You need a reserve proxy. That's a piece of software that takes the requests and puts them toward the correct endpoint.

You need to create port forwards in the router and direct 80 and 443 (or whatever you're using) toward the host of the reverse proxy and that is listening to on those ports. If it recognized the requests are for nas.your.domain, it will forward the requests to the NAS.

Common reverse proxies are nginx or caddy. You can install it on your raspberry, it doesn't need it's own device.

If you don't want that, you can create different port forwards on your router (e.g. 8080 and 8443 to the Raspi) and configure your service on the Raspi corresponding. But it doesn't scale well and you'd need to call everything with the port and the reverse proxy is the usual solution.

Welcome to the wonderful world of reverse proxies!

What are you running?

If it is http based use a reverse proxy like Caddy

I really feel like people who are beginners shouldnt play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you wont even notice unless you’re logging stuff.

Of course you can set up 2FA etc but that’s pretty involved compared to a simple wg tunnel that lives on your router.

VPN is definitely the way to go for home networks. Your router even has one built in. OpenVPN and Wireguard are good.

If you really want to expose stuff like this the proper way is to isolate your home network from your internet exposed network using a VLAN. Then use a reverse proxy, like caddy and place everything behind it.

Another benefit of a reverse proxy is you don't need to setup https certs on everything just the proxy.

You do need a business or prosumer router for this though. Something like Firewalla or setting up a OpenWRT or OPNsense.

Synology also has there quick connect service as well. While not great if you keep UPNP off and ensure your firewall and login rate limiting is turned on it may be better then just directly exposing stuff. But its had its fair share of problems so yeah.

Consider not self hosting everything. For example if all your family cares about is private photo storage, consider using a open source E2EE encrypted service for photos on the cloud like Ente Photos. Then you can use VPN for the rest. https://www.privacyguides.org/ has some recommendations for privacy friendly stuff.

Also consider the fallout that would happen if you are hacked. If all your photos and other things get leaked because your setup was not secure was it really any better than using big tech?

If nothing else please tell me you are using properly setup https certs from Let's Encrypt or another good CA. Using a firewall and have login rate limiting setup on everything that is exposed. You can also test your SSL setup using something like https://www.ssllabs.com/ssltest/

Whispers “try proxmox”

If you mean HTTP server, what you need is a reverse proxy and name-based virtual hosts. I usually use nginx for such tasks, but you may choose another web server that has these features.

The synology NAS can act as a reverse proxy for stuff inside your network. I don't have mine in front of me, so you will have to google the steps, but basically you point the synology to an internal resource and tell it what external subdomain it should respond to.

You can either:

A) Use a different port, just set up the new service to run on a port that's not used by the other service.

B) If it's a TCP service use a reverse proxy and a subdomain.

Who is externally reaching these servers?
Joe public? Or just you and people you trust?

If it's Joe public, I wouldn't have the entry point on my home network (I might VPS tunnel, or just VPS host it).

If it's just me and people I trust, I would use VPN for access, as opposed to exposing all these services publicly

Router gets the public IP. Login to it, find port forwarding option. You'll pick a public port. IE 443 and forward it to a local IP:port combo, IE 192.168.0.101:443.

Then you can pick another public port and forward it to a different private IP:port combo.

If you want a subdomain, you forward one port to one host and have it do the work. IE configure Nginx to do whatever you want.

EDIT: or you use IPv6. Everything is a public IP.

Honestly Cloudflare Tunnels could be a very simple way to do it. I've always had tremendous luck with it. By using CF you can let them do all the heavy lifting instead of hosting your own... as long as you trust them.

If you go with IPv6, all your devices/servers have their own IP. These IPs are valid in your LAN as well a externally.

But it's still important to use a reverse proxy (e.g. for TLS).

You already have a lot of good answers ... but I got one more to add.

I have a very similar setup on my homelab and I'm using a Cloudflare tunnel.

It's a free service and it's really good because it allows you to expose web services and specific ports for remote access over dynamic IPs without having to expose your own router.

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/