Network security in combination with a home webserver

Hello all!

In my home network I am currently using a “MikroTik hAP ac” with default settings. No VLANs and no special firewall rules. I would now like to install “Proxmox” on an “HP ProLiant MicroServer Gen8” with various web applications like Nextcloud, WordPress. I have a fixed WAN IP and would use a “reverse proxy” to make the applications accessible from external. The reverse proxy would also run on the Proxmox server.

To make the server accessible from outside, I would have to allow the ports 80 and 443 in the MikroTik firewall. But is that a good idea? Would I weaken my private network's security by allowing these ports? Should I build a DMZ and run the server there or are there better alternatives?

I hope you have some good advice for me :wink:

Forget about DMZ, it will definitely weaken your security.

You might want to consider using VLANs to prevent your webserver from being able to connect with your private network. Add a hairpin NAT and you will be able to access your server on port 80 and 443. Only thing you have to think of is how to connect to your server if you want to upload/configure/etc.

You probably are confusing a real DMZ with the term DMZ as used by today's home routers (where DMZ just means "forward all incoming traffic not matching NAT state to this host").
Of course it is possible to configure a separate network on a MikroTik router and call it a DMZ. That would be the "3-port firewall" layout (as opposed to having two separate firewalls to isolate the DMZ from internet and from the LAN).

When you have only a single server and all you need is incoming traffic on port 80 and 443 to be forwarded to that server, of course a DMZ is a bit overkill and a simple port forward would do fine.
However, when the server instead consists of several virtual services that inter-connect e.g. for a database or other frontend/backend configuration, a separate DMZ could be a good idea.
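The two replies above describe the same design from two angles: a separate VLAN (a "3-port firewall" DMZ on the one router) for the server, a port forward for 80/443, hairpin NAT so LAN clients can use the public address, and a deliberate path from the LAN to the server for uploads and administration. The following RouterOS CLI configuration is an added example written for this thread, not something any of the posters provided. Everything in it is assumed for illustration: the default bridge named `bridge` carrying the LAN on 192.168.88.0/24 (the MikroTik default), WAN on `ether1` with the fixed public address 203.0.113.10 (a documentation-range placeholder), server VLAN 20 on 192.168.20.0/24, and the Proxmox host connected to `ether5` at 192.168.20.10. It complements, rather than replaces, the input-chain rules of the default MikroTik firewall.

```routeros
# Added example (not from any post in this thread): MikroTik RouterOS CLI for a
# separate server VLAN plus port forwarding and hairpin NAT.
# Assumptions (all constructed for this example):
#   bridge named "bridge" with the LAN on 192.168.88.0/24 (the MikroTik default)
#   WAN on ether1 with the fixed public address 203.0.113.10 (documentation range)
#   server VLAN 20 on 192.168.20.0/24, Proxmox host on ether5 at 192.168.20.10

# --- interface lists, VLAN, addressing ---
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/interface vlan add name=vlan20-servers vlan-id=20 interface=bridge
/ip address add address=192.168.20.1/24 interface=vlan20-servers

# ether5 becomes an access port in VLAN 20; the bridge itself is tagged so the
# router can route for VLAN 20. Enable vlan-filtering LAST: if a line above is
# wrong you still have management access until this point.
/interface bridge port set [find interface=ether5] pvid=20
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether5
/interface bridge set bridge vlan-filtering=yes

# --- forward chain: rules are evaluated top to bottom, first match wins ---
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="replies to already-allowed connections"
add chain=forward action=drop connection-state=invalid

# From the internet: only connections the dst-nat rule below rewrote, on 80/443, to the server
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat dst-address=192.168.20.10 protocol=tcp dst-port=80,443 comment="published web ports"
add chain=forward action=drop in-interface-list=WAN comment="everything else from WAN"

# LAN clients may reach the published ports and the management ports of the server
add chain=forward action=accept in-interface=bridge out-interface=vlan20-servers dst-address=192.168.20.10 protocol=tcp dst-port=22,80,443,8006 comment="LAN -> server: web, SSH, Proxmox UI"

# The server VLAN may never open connections into the private LAN
add chain=forward action=drop in-interface=vlan20-servers out-interface=bridge comment="server VLAN cannot reach LAN"
add chain=forward action=accept in-interface=vlan20-servers out-interface-list=WAN comment="server may fetch updates"
add chain=forward action=drop in-interface=vlan20-servers comment="deny rest from server VLAN"

# --- NAT ---
/ip firewall nat
# Deliberately not restricted to in-interface=WAN: LAN clients that connect to
# the public IP are redirected too, which is the first half of hairpin NAT.
add chain=dstnat action=dst-nat to-addresses=192.168.20.10 dst-address=203.0.113.10 protocol=tcp dst-port=80,443 comment="publish 80/443"
add chain=srcnat action=masquerade out-interface-list=WAN comment="normal internet NAT"
# Second half of hairpin NAT: rewrite the LAN source so the server answers via
# the router instead of replying directly to the client, which would break the
# connection because the client expects the answer from the public address.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.20.10 protocol=tcp dst-port=80,443 comment="hairpin NAT"
```

A quick check after applying it: from a LAN host, `curl -I https://203.0.113.10` should be answered by the reverse proxy (hairpin NAT working), while from a shell on the Proxmox host a connection attempt to any 192.168.88.x address should time out (the server VLAN is cut off from the LAN). The explicit `dst-port=22,80,443,8006` rule is the answer to the "how do I upload/configure" question in the second reply: management of the server is only reachable from the LAN side, never from the WAN.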