Thread: Web/Mail server: separate from existing network?

  #1 scaryjim

    Web/Mail server: separate from existing network?

    If you've read a couple of my other threads recently you'll know I'm in the process of moving all my websites and email domains off a very expensive VPS, and onto a new server (or possibly several) I'll host myself (thanks to FTTC, static IP addresses, and a 10Mbps upload speed).

    Pretty obviously, I'll need to set up appropriate port forwarding, and so I've been pondering for a few days about the best way to do this. I've considered three options:

    1) Keep the servers on the existing network. This means they'll be easily accessible from the other PCs in the house, but I'd have to manage all the port forwarding through the one main router, and I'm a little concerned about a) the potential for screwing up my internet connection, and b) whether there are more security risks involved with having my public servers on my main network.

    2) Swap in a new router, have the servers attached to that, and attach my existing router to the new one - essentially my home network sits one step removed from the incoming network, and I manage all the incoming port forwarding from the (new) primary router. With this one, I don't know how much of a hassle it would be to get all the connection details for my ISP - they were preloaded on the router they sent me and are clearly *not* the details I registered with (which I assume is to do with the fact that it's an FTTC connection). It'd also mean some downtime whilst I swap everything around.

    3) Get a new router and connect its WAN port to the existing network; stick all the servers behind it, and direct all incoming traffic to the new router's WAN IP - essentially the same as 2 but with the routers reversed (i.e. the servers now have 2 routers between them and the outside world). On the plus side, this would be dead easy to manage on the existing router without messing up the existing home network, and also easier to add new servers to (just stick them on the second router and mess with the port forwarding on that, rather than messing with the main network), but again I'm not sure if there are any implications for security.

    My gut feeling is that 2) is the more secure way (i.e. have the home network double-removed from the incoming connection) but 3) is mightily tempting just for the ease of management. Anyone got any experience on managing this kind of network, or just general opinions on the best way to go about it?

  #2 blueball

    Re: Web/Mail server: separate from existing network?

    I would go for a simple approach:

    Plug new router into old and set it to be in a DMZ from the old router so you don't end up with double NAT - which can be a pain sometimes.
    Rgds,

    BB

    Received thanks from: scaryjim (26-09-2012)

  #3 scaryjim

    Re: Web/Mail server: separate from existing network?

    Quote Originally Posted by blueball:
    I would go for a simple approach:

    Plug new router into old and set it to be in a DMZ from the old router so you don't end up with double NAT - which can be a pain sometimes.

    Hmmm, is that possible? I'll have to have a dig through the documentation for my router. Be handy if it was. Is double NAT that much of an issue?

  #4 blueball

    Re: Web/Mail server: separate from existing network?

    Most routers should offer the option to allow a DMZ. Double NAT can be an issue, but you never know what will be affected; it's try it and see.
    Rgds,

    BB


  #5 peterb

    Re: Web/Mail server: separate from existing network?

    I just have mine on the main network with port forwarding on port 22 (for SSH), 80 (web services), 25 (SMTP) and 993 (secure IMAP) to the server. I do have a firewall on the host machine, and I secure SSH logins with a public/private key pair, disabling password logins.

    SSH is the most commonly attacked port, but is useful for remote administration.

    If you are running web services, you need to make sure they are locked down. In an ideal world, I'd run the web and mail servers on different machines, but it is a risk that I have assessed and can live with.

    You MUST be careful in configuring your mail server, especially for incoming mail. I inadvertently left mine as an open relay for 24 hours (error in the config file) and during that 24 hours it forwarded 30,000 spam emails - worse, through my ISP. Fortunately I detected it before they did - still needed a large grovel.
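The two settings peterb relies on, key-only SSH logins and a mail server that refuses to relay for strangers, are both easy to get wrong in a config file, as his open-relay story shows. The following is example code added to this thread, not any poster's own setup: it audits an sshd_config and a mail server main.cf for exactly those mistakes. The mail checks assume Postfix syntax (the thread never names the MTA), and all the config samples are constructed.

```python
import re

# Example code added to this thread (not any poster's own setup): audit
# sshd_config for password-style logins and a Postfix main.cf for open-relay
# settings. Postfix is an assumption; the thread does not name the MTA.


def parse_config(text, postfix_style=False):
    """Return {key: value} with lowercased keys; the last occurrence wins.

    sshd_config uses 'Key value'; Postfix main.cf uses 'key = value' and
    continues a value on following lines that start with whitespace.
    sshd 'Match' blocks are ignored: only the global settings are audited.
    """
    cfg, last_key = {}, None
    for raw in text.splitlines():
        if postfix_style and raw[:1].isspace() and last_key and raw.strip():
            cfg[last_key] += " " + raw.strip()          # Postfix continuation line
            continue
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if postfix_style:
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
        else:
            if line.lower().startswith("match "):
                break                                  # stop at the first Match block
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        last_key = key.strip().lower()
        cfg[last_key] = value.strip()
    return cfg


def audit_sshd(text):
    """Findings for an sshd_config that still lets a password in."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":      # OpenSSH default is yes
        findings.append("PasswordAuthentication is not 'no': password logins still accepted")
    # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication the old alias
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive auth enabled: PAM can still prompt for a password")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off: key-pair logins would fail")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    return findings


def _tokens(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit_postfix(text):
    """Findings for a Postfix main.cf that would relay mail for anyone."""
    cfg = parse_config(text, postfix_style=True)
    findings = []
    if any(n in ("0.0.0.0/0", "0/0", "::/0") for n in _tokens(cfg.get("mynetworks", ""))):
        findings.append("mynetworks covers the whole Internet: every client counts as 'trusted'")
    # Postfix 2.10+ keeps relay control here (older releases used smtpd_recipient_restrictions)
    relay = _tokens(cfg.get("smtpd_relay_restrictions",
                            "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"))
    stops = [i for i, r in enumerate(relay)
             if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stops:
        findings.append("smtpd_relay_restrictions never rejects unauthorised destinations: open relay")
    elif "permit" in relay[:stops[0]]:
        findings.append("bare 'permit' before the unauth-destination check: open relay")
    return findings


# Constructed samples: the 'error in the config file' kind of mistake, then the fix.
SSHD_BAD = "Port 22\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"
SSHD_GOOD = ("Port 22\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
             "KbdInteractiveAuthentication no\nPermitRootLogin prohibit-password\n")
POSTFIX_BAD = ("myhostname = mail.example.test\nmynetworks = 127.0.0.0/8, 0.0.0.0/0\n"
               "smtpd_relay_restrictions = permit\n")
POSTFIX_GOOD = ("myhostname = mail.example.test\nmynetworks = 127.0.0.0/8, [::1]/128\n"
                "smtpd_relay_restrictions = permit_mynetworks,\n"
                "    permit_sasl_authenticated,\n    defer_unauth_destination\n")

if __name__ == "__main__":
    for name, result in [("sshd (bad)", audit_sshd(SSHD_BAD)), ("sshd (good)", audit_sshd(SSHD_GOOD)),
                         ("postfix (bad)", audit_postfix(POSTFIX_BAD)),
                         ("postfix (good)", audit_postfix(POSTFIX_GOOD))]:
        print(name, "->", result or "no findings")
```

Run it against real files with `audit_sshd(open("/etc/ssh/sshd_config").read())` and `audit_postfix(open("/etc/postfix/main.cf").read())`; on a live box `sshd -T` and `postconf -n` give the effective settings and are a better input than the raw files, since they include defaults and resolve overrides.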


  #6 Registered User

    Re: Web/Mail server: separate from existing network?

    I have a friend who uses VMware to set up a virtual network and separates the local network from the virtual network to allow him to host a couple of websites from the virtual network. Failing that, set up a DMZ with a couple of firewalls, with your local network behind the inner firewall.
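What a "DMZ with a couple of firewalls" buys you over options 1 to 3 in the opening post is one rule: the servers can be reached from outside and from the house, but a server can never start a connection into the house. The block below is example code added to this thread, not the poster's friend's setup or anyone's real config: it writes that zone policy down as a first-match table, answers "is this flow allowed?" from it, and renders it as an nftables forward chain for the inner firewall. The interface names, the DMZ host address 192.0.2.10 (documentation range) and the published port list are assumptions.

```python
# Example code added to this thread (not any poster's setup): a zone model of
# the WAN -> DMZ -> LAN layout, usable as a policy check and as an nftables
# ruleset. Interface names, the DMZ host address and the ports are assumptions.

ZONE_IF = {"wan": "wan0", "dmz": "dmz0", "lan": "lan0"}   # assumed interface names
DMZ_HOST = "192.0.2.10"                                     # assumed server address
PUBLISHED = (22, 25, 80, 993)                               # the ports peterb forwards above

# First-match policy: (source zone, destination zone, TCP ports or None for any, action)
POLICY = [
    ("wan", "dmz", PUBLISHED, "accept"),          # only the published services from outside
    ("lan", "dmz", None, "accept"),               # house PCs may manage the servers
    ("lan", "wan", None, "accept"),               # ordinary browsing
    ("dmz", "wan", (25, 53, 80, 443), "accept"),  # outbound mail delivery, DNS, updates
    ("dmz", "lan", None, "drop"),                 # explicit: a compromised server must not reach the house
]


def decide(src, dst, port=None):
    """Action for a new TCP flow from zone src to zone dst; unmatched flows are dropped."""
    for s, d, ports, action in POLICY:
        if s == src and d == dst and (ports is None or port in ports):
            return action
    return "drop"


def _port_set(ports):
    return "{ " + ", ".join(str(p) for p in ports) + " }"


def render_nft():
    """nftables ruleset implementing POLICY plus the DNAT for the published ports."""
    lines = [
        "table inet dmz {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        f'    iifname "{ZONE_IF["wan"]}" tcp dport {_port_set(PUBLISHED)} dnat ip to {DMZ_HOST}',
        "  }",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",
        "    ct state established,related accept",   # replies to allowed flows
        "    ct state invalid drop",
    ]
    for s, d, ports, action in POLICY:
        rule = f'    iifname "{ZONE_IF[s]}" oifname "{ZONE_IF[d]}"'
        if ports is not None:
            rule += f" tcp dport {_port_set(ports)}"
        lines.append(f"{rule} {action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: published web traffic, an unpublished port,
    # and the one that matters most, a DMZ host trying to reach the LAN.
    for flow in [("wan", "dmz", 80), ("wan", "dmz", 443), ("dmz", "lan", 445), ("lan", "dmz", 22)]:
        print(flow, "->", decide(*flow))
    print(render_nft())
```

With blueball's suggestion of putting the inner router's WAN address in the outer router's DMZ, the outer box hands this firewall every unsolicited packet and the forward chain above makes the decision; the `dmz -> lan` rule is already covered by `policy drop`, but writing it out keeps the intent visible when someone later adds a permissive rule below it.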
