Home Server Networking Guide for Beginners

Q: What is CGNAT and why does it matter?

Carrier-Grade NAT (CGNAT) means your ISP shares one public IP among multiple customers. You don't have your own public IP, so port forwarding doesn't work. Check by comparing your router's WAN IP to `curl ifconfig.me`. If they're different, you're behind CGNAT. Solution: use Tailscale or Cloudflare Tunnel instead of port forwarding.

Q: Do I need a domain name?

Not required for local access. Required if you want remote access via reverse proxy with SSL. A .com domain costs ~$10/year. Cloudflare offers free domains with their Registrar service.

Q: Is 1 Gbps Ethernet fast enough?

For self-hosting services: yes, easily. 1 Gbps handles 50+ simultaneous 1080p Plex streams. The only scenario where you'd need more is bulk NAS file transfers. See the speed comparison table above.

Quick Summary

Your home server needs three things from the network: a wired Ethernet connection (not Wi-Fi), a static local IP address, and optionally remote access (Tailscale is the easiest method). That’s it for 90% of self-hosters.

Everything in this guide builds from that foundation. Read the sections relevant to your setup and skip the rest.

The Basics

Use Ethernet, Not Wi-Fi

Self-hosted services need reliable, low-latency connections. Wi-Fi introduces:

Latency spikes (50–200ms during congestion vs <1ms on Ethernet)
Bandwidth variability (actual throughput fluctuates with interference)
Connection drops (Wi-Fi reconnects disrupt running services)

Run a Cat6 cable from your router to your server. If you can’t run a cable, use a MoCA adapter (Ethernet over coax) or powerline adapter as a last resort. Never rely on Wi-Fi for a 24/7 server.

For cable recommendations, see Network Cables Guide.

Set a Static IP Address

Your server needs the same IP address every time it boots. Two ways to achieve this:

Method 1: DHCP Reservation (Recommended)

Configure your router to always assign the same IP to your server’s MAC address. This is the cleanest method — the server doesn’t need any special configuration.

Find your server’s MAC address: ip link show eth0
Log into your router’s admin panel
Find DHCP settings → Static leases / Address reservation
Add a reservation: MAC address → IP address (e.g., 192.168.1.100)

Method 2: Static IP on the Server

Configure the server to use a static IP directly. On Ubuntu 24.04 with Netplan:

# /etc/netplan/01-static.yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: false
      addresses:
        - 192.168.1.100/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses:
          - 192.168.1.1
          - 1.1.1.1

sudo netplan apply

Choose an IP outside your router’s DHCP range to avoid conflicts. Most routers use 192.168.1.100–254 for DHCP. Set your server to 192.168.1.10–50.

DNS: How Names Resolve to IPs

When you type nextcloud.example.com in a browser, DNS translates that name to an IP address. For self-hosting, you’ll encounter:

Public DNS — Your domain registrar’s DNS (Cloudflare, Namecheap) points your domain to your server’s public IP
Local DNS — A local DNS server (Pi-hole, AdGuard Home) resolves local names to local IPs, avoiding hairpin NAT
Split DNS — Different answers for the same domain depending on whether you’re home or away

If you run Pi-hole, it doubles as your local DNS server. Add local DNS records for your services:

Pi-hole → Local DNS → DNS Records
Add: nextcloud.yourdomain.com → 192.168.1.100

This makes your services accessible by name on your local network without going through your ISP.

Network Speeds

What Speed Do You Need?

Use Case	Bandwidth Needed	Minimum Link Speed
Pi-hole, Vaultwarden, Home Assistant	<1 Mbps	100 Mbps
Nextcloud file sync	10–100 Mbps	1 Gbps
Plex/Jellyfin streaming (1080p)	10–20 Mbps per stream	1 Gbps
Plex/Jellyfin streaming (4K)	25–80 Mbps per stream	1 Gbps
NAS bulk file transfers	As fast as possible	2.5 Gbps or 10 Gbps
Backup to NAS	As fast as possible	2.5 Gbps or 10 Gbps

1 Gbps Ethernet (built into every modern server) handles all self-hosting workloads except heavy NAS file transfers. You only need faster networking if you regularly transfer large files to/from your server.

Upgrading Beyond 1 Gbps

Speed	Hardware Needed	Cost
2.5 Gbps	USB 3.0 to 2.5GbE adapter + 2.5GbE switch	$15 adapter + $40 switch
10 Gbps	PCIe 10GbE NIC + 10GbE switch	$30 NIC (used) + $150+ switch

2.5 Gbps is the practical sweet spot for home users. USB adapters are cheap, Cat6 cables work (same as 1 Gbps cables), and 2.5GbE switches are affordable. See 2.5GbE Networking Guide.

10 Gbps only makes sense if you have a dedicated NAS serving multiple clients simultaneously or do professional video editing against network storage. See 10GbE Networking Guide.

Remote Access

Accessing your self-hosted services from outside your home network. Three approaches, ranked by ease:

1. Tailscale (Recommended)

Tailscale creates a private WireGuard VPN between your devices. No port forwarding, no firewall configuration, no exposed services.

# Install on your server
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Access your server from any device with Tailscale installed
# Your server gets a Tailscale IP (e.g., 100.x.y.z)

Free tier: Up to 100 devices, 3 users
No ports to open: Traffic routes through Tailscale’s coordination servers (but data goes device-to-device)
Works behind CGNAT: Unlike port forwarding, Tailscale works even when your ISP uses carrier-grade NAT

2. Cloudflare Tunnel

Exposes specific services to the internet through Cloudflare’s network. No port forwarding required.

# Install cloudflared
sudo apt install cloudflared

# Authenticate with your Cloudflare account
cloudflared tunnel login

# Create a tunnel
cloudflared tunnel create my-server

# Configure the tunnel to route to your services
# See Cloudflare's documentation for config details

Free tier available
Adds Cloudflare’s DDoS protection and CDN
Domain required (free with Cloudflare)
Cloudflare can inspect your traffic (they terminate TLS)

3. Port Forwarding + Reverse Proxy

The traditional approach. Expose ports 80 and 443 on your router, point them at a reverse proxy (Nginx Proxy Manager, Caddy, Traefik) on your server.

Set up a reverse proxy — Reverse Proxy Setup Guide
Get a domain name and point it at your public IP
Forward ports 80 (HTTP) and 443 (HTTPS) on your router to your server
Set up SSL certificates (Let’s Encrypt, automatic with most reverse proxies)

Full control — no third parties in the path
Requires a public IP (doesn’t work with CGNAT)
Security responsibility is yours — exposed ports are attack surface
Dynamic DNS needed if your public IP changes (most residential ISPs)

Security warning: Exposing ports to the internet means your server is directly reachable. Use a reverse proxy with SSL, enable fail2ban, keep software updated. See Security Basics.

VLANs (Optional, Advanced)

VLANs (Virtual LANs) segment your network into isolated subnets. Useful for:

IoT isolation — keep smart home devices off your main network
Server VLAN — dedicate a subnet to your servers
Guest network — separate guest Wi-Fi from your LAN

VLANs require a managed switch (not the unmanaged switch that came with your router). See Managed Switch for Homelab.

Skip VLANs if: You have fewer than 10 networked devices, you don’t have IoT devices, and you don’t need network segmentation. VLANs add complexity that most self-hosters don’t need.

For network topology planning, see Homelab Network Topology.

Recommended Network Hardware

Router

Your ISP’s router is usually fine for self-hosting. Upgrade if you need:

Better firewall rules
VLAN support
VPN server built-in
More reliable DHCP/DNS

See Best Routers for Self-Hosting.

Switch

If you need more Ethernet ports than your router provides:

Type	Ports	Price	Use Case
Unmanaged 5-port Gigabit	5	$15–$20	Simple port expansion
Unmanaged 8-port Gigabit	8	$20–$30	More ports
Managed 8-port Gigabit	8	$50–$80	VLANs, QoS, monitoring
2.5GbE 5-port	5	$40–$60	Faster NAS transfers
PoE 8-port	8	$80–$150	Powering cameras, APs

For PoE needs, see PoE Explained and Best PoE Switches.

Access Points

If your Wi-Fi needs improvement (not for the server — for your other devices):

TP-Link EAP245 (~$70) — reliable, ceiling-mount, PoE powered
Ubiquiti U6 Lite (~$100) — good ecosystem, Wi-Fi 6
TP-Link EAP670 (~$120) — Wi-Fi 6, high throughput

See Best Access Points for Homelab.

Common Networking Mistakes

Using Wi-Fi for the server. Run Ethernet. Always.
Not setting a static IP. Services break when the server’s IP changes after a reboot.
Opening too many ports. Only forward 80 and 443. Everything goes through the reverse proxy.
Ignoring DNS. Set up local DNS (Pi-hole) to avoid hairpin NAT issues and get ad blocking as a bonus.
Overcomplicating VLANs. Start without VLANs. Add them only when you have a specific isolation requirement.
Using unshielded cable near power lines. Cat6 near electrical wiring picks up interference. Use shielded (STP) cable or route away from power lines.

FAQ

What is CGNAT and why does it matter?

Carrier-Grade NAT (CGNAT) means your ISP shares one public IP among multiple customers. You don’t have your own public IP, so port forwarding doesn’t work. Check by comparing your router’s WAN IP to curl ifconfig.me. If they’re different, you’re behind CGNAT. Solution: use Tailscale or Cloudflare Tunnel instead of port forwarding.

Do I need a domain name?

Not required for local access. Required if you want remote access via reverse proxy with SSL. A .com domain costs ~$10/year. Cloudflare offers free domains with their Registrar service.

Is 1 Gbps Ethernet fast enough?

For self-hosting services: yes, easily. 1 Gbps handles 50+ simultaneous 1080p Plex streams. The only scenario where you’d need more is bulk NAS file transfers. See the speed comparison table above.