Super insightful, thanks. Didn’t think about any of that.

I don’t disagree with you, but you’ve put some thought into this so maybe you can help us understand your logic and rationale more.

as soon as they deem profitable

What’s profitable about losing sales of adult games?

Also, what leverage do these groups have over banks and payment processors? If you have leverage over Visa and MasterCard, some of the most profitable companies in the world, I could imagine doing way more nefarious things than this. I just don’t get it. Some random group in Australia has leverage over Visa and MasterCard - American companies - is that what we’re saying here?

Those are things that should be handled by a government in defence of the public interest of everyone

I think you might have too much faith in government. Facebook and YouTube shouldn’t be hyper-polarizing brainwashing machines either, but here we are 20 years later and governments have done jack shit to address that. If anything, we’re going the wrong direction - Governments are seeing that and the TikTok model as tools they can have at their disposal to suppress dissent. But ironically, I think YouTube and many other platforms quietly accept that if we want to live in a somewhat harmonious society, we can’t leave it to the government to make all the rules. (eg. YouTube banning vaccine misinformation and disinformation during a public health emergency.)

On a tangent here, maybe the only potential upside from this situation with Steam is that horrifically misogynistic waifu simulators aren’t going to be 1 click away from the new Call of Duty. Seriously, Steam is just full of super gross anime shit that kids shouldn’t see, but the main audience of the platform is kids. The way Steam puts that content beside everything else is really gross and they really should get called out for that.

This law sounds good in theory, but there’s a lot of lawful content that is really undesirable (scams, spam, deepfakes, hate speech, etc.) and platforms need to be able to deal with that. The law isn’t fast or flexible enough to keep up, and every country has different (or laughable) definitions of some of these things.

The YouTube community guidelines are a pretty good overview of whatever shady shit people are trying to pull these days: https://support.google.com/youtube/answer/9288567?hl=en

That you misremembered the generation of Nintendo console that Quake 2 was on makes this the perfect chefs kiss millennial boomer comment, lol.

You need that SRE team you said you don’t have. :)

I’m sold on the sales pitch for it, but deflect.ca resolves to a Hetzner box in their Washington DC datacenter. I have a 112 ms ping to it from Toronto.

How do you sell a CDN when your own website is hosted out of the country at a PoP that’s that far away?

I totally understand. It sucks that there’s not really any options in between these two extremes.

If I can ramble a bit more - forget the Anycast bit. If you run your own DNS server(s), you can just configure them to respond based on the geographic location of the requester. PowerDNS is pretty easy to set up for this. You could run your own DNS just for the image domain. You basically run PowerDNS authoritative server, set up your zones and the geoip stuff, then slap dnsdist in front of it to be publicly exposed. dnsdist has anti-DDoS features and loadbalancing in it, in case you need it down the road.

Since it’s just for static images, you can have a higher TTL so you don’t need to worry about distributing the DNS servers. (ie. the DNS lookup might not be super fast since it could go across the country, but it doesn’t matter since that lookup is only going to happen every TTL period on each client, which can be high.)

One suggestion to consider for Lemmy.ca is to move your images and other easily-cacheable content to a different domain or subdomain, to give you more flexibility.

eg. If you serve your static assets off of lemmyimages.ca, then you can have only that behind a CDN, Cloudflare, or some other hosting with DDoS scrubbing. It gives you more flexibility to cope with various situations.

2tb a week isn’t much (6 mbps on average?). It’s pretty easy to set up nginx as a caching reverse proxy and spin that up on a couple of VPSes, but the annoying bit is you need to anycast your own IP address space in order for it to be functional as a CDN.

I’m not aware of any Canadian-owned CDNs either… OVH has one but they’re pretty crappy as a company. Beware of whitelabelled CDNs too, even some of the CDNs provided by big cloud hosting companies are actually whitelabelled from another company.

yooo, I was just playing T2 in the pickup game on Friday night a few weeks ago. It’s still so good!

Wrapping up this thread, I really appreciate all the opinions and experiences everyone shared! Gave me lots of new perspectives to think about.

Yeah, this might be the way to go. OpenWRT supports hardware NAT with many of these ARM-based routers like many of the MediaTek-based ones, which gives them super high throughput at very low CPU usage. The efficiency blows x86 out of the water. The ability to migrate your OpenWRT config to new hardware (real or virtual) in the future means you kinda get the best of both worlds…

Do not use an SSD for cold storage - it will fail. SSDs need to be plugged in every once to refresh the charge in their NAND, otherwise they’ll lose the data.

This is not a theoretical thing - I’ve had a good Samsung 850 Pro drive fail while being off for 2 years.

Thanks, this is good data!

How fast is your internet?

Do a speed test and run htop… you’ll see CPU usage only on one core spiking. Not a big deal if your CPU can handle it, but the AMD GX-412TC in the APU2 I was using is too slow.

Even if the virtualized router is down, I’ll still have access to the physical server over the network until the DHCP lease expires. The switch does the work of delivering my packets on the LAN, not the router.

Thanks for the tip about the pfSense limit. After running pfSense for like 8 years, my opinion is that is flush with features but overall, it’s trash. Nobody, not even Netgate, understands how to configure limiters, queues, and QoS properly. The official documentation and all the guides on the internet are all contradictory and wrong. I did loads of testing and it worked somewhat, but never as well as it should have on paper (ie. I got ping spikes if I ran a bandwidth test simultaneously, which shouldn’t happen.) I don’t necessarily think OpenWRT is any better, but I know the Linux kernel has multithreaded PPPOE and I expect some modern basics like SQM to work properly in it.

The other thing to keep in mind is to pass through physical nics. Using just the vnics will potentially lead to security risks. That’s the reason I went back to physical fws.

I could throw an extra NIC in the server and pass it through, but what are the security risks of using the virtualized NICs? I’m just using virtio to share a dedicated bridge adapter with the router VM.

If you just use 2 nodes, you will need a q-device to make quorum if you have one of the nodes down

I could just use VRRP / keepalived instead, no?

I should try Proxmox, thanks for the suggestion. I set up ZFS recently on my NAS and I regret not learning it earlier. I can see how the snapshotting would make managing VMs easier!

That is pretty sweet. I have a second server I could use for an HA configuration of the router VM. I’ve been meaning to play around with live migrations (KVM) so this could be a cool use case for testing.