Very good, that makes things much easier. Has been a while since I used pihole but when I did I used pihole to serve the internal IPs.
This is the perfect opportunity to set up a pihole. Its primary purpose is to block ads network wide but since it is essentially a DNS with a block list you can also set custom dns-entries.
No problem, happy to help. Since I am not sure about your knowledge-level I will start from the basics, namely your ISP router.
It is in fact several devices in one:
A modem: The Modulator / Demodulator converts the signal from whatever standard they use on the cable net (likely some version of DOCSIS) into something the rest of your network can understand.
A router: This routes network packets between different networks. In your case that would be your internal network (probably 192.168.X.X) and the internet. Everytime different networks need to talk to each other a router will be needed between them. It also does NAT which is explained well here.
A firewall: While a router can guide a packet to where it needs to go, it can not decide whether it is welcome there. A firewall can check packets according to various configured criteria and decide to pass or block it. Very helpful to keep the FSB out of your porn collection.
A switch: Functions as a sort of central interconnect between wired devices. Much like an old telephone exchange where ladies would literally connect plugs with wires to create a direct connection between callers. The one in your ISP provided device is likely an “L2 dumb switch” <- more on this later.
A wifi access point: Very simplified basically a switch that works with radio waves instead of physical wires. Again, very simplified.
This is all very nice and comfortable for your basic home user. But it also greatly limits your options if you want to do something different than whatever the manufacturer of your ISP-device deems fitting. The most common option to cirumvent this is to separate the functions out into their own devices, using software and hardware that you have much more control over. Businesses do the same, depending on their size and requirements. It is therefore also good practice for a future career in system administration and networking.
In your case I would recommend the following:
2/3. Here is where opnSense comes in. It is a combined router AND firewall. This specific combination of functions is what most small and medium businesses use. Very large organisations may further separate out routing and firewalling into dedicated devices. But that is Facebook / Google / Microsoft level stuff. You connect the modem into the WAN-port of opnSense and device number 4 into the LAN-port. opnSense sits in the middle.
Get yourself a separate switch with as many ports as you need. Make sure that it supports the following functions: LACP (also known as IEEE 802.3ad), 802.1x and L2 VLAN (also known as IEEE 802.1q). POE might be useful as well, to supply some devices with power directly over the network. These weird words will become relevant later if you choose to go deeper into this rabbit hole. You won’t need them in the beginning but this way you are ready to really get into the deeper stuff.
Add in an access point to cover all your wifi needs. Make sure that it is an access point, not a wifi router. Some routers can be set to access point mode but thats just a waste of capabilities. The access point basically converts wired signals into radio. I recommend ubiquiti for this.
But for your next step you should start researching the five different functions I outlined in my first list. If I’m not sure about somethings (happens quite often ;-)) I literally type “whatever for dummies” into google and start reading. Don’t be embarassed to start at the bottom, we all came from there in the beginning. There are also some good youtube channels that might help. Once you are somewhat confident that you at least generally know what those magic five do you can start with the second list.
Feel free to ask further questions but it’s night time in my time zone so answers will take a while. Good luck and above all: Have fun. This is a fascinating topic and you can spend years exploring it.
There seems to be a bit of a misunderstanding of what a reverse proxy does.
The proxy should accept requests on port 80 and 443 and on the basis of the requested website route you to the correct adress:
So your client thinks its talking to your jellyfin-instance over port 443 but in actuality your proxy reroutes the traffic to wherever your jellyfin needs it to arrive…
/Edit: Ah just saw that it redirects 443 requests to your router. Can you configure a DNS override on its config somewhere?
Try running this command on your target system:
cat $HOME/.ssh/authorized_keys
Does the private key part of your key pair show up in the list?
While opnSense is a fine solution (use it myself), I am not sure if your current router is actually the problem.
I suspect that the upload speed may be the culprit. Even when you are just downloading stuff there is data going bi-directionally. Even if it’s just TCP ACK packets. If your upload is fully saturated, download speed will suffer as well or even cut out entirely. You may also consider that Windows / Steam / Epic Games etc. like to download updates in the background, which might also fill up the capacity of your bandwith.
Does your router provide some kind of statistics for current bandwith use towards the internet? What does it show when those halts occur?
As for your planned homelab. On a birds eye level I would recommend using a small cheap computer with two network interfaces and opnSense as a router / firewall and Ubiquiti Unifi Access Points with the unifi controller software hosted on your media server. I can go into some more depth if you wish, but the official documentation for opnSense is pretty good.
AMD EPYC 7B12 / 256GB RAM / Supermicro H12SSL-i / 4x2TB Samsung 980 Pro in ZFS RAIDZ-10
Total overkill for what is currently running on it. But who knows what the future brings.
Current:
Docker-based
As a VM in Proxmox VE
As an LXC in Proxmox VE
Ha, same here. HAProxy plugin running on my opnSense. I should probably try caddy because HAProxy is complete overkill for my requirements.