Hi! Relatively new to network stuff, please forgive the lack of terminology.

The situation is as follows:

I have an old PC that I have reused as a home server. It currently runs my Plex and network share, and hosts a few private projects locally. (In a Windows environment… Noob setup, just followed the LTT guide, miserable, I know.) I know the very basics of virtualization, have also played around with Proxmox on the server, still have it installed, but so far not much progress in learning it. However, I want to make some parts of the server accessible publicly for very small-scale private web project hosting and general learning about hosting/self-hosting, networks, development, security, etc.

I was on a dynamic IP provided by the ISP. I could manage workarounds for changing IP addresses, but, in any case, port forwarding on my router doesn’t work because of how the ISP’s infrastructure is set up, so that kind of screwed with things. After a long conversation with my ISP, they now provide me one dynamic IP and one static IP (at no additional cost; in fact, my monthly bill will now be 10 cents lower!). I want to use the dynamic IP for my private LAN, and the static IP for the public parts of my server. Reasoning goes that I don’t want my whole entire private network sitting on a static IP.

However, they don’t provide two physical access points: all traffic goes through one single fiber optic network cable that comes into my house. It then plugs into a device that my ISP set up and I have no knowledge of, other than the name: Huawei EchoLife EG8010H. From it I ran a Cat5 cable to the input of my router, a TP-Link Archer C1200. Currently all my network devices are connected, via Cat5 or Wi-Fi, to this router. Including the server.

Desired result :

Essentially, I want to move some functionality running on the server out of my LAN to its own static IP. However, there are certain parts of its functionality that I’d like to keep for internal use only (like Plex and LAN share). I know I will, at the very least, have to set up separate VMs for functionalities that I want to keep on separate networks. Also, in the future it’s likely that I’ll want to make more devices accessible publicly (private IoT projects), so I assume I will also have to have another router running on the static IP connection.

Obviously I have virtually no control over the ISPs Huawei device. However, they told me that in place of my router, I have to connect a network switch, and then run two cables from the switch to two separate routers. When that is done, I should call them and they’ll do some kind of setup. I gathered that it’s related to MAC addresses.

So eventually, I gather, I will run two networks -

  1. My LAN on a dynamic IP
  2. Public stuff on my server and other devices on a static IP.

Vaguely worded questions for lack of more knowledge of things and terminology :

  1. Is plugging a switch between the Huawei and two routers, and some configuration, really all that’s necessary? Does it work like that at all? Wouldn’t a malicious party be able to cross through the static IP connection into my LAN via the switch?
  2. Do I have to look for anything specific for the switch, DHCP support or anything like that? Are there any other pitfalls that I don’t yet know about or might have missed?
  3. To keep the private parts of the server private, do I install another network card in it, then run a cable from the router that is going to be configured for dynamic IP, and configure the VMs to be accessible only via that network interface? Is it possible and is it safe? Would it be better/safer to run a separate dedicated machine for public hosting, entirely apart from my home server?

Final thoughts :

How can I learn more about networking, security, servers, virtualization, hosting, all these related questions? I find it hard to come by any materials that could help me extend my knowledge. Mostly I see either basic information that assumes you know basically nothing, like explaining the difference between IP and MAC addresses, or skimming the surface of how DNS works, or really advanced things where I’m completely lost and out of my depth, like subnetworks and IP address maths. It feels like all the intermediate knowledge is either so common that nobody really talks about it in a constructed manner, or is locked behind some school or key that I don’t know about. I’ve tried to also study the wiki here, but to me it just looks like what it is at face level: a list of hardware and software with some generic description about its functionality. It does not help me understand how the underlying dependencies work together to make a working system. It does not help me learn the best practices of structuring a network, or server virtualization, or security.

I’ve spent many, many years as a Windows power user, since Windows 95. Worked at an ISP (not the one in question here) as an assistant technician for a time, spent a lot of time providing all kinds of user and tech support, with which comes a lot of dealings with all kinds of hardware also: computer hardware, network hardware, peripherals, electronics repair, etc. Coming up on 5 years of experience also as a software dev. So I’ve definitely been around and seen some stuff, but haven’t branched out really into the networking and servers realm. Recently decided to gradually move away from Windows, hate the direction they’re going, and started to embrace Linux and FOSS. And I feel the same lack of finding any form of consistent and constructed knowledge also in the Linux realm; it looks like people just assume that you know things.

Is the way forward just playing around, stepping on all the rakes and dealing with the bumps as they come? I fully assume, of course, that my lack of finding new information might be based on some basic knowledge that I’m missing. Is there maybe a “roadmap” that could be used to guide someone on the networking journey?

  • tango_suckah@alien.topB · 1 point · 10 months ago

    Is plugging a switch between the Huawei and two routers, and some configuration, really all that’s necessary? Does it work like that at all?

    Technically, yes. This is pretty common in enterprise. In fact, on my second internet connection here at home (used for work) I have 13 static public IPs, and I use them for testing configurations. The connection comes into my core switch, allowing me to put any number of firewalls “on the WAN” without opening any of my internal network to that traffic.

    Wouldn’t a malicious party be able to cross through the static IP connection into my LAN via the switch?

    No, because connected to the switch are two separate NAT routers/firewalls.

    Do I have to look for anything specific for the switch, DHCP support or anything like that?

    No, all I would look for is a layer 2 switch. Any of those little Netgear/TP-Link/etc five port jobs will do it for you.

    Are there any other pitfalls that I don’t yet know about or might have missed?

    Yes: security. There is no way in hell I would expose anything intentionally to the internet with just a consumer router in the way. In your case, this is doubly important because you are coming at this from a lack of knowledge. There’s nothing wrong with lacking knowledge – we’re not born knowing anything. It’s just far too easy to inadvertently open yourself up to attack.

    To keep the private parts of the server private, do I install another network card in it, then run a cable from the router that is going to be configured for dynamic IP, and configure the VMs to be accessible only via that network interface? Is it possible and is it safe?

    Without knowing the rest of your network topology, I want to say this is a soft “yes”. Again, I do this: my VM host’s network configuration includes the VLAN that leads to my business ISP. I can put a VM (e.g., a firewall VM) on the ISP VLAN and then put other VMs “behind” it on another VLAN. This forces the traffic to pass through the firewall and keeps the rest of the network secure.

    Make sure you understand what’s happening before exposing anything internal to the network, and that includes your host’s network configuration.

    Would it be better/safer to run a separate dedicated machine for public hosting, entirely apart from my home server?

    In your case, this is what I would do. You don’t need much. If you check out Level1Techs or ServeTheHome, they’ve been doing tons of reviews on little mini PCs that would be perfect for this job. You could install Proxmox on them and use a virtual firewall distro like pfSense along with a few VMs to serve up. Just be careful about how you connect that host to the rest of your network for management.

    Alternatively, consider one of the low-cost cloud hosted solutions. I used DigitalOcean often for small projects I needed exposed to the internet. For $5-10 per month, you get a VM you can work with and expose absolutely none of your home network until you’re confident you can secure it.
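The layout described in the answer above (a firewall VM with one leg on the ISP segment and the public VMs behind it on a separate bridge or VLAN) is easiest to reason about once its policy is written down. The following nftables ruleset is an added example for this page, not configuration posted by anyone in the thread. It assumes a firewall VM whose `eth0` sits on the static-IP side (the host bridge or VLAN that reaches the ISP switch) and whose `eth1` sits on a second, host-only bridge holding nothing but the public VMs; a public-VM subnet of 10.10.10.0/24 with the web VM at 10.10.10.10; and RFC 5737 documentation addresses (203.0.113.0/24, gateway 203.0.113.1) as placeholders for the ISP subnet. All of those names and addresses are assumptions to replace with your own, and the ruleset is IPv4 only.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): firewall VM that owns the static IP.
# Assumed interfaces/addresses, replace with your own:
#   eth0 = WAN leg on the ISP switch segment (static IP)
#   eth1 = host-only bridge carrying only the public VMs
#   10.10.10.0/24 = public-VM subnet, 10.10.10.10 = web VM
#   203.0.113.0/24, 203.0.113.1 = placeholders for the ISP subnet and gateway

flush ruleset

define WAN     = "eth0"
define PUB     = "eth1"
define PUB_NET = 10.10.10.0/24
define WEB_VM  = 10.10.10.10
define WAN_NET = 203.0.113.0/24   # placeholder: the ISP subnet shared on the switch
define WAN_GW  = 203.0.113.1      # placeholder: the ISP default gateway

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Nothing on the firewall itself is reachable from the internet.
        # Management (SSH) is accepted only from the public-VM side, which you
        # reach through the Proxmox console or a jump VM, never from $WAN.
        iifname $PUB tcp dport 22 ct state new accept
        # DNS/DHCP for the public VMs, if this VM serves them.
        iifname $PUB udp dport { 53, 67 } accept

        # Rate-limit echo requests; accept the ICMP errors path MTU and traceroute need.
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only the DNAT'd web ports may enter the public segment from the WAN.
        iifname $WAN oifname $PUB ip daddr $WEB_VM tcp dport { 80, 443 } ct state new accept

        # Public VMs may reach the internet, but not private address space
        # (belt and braces against leaks onto anything RFC 1918 on the ISP side)
        # and not other hosts on the ISP segment: your private router's WAN port
        # is on that same switch, so the only on-link address they may talk to
        # is the ISP gateway.
        iifname $PUB oifname $WAN ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname $PUB oifname $WAN ip daddr $WAN_NET ip daddr != $WAN_GW drop
        iifname $PUB oifname $WAN ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish only the web VM's HTTP/HTTPS on the static IP.
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB_VM
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide the public-VM subnet behind the static IP.
        oifname $WAN ip saddr $PUB_NET masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; IP forwarding must be enabled in the firewall VM for the forward chain to see any traffic. The two extra drop rules in the forward chain are the caveat behind the switch question: on a plain layer 2 switch the private router's WAN interface and the firewall VM's WAN interface share one broadcast domain, so without those rules a compromised public VM could reach the private router's WAN address directly. On the Proxmox host, give the bridge that carries the WAN leg no address of its own, so the host's management interface never sits on the static-IP segment.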

    • Smaidz@alien.topOPB · 1 point · 10 months ago

      Thank you so much for this amazing answer! VLAN, WAN, NAT, switch layers, lots of new stuff to read up on! I could go with a separate, low power machine for public hosting for now, at least until I have a firmer grasp of security basics. Then again, I’m getting the second IP literally for even less than free, so no losses incurred if it sits unused until I learn up. I have considered cloud hosting, looked at multiple options, DigitalOcean, Heroku and AWS included. But I’ve always been drawn to messing with hardware, and all of cloud hosting is very “virtual”, for a lack of a better term. None of it has the same appeal for me as having a physical, self-hosted machine, that I can use and modify however I need or want to.

      Do you maybe have any suggestions for starting points in network/server security? I’ve seen a lot of general information, like disabling and never using root accounts in any Unix/Linux environment, only use sudo for extreme necessities, and other basic setup tips, like setting up a firewall VM or having everything pass through a separate hardware machine that acts like a firewall. But, again, very seldom do I find anything explained, like, why is root dangerous, what is a firewall VM, what software do I use for this thing or that thing, best practices of hardware/software/connectivity/permissions/access, etc. The information that I do find is very lacking and scattered, like, it’ll say that root is dangerous because if compromised it can affect the whole system. Okay, I get that, but then how is it different from an Admin with full access? Why is one safer than the other, if both can be set up with the same protections against malicious parties? It’s things like this that I’m confused by, and lacking either the knowledge or terminology to find out. I feel like I have a lot of chunks of information in my head about all these topics, but I’m missing the substance, the thread that ties it all up.

      • tango_suckah@alien.topB · 1 point · 10 months ago

        Do you maybe have any suggestions for starting points in network/server security?

        This is a deep question. I would start by Googling “cybersecurity best practices for business” and read/watch some videos. I can reply later with some more detail on your other questions.