
Update homelab, wondering whether to change my firewall setup?

Won't go into too much detail but the basic story, I decided it was time to overhaul & update my home network setup. I'm moving away from static services (as much as possible) and moving lots of stuff over to containers.

 

I was also really unhappy with a few quirks of my setup which I want to fix, namely having a few of my important services internet facing and having to mess with my router every time I need to forward a port.

 

Probably doing my usual over-complication, I decided to create a domain controller, my own DNS server and a local domain that I can use to host my private stuff just for me locally and have my public domain only hosting a webserver/websites. I went down this route because using an IP address wreaks havoc with my password manager and I'm currently having to store some passwords in a file; by going home domain I can split the services up into subdomains and have my password manager remember all the passwords without overwriting/updating existing ones. This is mostly set up and working great.

 

The second change is the one I'm a bit worried about, right now I use my router firewall and the server firewall which is a PITA as the router interface is slow, clunky and it loves to kick me out then refuse to let me sign in for 5 minutes because "another admin is currently logged in".

 

I'm considering making my server DMZ on the router and solely using the firewall on the server. This would make my life so much easier, being able to mess with stuff then update port forward rules from the same terminal without having to deal with my router but I'm a bit worried about leaving my entire setup at the mercy of a software firewall.

 

FTR I run all my webservices on my Synology NAS.

 

Advice please. Thanks all

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

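An added example, not code from the thread, of what the question above boils down to: once the NAS is the router's DMZ host, every unsolicited inbound connection is forwarded to it, so the host firewall is the only filter left and has to be default-deny with an explicit allowlist. The model below evaluates constructed packets against such an allowlist and audits it for management ports reachable from the whole internet. The LAN range, the service port numbers and the set of "management" ports are assumptions chosen for illustration.

```python
"""Added example (not from the thread): a default-deny host firewall model
for a NAS placed in the router's DMZ. Ports and ranges are assumptions."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed: the home LAN
ANY = ipaddress.ip_network("0.0.0.0/0")        # the whole IPv4 internet


@dataclass(frozen=True)
class Rule:
    port: int
    proto: str
    source: ipaddress.IPv4Network
    comment: str


# Constructed allowlist: only the public web ports are open to the world;
# DNS for the .lan domain, the admin UI and SSH are restricted to the LAN.
ALLOWLIST = [
    Rule(80, "tcp", ANY, "public web server"),
    Rule(443, "tcp", ANY, "public web server (TLS)"),
    Rule(53, "udp", LAN, "local DNS for the .lan domain"),
    Rule(53, "tcp", LAN, "local DNS for the .lan domain"),
    Rule(5001, "tcp", LAN, "NAS admin UI (assumed port)"),
    Rule(22, "tcp", LAN, "SSH"),
]

# Constructed: ports that must never be reachable from ANY source.
MANAGEMENT_PORTS = {22, 5000, 5001, 3306, 9000}


def is_allowed(src_ip: str, dst_port: int, proto: str, rules=ALLOWLIST) -> bool:
    """Default deny: a packet is accepted only if some rule matches it."""
    src = ipaddress.ip_address(src_ip)
    return any(
        r.port == dst_port and r.proto == proto and src in r.source
        for r in rules
    )


def audit(rules=ALLOWLIST) -> list:
    """Return the rules that expose a management port to any source."""
    return [r for r in rules if r.port in MANAGEMENT_PORTS and r.source == ANY]


if __name__ == "__main__":
    # Constructed packets: an internet host and a LAN host probing the NAS.
    packets = [
        ("203.0.113.7", 443, "tcp"),
        ("203.0.113.7", 5001, "tcp"),
        ("192.168.1.20", 5001, "tcp"),
        ("203.0.113.7", 53, "udp"),
    ]
    for src, port, proto in packets:
        verdict = "ALLOW" if is_allowed(src, port, proto) else "DROP"
        print(f"{src:>14} -> {proto}/{port}: {verdict}")

    # A rule added in a hurry that opens the admin UI to the world.
    bad = ALLOWLIST + [Rule(5001, "tcp", ANY, "mistake: admin UI open to the internet")]
    print("audit findings:", [r.comment for r in audit(bad)])
```

The audit is the part worth keeping around: the DMZ setting makes a single over-broad rule equivalent to the old port forward, so whatever tool actually manages the ruleset, a check that no management port has a source of `0.0.0.0/0` is the thing to run after every change.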

1 hour ago, Master Disaster said:

This would make my life so much easier, being able to mess with stuff then update port forward rules from the same terminal without having to deal with my router but I'm a bit worried about leaving my entire setup at the mercy of a software firewall.

There are really good options out there, like Sophos Home Edition of pfsense, but the main issue you'll face is more around having it as a VM. If you make your network dependent on a VM that lives on a single physical host if you ever need to do maintenance on either then you'll have no internet (without bypassing it). I've done this in the past and it works fine, just quality of life and slight hassles to think about.

 

Other option is physical/dedicated computer or actual firewall appliance but that's going down the yet more things and more power path. Personally I went this way with Fortigate firewall appliance.


10 hours ago, leadeater said:

There are really good options out there, like Sophos Home Edition of pfsense, but the main issue you'll face is more around having it as a VM. If you make your network dependent on a VM that lives on a single physical host if you ever need to do maintenance on either then you'll have no internet (without bypassing it). I've done this in the past and it works fine, just quality of life and slight hassles to think about.

 

Other option is physical/dedicated computer or actual firewall appliance but that's going down the yet more things and more power path. Personally I went this way with Fortigate firewall appliance.

Apologies, I think I wasn't clear. All the domain stuff and the webserver are running as a static service on the NAS, I've moved mariadb & phpmyadmin, plex, portainer, a few web things, code-server and my steamcmd installs over to docker. As long as my NAS is up then so is my domain and I have my router set as a fallback DNS so if the NAS is off I still have internet access, just the local domain goes down. I haven't actually joined my PCs to the domain, they are only connected to its DNS as primary.

 

I did it this way so pma.mydomain.lan accesses phpmyadmin locally but pma.mydomain.com returns a 404. Previously I was using ip/alias (so 192.168.1.69/phpmyadmin for example) but my password manager would see every alias as the same site and wouldn't let me store all my passwords.

 

This is where you call me an idiot and explain the much easier way I could have done it 😄 I wanted to move stuff over to docker anyway, it makes handling updates much simpler, just pull the new image, it updates and fires up with all my configs still intact plus I can pull the latest versions and not have to deal with the Synology Packages being 1 or 2 versions behind.

 

It's just the firewall, I'd be limited to the firewall built into my Synology and that worries me.


2 hours ago, Master Disaster said:

This is where you call me an idiot and explain the much easier way I could have done it 😄 I wanted to move stuff over to docker anyway, it makes handling updates much simpler, just pull the new image, it updates and fires up with all my configs still intact.

Separate domain is actually fine, only other way is split-scope DNS but then you have to run "internal" and "external" DNS servers that resolve to different IPs but that wouldn't actually fix your problem as it's matching on the actual URL and treating as the same?


7 hours ago, leadeater said:

Separate domain is actually fine, only other way is split-scope DNS but then you have to run "internal" and "external" DNS servers that resolve to different IPs but that wouldn't actually fix your problem as it's matching on the actual URL and treating as the same?

Correct, for some reason it's fine with subdomains but for aliases it treats them all as the same site. It kind of makes sense in some ways, for example www.linustechtips.com and www.linustechtips.com/topic/ are the same site but it just seems like a weird and arbitrary restriction.

 

It could be fixed by allowing me to say "this is a new site" but the only option I get is "this site exists, do you want to update its password?".

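An added example, not code from either poster, of the behaviour discussed in the last two replies: password managers key a saved login on the URL's origin (scheme, host, port) and ignore the path, so `192.168.1.69/phpmyadmin` and `192.168.1.69/plex` collapse into one entry while `pma.mydomain.lan` and `plex.mydomain.lan` stay separate. The key also never includes the IP a name resolves to, which is why split-horizon DNS for one name would not have helped. The hostnames are the thread's own; the matching function is a simplified model, not any particular manager's algorithm.

```python
"""Added example (not from the thread): origin-based site identity, the
reason path aliases collide in a password manager and subdomains do not."""
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def site_key(url: str) -> tuple:
    """Origin-style key: scheme, lowercase host, effective port.
    The path, query and the resolved IP address play no part."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    return (parts.scheme, host, port)


def group_logins(urls):
    """Map each origin to the URLs that would share one saved login."""
    groups = defaultdict(list)
    for url in urls:
        groups[site_key(url)].append(url)
    return dict(groups)


def collisions(urls):
    """Origins reached by more than one distinct URL, i.e. the cases that
    trigger the "this site exists, update its password?" prompt."""
    return {key: urls_ for key, urls_ in group_logins(urls).items()
            if len(set(urls_)) > 1}


if __name__ == "__main__":
    # Constructed: the old IP/alias layout versus the per-service subdomains.
    old_layout = [
        "http://192.168.1.69/phpmyadmin",
        "http://192.168.1.69/plex",
        "http://192.168.1.69/portainer",
    ]
    new_layout = [
        "http://pma.mydomain.lan/",
        "http://plex.mydomain.lan/",
        "http://portainer.mydomain.lan/",
    ]
    print("collisions with aliases:   ", collisions(old_layout))
    print("collisions with subdomains:", collisions(new_layout))
```

Running it shows one colliding origin for the alias layout and none for the subdomain layout. The same model also explains why a non-default port counts as a different site: `http://pma.mydomain.lan:8080/` gets its own key even though the host matches.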
