


Routing on the Home Server

Your internal network is almost ready to go. You have a DNS and DHCP server set up; what you need now is to make sure that every packet leaving your home network is properly routed and rewritten so that it can reach the internet, and, even more important, that every response packet coming back from the internet is delivered to the device that originated the request.

Brief excursus: an IP packet carries its source and destination address. For example, if I want to browse www.kde.org from my laptop (IP: 10.0.0.100), my browser will generate an IP packet with:
<code>
source:      10.0.0.100    # my laptop's IP
destination: 85.10.198.55  # www.kde.org IP
</code>
Now, my packet goes to the home server (which is my laptop's gateway) and needs to be sent on to www.kde.org. But remember that 10.0.0.0/8 is a private (RFC 1918) range? www.kde.org has no way to send a reply back into your home network, because those addresses are not routable on the internet. This means the home server performs Network Address Translation (NAT) and puts its own upstream address in as the source. Assuming ISP1 is the default gateway, the packet becomes:
<code>
source:      192.168.0.10  # the home server's upstream IP
destination: 85.10.198.55  # www.kde.org IP
</code>
The home server then has to keep track of the outgoing connection so that, when the reply arrives (addressed to 192.168.0.10), it can match it to that connection and rewrite the destination back to the real one (10.0.0.100).

===== Network Address Translation =====

There are many kinds of NAT, but only two are relevant here:
  * Source NAT (SNAT)
  * Masquerading

SNAT is faster and more efficient, but it requires a static IP on the outgoing network interface of the home server. Masquerading does not depend on a fixed IP, but because it has to look up the interface's current address for every connection it translates instead of using a fixed one, it is slightly slower and needs a little more resources. Since in your setup the upstream network interfaces have static IP addresses, I will show you SNAT.
Enabling SNAT with nft is pretty easy and can be achieved with the following commands on the server:
<code bash>
> nft add table nat
> nft add chain nat postrouting { type nat hook postrouting priority 100\;}
> nft add rule nat postrouting oifname "enp59s0u2u4c2" iifname "enp0s31f6" snat to 192.168.0.10
</code>
These commands:
  * create a new table called nat (in the default ip family, so it only affects IPv4)
  * create a new chain called postrouting in it, attached to the postrouting hook
  * append to that chain a rule that applies SNAT to every packet that came in on the LAN interface (iifname) and is being routed out on the WAN interface (oifname), replacing its source address with 192.168.0.10

Note that this table only translates addresses; it does not filter anything. I am showing you how to use the nftables tool, which replaced iptables. Here is a nice NFT Quick Reference Table if you need it.

===== Default route =====

In order to test your home network's internet access, you need a default route on your home server. In Network Configuration for the Home Router I told you not to set up a default route, because I will show you how to manage it with a more dynamic approach later. So if you followed my suggestion and you want to test home internet access now, set up a default route at runtime with the following command:
<code bash>
ip route add default via 192.168.0.1
</code>
To remove it again:
<code bash>
ip route del default via 192.168.0.1
</code>

===== IP Forwarding =====

One last step is to enable IP forwarding, since you will need this both for the containerized services and for the home network. Without it the kernel will not pass packets from one interface to another at all, so nothing above has any effect. Create a new file called /etc/sysctl.d/ip_forward.conf:
<file - ip_forward.conf>
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=1
</file>
Now either reboot, or apply the settings manually:
<code bash>
> sysctl net.ipv4.ip_forward=1
> sysctl net.ipv4.conf.default.rp_filter=1
</code>
The rp_filter setting (1 = strict mode) enables reverse path filtering: a packet is dropped if the route back to its source address does not point at the interface it arrived on. This stops, for example, a packet arriving from the WAN side that claims a 10.0.0.x source address. Keep in mind that the conf.default value is only a template for interfaces created after it is set; to cover interfaces that already exist, set net.ipv4.conf.all.rp_filter=1 as well. Also remember that with ip_forward=1 and only the nat table loaded, the host forwards any packet it has a route for; filtering is a separate step.

Now go to a device in your home network and test if it can access the internet.
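The address translation, default route and forwarding steps described above, walked through in a small Python model. This is an added example written for this page; it is neither the page's own commands nor kernel code. It models ip_forward, strict rp_filter, a longest-prefix routing table with a default route, and a conntrack-style SNAT table with both directions of each flow. Interface names and the addresses 10.0.0.100, 192.168.0.10 and 85.10.198.55 come from the page; the router's LAN address 10.0.0.1, the second LAN host 10.0.0.101 and all port numbers are assumptions. It shows two things the prose only implies: why the server must track connections (two LAN hosts using the same source port towards the same server need distinct translated ports, or the replies could not be told apart), and what rp_filter and a missing default route actually do to a packet.

```python
"""Toy model of what this page configures on the home server: ip_forward, strict
rp_filter, a routing table with a default route and a conntrack-style SNAT.
Added illustration only: not nftables code, not the kernel's implementation.
Interfaces and addresses are the page's; the router's LAN address 10.0.0.1,
the second LAN host 10.0.0.101 and the port numbers are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN, WAN = "enp0s31f6", "enp59s0u2u4c2"   # interface names used on the page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class Dropped(Exception):
    pass


class Router:
    def __init__(self, ip_forward=True, rp_filter=True):
        self.ip_forward, self.rp_filter = ip_forward, rp_filter
        self.ifaces = {}       # iface -> the router's own address on it
        self.routes = []       # (network, iface), longest prefix wins
        self.snat = {}         # oifname -> "snat to" address
        self.nat_fwd = {}      # original 5-tuple -> (nat_addr, nat_port)
        self.nat_rev = {}      # reply 5-tuple    -> (orig_src, orig_sport)
        self.next_port = 1024  # pool used only when the client's own port collides

    def add_route(self, network, iface, own_addr=None):
        self.routes.append((ip_network(network), iface))
        if own_addr:
            self.ifaces[iface] = own_addr

    def route_lookup(self, addr):
        hits = [(n, i) for n, i in self.routes if ip_address(addr) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def _free_port(self, pkt, nat_addr):
        """Keep the client's sport unless another LAN host already holds that
        reply tuple (same server, same dport, same sport): then remap it."""
        def taken(p):
            return (pkt.proto, pkt.dst, pkt.dport, nat_addr, p) in self.nat_rev
        if not taken(pkt.sport):
            return pkt.sport
        port = self.next_port
        while port <= 65535 and taken(port):
            port += 1
        if port > 65535:
            raise Dropped("SNAT: no free source port towards this destination")
        self.next_port = port + 1
        return port

    def forward(self, pkt, in_iface):
        """Return (out_iface, packet as it leaves); out_iface 'local' = for the router."""
        # Prerouting: for the reply half of a tracked flow, restore the LAN
        # destination before the routing decision (this is what conntrack does).
        reply = self.nat_rev.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if reply:
            pkt = replace(pkt, dst=reply[0], dport=reply[1])
        # rp_filter=1: the route back to the source must use the ingress interface.
        if self.rp_filter and self.route_lookup(pkt.src) != in_iface:
            raise Dropped(f"rp_filter: {pkt.src} is not routed via {in_iface}")
        if pkt.dst in self.ifaces.values():
            return "local", pkt
        if not self.ip_forward:
            raise Dropped("net.ipv4.ip_forward=0: host does not forward")
        out_iface = self.route_lookup(pkt.dst)
        if out_iface is None:
            raise Dropped(f"no route to {pkt.dst} (missing default route?)")
        # Postrouting: SNAT new outbound flows leaving via an interface with a rule.
        if reply is None and out_iface in self.snat:
            orig = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if orig not in self.nat_fwd:
                nat_addr = self.snat[out_iface]
                port = self._free_port(pkt, nat_addr)
                self.nat_fwd[orig] = (nat_addr, port)
                self.nat_rev[(pkt.proto, pkt.dst, pkt.dport, nat_addr, port)] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=self.nat_fwd[orig][0], sport=self.nat_fwd[orig][1])
        return out_iface, pkt


def drop_reason(router, pkt, in_iface):
    """None if the packet is passed on, else the reason it was dropped."""
    try:
        router.forward(pkt, in_iface)
    except Dropped as e:
        return str(e)
    return None


def build_router(default_route=True, **sysctl):
    r = Router(**sysctl)
    r.add_route("10.0.0.0/24", LAN, own_addr="10.0.0.1")         # LAN; 10.0.0.1 is assumed
    r.add_route("192.168.0.0/24", WAN, own_addr="192.168.0.10")  # upstream towards ISP1
    r.snat[WAN] = "192.168.0.10"         # the page's rule: flows leaving via WAN get this source
    if default_route:
        r.add_route("0.0.0.0/0", WAN)    # ip route add default via 192.168.0.1
    return r


def demo():
    """The page's scenario plus two edge cases; returns what was observed."""
    kde, out = "85.10.198.55", {}
    out["no_default_route"] = drop_reason(build_router(default_route=False),
                                          Packet("10.0.0.100", kde, 40000, 443), LAN)
    r = build_router()
    _, a = r.forward(Packet("10.0.0.100", kde, 40000, 443), LAN)  # the laptop
    _, b = r.forward(Packet("10.0.0.101", kde, 40000, 443), LAN)  # 2nd host, same sport
    out["laptop_out"] = (a.src, a.sport)    # ('192.168.0.10', 40000): sport kept
    out["second_out"] = (b.src, b.sport)    # ('192.168.0.10', 1024): sport remapped
    ifc, rep = r.forward(Packet(kde, "192.168.0.10", 443, b.sport), WAN)  # reply to host 2
    out["reply_in"] = (ifc, rep.dst, rep.dport)  # ('enp0s31f6', '10.0.0.101', 40000)
    # A WAN-side packet forging a LAN source never gets past rp_filter.
    out["spoof"] = drop_reason(r, Packet("10.0.0.50", "10.0.0.100", 1234, 22), WAN)
    return out
```

Call `demo()` to walk the scenario: the first LAN host keeps its source port after translation, the second host, which happens to use the same source port towards the same server, is remapped to a fresh port, and the reply for that remapped port is rewritten back to 10.0.0.101 and sent out on the LAN interface. `build_router(ip_forward=False)` reproduces the situation before the sysctl step, where the packet is simply not forwarded, and a WAN-side packet addressed to 192.168.0.10 that matches no tracked flow is delivered to the router itself rather than into the LAN.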


