Gateways & Routing
ISP
Virgin Media Fiber 1Gbit/s down / 100Mbit/s up.
Worst connection ever: MTU: 1468, no IPv4, no router bridge mode.
Two gateways

There are two gateways on the network:
- caroline - exposed to the internet, provides access to internet and forwards connections to servers in SERVER VLAN
- justine - VPN G/W that connects to Mullvad and terminates incoming WireGuard VPN connections
Clients use caroline as G/W for direct internet access and justine as G/W for Mullvad-protected internet access. Additionally caroline runs a DNS server that uses the ISP DNS server, while justine will use PiHole and Mullvad's DNS server.
Routing with two gateways
Things get very complicated with a two-gateway setup. Clients need to be able to direct traffic to the correct gateway in response to connections coming in through one or the other gateway.
Gateway forwarded connections:
- caroline forwards from the internet into the internal network to:
  - public SERVER network services from outside: blog, younohost etc.
  - justine WireGuard VPN
- justine forwards from internet VPN-connected devices to:
  - HOME network
  - caroline for SERVER network
This creates the challenge where devices can be configured with any G/W and need to be able to forward the traffic to the other G/W in some cases:
- local IP & bridge - VPN clients could be bridged directly and assigned bridged network IP
- NAT - packets coming into the network are MASQUERADE'd to G/W IP address (how it is done currently)
- static route - push static routes to all clients so responses to packets coming from G/W-terminated IPs (e.g. VPN) are forwarded back to the correct G/W
- ICMP redirect - both G/W could be configured to inform clients of the correct G/W to use for a packet's destination
Problems:
- NAT obscures the source IP address, making troubleshooting, monitoring and accounting more difficult.
- Static routes or redirects will work only if the G/W can be deduced from the destination IP address.
- ICMP redirects may not work reliably, and will probably drop the first packet?
- Pushing routes to clients requires client support; NAT makes things transparent to clients.
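As an added illustration (not part of these notes), the small Python model below shows the reply-path behaviour of a HOME client under the options discussed above: default G/W only, a pushed static route for the VPN peer range, and MASQUERADE on the VPN gateway. Only the hostnames caroline and justine come from the page; every address range is a constructed placeholder.

```python
"""Model of the two-gateway reply-path problem (added example, not the page's config).

All IP ranges below are constructed placeholders chosen for illustration.
"""
import ipaddress
from typing import Optional

CAROLINE = "192.168.1.1"    # internet gateway, the clients' default G/W (assumed IP)
JUSTINE = "192.168.1.2"     # VPN gateway: Mullvad + incoming WireGuard (assumed IP)
HOME_LAN = "192.168.1.0/24" # assumed HOME network prefix
WG_CLIENTS = "10.8.0.0/24"  # assumed range handed to WireGuard peers on justine


def lookup(routes, dst) -> Optional[str]:
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def client_routes(with_static_route: bool):
    """Routing table of a HOME client; 'local' means deliver on-link."""
    routes = [(HOME_LAN, "local"), ("0.0.0.0/0", CAROLINE)]
    if with_static_route:
        # 'static route' option: replies to VPN peers are sent via justine
        routes.append((WG_CLIENTS, JUSTINE))
    return routes


def reply_next_hop(src_seen_by_client: str, with_static_route: bool) -> str:
    """Where a HOME client sends its reply to a connection from src."""
    return lookup(client_routes(with_static_route), src_seen_by_client)


def masquerade(src: str, gw_ip: str) -> str:
    """'NAT' option: the G/W rewrites the source to its own IP, hiding src."""
    return gw_ip


if __name__ == "__main__":
    peer = "10.8.0.7"  # constructed WireGuard peer address
    print("default G/W only :", reply_next_hop(peer, False))  # caroline, wrong G/W
    print("with static route:", reply_next_hop(peer, True))   # justine
    nat_src = masquerade(peer, JUSTINE)
    print("with NAT, client sees", nat_src, "->", reply_next_hop(nat_src, False))
```

Without the static route the reply to a VPN peer leaves via caroline, which never saw the inbound flow; with NAT the client only ever sees justine's address, so the default route works but the peer's real IP is lost.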
Server VLAN
Uses dedicated VM server-gw that uses WireGuard VPN to connect to the Vps server. It acts as default G/W for all SERVER VLAN hosts and routes traffic out via Vps over the VPN connection. This way all servers have the Vps public IP as their outgoing IP. Traffic is forwarded by Vps over the same VPN connection to the server-gw host and from there to www for HTTP(S) termination and also to the younohost service for Jitsi meet streams.
… Caroline so outgoing … has ISP …
Plan:
- Set up Vps host that will forward all traffic through it (like Mullvad would) so that public IP is of Vps
- Set up VPN … that will …
- Configure DHCP for SERVER VLAN to use … so all traffic goes out of Vps
- Configure Vps to forward … vps public … internet …
- Don't NAT out to vps so that www can see public IPs of clients - it will use default G/W to send replies so they will end up on Vps over vps VPN through server-gw. This is needed since Jitsi detects public IP automatically and it has to match the domain IP, so IP of Vps.
Sandbox VM network
Igor runs dedicated network (vnet) with instance acting as default G/W server-sanbox-gw for all VMs connected to it. It runs Mullvad VPN and this way provides private connectivity out to the internet with NAT. There is no port forwarding into the network. The network is isolated from all other networks.