router:networking, revision 2024/10/22 19:01 by willy (page removed 2025/02/06 09:17)
====== Network Layout ======

For a general understanding of IP networking, [[https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking|this]] is a good starting point. You should be familiar with basic subnetting and routing to follow the rest of this page.
- 
Let's start with the high-level organization. You have two macro areas to consider:
  * The internal network, or home network: the network (or networks) that sits on top of your [[:networking|backbone]] and connects all your home devices (home automation, webcams, server, computers, tablets...) together. You can have one single flat home network or a mix of subnets for different purposes, such as one for home automation devices, one for webcams and one for computers.
  * The external network, or the internet: everything outside the home network. It must be considered //unsafe//, but it is also the only way to reach your home services when you are not at home.

Between the two you need a firewall/router device and some glue to let the two sides talk safely and effectively. On the //[[selfhost:simple_approach|simple]]// side of things, you can use your home server as firewall/router. For a more advanced approach, use a dedicated firewall appliance running [[networking:using_opnsense|OPNsense]].
- 
- 
===== Internal Network addressing =====
You need to choose a proper subnet for your home network, and it must be a **private** subnet. The IANA reserves [[https://en.wikipedia.org/wiki/Private_network|ranges]] of private address space (RFC 1918) that you can safely use; they are never routed on the internet.

Of the available ranges, my suggestion is to use **10.X.Y.Z** and to avoid the most obvious choices such as 10.0.0.0/24 or 10.1.1.0/24: you will stumble on devices, VPN endpoints or office networks that already use those, and an overlapping subnet complicates routing (a VPN into a remote 10.0.0.0/24 cannot coexist with a local one). Be creative and build your own subnet using any logic you want. For my home network I combined my ZIP code and house number into a unique subnet starting with 10, sized as a /24 (254 usable hosts).

For the rest of this page I will assume your home network uses **10.20.30.0/24** as LAN, **10.20.254.0/24** as DMZ (if needed) and **10.20.1.0/24** as VPN (if needed) subnets.

Do not use a subnet in the 192.168.x.y range: many of those ranges are already used by ISP routers and consumer devices, and in case of a clash you might end up renumbering every internal host, which is a mess. The ISP gateways in this setup sit on 192.168.x.y themselves, so your LAN must not overlap with them.
- 
You also need to plan the address assignments inside the LAN. I suggest at least:
  * A fixed IP for your home server (10.20.30.1)
  * A range for network devices, such as WiFi APs and switches (10.20.30.2 - 10.20.30.19)
  * A range for home servers / Home Assistant / etc. (10.20.30.20 - 10.20.30.29)
  * A range for webcams / IoT devices (10.20.30.30 - 10.20.30.69)
  * A range for other fixed IPs (10.20.30.70 - 10.20.30.99)
  * A range for DHCP (10.20.30.100 - 10.20.30.200), since most of your phones/tablets will need dynamic addresses
  * A fixed IP for your router/gateway, if different from the home server (10.20.30.254)

Keep every fixed address outside the DHCP pool, otherwise the DHCP server will eventually hand the same address to a phone and you will be chasing an intermittent conflict. Of course, you might want to add VLANs to separate IoT stuff and/or create more segments as you prefer.
- 
- 
- 
===== External Network =====
Upstream from your home lies your ISP, or ISPs. They will place in your home one (or more) //gateways//, which are just networking boxes. These come preloaded with a specific configuration, often WiFi access, and some Ethernet ports. Disable their WiFi when possible (you will be using __your__ WiFi) and plug each one into a dedicated Ethernet port of your firewall or home server with a straight-through cable.

Your ISP gateways will typically have addresses like 192.168.0.1 or 192.168.1.254.

You **do not need** two ISPs. It is a resilience point though: if you plan to host critical services you might want two. If you have only one, just ignore anything related to the second one in what follows.

I will assume that your access to the **external network** is hidden behind CG-NAT (Carrier Grade NAT), so that you do not have, and cannot get, a public IP reachable from outside. This is the common situation for residential connections nowadays, and it is also why the design below relays inbound traffic through external hosts instead of opening ports on the ISP gateway.

(If your ISP does give you a public, possibly static, IP, paid or free, part of this might not apply to you; the design still works, you just have one more option.)
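Two offline sanity checks for the points above, as an added example in POSIX sh (my script, not part of the original page): one walks the address plan from the previous section and reports any fixed range that lands inside the DHCP pool or outside the LAN, the other classifies the address your ISP gateway shows on its WAN side, since an address in 100.64.0.0/10 (RFC 6598 shared space) is the usual sign of CG-NAT. The 10.20.30.0/24 plan and the gateway address passed to ''check_plan'' are the page's example values; the WAN address is something you have to read from the gateway's status page yourself.

```sh
#!/bin/sh
# Added example, not from the original page: offline sanity checks for the
# address plan (10.20.30.0/24, ranges as suggested above) and for the CG-NAT
# question. Pure POSIX sh arithmetic; nothing here touches the network.

# Dotted quad -> 32-bit integer (done in a subshell so IFS is not leaked)
ip2int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# True (0) if address $1 lies inside CIDR block $2, e.g. in_cidr 10.20.30.7 10.20.30.0/24
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# True if the inclusive ranges [$1,$2] and [$3,$4] share at least one address
ranges_overlap() {
    [ "$(ip2int "$1")" -le "$(ip2int "$4")" ] && [ "$(ip2int "$3")" -le "$(ip2int "$2")" ]
}

is_private_address() {   # RFC 1918
    in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

is_cgnat_address() {     # RFC 6598 shared address space, the usual CG-NAT tell
    in_cidr "$1" 100.64.0.0/10
}

# Classify the address the ISP gateway shows on its WAN side (read it from the
# gateway's status page; this script cannot fetch it for you):
#   public     -> inbound traffic via a plain port forward is at least possible
#   cgnat      -> the page's assumption: no inbound traffic without an external relay
#   double-nat -> another private network upstream of the gateway, same conclusion
classify_wan() {
    if is_cgnat_address "$1"; then echo cgnat
    elif is_private_address "$1"; then echo double-nat
    else echo public
    fi
}

# Check the LAN plan: every range inside the LAN and no fixed range inside the
# DHCP pool. $1 is the gateway address. Prints each problem; returns 1 if any.
LAN=10.20.30.0/24
DHCP_LO=10.20.30.100
DHCP_HI=10.20.30.200
check_plan() {
    rc=0
    while read -r name lo hi; do
        [ -n "$name" ] || continue
        if ! in_cidr "$lo" "$LAN" || ! in_cidr "$hi" "$LAN"; then
            echo "$name: $lo-$hi is outside $LAN"; rc=1
        fi
        if [ "$name" = dhcp ]; then continue; fi
        if ranges_overlap "$lo" "$hi" "$DHCP_LO" "$DHCP_HI"; then
            echo "$name: $lo-$hi collides with the DHCP pool $DHCP_LO-$DHCP_HI"; rc=1
        fi
    done <<EOF
dhcp    $DHCP_LO    $DHCP_HI
server  10.20.30.1  10.20.30.1
netdev  10.20.30.2  10.20.30.19
servers 10.20.30.20 10.20.30.29
iot     10.20.30.30 10.20.30.69
fixed   10.20.30.70 10.20.30.99
gateway $1          $1
EOF
    return $rc
}
```

Edit the table inside ''check_plan'' to match your own plan and run ''check_plan 10.20.30.254''; a gateway placed at 10.20.30.154 is reported as colliding with the pool. For the CG-NAT question, compare the gateway's WAN address with the address an external "what is my IP" lookup reports: if the two differ there is at least one more NAT between you and the internet, whatever ''classify_wan'' says.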
- 
- 
- 
- 
- 
- 
===== Home Domain name =====

You **need** a domain name. This is not optional: the certificates you will obtain from a public CA (Let's Encrypt through ACME) are validated against a domain name, and when you are outside home you need a //name// to reach home, because behind CG-NAT you have no public IP of your own anyway.

I will assume you own **mydomain.com**. There are plenty of cheap domains and some free ones; remember you don't need a second-level domain (a third-level name under //.eu.org//, for example, works fine). You need somebody to host your authoritative DNS records (you **cannot** use your home server for this: behind CG-NAT it is not reachable from the internet, so nobody could query it) and you must be able to create sub-domains (like service.mydomain.com).

So, I assume you have the following sub-domains:
  * mydomain.com: your main domain
  * home.mydomain.com: your home server
  * external1.mydomain.com: the first external host, which relays to your home server
  * external2.mydomain.com: the second external host, which also relays to your home server

The key point is that you will configure these sub-domains differently **inside** and **outside** home (split-horizon DNS), so that your mobile devices reach your home server with the same names whether they are inside or outside.

So, from **inside** home (I will show you how to set this up in [[router:dnsmasq|this section]]):
  * mydomain.com: 10.20.30.1
  * home.mydomain.com: 10.20.30.1
  * external1.mydomain.com: 99.99.99.99
  * external2.mydomain.com: 77.77.77.77

And from **outside** home (the public DNS records):
  * mydomain.com: 99.99.99.99
  * home.mydomain.com: 99.99.99.99
  * external1.mydomain.com: 99.99.99.99
  * external2.mydomain.com: 77.77.77.77

(If you have only one ISP, you don't need external2.mydomain.com.)
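The full resolver setup is in the dnsmasq section linked above; as an added example (mine, not the page's own dnsmasq configuration), this is the minimal dnsmasq fragment that produces the **inside** view listed above on the home server at 10.20.30.1, with 99.99.99.99 and 77.77.77.77 being the page's placeholder external hosts:

```conf
# /etc/dnsmasq.d/split-horizon.conf (added example, not from the page)
# Option A: override only the two names that must point home; every other
# name under mydomain.com (external1, external2, ...) is forwarded upstream
# and gets the same public answer it gets from outside.
host-record=mydomain.com,10.20.30.1
host-record=home.mydomain.com,10.20.30.1

# Option B: catch every *.mydomain.com (handy when many service.mydomain.com
# names point at the external host), then send the external names back out
# to the normal upstream servers ('#' = use the configured upstream).
#address=/mydomain.com/10.20.30.1
#server=/external1.mydomain.com/#
#server=/external2.mydomain.com/#
```

Verify both views from a LAN host with ''dig @10.20.30.1 home.mydomain.com +short'' (expect 10.20.30.1) and ''dig @10.20.30.1 external1.mydomain.com +short'' (expect 99.99.99.99). The split horizon only works for clients that actually use your resolver: a device with a hard-coded public DNS server or DNS-over-HTTPS enabled will get the outside answers and reach home the long way round, so hand out 10.20.30.1 via DHCP and consider blocking or redirecting outbound port 53 to other resolvers at the firewall.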
- 
====== Home Server Networking setup ======

You will need at least two network connections on your home server, meaning at least two physical Ethernet cards. You could use one WiFi link, but I prefer to have the backbone wired.

You need one Ethernet connection for your internal network; I will call this **enp0s31f6** or LAN.

You need one Ethernet connection for each ISP gateway. You could get by with one interface for both, provided you assign multiple IP addresses to it, but one interface per gateway keeps the routing and firewall rules much simpler. I will call ISP1 **enp0s20f0u4u4c2** and ISP2 **enp59s0u2u4c2**. The hardware aspect of the network devices has been discussed [[selfhost:hardware|here]].

Sorry guys, these are the predictable interface names that systemd/udev derive from the bus position of each device (the USB adapters get the long ones). I know it looks messed up, but the names are stable across reboots and across adding cards, which is what matters for a router. You can list all your network devices under **/sys/class/net**.

Here is a summary of the information you will need:

  * Internal network: 10.20.30.0/24
  * ISP1 network: 192.168.0.0/24 - ISP router on 192.168.0.1
  * ISP2 network: 192.168.1.0/24 - ISP router on 192.168.1.254
  * Home server, on internal network: 10.20.30.1 (static IP) on enp0s31f6
  * Home server, on ISP1 network: 192.168.0.10 (static IP) on enp0s20f0u4u4c2
  * Home server, on ISP2 network: 192.168.1.10 (static IP) on enp59s0u2u4c2
  * Main external host: static IP 99.99.99.99
  * Secondary external host: static IP 77.77.77.77

The two external hosts should ideally be on different networks/providers, but that is not mandatory.

I chose static IPs for the home server on the ISP networks because this allows the use of SNAT instead of MASQUERADE later on: SNAT rewrites to a fixed address you specify, while MASQUERADE has to look up the outgoing interface's current address for each new connection and forgets its existing connections whenever that interface goes down. With static addresses, SNAT is the slightly faster and more predictable choice.
- 
- 
===== Gentoo Network Configuration =====

Since I am going all static on the home server, network setup is simple and straightforward. I will be using the basic Netifrc scripts from Gentoo; check [[https://wiki.gentoo.org/wiki/Netifrc|this page]] for additional details. You will **not** need NetworkManager on the home server.

If you plan to use WiFi with WPA or more complex setups (PPP or such) please refer to the [[https://wiki.gentoo.org/wiki/Handbook|Gentoo Handbook]].

Double check the actual names of your network devices under **/sys/class/net** and identify them properly, or the following will not work for you.

The first step is to populate your **/etc/conf.d/net** configuration file. Follow this example and adapt it to your needs:
<file - net>
# LAN on enp0s31f6
config_enp0s31f6="10.20.30.1/24"

# ISP1 on enp0s20f0u4u4c2
config_enp0s20f0u4u4c2="192.168.0.10/24"

# ISP2 on enp59s0u2u4c2
config_enp59s0u2u4c2="192.168.1.10/24"
</file>

Please note that I omitted any default route, so this file alone will not let you reach the internet from the home server. This is on purpose: in the next sections I will show you advanced routing techniques that conflict with a default route set at this level. If you need internet access in the meantime, add a line like the following, pointing at the ISP1 gateway:
<code>
route_enp0s20f0u4u4c2="default via 192.168.0.1"
</code>

Now create the needed symlinks and enable the interfaces at boot:
<code bash>
for i in enp0s31f6 enp0s20f0u4u4c2 enp59s0u2u4c2
do
    ln -s /etc/init.d/net.lo /etc/init.d/net.$i
    rc-update add net.$i default
done
</code>

Now you need to tell OpenRC that only **one** of these interfaces needs to be up for the **net** dependency to be satisfied. If you don't do this, every service that depends on **net** will refuse to start (or will be stopped) as soon as one of the links goes down, which defeats the purpose of having two ISPs. Edit **/etc/rc.conf** and set the following line to "NO":
<code>
rc_depend_strict="NO"
</code>

Reboot your home server and ensure all networks are up and running by pinging the ISP gateways and some internal network host.
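After the reboot, the following added script (mine, not part of the page or of Gentoo) checks the state the configuration above should produce: every interface present with carrier and its expected address, no stray default route, ''rc_depend_strict'' relaxed, and both ISP gateways answering ping. It parses the one-line output of ''ip -o''; the two SAMPLE_* strings are constructed lines in that format (invented MAC addresses), included only so the parsers can be exercised without a host. Interface names, addresses and gateways are the ones assumed on this page.

```sh
#!/bin/sh
# Added example, not from the original page or from Gentoo: verifies the state
# the netifrc configuration above should produce after a reboot. Interface names,
# addresses and gateways are the ones assumed on this page; adjust them first.
LAN_IF=enp0s31f6;        LAN_ADDR=10.20.30.1/24
ISP1_IF=enp0s20f0u4u4c2; ISP1_ADDR=192.168.0.10/24; ISP1_GW=192.168.0.1
ISP2_IF=enp59s0u2u4c2;   ISP2_ADDR=192.168.1.10/24; ISP2_GW=192.168.1.254

# Constructed sample lines in the one-line `ip -o` formats the parsers below
# expect (invented MACs, not captured from a real host); verify_host uses the
# live commands instead.
SAMPLE_ADDRS='2: enp0s31f6    inet 10.20.30.1/24 brd 10.20.30.255 scope global enp0s31f6\       valid_lft forever preferred_lft forever
3: enp0s20f0u4u4c2    inet 192.168.0.10/24 brd 192.168.0.255 scope global enp0s20f0u4u4c2\       valid_lft forever preferred_lft forever'
SAMPLE_LINKS='2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: enp0s20f0u4u4c2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# $1 = `ip -o -4 addr show` output, $2 = interface, $3 = expected address/prefix
has_addr() {
    printf '%s\n' "$1" | awk -v i="$2" -v c="$3" \
        '$2 == i && $3 == "inet" && $4 == c { f = 1 } END { exit !f }'
}

# $1 = `ip -o link show` output, $2 = interface; true only with carrier (LOWER_UP)
link_up() {
    printf '%s\n' "$1" | awk -v i="$2:" \
        '$2 == i && $3 ~ /LOWER_UP/ { f = 1 } END { exit !f }'
}

# $1 = `ip -4 route show default` output; true if any default route exists
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# $1 = path to rc.conf; prints the effective rc_depend_strict (OpenRC default is YES)
rc_depend_strict_value() {
    v=$(sed -n 's/^rc_depend_strict="\{0,1\}\([A-Za-z]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1)
    echo "${v:-YES}"
}

# Live check on the real host. Returns 1 on any mismatch.
verify_host() {
    addrs=$(ip -o -4 addr show)
    links=$(ip -o link show)
    routes=$(ip -4 route show default)
    rc=0
    for spec in "$LAN_IF $LAN_ADDR" "$ISP1_IF $ISP1_ADDR" "$ISP2_IF $ISP2_ADDR"; do
        set -- $spec
        if [ ! -e "/sys/class/net/$1" ]; then
            echo "$1: no such interface, check /sys/class/net"; rc=1; continue
        fi
        link_up "$links" "$1"       || { echo "$1: no carrier"; rc=1; }
        has_addr "$addrs" "$1" "$2" || { echo "$1: expected $2"; rc=1; }
    done
    if has_default_route "$routes"; then
        echo "note: a default route is set (fine only if you added route_* on purpose): $routes"
    fi
    if [ "$(rc_depend_strict_value /etc/rc.conf)" != NO ]; then
        echo "/etc/rc.conf: rc_depend_strict is not NO, services will stop when one link drops"; rc=1
    fi
    for gw in "$ISP1_GW" "$ISP2_GW"; do
        ping -c 1 -W 2 "$gw" >/dev/null 2>&1 || { echo "cannot ping ISP gateway $gw"; rc=1; }
    done
    return $rc
}
```

Source the file and run ''verify_host'' as root; an empty output and exit status 0 means the box is in the state the rest of this guide expects. The default-route line is reported as a note rather than an error because you may have added the temporary ''route_*'' line above on purpose.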