this post was submitted on 07 Jun 2025
184 points (98.4% liked)
Technology
71448 readers
2673 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Hi,
The internal port will also be the same as the external port 80 and 443. If the router is running in bridge mode, that would mean that your dhcp, dns and nat is happening on the upstream router. That means you will have to go to the upstream router to setup the port forwarding.
Also depending on how it works internally with the VPN. It might try to port forward the ports on the VPN's ip address Which none of the VPN I tried allowed to port forward port 80 and 443
With a linux or openwrt router this could be as easy as the following
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.199:80 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.199:443
But the problem with store bought router is that every one of them has a different way of doing the things so it gets confusing really fast.
All of this confusion about port forwarding was engineered to discourage ordinary people from using their internet to host their own files and instead because cloud-dependant techno-serfs.
Another way, would be to go on the forum low end talk and obtain a VPS, and host your apache server there. That would work, but you would be back to renting someone else's computer (aka cloud bull) but it's still better than paying squarespace about it.
Keep at it, you'll figure it out, it's actually very easy once you know all the complicated bits, I do it all the time.
Once again, thank you for your insight! It truly does help a lot.
Today I learned the VPN routing is the cause of my issues, I opted to expose my homelab to WAN and tried to connect over LTE/5G and was surprised to see it actually resolve!
I also learned Fail2Ban has failed me in this regard.
Unfortunately this now throws a wrench in my plans In regard to security so now I’m debating on getting another piece of hardware and labelling one as “front end” and the other as “back end” so that the “back end” doesn’t share the same public IP as the “front end”.
This has ignited a spark to rework my homelab!
Realistically, you don't need security, NAT alone is enough since the packets have nowhere to go without port forwarding.
But IF you really want to build front end security here is my plan.
ISP bridge -> WAN port of openwrt capable router with DSA supported switch (that is almost all of them) Set all ports of the switch to VLAN mirroring mode bridge WAN and LAN sides Fail2Ban IP block list in the bridge
LAN PORT 1 toward -> OpenWRT running inside Proxmox LXC (NAT lives here) -> top of rack switch LAN PORT 2 toward -> Snort IDS LAN PORT 3 toward -> combined honeypot and traffic analyzer
Port 2&3 detect malicious internet hosts and add them to the block list
(and then multiple other openwrt LXCs running many many VPN ports as alternative gateways, I switch LAN host's internet address by changing their default gateway)
I run no internal VLAN, all one LAN because convenience is more important than security in my case.