You’ve done the work—you picked a solid router, set a real admin password, maybe even splurged on a mesh system and a VPN subscription. Your home network feels locked down, and honestly, it probably is. Then, one day, you want to check your security cameras from the office, and you flip on one innocent little setting to make it happen.
That setting is port forwarding, and it can be troublesome. Not because port forwarding is evil, but because it does exactly one thing very well: it pokes a permanent hole straight through the wall that was keeping the internet out of your house.
Your router is a bouncer, and port forwarding hands out a backstage pass
Everything good about your network security starts with the door being closed
By default, your router uses something called NAT, and it acts like a firewall that refuses every unsolicited knock from the outside world. If someone on the internet tries to reach a device inside your home, the router shrugs and drops the request because it has no idea where to send it. That “I don’t know you, go away” behavior is the single biggest reason random strangers can’t just wander into your network. It’s a fantastic security feature, and it’s free.
Port forwarding is you walking up to the bouncer and saying, “Actually, let this specific traffic through, every time, forever.” You’re telling the router that anything hitting a certain port should be sent straight to a device inside your home. The problem is that the internet is not a polite place, and once that door is open, it’s open to everyone, not just you.
The internet finds your open port faster than you’d believe
Nobody is manually hunting for you, and that’s exactly the problem
I think a lot of people assume they’re safe because they’re nobody. Who’s going to bother targeting my random home network, right? But that’s not how any of this works.
Attackers don’t sit around guessing your IP address and trying ports one by one. They use automated scanners that sweep the entire internet constantly, cataloging every device that answers. There are whole search engines, like Shodan, dedicated to indexing internet-connected devices and the open ports they’re sitting behind. Point one at the web, and you can find exposed cameras, routers, and servers by the thousands.
If you want a genuinely scary example of how fast this happens, the security folks at Sophos ran an experiment where they stood up a server, exposed Remote Desktop to the internet, and walked away.
Login attempts started in less than one minute. Over 15 days, they logged more than two million failed login attempts from nearly a thousand different IP addresses.
And before you think “I’ll just use a weird port number so nobody finds it,” they tested that too. Scanners identify an open service no matter what port it’s hiding on. Some insecure default router settings are worth reviewing before you ever forward a single port.
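To take the same measurements on a service you have forwarded yourself, the following added example (not code from the article or from Sophos) reports time to first attempt, total failed logins and distinct source addresses. It goes beyond the Remote Desktop case by reading OpenSSH-style log lines; the sample log, host name and exposure time are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in OpenSSH's message style, using documentation IP ranges.
SAMPLE_LOG = """\
2024-05-03T09:58:12 nas sshd[640]: Failed password for alice from 192.168.1.20 port 50211 ssh2
2024-05-03T10:00:41 nas sshd[902]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
2024-05-03T10:00:43 nas sshd[902]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
2024-05-03T10:00:44 nas sshd[902]: Connection closed by 203.0.113.7 port 40022 [preauth]
2024-05-03T10:02:10 nas sshd[915]: Failed password for root from 198.51.100.23 port 51844 ssh2
2024-05-03T10:05:37 nas sshd[931]: Failed password for invalid user pi from 192.0.2.99 port 33910 ssh2
2024-05-03T10:05:39 nas sshd[931]: Failed password for root from 192.0.2.99 port 33910 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_failed_logins(log_text, exposed_at):
    """Summarize failed logins seen after the port forward was switched on.

    exposed_at is the ISO timestamp at which you enabled the forward
    (an assumption: you have to note that time yourself).
    """
    exposed = datetime.fromisoformat(exposed_at)
    per_ip, per_user, first = Counter(), Counter(), None
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-password line
        ts = datetime.fromisoformat(m["ts"])
        if ts < exposed:
            continue  # happened before the service was reachable from outside
        if first is None or ts < first:
            first = ts
        per_ip[m["ip"]] += 1
        per_user[m["user"]] += 1
    delay = None if first is None else int((first - exposed).total_seconds())
    return {
        "seconds_to_first_attempt": delay,
        "failed_attempts": sum(per_ip.values()),
        "distinct_sources": len(per_ip),
        "noisiest_sources": per_ip.most_common(3),
        "usernames_tried": per_user.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize_failed_logins(SAMPLE_LOG, "2024-05-03T10:00:00").items():
        print(f"{key}: {value}")
```
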
One exposed device becomes a doorway to the whole house
The camera isn’t the prize, your network is
Let’s say you forward a port to a cheap IP camera so you can watch your porch while you’re away. Worst case, someone sees your porch, right? I wish.
The real danger is that the exposed device becomes a foothold. Once an attacker compromises that one camera, they’re inside your network, and now they can move sideways to everything else. In security circles, this is called lateral movement, and it’s the entire reason a single weak, exposed device is such a big deal.
This is also how home devices get drafted into botnets. The infamous Mirai attacks in 2016 pulled this off at a massive scale, hijacking IoT gadgets like cameras and using them to launch one of the biggest denial-of-service attacks the internet had ever seen.
Your compromised device doesn’t just put you at risk; it can end up as an unwitting soldier in somebody else’s army. And ransomware crews love exposed storage.
There are ransomware families that specifically scan the internet, hunting for NAS boxes reachable from outside, which is exactly why the advice to stop exposing your NAS to the internet exists in the first place. One open port, and your most important files become a target.
You almost certainly don’t need to forward ports at all
There are safer ways to reach your stuff from anywhere
Most of the reasons people forward ports have much safer alternatives now. The whole point of forwarding a port is usually “I want to reach a device at home while I’m away.” You can do that without exposing anything to the public internet. The cleanest option for most people is a VPN or an overlay network. Instead of opening a door to a specific device, you create a private encrypted tunnel that only you can enter, and once you’re in, everything behaves just as it would if you were at home.
Tools like Tailscale and WireGuard have made this shockingly easy. Tailscale, in particular, builds a private mesh between your devices using the WireGuard protocol, and crucially, it doesn’t require you to open any ports at all. You install an app, sign in, and your devices can talk to each other securely from anywhere in the world. If you self-host things, this is a safer alternative to port forwarding worth setting up. A reverse proxy is another route if you’re comfortable with a bit more setup. The point is, the old “just forward a port” advice is genuinely outdated for the vast majority of home use cases.
So before you forward, ask yourself if you actually have to
The next time an app or a guide tells you to forward a port, pause for a second and ask whether there’s a way to do it without opening your network to the entire planet. Most of the time, there is. Reach for a VPN or an overlay network first, keep UPnP switched off so nothing forwards ports behind your back, and if you do forward something, forward as little as possible and guard it well. Your security stack only works if the front door stays shut, so don’t be the one who props it open just for a little convenience.
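One way to review the forwards you already have against that advice, as an added example that is not part of the original article: it flags rules opened by UPnP, rules that forward a whole range, and rules whose internal port belongs to the kinds of services named above, even when the external port has been renumbered. The listing format, addresses and the port-to-service table are assumptions; type your own rules in from the router's admin page.

```python
import re

# Internal ports for the service types the article names (assumed table;
# 5000/5001 are Synology DSM's default web-admin ports). Matching on the
# internal port matters: an unusual external port does not hide the service.
SENSITIVE_INTERNAL = {
    3389: "Remote Desktop",
    554: "IP camera (RTSP)",
    445: "SMB file sharing",
    5000: "NAS web admin",
    5001: "NAS web admin",
}

# Constructed listing: proto external[-range] -> ip:internal[-range] origin
SAMPLE_RULES = """
tcp 33890 -> 192.168.1.50:3389 manual
tcp 554 -> 192.168.1.60:554 manual
udp 51820 -> 192.168.1.2:51820 manual
tcp 6000-6100 -> 192.168.1.70:6000-6100 upnp
"""

RULE = re.compile(
    r"^(tcp|udp)\s+(\d+)(?:-(\d+))?\s*->\s*([\d.]+):(\d+)(?:-(\d+))?\s+(manual|upnp)$"
)


def audit_forwards(listing):
    """Return [(rule label, [findings])] for each line of the listing."""
    report = []
    for raw in listing.strip().splitlines():
        m = RULE.match(raw.strip())
        if not m:
            report.append((raw.strip(), ["unparsed line, review by hand"]))
            continue
        proto, e1, e2, ip, i1, i2, origin = m.groups()
        ext = range(int(e1), int(e2 or e1) + 1)
        internal = range(int(i1), int(i2 or i1) + 1)
        findings = []
        if origin == "upnp":
            findings.append("opened by UPnP, not by you")
        if len(ext) > 1:
            findings.append(f"range forwards {len(ext)} ports")
        for port, service in SENSITIVE_INTERNAL.items():
            if port in internal:
                note = f"exposes {service} on {ip}"
                if port not in ext:
                    note += " (renumbered external port does not hide it)"
                findings.append(note)
        report.append((f"{proto} {e1}{'-' + e2 if e2 else ''}", findings))
    return report


if __name__ == "__main__":
    for label, findings in audit_forwards(SAMPLE_RULES):
        print(label, "->", "; ".join(findings) or "no findings")
```

The single UDP forward to a WireGuard endpoint comes back clean, which matches the article's preference for a VPN over exposing each device.
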
The first NAS that I built using an old laptop started out as a simple Plex server meant to keep my movies and shows all in one place and easy to access from any device. But like most homelab setups, it didn’t stay simple for long. One service turned into two, a few more Docker containers got added here and there, and before I knew it, my experimental Plex server turned into a full-blown homelab device.
All these self-hosted apps have completely changed how I use the device, as its job has been pushed well beyond the role of a simple media box. If you’d like to expand your horizons, here are some of the most useful services that you can run on your own home server.
I automatically back up all my photos with Immich
Keep every photo safely stored and synced without relying on Google Photos
Immich was one of the first self-hosted apps I installed after setting up the usual media stack. You can think of it as Google Photos, but instead of backing up your images to Google’s cloud, your home server acts as the cloud instead. The app is shockingly user-friendly, and while it doesn’t match all of Google Photos’ advanced features in scope or quality, it gets close.
Just like Google Photos, it backs up all photos from my phone (and my wife’s) completely automatically, pretty much as soon as I take them if I’m connected. It also organizes my photos and generates memories and flashbacks at the top of my timeline, reminding me of photos I took on this day in previous years, which is a heartwarming Google Photos feature beloved by many.
It can even read location metadata from my photos to create an interactive world map showing where I took them. This is incredibly cool, and since traveling is one of my favorite things ever, it feels super inspiring and makes me want to take even more photos abroad.
I use AdGuard Home for DNS-level network control
Block junk traffic before it even reaches your network
I recently upgraded my home network with a very cheap Wi-Fi 7 router, and unfortunately, it didn’t quite solve the all-too-common annoyances I’ve had with my day-to-day internet usage. Pages still took several seconds to load, and I continued experiencing random hangs, even on a wired connection.
After doing some digging, I learned that the issue was most likely related to how the router handles DNS forwarding, and that I could fix it by letting my NAS handle it using a network-based DNS filter called AdGuard Home. After setting it up, I noticed a massive improvement in browsing speed.
On top of offloading DNS forwarding requests from my router to my much more powerful NAS, AdGuard Home reduces how much work the router has to do in the first place by blocking ads, trackers, malware, and similar bloat. It blocks over 40% of all DNS requests, so you can probably imagine the kind of heavy lifting this little app is doing for my network in the background.
I run my smart home through Home Assistant
A central place to control and automate all your smart devices
I don’t have a ton of smart home devices, but the ones I do use require full and reliable control at all times. I use a bunch of smart bulbs and plugs from different brands to control lamps around my home, and for a long time, I used Google Home to manage them.
However, I recently discovered the beauty of Home Assistant, which is light enough to run inside a Docker container on relatively weak hardware like my laptop. Home Assistant supports almost any smart home protocol, allowing me to connect devices from different brands. It also has advanced automation and routine support that goes well beyond the basics of apps like Google Home.
Some Home Assistant aficionados sneer at the idea of running Home Assistant inside a Docker container instead of Home Assistant OS, but the beauty of this setup is that you still get the essential Home Assistant experience while keeping your home server flexible. Maybe I’ll upgrade to VMs one day, but for my current needs, this setup works just fine!
Sometimes, I forget I even have Home Assistant running because it’s so reliable now.
I host a private fitness tracking setup instead of relying on Strava
A self-hosted alternative for logging runs without sharing data
Strava is an incredibly popular fitness app that I used briefly to log my outdoor runs. It’s built to act as a social platform, meaning it heavily encourages sharing your exercises with others, complete with GPS tracking data. Sending sensitive data like this to a third-party platform just rubs me the wrong way, so I replaced it with an open-source app that keeps my workouts offline.
To keep all my workouts logged in one place, I use Endurain. It’s basically a self-hosted alternative to Strava that you and other people connected to your NAS can use to log workouts while keeping the data contained within your own system.
It’s an awesome little app that gives me full ownership of my workout metrics while keeping the sensitive data offline.
I run my own cloud storage with Nextcloud
Your own private Google Drive-style storage
Nextcloud offers a whole suite of services that you typically associate with Google, like contacts, calendars, and Google Drive. I was particularly interested in that last one, as I’ve already got Immich for my photos and don’t really mind using my Google account for everything else.
However, Google Drive is something I’ve been wanting to replace for years, and Nextcloud has finally helped me achieve that. Instead of a measly 15 GB limit (which is shared across my entire Google account), I’ve got terabytes of available space on my attached external hard drive.
I finally have a self-hosted cloud storage solution that I can back up and sync all my important files to, and it’s super convenient for transferring files between my devices.
To top it all off, I get significantly faster upload and download speeds as well, which is a massive plus considering my severely limited 200Mbps (download) / 15Mbps (upload) internet plan.
Your Plex server can be more than just a streaming box
Once you start experimenting with your media server by running other self-hosted services on it, you’ll begin to understand just how versatile a simple NAS can actually be. I now treat my little laptop NAS as an experimental playground, constantly swapping out services and trying out new apps, just to see what actually sticks in day-to-day use—which is what self-hosting is all about!