Hello, I’m getting into self hosting and looking to setup a small home lab to play around with different technologies. I’m considering setting up a DMZ to keep my lab hardware separate from the rest of the network and other users. What is some of the minimal hardware required to do this on a small budget? Also what are some of the necessary security measures I should understand. One of my first projects would be to setup a small Linux box that I can ssh into remotely. Thanks
Get yourself a decent router capable of running OpenWRT, which will allow you to set up vlan’s for your lab, and (I would also recommend) another separate vlan for your IoT and other “smart” devices.
The TP-Link Archer C7 is old but reliable and has a lot of open source support.
If you’re feeling more adventurous You could also build your own router with any computer that’s got two or more Ethernet ports using PFSense, Firewall-NG, or IPFire
Instead of pfSense, I would really recommend OPNsense, originally a fork but now standing on its own. I like the fact that OPNsense tracks closer to the current FreeBSD release than pfSense.
EdgeRouter is proprietary but minimal. You can also look at Opnsense running on a used thin client off ebay.
I did this myself for all of 150 dollars. I bought an OptiPlex 7050 off of Amazon and added a dual intel network card. From there, I installed OPNsense. I have a DMZ, WAN, and LAN interface.
It depends on what u wanna run, I use an old AMD A8-7600B, wich by today standards is less than a laptop cpu. But I run OpenMediaVault wich is just a NAS, so usually my cpu usage with 2 users at the same time is around %40-%60. I recommend u to use passmark as a reference, just tipe the cpu u have in mind + passmark and make thr comparison with mine so u can have an idea.
Manually set up the local IP of ur machine in the router/modem, then in the computer (so everything is failsafe), then configure the firewall (I recommended ufw) and only allow the ports that u need in the necessary protocol, nothing more. Also, to be script kiddos safe I recommend to change the ports of everything that u can, in this case SSH, I don’t remember the usual port, but change it to something like 666, 999, 6666, u get the idea, if we aren’t the same as every other server in existence we r gonna be safe most of the time, disable password login and use an rsa key.
You can physically isolate by running multiple independent switches, you could run different subnets on the same switches or you could VLAN separate but that would require a managed switch or setting up your topology that something tags the traffic with the proper vid before running on the unmanaged switches. All have their pros and cons but i would strongly recommend getting a managed switch (managed firewalls/routers/switches depending on features/port count can all fill that need) and doing VLAN separation if you don’t have a lot of equipment you’re starting out with.
Thanks for the advice! I ended up getting a managed switch on amazon and an older dell computer to set up OPNsense. Can’t wait to get started!
