Expose Turris Nextcloud-installation to another VLAN?

Hi,

Unfortunately my dedicated server is down and it will take a couple of weeks or months to get it up and running again (too many other high-prio real-world projects and family summer activities running in parallel). Until then I didn't want to completely do without calendar and contacts sync and therefore decided to install the Turris Nextcloud package (yes, much better would be to run a docker or lxc instance, but as I am not used to that I wanted to avoid this learning curve and better invest that time later in my dedicated server revival).
But as I segmented my network via VLANs into lan (infrastructure, VID 1) and family (normal client devices, VID 2) and guest (iot devices via TOR, VID 5), I need to somehow give the family-devices access to the Nextcloud-Homepage.
Is there any option to only give them access to 192.168.1.1:443/Nextcloud but not to 192.168.1.1:443? I do not have any experience with lighttpd operations; I normally work with Apache.
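As an added illustration of the kind of restriction asked about here (not from the thread or from the Turris package), a lighttpd conditional that refuses everything except the Nextcloud path to clients coming from the family VLAN. It assumes the family VLAN uses 192.168.2.0/24 and that the package serves Nextcloud under /nextcloud; both values are placeholders to adjust.

```lighttpd
# Added example, not part of the Turris configuration.
# Assumptions: family VLAN (VID 2) is 192.168.2.0/24, Nextcloud is under /nextcloud.
# url.access-deny comes from mod_access, which must be listed in server.modules.

$SERVER["socket"] == "192.168.1.1:443" {
    # Only clients from the family VLAN are affected by this block
    $HTTP["remoteip"] == "192.168.2.0/24" {
        # Any URL that does not start with /nextcloud gets a 403
        $HTTP["url"] !~ "^/nextcloud(/|$)" {
            url.access-deny = ( "" )
        }
    }
}
```

This filters at the web server only: the router firewall still has to accept TCP 443 from the family zone for the listener to be reachable at all, and the condition is what keeps the admin pages on the same listener out of reach for that VLAN.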

You can run Nextcloud on a different IP and allow access only to that IP, so the MGMT interface will not be available. And at the same time you can restrict MGMT to listen only on the primary IP.


And how do I run it on a different IP?


I would suggest running Nextcloud in an LXC container. That way you are in control of the version and you could simply add two interfaces in the container config. So one is on your LAN VLAN ID 1 network and the other is on the other VLAN, ID 5.

That way you have one server that is available in two networks with two different IPs.

Another option is to change the firewall rules to allow traffic, for example from vlan1 to vlan5 or vice versa.

Can you share how to set up an unprivileged container on TOSv6.x, or have a link to a how-to?

I am sorry, but I don't have experience with Nextcloud. It was just my idea of how it can be done from a network perspective. So I am not able to provide you with a step-by-step guide.

I don't think this is easily possible (if at all, as lighttpd needs to be able to access such a different IP) without reverse proxies and similar heavy stuff.