Your internal network is almost ready to go. You have a DNS and DHCP server setup, what you need now is to ensure that all packets going out of your home network are properly routed and modified to reach the internet. Also, even more important, that any response packet coming from the internet is properly redirected to the originator.
Brief excursus: an IP packet contains within it's source and destination address. For example if want to browse www.kde.org from my laptop (IP: 10.0.0.100) my browser will generate an IP packet with:
source: 10.0.0.100 # my IP destination: 85.10.198.55 # www.kde.org IP
Now, my packet goes to the home server (which is my laptop gateway) and needs to be sent to www.kde.org. But remember that 10.0.0.0 is a private subnet? Well, www.kde.org will not know how to send that packet back to your home network! This means that the home server will need to perform an action called Network Address Translation (NAT) and put it's IP address as source. The packet will then become (assuming ISP1 is the default gateway):
source: 192.168.0.10 # my IP destination: 85.10.198.55 # www.kde.org IP
and will need to keep track of your outgoing packet so that it can match the reply and replace the reply destination address (which will be 192.168.0.10) with the real destination address (10.0.0.100).
There are many different kind of NATs, but only two are relevant here:
SNAT is faster and more efficient, but it require a static ip on your outgoing network interface of the home server. Masquerading does not depend on a fixed IP, but since it queries the interface for it's current IP for each packet routed, it's slower and require a little bit more resources.
Since in your setup the upstream network interfaces have static IP address, i will show you SNAT.
Enabling SNAT with nft is pretty easy and can be achieved with the following commands on the server:
nft add table nat nft add chain nat postrouting { type nat hook postrouting priority 100\;} nft add rule nat postrouting oifname "enp0s20f0u4u4c2" iifname enp0s31f6 snat to 192.168.0.10
These rules:
I am showing you how to use nftables tool, which replaced iptables. Here is a nice NFT Quick Reference Table if you need it.
In order to test your home network access, you need to have a default route on your home server, In Network Configuration for the Home Router i told you not to setup a default route because i will show you how to manage it with a more dynamic approach later.
So if you followed my suggestion and you want to test home internet access now, setup a default route at runtime with the following command:
ip route add default via 192.168.0.1
to remove that rule:
ip route del default via 192.168.0.1
Let's assume you have more tha one upstream ISP to which your home network is connected to, and you want to ensure that specific destinations are routed always trough a specific ISP.
Let's assume that the remote IP 130.130.130.130 (i am writing random numbers here) sohuld go out trough your ISP n.2 instread of the ISP n.1, where the normal NAT occurs.
You can achieve that with the following nft rule:
nft add rule nat postrouting oifname "enp59s0u2u4c2" ip daddr 130.130.130.130 snat to 192.168.1.10
this rule will take any packet with destination 130.130.130.130.and apply source-nat to the ISP n.2 interface instrad of the default ISP n.1.
This is the base to ensure that traffic goes trough specific interfaces, which could be useful fo redoundancy or load balancing (static).
One last step is to enable IP forwarding, since you will need this both for containerized services and the home network. Create a new file called /etc/sysctl.d/ip_forward.conf:
net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=1
Now either reboot or manually enable:
sysctl net.ipv4.ip_forward=1 sysctl net.ipv4.conf.default.rp_filter=1
Now go to a device in your home network and test if it can access internet.
You have set-up ad-blocking DNS when i told you how to setup DNSMasq, cool. Now you discovered that many branded-devices just ignore the DNS provided by DHCP and forcefully use their own DNS servers, making your ad-blocking useless. Not cool.
Luckly, it's easy to fix. You need to add a specific rule to nft to force all traffic on port 53 to be routed to your ad-blocking DNS:
nft add chain nat prerouting { type nat hook prerouting priority 100\;} nft add rule nat prerouting iifname "enp0s31f6" udp dport 53 redirect to 53 nft add rule nat prerouting iifname "enp0s31f6" tcp dport 53 redirect to 53
The first line is needed to create the prerouting chain, since in nft chains and tables are not created by default. The second and third lines do the trick by redirecting any incoming from your LAN on port 53 to your DNS resolver, both on UDP and TCP.
You can check your rulesets with:
nft list ruleset
The easiest way to save your rules is to manually stop the service:
/etc/init.d/nftables stop
Your rules are not saved and can be reviewed into /var/lib/nftables/rules-save:
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "enp59s0u2u4c2" ip daddr 95.110.230.204 snat to 192.168.1.10
oifname "enp0s20f0u4u4c2" iifname "enp0s31f6" snat to 192.168.0.10
}
chain prerouting {
type nat hook prerouting priority 100; policy accept;
iifname "enp0s31f6" udp dport 53 redirect to :53
iifname "enp0s31f6" tcp dport 53 redirect to :53
}
}
Now, just start the service and add it to the default runlevel:
/etc/init.d/nftables start rc-update add nftables default