this post was submitted on 19 Jun 2025
162 points (98.8% liked)


I'm pretty new to selfhosting and homelabs, and I would appreciate a simple-worded explanation here. Details are always welcome!

So, I have a home network with a dynamic external IP address. I already have my Synology NAS exposed to the Internet with DDNS - this was done using the interface, so it didn't require much technical knowledge.

Now, I would like to add another server (currently testing with Raspberry Pi) in the same LAN that would also be externally reachable, either through a subdomain (preferable), or through specific ports. How do I go about it?

P.S. Apparently, what I've tried on the router does work, it's just that my NAS was sitting in the DMZ. Now it works!

[–] [email protected] 6 points 1 week ago (2 children)

I really feel like people who are beginners shouldn't play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won't even notice unless you're logging stuff.

Of course you can set up 2FA etc but that’s pretty involved compared to a simple wg tunnel that lives on your router.

[–] [email protected] 2 points 6 days ago

For now I'm only toying around, experimenting a little - and then closing ports and turning my Pi off. I do have my NAS constantly exposed, but it is solidly hardened (firewall, no SSH, IP bans for unauthorized actions, etc. etc.), fully updated, hosts no sensitive data, and all that is important is backed up on an offline drive.

[–] [email protected] 2 points 6 days ago

My mantra is "plan to be hacked". Whether this is a good backup strategy, a read-only VM, good monitoring or serious firewall rules.

[–] [email protected] 9 points 1 week ago (2 children)

What are you running?

If it is http based use a reverse proxy like Caddy

[–] [email protected] 5 points 1 week ago (1 children)

Update: tried Caddy, love it, dead simple, super fast, and absolutely works!

[–] [email protected] 2 points 6 days ago (1 children)

Did you also forward UDP port 443?

If not I would as well, since it is used for QUIC, which is supported and automatically turned on in Caddy.

[–] [email protected] 2 points 1 week ago (1 children)

For now just some experiments alongside NAS

Planning to host Bitwarden, Wallabag and other niceties on the server, and then when I get something more powerful, spin up Minecraft server and stuff

[–] [email protected] 3 points 6 days ago (1 children)

I'll be honest, if you aren't planning on sharing with others, I'd recommend switching to something like wireguard to connect back into your house instead of exposing everything publicly. Some firewalls have wireguard built in, so you can setup the VPN easily. But then all you have to do is keep your VPN endpoint safe to keep your internal network protected from the Internet, instead of having to worry about the security of everything you expose.

[–] [email protected] 2 points 6 days ago* (last edited 6 days ago) (2 children)

That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago) (1 children)

What do you mean by blocked at a protocol level? You might give it a try on a random port to see what happens.

You could also look into port knocking. It is dated but still worthwhile.

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago)

I mean any connection through these protocols is just not working over the Internet. DPI equipment detects respective packets and cuts the connection, irrespective of the port you assign.

[–] [email protected] 2 points 6 days ago (1 children)

There's nothing saying you can't have ports forwarded for the NAS, and have a VPN for everything else. Censorship may be a problem, but those more often block VPN services like NordVPN, not protocols. So running your own is less likely to be stopped. That said, of course comply with local laws, I don't know where you live or what's legal there.

If you really want multiple things exposed at the same time, you have two options (which can be used in combination if needed/wanted):

  1. A reverse proxy. I use Caddy. I give it a config file that says what address and port binds to what hostname, and I forward port 443/80 to it. That works great for web content.
  2. Use custom ports for everything. I saw someone else walking you through that. It works, but is a little harder to remember, so good notes will be important.

I still recommend against forwarding a lot of ports as a beginner. It's very common for software and web apps to have security vulnerabilities, and unless you are really on top of it, you could get hit. Not only does that put all your internal devices at risk, not just the one that was originally breached, it will also likely become part of a botnet, so your local devices will be used to attack other people. I'd recommend getting confident with your ability to maintain your services and hardening your environment first.
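As an added example (not the commenter's own config), here is what the "config file that says what address and port binds to what hostname" looks like for the setup in this thread: one subdomain routed to the NAS and one to the Pi, with JSON access logging that fail2ban can watch. The domain `example.com`, the LAN addresses and the backend ports are assumed placeholders.

```caddyfile
# Added example Caddyfile, not from the thread. Assumed values: example.com is
# the DDNS name, 192.168.1.10 is the Synology NAS, 192.168.1.20 is the Pi.
# On the router, forward TCP 80 and 443 (plus UDP 443 for HTTP/3) to the host
# running Caddy; Caddy obtains the TLS certificates for each hostname itself.

{
	# Contact address used for the automatic certificate issuance
	email admin@example.com
}

# Reusable snippet: JSON access log for fail2ban, and a few hardening headers
(common) {
	log {
		output file /var/log/caddy/access.log
		format json
	}
	header {
		# Tell browsers to keep using HTTPS for a year
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options nosniff
		# Drop the Server header so scanners learn less about the stack
		-Server
	}
}

# Subdomain for the NAS; DSM listens on plain HTTP port 5000 by default
nas.example.com {
	import common
	reverse_proxy 192.168.1.10:5000
}

# Subdomain for the Raspberry Pi test service (assumed to listen on 8080)
pi.example.com {
	import common
	reverse_proxy 192.168.1.20:8080
}
```

Only port 80/443 on the Caddy host is ever forwarded; the NAS and the Pi stay reachable solely through the proxy, and the per-client `request.remote_ip` and `status` fields in the JSON log are what a fail2ban filter keys on.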

[–] [email protected] 1 points 6 days ago (1 children)

It's not illegal to use a VPN in my area, but connections are blocked on a protocol level, both through OpenVPN and WireGuard.

I already managed to make caddy work, so, hooray!

I also found a setting on my router that fully isolates certain devices from the local network. I want to put the server in there, so that the rest of my LAN is not under threat. I also want to figure out VLANs.

[–] [email protected] 2 points 6 days ago (1 children)

I am not an expert on security and I don't know how to set up DDNS, but I simply use Tailscale VPN to access my RPi4 home server running Umbrel from outside of my home. I simply installed Tailscale in my Umbrel and on my phone, and when I want to access Immich, Nextcloud or any other app running on my Umbrel from my phone, I simply enable the Tailscale VPN. Maybe it has some limitations, but it is the simplest way I found, and based on what I read, it is more secure than exposing a port on the router, but not sure.

[–] [email protected] 2 points 6 days ago

I would be fairly comfortable running a direct WireGuard connection even without Tailscale, but my location and use case simply won't allow me to.

Your setup is valid, nothing wrong with it, and yes, it is more secure. Just can't be used in my case.

[–] [email protected] 2 points 1 week ago (1 children)

You already have a lot of good answers ... but I got one more to add.

I have a very similar setup on my homelab and I'm using a Cloudflare tunnel.

It's a free service and it's really good because it allows you to expose web services and specific ports for remote access over dynamic IPs without having to expose your own router.

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

Thanks! I got that advice as well, but I would like to keep it self-hosted - I consider using Pangolin on a VPS for that purpose going forward: https://github.com/fosrl/pangolin

Also, beware of the new attack on Cloudflare Tunnel: https://www.csoonline.com/article/4009636/phishing-campaign-abuses-cloudflare-tunnels-to-sneak-malware-past-firewalls.html

[–] [email protected] 1 points 1 week ago (1 children)

This attack targets end users, not Cloudflare tunnel operators (i.e. self-hosters). It abuses Cloudflare Tunnels as a delivery mechanism for malware payloads, not as a method to compromise or attack people who are self-hosting their own services through Cloudflare Tunnels.

[–] [email protected] 1 points 1 week ago

Thanks for clarification!

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

Good to hear you figured it out with router settings. I'm also new to this but got all that figured out this week. As other commenters say, I went with a reverse proxy and configured it. I chose Caddy over nginx for ease of install and config. I documented just about every step of the process. I'm a little scared to share my website on public forums just yet, but PM me and I'll send you a link if you want to see my infrastructure page where I share the steps and config files.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

Thanks, I will! Wise of you not to share it publicly for security reasons

[–] [email protected] 7 points 1 week ago (1 children)

The Synology NAS can act as a reverse proxy for stuff inside your network. I don't have mine in front of me, so you will have to google the steps, but basically you point the Synology to an internal resource and tell it what external subdomain it should respond to.

[–] [email protected] 1 points 1 week ago (2 children)

Yes, I know where this feature is in the settings, but it's got its own issues and I also turn the NAS off for the night, so it's not an option for me.

[–] [email protected] -4 points 1 week ago (1 children)
[–] [email protected] 1 points 1 week ago (1 children)

In what way? It is a physical server located in my bedroom, sharing resources online.

[–] [email protected] 3 points 1 week ago (2 children)

Dude above you is under the perception that it requires 100% uptime or other users to be classified, which is wrong. You are definitely self hosting, albeit only for yourself I assume. Which is fine.

[–] [email protected] 1 points 1 week ago

Yes. I meant the uptime. To me hosted means I can reach it in a digital way any time, even if it is just wake on LAN. But if you guys say some device running 8 hrs a day is hosting, I am fine with that.

[–] [email protected] 1 points 1 week ago (1 children)

Yep, sharing stuff for others requires more expertise, as I'll become responsible for other people's experience. If I screw something up now, only I will be affected.

[–] [email protected] 1 points 1 week ago (1 children)

And you are self-sufficient, or whatever the word is. But that's the key thing for me, not having to rely on others for my services :)

[–] [email protected] 1 points 6 days ago

Yep!

For me it's a sense of reliability and control - my stack will keep working even if new censorship rolls out (I live in a heavily censored and sanctioned jurisdiction), or if there's a global outage, or whatever else. I am also the sole authority over my piece of the Internet, and no one can do anything to alter it or take it away.

[–] [email protected] 3 points 1 week ago (1 children)

Why do you turn off the NAS at night? Reminds me of my grandparents turning off the wifi at night.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

Drives are somewhat noisy (even though I took fairly quiet ones) and I appreciate total silence at night. Unfortunately, I don't have many places to put it outside my single room, so there's that.

I'd love to move to SSDs for storage at some point (I know it's controversial, but they would fit my use case better), but for now it's too expensive for me.

[–] [email protected] 2 points 1 week ago (1 children)

Ahh, that's valid. I've been wanting to build a (relatively) small 16TB SSD NAS for video editing, after which I could dump footage to my main NAS. SSD NAS systems can definitely make sense depending on your use case. Hell, you can even game off of them if you've got 10gig networking.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

I'd love to eventually have a 10gbps LAN, yep :)

I'd also love to explore the technology going into cloud gaming, so not only would I launch games using files lying on the server, but could actually play them anywhere from my energy efficient potato laptop :D

But that's long ahead and more of an "if it even works properly"
