0

So I have read a lot about port forwarding lately (and understand the risks in an open port), but I want to run a Minecraft server with my cousin (who lives states away). I came up with the idea of forwarding the port to a second router to prevent my family from being exposed while the port was open.

My father was not keen on this idea as we don't know if this would still be risky for the other connected devices (and I agree but hope not :)

Would this setup remove the risk for computers on the primary network if only the Minecraft port was forwarded?

Edit: My alternative ideas...

  1. Use port forwarding on the original router. (My father said no.)
  2. Run a cloud based server (~$5 a month)
  3. No server :(

3 Answers

1

You write "remove the risk", but I don't think you explicitly wrote what the alternative was. If it's against not running a Minecraft server, I think you're adding (negligible) risk, assuming everything is set up properly.

If you're forwarding data to a router that is inside part of your "regular" LAN, if your Minecraft server or the second router is compromised, then your attacker has gained access to your internal network. If you run your Minecraft server on a separate LAN (so you end up with two internal LANs), then you're probably fine. An alternative to that is to put the Minecraft server directly behind your Internet router and then create a new LAN behind a second router connected to your Internet router. If done correctly, you should be able to initiate a connection to your Minecraft server from the second router's network, but not vice versa.

0

Depending on how deep you want an explanation and how capable you are of setting up your server and network, a dual NAT/PAT situation can be very safe, but hard to manage, especially if your setup runs for a long time and suddenly something changes/breaks. Then you are most likely in for a longer debugging session. But that is no reason for not doing it ;) So as @lungj already wrote, a second internal LAN would be very safe. Especially if your Minecraft server were really compromised, you could easily deny any communication out of that subnet.

The question is whether you really need a second router for that, or whether your current router is already capable of handling multiple subnets and firewalling the communication between them. This would also reduce the complexity level a lot.

      +~~~~~~~~~~~~~~+
      (   Internet   )
      )              (
      +~~~~~+^~~~~~~~+
            ||
            ||
            ||
      +-----v+-------+
      |   Router1    |
      |              |
      +-----+^-------+
            ||
            ||
      +-----||------------------------------+       +----------------------------------------+
      |     ||LAN segment 1 (private)       |       |           LAN segment 2 (DMZ)          |
      |-----||------------------------------|       |----------------------------------------|
      |     ||                              |       |                                        |
      |     ||                              |       |                                        |
      |     ||             +--------------+ |       |              +--------------+          |
      |     |+-------------+   Router2    +------------------------> MinecraftSRV |          |
      |     +^------------->              | |       |              |              |          |
      |     ||             +--------------+ |       |              +--------------+          |
      |+----v+-----------+                  |       |                                        |
      ||   other Hosts...|                  |       |                                        |
      ||                 |                  |       |                                        |
      |+-----------------+                  |       |                                        |
      +-------------------------------------+       +----------------------------------------+

Here is a little diagram of the proposed (complex) solution. If Router1 could have a second IP on another interface, and a good firewall, the same setup could be achieved without a second router in your private LAN.

If you set it up with a second router, don't forget to add a static route on Router1 into the DMZ over Router2 in order to communicate inwards into the LAN segment!

0

It doesn't matter how many routers you put between the one your ISP is connected to (ISP-facing) and your Minecraft server, you still have to open a port on the ISP-facing router.

So you are going to have to open a port on your ISP-facing router and have traffic traverse through somewhere, somehow your LAN no matter what.

If you want to cordon off incoming traffic so a LAN can't see or be affected by it, the solution is A) a physically separate network (which you couldn't do unless your ISP gives you 2 IPs), or B) VLANs, which require your router to support them.

Here's my home setup and the quick-and-dirty illustration below should probably explain things. You do need a router that supports VLANs.

OpenWRT allows configuring the router here to assign different ports to different VLANs. The traffic going across different VLANs can't see each other.

Using this setup, there is no way traffic destined for the server crosses your LAN unless someone happens to hack into the router.

You don't really need a separate wireless router/switch like I have but I have a lot of wired devices on my home LAN.

enter image description here
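
The single-router isolation described in the answers above can be expressed as an OpenWrt `/etc/config/firewall` fragment. This is an added example, not configuration posted by any answerer. It assumes the default `lan` and `wan` zones, a `dmz` interface already defined in `/etc/config/network` on its own VLAN or port, a constructed server address of 192.168.20.10 with a static IP, and the Minecraft Java Edition default port 25565.

```conf
# Added example: DMZ zone for the game server (names and addresses are assumptions).

# The DMZ may not reach the router itself and may not forward anywhere by default.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Private LAN may initiate connections into the DMZ (to play or administer).
# There is deliberately no 'dmz' -> 'lan' forwarding section, so a compromised
# server cannot open connections to hosts on the private LAN. Replies to
# LAN-initiated connections still pass because the firewall is stateful.
config forwarding
	option src 'lan'
	option dest 'dmz'

# Lets the server reach the Internet (updates, authentication).
# Delete this section to deny all outbound traffic from the DMZ subnet.
config forwarding
	option src 'dmz'
	option dest 'wan'

# The only inbound opening: the game port on the WAN side is sent to the server.
config redirect
	option name 'minecraft-in'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '25565'
	option dest 'dmz'
	option dest_ip '192.168.20.10'
	option dest_port '25565'
```

After reloading the firewall, a connection attempt from the server to any private-LAN address should be rejected, while a LAN client can still connect to the server.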
