this post was submitted on 19 Jun 2025
155 points (98.7% liked)

Selfhosted

48649 readers
346 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
155
[SOLVED] ELI5: How to put several servers on one external IP? (infosec.pub)
submitted 6 days ago* (last edited 6 days ago) by Allero@lemmy.today to c/selfhosted@lemmy.world
102 comments fedilink hide all child comments
 

I'm pretty new to selfhosting and homelabs, and I would appreciate a simple-worded explanation here. Details are always welcome!

So, I have a home network with a dynamic external IP address. I already have my Synology NAS exposed to the Internet with DDNS - this was done using the interface, so didn't require much technical knowledge.

Now, I would like to add another server (currently testing with Raspberry Pi) in the same LAN that would also be externally reachable, either through a subdomain (preferable), or through specific ports. How do I go about it?

P.S. Apparently, what I've tried on the router does work, it's just that my NAS was sitting in the DMZ. Now it works!

top 50 comments
sorted by: hot top controversial new old
[–] tofu@lemmy.nocturnal.garden 66 points 6 days ago (1 children)

You need a reserve proxy. That's a piece of software that takes the requests and puts them toward the correct endpoint.

You need to create port forwards in the router and direct 80 and 443 (or whatever you're using) toward the host of the reverse proxy and that is listening to on those ports. If it recognized the requests are for nas.your.domain, it will forward the requests to the NAS.

Common reverse proxies are nginx or caddy. You can install it on your raspberry, it doesn't need it's own device.

If you don't want that, you can create different port forwards on your router (e.g. 8080 and 8443 to the Raspi) and configure your service on the Raspi corresponding. But it doesn't scale well and you'd need to call everything with the port and the reverse proxy is the usual solution.

[–] Allero@lemmy.today 3 points 6 days ago (3 children)

There's an issue with that first part. Do I configure it right? Should :8100 be redirected to 192.168.0.113:81 in this case?

[–] infeeeee@lemmy.zip 11 points 6 days ago (5 children)

External 80 to internal 80 and external 443 to internal 443

With this config you don't have to deal with ports later, as http is 80, https is 443 by default.

If you run some container on port 81, you have to deal with that in the reverse proxy, not in the router. E.g. redirect something.domian.tld to 192.168.0.103:81

If you use docker check out nginxproxymanager, it has a very beginner friendly admin webui. You shouldn't forward the admin ui's port, you need to access it only from your lan.

load more comments (5 replies)
load more comments (2 replies)
[–] fibojoly@sh.itjust.works 33 points 6 days ago

Welcome to the wonderful world of reverse proxies!

[–] possiblylinux127@lemmy.zip 9 points 6 days ago (2 children)

What are you running?

If it is http based use a reverse proxy like Caddy

[–] Allero@lemmy.today 5 points 6 days ago (1 children)

Update: tried Caddy, love it, dead simple, super fast, and absolutely works!

[–] possiblylinux127@lemmy.zip 2 points 5 days ago (1 children)

Did you also forward UDP port 443?

If not I would as well since it is used for QUIC which is supported and automatically turned on for Caddy.

[–] Allero@lemmy.today 2 points 6 days ago (1 children)

For now just some experiments alongside NAS

Planning to host Bitwarden, Wallabag and other niceties on the server, and then when I get something more powerful, spin up Minecraft server and stuff

[–] greybeard@feddit.online 3 points 5 days ago (1 children)

I'll be honest, if you aren't planning on sharing with others, I'd recommend switching to something like wireguard to connect back into your house instead of exposing everything publicly. Some firewalls have wireguard built in, so you can setup the VPN easily. But then all you have to do is keep your VPN endpoint safe to keep your internal network protected from the Internet, instead of having to worry about the security of everything you expose.

[–] Allero@lemmy.today 2 points 5 days ago* (last edited 5 days ago) (2 children)

That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.

[–] greybeard@feddit.online 2 points 5 days ago (3 children)

There's nothing saying you can't have ports forwarded for the NAS, and have a VPN for everything else. Censorship may be a problem, but those more often block VPN services like NordVPN, not protocols. So running your own is less likely to be stopped. That said, of course comply with local laws, I don't know where you live or what's legal there.

If you really want multiple things exposed at the same time, you have two options(which can be used in combination if needed/wanted):

  1. A reverse proxy. I use caddy. I give it a config file that says what address and port binds to what hostname, and I forward port 443/80 to it. That works great for web content.
  2. Use custom ports for everything. I saw someone else walking you through that. It works, but is a little harder to remember, so good notes will be important.

I still recommend against forwarding a lot of ports as a beginner. It's very common for software and web apps to have security vulnerabilities, and unless you are really on top of it, you could get hit. Not only does that put all your internal devices at risk, not just the one that was original breached, it also will likely become part of a botnet, so your local devices will be used to attack other people. I'd recommend getting confident with your ability to maintain your services and hardening your environment first.

load more comments (3 replies)
[–] possiblylinux127@lemmy.zip 1 points 5 days ago* (last edited 5 days ago) (1 children)

What do you mean by blocked at a protocol level? You might give it a try on a random port to see what happens.

You could also look into port knocking. It is dated but still worth while.

[–] Allero@lemmy.today 1 points 5 days ago* (last edited 5 days ago)

I mean any connection through these protocols is just not working over the Internet. DPI equipment detects respective packets and cuts the connection, irrespective of the port you assign.

[–] Nate066@lemmy.world 10 points 6 days ago* (last edited 6 days ago) (1 children)

VPN is definitely the way to go for home networks. Your router even has one built in. OpenVPN and Wireguard are good.

If you really want to expose stuff like this the proper way is to isolate your home network from your internet exposed network using a VLAN. Then use a reverse proxy, like caddy and place everything behind it.

Another benefit of a reverse proxy is you don't need to setup https certs on everything just the proxy.

You do need a business or prosumer router for this though. Something like Firewalla or setting up a OpenWRT or OPNsense.

Synology also has there quick connect service as well. While not great if you keep UPNP off and ensure your firewall and login rate limiting is turned on it may be better then just directly exposing stuff. But its had its fair share of problems so yeah.

Consider not self hosting everything. For example if all your family cares about is private photo storage, consider using a open source E2EE encrypted service for photos on the cloud like Ente Photos. Then you can use VPN for the rest. https://www.privacyguides.org/ has some recommendations for privacy friendly stuff.

Also consider the fallout that would happen if you are hacked. If all your photos and other things get leaked because your setup was not secure was it really any better than using big tech?

If nothing else please tell me you are using properly setup https certs from Let's Encrypt or another good CA. Using a firewall and have login rate limiting setup on everything that is exposed. You can also test your SSL setup using something like https://www.ssllabs.com/ssltest/

[–] Allero@lemmy.today 4 points 6 days ago* (last edited 6 days ago)

No truly private photos ever enter the NAS, so on that front it should be fine.

VPN is not an option for several reasons, unfortunately.

But I do have a Let's Encrypt certificate, firewall and I ban IP after 5 unsuccessful login attempts. I also have SSH disabled completely.

SSL Test gave me a rating of A

[–] pleksi@sopuli.xyz 5 points 6 days ago (2 children)

I really feel like people who are beginners shouldnt play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you wont even notice unless you’re logging stuff.

Of course you can set up 2FA etc but that’s pretty involved compared to a simple wg tunnel that lives on your router.

[–] Allero@lemmy.today 2 points 5 days ago

For now I'm only toying around, experimenting a little - and then closing ports and turning my Pi off. I do have my NAS constantly exposed, but it is solidly hardened (firewall, no SSH, IP bans for unauthorized actions, etc. etc.), fully updated, hosts no sensitive data, and all that is important is backed up on an offline drive.

[–] r0ertel@lemmy.world 2 points 5 days ago

My mantra is "plan to be hacked". Whether this is a good backup strategy, a read-only VM, good monitoring or serious firewall rules.

[–] MangoPenguin@lemmy.blahaj.zone 10 points 6 days ago

You can either:

A) Use a different port, just set up the new service to run on a port that's not used by the other service.

B) If it's a TCP service use a reverse proxy and a subdomain.

[–] greybeard@feddit.online 6 points 6 days ago (12 children)

The synology NAS can act as a reverse proxy for stuff inside your network. I don't have mine in front of me, so you will have to google the steps, but basically you point the synology to an internal resource and tell it what external subdomain it should respond to.

load more comments (12 replies)
[–] towerful@programming.dev 8 points 6 days ago (6 children)

Who is externally reaching these servers?
Joe public? Or just you and people you trust?

If it's Joe public, I wouldn't have the entry point on my home network (I might VPS tunnel, or just VPS host it).

If it's just me and people I trust, I would use VPN for access, as opposed to exposing all these services publicly

[–] Allero@lemmy.today 5 points 6 days ago (7 children)

Just me and the people I trust, but there are certain inconveniences around using VPN for access.

First, I live in the jurisdiction that is heavily restrictive, so VPN is commonly in use to bypass censorship

Second, I sometimes access my data from computers I trust but can't install VPN clients on

Third, I share my NAS resources with my family, and getting my mom to use a VPN every time she syncs her photos is near impossible

So, fully recognizing the risks, I feel like I have to expose a lot of my services.

load more comments (7 replies)
load more comments (5 replies)
[–] skankhunt42@lemmy.ca 8 points 6 days ago* (last edited 6 days ago) (7 children)

Router gets the public IP. Login to it, find port forwarding option. You'll pick a public port. IE 443 and forward it to a local IP:port combo, IE 192.168.0.101:443.

Then you can pick another public port and forward it to a different private IP:port combo.

If you want a subdomain, you forward one port to one host and have it do the work. IE configure Nginx to do whatever you want.

EDIT: or you use IPv6. Everything is a public IP.

load more comments (7 replies)
[–] webghost0101@sopuli.xyz 6 points 6 days ago (1 children)

Whispers “try proxmox”

[–] Allero@lemmy.today 3 points 6 days ago (1 children)

I will eventually!

But for all I understand, it is to put many services on one machine, and I already have a NAS that is not going anywhere

[–] DarkDarkHouse@lemmy.sdf.org 3 points 6 days ago (1 children)

I've gone the other way. I used to run a Proxmox cluster, then someone gave me a Synology NAS. Now it's rare that I spin up Proxmox and instead use a mix of VMs, containers and Synology/Synocommunity apps.

load more comments (1 replies)
[–] Chewy7324@discuss.tchncs.de 4 points 6 days ago (3 children)

If you go with IPv6, all your devices/servers have their own IP. These IPs are valid in your LAN as well a externally.

But it's still important to use a reverse proxy (e.g. for TLS).

load more comments (3 replies)
[–] EpicFailGuy@lemmy.world 2 points 6 days ago (3 children)

You already have a lot of good answers ... but I got one more to add.

I have a very similar setup on my homelab and I'm using a Cloudflare tunnel.

It's a free service and it's really good because it allows you to expose web services and specific ports for remote access over dynamic IPs without having to expose your own router.

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

load more comments (3 replies)
[–] Smokeydope@lemmy.world 2 points 6 days ago* (last edited 6 days ago) (1 children)

Good to hear you figured it out with router settings. I'm also new to this but got all that figured out this week. As other commenters say I went with a reverse proxy and configured it. I choose caddy over nginx for easy of install and config. I documented just about every step of the process. I'm a little scared to share my website on public fourms just yet but PM me ill send you a link if you want to see my infrastructure page where I share the steps and config files.

load more comments (1 replies)
[–] jacksquat@what.forfi.win 3 points 6 days ago (5 children)

Honestly Cloudflare Tunnels could be a very simple way to do it. I've always had tremendous luck with it. By using CF you can let them do all the heavy lifting instead of hosting your own... as long as you trust them.

[–] BroBot9000@lemmy.world 5 points 6 days ago (2 children)

They are a plague with how prevalent they have become.

The internet shouldn’t put all its eggs into one basket.

It’s just another centralized entity which will lead to monopolized power. It goes against what we are trying to do with federated networks like Lemmy and mastodon.

load more comments (2 replies)
[–] rikudou@lemmings.world 3 points 6 days ago* (last edited 6 days ago) (3 children)

You can use frp to do the same thing a CloudFlare tunnel does without giving them your unencrypted data.

https://github.com/fatedier/frp

load more comments (3 replies)
load more comments (3 replies)
load more comments
view more: next ›