Gateways & VLANS
Two gateways
There are two gateways on the network:
- caroline - exposed to the internet, provides internet access and forwards incoming connections to servers in the SERVER VLAN
- justine - VPN G/W that connects to Mullvad and terminates incoming WireGuard VPN connections
Clients use caroline as G/W for direct internet access and justine as G/W for Mullvad-protected internet access. Additionally, caroline runs a DNS server that forwards to the ISP's DNS server, while justine will use PiHole and Mullvad's DNS server.
Routing with two gateways
Things get very complicated with a two-gateway setup. Clients need to be able to direct traffic to the correct gateway in response to connections arriving through one gateway or the other.
Gateway forwarded connections:
- caroline forwards connections from the internet into the internal network to:
  - public SERVER network services exposed to the outside: blog, younohost etc.
  - justine's WireGuard VPN endpoint
- justine forwards connections from internet VPN-connected devices to:
  - the HOME network
  - private SERVER network services (not currently configured)
This creates the challenge where devices can be configured with either G/W and, in some cases, need to be able to forward traffic to the other G/W:
- local IP & bridge - VPN clients could be bridged directly into the LAN and assigned an IP from the bridged network
Problems:
- NAT obscures the source IP address, making troubleshooting, monitoring and accounting more difficult.
- Static routes or redirects will work if the G/W can be deduced from the destination IP address.
- ICMP redirects may not work reliably, and will probably drop the first packet?
- Pushing routes to clients requires client support; NAT makes things transparent to clients.
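The following is an added worked example (not part of these notes) that models the return-path problem described above: a LAN host replying to a connection must send the reply via the same gateway the connection arrived through, and a plain destination-based route table can only do that when the source address is distinctive. All addresses are constructed assumptions: HOME VLAN 192.168.10.0/24 with caroline at .1 and justine at .2, SERVER VLAN 192.168.20.0/24, a WireGuard tunnel pool 10.66.0.0/24 handed out by justine, and 203.0.113.9 as an internet visitor. It shows that a static route for the tunnel pool keeps VPN replies symmetric, that a host whose default G/W is justine misroutes replies to connections forwarded by caroline, and that source NAT on caroline fixes that at the cost of hiding the real source address.

```python
import ipaddress

# Constructed addresses (assumptions for this example, not from the notes).
CAROLINE = "192.168.10.1"   # internet-facing G/W
JUSTINE = "192.168.10.2"    # Mullvad / WireGuard G/W

# Route tables as a HOME host might carry them: (prefix, next hop or None for on-link).
HOME_VIA_CAROLINE = [
    ("192.168.10.0/24", None),       # HOME VLAN, on-link
    ("192.168.20.0/24", CAROLINE),   # SERVER VLAN behind caroline
    ("10.66.0.0/24", JUSTINE),       # WireGuard clients behind justine
    ("0.0.0.0/0", CAROLINE),         # default: direct internet
]
HOME_VIA_JUSTINE = [
    ("192.168.10.0/24", None),
    ("192.168.20.0/24", CAROLINE),
    ("10.66.0.0/24", JUSTINE),
    ("0.0.0.0/0", JUSTINE),          # default: Mullvad-protected internet
]


def next_hop(dst, routes):
    """Longest-prefix match over the route table.

    Returns the next-hop address, None when dst is on-link, and raises
    LookupError when no route covers dst.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def egress_gateway(dst, routes):
    """Which device the first hop of a packet to dst actually goes to.

    For an on-link destination the packet is delivered straight to dst,
    so dst itself is the 'gateway' it reaches.
    """
    gw = next_hop(dst, routes)
    return dst if gw is None else gw


def reply_is_symmetric(ingress_gw, src_seen, routes):
    """True if the reply to a connection that arrived via ingress_gw, whose
    source address the host sees as src_seen, leaves through the same gateway."""
    return egress_gateway(src_seen, routes) == ingress_gw


def source_after_snat(real_src, gateway_ip, nat_enabled):
    """Source address the LAN host sees: unchanged, or the gateway's own
    address when the gateway masquerades (source NAT) forwarded connections."""
    return gateway_ip if nat_enabled else real_src


if __name__ == "__main__":
    cases = [
        # (description, host route table, ingress gateway, real source, NAT on ingress)
        ("default via caroline, visitor from internet", HOME_VIA_CAROLINE, CAROLINE, "203.0.113.9", False),
        ("default via caroline, WireGuard client via justine", HOME_VIA_CAROLINE, JUSTINE, "10.66.0.7", False),
        ("default via justine, visitor from internet, no NAT", HOME_VIA_JUSTINE, CAROLINE, "203.0.113.9", False),
        ("default via justine, visitor from internet, SNAT", HOME_VIA_JUSTINE, CAROLINE, "203.0.113.9", True),
    ]
    for desc, routes, ingress, real_src, nat in cases:
        seen = source_after_snat(real_src, ingress, nat)
        ok = reply_is_symmetric(ingress, seen, routes)
        print(f"{desc}: host sees {seen}, reply via {egress_gateway(seen, routes)}, "
              f"{'symmetric' if ok else 'ASYMMETRIC (reply leaves via wrong G/W)'}")
```

The third case is the one the notes warn about: with the default route pointing at justine, nothing in the destination address tells the host that 203.0.113.9 arrived via caroline, so the reply is pushed out through Mullvad and the connection breaks. The fourth case shows why NAT "makes things transparent to clients" while also being the reason the host can no longer see the real source address.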