Hey guys,
I would like to run a game server on my UnRaid machine (Binhex Minecraft Server Docker container), and open it up to the internet via port forwarding so that friends outside of my network can join. The fear I have currently is that my server is on my main network VLAN, which has all of my other computers, mobile devices and other important things on it. The server itself also has other Docker containers and file shares, which share the same physical NIC connection and IP address to my router. This main VLAN can also speak to other VLANs I have in my home such as security cameras, IoT devices etc. Obviously anything exposed to the internet via open ports on a router is a risk in itself, and if something were to go wrong such as an intrusion or attack, then I could find myself in a situation where they have access to my home network, right? At least I think this could happen?
I had thought about building a dedicated machine for exposed services such as game servers, and making a separate VLAN for it with rules to isolate it from the main network so it can speak ONLY to the internet and nothing else. However, this involves extra cost that I would rather not have to incur considering I have a perfectly working UnRaid server as it is.
I have been reading up on Docker networks and various NIC setups etc, and it seems like I could potentially segregate the Minecraft Docker container without having to spend too much money. I think this would mean even if someone managed to get in, they wouldn't be able to access anything else on the server/network right?
With this in mind, would it be possible to install a separate NIC in the server, and connect it to my network via a separate physical cable (assigning it with a separate VLAN and isolating that network in the process), or could I potentially achieve this with the single onboard NIC I am currently using, and utilise some sort of VLAN tag that is only used by that container? I am in the Ubiquiti Unifi ecosystem, and I currently already have this server on a VLAN.
Please let me know if I am completely overthinking this safety/paranoia-wise - I have a habit of going over the top unnecessarily with security. If there's a better way to open up a Docker container to the internet while keeping the server and network safe, I am all ears! Thanks guys
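One way to do the single-NIC, VLAN-tag approach the post asks about, as an added example that is not from the original post or from Unraid/Binhex: a tagged 802.1Q sub-interface on the onboard NIC, a Docker macvlan network bound only to that sub-interface, and the game server container given its own IP on it. The parent NIC name (eth0), VLAN id (30), subnet, gateway, container IP and image name are all assumed placeholders; on Unraid the sub-interface is normally created from the Network Settings page rather than with ip link, and the router (UniFi here) still has to carry the tag on the server's switch port and restrict the VLAN to WAN-only.

```shell
#!/bin/sh
# Added example: put the Minecraft container on its own VLAN via the single onboard NIC.
# All values below are assumptions/placeholders; override them through the environment.
PARENT="${PARENT:-eth0}"                       # onboard NIC carrying the tagged VLAN
VLAN_ID="${VLAN_ID:-30}"                       # dedicated "exposed services" VLAN
SUBNET="${SUBNET:-192.168.30.0/24}"
GATEWAY="${GATEWAY:-192.168.30.1}"             # the router's address on that VLAN
CONTAINER_IP="${CONTAINER_IP:-192.168.30.10}"  # port-forward TCP 25565 on the router to this
NET_NAME="${NET_NAME:-gameservers}"
IMAGE="${IMAGE:-binhex/arch-minecraftserver}"  # assumed image name
DRY_RUN="${DRY_RUN:-1}"                        # default: print the plan; DRY_RUN=0 applies it

# Build the sub-interface name, rejecting VLAN ids outside the valid 1-4094 range.
vlan_iface() {
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$2" -ge 1 ] && [ "$2" -le 4094 ] || return 1
    printf '%s.%s\n' "$1" "$2"
}

# Execute a command, or echo it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

isolate_container() {
    iface=$(vlan_iface "$PARENT" "$VLAN_ID") || { echo "bad VLAN id: $VLAN_ID" >&2; return 1; }
    # 1. Tagged sub-interface: frames from it leave the NIC with VLAN tag $VLAN_ID.
    run ip link add link "$PARENT" name "$iface" type vlan id "$VLAN_ID"
    run ip link set "$iface" up
    # 2. macvlan network bound to the sub-interface only. The host gets no address on it,
    #    and macvlan blocks host<->container traffic on the same parent by design.
    run docker network create -d macvlan --subnet "$SUBNET" --gateway "$GATEWAY" \
        -o parent="$iface" "$NET_NAME"
    # 3. The server gets its own routable IP on the VLAN; nothing is published on the
    #    host's main-VLAN address. Inter-VLAN blocking is still the router's job, and
    #    a container escape still lands on the host kernel, so keep the image updated.
    run docker run -d --name minecraft --network "$NET_NAME" --ip "$CONTAINER_IP" \
        --restart unless-stopped "$IMAGE"
}

if [ "${1:-}" = "apply" ]; then
    isolate_container
fi
```

Run it with no arguments to see the plan; `DRY_RUN=0 sh script.sh apply` executes it as root.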