Differences

This shows you the differences between two versions of the page.

--- router:networking [2024/02/21 13:05] – [Gentoo Network Configuration] willy
+++ router:networking [2025/02/06 09:17] (current) – removed willy
@@ Line 1: / Line 1: @@
-====== Network Configuration for the Home Router ======
-{{ :selfhost:architecture_v2.png?800 |}}
-The network architecture i will referring to it's divided into different zones:
-  * The **external** zone, which is internet or in general anywhere **outside** your home. This will be on the other side of your ISP gateway. It's considered dangerous and //hic sunt leones//.
-  * The **internal** zone, which is your home network, it's considered safe and comfy. Do not let unknown strangers have the WiFi password!
-There are also your ISP's gateways networks, which i will assume are //192.168.1.0// and //192.168.1.0//, which is quite typical.
-You **do not need** to have two ISPs. It's a resilience point tough, if you plan to host critical services you might want to have two. If you have only one, just ignore anything related to the second one in the followings.
-===== Internal network =====
-The **internal** network is considered somehow a safe zone, where all your home devices (or devices while at home) will connect. This network will be able to access to all your home services and also the internet, in a safe way.
-The key point for mobile devices (laptops, tables, phones etc) that can move between inside and outside home is to be able to access the services both when inside and outside home in the same way. This will **not** include how to provide safe internet access to mobile devices while outside home, since this might require root access in some cases or the mandatory use of a VPN.
-(note: a quick way for Android devices is to set //dns.adguard.com// as your private DNS)
-I will show you how do all this **without** the need for a VPN, not because i dislike using a VPN but because it's a complexity layer that applies to end-users, and this might not be acceptable for someone (elderly parents, spuses, kids...). Moreover, i do not want mobile devices to be using the home network connection when outside for general browsing and navigation, because this will add delay and use up twice the home bandwidth and data caps, which is not desirable.
-For the **internal** network it is important that you choose a good subnet range. The IANA defines  [[https://en.wikipedia.org/wiki/Private_network|ranges]] os private subnets that you can safely use. I suggest you don't use a subnet in the 192.168.x.y range as many of these ranges are already used by ISP routers and devices and in case of a clash you might end up having to replace addresses on all your internal hosts, and this can be a mess. A good idea is to use the 10.a.b.c ranges and choose something meaningful for you, or totally random. I will assume you are using **10.0.0.0** subnet.
-I will assume your home server is 10.0.0.1.
-Note that your internal network must be connected **only** to your home server and **never** directly to your ISPs gateways!
-===== External network =====
-I will assume that your access to the **external network** is hidden behind  CG-NAT (Carrier Grade NAT) and thus you do not have, and cannot have, a static IP visible from outside in any possible way. This is the common truth for mostly everybody nowadays.
-(For you lucky from the USA, where sometimes you can, maybe paying or even for free, get a static IP, this might not apply, but since the world is big and 99% of people cannot access a static IP anymore...)
-I will assume that you have two ISPs (for resilience). **ISP1** is high-speed but has a monthly data-cap, and it's gateway is on the 192.168.0.0 subnet. **ISP2** is lower-speed but has no data-cap. It's gateway is on the 192.168.1.0 subnet.
-I also assume you have an **external server**, or better that you have **two** external servers for resilience and redundancy:
-  * external server 1: 99.99.99.99
-  * external server 2: 77.77.77.77 (only needed if you have two ISPs)
-(IPs are totally random, but you need static IPs accessible on the internet).
-You can get very cheap VPS by shopping around. You will not be running much on them, so you don't need CPU or RAM nor storage, make sure you have a decent network bandwidth as that will determine the quality of accessing your home services while outside.
-===== Home Domain name =====
-You **need** a domain name. This is not optional, because SSL certificates can be released only to domain names and not directly to IP addresses, and also because when you are outside home, you need a //name// to reach home.
-I will assume you own **mydomain.com**. There are plenty of cheapo domains and also some are for free, remember you don't need a second-level domain (something third level under //.eu.org// for example would work fine). You will need somebody to manage your DNS records (you **cannot** use your home server for this) and you will also be able to create sub-domains (like service.mydomain.com).
-So, i assume you have the following sub-domains:
-  * mydomain.com: your main domain
-  * home.mydomain.com: your home server subdomain
-  * external1.mydomain.com: a second subdomain pointing to //home.mydomain.com//
-  * external2.mydomain.com: a third subdomain pointing to //home.mydomain.com//
-The key point is that you will be configuring this sub-domains differently **inside** and **outside** home, so that your mobile devices will be able to reach your home server with the same sub-domains both when inside and outside home.
-So, from **inside** home (i will show you how to set this up in [[router:dnsmasq|Router configuration|this section]]):
-  * mydomain.com: 10.0.0.1
-  * home.mydomain.com: 10.0.0.1
-  * external1.mydomain.com: 99.99.99.99
-  * external2.mydomain.com: 77.77.77.77
-And from **outside** home:
-  * mydomain.com: 99.99.99.99
-  * home.mydomain.com: 99.99.99.99
-  * external1.mydomain.com: 99.99.99.99
-  * external2.mydomain.com: 77.77.77.77
-(if you have only one ISP, you don't need external2.mydomain.com)
-====== Home Server Networking setup ======
-You will need at least two network connections on your home server. I mean at least two physical network Ethernet card. You could use one WiFi link, but i prefer to have the backbone on wired.
-You need one Ethernet connection that will be plugging your internal network, i will call this **enp0s31f6** or LAN.
-You need one Ethernet connection for each ISP gateway, while you might do with only one for both, provided you properly assign multiple IP addresses to the same interface. I will call ISP1 **enp0s20f0u4u4c2** and ISP2 **enp59s0u2u4c2**.  The hardware aspect of the network devices has been discussed in [[selfhost:hardware|here]].
-Sorry guys, these are default Linux naming scheme, i know it looks messed up, but there are good reasons for this. You can list all your network devices under **/sys/class/net**.
-Here is a summary of the information you will need:
-  * Internal network: 10.0.0.0/24
-  * ISP1 network: 192.168.0.0/24 - ISP router on 192.168.0.1
-  * ISP2 network 192.168.1.0/24 - ISP router on 192.168.1.254
-  * Home server, on ISP1 network: 192.168.0.10 (static IP) on enp0s31f6
-  * Home server, on ISP2 network: 192.168.1.10 (static IP) on enp0s20f0u4u4c2
-  * Home server, on internal network: 10.0.0.1 (static IP) on enp59s0u2u4c2
-  * Main external host: static IP 99.99.99.99
-  * Secondary external host: static IP 77.77.77.77
-The two external servers should ideally be on different networks/providers, but that is not mandatory.
-I choose to use static IPs for the home server on the ISPs networks because this allows for the use of SNAT instead of MASQUERADING later on , and it's faster.
-===== Gentoo Network Configuration =====
-Since i am going all static on the home server, network setup is simple and traightforward. I will be using the basic Netifrc scripts from Gentoo, you should check [[https://wiki.gentoo.org/wiki/Netifrc|this page]] for additional details. You will **not** need NetworkManager for the home server.
-If you plan to use WiFi with WPA or more complex setups (PPP or such) please refer to the [[https://wiki.gentoo.org/wiki/Handbook|Gentoo Handbook]].
-You should double check the actual names of your network devices under **/sys/class/net** of course and identify them properly or the following will not work for you.
-The first step is to populate your **/etc/conf.d/net** configuration file, follow this example and adapt to your needs:
-<file - net>
-# LAN on enp0s31f6
-config_enp0s31f6="10.0.0.1/24"
-# ISP1  on enp59s0u2u4c2
-config_enp59s0u2u4c2="192.168.0.10/24"
-# ISP2 on enp0s20f0u4u4c2
-config_enp0s20f0u5u3="192.168.1.10/24"
-</file>
-Please note that i omitted any default route. This file will not let you navigate internet from the home server. This is on purpose because in the next sections i will show you how to do advanced routing techniques and that will cause issues with a default route set at this level. If you need proper internet access meanwhile, add a line like the following:
-<code>
-route_enp59s0u2u4c2="default via 192.168.0.254"
-</code>
-Now, create the needed symlinks and start the networks:
-<code bash>
-for i in enp0s31f6 enp59s0u2u4c2 enp0s20f0u4u4c2
-do
-    ln -s /etc/init.d/net.lo /etc/init.d/net.$i
-    rc-upate add net.$i default
-done
-</code>
-Now you need to tell Gentoo that only **one** of these needs to be up for networking to be ready. If you don't do this, then all your services will fail as soon as one goes down. Edit the file **/etc/rc.conf** and change the following line to "NO":
-<code>
-rc_depend_strict="NO"
-</code>
-Reboot your home server and ensure all networks are up and running by pinging the ISP gateways and some internal network host.

Willy's Wiki

User Tools

Differences