For the past few years I’ve been building and maintaining a website/blog at www.pragmaticcoding.ca. It’s mostly about programming, and more specifically it’s ended up having a lot of content about JavaFX with Kotlin.
Lately, I’ve been spending all of my time building out my own homelab and self-hosting the services that I need. I’ve got a little stack of M910Qs running in a Proxmox cluster with an HP T740 running OPNSense.
Since I’ve been spending all - and I do mean all - of my time futzing about with this self-hosted stuff, I thought I’d try to add some content to my website to help people doing the same thing. My idea was to make it more “bloggish”, talking about the tricky things I’ve had to master along the way as I implement various services.
But I feel like there also needs to be some foundational content. Articles that explain concepts that a lot of people, especially people without professional networking experience, find difficult to grasp. So I’ve started working on those.
While I think of myself as mostly a programmer, my career (now, thankfully, over) had me as an “IT Guy” more often than not. I spent 24 years at the same mid-sized company with a tiny IT department and simply had to get involved with infrastructure stuff because there was nobody else to do it. It was very hands-on at first, but as we grew I was able to limit my involvement to planning and technical strategy.
Since the mid 90’s, we went from self-hosted physical servers, to colocated servers, to colocated virtual servers to cloud servers and services. So I feel like I have the insight to provide help.
Anyways, this is the first article in this new section. I’ve seen a lot of people posting questions about how VLANs work and I know that it’s mystifying to many. So I wanted to push it out before I have the supporting framework put together on the website, and it’s just sitting there as the first post that’s not about programming.
My goal is to provide practical, pragmatic advice. I’m not particularly worried if some particular facet of an article isn’t 100% totally correct on some obscure technical level…as long as the article gives solid practical advice that readers can act on.
Anyways, take a look and let me know if you think this kind of article might be of use to yourself or other people getting started on self-hosting.
I know that people often find IPv6 confusing and that’s fine, but at the very least you need to explain that you’re specifically talking about IPv4 IP and Subnetting configuration and that is very much how things used to be done. IPv6 is finally gaining real adoption and can make a lot of things confusing.
For example, until I got a handle on IPv6, my Android phone never had proper ad-blocking from my Pi-Holes because Google would make Android auto-configure an IPv6 DNS address that would bypass my IPv4 DNS addresses. Even if I filled every IPv4 DNS slot, my phone would still automatically make a slot for the IPv6 DNS and fill it with a Google-chosen DNS. There were two ways to fix this, and I’ve done both: set up IPv6 and fill that slot with my Pi-Hole IPv6 DNS address, and/or set up a VPN that hands out the Pi-Holes as DNS and bypasses Google’s auto-configuration entirely. I ended up with both because I also use the VPN to keep ad-blocking functional on my phone while I’m away from home.
Especially in keeping with your “Zero trust” idea, you can’t have rogue IPv6 traffic all over your network unless you’ve managed to disable IPv6 on every network interface and the traffic is just being dumped since it’s disabled. (Also, personal opinion, subnetting on IPv6 is so much more elegant and straightforward than on IPv4)
Finally, you mention “bytes” (it’s actually bits) and CIDR notation, but that’s probably more confusing than illuminating if someone has no idea that an IPv4 address is four octets (eight bits each) in a 32-bit addressing scheme. You might consider expanding on how IPv4 addresses function to make that a little clearer.
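The point in the comment above about bits versus bytes is easiest to see with the arithmetic written out. The following is an added example, not code from the article or the commenter: it treats an IPv4 address as a 32-bit integer made of four 8-bit octets and derives the netmask, network, broadcast and host count from a CIDR prefix length counted in bits. It deliberately avoids Python’s `ipaddress` module so every shift and mask is visible; the addresses used are made up.

```python
"""IPv4 addresses as 32-bit integers, CIDR prefixes as a count of mask bits.

Added example (not from the original post). Implemented by hand instead of
with the `ipaddress` module so each bit operation is visible.
"""


def parse_ipv4(text: str) -> int:
    """Turn dotted-quad text into a 32-bit integer (four 8-bit octets)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range 0..255: {part!r}")
        value = (value << 8) | int(part)   # shift left one octet, append the next
    return value


def format_ipv4(value: int) -> str:
    """Inverse of parse_ipv4: pull each octet back out with shifts and a 0xFF mask."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/prefix means 'the top `prefix` bits of the 32 are network bits'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32 bits")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_summary(cidr: str) -> dict:
    """Network, mask, broadcast and usable host count for e.g. '192.168.10.77/24'."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    addr = parse_ipv4(addr_text)
    mask = prefix_to_mask(prefix)
    network = addr & mask                        # keep the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set every host bit
    host_bits = 32 - prefix
    # /31 and /32 are point-to-point / single-host cases with no reserved addresses;
    # everything wider loses the network and broadcast addresses.
    usable = 2 ** host_bits if host_bits <= 1 else 2 ** host_bits - 2
    return {
        "network": format_ipv4(network),
        "netmask": format_ipv4(mask),
        "broadcast": format_ipv4(broadcast),
        "host_bits": host_bits,
        "usable_hosts": usable,
        "mask_bits": f"{mask:032b}",   # the 32 bits, network 1s then host 0s
    }


def in_subnet(addr: str, cidr: str) -> bool:
    """True if `addr` shares the network bits of `cidr`."""
    net_text, prefix_text = cidr.split("/")
    mask = prefix_to_mask(int(prefix_text))
    return (parse_ipv4(addr) & mask) == (parse_ipv4(net_text) & mask)


if __name__ == "__main__":
    for cidr in ("192.168.10.77/24", "10.0.0.0/22", "172.16.5.9/30"):
        print(cidr, cidr_summary(cidr))
    print(in_subnet("192.168.10.5", "192.168.8.0/22"))
```

Running it on a /22 shows why the “last octet” intuition breaks once a subnet is wider than /24: the mask `255.255.252.0` has only 22 one-bits, so two bits of the third octet become host bits and `192.168.10.5` lands inside `192.168.8.0/22`.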
Where would a guy go to learn more about IPv6? Trapped behind CGNAT, have gotten exactly as far as getting my public IPv6 address. Can’t so much as ping it, “name or service not known”.
https://ip6.wtf/#/learn This is the best resource I’ve found so far and I can see the advantages, but am getting absolutely nowhere
I’ve been trying to get my Unifi infrastructure to force IPv6 addresses onto all my devices at home (mainly laptops, PCs, phones and tablets, potentially media devices as well), but it has proven a huge challenge for me because of my ignorance of IPv6 and how it differs from v4.
For the time being, I have disabled everything v6 in my network, including my ISP provided ONT, but that leaves me with only the option of a commercial VPN when I’m not at home to try and block as much as possible (together with NextDNS for some added blocks).
I know I’m currently open on that front, and would love it if someone could tell me where I can go to try and understand v6 so that I can then make an informed implementation across the board.
Thank you beforehand.
https://www.oreilly.com/library/view/tcp-ip-illustrated-volume/9780132808200/
The thing to know about IPv6 is that while being able to read the addresses and memorize the different kinds seems daunting, the implementation behind it is actually much simpler than IPv4 today.
The biggest mental hurdle to get over is that the way we use IPv4 today is informed by our need to work around the global lack of IPv4 addresses. With IPv6, it sort of turns back the clock to when every machine could just have a globally routable IP address. Private reserved ranges for local LANs, NAT, etc. aren’t necessary with IPv6.
Thanks so much. I’ll start here. I really appreciate this.
Thanks for the feedback. I will make some changes to the article. IPv6 wasn’t even on my radar since I haven’t got around to using it myself yet.
JavaFX with Kotlin
mad lad.
what makes you snub Compose UI?
Compose is great for Android because it’s so integrated with the ecosystem. For desktop applications, JavaFX - especially coupled with Kotlin - is a clear winner to me.
I should point out that I don’t use FXML or SceneBuilder, but code all of my layouts in Kotlin. Kotlin features like extension functions let you eliminate 90%+ of the JavaFX layout boilerplate.
Back to Compose. Both Compose and JavaFX are Reactive GUI environments, although many (most???) people don’t realize that about JavaFX. But both environments take opposite approaches to Reactive design.
Compose, as the name implies, uses what I call “compositional reactivity”. This means that the actual layout is totally static, but is recomposed, in whole or part, in response to changes to the data representation of state. That code will look at the various State elements each time it runs, and alter the layout according to their current values.
JavaFX uses “Reactive Layouts” (my term, again). JavaFX has a comprehensive, yet extensible, collection of Observable data types and another comprehensive, yet also extensible, collection of Bindings to allow you to connect them together in any way that you can think of.
Every configurable element of every screen Node in JavaFX is expressed via these Observable values, meaning that they can be bound in some fashion - in either direction - to elements in the State data structure.
The result is that in JavaFX the layout code is run exactly once. But this layout code not only performs the actual layout, it also creates the bindings to State. After that, the layout behaves dynamically all by itself.
In JavaFX, layout composition is actually quite expensive in terms of performance, and recomposition is to be avoided if possible - and it is virtually always possible. I have seen people bitch about JavaFX being “heavyweight” and laggy, and I can guarantee you that those people are just doing a lot of recomposition.
The biggest challenge in programming, and I say this with more years of experience than most people reading this have been alive, is in understanding the underlying paradigm that governs whatever language or toolkit you are using. Unfortunately, you are unlikely to open up a book or webpage and see, “The underlying paradigm of this technology is…”.
That’s especially true of JavaFX. It takes a LOT of time to realize the Reactive nature of JavaFX by yourself. Consequently, I don’t think that JavaFX gets recognized as the desktop application powerhouse that it is. As someone who has mostly mastered it, I’m constantly amazed at how trivial it is to build truly complicated applications with JavaFX.
yeah i get that.
generally most modern UIs are moving away from those reactive patterns (React, Svelte, etc) just cuz the composition can be optimized (Kotlin compiler plugin, shadow-DOM, etc), and a lot of people—myself included—find that declarative design easier to reason about. and yeah i guess i outed myself as an Android dev, but i can’t in good conscience recommend the node based Android XML UI lol (although that’s a different SDK).
anyway, not to yuck your yum. i played around with JavaFX back in the day but never made anything to speak of. i’ll have to check out more of your blog!
Small advice: would be nice if there was a dark mode, so I can read it at night. (without flash bang)
Dark reader on firefox has been a life saver on many websites. It works even on mobile (fennec).
I’ll have a look at it. The whole site is Jekyll using a theme called “Minimal Mistakes”, so there’s two things for me to look at. I suspect it’s the theme, and I’ve customized it enough that it’s probably “broken” when it comes to updates.
Thanks. There is a dark skin: https://mmistakes.github.io/minimal-mistakes/docs/configuration/#dark-skin-dark
Step 0. Make sure your networking equipment can do vlans and subnets.
Given how much I paid for a “high end” consumer router, I just assumed ……
I get the security aspect of it, but in my case I can’t see a reason to go through the hassle. My smart switches talk to home assistant running on my server. I want new devices to be able to access the plex server without manual config. And my server is arguably the most sensitive machine on my network, so if I can’t protect that, I don’t think it’s worth protecting anything.
Do your smart switches talk to your HomeAssistant server???
Or does your HomeAssistant server talk to the devices?
It’s probably the latter, and in terms of network security the difference is huge. You can restrict your smart switches to their own, untrusted zone with no outgoing permissions and then give HomeAssistant access to them from its zone.
I would also argue that your personal devices and desktop computers are far more sensitive than your HomeAssistant server.
That’s a fair point. I think home assistant initiates the connection, but I’m not sure how status updates work from the smart switch to home assistant. Could be home assistant polling, web sockets, or the switch broadcasting.
I have my AP connected with a trunk link and configured to offer different SSIDs for different VLANs. I connect IoT devices to the IoT WiFi, and home assistant can see them since the machine running it is connected to that VLAN as well. Apart from the initial setup, this feels like less of a hassle, as firewall rules are already set up for this VLAN (no connection to internet or other VLANs). If I had to manually make sure that every new IoT device I add is incapable of talking to the internet, I think I’d go mad.
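The two comments above (the “who talks to whom” question about HomeAssistant and the smart switches, and the IoT VLAN with no route to the internet or other VLANs) both come down to the same firewall property: a stateful rule set allows the zone that *initiates* a connection and lets the replies back, but nothing else. The following toy zone firewall is an added example, not the commenters’ configuration or anything from OPNsense or Unifi. The zone names, the /24 per VLAN, the HomeAssistant port 8123 (its default web UI port) and the sample flows are all constructed for illustration.

```python
"""Toy zone-based stateful firewall showing why connection direction matters.

Added example (not from any commenter or product). Zones, addressing plan and
flows below are constructed; first matching policy rule wins, default deny.
"""
from dataclasses import dataclass
import ipaddress

# Assumed addressing plan: one /24 per VLAN / zone.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),      # laptops, phones
    "IOT": ipaddress.ip_network("192.168.20.0/24"),      # smart switches, cameras
    "SERVERS": ipaddress.ip_network("192.168.30.0/24"),  # HomeAssistant host lives here
}
WAN = "WAN"  # anything not in a known zone is treated as the internet

# (source zone, destination zone, destination port or None for any port).
# There is intentionally no rule with IOT as the *source* zone, so IoT devices
# cannot open connections to the internet, to HomeAssistant or to laptops.
POLICY = [
    ("SERVERS", "IOT", None),   # HomeAssistant may reach any IoT device/port
    ("LAN", "SERVERS", 8123),   # laptops reach the HomeAssistant web UI only
    ("LAN", WAN, None),
    ("SERVERS", WAN, None),
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return WAN


class StatefulFirewall:
    """Tracks connections it has allowed so that replies pass without a rule."""

    def __init__(self, policy):
        self.policy = policy
        self.conntrack = set()   # (src, sport, dst, dport) of allowed initiators

    def decide(self, flow: Flow) -> str:
        # A packet whose 4-tuple is the mirror image of a tracked connection
        # is return traffic for something this firewall already permitted.
        if (flow.dst, flow.dport, flow.src, flow.sport) in self.conntrack:
            return "allow-established"
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        for pol_src, pol_dst, port in self.policy:
            if pol_src == src_zone and pol_dst == dst_zone and port in (None, flow.dport):
                self.conntrack.add((flow.src, flow.sport, flow.dst, flow.dport))
                return "allow"
        return "deny"


def run_sample() -> list:
    """Constructed flows; returns (description, decision) pairs in order."""
    fw = StatefulFirewall(POLICY)
    cases = [
        ("HA polls smart switch", Flow("192.168.30.10", 40001, "192.168.20.5", 80)),
        ("switch replies to HA", Flow("192.168.20.5", 80, "192.168.30.10", 40001)),
        ("switch phones home", Flow("192.168.20.5", 50000, "203.0.113.9", 443)),
        ("switch pushes to HA unsolicited", Flow("192.168.20.5", 50001, "192.168.30.10", 8123)),
        ("laptop opens HA web UI", Flow("192.168.10.20", 50002, "192.168.30.10", 8123)),
        ("laptop talks to switch directly", Flow("192.168.10.20", 50003, "192.168.20.5", 80)),
    ]
    return [(desc, fw.decide(flow)) for desc, flow in cases]


if __name__ == "__main__":
    for desc, decision in run_sample():
        print(f"{desc:35} -> {decision}")
```

The fourth case is the one the earlier comment is asking about: if the smart switch pushes status updates to HomeAssistant on its own, that flow is a new connection *from* the IoT zone and is denied under this policy, while the same data arriving as a reply to HomeAssistant’s poll is allowed by connection tracking. Which of those a given device does is exactly what you need to find out before locking the zone down.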
This is a good write up, thank you!
Tip: if you’re pluralizing and using an apostrophe, you’re doing it wrong.
Some VLAN-related nuggets that you may find useful for your post/blog:
- 99% of the time when people refer to VLANs, they’re talking about 802.1Q (VLAN tagging). There are others, so it’s up to you whether you want to cover those as well.
- The word “Trunk” can mean different things, depending on vendor. In the Cisco world, it means a line/port carrying multiple VLANs. With many other vendors, such as Aruba/HPE, it refers to link aggregation, which isn’t necessarily relevant to VLANs.
- A lot of hardware still uses VLANs even if none have been configured. For example, defaulting all switch ports to have an Access tag of 1 makes it behave like a dumb switch. This can cause issues later if you’re configuring VLANs elsewhere.
- Anything non-vlany connected to a VLAN-enabled switch will have to be connected to a port with a default VLAN tag. This is usually referred to as an “Access port” or an “Untagged port”
- “How do I configure the switch to allow units on VLAN 123 to talk to VLAN 321?”. You don’t. Connect both VLANs to a router which will route between them. Either connect the router to both VLANs individually and skip the tagging on the router, or you can run a single trunk between the switch and the router which carries both VLANs. The latter requires you to configure VLANs on your router accordingly.
- It might make sense in many cases to have the VLAN tag the same as the last octet in the IPv4 subnet. Makes it easier to keep track of.
- A PC can implement VLANs on its network port, allowing you to connect to a trunk port and access several VLANs with one cable.
Source: VLANs have been an integral part of my career for 20ish years.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
- AP: WiFi Access Point
- CGNAT: Carrier-Grade NAT
- DNS: Domain Name Service/System
- IP: Internet Protocol
- NAT: Network Address Translation
- Unifi: Ubiquiti WiFi hardware brand
- VPN: Virtual Private Network
7 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.
[Thread #75 for this comm, first seen 8th Feb 2026, 20:40]
A VLAN is a virtual local area network. Basically, what it does is let you segment your network so that load in one segment doesn’t bring the rest down or slow it to a crawl.
In addition people often use VLANs for security segregation. For example you might buy a bunch of cheap Chinese security cameras, but want to ensure that they can’t send anything back to the manufacturer. Then you can make a VLAN with no Internet access for the cameras.