I have a domain, static IP address and many devices I'd like to access outside my house. How do I route them?

32

15

I have a domain (e.g. example.com), static IP address (e.g. 212.5.5.5) and local devices at 192.168.0.1:80, 192.168.0.2:80, 192.168.0.3:80, 192.168.0.4:80, 192.168.0.4:47 (this one is not a website).

How do I access these devices using subdomains (for example, device1.example.com, device2.example.com, etc.)?

Currently I was only able to get example.com:80 and example.com:47 working, which point to 192.168.0.4:80 and 192.168.0.4:47.

I know that you cannot set the port on a DNS server.

How should I overcome my problem?

Laurynas Kerežius

Posted 2019-07-21T21:42:20.333

Reputation: 323

1How many external IP addresses do you have? How many internal addresses share a non-web port (e.g. 47)? – ctrl-alt-delor – 2019-07-21T22:56:09.043

4That is also a violation of your residential service contract (they all have a clause prohibiting services to the Internet). Your residential ISP may shut that ability down at any time, or it may simply cancel your service if it finds out. Get a business account, then you will not have the problem. – Ron Maupin – 2019-07-21T23:14:39.547

42@RonMaupin: "All"? I can't find that clause in my residential ISP's contract. – user1686 – 2019-07-22T05:00:45.267

5Make sure you use IPv6 if you have it available, because you wouldn't have this problem at all. – Michael Hampton – 2019-07-22T06:26:01.563

19@RonMaupin, I live in Lithuania, you do whatever you want to with your external IP. – Laurynas Kerežius – 2019-07-22T07:50:01.710

@LaurynasKerežius Out of curiosity, what is the name of your ISP? You might have missed the clause in a different document. – Nzall – 2019-07-22T15:30:10.950

13@RonMaupin: you don't know that. There are plenty of smaller ISPs that don't care about home users running services. – whatsisname – 2019-07-22T16:23:34.087

1@whatsisname, it is still in the residential contract. Every time someone told me that it wasn't, I have looked it up and it is there. It may be that it is not now enforced, but when a residential ISP converts to CGN, and it breaks running services to the Internet, people complain, but it is in the residential contract. – Ron Maupin – 2019-07-22T16:26:49.640

13@RonMaupin I've been running my home server for like 15 years? Changed 4 ISPs during that time. I've read the contract just recently out of curiosity and my ISP lets me do whatever I want until I do some sort of fraud, spam, hosting gambling websites; anything that does not break the law and is not fraudulent is allowed. – Laurynas Kerežius – 2019-07-22T17:18:47.187

@ctrl-alt-delor I have 1 external address and 1 internal address which shares a non-web port. – Laurynas Kerežius – 2019-07-22T17:19:40.863

How can one thing share? Surely it takes 2 to share. – ctrl-alt-delor – 2019-07-22T21:10:37.930

12I guess this might be some US-centric perspective which @RonMaupin is sharing with us. It simply might not be globally applicable. – GrzegorzOledzki – 2019-07-23T10:50:06.840

7@GrzegorzOledzki never heard of this in the U.S. Why do all the ISP-provided routers allow port forwarding then? – multithr3at3d – 2019-07-23T11:26:18.407

2@multithr3at3d Idk, It'd be funny if you couldn't host your own Minecraft server :D – Laurynas Kerežius – 2019-07-23T17:42:19.613

@ctrl-alt-delor Well this device is a house recuperator which has: 1. web interface on port 80 and 2. App communication protocol on port 47. – Laurynas Kerežius – 2019-07-23T17:54:38.270

3@RonMaupin most countries with consumer protection laws would have a problem with this. Internet is internet, you are paying for a connection. "Fair Use" can apply, but not prohibition. It fails the fitness for purpose test. Amazon would certainly disagree. – mckenzm – 2019-07-24T01:15:36.017

@mckenzm You are paying to connect to their service, through which you access the internet. They can put any (legal) restrictions on your use of their systems that they want in their agreement with you; you're free to take your business elsewhere. My (US) experience agrees with Ron - every ISP I've used has had clauses prohibiting hosting services on residential connections. Except a few who blocked port 80, I've never known it to really be enforced, and in some ways I don't even know how they'd differentiate hosting a server from many types of traffic (P2P sharing, gaming, active FTP, etc) – A C – 2019-07-24T02:02:02.063

1@AC, when I was younger Charter actually contacted my parents because I was running a personal web server and said it had to be removed or service may be terminated. Had next to no traffic so they must have just found it through monitoring or something. Now with comcast, they haven't bothered me about it despite the same restriction. – kicken – 2019-07-24T08:50:14.800

1@AC Most ISPs I know only block port 25 to block email spambots. You could forward any other port, thus run a webserver, Minecraft (or other game) server, ... from a residential line. You don't get any SLAs with that and might reach your bandwidth limits or be slapped with a Fair Use limitation (lowering your connection speed during peak hours) if you've used too much bandwidth. But my experience is also limited to an EU country – BlueCacti – 2019-07-24T12:28:41.610

Answers

68

You can have one public facing server running nginx reverse proxy that redirects traffic based on subdomain to the correct server.

nginx configuration on your "main" server:

# One server block per public name. nginx picks the block by the Host header
# (name-based virtual hosting), so every name can resolve to the same public IP
# and nginx hands each request to the matching LAN device.
server {
  listen 80;
  server_name device1.example.com;
  location / {
    proxy_pass http://192.168.0.1:80;
  }
}
server {
  listen 80;
  server_name device2.example.com;
  location / {
    proxy_pass http://192.168.0.2:80;
  }
}
server {
  listen 80;
  server_name device3.example.com;
  location / {
    proxy_pass http://192.168.0.3:80;
  }
}

Daniel

Posted 2019-07-21T21:42:20.333

Reputation: 819

26While you're at it, you could also use https / port 443 for the outside facing end – Hagen von Eitzen – 2019-07-22T12:58:45.587

6+1 Same goes for any reverse proxy. My favorite is HAProxy because it is very easy to setup for multiple subdomains. – rexkogitans – 2019-07-22T13:35:23.283

4

This post is absolutely correct! Although I'd recommend running a docker called "NginxProxyManager" https://github.com/jc21/nginx-proxy-manager which gives easy (letsencrypt) ssl and routing configuration!

– Rick van Lieshout – 2019-07-22T18:02:10.657

The last IP they have specified is "not a website". This solution only helps with web content. – Shadow – 2019-07-22T22:46:58.333

1@shadow, since it's only one non-website, the reverse proxy will be used for all websites and default port forwarding for port 47 (it seems OP has already done this) – Fritz – 2019-07-23T13:41:35.170

An alternative to nginx is caddy. Although not as performant, it does make getting letsencrypt certs much easier. It is also worth noting, that this ONLY works with http/https (with SNI enabled). – Aron – 2019-07-24T04:41:22.563

"The last IP they have specified is "not a website"". -> Again a point for HAProxy. HTTP mode can be turned off into stupid TCP mode. – rexkogitans – 2019-07-24T07:41:49.497

@Shadow Then just drop that servername from the nginx config or make it point to a blank website on port 80? Since OP will most probably go to example.com:47 to reach that device. Nginx only needs to run on port(s) 80 (and 443). Port 47 can be forwarded from the router to 192.168.0.4:47 – BlueCacti – 2019-07-24T12:23:27.243

1@Daniel Don't forget to mention that port forwarding must be enabled on the router, forwarding port(s) 80 (and 443) to the Nginx proxy and port 47 to 192.168.0.4:47 – BlueCacti – 2019-07-24T12:24:09.980
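An added example, not part of Daniel's answer and not taken from the nginx documentation, showing the hardened form of the configuration above as a complete nginx.conf for the one-public-IP setup in the question. It adds what the comments ask for: HTTPS on the outside, a catch-all default server so a request to the bare public IP or to an unlisted name is closed rather than handed to device1, a basic-auth login in front of device web UIs that cannot be audited, and an optional stream block that lets nginx rather than the router relay the non-HTTP port 47 to 192.168.0.4. Assumptions: ports 80, 443 and 47 are forwarded from the router to this nginx host, each name has an A record for 212.5.5.5, the certificate and htpasswd paths are placeholders, and ssl_reject_handshake requires nginx 1.19.4 or newer.

```nginx
# Added example: hardened nginx.conf for the single-public-IP setup in the question.
# Assumptions (not from the original post): the router forwards 80/443/47 to this
# host; certificate and htpasswd paths are placeholders to be replaced.

events {}

http {
    # Which LAN device each public name maps to (Host header -> upstream).
    map $host $device_upstream {
        device1.example.com 192.168.0.1:80;
        device2.example.com 192.168.0.2:80;
        device3.example.com 192.168.0.3:80;
        device4.example.com 192.168.0.4:80;
    }

    # Catch-all: a request to the bare IP, or to a name not listed above,
    # is dropped (444 closes the connection) instead of reaching a device.
    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # refuse TLS for unknown SNI names (nginx >= 1.19.4)
        return 444;
    }

    # Port 80 only redirects to HTTPS; nothing is proxied in the clear.
    server {
        listen 80;
        server_name device1.example.com device2.example.com
                    device3.example.com device4.example.com;
        return 301 https://$host$request_uri;
    }

    # TLS terminates here; the devices only ever see traffic from the LAN.
    server {
        listen 443 ssl;
        server_name device1.example.com device2.example.com
                    device3.example.com device4.example.com;

        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder
        ssl_protocols       TLSv1.2 TLSv1.3;

        # The device web UIs cannot be audited, so put our own login in front of them.
        auth_basic           "devices";
        auth_basic_user_file /etc/nginx/devices.htpasswd;   # placeholder; create with htpasswd

        location / {
            proxy_pass http://$device_upstream;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# Optional: port 47 is not HTTP, so it cannot be routed by name. Either forward
# it at the router straight to 192.168.0.4:47 (as the question already does),
# or let the stream module relay the raw TCP connection; not both.
stream {
    server {
        listen 47;
        proxy_pass 192.168.0.4:47;
    }
}
```

Check it with `nginx -t`, then from outside the LAN confirm that `https://212.5.5.5/` and an unlisted name are refused while `https://device1.example.com/` prompts for the password before showing the device. A wildcard `*.example.com` A record works as well as four separate ones, since nginx, not DNS, does the per-name dispatch.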

6

You'll need to use alternate ports for everything except one of them. For example, 212.5.5.5:80 would forward to 192.168.0.1:80, but then 212.5.5.5:81 would forward to 192.168.0.2:80, and 212.5.5.5:82 would forward to 192.168.0.3:80, and so on. This should be configurable on most modern NAT devices.

Another way, if you're willing to use IPv6, is just turn on IPv6 pass-through on your NAT device or router. That basically exposes every IPv6 address on your LAN to the public internet, letting you access them directly from the outside. As you might imagine, there is some risk associated with this. It's up to you to decide if that risk is tolerable.

Charles Burge

Posted 2019-07-21T21:42:20.333

Reputation: 1 792

4

You shouldn't expose these services to the internet directly. You can't audit these devices to be sure they are secure, and merely exposing them leaks information about the state of your internal network.

The correct solution is to set up a VPN server that grants you remote access to an internal network. Ideally the internal network should be segregated from your main one, only used for these exposed devices. That limits the damage if they are hacked.

Open source VPN software is mature, audited and the security issues are well understood. You limit yourself to a much smaller attack surface.

user11567957

Posted 2019-07-21T21:42:20.333

Reputation: 41

2This only works if none of the services needs to be exposed for any reason. – mckenzm – 2019-07-24T01:19:07.513

2

If you have only one external IP address, then:

The first thing is to differentiate by port; you seem to have done this.

Next for all the port 80s, you can use nginx as a reverse proxy to route traffic to the various places. You can tell it exactly what you asked for e.g. route http://device1.example.com to 192.0.0.1:80 etc. An alternative is to route http://example.com/device1 to 192.0.0.1:80.

To do the first way see virtual hosts, in the nginx manual.

You will also have to point all of the names to the external IP address, if using the virtual host method. Or just the base domain, if using the directory method.

ctrl-alt-delor

Posted 2019-07-21T21:42:20.333

Reputation: 1 886

2

You could first make sure everyone needs to access these services from the Internet (= that they are truly intended to be public). Otherwise you could consider setting up a VPN server and access the services inside your network.

I assume that the services which are on port 80 are web servers providing typical web services. In such a case the reverse proxy solutions suggested in other answers apply.

It may be that they are services which are prepared/intended to run with a SRV entry in your DNS. The idea is that you resolve a well-known record for a service, which in turn gives you the name:port to connect to. To take the example of Minecraft:

  • you set up your client to connect to minecraft.example.com
  • your client knows that it can query _minecraft._tcp.minecraft.example.com. to get the actual IP and port to connect to.

This is an extremely useful feature, but it has to be implemented on the client for the service you are accessing.

WoJ

Posted 2019-07-21T21:42:20.333

Reputation: 1 580

0

If you want exactly what you described, the answer by Daniel is correct - you have to set up another server, make it receive all the :80 traffic and proxy it to the correct server depending on domain.

But I would suggest simply getting another IP address. Judging by your comments it seems that you are using some local ISPs and you have multiple of them to choose among in the neighborhood. Smaller ISPs in a competitive situation are very likely to agree on whatever. As long as you are doing something legal, most of them will agree to give you an additional IP address for a couple of euros per month.

Another option is to just use one server. If your :80 servers are virtual machines on the same host, you will save resources and reduce complexity by making a single webserver with multiple virtual hosts serving it all.

Džuris

Posted 2019-07-21T21:42:20.333

Reputation: 101