Protecting the network server
Hello, I recently created a private cloud using Proxmox and have all my VMs configured. However, I'm facing an issue—I don't want to expose my IP or application ports to the public internet without any security measures in place. I'm concerned about potential security risks if a VM is compromised, allowing unauthorized access to other devices on my home network. I've explored various options but am unsure which setup would be easiest for five VMs (one Windows and four CentOS). Also, I understand Cloudflare, but it might undermine the main goal of maintaining strong local connectivity and low latency.
What services are offered? Proxmox includes a firewall and guest operating systems. You typically need a DMZ on your router to isolate private devices from remote servers. For a home server, securing it with passwords, logging emails, and keeping it updated helps prevent attacks.
Avoid using the built-in firewall; DMZ works well. Use any standard computer with sufficient processing power—even low-end models—and two Ethernet connections. Install pfSense and proceed.
DMZ only increases exposure, but sending just the necessary ports from the router is safer since the router’s firewall blocks everything else. I’d switch to pfSense instead, and if you need several public IPs, assign them all there and forward the ports. Also consider enabling fail2ban on your servers so they block repeated hack attempts.
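To show what the fail2ban recommendation above actually does on a CentOS guest, here is an added example (not from the thread or from the fail2ban project) that reproduces the sshd jail's maxretry/findtime logic over constructed /var/log/secure lines; the hostname, addresses and log lines are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failed-password line sshd writes to /var/log/secure on CentOS.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; assume one so the window math works.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for every source that fails maxretry times
    within findtime seconds, mirroring fail2ban's sshd jail semantics."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other noise
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            continue                # already banned, nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

# Constructed sample log: 203.0.113.9 hammers sshd within seconds,
# 198.51.100.4 fails twice 25 minutes apart and must not be banned.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar  3 10:00:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50130 ssh2
Mar  3 10:00:05 web1 sshd[1204]: Accepted publickey for deploy from 198.51.100.4 port 41000 ssh2
Mar  3 10:00:09 web1 sshd[1207]: Failed password for root from 203.0.113.9 port 50141 ssh2
Mar  3 10:05:00 web1 sshd[1301]: Failed password for root from 198.51.100.4 port 41010 ssh2
Mar  3 10:30:00 web1 sshd[1402]: Failed password for root from 198.51.100.4 port 41020 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The real tool then adds a firewall rule for each banned address and lifts it after bantime; the sliding window here is what decides who gets that rule.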
It depends on whether you're dealing with a genuine DMZ that blocks any inbound connections from DMZ to inside, or a consumer-grade setup that simply forwards all port lists. The first approach is better if your DMZ layer is at risk because compromising it doesn't affect your internal network. For public servers, you're largely limited to forwarding traffic. For personal use, expose a VPN at the edge and authenticate there, then connect to resources securely.
It also relies on how much those servers are utilized within the local area network. Placing them on the LAN ensures you receive full LAN performance no matter what the router supports. If they're in the DMZ, you'll need to set up NAT just like with any other online server, which can cause significant data usage and potentially overload your router before it affects real internet traffic. Therefore, it's strongly advised that servers handling a lot of traffic stay on the LAN side.
Right now everything is handled via forwarding on my router for external access, and it's unlikely there will be significant data moves to the server for the local network.
If you're okay with a bit of coding, you can try the OS at http://www.zentyal.org/server/#server-features. Before that, I installed it on XenServer, set up several networks, and used the public VPS to connect internal IPs. This gave me five separate VPS servers, a VPN for local access, and five websites hosted on those VPS servers. They were all linked through a single VPS and an Apache proxy using DNS. Port forwarding directed traffic to the correct IP addresses, even though the ports differed. Because of the proxy, port 80 worked as expected, redirecting to another higher port over LAN. The OS also includes firewall controls and a web interface for configuring settings like firewalls and port forwarding (except for Apache). It took some time to get everything running smoothly, but it performed well. You only received one public IP address, while the others were local LAN addresses. Thanks for the tip—PowerChaos was helpful!