User Controls
Setting up an isolated home network network switch for hosting a website
-
2024-06-30 at 11 PM UTCI'm really sick of virtual hosting and cloud hosting so i'm just gonna try to do it myself and split my modem somehow. I have no idea what i'm doing. I think if I set this up right the only thing I need is a domain which is a lot less hassle than having to figure out hosting payment. According to my research the #1 thing I need to get is a network switch
Using a network switch alongside a second laptop configured as a virtual modem/router provides a practical solution to establish a separate business network while maintaining isolation from your personal network. Here’s a streamlined approach to set this up:
Begin by connecting the network switch to your modem's Ethernet port. Attach your main router (personal network) to one port of the switch and connect the second laptop to another port. Ensure the laptop runs a suitable operating system like Windows or Linux.
For Windows, enable Internet Connection Sharing (ICS) on the laptop’s Ethernet connection. This allows it to share the internet connection with devices connected to its WiFi hotspot. Configure the hotspot settings through Windows settings.
On Linux, install and configure `dnsmasq` for DHCP and DNS services, and `hostapd` to set up the WiFi hotspot. Bridge the Ethernet and WiFi interfaces, enable IP forwarding, and configure NAT (Network Address Translation) using `iptables` to share the internet connection.
Ensure the main router and virtual router (laptop) use different subnets (e.g., main router: 192.168.1.x, virtual router: 192.168.2.x) to prevent IP conflicts. Implement firewall rules on both routers to block inter-network routing for added security.
This setup leverages existing equipment cost-effectively and offers flexibility for specific network needs. However, it requires technical expertise to configure the laptop effectively and maintain network reliability under heavy usage.A DMZ (demilitarized zone) is a segmented part of a network that is used to host all publicly accessible websites and services. The intention is to protect the internal network from external threats. It is an effective strategy to minimize public exposure of your critical assets as well as limit the damage caused when an intruder is able to penetrate your network.
While researching DMZ implementations when writing this how-to, I came across a nice write-up on implementing a basic DMZ using a single firewall as well as implementing a more advanced/secure DMZ using two firewalls (another good DMZ reference). The basic DMZ example is pretty much the approach that I took in my home network – partially due to inexperience when I was learning how to use OPNsense and partially due to minimizing expense on purchasing additional hardware. I am limiting the scope of this how-to to the basic DMZ example since I imagine many home network users will be using a single router/firewall to manage multiple logical/physical networks.
The basic DMZ implementation is a more budget friendly and easier to implement option due to requiring less hardware/software to purchase, configure, and maintain. However, the trade off is less security. By less security, I mean someone has to compromise your router/firewall box to the extent that they have full visibility into all your networks including the internal, private networks. If that type of compromise occurs, you already have big problems. Depending on the quality of your router/firewall, this may or may not be an easy task for an attacker. You are basically putting all of your eggs in one basket with this approach. For a home network user, I do not think this fact alone should sway you away from using a single router/firewall for your network. It is still a lot more secure than using a single network and exposing various ports on a server to the Internet using a standard consumer-grade router that receives little to no security updates.
-
2024-06-30 at 11:05 PM UTCI don’t understand any of this.
-
2024-06-30 at 11:10 PM UTC
-
2024-06-30 at 11:18 PM UTC
-
2024-07-01 at 1:44 AM UTC
-
2024-07-01 at 2 AM UTC
-
2024-07-01 at 3:22 AM UTC
-
2024-07-01 at 3:26 AM UTCsetting up subnets/VLAN is an interesting project if you want to try some real networking but completely unnecessary
just plug your webserver into the router and nat port 80/443 -
2024-07-01 at 3:44 AM UTCI'm pretty sure my ISP doesn't allow me to actually host anything. I have no idea why I thought a switch would allow me to bypass this, I need to smoke more weed.
I was also thinking maybe I could use some kind of mesh setup like an SDR + meshtastic connected to the server but that still has to connect to the modem.Reduced Restrictions: Some ISPs impose restrictions on residential connections that host servers, such as blocking ports commonly used for servers (e.g., 80 for HTTP, 443 for HTTPS). When in bridge mode, your ISP may not apply these restrictions directly to the devices connected to your router, allowing your router to handle port forwarding and other server-related configurations more freely.
-
2024-07-01 at 4:06 AM UTC
Originally posted by ner vegas setting up subnets/VLAN is an interesting project if you want to try some real networking but completely unnecessary
just plug your webserver into the router and nat port 80/443
This is a good way to get absolutely buttfucked by anybody wants to maliciously use shodan. Even if you use networking solutions like a VLAN 0-days are still a thing in switch firmware too. If OP has no experience with IOS commands or updating the firmware at the very least or some kind of VMDR solution with network patching then they will eventually get rekt.
If it must be done the way that OP wants to do it without a separate circuit then the best way is to utilize something like cloudflare as a reverse proxy for the frontend which won't get you fully away from hosting it will just reduce the costs associated. -
2024-07-01 at 4:28 AM UTC
Originally posted by the man who put it in my hood I'm pretty sure my ISP doesn't allow me to actually host anything. I have no idea why I thought a switch would allow me to bypass this, I need to smoke more weed.
I was also thinking maybe I could use some kind of mesh setup like an SDR + meshtastic connected to the server but that still has to connect to the modem.
it doesn't, just set up a tor hidden service if you want to host something
Originally posted by Raddy This is a good way to get absolutely buttfucked by anybody wants to maliciously use shodan. Even if you use networking solutions like a VLAN 0-days are still a thing in switch firmware too. If OP has no experience with IOS commands or updating the firmware at the very least or some kind of VMDR solution with network patching then they will eventually get rekt.
1. he's not going to be using a switch/router that runs IOS
2. the switch would be behind the router/modem anyway, if anything's exploitable it'll be that (the router/modem) and in most cases it'd be able to access all networks regardless of how you set up internal architecture -
2024-07-01 at 4:54 AM UTC
Originally posted by ner vegas it doesn't, just set up a tor hidden service if you want to host something
In that case this isn't a terrible solution but I'd recommend I2P instead which is more just a personal preference for hosted services.
Originally posted by ner vegas 1. he's not going to be using a switch/router that runs IOS
2. the switch would be behind the router/modem anyway, if anything's exploitable it'll be that (the router/modem) and in most cases it'd be able to access all networks regardless of how you set up internal architecture
1. Using consumer grade hardware for this would be foolish and is a whole separate issue that should be avoided.
2. OP was talking about adding the isolated network used for hosting to a DMZ which would bypass the router/modem security on the isolated network. The most probable route of attack to their home network would be through the switches or yes the modem itself. A managed switch can absolutely operate maliciously against that gateway modem if compromised even if both switches are behind the modem on different networks initially.
The entire idea isn't great. -
2024-07-01 at 5:56 AM UTC
Originally posted by ner vegas it doesn't, just set up a tor hidden service if you want to host something
that seemed like the option if I wanted some way to mask network traffic, there is some info about it but i'm not sure how that works with people connecting to my shit, but in my head if a 2nd router is bridged or something and that's connected to a server running TOR than the network would just see strange connections connecting to me, or maybe nothing but masked traffic. Not really sure what that would do
Originally posted by Raddy The most probable route of attack to their home network would be through the switches or yes the modem itself. A managed switch can absolutely operate maliciously against that gateway modem if compromised even if both switches are behind the modem on different networks initially.
Yeah, i'm more worried about security issues than anything. I assume it's probably impossible or very difficult to totally isolate my main home network router. I have an ISP modem connected to a cable in the wall with 1 ethernet port, connected to my router which has custom firmware but it's my home network router and I don't want to fuck around with it. I also have a second router not in use.
The entire idea isn't great.
Does it help that I really only plan to use the server for telnet connections? Technically the only traffic should be pretty secure but there's probably a way to bypass it using the methods you described. I will have to do more research.
Also i'm not sure how well i2p/tor works for BBS hosting but i'm not the first to try.
https://github.com/ajroach42/Docs/blob/master/TorBBS.md
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ Available Servers ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Active Type ID Port IPV4 IPV6
─────────────────────────────────────────────────
Yes TELNET TELNET 23 Yes Yes
No RLOGIN RLOGIN 513 Yes Yes
No SSH SSH 22 Yes Yes
Yes BINKP BINKP 24554 Yes Yes
No FTP FTP 21 Yes Yes
No NNTP NNTP 119 Yes Yes
No POP3 POP3 110 Yes Yes
No SMTP SMTP 25 Yes Yes
─────────────────────────────────────────────────
Press / for command list
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄Recommended terminal client: PuTTY, ZMODEM is required for file transfers, you can get ZMODEM with PuTTY or use your own terminal client with ZMODEM built in.
-
2024-07-01 at 1:53 PM UTCDon't bother, no one is gonna visit your gay ASCII woke website.
-
2024-07-01 at 2:12 PM UTC
-
2024-07-01 at 2:51 PM UTC
Originally posted by Raddy In that case this isn't a terrible solution but I'd recommend I2P instead which is more just a personal preference for hosted services.
I've never done much with i2p, always heard it was more about distributed file storage than service hosting
Originally posted by Raddy 1. Using consumer grade hardware for this would be foolish and is a whole separate issue that should be avoided.
2. OP was talking about adding the isolated network used for hosting to a DMZ which would bypass the router/modem security on the isolated network. The most probable route of attack to their home network would be through the switches or yes the modem itself. A managed switch can absolutely operate maliciously against that gateway modem if compromised even if both switches are behind the modem on different networks initially.
The entire idea isn't great.
all this stuff is possible but highly impractical/unlikely; nobody's going to burn 0days on niche, zero-traffic shitposting dens. even if it does get hacked just reroll the webserver.
you can't even really DMZ; iirc most home routers will treat DMZ the same as just NATing all traffic to the host you point to since the switch won't do routing. setting up a real DMZ would mean installing a router as well, even if it's just dd-wrt or pfsense or some shit on a raspberry pi.
honestly unless you want to learn about networking it'd be more practical to just shell out a few dollars a month for a shitty vps; you can set up a home webserver but it's not super practical -
2024-07-01 at 2:59 PM UTC
-
2024-07-01 at 3:15 PM UTC
Originally posted by ner vegas honestly unless you want to learn about networking it'd be more practical to just shell out a few dollars a month for a shitty vps; you can set up a home webserver but it's not super practical
I can't really do monthly payments which is why i'm trying to buy stuff one time that I can use to do this long term. I thought I could just buy something like a network switch to totally isolate a second network
Originally posted by ner vegas nobody's going to burn 0days on niche, zero-traffic shitposting dens. even if it does get hacked just reroll the webserver.
it's not even the server getting hacked that's a problem, I expect that to happen. I'm more worried about the potential of someone getting past that and messing with my home networkUsing a combination of VLANs, DMZ, hardware firewalls, and server hardening, you can make your web server accessible to the public while protecting your home network. This setup minimizes the risk of a compromised server affecting your entire network.
Example Products to Purchase
Router: ASUS RT-AX88U (supports VLAN and DMZ)
Managed Switch: Netgear GS308E
Firewall: pfSense box or a Ubiquiti EdgeRouter (optional but recommended for enhanced security)
The router i'm using is TP-LINK with custom firmware. It might be able to do NAT,VLAN,DMZ stuff, I've been trying to avoid touching any settings on it but that might be better than trying to split the connection at the modem
-
2024-07-01 at 3:15 PM UTC
-
2024-07-01 at 3:19 PM UTC
