User Controls

Setting up an isolated home network network switch for hosting a website

  1. #1
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    I'm really sick of virtual hosting and cloud hosting so i'm just gonna try to do it myself and split my modem somehow. I have no idea what i'm doing. I think if I set this up right the only thing I need is a domain which is a lot less hassle than having to figure out hosting payment. According to my research the #1 thing I need to get is a network switch

    Using a network switch alongside a second laptop configured as a virtual modem/router provides a practical solution to establish a separate business network while maintaining isolation from your personal network. Here’s a streamlined approach to set this up:

    Begin by connecting the network switch to your modem's Ethernet port. Attach your main router (personal network) to one port of the switch and connect the second laptop to another port. Ensure the laptop runs a suitable operating system like Windows or Linux.

    For Windows, enable Internet Connection Sharing (ICS) on the laptop’s Ethernet connection. This allows it to share the internet connection with devices connected to its WiFi hotspot. Configure the hotspot settings through Windows settings.

    On Linux, install and configure `dnsmasq` for DHCP and DNS services, and `hostapd` to set up the WiFi hotspot. Bridge the Ethernet and WiFi interfaces, enable IP forwarding, and configure NAT (Network Address Translation) using `iptables` to share the internet connection.

    Ensure the main router and virtual router (laptop) use different subnets (e.g., main router: 192.168.1.x, virtual router: 192.168.2.x) to prevent IP conflicts. Implement firewall rules on both routers to block inter-network routing for added security.

    This setup leverages existing equipment cost-effectively and offers flexibility for specific network needs. However, it requires technical expertise to configure the laptop effectively and maintain network reliability under heavy usage.
    A DMZ (demilitarized zone) is a segmented part of a network that is used to host all publicly accessible websites and services. The intention is to protect the internal network from external threats. It is an effective strategy to minimize public exposure of your critical assets as well as limit the damage caused when an intruder is able to penetrate your network.

    While researching DMZ implementations when writing this how-to, I came across a nice write-up on implementing a basic DMZ using a single firewall as well as implementing a more advanced/secure DMZ using two firewalls (another good DMZ reference). The basic DMZ example is pretty much the approach that I took in my home network – partially due to inexperience when I was learning how to use OPNsense and partially due to minimizing expense on purchasing additional hardware. I am limiting the scope of this how-to to the basic DMZ example since I imagine many home network users will be using a single router/firewall to manage multiple logical/physical networks.

    The basic DMZ implementation is a more budget friendly and easier to implement option due to requiring less hardware/software to purchase, configure, and maintain. However, the trade off is less security. By less security, I mean someone has to compromise your router/firewall box to the extent that they have full visibility into all your networks including the internal, private networks. If that type of compromise occurs, you already have big problems. Depending on the quality of your router/firewall, this may or may not be an easy task for an attacker. You are basically putting all of your eggs in one basket with this approach. For a home network user, I do not think this fact alone should sway you away from using a single router/firewall for your network. It is still a lot more secure than using a single network and exposing various ports on a server to the Internet using a standard consumer-grade router that receives little to no security updates.
  2. #2
    Michael Myers victim of incest [divide your nonresilient tucker]
    I don’t understand any of this.
  3. #3
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    Originally posted by Michael Myers I don’t understand any of this.

    aren't you going to school for this shit? or some shit?
  4. #4
    Michael Myers victim of incest [divide your nonresilient tucker]
    Originally posted by the man who put it in my hood aren't you going to school for this shit? or some shit?

    No, that’s old news haha. I already dropped out in 2023.

    And then I dropped out again recently.
  5. #5
    Raddy Yung Blood
    Originally posted by the man who put it in my hood I have no idea what i'm doing.

    Yes this is obvious.

    You should get an independent circuit installed at demarc instead.
  6. #6
    Enigma African Astronaut [memorize my carmelite sway]
    Originally posted by Michael Myers No, that’s old news haha. I already dropped out in 2023.

    And then I dropped out again recently.

    You dropped out again?!
  7. #7
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    uhhhhhhhhhhhhhhhhhhhhhhhhhhhh


    Originally posted by Raddy Yes this is obvious.

    You should get an independent circuit installed at demarc instead.

    I might as well just get a phone line in that case
  8. #8
    ner vegas African Astronaut
    setting up subnets/VLAN is an interesting project if you want to try some real networking but completely unnecessary


    just plug your webserver into the router and nat port 80/443
  9. #9
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    I'm pretty sure my ISP doesn't allow me to actually host anything. I have no idea why I thought a switch would allow me to bypass this, I need to smoke more weed.

    I was also thinking maybe I could use some kind of mesh setup like an SDR + meshtastic connected to the server but that still has to connect to the modem.
    Reduced Restrictions: Some ISPs impose restrictions on residential connections that host servers, such as blocking ports commonly used for servers (e.g., 80 for HTTP, 443 for HTTPS). When in bridge mode, your ISP may not apply these restrictions directly to the devices connected to your router, allowing your router to handle port forwarding and other server-related configurations more freely.
  10. #10
    Raddy Yung Blood
    Originally posted by ner vegas setting up subnets/VLAN is an interesting project if you want to try some real networking but completely unnecessary


    just plug your webserver into the router and nat port 80/443

    This is a good way to get absolutely buttfucked by anybody wants to maliciously use shodan. Even if you use networking solutions like a VLAN 0-days are still a thing in switch firmware too. If OP has no experience with IOS commands or updating the firmware at the very least or some kind of VMDR solution with network patching then they will eventually get rekt.

    If it must be done the way that OP wants to do it without a separate circuit then the best way is to utilize something like cloudflare as a reverse proxy for the frontend which won't get you fully away from hosting it will just reduce the costs associated.
  11. #11
    ner vegas African Astronaut
    Originally posted by the man who put it in my hood I'm pretty sure my ISP doesn't allow me to actually host anything. I have no idea why I thought a switch would allow me to bypass this, I need to smoke more weed.

    I was also thinking maybe I could use some kind of mesh setup like an SDR + meshtastic connected to the server but that still has to connect to the modem.

    it doesn't, just set up a tor hidden service if you want to host something



    Originally posted by Raddy This is a good way to get absolutely buttfucked by anybody wants to maliciously use shodan. Even if you use networking solutions like a VLAN 0-days are still a thing in switch firmware too. If OP has no experience with IOS commands or updating the firmware at the very least or some kind of VMDR solution with network patching then they will eventually get rekt.

    1. he's not going to be using a switch/router that runs IOS
    2. the switch would be behind the router/modem anyway, if anything's exploitable it'll be that (the router/modem) and in most cases it'd be able to access all networks regardless of how you set up internal architecture
  12. #12
    Raddy Yung Blood
    Originally posted by ner vegas it doesn't, just set up a tor hidden service if you want to host something

    In that case this isn't a terrible solution but I'd recommend I2P instead which is more just a personal preference for hosted services.


    Originally posted by ner vegas 1. he's not going to be using a switch/router that runs IOS
    2. the switch would be behind the router/modem anyway, if anything's exploitable it'll be that (the router/modem) and in most cases it'd be able to access all networks regardless of how you set up internal architecture

    1. Using consumer grade hardware for this would be foolish and is a whole separate issue that should be avoided.
    2. OP was talking about adding the isolated network used for hosting to a DMZ which would bypass the router/modem security on the isolated network. The most probable route of attack to their home network would be through the switches or yes the modem itself. A managed switch can absolutely operate maliciously against that gateway modem if compromised even if both switches are behind the modem on different networks initially.

    The entire idea isn't great.
  13. #13
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    Originally posted by ner vegas it doesn't, just set up a tor hidden service if you want to host something

    that seemed like the option if I wanted some way to mask network traffic, there is some info about it but i'm not sure how that works with people connecting to my shit, but in my head if a 2nd router is bridged or something and that's connected to a server running TOR than the network would just see strange connections connecting to me, or maybe nothing but masked traffic. Not really sure what that would do

    Originally posted by Raddy The most probable route of attack to their home network would be through the switches or yes the modem itself. A managed switch can absolutely operate maliciously against that gateway modem if compromised even if both switches are behind the modem on different networks initially.

    The entire idea isn't great.
    Yeah, i'm more worried about security issues than anything. I assume it's probably impossible or very difficult to totally isolate my main home network router. I have an ISP modem connected to a cable in the wall with 1 ethernet port, connected to my router which has custom firmware but it's my home network router and I don't want to fuck around with it. I also have a second router not in use.

    Does it help that I really only plan to use the server for telnet connections? Technically the only traffic should be pretty secure but there's probably a way to bypass it using the methods you described. I will have to do more research.

    Also i'm not sure how well i2p/tor works for BBS hosting but i'm not the first to try.
    https://github.com/ajroach42/Docs/blob/master/TorBBS.md

    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ Available Servers ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

    Active Type ID Port IPV4 IPV6
    ─────────────────────────────────────────────────
    Yes TELNET TELNET 23 Yes Yes
    No RLOGIN RLOGIN 513 Yes Yes
    No SSH SSH 22 Yes Yes
    Yes BINKP BINKP 24554 Yes Yes
    No FTP FTP 21 Yes Yes
    No NNTP NNTP 119 Yes Yes
    No POP3 POP3 110 Yes Yes
    No SMTP SMTP 25 Yes Yes

    ─────────────────────────────────────────────────
    Press / for command list
    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄

    Recommended terminal client: PuTTY, ZMODEM is required for file transfers, you can get ZMODEM with PuTTY or use your own terminal client with ZMODEM built in.
  14. #14
    Don't bother, no one is gonna visit your gay ASCII woke website.
  15. #15
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    Originally posted by Jiggaboo_Johnson Don't bother, no one is gonna visit your gay ASCII woke website.

    whats woke about ascii?
  16. #16
    ner vegas African Astronaut
    Originally posted by Raddy In that case this isn't a terrible solution but I'd recommend I2P instead which is more just a personal preference for hosted services.

    I've never done much with i2p, always heard it was more about distributed file storage than service hosting


    Originally posted by Raddy 1. Using consumer grade hardware for this would be foolish and is a whole separate issue that should be avoided.
    2. OP was talking about adding the isolated network used for hosting to a DMZ which would bypass the router/modem security on the isolated network. The most probable route of attack to their home network would be through the switches or yes the modem itself. A managed switch can absolutely operate maliciously against that gateway modem if compromised even if both switches are behind the modem on different networks initially.

    The entire idea isn't great.

    all this stuff is possible but highly impractical/unlikely; nobody's going to burn 0days on niche, zero-traffic shitposting dens. even if it does get hacked just reroll the webserver.

    you can't even really DMZ; iirc most home routers will treat DMZ the same as just NATing all traffic to the host you point to since the switch won't do routing. setting up a real DMZ would mean installing a router as well, even if it's just dd-wrt or pfsense or some shit on a raspberry pi.


    honestly unless you want to learn about networking it'd be more practical to just shell out a few dollars a month for a shitty vps; you can set up a home webserver but it's not super practical
  17. #17
    Originally posted by the man who put it in my hood whats woke about ascii?

    It's the gay Ascii art you post that's the woke part.
  18. #18
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]




    Originally posted by ner vegas honestly unless you want to learn about networking it'd be more practical to just shell out a few dollars a month for a shitty vps; you can set up a home webserver but it's not super practical

    I can't really do monthly payments which is why i'm trying to buy stuff one time that I can use to do this long term. I thought I could just buy something like a network switch to totally isolate a second network

    Originally posted by ner vegas nobody's going to burn 0days on niche, zero-traffic shitposting dens. even if it does get hacked just reroll the webserver.

    it's not even the server getting hacked that's a problem, I expect that to happen. I'm more worried about the potential of someone getting past that and messing with my home network

    Using a combination of VLANs, DMZ, hardware firewalls, and server hardening, you can make your web server accessible to the public while protecting your home network. This setup minimizes the risk of a compromised server affecting your entire network.
    Example Products to Purchase

    Router: ASUS RT-AX88U (supports VLAN and DMZ)
    Managed Switch: Netgear GS308E
    Firewall: pfSense box or a Ubiquiti EdgeRouter (optional but recommended for enhanced security)

    The router i'm using is TP-LINK with custom firmware. It might be able to do NAT,VLAN,DMZ stuff, I've been trying to avoid touching any settings on it but that might be better than trying to split the connection at the modem
  19. #19
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    Originally posted by Jiggaboo_Johnson It's the gay Ascii art you post that's the woke part.

    whats woke about ascii?
  20. #20
    Originally posted by Jiggaboo_Johnson It's the gay Ascii art you post that's the woke part.
Jump to Top