DMZs and servers at home. Thinking a Minecraft server.
Discussion
I'm thinking of setting up a Minecraft server at home, because all the online offerings are expensive ($100/mon for something similar to a box I have at home dedicated).
So aside the connection (which is ADSL right now, but should be 1.5GB capable in 12mo I hope), I'm a noob to running exposed servers. Current setups are all behind router with no port forwarding.
I know about DMZ logic, but do I still route via my home router to it? Or should I also budget for a decent switch between my router/modem and the DMZ machine?
Also how does DDoS protection fit into it all? Do you really need it, will I just be asking for trouble?
The server will just be literally a whole machine dedicated to disposable game stuff, backed up to its own dedicated HDD as an image I expect. So isolated in all respects bar using my same home IP address.
Just curious where to start really, if it's going to be a world of pain, a security risk for other machines on my network behind my router, etc.
The ‘A’ in ADSL is asymmetric, your current upload speed will be significantly less than your download speed, and upload is important for hosting, typical ADSL upload will be less than 20 Mb/s which could be more limiting than you think.
Most networking kit will easily cope with 1 Gb/s (but worth checking it’s all Gb capable, and that your cables do too), so your internet connection is likely to max out long before your local network or ISP supplied router does.
Might also be worth checking what your ISP’s policy on hosting your own services is (and have you worked out how much it might cost to use a VPS? That would eliminate a whole host of issues).
Mr Whippy said:
I'm thinking of setting up a Minecraft server at home, because all the online offerings are expensive ($100/mon for something similar to a box I have at home dedicated).
So aside the connection (which is ADSL right now, but should be 1.5GB capable in 12mo I hope), I'm a noob to running exposed servers. Current setups are all behind router with no port forwarding.
I know about DMZ logic, but do I still route via my home router to it? Or should I also budget for a decent switch between my router/modem and the DMZ machine?
Also how does DDoS protection fit into it all? Do you really need it, will I just be asking for trouble?
The server will just be literally a whole machine dedicated to disposable game stuff, backed up to its own dedicated HDD as an image I expect. So isolated in all respects bar using my same home IP address.
Just curious where to start really, if it's going to be a world of pain, a security risk for other machines on my network behind my router, etc.
I know very little about Minecraft other than fond memories of playing it with my son locally a few years ago, but I'd be surprised if you needed to create a DMZ to host a server. I'd also not want to do that on my own network at home!
Might be worth reading this Reddit post
And watching this Youtube vid if you can bear to listen for longer than 10 seconds.
Partially depends on how clever your router is. When I've done stuff like this the switch in the router was able to fully partition things without needing anything external.
I do use commercial grade routers though.
Slapping it into the cloud isn't a bad idea though especially if size & active hours are tightly managed.
I currently have a server on an i7 4770k with 16gb ram and ssds, which is fine for my home server and local Minecraft server with kids etc.
But it also hosts my films, music, family photos, work, backups. And I’m not keen exposing the Java Minecraft process on it to the WWW via port forwarding, while it holds all this other type of content too.
To get a 3950x 8gb ram type machine is $100 a month!
For a 9950x type machine with 2 logical cores and 4gb ram (clearly shared) it’s still $20 a month.
So online/cloud is expensive for what you get, though it’ll also bundle a GUI/setup/admin and appropriate bandwidth.
My isp is currently Zen, not sure what their T&Cs say will take a look.
Agree ADSL will be a no go. It’ll be once I’m on fibre that I go this route.
I suppose I could pay say £100 for a year for something online and see what it’s like. But it’s just sunk capital and serves no other purposes.
Will this Minecraft server be for specific people like friends and family?
If so, look at something called "Tailscale" - essentially, it'll create a private LAN over the internet. Incredibly easy to set up - just install Tailscale on all the devices you want to connect to each other (supports basically every OS) and it'll assign all those devices specific IP addresses for that "LAN"
The only confusion that may occur is each device will have two IP addresses - something like 192.x for your "real" internet, and 100.x for your Tailscale LAN. You just need to remember that anything to do with Minecraft (or any other game) needs to connect over the 100.x addresses.
The benefit is, this requires no port forwarding, or concerns over fixing IP addresses. It just works, and it's free! I use it at home (as I'm behind CG-NAT) and it works perfectly for sharing my NAS access without exposing, or paying for a fixed, public IP.
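A check for the two address ranges mentioned in the post above, as an added example that is not part of the original thread: it reads a Minecraft `server.properties` (its `server-ip` and `server-port` settings) and reports which network the listener is bound to. The sample config and its address are constructed, and 100.64.0.0/10 is the block Tailscale's "100.x" addresses come from; the function names are illustrative.

```python
import ipaddress

# Ranges the post refers to: the "192.x" home LAN (RFC 1918) and the "100.x"
# addresses Tailscale hands out, which come from 100.64.0.0/10 (CGNAT space).
TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_properties(text):
    """Parse key=value lines of a server.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def classify_bind(server_ip):
    """Name the network a listener bound to server_ip answers on (IPv4 only)."""
    if server_ip == "":
        return "all-interfaces"      # empty server-ip binds every interface
    addr = ipaddress.IPv4Address(server_ip)   # raises on anything not IPv4
    if addr.is_unspecified:
        return "all-interfaces"      # 0.0.0.0 is the same as leaving it empty
    if addr.is_loopback:
        return "loopback"
    if addr in TAILSCALE_NET:
        return "tailscale"
    if any(addr in net for net in PRIVATE_NETS):
        return "home-lan"
    return "public"


def audit(text):
    """Return (scope, port) for a server.properties file given as text."""
    props = parse_properties(text)
    port = int(props.get("server-port", "25565"))  # 25565 is the default port
    return classify_bind(props.get("server-ip", "")), port


# Constructed sample config: listener pinned to a made-up Tailscale address.
SAMPLE = """#Minecraft server properties
server-port=25565
server-ip=100.101.102.103
"""
```

A result of `all-interfaces` means the game also answers on the home LAN address, so a port forward on the router would expose it; `tailscale` means only devices on the private network can reach it.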
The above question is a very good one - who are your "customers" for this?
Tailscale is a nice suggestion but comes with its own overheads and some complexity (not much). Oh and if you run Tailscale and have something like Jellyfin as your media server, it would be available everywhere. I actually do this and have Tailscale on my Apple TVs in two locations, hooked onto one Jellyfin server.
Minecraft is not too massively demanding in network terms for a handful of "users". I ran this years ago when my boy was a teenager and he and his friends had their own world....cute.
I do have a DMZ at home - basically double-NATted setup so hooking onto my fiber box is the DMZ. I have lots in there, this could be a path for you too.
It more depends on what you are trying to do and for whom, that's the vital information missing.
+1 for Tailscale. If this is just for you, and you want to access it remotely e.g. on holiday, Tailscale is brilliant. If this is just for you at home, then presumably it doesn't need any external access at all?
I'd suggest also looking at something like Proxmox to host the Minecraft "server" - it adds a layer of protection and gives you easy backups etc.
Allowing open internet access to your minecraft server's port(s) would need some reading up of their docs; even just opening port 22 for ssh gets a LOT of bad attention, and that's probably much more secure than Minecraft!
biggiles said:
Allowing open internet access to your minecraft server's port(s) would need some reading up of their docs; even just opening port 22 for ssh gets a LOT of bad attention, and that's probably much more secure than Minecraft!
A lot? My honeypots report their daily attacks

https://infosec.exchange/@toce
Great info here, I'll start digging through.
Wrt users, it'd mainly be me and my kids, but as they're venturing out into the world on other MC servers they may meet people they get along with and want to invite to their world (I have warned them that any and all people online could look like friendly little girls but might be 50 year old weirdos) to play, also increasingly their friends are coming round and it turns out they play MC, and so there is the opportunity for them to play with their *real* friends online but keep it just that way, rather than the global player base.
So I'm not entirely sure. It may never actually happen, but as with many things it seems fun to try and do it.
That's interesting on the exposure. I've never done anything port forwarded with a publicised IP. It just seems safer entirely to have it not on my IP (Tailscale seems good for that), and on its own metal isolated from my home network. That way if it goes awry it's just that box. Restore an image, go again. Job jobbed.
Generally though, I'm surprised people haven't got these things just running with a script setup on AWS or something? It's weird that all these MC servers seem to run on what are consumer CPUs (faster single thread core speed), so they must have dedicated hardware in some location with a good connection.
It's quite baffling how, after a decade+ of time, they haven't just multi-threaded the server code yet.
We used to run Minecraft servers for my son and his group of friends to play in a safe environment when they were younger.
I had a Mac mini at the time that ran MineCraft servers on specific ports that you configure when you build the game.
We're on BT Fibre and opened up the ports and forwarded them to the Mac mini on BT router. Note you can have multiple MineCraft servers running different games at the same time on different ports.
I used a DDNS service provider such that his mates connected to my username.ddnsservice.org:<port> on the MineCraft client. They were all then able to play on the same MineCraft server. Worked a charm and they played like this for a number of years. Some of their MineCraft builds were epic!
Hope this helps,
BS
Edited by blackscooby on Friday 13th March 14:28


