Apr 26, 2025 · Privacy & Self-Hosting / Intermediate · ~2 MIN READ
Secure Your Home Lab Without Opening Dangerous Ports
"Accessible from the internet" and "safe enough to expose" are not the same thing — a documented exposure policy for every public port.
Who This Is For
Beginner to intermediate.
Think of it like deciding which doors of your house actually need a doorbell facing the street. Most rooms were never meant to have a direct entrance from outside, even if it’d occasionally be convenient.
What You’ll Build
A documented exposure policy listing every public port on your network and exactly why it exists.
Prerequisites
- An existing home lab with at least one internet-facing or forwarded service
Why Public Exposure Changes the Threat Model
The moment a service is reachable from the internet, it’s being probed by automated scanners within hours, not years. The basic rule: do not expose management interfaces.
Keep These Internal or VPN-Only
- Proxmox
- Portainer
- NAS admin interfaces
- Router/firewall dashboards
- Grafana
- NetBox
- SSH
Better Alternatives to Port Forwarding
- WireGuard or Tailscale for remote access
- Cloudflare Tunnel only when genuinely appropriate for a public-facing service
- Reverse proxy plus strong authentication for anything that must be public
Firewall Strategy
- Default deny inbound
- Permit only what’s actually required
- Restrict management ports to trusted subnets only
Account Separation
- One normal admin account per person, no shared logins
- No routine root login on any host
- Separate service accounts where practical
- MFA on every critical service that supports it
Ongoing Hygiene
- Keep a patch/update schedule
- Maintain an asset inventory and remove unused services promptly (see NetBox)
Security & Backup Notes
- This entire article is a security note, the deliverable is a written policy, not just a configuration change
Troubleshooting
- “It works from home but not remotely”, usually CGNAT on your ISP connection; a VPN mesh service like Tailscale sidesteps this
- CGNAT limitations, confirm with your ISP whether you have a real public IP at all
- Hairpin NAT confusion, some routers can’t route a LAN device back to itself via the public IP; use local DNS instead
- IPv6 firewall gaps, IPv6 often bypasses IPv4-only firewall rules; audit it separately
Lab Finish Line
A documented exposure policy listing every public port and why it exists.