How to safely port-forward a game server?

We’ve recently upgraded our Google Fiber home network to include the AltaLabs Route10 and S24-PoE equipment for ethernet and AP connectivity. In our rack, we have a dedicated PC for a Minecraft server for the kids and their friends. This requires port-forwarding rules to allow players to join the server remotely. Is there a safe way to go about this process so as not to compromise our network security & integrity?

Port forwarding increases exposure. It offers a new opportunity: the idea that your game server could be compromised. You can certainly mitigate the risk by regularly updating this machine and its game server when updates are available, in simple terms. But if the game server is no longer in your control, what could a person on that machine get to on your network? This is where DMZs come in, or VLANs that have no access to your other networks. There’s endless nuance to this, but that’s the gist of it.

There are a few things to consider. For the game server, what are the ports? Java and Bedrock have two different port ranges. A one-to-one port forward is the simplest. Keeping it safe and secure from the world, and keeping it segregated from the rest of the network, is the difficult part. For this I recommend an isolated VLAN. There is an isolation option in the subnet config. Doing this would create a “DMZ”. This DMZ is a different and isolated network from the rest of the home. If someone were to illegally gain access to your Minecraft server, they would have limited access to the rest of your internal network. Your internal users, your kids gaming, will have to route to the game server from the outside, through the public IP and port number.

As long as you are OK exposing the device’s port(s) directly to the Internet, just enter “:PORT” (replacing PORT with the port numbers you want to forward) in the Port-forward Destination field, and the IP address of the local device in the “Redirect to” field. I’d also recommend forcing the IP address of the local device by clicking on its icon in the Devices tab and setting the IP address so that it doesn’t change later on.
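
The advice in the replies above (one-to-one forwards, a target on an isolated VLAN, a fixed IP for the server) can be checked against a written-down rule list. The following is an added example, not part of any reply and not AltaLabs configuration syntax; the subnets, addresses and rule format are constructed, and the port numbers are the Minecraft defaults.

```python
import ipaddress

# Constructed sample data: subnets, reservations and rules are illustrative only.
ISOLATED_VLAN = ipaddress.ip_network("192.168.50.0/24")  # hypothetical game-server VLAN
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # hypothetical home LAN
STATIC_IPS = {"192.168.50.10"}                            # hosts with a fixed address
# Default Minecraft listeners: Java Edition 25565/tcp, Bedrock Edition 19132/udp.
ALLOWED = {("tcp", 25565), ("udp", 19132)}

RULES = [
    {"proto": "tcp", "ext_port": 25565, "to_ip": "192.168.50.10", "to_port": 25565},
    {"proto": "udp", "ext_port": 19132, "to_ip": "192.168.50.23", "to_port": 19132},
    {"proto": "tcp", "ext_port": 2222, "to_ip": "192.168.1.20", "to_port": 22},
]


def audit_rule(rule):
    """Return a list of findings for one forward rule (empty list = passes)."""
    findings = []
    target = ipaddress.ip_address(rule["to_ip"])
    if any(target in net for net in TRUSTED_NETS):
        findings.append("target is on a trusted network")
    elif target not in ISOLATED_VLAN:
        findings.append("target is outside the isolated VLAN")
    if rule["to_ip"] not in STATIC_IPS:
        findings.append("target has no fixed IP; a lease change could redirect the forward")
    if (rule["proto"], rule["to_port"]) not in ALLOWED:
        findings.append("port/protocol is not a game-server listener")
    if rule["ext_port"] != rule["to_port"]:
        findings.append("not a one-to-one forward")
    return findings


def audit(rules):
    """Map each rule index to its findings, keeping only rules with problems."""
    report = {}
    for i, rule in enumerate(rules):
        findings = audit_rule(rule)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in audit(RULES).items():
        print(f"rule {idx} -> {RULES[idx]['to_ip']}: " + "; ".join(findings))
```
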