domi

joined 1 year ago
[–] domi@lemmy.secnd.me 13 points 4 months ago

Does it lock up when booting? Fedora's kernel has issues booting on Surface devices since Fedora 39.

You either need to switch kernels (e.g. linux-surface kernel) on a different machine or switch distro.

Running an outdated Fedora version is not the solution.

[–] domi@lemmy.secnd.me 3 points 5 months ago

That only applies to the GNOME variant, the KDE spin is missing the third party repo toggle.

At least the Flathub repo is fixed on the GNOME variant now. The Nvidia repo is added but the driver is not installed, meaning you still need to use the CLI to install the drivers.

https://rpmfusion.org/Howto/NVIDIA

[–] domi@lemmy.secnd.me 5 points 5 months ago (1 children)

No, it's like buying a car without understanding how the engine works, which a lot of people do.

[–] domi@lemmy.secnd.me 10 points 5 months ago (4 children)

It caters to a middle ground that barely exists, meaning it doesn't have enough options for a power user and too many for a newcomer.

For example, a newcomer doesn't know what a root account is and doesn't have to care, yet they have to choose if they want to enable or disable the account. They can also remove their administrator privileges without knowing what it means for them. I get asked what a root account is every time somebody around me tries to install Fedora.

I recommend spinning up an Ubuntu 24.04 VM and taking a look at their installer.

They have a clear structure on how to install Ubuntu step by step while Fedora presents you everything at once. They properly hide the advanced stuff and only show it when asked for it. They have clear toggles for third party software right at the installer and explain what they do. Fedora doesn't even give you the option to install H264 codecs or Nvidia drivers.

It also looks a lot cleaner and doesn't overload people with too much info on a single screen. And yet it can still do stuff like automated installing and has active directory integration out of the box, where the Fedora installer miserably fails for a "Workstation" distro.

The Fedora installer works, but it doesn't do much more than that and the others do it better in many areas.

[–] domi@lemmy.secnd.me 23 points 5 months ago* (last edited 5 months ago) (11 children)

Long-time Fedora user here. I do not think Fedora is noob friendly at all.

  • Their installer is awful
  • Their spins are really well hidden for people who don't know they exist
  • The Nvidia drivers can't be installed via the GUI
  • There's no "third party drivers" tool at all
  • The regular Flathub repo is not the default and their own repo is absolutely useless
  • AMD/Intel GPUs lack hardware acceleration for H264 and H265 out of the box, adding them requires the console
  • Their packages are consistently named differently than their Ubuntu/Debian counterpart

I really like Fedora for their newish packages without breaking constantly. I still would not recommend it for beginners.

[–] domi@lemmy.secnd.me 17 points 5 months ago (1 children)

That's less of an opinion and more of a hardware restriction, isn't it?

If I had a 5 Mbps connection or no display that can display 4k, I also would not download in 4k.

[–] domi@lemmy.secnd.me 1 points 5 months ago* (last edited 5 months ago)

Off the top of my head, why did you set the prefix to 0x1? I was under the impression that it only needs to be set if there are multiple vlans

I have multiple VLANs, 0x1 is my LAN and 0x10 is my DMZ for example. I then get IP addresses abcd:abcd:a01::abcd in my LAN and abcd:abcd:a10::bcdf in my DMZ.

However, I get a /56 from my ISP which gets subnetted into /64. I heard it's not ideal to subnet a /64 but you might want to double check what you really got.

what are your rules for the WAN side of the firewall?

Only IPv4 + IPv6 ICMP, the normal NAT rules for IPv4 and the same rules for IPv6 but as regular rule instead of NAT rule.

My LAN interface is only getting an LLA so maybe it’s being blocked from communicating with the ISP router.

If you enable DHCPv6 in your network your firewall should be the one to hand out IP addresses, your ISP assigns your OPNsense the prefix and your OPNsense then subnets them into smaller chunks for your internal networks.

It is possible to do it without DHCPv6 but I didn't read into it yet since DHCPv6 does exactly what I want it to do.

[–] domi@lemmy.secnd.me 1 points 5 months ago* (last edited 5 months ago) (3 children)

I'm no expert on IPv6 but here's how I did it on my OPNsense box:

  • Activate IPv6 on your WAN interface (probably already done)
  • Activate IPv6 on the LAN interface, use Track interface on IPv6, track the WAN interface and choose a prefix ID like 0x1
  • Activate DHCPv6 under Services -> ISC DHCPv6 for your LAN interface (you can shorten the range like ::eeee to ::ffff, you don't have to type the full IP)
  • Activate Router advertisements under Services -> Router Advertisements for your LAN interface (set Advertisements to Managed and Priority to High)

After that your DHCP server should serve public IPv6 addresses inside of your prefix and clients should be able to connect to the internet.

A few notes:

  • Don't forget to add an allow rule for IPv6 on your LAN as well if you only have one for IPv4
  • Repeat the steps above for every VLAN you have, always use a different prefix ID
  • You don't have to use NAT rules with IPv6 anymore and can just directly add a regular firewall rule to WAN with the target IP and port and you are done
  • Make sure you don't have any of the various "Disable IPv6" toggles enabled, there's a few in the firewall settings and general settings for example
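
The prefix ID arithmetic behind the steps above and the 0x1/0x10 VLAN layout mentioned in the newer reply, as an added example (not part of the original comments and not OPNsense code). It assumes the documentation prefix 2001:db8:abcd:a00::/56 in place of a real ISP delegation; the function names are hypothetical.

```python
import ipaddress

def lan_prefix(delegated, prefix_id):
    """Return the /64 an interface gets when it tracks WAN with prefix_id."""
    net = ipaddress.IPv6Network(delegated)
    id_bits = 64 - net.prefixlen          # bits left over for the prefix ID
    if id_bits < 0:
        raise ValueError(f"{net} is longer than /64")
    if not 0 <= prefix_id < (1 << id_bits):
        # A delegated /64 has zero ID bits, so only prefix ID 0 fits.
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {net}")
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def plan(delegated, prefix_ids):
    """Map interface name -> /64, rejecting a prefix ID used twice."""
    owner, result = {}, {}
    for name, pid in prefix_ids.items():
        if pid in owner:
            raise ValueError(f"{name} and {owner[pid]} share prefix ID {pid:#x}")
        owner[pid] = name
        result[name] = lan_prefix(delegated, pid)
    return result

def dhcp_range(lan, start, end):
    """Expand a shortened DHCPv6 range such as ::eeee to ::ffff."""
    base = int(lan.network_address)
    lo = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(start)))
    hi = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(end)))
    return str(lo), str(hi)

if __name__ == "__main__":
    DELEGATED = "2001:db8:abcd:a00::/56"  # constructed sample delegation
    nets = plan(DELEGATED, {"LAN": 0x1, "DMZ": 0x10})
    for name, net in nets.items():
        print(name, net, dhcp_range(net, "::eeee", "::ffff"))
    try:
        lan_prefix("2001:db8:abcd:a00::/64", 0x1)
    except ValueError as exc:
        print("rejected:", exc)
```
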

[–] domi@lemmy.secnd.me 3 points 5 months ago (1 children)

That is what I'm doing currently but now unbound doesn't talk to the root servers anymore, it sends all queries to Quad9.

Both scenarios are not ideal because you always end up with one entity knowing all your queries.

[–] domi@lemmy.secnd.me 3 points 5 months ago (1 children)

Not illegal but it leaves all your DNS lookups in plain text with your ISP, which just doesn't sit right with me.

Not that the ISP in my country would care.

[–] domi@lemmy.secnd.me 8 points 5 months ago (6 children)

Is it possible to get unbound to talk to the root servers via TLS/HTTPS by now?

I'm currently using Quad9 because they support DNS over TLS and DNS over HTTPS.

[–] domi@lemmy.secnd.me 6 points 5 months ago

Eternal was a recipe for stress for me.

That's the thing that made it great for me, but I liked both 2016 and Eternal for different reasons. Would be great if they can somehow satisfy both camps with the next entry.
