Realistically, you don't need security, NAT alone is enough since the packets have nowhere to go without port forwarding.
But IF you really want to build front end security here is my plan.
ISP bridge -> WAN port of openwrt capable router with DSA supported switch (that is almost all of them)
Set all ports of the switch to VLAN mirroring mode
bridge WAN and LAN sides
Fail2Ban IP block list in the bridge
LAN PORT 1 toward -> OpenWRT running inside Proxmox LXC (NAT lives here) -> top of rack switch
LAN PORT 2 toward -> Snort IDS
LAN PORT 3 toward -> combined honeypot and traffic analyzer
Port 2&3 detect malicious internet hosts and add them to the block list
(and then multiple other openwrt LXCs running many many VPN ports as alternative gateways, I switch LAN host's internet address by changing their default gateway)
I run no internal VLAN, all one LAN because convenience is more important than security in my case.
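The "ports 2 & 3 add hosts to the block list" step above, sketched as an added example (not the commenter's code). It assumes Snort fast-format alert lines and a hypothetical nftables set named `blocklist` in a `bridge filter` table; the alert lines are constructed and use documentation address ranges.

```sh
#!/bin/sh
# Added example: turn IDS alerts into block-list entries for the bridge.
# Assumed to exist already (hypothetical names):
#   nft add set bridge filter blocklist '{ type ipv4_addr; }'
THRESHOLD=3

# Constructed Snort "fast" alerts; 192.168.1.50 is a LAN host that must not be blocked.
sample_alerts() {
cat <<'EOF'
08/12-14:03:11.120001 [**] [1:1000001:1] constructed: ssh brute force [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.168.1.10:22
08/12-14:03:12.440910 [**] [1:1000001:1] constructed: ssh brute force [**] [Priority: 2] {TCP} 203.0.113.7:51240 -> 192.168.1.10:22
08/12-14:03:15.008122 [**] [1:1000002:1] constructed: icmp sweep [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
08/12-14:04:01.551200 [**] [1:1000003:1] constructed: web probe [**] [Priority: 2] {TCP} 198.51.100.20:40022 -> 192.168.1.10:80
08/12-14:05:10.000100 [**] [1:1000004:1] constructed: policy hit [**] [Priority: 3] {TCP} 192.168.1.50:50001 -> 203.0.113.7:443
08/12-14:05:11.000100 [**] [1:1000004:1] constructed: policy hit [**] [Priority: 3] {TCP} 192.168.1.50:50002 -> 203.0.113.7:443
08/12-14:05:12.000100 [**] [1:1000004:1] constructed: policy hit [**] [Priority: 3] {TCP} 192.168.1.50:50003 -> 203.0.113.7:443
EOF
}

# Print source IPs with at least $1 alerts, one per line, sorted.
# Private, loopback and link-local sources are skipped so a noisy LAN
# host can never put itself (or the gateway) on the block list.
blocklist_from_alerts() {
    awk -v min="$1" '
    {
        src = ""
        for (i = 2; i <= NF; i++) if ($i == "->") { src = $(i - 1); break }
        sub(/:[0-9]+$/, "", src)                      # drop the source port
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (src ~ /^(10|127)\.|^192\.168\.|^169\.254\.|^172\.(1[6-9]|2[0-9]|3[01])\./) next
        hits[src]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }' | sort
}

# Emit (not execute) one nft command per address, for review or piping to sh.
nft_commands() {
    while read -r ip; do
        printf 'nft add element bridge filter blocklist { %s }\n' "$ip"
    done
}

sample_alerts | blocklist_from_alerts "$THRESHOLD" | nft_commands
```

The threshold keeps a single stray alert from blocking a host; only the address with three alerts is emitted.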
The contextual and memetic aspect of what constitutes a "person's self interest" far outweighs the person's actual decision and the individual actor cannot be removed cleanly from the wider discussion enveloping what this "self-interest" even is.
The "law" and its deterrence logic shapes what "self-interest" is. Talking heads shape your understanding of reality and anchor what your self-interest is and means.
Actually voting itself is against your best interest as the benefit of your vote is so minuscule that it does not warrant the severe disruption of voting.
The internal port will also be the same as the external port 80 and 443.
If the router is running in bridge mode, that would mean that your dhcp, dns and nat is happening on the upstream router.
That means you will have to go to the upstream router to setup the port forwarding.
Also depending on how it works internally with the VPN.
It might try to port forward the ports on the VPN's ip address
Which none of the VPN I tried allowed to port forward port 80 and 443
With a linux or openwrt router this could be as easy as the following
But the problem with store bought router is that every one of them has a different way of doing the things so it gets confusing really fast.
All of this confusion about port forwarding was engineered to discourage ordinary people from using their internet to host their own files and instead become cloud-dependent techno-serfs.
Another way, would be to go on the forum low end talk and obtain a VPS, and host your apache server there.
That would work, but you would be back to renting someone else's computer (aka cloud bull) but it's still better than paying squarespace about it.
Keep at it, you'll figure it out, it's actually very easy once you know all the complicated bits, I do it all the time.
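The snippet promised by "this could be as easy as the following" did not survive on the page. As an added example (not the commenter's code), this generates OpenWrt `config redirect` stanzas that forward each port to the same internal port, as described above; the LAN address 192.168.1.50 and the rule names are assumptions.

```sh
#!/bin/sh
# Added example: emit port-forward stanzas for OpenWrt's /etc/config/firewall.
# On the router that actually does the NAT, append the output to that file
# and run: /etc/init.d/firewall reload

# Succeeds only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Succeeds only for an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_forwards LAN_IP PORT...
# Validates everything first so a typo never produces a half-written config.
port_forwards() {
    dest_ip=$1; shift
    valid_ipv4 "$dest_ip" || { echo "bad LAN address: $dest_ip" >&2; return 1; }
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    for port in "$@"; do
        cat <<EOF

config redirect
    option name 'web-$port'
    option target 'DNAT'
    option src 'wan'
    option proto 'tcp'
    option src_dport '$port'
    option dest 'lan'
    option dest_ip '$dest_ip'
    option dest_port '$port'
EOF
    done
}

# Assumed LAN address of the web server (the static DHCP lease).
port_forwards 192.168.1.50 80 443
```

Only the two listed TCP ports are exposed; everything else on the server stays behind NAT.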
Yeah, I could they trust a for profit corporation to help them connect with others by sharing about their lives.
What stupid fools, the only thing that should be given to corporation is the pointy end of a 105mm round and you should share the details of you personal life with nobody you don't have a blood relation with.
I have it on all the time in tcpip mode. I need it for file sync and remote streaming my phone with scrcpy. Especially when I use my phone as a wireless webcam.
That would mean less money, at least in the short term, but also in the long term as it grants the user the autonomy of optionality, the power to choose some of Google's edicts. Really it's about the power to shape the choices of the users in the future. Take their power away. And in the future this will be conducive to leverage this power against the user for more money.
Buy the cheapest laptop you can find, with a broken screen it's fine.
Install debian 12 on it
give it a memorable name, like "server"
go to a DNS registrar of your choice, maybe "porkbun" and buy your internet DNS name
for example "MyInternetWebsite.tv", this will cost you 20$/30$ for the rest of your life, or until we finally abolish the DNS system to something less extortionate
Install webmin and then apache on it
go to your router,
give the laptop a static address in the DNS section
Some routers do not have the ability to apply a static dhcp lease to computers on your network, in that case it will be more complicated or you will have to buy a new one, one that preferably supports openwrt.
then go to port forwarding and forward the ports 80 and 443 to the address of the static dhcp lease
now use puttygen to create a private key, copy that public key to your linux laptop's file called /root/.ssh/authorized_keys
go to the webmin interface, which can be accessed with http://server.lan:10000/ from any computer on your PC
and setup dynamic dns, this will make the DNS record for MyInternetWebsite.tv change when the IP of your internet connection changes, which can happen at any time, but usually rarely does. But you have to, or else when it changes again, your website and email will stop working.
Now go to your desktop computer, and download winsshfs, put in your private key and mount the folder /var/www/html/ to a drive letter like "T:"
Now, whatever you put in T: , will be the content of your very own internet web server enjoy
Well in any case I'm here and not there and when that happens there won't be money to go to some magical car free place. We have winter here and the groceries are 20 km away. There is no bus, no taxi and not even uber. Not that I would have the 60 bucks a ride would cost. Of course I would also lose my job which is 60 km away.
So deer slug to the brain will be the prescription.
I'm curious for something more sophisticated than DNS blocks. Something that modifies the content on the fly like, ublock, dark reader and sponsorblock.
The "specialist" working for a car's worth for a single watch, could be something useful instead. It's proportionally as much waste as a private jet. For the price, the jet is also very little resources consumed but an ungodly amount of labour goes into them that could instead be doing something useful !
That.. Thing is not part of society.