Home server network positioning and security

Hello Guys,

First of all, Happy Holidays, I hope you are all well!

I'm about to install an Ubuntu home server in my house to host some game servers and an Apache server.
My ISP will provide static address for me, so I do not need to worry about DDNS configuration.

The problem is that I'm really concerned about the security. I will change some of the usual stuff like SSH ports, will also install fail2ban, and make sure that I only open ports I really need to public.
But I can't figure out what would be the best way to position the server and change my home network configuration. I really want to do my best to keep everyone in the LAN safe, (I already know that this is really hard given the fact that I use cheap TP-link router). I really think that the server can handle WAN stuff better, so I was thinking about WAN > Server > Router. The server already has 2 network cards, so I can forward the traffic to the other one and attach my home router there. However, I'm willing to sacrifice WAN stability to achieve better security and put the server behind my router - WAN > Router > Server.

Thinking about both options, aren't they the same? In both ways all LAN clients in my home network will be behind the router that has some firewall stuff built in.
I will greatly appreciate your opinions and ideas on this.

Thank you very much!

This doesn't really work for most networks unless your server is also a router with a robust firewall. Your server should be behind the router.

Are you running OpenWrt on your TP-Link router? If so, you have lots of options in terms of how you structure your network, including VLANs to keep things separated wherever that might be good for your security needs.

1 Like

Thanks for your reply. Yes, I'm running an OpenWrt.

I'm looking at the VLAN documentation, but it seems like I will need some time to understand how everything works. I'm assuming that in order to isolate the server from my default LAN (server will be connected to port 1), I would need to create VLAN 3 that should probably look like this:

Yes, that is the start of how you would setup a VLAN for your server. You'll also need to setup the network interface for it, and then figure out your requirements for the firewall (i.e. what is the security/access model for the devices on your trusted LAN to connect to your server and vice versa, and a few other aspects).

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.