irotsoma
@irotsoma@piefed.blahaj.zone
- Comment on How do you manage you DB in a docker environment? 4 days ago:
I run a single instance of Postgres and one of MariaDB on my NAS that all services connect to. And all of my containers store their settings in NFS shares from that NAS and backup most other things to the NAS. This greatly simplifies off-site backups overall when a copy of almost everything critical lives on the NAS.
Of course, the NAS needs to be powerful enough to handle the load, but since settings don’t get changed often and backups are during off hours and NFS has good caching anyway, the DBs are really the only heavy load on the NAS outside of storing and serving media. It has plenty of memory and has two 2.5Gb ports trunked together and a couple of small SSDs for fast caching in addition to the RAID array of HDDs. So it’s easily able to handle all of its file sharing duties as well as hosting the DBs.
Only negative might be that there’s no fail over if the NAS goes down. But I also don’t have a second router, so that’s another even more devastating single point of failure. But since everything critical is backed up to the NAS and then off-site, it’s an acceptable risk considering the cost to properly remediate it and the unlikelihood of major issues outside of times I’m doing maintenance.
- Comment on swapping out the router maybe? 2 months ago:
If configured properly, it can usually bypass the router altogether. In my setup I have several VLANs for different traffic, so for me it’s important to have a Layer 3 switch that can handle the routing between VLANs. But if you don’t use VLANs, a Layer 2 switch will build a MAC address table and bypass the router once it knows where the traffic is going. That way only your DNS queries and similar get sent to the router for internal traffic on the LAN. Then the issue is just traffic going to the internet.
For the internet side you just need to configure the firewall to drop packets on ports (not reject, just drop/ignore) you don’t use and use something like fail2ban or crowdsec to make your router outright drop malicious and LLM bot kinds of traffic to ports you do use that otherwise have to be processed. That generally will reduce processing load unless you have self-hosted services that really generate a ton of traffic in which case you can move those to VPSs outside of your network.
Those are my general strategies at a very high level.
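As an added illustration of the two firewall points in the comment above (this is example code written for this page, not anything the commenter posted), the script below implements a minimal fail2ban-style counter with maxretry/findtime semantics over a few constructed sshd log lines, then renders an nftables ruleset whose input chain uses a silent `policy drop` (no reject/RST) for unused ports and drops the offending sources before the allowed service ports are evaluated. The log lines, hostnames and IP addresses are constructed sample data; the ruleset is only printed, not applied.

```python
"""Added example: fail2ban-style threshold detection plus an nftables ruleset
that drops (rather than rejects) unwanted traffic. Sample data is constructed."""
import re
from datetime import datetime

# Constructed sshd-style auth log lines (hostname "gw", documentation IPs).
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:00:03 gw sshd[2101]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar  3 10:00:05 gw sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:00:09 gw sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 51244 ssh2
Mar  3 10:00:12 gw sshd[2104]: Failed password for pi from 198.51.100.7 port 51250 ssh2
Mar  3 10:01:00 gw sshd[2110]: Accepted publickey for alice from 192.168.10.5 port 40100 ssh2
Mar  3 10:02:30 gw sshd[2120]: Failed password for bob from 203.0.113.9 port 60001 ssh2
Mar  3 11:30:00 gw sshd[2130]: Failed password for bob from 203.0.113.9 port 60002 ssh2
"""

# Matches the syslog timestamp and the source address of a failed password attempt.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every failed-login line.

    Syslog timestamps carry no year, so one is supplied (assumed value)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def find_offenders(log_text, maxretry=5, findtime_seconds=600):
    """Sliding-window count in the spirit of fail2ban's maxretry/findtime:
    a source is listed once it has maxretry failures within findtime_seconds."""
    recent = {}      # source_ip -> timestamps still inside the window
    banned = set()
    for ts, ip in parse_failures(log_text):
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime_seconds]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return sorted(banned)


def render_nftables(banned, allowed_tcp_ports=(22, 443)):
    """Render an nftables ruleset as text.

    The chain policy is drop, so packets to unused ports get no RST or ICMP
    reply; banned sources are dropped before the allowed-port rule is reached."""
    ports = ", ".join(str(p) for p in allowed_tcp_ports)
    set_body = "        type ipv4_addr\n"
    if banned:
        set_body += "        elements = { " + ", ".join(banned) + " }\n"
    return (
        "table inet filter {\n"
        "    set banned {\n" + set_body + "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        iif lo accept\n"
        "        ct state established,related accept\n"
        "        ct state invalid drop\n"
        "        ip saddr @banned drop\n"
        f"        tcp dport {{ {ports} }} accept\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    print("sources exceeding threshold:", offenders)
    print(render_nftables(offenders))
```

With the defaults (5 failures within 10 minutes) only 198.51.100.7 is listed; 203.0.113.9 has two failures 87 minutes apart and stays below the threshold unless the window is widened. The rendered chain has no `reject` rule at all, which is the "drop, don't reject" behaviour the comment recommends.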
- Comment on swapping out the router maybe? 2 months ago:
Wow, I run opnsense in proxmox along with a pihole and a couple of other small services and never hit 100% CPU on an Intel N100. My miniPC box has 4 2.5 gigabit network ports though I only use 2 of them, one for LAN and one to the modem. I do also have a managed switch, though, that has a couple of 10 gigabit ports, a couple of 2.5 and the rest 1. Likely the switch is taking some of the load off of the router I suppose. Might try getting a low-end managed switch. If you’re in the US do it quick, though, as a lot of networking equipment is about to spike in price since the administration banned all new foreign made equipment and none is made in the US.