router:nat [2024/02/08 17:30] – created willy | router:nat [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Enabling NAT ===== | ||
- | |||
- | If you want your home network to be able to reach the outside internet, you need to enable Network Address Translation on the home server. | ||
- | |||
- | There are at least two different types of NAT that you can use: | ||
- | * SNAT (source NAT) | ||
- | * Masquerading | ||
- | |||
- | SNAT is faster but require your **upstream** interface to have a static IP address, because it's a NAT associated to a fixed IP address. | ||
- | |||
- | Masquerading does not depend on a fixed IP, but since it queries the interface for it's current IP for each packet routed, it's slower and require a little bit more resources. Since in your setup the upstream network interfaces have **static** IP address, i will show you SNAT. Masquerading is required when you have a PPP upstream connection, for example, or when you are forced to use DHCP from your ISP. | ||
- | |||
- | Enabling SNAT with **nft** is pretty easy and can be achieved with the following commands on the server: | ||
- | <code bash> | ||
- | > nft add table nat | ||
- | > nft add chain nat postrouting { type nat hook postrouting priority 100\;} | ||
- | > nft add rule nat postrouting oifname " | ||
- | </ | ||
- | |||
- | These rules: | ||
- | * Create a new table called nat | ||
- | * Create a new chain called postrouting | ||
- | * Append to it a rule that will apply SNAT to all packets coming from the LAN interface (iifname) and routes them on the WAN interface (oifname) replacing it's IP address as 192.168.1.10 | ||
- | |||
- | I am showing you how to use **nftables** tool, which replaced // | ||
- | |||
- | You should, now, route your home network to the outside world... | ||
- | |||
- | |||
- | One last step is to enable IP forwarding, since you will need this both for containerized services and the home network. Create a new file called **/ | ||
- | <file - ip_forward.conf> | ||
- | net.ipv4.ip_forward=1 | ||
- | net.ipv4.conf.default.rp_filter=1 | ||
- | </ | ||
- | |||
- | Now either reboot or manually enable: | ||
- | <code bash> | ||
- | > sysctl net.ipv4.ip_forward=1 | ||
- | > sysctl net.ipv4.conf.default.rp_filter=1 | ||
- | </ | ||
- | |||
- | ====== Leveraging having more than one ISP / upstream connection ====== | ||
- | |||
- | If you have **two** upstream connections (for example, one could be a cell phone link, only for emergencies) it would be great to be able to: | ||
- | * Switch between the two ISPs when needed | ||
- | * Route access to specific servers trough ISP1 or ISP2 | ||
- | * Route specific programs trough ISP1 or ISP2 | ||
- | * Load-balance your traffic | ||
- | |||
- | I will address at this time only the first three points. | ||
- | |||
- | Having two ISPs is important for redundancy. When you start to rely on your home services for your everyday life you want them to be always accessible, so if ISP1 goes down switch to ISP2. | ||
- | |||
- | If your ISP1 is, for example, much faster **but** with a data-cap, while ISP2 is slower, but with unlimited data? It would be great to route all traffic trough ISP1, but some apps (like //usenet// or // | ||
- | |||
- | More over, you will want to set-up two SSH tunnels one trough ISP1 and one trough ISP2 so in any case you have remote access. | ||
- | |||
- | To achieve this you need to operate on two levels: | ||
- | * At **nft** level to set specific rules for packet filtering & modification inside the kernel | ||
- | * At **route** level, because packets **need** to be properly routed outside | ||
- | |||
- | |||
- | ==== select ISP based on destination ==== | ||
- | |||
- | I will assume ISP1 is your **default gateway**, and you can have only one default route. The basic idea is that if i want to reach // | ||
- | |||
- | |||
- | ==== select ISP based on service ==== | ||
- | |||
- | Make service 1 always go trough ISP2. | ||
- | |||
- | |||
- | |||
- | ==== Automation | ||
- | [[https:// | ||
- | |||
- | |||
- | ====== All done? ====== | ||
- | |||
- | Now you can access internet safely from the home network. | ||
- | |||
- | To learn how to reach the internal server from the **internet**, | ||
- | |||
- | |||
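Review bot: the removed page pairs `net.ipv4.conf.default.rp_filter=1` (strict reverse-path filtering) with the later two-ISP plan (`select ISP based on destination`, `select ISP based on service`), and strict mode will silently drop replies that come back over the upstream other than the one the kernel would have chosen for the source, so if this content is ever restored the sysctl file should use loose mode (`net.ipv4.conf.default.rp_filter=2`) or a per-interface setting for the multi-homed case, and the text should say why. Two further things to fix on restore rather than carry over: the SNAT rule in the `<code bash>` block is cut off at `oifname "` (the bullet list below it describes `iifname` LAN, `oifname` WAN and a `snat to 192.168.1.10` target, which the visible command never reaches), and the `</code>` / `</file>` closers and the `/etc/sysctl.d/...` path are truncated, so the block as shown cannot be run. The priority `100` on the `postrouting` nat chain matches the usual srcnat placement and needs no change; just be aware that the deletion leaves the wiki with no NAT or IP-forwarding page at all, so a pointer to whatever replaces it belongs in the removal.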