Advise on system architecture

@rui

Which country are you located in?

Thank you all for your inputs. I believe I have my pointers as to hardware. @etorix yes, that’s the seller I got my prices from…

As @etorix pointed out, my main concern now is networking, since the whole point of going with a possibly massive overkill 🙂 would be to be able to serve the two apps (WordPress site and Django app, both exposed to the internet) from the NAS and thus exposing it to the internet.

I am considering bridging the ISP router to an OPNsense box, but I still do not have a clear idea of how to approach the problem. Moreover, I can do some subnetting and port forwarding, but my networking skills are somewhat limited, as AWS takes care of most of that for me. At this point I am not even sure it can be done securely.

@dan I see you on an OPNsense thread; do you happen to have any contribution to this discussion?

Looking forward to hearing from you and thank you all again for your inputs. I have learned more from this discussion than from a week of research.

Portugal

Replacing the dodgy ISP routers is very feasible, unless you’re stuck with coax and DOCSIS. The IPTV component is not difficult to get working; the only tricky hurdle is getting a fiber modem authenticated if you do not already have a separate modem (you’d need one that works with the ISP’s equipment and the password, which you can obtain from most technicians the next time a fiber cable mysteriously stops working - a small token of your appreciation for the services rendered goes a long way).

For Vodafone Portugal, there were some write-ups on a local forum. Haven’t been there in a while because I strongly dislike their approach to moderation. Don’t know the details for other ISPs.

2 Likes

Then an MC12-LE0 with an ECC-capable Ryzen 3000/5000 (no need for an APU, as there’s IPMI for setting up) will come even cheaper than the X11SRM while still being sufficient for your stated needs. It only lacks enough SATA ports for all bays in the Node 804, but if you only need “about 6 TB” you’re not going to fill the case.

1 Like

In my case–and I’m on “business-class” Internet at home, and in .us, so things could very well be different–I was able to have my ISP put their modem into “bridge mode,” passing everything through to my OPNsense box (and to my pfSense box before that). From there, I open ports 80 and 443 on the OPNsense box, and install Caddy to act as a reverse proxy to those of my internal services I want to expose to the Internet: Bitwarden, Ombi, Minio, and Wiki.js. The configuration is simple enough[1].

The problem comes, potentially, with your ISP. If they block ports, as many residential ISPs do in .us, that could be a problem, especially if one of those is port 80 and they won’t unblock it. If they use CGNAT, that will be a big problem.


[1] See, e.g., the OPNsense docs for Caddy.

3 Likes
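A minimal Caddyfile for the setup described above, added here as an example and not the poster’s own configuration; the hostnames, contact e-mail and LAN backend addresses are assumed placeholders.

```caddyfile
# Added example; hostnames, e-mail and backend addresses are assumed placeholders.
{
	# ACME account contact; Caddy obtains and renews certificates automatically.
	email admin@example.com
}

# WordPress site on a LAN host. Caddy terminates TLS on 443 and
# redirects plain HTTP on 80 to HTTPS; the backend itself is never
# reachable from the internet.
blog.example.com {
	reverse_proxy 192.168.10.20:8080
	encode gzip
	header {
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options "nosniff"
		# Drop the upstream Server banner.
		-Server
	}
	log {
		output file /var/log/caddy/blog.access.log
	}
}

# Django app behind gunicorn on another LAN host. Caddy sets
# X-Forwarded-For / X-Forwarded-Proto by default; Django must be told to
# trust them (SECURE_PROXY_SSL_HEADER, ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS)
# so redirects and CSRF checks see the public scheme and host.
app.example.com {
	reverse_proxy 192.168.10.21:8000
	encode gzip
	header {
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options "nosniff"
		-Server
	}
	log {
		output file /var/log/caddy/app.access.log
	}
}
```

On the OPNsense side only TCP 80 and 443 are forwarded to the Caddy host; the WordPress and Django backends need no inbound rules of their own. If the ISP blocks inbound port 80, Caddy can still obtain certificates through the TLS-ALPN-01 challenge on 443.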

😱 Here in the Netherlands, not only does my ISP let customers open ports as they wish, it allows them to install their own cable/fibre modem!

1 Like

The latter is pretty common here as well. The former, well, it depends on the ISP and the port in question. It seems to be the case that most residential Internet here blocks port 80 inbound, though not port 443.

Located in Portugal too :grin:
I run OPNsense behind a 4G Router in Bridge Mode with a Vodafone Portugal prepaid SIM card with unlimited data - no landline here…

For exposed Services to the Internet: I use Cloudflare Tunnels

3 Likes

@dan thanks, that seems very feasible. ISPs here do not get in the way. I am already bridging two routers from two different service providers with no issues.

@DigitalMinimalist thank you, fellow countryman 🙂 I am using Cloudflare already for both apps, and doing the tunnels seems like a good idea. I take it ports 80 and 443 are no different from any other port?

What about the whole CORE/SCALE thing? I would be more comfortable using Linux VMs for the apps… any inputs on this topic? Thanks.

tl;dr: at this point, unless you have a strong aversion to Linux or preference for FreeBSD, SCALE. It’s been the near-exclusive focus of iX’ development efforts for 3+ years[1], and there’s no sign of that changing. For more, see:


[1] Yes, they’re still working on CORE–in the sense of releasing 13.0 and its various patch releases, and theoretically getting 13.3 out in the next couple of months–but no significant new features have been added for years, and none are coming.

3 Likes

@dan thanks, SCALE it is. How are you doing your apps? Are there any constraints on using VMs specific to TrueNAS?

All of my apps except for Storj are from TrueCharts. I run them on their own pool consisting of two 2 TB NVMe SSDs, mirrored.

I’ve done very little with VMs on TrueNAS; that’s what I have a Proxmox cluster for.

1 Like

If you’re used to installing your apps, you may want to look into jailmaker as a lighter alternative to VMs.

3 Likes

Especially since there is overhead with Kubernetes.

1 Like

Thank you all for your inputs. I guess I have food for thought for another week of research and then go hands-on. Perhaps I can do a small lab with ESXi to experiment a bit.

The bigger issue is usually that home users do not have much of a perimeter device beyond their ISP’s router, and thus little to no control over any type of filtering, geo blocks, et cetera. And since ISP routers can have exploits that are seldom quickly patched, that opens things up to more potential compromise.

So if you do run OPNsense, great: use the equivalent of pfBlocker on pfSense, geo block as many country ranges as you can inbound, and even outbound. Also set up blocking of DNS requests so devices on your network can only use your OPNsense for DNS. From there, you could use other plugins to monitor anything questionable, but that can get ugly fast!

My biggest concern is always that you are exposing your storage system and the rest of your network to the internet through various possible means, vs hosting such a small app on AWS, or even something else that could be close to free or dirt cheap, and you get better uptime vs a home connection.

1 Like

My ISP forces updates on the firmware; the flip side is that I have no control over its hardware’s firmware, nor root access… jailbreaking it is possible, but it’s a PIA and not really worth it imho.

Generally, if you run TrueNAS you should be aware of what your router does and does not do, and spending some time learning about it would be a good investment; actually, everyone should spend some time understanding the tech they bring into their home, but…

In general, I feel there is a lack of awareness [in society] as well as little effort to improve this situation.

1 Like

Update for future memory: dedicated NAS up and running. Currently experimenting with Proxmox on a separate box to host the VMs. Still pondering whether to virtualize OPNsense on Proxmox or not…

@dan you mentioned you have chained pfSense and OPNsense boxes. Is one bare-metal and one virtualized? Why both?

No, I have one router. It used to run pfSense; now it runs OPNsense and has for the past three years or so. I like the idea of putting two in parallel for high availability, but haven’t yet pulled the trigger on that.