Hi all! Self Hosting newbie here!
I'm currently configuring a mini PC home server. Before I start, I have to mention right off the bat that my ISP router, while having great connectivity and speed, has a lot of limitations. It does not allow me to create VLANs or do segmentation other than adding a guest Wi-Fi. It does not allow me to set firewall rules. It also doesn't offer bridge mode. It does, however, offer DMZ and port forwarding! I will use the port forward function for my exposed services. Please note that I am aware that Tailscale and Cloudflare Tunnel exist. They do not suffice for some of my services, hence why I'm exposing those.
My main concern is isolating the server from my personal LAN. In the 3 scenarios depicted in the image, I used a router/firewall to separate the 2 LANs. Can the separation be done as shown in the 3 scenarios? And what rules can I apply to enforce the isolation via the router/firewall? And can my personal PCs' host-based firewalls set rules to block my server located in the other network as a means to add a layer of security?
Another concern is the lack of bridge mode on the ISP router and double NAT. Do you think the "double NAT" will take a toll on my connection speed? My main concern here is my personal LAN's speed. I can accept some loss of speed on the server. Also, in scenarios 1 and 3, the server is behind 2 routers. Can I still port forward my services in these scenarios?
Another thing I'm curious about is using the router/firewall to "host" my No-IP DDNS. Can it be done in the 3 scenarios? Or should I use the server itself to do it? My ISP, surprisingly, allows the DDNS service from No-IP.
Lastly, can I install CrowdSec and/or fail2ban on my server in these 3 scenarios? Or is it better on a router/server? I don't have the funds for another device yet. And do CrowdSec/fail2ban have problems with granting access to legit users who use phones with GrapheneOS and ProtonVPN? And from a privacy standpoint, is CrowdSec invasive?
Edit: the firewalls in the picture are just suggestions. I'm also interested in the Mikrotik Hex S, and some of the routers from GL.iNet look affordable.
Thanks!