Virtual server and interface group isolation with Archer VR1600v
Hi everyone
I have a bit of a convoluted setup question.
I'm setting up a Minecraft server on my home network so that my kids (at home) and their friends (outside) can play together. I have dedicated a machine to host the server.
I have used the virtual server function of my Archer VR1600v (that's the router our ISP is providing here in Australia) to forward connections on the specific port used by the server of our public IP to the server internal IP to allow the friends to connect. I did a quick test and the virtual server function works fine: I can connect internally using the internal network IP of the server and I can also connect via the public IP of the router.
However, since I'm opening a port to the outside, I wanted to isolate the server so that if it gets compromised it does not put the rest of the home network at risk. For that I used the interface grouping feature of the Archer VR1600v. I created a group for home device use (WIFI + LAN1 + LAN2) 192.168.1.1/24 and another one (LAN3+LAN4) 192.168.2.1/24 for the server and a potential management port. Again I apply port forwarding to the new 192.168.2.x server fixed IP address.
If I do not tick the group isolation I can connect to the server from the 192.168.1.1/24 part of the home network either using the internal 192.168.2.x IP of the server or using the router public IP.
If I do tick the group isolation option, as expected I cannot connect anymore to the server using its internal 192.168.2.x IP, which is what I wanted. However, I can only connect via the public IP using port forwarding from outside the network, not from the 192.168.1.1/24 part of the home network. So basically it is only open for friends but not for my kids.
I was expecting that connections from 192.168.1.1/24 to the public IP server port would not be blocked since they are going through the ewan interface.
I'm not too sure this is achievable just using the Archer configuration. Does anyone have an idea of how I could isolate the server from the rest of the network while allowing both my kids inside the network and their friends to connect to it?
I was considering putting the server in the DMZ but it seems even less secure.