Correct!

Thankfully my kids school will also just load it up from cash, so we drop a $20 in when needed. I make lunch every day, but if she is still hungry or wants a milk its there, and every Friday we let her get a dessert.

There are also fees to pay online for school trips, the book store, etc.

A Jill Stein event, in a speech by a Stein supporter introducing Stein.

Too bad, this is Green. They are not a party of progressives.

1. Vote for candidates who will do something about climate change

That’s the one for removing billionaires.

• This was a Jill Stein rally
• This speech was to intro Stein
• This speech would have been reviewed, just like a certain comedian at MSG.
• Stein agrees with and supports the speech tacitly

You’re just apologizing for the Green Party while being OK with them working to get Trump in, who will literally ramp up the genocide.

Pure garbage.

At a minimum (and something achievable in the very short term), regulations and the enforcement to go with it.

Not what I said.

I said by their own people on microphone at their own event. I think maybe you misread, its not at all misleading.

She was the opener for Green at her MI rally.

She is part of it, at a Green event. Her being the founder of her own party that had a short stint as a city council member does not change who she was there for, both party and candidate.

Weeks ago.

A quote from Sawant at the Stein rally:

We are not in a position to win the White House, but we do have a real opportunity to win something historic. We could deny Kamala Harris the state of Michigan. And the polls show that most likely Harris cannot win the election without Michigan.

Edit: forgot to.drop some links for you. Here you go:

https://www.usatoday.com/story/opinion/columnist/2024/10/09/abandon-harris-stein-michigan-arab-american-voters/75561456007/

In her own words, the so-called socialist who is hoping for a trump win: https://www.workersstrikeback.org/news-analysis/kshama-sawant-speech-10-15

I agree, its only partial.

Good.

The green party is not a party for good. Jill Stein has no intention of trying to further the supposed goals of the green party.

Their intention - admitted to, on microphone, at an event, by their own people - is purely to give trump the presidency.

The green party is dogshit.

So is mine.

The funny part? He’s a union guy, doesn’t understand (despite repeated attempts to show) that Trump is anti-union. I’m sure the key component for him is really just some of that good old fashioned bigotry.

Which is also silly since he’s Cuban, and got some Testosterone shots recently (you know - gender affirming care).

He’s just clueless and won’t change his mind.

I mostly agree.

What isn’t present, and should be, is the teacher addressing how they will be avoiding recreating this situation going forward. How they address for next time is more important to me than an apology.

Ymmv, but to me that’s the part that’s missing. And I get the venting.

You were responding to me, and I most definitely didn’t equate the two. Maybe you meant to respond to someone else.

In any case, you can route between vlans (and subnets), but without a route you aren’t communicating between those vlans or.between subnets.

Also, you can have multiple subnets in a vlan, but you can’t have a single subnet across vlans.

The range (x.x.10.x and x.x.20.x from your example) is only the subnet side, you could have both of those subnets in one vlan. But you could not, for example, have x.x.10.x/24 exist in vlan 10 and vlan 20.

Just to have a straightforward reply…

Let’s start with the concept piece, which you dont need to explicitly follow, but is a decent ref. You dont need to use this explicitly, this is more about how far/close to enterprise you want, whether its for fun, for practice, whatever. From an enterprise perspective, you’ll typically have:

• Management - The only things that belongs here are network devices. Router, switches, etc, but notably not servers. This also - from just a general security perspective - should not be the default network, the vlan you get an IP from ifz you randomly connect to a port. In the enterprise, this is so people dont see the vlan switches are on, at home its just… Good practice at best.
• Services - servers you trust go here. Ones that are providing local services, not accessed by the outside (except via VPN). This could be auth services, a wiki, automation tools - proxmox servers, as an example, would go here. You may also put a jump service here - a single VM with access to management and logging, so that this becomes the only logical means of access (and a physical on the router or a locked up switch for example)
• Workstations - trusted user accessible devices would go here. Your desktop, laptop, etc go here. If an ssid is associated to this network, its typically hidden.
• IoT (no internet) - IoT devices you dont fully trust (as in, pretty much any IoT device) will get put into a VLAN without internet access. Prevents them from phoning home, usually these are closed off devices. Again, not a requirement for home use, but for personal privacy not a bad choice. This became a problem more recently in the enterprise with people buying more consumer-ish stuff at the direction of someone in C Suite who wants their office to behave like their home office. Also put your TV here. Seriously, don’t give smart tvs internet access. Block them and plug in a Linux box or something.
• Guest - Where everyone else goes, a guest vlan with internet only access. Ideally they will each get NATd and can’t see each other either. If you want these guests to be able to cast/airplay/etc though, you also would want/have:
• Media Services VLAN - this is where you would have a Chromecast, AppleTV, mersive solstice pod, airparrot, crestron air media, etc. So your receiving device lives here, in the one vlan you allow some bonjour, and allow men’s forwarding from workstation and guest to both hit this network (and its devices). Security risk. Manageable, but a risk.

There are MANY variations and unique versions of this. This is more or less a typical enterprise with we home media uses mixed in.

Now for structure purposes, you basically would have:

• Management is inaccessible by anything not a switch, with the exception of that one locked down physical port and maybe that jump VM.
• Each VLAN has its own gateway, each gateway is also NTP and DNS. You then have the upstream DNS provider be your pihole (or technitium, or pihole container, etc - I have 3 that I use so something is always up. DNS is not priority ordering, diff conversation, but having multiple is a good idea. Now your devices get their DNS from the gateway IP, and that gets it from your pihole, so you dont need to expose your pihole to those devices directly
• guest has access to NOTHING. Just internet. Maybe the media services if you’re into that sort of thing.
• IoT can be accessed from other vlans, but should have access to nothing else. As in, initiated from outside (workstation, services, etc) passes, initiated.from inside (a roomba) you block.
• the rest generally doesn’t need too much security, its more device management - workstation, servers, etc.

OK so there are the generics, let’s go back to yours.

192.168.1.x - sounds like default to me. Risky to use for proxmox and network management on a vlan generic endpoints will land in. If you have a different one for default - great! Ignore this. If its management, id move Proxmox into 200 instead.

192.168.100.x - solid choice to group up your externally facing riskier stuff and funnel it all through one connection. I’d make sure when that connection goes down everything else loses connectivity - confirm that kill switch works. Bind their network interfaces to the virtual network that goes to your VPN connection (I’m assuming a docker container here).

192.168.200.x - yup, logical group, makes sense to do. I’d probably put your hypervisor here.

Now LXC vs Docker… I’d call that mostly preference. I prefer LXC. I also keep things at a stable version and upgrade when needed, not automatically. If you want automated, your best bet is docker. If you want rock stable, and d9nt mind.manual updates, LXC is great. You can automate some with ansible and the like, but that can be a lot to set up for minimal need. YMMV.

Anything I build from source (honestly, most of what I do) I put in an LXC. Anything I take someone else’s image (rare, but happens), is docker. I have a local git repo I keep synced to projects on codeberg, github, and the like, so my setups are all set to build from that local repo. Makes sure I’ve got the latest if something is taken down, but also a local spot to make changes, test, etc for anything I may push back upstream.

Hope that helps!

Edit: Forgot to talk security!

OK first off, figure out your threat model. Where would threats come from? How serious would they be? What risks are worth taking, which are not?

Security is an ogre (onion) - its got layers. For example, I have zero concern with region blocking. No one is hitting my network from China, so I’m not allowing some random to try and get in.

What I am concerned about is user credentialing for access - one login for all services, MFA is hard required, and I don’t do text/email as MFA - that’s baby town frolics levels of security, I don’t like it.

Best way to think of it is a row of bikes. A thief is going to come by and steal one. Which one will they go for?

Do you need to have 7 bike locks and encase the whole thing in concrete? Or do you need to be enough of a pain in the ass (u lock, braided steel cable or chain looped through the wheel and frame) that the other bike (with a $5 cable lock you can pop open with a bic pen).

Take a networking class. You have numerous fundamental misunderstandings and make wild assumptions on bridging gaps that has specific requirements to occur, which also requires a complete lack of any other security methods.

Take a networking class, please. You need it.

Edit: You’re mad and still down voting, I want to point out you dont even understand the link you provided.

You should probably read that. But looooooong before then, you should take an actual class on networking.

You need it.

Take a networking class instead of spewing nonsense please.

HOW WOULD YOU GET SHELL ACCESS TO HIS ROUTER FROM A FIREWALLED OFF VLAN THAT DOES NOT GAIN ACCESS TO THE MANAGEMENT VLAN THE ROUTER IS ON.

Holy crap dude.

BASIC networking.

Thats my line.

I’m also done having any sort of discussion with you, there is a fundamental misunderstanding of logical network design here, and I have no interest in correcting that. Enjoy your day.

That’s not how any of this works… At all.

No, its managed by the firewall. The existence of a VLAN does not grant it access to egress. The firewall needs to permit that behavior.

Your entire understanding of how a logical network works is wrong. I’m not trying to be a dick - this is just really bad information that you’re sharing.

Your understanding is correct.

Multiple routers is irrelevant and ridiculous.