Gateways & Routing
Two gateways

There are two gateways on the network:
- caroline - exposed to the internet; provides internet access and forwards connections to servers in the SERVER VLAN
- justine - VPN G/W that connects to Mullvad and terminates incoming WireGuard VPN connections
Clients use caroline as their G/W for direct internet access and justine as their G/W for Mullvad-protected internet access. Additionally, caroline runs a DNS server that uses the ISP's DNS server, while justine will use PiHole and Mullvad's DNS server.
Routing with two gateways
Things get very complicated with a two-gateway setup. Clients need to be able to direct traffic to the correct gateway when responding to connections that came in through one gateway or the other.
Gateway forwarded connections:
- caroline forwards connections from the internet into the internal network to:
  - public SERVER network services reachable from outside: blog, YunoHost etc.
  - justine WireGuard VPN
- justine forwards traffic from VPN devices connected over the internet to:
  - HOME network
  - caroline, for the SERVER network
This creates a challenge: devices can be configured with either G/W and in some cases need to be able to forward traffic to the other G/W. Options:
- local IP & bridge - VPN clients could be bridged directly and assigned an IP on the bridged network
- NAT - packets coming into the network are MASQUERADE'd to the G/W IP address (how it is done currently)
- static route - push static routes to all clients so that responses to packets coming from G/W-terminated IPs (e.g. VPN) are forwarded back to the correct G/W
- ICMP redirect - both G/Ws could be configured to inform clients of the correct G/W to use for a packet's destination
Problems:
- NAT obscures the source IP address, making troubleshooting, monitoring and accounting more difficult.
- Static routes or redirects will work if the G/W can be deduced from the destination IP address.
- ICMP redirects may not work reliably; will probably drop the first packet?
- Pushing routes to clients requires client support, whereas NAT makes things transparent to clients.
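The trade-offs listed above, as an added example that is not part of the original notes: a small Python model of a LAN host's routing table that shows which gateway receives the reply under each option. The addresses (192.168.10.0/24 for HOME, 10.8.0.0/24 for the VPN pool, 203.0.113.9 as an internet source) and the function names are assumptions; ICMP redirects are not modelled.

```python
import ipaddress as ip

# Constructed addressing (assumptions, not from the notes).
HOME = ip.ip_network("192.168.10.0/24")       # LAN shared by hosts and both G/Ws
VPN_POOL = ip.ip_network("10.8.0.0/24")       # WireGuard clients terminated on justine
GW = {"caroline": ip.ip_address("192.168.10.1"),
      "justine": ip.ip_address("192.168.10.2")}

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None means on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply(ingress, src, default_gw, option="none"):
    """Return (source address the LAN host sees, gateway that gets its reply)."""
    routes = [(ip.ip_network("0.0.0.0/0"), default_gw), (HOME, None)]
    if option == "static-route":
        routes.append((VPN_POOL, "justine"))  # route pushed to the client
    # With NAT the ingress G/W MASQUERADEs to its own LAN address.
    seen = GW[ingress] if option == "nat" else ip.ip_address(src)
    hop = next_hop(routes, seen)
    if hop is None:  # on-link: delivered straight to the G/W owning that address
        hop = next((n for n, addr in GW.items() if addr == seen), "on-link")
    return str(seen), hop

def symmetric(ingress, src, default_gw, option="none"):
    """True when the reply leaves through the gateway the request came in on."""
    return reply(ingress, src, default_gw, option)[1] == ingress

if __name__ == "__main__":
    cases = [("justine", "10.8.0.7", "caroline"),     # VPN client -> HOME host
             ("caroline", "203.0.113.9", "justine")]  # internet -> host using justine
    for ingress, src, default_gw in cases:
        for option in ("none", "nat", "static-route"):
            seen, hop = reply(ingress, src, default_gw, option)
            print(f"in={ingress:8} default={default_gw:8} {option:12} "
                  f"host sees {seen:13} reply via {hop:8} "
                  f"{'ok' if hop == ingress else 'ASYMMETRIC'}")
```

In the second case the static route does not help, because an arbitrary internet source address says nothing about which G/W forwarded the connection; only NAT keeps the path symmetric there, at the cost of hiding the real source.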
Server VLAN and sandbox VM network
