Open one router port to WAN only, others to LAN

smoltron · February 1, 2025, 12:30pm

My question is, how should I connect my Debian server to Internet without endangering my home LAN.
I should have four IP addresses from my fiber provider. One is taken by by my router and other ones are unused now. My router is x86 OpenWRT, with four ports as follows:

0: wan, wan6
1 and 2: br-lan
3: reserved to my private Debian server, will be open to Internet

What would be a good way to open port 3? I can of course put port 3 to the br-lan and forward needed ports from wan. However, I am wondering if it is possible to bridge port 3 with port 0 and receive the IP address for the Debian server directly from the fiber provider. Then my server address would not identify the router. I tried to find examples, but did not find good ones.

lleachii · February 1, 2025, 3:18pm

You could use SNAT to use the other public IP.for the server, instead of the general IP on WAN

To be clear, what dangers are you concerned about?

smoltron · February 1, 2025, 3:27pm

Nothing specific. I just thought that a totally separate address would be better.
I am now trying to do this as a separate DMZ interface. The documentation seems to be mostly obsolete though. Making DHCP work is my problem now.

Gharib24 · February 1, 2025, 10:49pm

Create a bridge (br-wan) and add ports 0 and 3.
Assign br-wan as the device for the wan interface so the Debian server can receive an IP from your fiber provider (ISP).