• 0 Posts
  • 47 Comments
Joined 10 months ago
Cake day: December 6th, 2024

  • Yeah, I do the same thing.

    Curiously, the installer of my ISP - which is one of the smaller ISPs around here - says it’s very common for their clients to just want the ISP’s box to do bridging (or even just act as a Fiber-modem) and use their own router behind it.

    Guess the techies tend to flock to the more obscure ISPs that pretty much just provide “data pipe to the Internet” rather than use the big ISPs which tend to do stuff like push their own TV Boxes and even bundles of Home Internet + TV + Mobile.

    I am very happy with this ISP - cheap, fast, reliable, no bullshit.


  • My ISP does give my router a public IP.

    However my VPN provider does not give my client machines public IPs and instead gives them internal IPs.

    So from any machine in my home, my normal (via ISP) connection is via my own router (which does NAT for all machines in my home network and which I fully control) which has a public IP address on its external interface (so, no double NAT), whilst a VPN connection is via the VPN provider’s router (as that’s what’s on the other end of the VPN pipe) which also does NAT, but that router I don’t control and the VPN provider I use doesn’t allow Port Forwarding hence all the trickery I described above to make sure I actually seed more than I download.

    Around here ISPs giving internal addresses is not very common unless it’s on a mobile connection.


  • You should have pretty much everything on your router disabled for access from machines on the external network side of the router.

    The typical example is the web admin interface, which should never be enabled for access from outside, only for access from machines on your internal network. The same applies to all other sorts of control interface, be they human interfaces or machine interfaces.

    For any machines reaching it from the outside network interface the router should look the same as the most basic, dumbest router there is with no way to configure or control it.

    So, yeah, enabling uPnP for external use is asking to be hacked, probably worse even than enabling the web admin interface for external access since the latter usually has username:password authentication, which although pretty crap (most people don’t even know it’s there and leave it at default and when not it often has character limitations that make it guessable or possible to brute force) it’s still way better than NO AUTHENTICATION WHATSOEVER which is what uPnP has.


    In a VPN your own machine sits behind a Router from the VPN provider in a NAT configuration (meaning that during VPN tunnel initialization that router gives your machine an IP address from one of the so-called “internal” IP address ranges - most commonly one in the 192.168.x.x range - which are NOT valid to have visible in the Internet) and which multiple machines all over the world sitting behind other routers can use at the same time (for example: even though it only has 254 valid addresses, there are probably millions of machines running right now with an IP address in the 192.168.1.x range, which is by far the most popular range of internal IP addresses).

    The IP address which is visible on the actual Internet has to be one which is not from an internal range or other kinds of special ones, and that’s the one that the VPN provider Router shows to the outside. (There are a few “tell me my IP address” websites out there which will let you know what that address is).

    This is also how home routers work in providing multiple machines in your home access to the internet even though it’s on a single ISP connection which has only one IP address valid for the Internet.

    To make all this work, such routers do something called NAT-Translation: connection requests from the INSIDE to the OUTSIDE go to the router, which changes ip:port information of those requests from the internal ip and a port in that machine to be the router external ip and a port the router has available, and then forwards the request to the outside. The router also records this association between the external machine, the port the router used for it and the internal machine and the port on it the connection came from, on an internal table so that when the OUTSIDE machine connects to the router on that specific port, the router treats that inbound connection request as associated to the earlier outbound request and does the reverse translation - it forwards that inbound request to the internal machine and port of the original outbound connection.

    However - all this only works when your machine first connects from the inside to a machine on the outside, because that’s when the router translates the IP address and Port and memorizes that association. If however you gave the IP address in some other way to that remote machine other than connecting to it via the router (for example, you have registered a Domain Name pointing to it, or you just gave the IP address and port number to a friend and told them “this is my Jellyfin machine”), any connection coming from the outside will not be routed by the router to your machine, because the router never had an original outbound connection to make the association for any return inbound connections: from its point of view some random machine is trying to connect to one of its ports and it simply doesn’t know which internal machine and on which port on it is supposed to get this connection from that unknown external machine.

    Also all this is dynamic - after a while of one such association not being used, the router will remove it from memory.

    Port Forwarding is a static way to explicitly configure in a router that all connections arriving at a specific port of the router are ALWAYS to be forwarded to a specific internal machine and a specific port on that machine.

    Given that the association is static, you can give the outside world in any way you like without involving the router (for example, listing in some kind of shared list, which is what the Torrent protocol does), the IP of the router + the forwarded router port, as the address for a “service” that’s running on your internal machine, and any request coming from the outside on that port even if your machine never connected to that remote machine, ever gets forwarded to the internal machine and the port you configured there.

    With port forwarding you can for example host your own website behind a VPN or in a home machine that’s not directly connected to the internet because any requests coming into a specific port on the router that does have a direct connection to the internet always get forwarded to that machine and the port on it you configured.

    In the old days Port Forwarding had to be manually configured on the Router (for example, via a web-interface), but nowadays there is a protocol called uPNP that lets programs running on your machine automatically request that the router sets up a Port Forwarding for them so this is often done transparently, which is how most networked applications sitting on a machine at home behind a home router work just fine since those routers always support port forwarding.

    PS: All this shit is actually one enormous hack, that only exists because IPv4 doesn’t have sufficient IP addresses for all Internet connected machines in the World. The newer IPv6 does have more than enough, so it’s theoretically possible that all your machines get a valid Internet IPv6 address and are thus directly reachable without any NAT on the router and associated problems. However I’m not sure if VPN providers which do support IPv6 actually have things set-up to just give client machines a direct, valid on the Internet IP address, plus a lot of protocols and applications out there still only work with IPv4 (byte . byte . byte . byte) addresses.



  • Unfortunately my VPN provider doesn’t support Port Forwarding (they’re great in everything else, but suck on this) so if I just start seeding from scratch no peers will ever manage to connect to my machine. The only way I can contribute back to the community is when a Download session ends and starts seeding (basically all those peers that my machine checked during the download stage get recorded in the VPN’s Router NAT as associated with my machine so if they try to connect to my machine later, for example to download a block, they get through), so my torrents are just left to seed after downloading (if I stop it and start seeding later, it might not work anymore depending on how long has passed).

    Fortunately I have a fast internet connection and torrenting is done in a server machine, so I just leave it setup to a 2:1 seeding ratio for as long as it takes to get there and pretty much all torrents I download reach that seeding ratio (it pretty much only fails to reach that on really obscure torrents with very small swarms).

    I’ve been sailing the high seas for over 3 decades and long ago saw the importance of doing my bit to keep the whole ecosystem alive.

    So I might not be seeding everything I have (and as it’s been 3 decades, I do have some stuff which is now very obscure), but everything I get from the community I seed 2x as much so that others can get it too.


  • If the post was about themselves, saying “I am queer” is fine IMHO (as would’ve been to say “I am straight” or imply it for example by saying “I’m a man” and “I have a wife”) as that’s about that person so sharing what they feel defines them as person is the whole point and restricting mentions of one’s sexual orientation there is at best idiotic.

    Had it been on a post about something Canonical or Ubuntu, in my view mentioning one’s sexual orientation would probably not have been appropriate, mainly because it would be raising an irrelevant and (sadly, in the present day) ideologically charged subject, same as it would be inappropriate to mention one’s political allegiance in the same context.

    All in all I hope the moderator who made that mistaken moderation action has been taught the difference and been alerted to how their own internal biases are leaking into the professional sphere, which they shouldn’t.


  • I see, with your clarification that does make more sense.

    Frankly I would’ve rather have avoided Intel because, well, they’re Intel, but from what I saw when I looked around, the N100 was an x86 designed for that kind of use, had far more computing power than the disappointing cheap ARM based Android TV boxes I had tried before (I’ve been using TV Boxes since well before they were common and the last one was so old that it couldn’t handle newer media anymore, so I started looking around and first tried replacing it with a cheap Android TV box) and I could get a Mini-PC for roughly the same price as a good Android TV box for making my own thing fully under my control (i.e. Linux with my chosen media player and services, rather than a closed Android riddled with bloatware), so I went for it and am happy with the result.

    As for desktop environment, in practice the thing just runs Kodi all the time as the frontend, hence is perfect for controlling with a remote, like the one I linked in my original post. Any linux style kind of management I do remotely from other computers, either from the command line via SSH or via web interfaces. In practice whilst I do have a keyboard and mouse connected to it, they’re very rarely used.

    I later found out that using LibreELEC (a whole Linux distro meant specifically for use as a TV box where Kodi is the frontend) would probably have been an optimal choice for a TV box rather than starting from a light ubuntu variant and customizing it myself, plus LibreELEC would’ve worked just as well on an ARM based SBC (something like an Orange Pi 3) which would’ve been cheaper and would’ve used even less power. That said, I had intended from the start to hang more services from that box (for example, I wanted to replace the NAS “solution” I had in place using my router, which only supported SMBv1) so starting from a more generic Linux distro probably made more sense than using a TV Box specific light distro.

    The thing is a bit of a Frankenstein monster on the inside but doesn’t at all look like it when used in my living room to play media on the TV.


  • If the thing is not meant to use as a Desktop, why load it with heavier applications that aren’t delivering anything useful?

    No matter how efficient a core is at most tasks, it can’t beat the power savings of not actually running needless code.

    My homemade TV Box isn’t running a lightweight desktop because I had to “limit myself”, it’s running one because I’m not losing anything by not having that which I don’t use and if that even just saves a few Watts a week, it still means I’m better off, which is satisfying as I like to design my systems to be efficient.

    For fancy Linux Desktop things I have an actual Desktop PC with Linux - the homemade TV Box on my living room is only supposed to let me watch stuff on TV whilst I sit on my sofa.

    Further, there are more than one form of efficiency - stuff like the N100 (and even more, the ARM stuff) are designed for power consumption efficiency, whilst desktop CPUs are designed for ops-per-cycle efficiency, which are not at all the same thing: being capable of doing more operations per cycle doesn’t mean something will consume less power in doing so (in fact, generally in Engineering if you optimize in one axis you lose in another) it just means it can reach the end of the task in fewer cycles.

    For a device that during peak use still runs at around 10% CPU usage, having the ability to do things a little faster doesn’t really add any value.

    Even the series 4000 Zen2 being more optimized for power consumption is only in the context of desktop computers, a whole different world from what the N100 (and even more things like ARM7) were designed to operate in, which is why the former has a TDP of 140W and the latter of 15W (and the ARMs are around 6W). Sure the TDP is a maximum and hence not a precise metric for a specific use case such as using something as a TV Box, but it’s a pretty good indication of how much a core was optimized for power consumption, and 15W vs 140W is a pretty massive distance to expect that any error in using TDP to estimate how the power consumption of those two in everyday use as a TV Box compares would mean that the CPU with 140W TDP consumes less than the one with 15W.

    PS: All that said, if the use case was “selfhosting” rather than “TV Box (with a handful of lightweight services on the side)”, your suggestion makes more sense, IMHO.


    Also, in my experience of trying Android boxes first and ending up with a Mini-PC with Linux, the Android boxes which are cheaper than basic Mini-PCs like the one with an N100 that I have, are underpowered, and the ones which aren’t underpowered cost about the same as the Mini-PC.

    Further, you can install all manner of services running on the background on the Linux machine: mine works as TV Box with Kodi as the frontend that’s displayed on my TV, but it’s also working as my home NAS and runs a bittorrent server with a web interface on top of an always on VPN, all of which uses very little of its computing power. I manage the “linuxy” stuff remotely via web-interfaces and SSH whilst in the living room where it is I actually have a remote for it and use it just like a regular TV Box.

    This in addition to as you pointed out the Android stuff being locked down and often bloated.

    I really would advise people against an Android TV box, but if one really wants the lower consumption of those (they do consume half as much power as my Mini-PC, with TDPs around 8W or less to the Mini-PC’s 15W) best get an SBC and a box for it, and then install Libreelec on it or a full linux distro (often the manufacturers have a Linux distro for those and there’s always Armbian).


  • I use one of these which I got from AliExpress along with one of these, though of course it will work fine with mouse and keyboard.

    (Please note that I haven’t tested it specifically with a bluetooth keyboard and mouse).

    I installed Lubuntu on it because it’s a lighter distro (it will work fine with the full desktop Linux distros, but why waste computing power on fancy window managers for something that’s just a TV Box that’s always showing Kodi) and have it always turned on (the TDP of this is pretty low) with Kodi as interface and it runs perfectly.

    It’s sitting on my living room under the TV.

    It’s probably a little overpowered, but that means its fan almost never turns on (it’s pretty quiet when it does, but silence is better), so I’m also running a bittorrent server on it with an always on VPN, plus it’s my NAS. There’s room for more if I wanted.

    I don’t really understand people advising the more powerful Mini-PCs: they’re way overpowered for the job hence needlessly expensive plus the TDP of their processors is way more than the N100 in this one hence it both consumes more and is a lot less quiet because the fan has to be bigger and running a lot more often to cool that hotter processor down.

    PS: Also the downside of using old PCs for this as some recommend is their higher power consumption, even for notebooks, plus they generally don’t really look like a nice TV-Box to have in your living room, which this one does. If you’re going to run it all the time, a low TDP mini-pc will probably quickly pay itself over using an old desktop, longer if versus an old notebook.


  • In Linux, if you run games with Lutris, you can have them sandboxed with your sandboxing app of choice (personally I use firejail) by changing the “command prefix” option in the configuration for the game (or setting it as the default in the global Lutris configuration).

    Also Lutris defaults to a different Wine instance per game, so Windows-specific malware would only ever affect the wine instance of that game.

    So if you’re worried about pirated Windows games might contain Linux specific malware meant for when the game is running under Wine (as Wine is just an adaptor, not an emulator or sandboxing layer) you can go as crazy as you want in blocking what that executable can access, all fully under your control.


  • Just keep any torrent you download seeding after you finished the download and you will easily get a seed/download ratio of 2 or more.

    Even without static port-forwarding, the NAT translation done by the Mullvad router will automatically keep track of external machines to which your own machine has connected to recently, in order to forward to it any connections back, and since the torrent protocol pretty much connects to the whole swarm during the download stage (even if it doesn’t download from most of them, it still connects to each swarm participant to check which parts they have), which means that after your download stage for a torrent is over, for a while (hours, in my experience) if any of those machines tries to connect back the connection gets properly forwarded by the Mullvad router to your machine because it still recognizes them as associated with your host and forwards the connection correctly.

    What won’t work without static port-forwarding is starting seeding from scratch, resuming seeding after you stopped it for a while (a day or more) and very small size torrents (because the swarm changes very fast when the download size is very small and is quickly done, and the new machines in the swarm which your own machine did not connect to during your own download stage, won’t be associated in the Mullvad router with your machine so it can’t do automatic routing of their connection attempts).

    The point being that it’s perfectly fine to torrent with a VPN without port-forwarding and you can do it without being a leecher as long as you’re not just downloading tiny torrents and you make sure to leave the torrents to seed for a while after the download stage is over. What you can forget about is seeding from scratch or to remote machines you did not download any data from, which is a problem if you’re trying to get a good ratio for private trackers since you can’t just fire up a torrent for seeding alone and all uploading can only happen following your downloading of that same torrent.
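The NAT behaviour described in the long explanation earlier on this page and in the seeding comment just above (an outbound connection creates the association, an unsolicited inbound connection is dropped, a static port forward always works, and idle associations age out), as an added toy model written for this page. It is not the commenter's code nor any router's implementation, and all addresses and ports are constructed from the RFC 5737 documentation ranges.

```python
"""Toy connection-tracking NAT: dynamic (outbound-created) and static (port-forward) entries."""


class Nat:
    def __init__(self, public_ip, idle_timeout=300, first_port=40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout   # seconds an unused association survives
        self.next_port = first_port        # next external port to hand out
        self.dynamic = {}                  # ext_port -> {"internal", "remote", "last_used"}
        self.static = {}                   # ext_port -> (int_ip, int_port), never expires

    def add_port_forward(self, ext_port, int_ip, int_port):
        """Static rule: anything arriving on ext_port always goes to int_ip:int_port."""
        self.static[ext_port] = (int_ip, int_port)

    def outbound(self, int_ip, int_port, remote_ip, remote_port, now):
        """Internal host opens a connection: reuse or allocate an external port and record it."""
        for ext_port, entry in self.dynamic.items():
            if entry["internal"] == (int_ip, int_port) and entry["remote"] == (remote_ip, remote_port):
                entry["last_used"] = now
                return self.public_ip, ext_port
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[ext_port] = {"internal": (int_ip, int_port),
                                  "remote": (remote_ip, remote_port), "last_used": now}
        return self.public_ip, ext_port

    def inbound(self, remote_ip, remote_port, ext_port, now):
        """Packet from outside to public_ip:ext_port. Returns the internal target, or None if dropped."""
        self.expire(now)
        if ext_port in self.static:                      # port forward: no prior contact needed
            return self.static[ext_port]
        entry = self.dynamic.get(ext_port)
        if entry and entry["remote"] == (remote_ip, remote_port):   # only the peer we talked to
            entry["last_used"] = now
            return entry["internal"]
        return None                                      # unknown sender: router has no association

    def expire(self, now):
        """Forget associations that have been idle longer than idle_timeout."""
        stale = [p for p, e in self.dynamic.items() if now - e["last_used"] > self.idle_timeout]
        for p in stale:
            del self.dynamic[p]


def demo():
    """Walk through the cases from the comments; all endpoints are constructed sample values."""
    nat = Nat("203.0.113.7", idle_timeout=300)
    client = ("192.168.1.20", 51413)       # torrent client behind the NAT
    peer = ("198.51.100.5", 6881)          # swarm member the client connected to
    stranger = ("198.51.100.9", 6881)      # swarm member the client never contacted
    results = {}
    _, ext = nat.outbound(*client, *peer, now=0)
    results["ext_port"] = ext
    results["peer_back"] = nat.inbound(*peer, ext, now=60)        # forwarded: association exists
    results["stranger"] = nat.inbound(*stranger, ext, now=60)     # dropped: never talked to them
    results["jellyfin_no_fwd"] = nat.inbound("192.0.2.3", 40123, 8096, now=60)   # dropped
    nat.add_port_forward(8096, "192.168.1.30", 8096)              # static forward for the service
    results["jellyfin_fwd"] = nat.inbound("192.0.2.3", 40123, 8096, now=60)      # forwarded
    results["peer_after_idle"] = nat.inbound(*peer, ext, now=1000)  # association aged out
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```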


  • Well, the N100 does have a lot more breathing space in terms of computing power, so it’s maybe a better bet for something you want to use for a decade or more, and that remote control I linked to above does work fine, except for the power button (which will power your Linux off but won’t power it back on).

    I actually tried an Android TV Box (which is really just an SBC in the same range of processing power as the Pi) for this before going for the Mini PC and it was simply not as smooth operating.

    That Mini-PC has enough computing power room (plus the right processing extensions) that I can be torrenting over OpenVPN on a 1Gb/s connection whilst watching a video from a local file and it’s not at all noticeable on the video playback.