It doesn’t really matter how you setup dynamic DNS and SSL. I prefer to handle dynamic DNS on the router, incase it’s smart enough to refresh the IP after DHCP renews it. I do SSL on a seperate nginx instance, but I run a few other sites; it might be easier to configure it directly on home assistant, but I haven’t tried.

If you want some extra security, I’d look into mTLS, as that establishes some cert based authentication at the TLS layer before HTTP, but it can be complicated to configure.

on these atomic distros where even something like syncthing involves shenanigans to keep active week to week? Ain’t happening.

I don’t see why you couldn’t kexec into a new kernel. kexec will load a kernel into memory from an already running kernel, and jump into it. It’ll suck for the user as they’ll have to semi-reboot everytime they want HDMI 2.1, but it’s easy and doesn’t install anything.

There’s also live patching, but I think that’ll be a bit of work.

Of course the kernel needs to be compiled with those options enabled, but most distros do.

Edit: And they probably won’t work with kernel lockdown/secure boot.

DP has an option to transmit HDMI signals instead, this is what passive adapters use and will still have the same HDMI 2.0 issue. A DP source can be passively adapted to HDMI, but a HDMI source cannot be passively adapted to DP.

You can also get active HDMI adapters which actively convert the signal, and can work with HDMI 2.1. Intel actually has an active converter chip built into their ARC GPUs, and is how they get around this issue.

You’re going to have a hard time trying to get that working over the WAN (if that’s even possible).

Wake on LAN is still encapsulated in an IP packet, so you can send it over the internet, and most WOL clients let you specify an IP. However your router will need to DNAT it to a broadcast address. Some routers have a check box for this (e.g. An ISP provided Technicolor router I have), some let you port forward to broadcast (e.g. Many routers, sometimes with workarounds), and some let you manually configure NAT (e.g. MikroTik routers).

So it is possible, but forwarding public internet traffic to a broadcast address seems like a bad idea, and I wouldn’t recommend it. Why I know this: I used to do this in middle school, and it does work quite well.

Depending on your BIOS and with fast boot, you might need to just hold one of the keys while booting instead of spamming it on boot.

Yep, but it’s required, and also present in every frame sent between your router and the ISP BNG.

I was trying to think of a reason why ASUS would still be showing.

he was referring to historical data

DHCP can also send a hostname, so it’s possible your ASUS router previously sent its hostname, and then the Pi doesn’t send one. What ever software they use might not clear the old hostname when there isn’t one.

Edit: For example, this is what my current ISP lets me see:

If you just want an IPv6 prefix and don’t need the encryption a VPN provides, you can use an IPv6 broker. Hurricane Electric’s broker is a popular one.

That’s the OPs reply, not the AI.

I don’t know what fedora 43 ships, but version 3.2.0 of nvtop should also give you stats, although it may need sudo for some stuff.

Well, your router is trying, but your ISP isn’t replying, so I’d say you don’t have IPv6 yet.

I have had ISPs where if you send a bunch of DHCP solicits/discovers too quickly, then they stop replying. So maybe disable DHCPv6 for a few hours, and enable it while watching it on the packet sniffer, incase it sends a weird response.

Also it shouldn’t make any difference, but in IPv6/ND change all to bridge; your router looks like it’s advertising itself as a default route to your ISP’s router, and that just seems wrong.

I see is coming from a couple of Amcrest cameras

Oh yeah, that still seems to be from your LAN. On the Mikrotik set your WAN interface in the filters tab of the packet sniffer. Also if you haven’t already, your WAN shouldn’t be bridged with your LAN, since your router will route between them, a bridge is like a network switch.

Basically I’d like to see the Router Solicitation on your WAN from your Router, and hope that your ISP responds back with a Router Advertisement; or a Solicit for DHCPv6, and the whole exchange.

Also 2001:470:1f06:redacted looks like a Hurricane Electric IP.

Yeah thats normal, fe80:: is link local, ff02:: is broadcast. Is the source always your router’s address, or is there another addresses there? DHCPv6 and ICMPv6 (for SLAAC), are the important protocols there.

Your WAN shouldn’t be part of your bridge. Are you getting any traffic in Wireshark? You do also need to enable packet sniffer on the router and point it to the IP of the computer you’re running Wireshark on.

Ahh okay, could you at least see your router trying to request an IPv6? You might have to disconnect and reconnect the WAN while the packet capture is going.

It might be worth doing a packet capture on your WAN, you can stream it straight to wireshark’s udpdump, and look if there’s any sort of reply to DHCP or any RA broadcasts, you can just use ipv6 as a filter.

Also come to think of it, DHCPv6 is usually still used for your prefix so that should work regardless of SLAAC. SLAAC is often just used for your default routes and the router’s own IP (as allocating that from your prefix manually is often considered a misconfiguration).

Some ISPs use SLAAC instead of DHCPv6, maybe that’s the case for you? To enable it, you’ll need to run /ipv6/settings/set accept-router-advertisements=yes and reboot. The current RouterOS beta also lets you pick which interfaces to allow SLAAC on.

Funny thing, time.is uses Cloudflare, and I only found out because of the outage.

keyring lets you set backends with environment variables, I believe you can try PYTHON_KEYRING_BACKEND=keyring.backends.null.Keyring which is the simplest backend as it doesn’t save anything.

Edit: You can also try keyrings.alt as it has an insecure file backend, if you absolutely need password saving.

Yeah thats fair enough. The ACS override patch should still have better isolation and speed than anything else you can do without native ACS, the security implications are just it’s theoretically possible to intercept another PCIe device’s traffic through the NIC; you can read more here.