In incus, I had the same setup of an LCX container with a Docker container inside of it. I passed 1000/1000 to the LXC container but the LXC container’s default root user has a an ID set of 0/0. So I had to pass 0/0 to the Docker container, not 1000/1000 to get the read/write permissions working.

That may fix your issue as it’s basically the same tech, just different automated things implementing the LXC container!

Good to know Proxmox’s bad updates are more pervasive than the latest bad update.

I have been able to install Docker in the LXC containers and pull images in with the normal commands. I do that container-in-container to get effectively rootless docker containers for stuff that I couldn’t figure out how to run rootless. So you don’t even lose out on docker if you’re determined! And as you said incus goes on any OS, you can docker just fine on the base OS of your choice and use incus for specific things!

Try a diff email if you do want one, a friend recently got one via email signup and wait a few weeks. But I do abs agree it fuckin sucks you have to do any of this effort to get one, it is just enabling scalpers

I do use it to hold internet-exposed things in LXC containers to sidestep having to figure out how to not run things as Docker root.

You do not need it for everything, but since it’s not an OS that makes it your everything, that’s ok! Run Docker containers as you need, put internet-exposed ones in an LXC container, put home assistant in a VM because it’s special.

Ah, I was wondering which one you updated and it made your containers inaccessible!

You have to sign up for the in stock notifications, annoying but it works in a delayed fashion. Sad it does enable scalpers.

Incus or Proxmox (e.g., should I shift to Incus LTS or something?)

Incus is way easier to work with than Proxmox, and it sits on your OS of choice instead of being the OS you must use. For home use it’s way easier to use with the web ui, it even has clustering if you want to go hard.

So you can install Incus when you want a VM/LXC container and not have to commit to a VM/LXC container OS from the start.

Also Proxmox free just had a bad update that björked some stuff if you updated when it was live. Proxmox free is rolling and apparently lacks basic sanity checks for updates.

Your budget is really near a https://store.ui.com/us/en/collections/unifi-dream-router/products/udr Unifi dream router. Your family is gonna be way happier with you (0 downtime) and it’ll give you extender options if you ever need it. Unifi is good enough and they update regularly, just disable cloud access stuff and you’re good.

Otherwise you want Opnsense instead of Openwrt. The upgrade process for Openwrt is not automatic, while Opnsense is. Worth it not to have to dote on your router.

And you should get an access point (Unifi something or Tplink Omsomething), wifi is problematic with openwrt and I’m not sure if opensense even lets you do it (haven’t tried).

And you’ll need a switch, dumb or managed, up to you if you want VLANs. The Opnsense box will have just one LAN port, so it requires a switch if you want to plug more than one thing into it. A switch with PoE+ can power the access point directly.

Opnsense needs x64 arch (Intel or AMD CPUs), get a small thin client like a Dell Wyse 5070 extended or HP T730 or that mentioned Fujitsu Futro S720 (its CPU is old tho, you can do better). There may be newer thinclients, you just want a mini PCIe slot to install some Intel gigabit card from eBay with 2 ports. Google power efficient gigabit mini PCIe card - there’s an older model that sucks power and a newer one that doesn’t suck; if you go more than gigabit skip 2.5 on Intel unless you google hard and expect extra power draw. Very limited point to 4 port cards, just go higher gigabit speeds don’t think about multiplexing ports or whatever it is called; and switches switch better than the router can and remove CPU overhead for more actual routing work - 2 port card is the way.

Slap Incus (superior but newer, less guides, LXD is previous name if googling stuff) or Proxmox (good enough, more guides for this) on it, make a VM and pass through the 2 ports of the PCIe cards, slap Opnsense in the VM. Make an LXC container and slap Debian on it and spin up the Unifi controller for your AP. Another container for adguard home or pi hole and you’ve got a box that does the basic nets all in one. The built-in port on the thin client is how you will access the underlying OS, it gets plugged into the switch you’ll have to get. If you got something with 2 gigs of RAM and an AMD Geode/GX or aged Intel Atom CPU I’d just only do Opnsense no hypervisor stuff.

Sorry for the info dump but there’s a lot of angles!

But really, the Unifi dream router is much easier and solves it all-in-one. You need 3 pieces (router, wifi access point, Ethernet switch) for a good experience otherwise.

I followed some guide to put Opnsense on Proxmox. I pass through 2 NICs and set the KVM (using the Proxmox make-a-VM GUI) to be the CPU arch it runs on for that extra speed (but that setting precludes easy transfer to a new box with a different arch). Plenty fast and I run another Linux VM on the same box that does stuff I’d want Opnsense to do (DNS, VPN, etc.).

If I did it again I’d prob do LXD (Incus now), Proxmox has a long startup time and is fiddly to use (to me at least). Looks like Incus can do the same KVM thing, just with less steps and stock Debian.

GPU encoding uses (relatively) simpler fixed function encoders that do it much faster than the CPU which uses its general purpose transistors to run an encoding algorithm. End result is GPU encoding is speedy at the cost of visual quality per bitrate; the file size is bigger for same visual quality as a CPU encode. Importantly for storing your videos - CPU encoding, while much slower, will get your file size smaller at the same visual quality threshold you desire, so you can save more videos per drive!

Yes, it’s recommended to replace the SP4 screen with an SP5 screen - so you can rest easy

Glad yours is usable still! Mine went from fine to unusably flickering within the span of a week, so it set in fast. I babybabied it too hoping to avoid the issue - I guess I just prolonged it till it microsoft wouldn’t fix it anymore. rip fuck this corpo created e waste shit (I use it as a comp strapped to my TV now)

Ditch it, the Surface Pro 4’s are cursed via shit manufacturing.

Its screen will fail sooner or later https://flickergate.com/ . I had one, it started flickering after the “extended” warranty. The display is useless now. Nothing fixes it. At first the flicker stopped if something on the screen moved, so I used this https://github.com/Acie1998/Surface-Pro-Screen-Flicker-Solver to mitigate it. But within a day or two it was worse. I tried a reduced refresh rate, but that did not help by then. It quickly got worse when in use, within minutes after a week of the flickering starting. A used one is just pre-accelerated to its demise.

Replacing the screen - even opening the device - is egregiously dangerous because the screen often cracks when taking it apart. Microsoft abs sucks for making a device that can’t last when it clearly should. (Not to say anything about your specific problems! It sounds like the battery needs to be replaced, but it can run without a battery as far as I know so not sure why it can’t power up with it heavily depleted)

Edit: if you’re going to remove the sceeen, replace the battery and replace the screen with a surface pro 5 screen. They sell them. The batteries get fucked quick cause the heat sink cooks them, so it’s prob the battery causing your problems (mine had shit battery life at its end too)

Here is a blurb from Reddit describing what to get (ifixit apparently sells a surface pro 5 screen as well if you want one degree better than direct China): My advice, if you have a Surface Pro 4 with an Samsung Panel is to replace for an LG Screen from Surface Pro 5/6. You need to buy this LCD cable too for that conversion: M1010537-003

You can check in the device manager which LCD panel you have on your Surface

I did a wireshark packet capture and found the wake-up packet is on UDP 987. I can only capture broadcasts, not specific stuff it looks like. Source: 10.0.69.69(iOS device IP) Destination: 10.0.69.255 Protocol: UDP Length: 105 Info 57477(or 62764, 62335, 60311 as source ports) -> 987 Len=63

Note the IP of the PS4 is 10.0.69.150

I’m not sure what to do with this, though. Nothing I tried worked (e.g., jamming 987 into the IP tables iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A PREROUTING -p udp --dport 987 -j DNAT --to-destination 10.0.69.150:987; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -p udp -d 10.0.69.150 --dport 987 -j SNAT --to-source 10.0.66.10:987 based on https://serverfault.com/questions/586486/how-to-do-the-port-forwarding-from-one-ip-to-another-ip-in-same-network).

Additionally setting the Wireguard mask to 10.0.66.1/16 makes the WG connection not route successfully, and setting the mask in OpnsenseRouter->Interfaces->[LAN]->(under Static IPv4 configuration section) to 16 did nothing. Oh well, this seems beyond me

Setting the WG [Interface] range to 10.0.66.0/16, along with the [Peer] to 10.0.66.10/16, and the Opnsense DHCP range in Interfaces->LAN to /16 made no connection to the internet or local occur.

This feels like banging rocks together hoping for fire - not for me (but maybe reading stuff for a bit will help, maybe)

Who knows indeed, I’m beginning to suspect that it was able to connect via the internet (and that stopped working) and I just never noticed so the VPN was a superfluous extra step.

But I did try in the [Peer] definition setting the allowed IPs to: 10.0.66.10/16 instead of 10.0.66.10/32, which should expand the allowed range to 10.0.69.XXX. Alas, that did not work.

Edit: Also tried assigning the [Peer] to an unused IP in the 10.0.69.XXX range directly, but that made nothing work so not the way either.

I don’t see any - but I guess it makes sense, the Opnsense computer isn’t involved by design in local network activity. The Opnsense comp goes to a switch that all other LAN also connect to, and I assume the switch routes so the Opnsense comp connection doesn’t get bottlenecked. I indeed forgot that’s how it worked till now - thanks for the suggestion, helped me internalize a bit more infrastructure at least!

Where would I set the subnet mask?

I do not understand how to apply most networking concepts effectively - I only run Opnsense to get a router that has actual software updates, not because I now how to use it (no experience with networking otherwise).

In WireGuard I specify the 10.0.66.XX subnet directly without DHCP. In Opnsense, I’m not sure where to look and searching for it didn’t help illuminate anything obvious.