2, and stop treating your Site-to-Site tunnels like a delicate chemistry experiment.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Rant: The "Phase 1 / Phase 2" Mismatch Hell
&lt;/h3&gt;

&lt;p&gt;The core problem with IPsec is that it was designed by a committee that hated simplicity. Unlike WireGuard, which has one way to do things, IPsec has five thousand. &lt;/p&gt;

&lt;h4&gt;
  
  
  1. The Multi-Vendor Alphabet Soup
&lt;/h4&gt;

&lt;p&gt;Every vendor (Cisco, MikroTik, Fortinet, Juniper, Ubiquiti) has a slightly different idea of what "Standard" means. Cisco might default to a 24-hour lifetime for Phase 1, while MikroTik defaults to 1 day (which is almost, but not quite, the same depending on how they count seconds). One vendor might include the "Local ID" in the identity check, while another ignores it. &lt;/p&gt;

&lt;p&gt;The moment you try to connect two different brands, you enter the Mismatch Trap. You spend four hours on the phone with "The Cisco Guy" at HQ, both of you insisting your settings are correct, while the logs show a confusing mess of "Invalid ID Information" and "Notify: No Proposal Chosen."&lt;/p&gt;

&lt;h4&gt;
  
  
  2. The Legacy Burden
&lt;/h4&gt;

&lt;p&gt;Most people are still using IKEv1 because "that’s what the tutorial said." IKEv1 is a bloated, slow, and insecure relic. It requires multiple round-trips to establish a session, it handles NAT poorly, and it is prone to fragmentation issues. If you are still using Main Mode or Aggressive Mode in 2026, you are inviting instability.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics: IKEv2 and the Glory of NAT-T
&lt;/h3&gt;

&lt;p&gt;If you want to keep your sanity, the first rule is: &lt;strong&gt;IKEv2 only.&lt;/strong&gt; #### 1. IKEv2 (Internet Key Exchange v2)&lt;br&gt;
IKEv2 was designed to fix everything that sucked about IKEv1. It has built-in support for MOBIKE (mobility), which means your tunnel can survive a brief IP change. It has a much more streamlined handshake (fewer packets, less latency). Most importantly, it handles &lt;strong&gt;Dead Peer Detection (DPD)&lt;/strong&gt; as a core part of the protocol, not as a vendor-specific hack. If the tunnel drops, IKEv2 knows immediately and starts a re-negotiation.&lt;/p&gt;

&lt;h4&gt;
  
  
  2. NAT-Traversal (NAT-T)
&lt;/h4&gt;

&lt;p&gt;In the age of CGNAT and multi-layered NAT, IPsec usually dies because it relies on protocol 50 (ESP), which doesn't have "ports" like TCP or UDP. Many cheap ISP routers have no idea how to handle ESP and simply drop it. &lt;/p&gt;

&lt;p&gt;NAT-T solves this by wrapping the entire IPsec packet inside a UDP header on port 4500. This is mandatory for modern offices. If even one side of your tunnel is behind a NAT, you must enable NAT-T, or your Phase 2 will never initialize.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Fix: Standardize Your Suite (AEAD)
&lt;/h3&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/site-to-site-ipsec-connecting_offices_without_losing_your-mind/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>networking</category>
      <category>vpn</category>
      <category>ipsec</category>
      <category>mikrotik</category>
    </item>
    <item>
      <title>Network Segmentation: VLANs and Firewall Rules for Production</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Fri, 10 Jul 2026 14:15:07 +0000</pubDate>
      <link>https://dev.to/hugovalters/network-segmentation-vlans-and-firewall-rules-for-production-2hlh</link>
      <guid>https://dev.to/hugovalters/network-segmentation-vlans-and-firewall-rules-for-production-2hlh</guid>
      <description>&lt;h1&gt;
  
  
  Network Segmentation: Isolating Services with VLANs and Firewall Rules
&lt;/h1&gt;

&lt;h2&gt;
  
  
  Introduction: Why Your Flat Network is a Liability
&lt;/h2&gt;

&lt;p&gt;I once walked into a post-mortem where a single compromised WordPress plugin led to an attacker pivoting from a public web server to a PCI-compliant payment database in under 90 seconds. How? The network was flat — one VLAN, one broadcast domain, no firewall rules between services. The attacker ran &lt;code&gt;arp-scan&lt;/code&gt;, found the DB server, and started exfiltrating credit card numbers over port 3306. The CISO asked me, "How do we stop this?" My answer: VLANs and firewall rules, applied correctly.&lt;/p&gt;

&lt;p&gt;Flat networks are fine for your home lab. In production, they're a breach waiting to happen. The problem is blast radius — if an attacker compromises one service, they can pivot laterally to everything. VLANs create logical barriers at Layer 2, and firewall rules enforce who talks to whom at Layers 3-4. Together, they're the minimum viable defense for any multi-service environment.&lt;/p&gt;

&lt;p&gt;This guide is for senior engineers who already know what a VLAN is but need to design, implement, and maintain segmentation that actually works. After reading, you'll be able to kill lateral movement in your network, avoid the common misconfigurations that make segmentation useless, and sleep better at night.&lt;/p&gt;

&lt;p&gt;:::note[TL;DR]&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Flat networks let attackers pivot laterally — segment everything with VLANs and firewalls&lt;/li&gt;
&lt;li&gt;Use 5-10 VLANs for "trust zones" (web, app, db, management, DMZ), not one per microservice&lt;/li&gt;
&lt;li&gt;Default-deny firewall rules between VLANs; stateful inspection is mandatory&lt;/li&gt;
&lt;li&gt;Version-control your firewall rules and monitor dropped packets&lt;/li&gt;
&lt;li&gt;Test segmentation with &lt;code&gt;nmap&lt;/code&gt; and &lt;code&gt;tcpdump&lt;/code&gt;, not just &lt;code&gt;ping&lt;/code&gt;
:::&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Access to a managed switch (Cisco IOS, Aruba, or similar) with VLAN support&lt;/li&gt;
&lt;li&gt;A Linux host (Ubuntu 22.04+ or Debian 12) with &lt;code&gt;iptables&lt;/code&gt; or &lt;code&gt;nftables&lt;/code&gt; installed&lt;/li&gt;
&lt;li&gt;Basic understanding of IP addressing and subnetting&lt;/li&gt;
&lt;li&gt;Root or sudo access on the Linux router/firewall&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  VLAN Fundamentals: The Logical Barrier You're Probably Misconfiguring
&lt;/h2&gt;

&lt;h3&gt;
  
  
  VLAN Tagging 101 (802.1Q) — What Most Tutorials Get Wrong
&lt;/h3&gt;

&lt;p&gt;VLAN tagging using 802.1Q inserts a 4-byte tag into Ethernet frames to identify which VLAN a packet belongs to. Most tutorials skip the critical part: &lt;strong&gt;disable DTP (Dynamic Trunking Protocol) on every switch port that shouldn't be a trunk&lt;/strong&gt;. DTP negotiates trunking automatically, and if an attacker plugs into an access port that has DTP enabled, they can negotiate a trunk and perform VLAN hopping — accessing traffic from other VLANs.&lt;/p&gt;

&lt;p&gt;Here's the Cisco IOS config to kill DTP on access ports:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;interface GigabitEthernet0/1
 description Web Server Access Port
 switchport mode access
 switchport access vlan 10
 no switchport trunk dynamic
 spanning-tree portfast
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;switchport mode access&lt;/code&gt; forces the port to access mode and disables DTP negotiation. The &lt;code&gt;spanning-tree portfast&lt;/code&gt; skips STP listening/learning for faster convergence on end-host ports. On Aruba/ProVision switches, the equivalent is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;interface 1/1
   vlan access 10
   no vlan trunk dynamic
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In Linux bridging for virtualized environments (e.g., KVM with Linux bridge), you configure VLAN tagging at the interface level:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ip &lt;span class="nb"&gt;link &lt;/span&gt;add &lt;span class="nb"&gt;link &lt;/span&gt;eth0 name eth0.10 &lt;span class="nb"&gt;type &lt;/span&gt;vlan &lt;span class="nb"&gt;id &lt;/span&gt;10
ip addr add 10.0.10.1/24 dev eth0.10
ip &lt;span class="nb"&gt;link set &lt;/span&gt;eth0.10 up
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/security/network-segmentation-vlans-and-firewall-rules-for-production/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>networksegmentation</category>
      <category>vlan</category>
      <category>firewallrules</category>
      <category>infrastructuresecurity</category>
    </item>
    <item>
      <title>Deploying Encrypted DNS Internally: DoH and DoT Guide</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Wed, 08 Jul 2026 14:15:04 +0000</pubDate>
      <link>https://dev.to/hugovalters/deploying-encrypted-dns-internally-doh-and-dot-guide-1ed1</link>
      <guid>https://dev.to/hugovalters/deploying-encrypted-dns-internally-doh-and-dot-guide-1ed1</guid>
      <description>&lt;p&gt;I was on-call when it happened. 3 AM on a Tuesday, and every single production server in our us-east-1 region started resolving &lt;code&gt;api.internal.example.com&lt;/code&gt; to a server in Belarus. Our recursive DNS resolver had been MITM'd by an attacker who'd gained access to a network tap in the colo facility. Four hours of chaos, a panicked VP, and a post-mortem that boiled down to: "Our DNS was plaintext over UDP, and we trusted the network."&lt;/p&gt;

&lt;p&gt;That was 2022. If you're still running plaintext DNS internally in 2026, you're not just behind — you're negligent. This guide is for senior sysadmins and security engineers who need to deploy encrypted DNS (DoH and DoT) in their infrastructure without breaking everything. By the end, you'll have a working deployment, a migration plan, and the scars to know what goes wrong.&lt;/p&gt;

&lt;p&gt;:::note[TL;DR]&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Plaintext DNS is a massive security liability: on-path tampering, passive surveillance, and cache poisoning at the network edge&lt;/li&gt;
&lt;li&gt;Use DoT for internal infrastructure (predictable, low overhead), DoH for external-facing resolvers (evasion, compliance)&lt;/li&gt;
&lt;li&gt;Start with Unbound or CoreDNS — skip the overengineered solutions&lt;/li&gt;
&lt;li&gt;Certificate management is the #1 cause of failure: automate rotation or suffer at 3 AM&lt;/li&gt;
&lt;li&gt;Migrate gradually with opportunistic mode first, then enforce with firewall rules
:::&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;A Linux server (Ubuntu 22.04+ or RHEL 9+) for your DNS resolver — don't use your laptop&lt;/li&gt;
&lt;li&gt;Root access and basic familiarity with &lt;code&gt;systemd&lt;/code&gt;, &lt;code&gt;openssl&lt;/code&gt;, and &lt;code&gt;tcpdump&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;A DNS zone you control for testing (e.g., &lt;code&gt;dns.internal.example.com&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;kdig&lt;/code&gt; installed (&lt;code&gt;apt install knot-dnsutils&lt;/code&gt; or &lt;code&gt;yum install knot-dnsutils&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;At least 30 minutes of uninterrupted time — this isn't a 5-minute config&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Why You Should Care About Encrypted DNS (And Why Plaintext DNS Is a Security Liability)
&lt;/h2&gt;

&lt;p&gt;Plaintext DNS over UDP is the cockroach of network protocols — it's everywhere, it's ugly, and it survives anything. Here's what it exposes you to:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;On-path tampering:&lt;/strong&gt; Any device between your client and the resolver can modify DNS responses. This isn't theoretical — I've seen attackers redirect traffic to phishing pages by poisoning ARP tables and injecting fake DNS responses.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Passive surveillance:&lt;/strong&gt; Your DNS queries reveal every service, every internal hostname, and every external dependency you have. An attacker who sniffs your DNS traffic knows your infrastructure better than your CMDB does.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cache poisoning at the network edge:&lt;/strong&gt; If an attacker can inject a single fake DNS response before the legitimate one arrives, your resolver caches it for the TTL. This is how the Kaminsky attack worked, and it's still effective against poorly configured resolvers.&lt;/p&gt;

&lt;p&gt;The false comfort of "internal network" security needs to die. In 2026, your internal network is not a trusted zone — it's a blast radius. If you're still running &lt;code&gt;dnsmasq&lt;/code&gt; with no encryption, you're basically leaving the keys in the ignition with the engine running.&lt;/p&gt;

&lt;p&gt;Here's what plaintext DNS looks like on the wire — run this on any server that's doing DNS queries:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Capture a single DNS query to show how much leaks&lt;/span&gt;
tcpdump &lt;span class="nt"&gt;-i&lt;/span&gt; any &lt;span class="nt"&gt;-X&lt;/span&gt; &lt;span class="nt"&gt;-c&lt;/span&gt; 1 &lt;span class="s1"&gt;'udp port 53 and dst port 53'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will show your query in clear text: hostnames, timestamps, and source IPs. Every network hop between you and the resolver sees this. If you're thinking "but we use DNSSEC," you're missing the point — DNSSEC validates response integrity but does nothing for confidentiality or transport security.&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/deploying-encrypted-dns-internally-doh-and-dot-guide/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>dnssecurity</category>
      <category>encrypteddns</category>
      <category>devsecops</category>
      <category>networkhardening</category>
    </item>
    <item>
      <title>Proxmox SDN: Software-Defined Networking for Multi-Node Clusters</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Fri, 03 Jul 2026 14:15:03 +0000</pubDate>
      <link>https://dev.to/hugovalters/proxmox-sdn-software-defined-networking-for-multi-node-clusters-452p</link>
      <guid>https://dev.to/hugovalters/proxmox-sdn-software-defined-networking-for-multi-node-clusters-452p</guid>
      <description>&lt;p&gt;I got the call at 2:47 AM. A junior admin had deleted a VNet while five production VMs were running. All of them dropped off the network simultaneously. The &lt;code&gt;/etc/pve/sdn/&lt;/code&gt; directory had no backups. We spent the next four hours reconstructing VNI-to-VLAN mappings from memory and stale monitoring logs. That was the night I stopped treating Proxmox SDN as optional infrastructure and started treating it like a core system that demands the same rigor as your storage backend.&lt;/p&gt;

&lt;p&gt;This guide is for senior DevOps and sysadmins running Proxmox clusters with more than three nodes. If you're still editing &lt;code&gt;/etc/network/interfaces&lt;/code&gt; by hand and managing VLANs through a spreadsheet, you're one misconfig away from a production outage. After reading this, you'll be able to deploy VXLAN-based SDN with head-end replication, configure VLAN-backed zones for legacy environments, implement firewall security groups, and avoid the mistakes that cost me that 2 AM call.&lt;/p&gt;

&lt;p&gt;:::note[TL;DR]&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Proxmox SDN abstracts network configuration from hypervisor bridges into zones, VNets, and subnets&lt;/li&gt;
&lt;li&gt;Use VXLAN with head-end replication for clusters over 5 nodes — it scales to ~100 nodes without multicast headaches&lt;/li&gt;
&lt;li&gt;VLAN-backed SDN is a stepping stone: you hit the 4094 VLAN limit faster than you think&lt;/li&gt;
&lt;li&gt;SDN firewalls and security groups provide tenant isolation that VM-level firewalls can't match&lt;/li&gt;
&lt;li&gt;Backup &lt;code&gt;/etc/pve/sdn/&lt;/code&gt; before every change — there's no dry-run mode
:::&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Proxmox VE 7.x or later (SDN is stable since 7.2)&lt;/li&gt;
&lt;li&gt;L3 routing between all cluster nodes (no STP loops)&lt;/li&gt;
&lt;li&gt;At least one dedicated physical NIC or VLAN trunk per node for SDN traffic&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;pvesh&lt;/code&gt; CLI access on any cluster node&lt;/li&gt;
&lt;li&gt;For VXLAN: UDP port 4789 open between all nodes&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Core Concepts – Zones, VNets, and Subnets
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Zones = Network Domains
&lt;/h3&gt;

&lt;p&gt;Zones define the encapsulation method and underlay requirements. Proxmox supports four types: VLAN, VXLAN, EVPN, and Simple. Your choice determines how far your network can scale and how much your network team will hate you.&lt;/p&gt;

&lt;p&gt;I once audited a cluster where a team used a Simple zone for ten nodes. Simple zones are flat Layer 2 domains with no isolation. They learned about broadcast storms when a misconfigured VM generated 200 Mbps of ARP traffic that saturated every host. Use Simple zones only for single-node testing.&lt;/p&gt;

&lt;p&gt;Here's the decision matrix:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Zone Type&lt;/th&gt;
&lt;th&gt;Underlay Requirement&lt;/th&gt;
&lt;th&gt;Max Networks&lt;/th&gt;
&lt;th&gt;Use Case&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;VLAN&lt;/td&gt;
&lt;td&gt;L2 adjacency&lt;/td&gt;
&lt;td&gt;4094&lt;/td&gt;
&lt;td&gt;Small clusters, existing switch infrastructure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;VXLAN&lt;/td&gt;
&lt;td&gt;L3 routing + UDP 4789&lt;/td&gt;
&lt;td&gt;16 million&lt;/td&gt;
&lt;td&gt;Multi-node, multi-site, cloud/colo&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;EVPN&lt;/td&gt;
&lt;td&gt;BGP + VTEP&lt;/td&gt;
&lt;td&gt;Unlimited&lt;/td&gt;
&lt;td&gt;Carrier-grade, dynamic routing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Simple&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Single-node, testing only&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  VNets = Virtual Networks
&lt;/h3&gt;

&lt;p&gt;VNets map to VLAN IDs or VXLAN VNIs. They're your tenant networks. Naming conventions matter: &lt;code&gt;prod-db-vlan100&lt;/code&gt; tells you what it is; &lt;code&gt;vlan100&lt;/code&gt; tells you nothing after you've created fifty of them.&lt;/p&gt;

&lt;p&gt;Here's a VLAN zone configuration:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# /etc/pve/sdn/zones.cfg&lt;/span&gt;
vlan: prod-zone
    &lt;span class="nb"&gt;type &lt;/span&gt;vlan
    bridge vmbr1
    vlan-id 100-500
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This creates a zone named &lt;code&gt;prod-zone&lt;/code&gt; that uses bridge &lt;code&gt;vmbr1&lt;/code&gt; as the trunk interface and allows VLANs 100 through 500. The bridge must exist on every node before Proxmox will activate the zone.&lt;/p&gt;

&lt;h3&gt;
  
  
  Subnets = IPAM and DHCP Integration
&lt;/h3&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/proxmox/proxmox-sdn-software-defined-networking-for-multi-node-clusters/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>proxmox</category>
      <category>sdn</category>
      <category>vxlan</category>
      <category>virtualization</category>
    </item>
    <item>
      <title>How to Protect Your Homelab and API with a Free Self-Hosted WAF (SafeLine Docker Install)</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Thu, 02 Jul 2026 14:15:04 +0000</pubDate>
      <link>https://dev.to/hugovalters/how-to-protect-your-homelab-and-api-with-a-free-self-hosted-waf-safeline-docker-install-575g</link>
      <guid>https://dev.to/hugovalters/how-to-protect-your-homelab-and-api-with-a-free-self-hosted-waf-safeline-docker-install-575g</guid>
      <description>&lt;h3&gt;
  
  
  Why I Stopped Trusting Cloudflare Alone
&lt;/h3&gt;

&lt;p&gt;My site recently crossed 5,000 daily visitors. Sounds like a celebration. What it actually means is that the volume of garbage hitting my server — automated scanners, credential stuffing bots, SQL injection probes — scaled up with the legitimate traffic.&lt;/p&gt;

&lt;p&gt;Cloudflare catches most of it. Most. The remaining 5–10% that leaks through the CDN layer goes straight at your origin, and if you're running APIs or self-hosted services, that origin is the actual target. Enterprise WAFs from Fortinet or F5 would solve this, but they start at thousands of dollars per year. That's not a homelab budget. That's not even a small business budget.&lt;/p&gt;

&lt;p&gt;Enter &lt;strong&gt;SafeLine WAF&lt;/strong&gt; — a completely self-hosted, Docker-based Web Application Firewall with a legitimate free Community Edition. No call-home telemetry. No per-GB pricing that punishes visibility. Just a container that sits between the internet and your services and kills the bad traffic before it reaches your application layer.&lt;/p&gt;

&lt;p&gt;Here is what changed after I deployed it, and exactly how you can do the same in under ten minutes.&lt;/p&gt;




&lt;h3&gt;
  
  
  What SafeLine Actually Does (And What It Doesn't)
&lt;/h3&gt;

&lt;p&gt;Before you deploy anything, understand what you're getting.&lt;/p&gt;

&lt;p&gt;SafeLine is a &lt;strong&gt;reverse proxy WAF&lt;/strong&gt; built on a modified Nginx engine called Tengine. All traffic goes through it first. It inspects each request against a rule engine, blocks anything that looks malicious, and forwards clean traffic to your backend service.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It blocks:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;SQL injection (&lt;code&gt;' OR 1=1&lt;/code&gt;, &lt;code&gt;UNION SELECT&lt;/code&gt;, etc.)&lt;/li&gt;
&lt;li&gt;Cross-site scripting (XSS) payloads in headers and query strings&lt;/li&gt;
&lt;li&gt;Path traversal attacks (&lt;code&gt;../../../etc/passwd&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Scanner and bot fingerprints (Nuclei, sqlmap, Nikto, Masscan)&lt;/li&gt;
&lt;li&gt;Brute force attacks via rate limiting&lt;/li&gt;
&lt;li&gt;HTTP protocol violations&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;It does not replace:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A firewall at the network level (&lt;code&gt;ufw&lt;/code&gt;, &lt;code&gt;iptables&lt;/code&gt;, cloud security groups)&lt;/li&gt;
&lt;li&gt;Proper secrets management&lt;/li&gt;
&lt;li&gt;Input validation in your application code&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;SafeLine is one layer. Defense in depth means you still need the other layers.&lt;/p&gt;




&lt;h3&gt;
  
  
  Community Edition vs Pro — What You Actually Get for Free
&lt;/h3&gt;

&lt;p&gt;The free Community Edition covers everything a homelab or small deployment needs:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Feature&lt;/th&gt;
&lt;th&gt;Community&lt;/th&gt;
&lt;th&gt;Pro&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;WAF protection&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Custom block rules&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Dashboard + analytics&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sites supported&lt;/td&gt;
&lt;td&gt;Unlimited&lt;/td&gt;
&lt;td&gt;Unlimited&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Rate limiting&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CAPTCHA challenges&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Dynamic protection rules&lt;/td&gt;
&lt;td&gt;❌&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Support SLA&lt;/td&gt;
&lt;td&gt;Community&lt;/td&gt;
&lt;td&gt;Priority&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Authentication protection&lt;/td&gt;
&lt;td&gt;Basic&lt;/td&gt;
&lt;td&gt;Advanced&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For a homelab, personal API, or small production deployment: the free tier is enough.&lt;/p&gt;




&lt;h3&gt;
  
  
  Prerequisites
&lt;/h3&gt;

&lt;p&gt;You need:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A Linux server (Debian/Ubuntu/Rocky — anything with Docker support)&lt;/li&gt;
&lt;li&gt;Docker Engine 20.10+ installed&lt;/li&gt;
&lt;li&gt;Docker Compose v2&lt;/li&gt;
&lt;li&gt;Ports &lt;code&gt;80&lt;/code&gt;, &lt;code&gt;443&lt;/code&gt;, and &lt;code&gt;9443&lt;/code&gt; available&lt;/li&gt;
&lt;li&gt;At least 1 GB RAM free&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you don't have Docker installed yet:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-fsSL&lt;/span&gt; https://get.docker.com | sh
systemctl &lt;span class="nb"&gt;enable&lt;/span&gt; &lt;span class="nt"&gt;--now&lt;/span&gt; docker
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h3&gt;
  
  
  Installing SafeLine WAF — The 60-Second Method
&lt;/h3&gt;

&lt;p&gt;SafeLine ships an automated setup script that handles everything: pulls images, creates the &lt;code&gt;docker-compose.yml&lt;/code&gt;, sets up volumes, and starts the stack.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1 — Run the installer:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bash &lt;span class="nt"&gt;-c&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="si"&gt;$(&lt;/span&gt;curl &lt;span class="nt"&gt;-fsSLk&lt;/span&gt; https://waf.chaitin.com/release/latest/setup.sh&lt;span class="si"&gt;)&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The script will ask for an installation directory (default: &lt;code&gt;/data/safeline&lt;/code&gt;). Accept the default unless you have a specific reason to change it.&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/security/safeline-waf-docker-homelab-api-protection/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>security</category>
      <category>docker</category>
      <category>waf</category>
      <category>nginx</category>
    </item>
    <item>
      <title>Proxmox Network Configuration: Bridges, Bonds, and VLANs</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Sun, 28 Jun 2026 09:32:12 +0000</pubDate>
      <link>https://dev.to/hugovalters/proxmox-network-configuration-bridges-bonds-and-vlans-2m5g</link>
      <guid>https://dev.to/hugovalters/proxmox-network-configuration-bridges-bonds-and-vlans-2m5g</guid>
      <description>&lt;p&gt;I once spent a Sunday afternoon restoring a client's 12-node Proxmox cluster because someone thought &lt;code&gt;balance-rr&lt;/code&gt; on a single switch was a good idea. The switch's MAC table filled up in 47 seconds, the STP reconvergence took down their Ceph storage network, and three production databases went read-only. The root cause wasn't a hardware failure — it was a network config that looked fine in a 3-node lab.&lt;/p&gt;

&lt;p&gt;This guide is for senior sysadmins who manage Proxmox in production. You already know how to install Proxmox and create a VM. What you need is the battle-tested knowledge of how to design and debug network configurations that survive kernel updates, switch failures, and junior admin mistakes. By the end, you'll be able to architect multi-VLAN, multi-bond setups with confidence and debug the inevitable failures without panicking.&lt;/p&gt;

&lt;p&gt;:::note[TL;DR]&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Default &lt;code&gt;vmbr0&lt;/code&gt; on a single NIC is for testing, not production&lt;/li&gt;
&lt;li&gt;Use LACP bonding (&lt;code&gt;mode=4&lt;/code&gt;) for any host with redundant paths&lt;/li&gt;
&lt;li&gt;Separate storage traffic (Ceph) from VM traffic with dedicated bridges and VLANs&lt;/li&gt;
&lt;li&gt;Always test network changes with &lt;code&gt;ifreload -a&lt;/code&gt; before rebooting&lt;/li&gt;
&lt;li&gt;Version control your &lt;code&gt;/etc/network/interfaces&lt;/code&gt; files
:::&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Proxmox VE 7.x or 8.x installed (physical or virtual)&lt;/li&gt;
&lt;li&gt;Root shell access to the Proxmox host&lt;/li&gt;
&lt;li&gt;At least two physical NICs if you're following the bonding examples&lt;/li&gt;
&lt;li&gt;A managed switch that supports LACP (802.3ad) and VLAN tagging&lt;/li&gt;
&lt;li&gt;IPMI/iDRAC/iLO access for out-of-band recovery&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Why Default Proxmox Networking Will Bite You in Production
&lt;/h2&gt;

&lt;p&gt;The default Proxmox installer creates a single bridge (&lt;code&gt;vmbr0&lt;/code&gt;) attached to one NIC. This works beautifully for a home lab with three VMs. In production, it's a single point of failure that will fail at the worst possible moment.&lt;/p&gt;

&lt;h3&gt;
  
  
  The "It Worked in My Lab" Trap
&lt;/h3&gt;

&lt;p&gt;Here's the default config that Proxmox generates:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# /etc/network/interfaces — default, dangerous for production&lt;/span&gt;
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This config has exactly one failure domain: &lt;code&gt;eno1&lt;/code&gt;. If that cable gets unplugged, the NIC fails, or the switch port goes down, your entire Proxmox host goes dark. No SSH, no web interface, no VMs.&lt;/p&gt;

&lt;p&gt;I had a client who lost all connectivity during a routine kernel update. The update triggered a driver reload on &lt;code&gt;eno1&lt;/code&gt;, the NIC came back with a different MAC address (thanks to a firmware bug), and the bridge refused to forward traffic. Without a bond for failover, they were down for two hours while someone drove to the datacenter.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Hidden Cost of Complexity
&lt;/h3&gt;

&lt;p&gt;I'm not saying every Proxmox host needs four bonds and eight VLANs. If you're running a single host with three VMs for your home media server, a single bridge is fine. The complexity tax is real — every bond, VLAN, and bridge you add is another thing that can break.&lt;/p&gt;

&lt;p&gt;But if you're running:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A multi-node Proxmox cluster with HA&lt;/li&gt;
&lt;li&gt;Ceph or any other distributed storage&lt;/li&gt;
&lt;li&gt;Multiple tenants with separate network requirements&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then you need proper network segmentation. If you're running Ceph on a single bridge shared with VM traffic, you're already fired. Ceph's OSD heartbeat traffic and replication will fight with your production VMs for bandwidth, and when the cluster gets busy, you'll see OSD flapping and slow requests.&lt;/p&gt;

&lt;h3&gt;
  
  
  The One File to Rule Them All
&lt;/h3&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/proxmox/proxmox-network-configuration-bridges-bonds-and-vlans/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>proxmox</category>
      <category>linuxnetworking</category>
      <category>vlan</category>
      <category>bonding</category>
    </item>
    <item>
      <title>Lock Down SSH: Configuring Two-Factor Authentication (2FA) with Google Authenticator</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Sat, 27 Jun 2026 07:05:49 +0000</pubDate>
      <link>https://dev.to/hugovalters/lock-down-ssh-configuring-two-factor-authentication-2fa-with-google-authenticator-2mf6</link>
      <guid>https://dev.to/hugovalters/lock-down-ssh-configuring-two-factor-authentication-2fa-with-google-authenticator-2mf6</guid>
      <description>&lt;h1&gt;
  
  
  Secure Your Server: Forcing 2FA on SSH Connections
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;🖼️ &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/security/lock-down-ssh-configuring-two-factor-authentication-2fa-with-google-authenticator/" rel="noopener noreferrer"&gt;Image: 'Hacker trying to bypass SSH with Google Authenticator shield' available in the full article here&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Every single day, automated bots and bad actors scan the internet for open &lt;code&gt;Port 22&lt;/code&gt; configurations, attempting to brute-force their way into vulnerable Linux servers. While using SSH Keys is the standard best practice, adding an additional layer of Time-based One-Time Passwords (TOTP) ensures that even if your private key is compromised, the attacker cannot gain access.&lt;/p&gt;

&lt;p&gt;In this guide, we will configure &lt;code&gt;libpam-google-authenticator&lt;/code&gt; on an Ubuntu/Debian server to require both an SSH Key &lt;strong&gt;and&lt;/strong&gt; a 6-digit Google Authenticator code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;A Linux Server (Ubuntu/Debian). &lt;em&gt;For this lab, we are using a highly secured VPS provided by our infrastructure partner, &lt;a href="https:/zone.valtersit.com" rel="noopener noreferrer"&gt;Zone.eu&lt;/a&gt;.&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;Root or &lt;code&gt;sudo&lt;/code&gt; privileges.&lt;/li&gt;
&lt;li&gt;The Google Authenticator app (or Authy/Bitwarden) installed on your smartphone.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Valters IT YouTube Tutorial
&lt;/h2&gt;




&lt;h2&gt;
  
  
  Step 1: Install the PAM Authenticator Module
&lt;/h2&gt;

&lt;p&gt;First, update your package list and install the required Google Authenticator PAM (Pluggable Authentication Module).&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sudo apt update&lt;/code&gt;&lt;br&gt;
&lt;code&gt;sudo apt install libpam-google-authenticator -y&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2: Generate the TOTP Secret
&lt;/h2&gt;

&lt;p&gt;Run the authenticator command as the user you use to log in via SSH (do not run this as root unless you explicitly log in as root).&lt;/p&gt;

&lt;p&gt;&lt;code&gt;google-authenticator&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The terminal will prompt you with a series of questions:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Make tokens time-based?&lt;/strong&gt; Press &lt;code&gt;y&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;A giant QR code will appear in your terminal. &lt;strong&gt;Scan this with your authenticator app.&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Save your emergency scratch codes&lt;/strong&gt; in a secure password manager. If you lose your phone, these are your only way back in!&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Update your ~/.google_authenticator file?&lt;/strong&gt; Press &lt;code&gt;y&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Disallow multiple uses of the same token?&lt;/strong&gt; Press &lt;code&gt;y&lt;/code&gt; (Protects against replay attacks).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Increase time skew window?&lt;/strong&gt; Press &lt;code&gt;n&lt;/code&gt; (Unless you have severe clock drift issues).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Enable rate-limiting?&lt;/strong&gt; Press &lt;code&gt;y&lt;/code&gt; (Limits to 3 logins every 30 seconds).&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  Step 3: Configure PAM for SSH
&lt;/h2&gt;

&lt;p&gt;Now, we need to tell the PAM system to require the Google Authenticator module for SSH connections.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sudo nano /etc/pam.d/sshd&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Scroll to the bottom of the file and add the following line:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;# Require Google Authenticator 2FA&lt;/code&gt;&lt;br&gt;
&lt;code&gt;auth required pam_google_authenticator.so&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Save and exit the file (CTRL+O, Enter, CTRL+X).&lt;/p&gt;




&lt;h2&gt;
  
  
  Step 4: Force SSH Daemon to Require 2FA
&lt;/h2&gt;

&lt;p&gt;By default, SSH might skip 2FA if you are using an SSH Private Key. We need to explicitly tell the SSH daemon to require &lt;strong&gt;both&lt;/strong&gt; the public key and the interactive keyboard prompt (which will ask for the 2FA code).&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sudo nano /etc/ssh/sshd_config&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Find and modify (or add) the following directives in the file:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;# Ensure PAM is enabled&lt;/code&gt;&lt;br&gt;
&lt;code&gt;UsePAM yes&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;# Allow interactive keyboard authentication&lt;/code&gt;&lt;br&gt;
&lt;code&gt;KbdInteractiveAuthentication yes&lt;/code&gt;&lt;br&gt;
&lt;code&gt;# Note: On older versions of Ubuntu, this might be called 'ChallengeResponseAuthentication yes'&lt;/code&gt;&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/security/lock-down-ssh-configuring-two-factor-authentication-2fa-with-google-authenticator/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>ssh</category>
      <category>linux</category>
      <category>2fa</category>
      <category>security</category>
    </item>
    <item>
      <title>Split Tunneling: Performance vs Security in the Remote Work Era</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Sun, 03 May 2026 12:33:03 +0000</pubDate>
      <link>https://dev.to/hugovalters/split-tunneling-performance-vs-security-in-the-remote-work-era-2bmf</link>
      <guid>https://dev.to/hugovalters/split-tunneling-performance-vs-security-in-the-remote-work-era-2bmf</guid>
      <description>&lt;p&gt;I recently sat in a boardroom where a non-technical CISO was pounding the table, demanding that every single byte of data from 500 remote employees be forced through the corporate VPN. "Full Tunneling is the only way to ensure security!" he shouted. &lt;/p&gt;

&lt;p&gt;Meanwhile, back in the server room, the network engineers were watching the office's primary 1Gbps fiber uplink choke to death. Why? Because half the staff was working from home with Netflix running in the background, or downloading 50GB Call of Duty updates, and all that irrelevant, non-business traffic was being hauled across the country into our datacenter, decrypted, inspected by a firewall that was never sized for that much throughput, and then shoved back out to the internet.&lt;/p&gt;

&lt;p&gt;Congratulations. You’ve successfully "secured" your network by making it completely unusable for everyone. &lt;/p&gt;

&lt;p&gt;If your "Security Policy" involves turning your office into a bottlenecked proxy for the entire internet's entertainment traffic, you aren't an architect; you're a glutton for punishment. It’s 2026. We have the tools to be surgical. It’s time to talk about Split Tunneling—the right way.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics: Full Tunneling (The "Hammer" Approach)
&lt;/h3&gt;

&lt;p&gt;In a Full Tunnel configuration, the VPN client modifies the operating system's routing table to set the "Default Gateway" to the virtual VPN interface. In networking terms, we are pushing a &lt;code&gt;0.0.0.0/0&lt;/code&gt; route into the tunnel.&lt;/p&gt;

&lt;h4&gt;
  
  
  1. The Bottleneck Problem
&lt;/h4&gt;

&lt;p&gt;When a remote worker is on a Full Tunnel, their computer says: "I don't care if I'm looking for a spreadsheet on the internal file server or a cat video on YouTube—send it all to the VPN." &lt;/p&gt;

&lt;p&gt;This creates a massive "tromboning" effect. A packet goes from the user's home in New York, to the office in Chicago, gets inspected, and then goes back out to a server in Virginia. This adds massive latency (RTT) and consumes twice the bandwidth on your corporate circuit—once for the "ingress" from the user, and once for the "egress" to the destination. &lt;/p&gt;

&lt;h4&gt;
  
  
  2. The False Sense of Security
&lt;/h4&gt;

&lt;p&gt;Admins love Full Tunneling because it allows them to use their expensive "Next-Gen" Firewalls to perform Deep Packet Inspection (DPI) on all user traffic. They think they are catching malware. In reality, most malware today is delivered over encrypted HTTPS (TLS 1.3) with Certificate Pinning. Unless you are performing invasive SSL decryption (which breaks half the modern web and opens its own can of privacy worms), your firewall is just watching encrypted blobs fly by. You are killing your performance for a security benefit that is largely theoretical for most remote workloads.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics: Split Tunneling (The "Scalpel" Approach)
&lt;/h3&gt;

&lt;p&gt;Split Tunneling is the practice of only sending specific, corporate-owned IP ranges through the VPN tunnel. Your internet traffic (Google, YouTube, Office 365) goes out through your local home ISP, while your internal traffic (Jira, GitLab, Database) goes through the VPN.&lt;/p&gt;

&lt;h4&gt;
  
  
  1. The Routing Logic
&lt;/h4&gt;

&lt;p&gt;Instead of &lt;code&gt;0.0.0.0/0&lt;/code&gt;, the VPN client only adds specific routes—like &lt;code&gt;10.0.0.0/8&lt;/code&gt; or &lt;code&gt;192.168.50.0/24&lt;/code&gt;—to the tunnel interface. The OS sees that a request for &lt;code&gt;10.0.5.20&lt;/code&gt; matches the specific VPN route, but a request for &lt;code&gt;8.8.8.8&lt;/code&gt; falls back to the default local gateway.&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/split-tunneling-performance_vs_security_in_the_remote_work_era/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>networking</category>
      <category>vpn</category>
      <category>remotework</category>
      <category>security</category>
    </item>
    <item>
      <title>Tailscale &amp; ZeroTier: Why You're Fighting CGNAT and Losing</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Sat, 02 May 2026 12:33:03 +0000</pubDate>
      <link>https://dev.to/hugovalters/tailscale-zerotier-why-youre-fighting-cgnat-and-losing-4h5c</link>
      <guid>https://dev.to/hugovalters/tailscale-zerotier-why-youre-fighting-cgnat-and-losing-4h5c</guid>
      <description>&lt;p&gt;I recently talked to a developer who spent three days trying to set up a WireGuard tunnel to his home server. He had the config perfect. He had the port forwarded on his router. He had the dynamic DNS updating every five minutes. But no matter what he did, he couldn't get a handshake. &lt;/p&gt;

&lt;p&gt;I told him to check his WAN IP on his router and compare it to what "WhatIsMyIP" told him. Sure enough, his router showed a &lt;code&gt;100.64.x.x&lt;/code&gt; address. &lt;/p&gt;

&lt;p&gt;"You're behind CGNAT," I said. "Your ISP isn't giving you a public IP. You're effectively behind a firewall that you don't own and can't control. You can't forward a port if the port doesn't belong to you."&lt;/p&gt;

&lt;p&gt;If you’re still trying to use traditional "inbound" VPNs in an era where ISPs are hoarding IPv4 addresses like digital dragons, you aren't fighting a technical battle; you're fighting a losing war against the exhaustion of the internet's address space. It’s 2026. If you want to connect your devices without losing your mind to "Double NAT" hell, it’s time to embrace the "magic" of overlay networks like Tailscale and ZeroTier.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Rant: The CGNAT Death Trap
&lt;/h3&gt;

&lt;p&gt;Carrier-Grade NAT (CGNAT), specifically defined in RFC 6598, is the ISP's solution to the fact that we ran out of IPv4 addresses years ago. Instead of giving every customer a unique public IP, the ISP puts thousands of customers behind a single public IP. Your router gets a private address in the &lt;code&gt;100.64.0.0/10&lt;/code&gt; range. &lt;/p&gt;

&lt;p&gt;This works fine for 99% of people who just want to browse TikTok. But the moment you want to host a VPN, a Minecraft server, or a Plex instance, you hit a brick wall. Because you don't have a unique public IP, there is no way for a packet from the outside world to "find" your router. Traditional port forwarding is dead. &lt;/p&gt;

&lt;p&gt;You can call your ISP and beg for a "Static IP" (which they will happily charge you $15/month for), or you can stop living in the past and use a mesh VPN that was designed to handle this exact nightmare.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics: How the "Magic" Works
&lt;/h3&gt;

&lt;p&gt;Tailscale and ZeroTier are often described as "magic" because you just install them, log in, and suddenly your devices can talk to each other as if they were on the same switch, regardless of firewalls, NAT, or CGNAT. &lt;/p&gt;

&lt;p&gt;This isn't magic; it's sophisticated orchestration using three core technologies: &lt;strong&gt;STUN&lt;/strong&gt;, &lt;strong&gt;TURN&lt;/strong&gt;, and &lt;strong&gt;UDP Hole Punching&lt;/strong&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  1. STUN (Finding the Exit)
&lt;/h4&gt;

&lt;p&gt;STUN (Session Traversal Utilities for NAT) is how a device finds out what it "looks like" to the outside world. Your server sends a packet to a STUN server on the public internet. The STUN server replies: "Hey, I saw your packet coming from public IP &lt;code&gt;203.0.113.5&lt;/code&gt; on port &lt;code&gt;54321&lt;/code&gt;." &lt;/p&gt;

&lt;p&gt;Now your server knows its external "mapped" address.&lt;/p&gt;

&lt;h4&gt;
  
  
  2. UDP Hole Punching (The Handshake)
&lt;/h4&gt;

&lt;p&gt;This is the brilliant part. Most firewalls are "stateful." They block incoming packets by default, but they allow outgoing packets. Crucially, if you send an outgoing UDP packet to a destination, the firewall opens a temporary "hole" to allow a response from that same destination to come back in.&lt;/p&gt;

&lt;p&gt;Tailscale’s coordination server tells both Peer A and Peer B: "Okay, both of you send a UDP packet to each other's mapped STUN addresses &lt;em&gt;at the same time&lt;/em&gt;." &lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/tailscale_zerotier-why_youre_fighting_cgnat-and-losing/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>networking</category>
      <category>vpn</category>
      <category>tailscale</category>
      <category>cgnat</category>
    </item>
    <item>
      <title>The MTU Nightmare: Why Your VPN Connection is Fragmenting to Death</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Fri, 01 May 2026 12:33:04 +0000</pubDate>
      <link>https://dev.to/hugovalters/the-mtu-nightmare-why-your-vpn-connection-is-fragmenting-to-death-4he7</link>
      <guid>https://dev.to/hugovalters/the-mtu-nightmare-why-your-vpn-connection-is-fragmenting-to-death-4he7</guid>
      <description>&lt;p&gt;I’ve lost count of how many times I’ve had to explain this to "Senior" DevOps engineers who think they’ve discovered a ghost in the machine. The symptoms are always the same: The VPN tunnel is "Up." You can ping the remote gateway. You can even SSH into the server. But the moment you run &lt;code&gt;ls -al&lt;/code&gt; in a directory with 500 files, or try to &lt;code&gt;scp&lt;/code&gt; a database dump, the terminal just... hangs. &lt;/p&gt;

&lt;p&gt;The website starts to load—you see the favicon and the title in the tab—and then it spins forever, eventually timing out with a "Connection Reset." &lt;/p&gt;

&lt;p&gt;You check the logs. Nothing. You check the CPU. Idle. You check the bandwidth. Plenty. &lt;/p&gt;

&lt;p&gt;Congratulations. You aren't being hacked, and your app isn't buggy. You are suffering from an &lt;strong&gt;MTU mismatch&lt;/strong&gt;, and your packets are being ruthlessly discarded by a "black hole" router that someone—likely a junior security admin with an itchy trigger finger—configured to block the very protocol meant to prevent this exact disaster.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics: The 1500-Byte Delusion
&lt;/h3&gt;

&lt;p&gt;To understand why your VPN is dying, you have to understand the &lt;strong&gt;Maximum Transmission Unit (MTU)&lt;/strong&gt;. On a standard Ethernet network, the MTU is almost universally 1500 bytes. This is the largest frame that can be sent across the physical wire without being broken into pieces.&lt;/p&gt;

&lt;p&gt;When your application sends a packet, it assumes it has 1500 bytes of "room." It builds a 1500-byte IP packet. But your application is inside a VPN tunnel.&lt;/p&gt;

&lt;h4&gt;
  
  
  1. The VPN Tax (Overhead)
&lt;/h4&gt;

&lt;p&gt;A VPN is an encapsulation protocol. It takes your original 1500-byte packet and wraps it inside &lt;em&gt;another&lt;/em&gt; packet (the tunnel header) to send it across the internet. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;WireGuard&lt;/strong&gt; adds roughly 60-80 bytes of overhead.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OpenVPN&lt;/strong&gt; or &lt;strong&gt;IPsec&lt;/strong&gt; can add 60 to 100+ bytes depending on the cipher and padding.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your original packet was already 1500 bytes, and you add 80 bytes of WireGuard headers, you now have a 1580-byte packet. When that packet hits the physical network interface, the OS realizes it’s too big for the 1500-byte limit of the physical wire.&lt;/p&gt;

&lt;h4&gt;
  
  
  2. Fragmentation vs. The "Don't Fragment" Bit
&lt;/h4&gt;

&lt;p&gt;In a perfect world, the router would just "fragment" the packet—break it into two smaller pieces. But modern TCP/IP implementations almost always set the &lt;strong&gt;DF (Don't Fragment)&lt;/strong&gt; bit. Why? Because fragmentation is computationally expensive and introduces massive latency. &lt;/p&gt;

&lt;p&gt;When a 1580-byte packet with the DF bit set hits a router with a 1500-byte MTU, the router is supposed to drop the packet and send back an ICMP message: &lt;strong&gt;Type 3, Code 4: "Destination Unreachable, Fragmentation Needed and DF set."&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This message includes the "Next-Hop MTU," telling the sender exactly how small the packet needs to be to fit. This process is called &lt;strong&gt;Path MTU Discovery (PMTUD)&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  The "Black Hole" Router: A Security Admin's Crime
&lt;/h3&gt;

&lt;p&gt;Here is where the nightmare begins. Many "security-conscious" admins think that ICMP is "scary" or "dangerous." They configure their firewalls to &lt;code&gt;DROP&lt;/code&gt; all ICMP traffic, thinking they are hiding from pings. &lt;/p&gt;

&lt;p&gt;By dropping all ICMP, they have effectively blinded the network. Your server sends the 1580-byte packet. The intermediate router drops it and sends the "Fragmentation Needed" message. Your firewall sees the ICMP message, thinks it’s an attack, and drops it. &lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/the-mtu-nightmare-why_your_vpn_connection_is_fragmenting_to_death/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>networking</category>
      <category>vpn</category>
      <category>mtu</category>
      <category>troubleshooting</category>
    </item>
    <item>
      <title>VLAN Segmentation: Why Your Smart Fridge Shouldn't Talk to Your File Server</title>
      <dc:creator>Hugo | DevOps | Cybersecurity</dc:creator>
      <pubDate>Tue, 28 Apr 2026 12:33:04 +0000</pubDate>
      <link>https://dev.to/hugovalters/vlan-segmentation-why-your-smart-fridge-shouldnt-talk-to-your-file-server-2j63</link>
      <guid>https://dev.to/hugovalters/vlan-segmentation-why-your-smart-fridge-shouldnt-talk-to-your-file-server-2j63</guid>
      <description>&lt;p&gt;I recently audited a homelab belonging to a "Senior Developer" who had over $10,000 worth of enterprise-grade server hardware. He had a 100TB ZFS storage array, three Proxmox nodes, and a dedicated Opnsense firewall. But when I looked at his network map, I nearly walked out. &lt;/p&gt;

&lt;p&gt;Everything—his production database, his high-end workstation, his guest's iPhones, and thirty-five unpatched, $5 Chinese-made smart lightbulbs—was sitting on a single, flat &lt;code&gt;192.168.1.0/24&lt;/code&gt; subnet. &lt;/p&gt;

&lt;p&gt;"It makes it easier for the apps to find the devices," he told me. &lt;/p&gt;

&lt;p&gt;If your definition of "easier" is providing a friction-less, high-speed highway for a Russian botnet to move from your $12 smart fridge to your corporate file server, then sure, a flat network is "convenient." But in the world of modern network architecture, a flat network is a sign of fundamental laziness. If you aren't segmenting your traffic, you aren't running a secure network; you're just hosting a digital mosh pit where the guy with the most infectious disease gets to hug everyone else.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics: The "Inside-Out" Attack
&lt;/h3&gt;

&lt;p&gt;To understand why a flat network is a disaster, you have to understand the concept of &lt;strong&gt;Lateral Movement&lt;/strong&gt;. &lt;/p&gt;

&lt;p&gt;Most hobbyists and junior admins think of security as a "perimeter" problem. They build a big, thick wall at the edge of the network (the firewall) and assume everything inside the wall is "trusted." This is an archaic 1990s mentality. &lt;/p&gt;

&lt;h4&gt;
  
  
  1. The IoT Trojan Horse
&lt;/h4&gt;

&lt;p&gt;IoT devices—your smart cameras, lightbulbs, vacuum cleaners, and fridges—are notorious for having the security posture of a wet paper bag. They run ancient, unpatched Linux kernels (often 2.6.x), they have hardcoded "backdoor" credentials for manufacturer testing, and they almost never receive security updates. &lt;/p&gt;

&lt;p&gt;When an attacker finds a vulnerability in that $12 Wi-Fi camera you bought on a whim, they don't use it to watch you sleep. They use it as a persistent, low-power pivot point. Because that camera is on the same subnet as your file server, the attacker is already "inside." They don't have to bypass your $500 firewall. They are already standing in your living room.&lt;/p&gt;

&lt;h4&gt;
  
  
  2. ARP Spoofing and Scanning
&lt;/h4&gt;

&lt;p&gt;Once an attacker has a foothold on a single "dirty" device in a flat network, the entire subnet is at their mercy. They can perform &lt;strong&gt;ARP Spoofing&lt;/strong&gt; (Man-in-the-Middle) to intercept your unencrypted traffic. They can run &lt;code&gt;nmap&lt;/code&gt; scans to find every open port on your NAS. They can attempt to exploit known vulnerabilities in your PC. &lt;/p&gt;

&lt;p&gt;In a flat network, there is no internal gatekeeper. Every device can "see" every other device. A compromise of the least secure device on your network is, by extension, a compromise of the most secure device on your network.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Mechanics of the Fix: 802.1Q and Isolation
&lt;/h3&gt;

&lt;p&gt;The Senior Network Architect's fix is &lt;strong&gt;Micro-Segmentation via VLANs (Virtual Local Area Networks)&lt;/strong&gt;. &lt;/p&gt;

&lt;p&gt;Using the IEEE 802.1Q standard, we can take a single physical switch and "slice" it into multiple logical networks. Each slice is a separate broadcast domain. A device on VLAN 10 cannot even "see" a device on VLAN 20 unless you explicitly configure a router (and a firewall) to allow that traffic.&lt;/p&gt;

&lt;h4&gt;
  
  
  The 3-VLAN Blueprint
&lt;/h4&gt;

&lt;p&gt;For a secure home or small office, you need a minimum of three distinct zones:&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ DECLASSIFIED / TRUNCATED VERSION&lt;/strong&gt;&lt;br&gt;
You are reading a truncated version of this technical guide. &lt;br&gt;
To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), &lt;strong&gt;&lt;a href="https://www.valtersit.com/guides/networking/vlan_segmentation-why_your_smart_fridge_shouldn-t_talk_to_your_file-server/" rel="noopener noreferrer"&gt;visit the original post on Valters IT Docs&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>networking</category>
      <category>vlan</category>
      <category>iot</category>
      <category>security</category>
    </item>
  </channel>
</rss>
