Network Configuration for the Home Router

The network architecture i will be referring to is divided into different zones:

  • The external zone, which is internet or in general anywhere outside your home. This will be on the other side of your ISP gateway. It's considered dangerous and hic sunt leones.
  • The internal zone, which is your home network; it's considered safe and comfy. Do not let unknown strangers have the WiFi password!

There are also your ISPs' gateway networks, which i will assume are 192.168.0.0 and 192.168.1.0, which is quite typical.

You do not need to have two ISPs. It's a resilience point though: if you plan to host critical services you might want to have two. If you have only one, just ignore anything related to the second one in what follows.

Internal network

The internal network is considered a somewhat safe zone, where all your home devices (or your devices while at home) will connect. This network will be able to access all your home services and also the internet, in a safe way.

The key point for mobile devices (laptops, tablets, phones etc.) that can move between inside and outside home is to be able to access the services both when inside and outside home in the same way. This will not cover how to provide safe internet access to mobile devices while outside home, since that might require root access in some cases or the mandatory use of a VPN.

(note: a quick way for Android devices is to set dns.adguard.com as your private DNS)

I will show you how to do all this without the need for a VPN, not because i dislike using a VPN but because it's a complexity layer that applies to end-users, and this might not be acceptable for some of them (elderly parents, spouses, kids…). Moreover, i do not want mobile devices to be using the home network connection when outside for general browsing, because this adds delay and uses up the home bandwidth and data caps twice, which is not desirable.

For the internal network it is important that you choose a good subnet range. The IANA defines ranges of private subnets that you can safely use. I suggest you don't use a subnet in the 192.168.x.y range, as many of these ranges are already used by ISP routers and devices, and in case of a clash you might end up having to replace addresses on all your internal hosts, which can be a mess. A good idea is to use the 10.a.b.c ranges and choose something meaningful to you, or totally random. I will assume you are using the 10.0.0.0 subnet.
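To make the clash check above mechanical, here is an added example (not code from the original page) that tests whether a candidate internal subnet lies inside the IANA private ranges and whether it overlaps any ISP gateway subnet. The subnets used are the ones assumed on this page; the script name check_subnet.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original page: check that a candidate
# internal subnet is inside the IANA private ranges and does not overlap the
# ISP gateway subnets, which is the address clash the text warns about.

# ip2int DOTTED-QUAD -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# mask_for PREFIXLEN -> the network mask as a 32-bit integer
mask_for() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# overlaps A/p B/q -> 0 if the two subnets share at least one address, 1 otherwise
overlaps() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    # two CIDR blocks overlap exactly when they agree on the shorter prefix
    if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
    m=$(mask_for "$len")
    [ $(( $(ip2int "$a_ip") & m )) -eq $(( $(ip2int "$b_ip") & m )) ]
}

# is_private SUBNET -> 0 if it lies within one of the RFC 1918 blocks
is_private() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # overlapping a block whose prefix is no longer than ours means containment
        if [ "${1#*/}" -ge "${block#*/}" ] && overlaps "$1" "$block"; then
            return 0
        fi
    done
    return 1
}

# check_internal_subnet INTERNAL ISP_SUBNET... -> 0 if INTERNAL is private and
# clashes with none of the ISP subnets; each problem is printed on stderr
check_internal_subnet() {
    internal=$1; shift
    rc=0
    if ! is_private "$internal"; then
        echo "NOT PRIVATE: $internal is outside the IANA private ranges" >&2
        rc=1
    fi
    for isp in "$@"; do
        if overlaps "$internal" "$isp"; then
            echo "CLASH: $internal overlaps ISP network $isp" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check_subnet.sh 10.0.0.0/24 192.168.0.0/24 192.168.1.0/24
if [ $# -ge 2 ]; then
    check_internal_subnet "$@" && echo "OK: $1 does not clash with the ISP networks"
fi
```

With the page's own numbers, 10.0.0.0/24 against 192.168.0.0/24 and 192.168.1.0/24 passes, while picking 192.168.1.0/24 for the internal network is reported as a clash with ISP2.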

I will assume your home server is 10.0.0.1.

Note that your internal network must be connected only to your home server and never directly to your ISPs gateways!

External network

I will assume that your access to the external network is hidden behind CG-NAT (Carrier Grade NAT) and thus you do not have, and cannot have, a static IP visible from outside in any possible way. This is the common situation for almost everybody nowadays.

(For you lucky ones in the USA, where you can sometimes, maybe paying or even for free, get a static IP, this might not apply; but the world is big and 99% of people cannot get a static IP anymore…)

I will assume that you have two ISPs (for resilience). ISP1 is high-speed but has a monthly data cap, and its gateway is on the 192.168.0.0 subnet. ISP2 is lower-speed but has no data cap; its gateway is on the 192.168.1.0 subnet.

I also assume you have an external server, or better, two external servers for resilience and redundancy:

  • external server 1: 99.99.99.99
  • external server 2: 77.77.77.77 (only needed if you have two ISPs)

(The IPs are made up, but you need static IPs reachable from the internet.)

You can get very cheap VPSs by shopping around. You will not be running much on them, so you don't need much CPU, RAM or storage, but make sure you have decent network bandwidth, as that will determine the quality of access to your home services while outside.

Home Domain name

You need a domain name. This is not optional, because SSL certificates can be issued only to domain names and not directly to IP addresses, and also because when you are outside home, you need a name to reach home.

I will assume you own mydomain.com. There are plenty of cheapo domains and some are even free; remember you don't need a second-level domain (something third-level under .eu.org, for example, would work fine). You will need somebody to manage your DNS records (you cannot use your home server for this), and you will also need to be able to create sub-domains (like service.mydomain.com).

So, i assume you have the following sub-domains:

  • mydomain.com: your main domain
  • home.mydomain.com: your home server subdomain
  • external1.mydomain.com: a second subdomain pointing to home.mydomain.com
  • external2.mydomain.com: a third subdomain pointing to home.mydomain.com

The key point is that you will be configuring these sub-domains differently inside and outside home, so that your mobile devices will be able to reach your home server with the same sub-domains both when inside and outside home.

So, from inside home (i will show you how to set this up in the Router configuration section):

  • mydomain.com: 10.0.0.1
  • home.mydomain.com: 10.0.0.1
  • external1.mydomain.com: 99.99.99.99
  • external2.mydomain.com: 77.77.77.77

And from outside home:

  • mydomain.com: 99.99.99.99
  • home.mydomain.com: 99.99.99.99
  • external1.mydomain.com: 99.99.99.99
  • external2.mydomain.com: 77.77.77.77

(if you have only one ISP, you don't need external2.mydomain.com)

Home Server Networking setup

You will need at least two network connections on your home server. I mean at least two physical Ethernet network cards. You could use one WiFi link, but i prefer to have the backbone on wired.

You need one Ethernet connection that your internal network plugs into; i will call this enp0s31f6 or LAN.

You need one Ethernet connection for each ISP gateway, although you could do with only one for both, provided you properly assign multiple IP addresses to the same interface. I will call ISP1 enp59s0u2u4c2 and ISP2 enp0s20f0u4u4c2. The hardware aspect of the network devices has been discussed here.

Sorry guys, this is the default Linux naming scheme; i know it looks messed up, but there are good reasons for it. You can list all your network devices under /sys/class/net.

Here is a summary of the information you will need:

  • Internal network: 10.0.0.0/24
  • ISP1 network: 192.168.0.0/24 - ISP router on 192.168.0.1
  • ISP2 network: 192.168.1.0/24 - ISP router on 192.168.1.254
  • Home server, on internal network: 10.0.0.1 (static IP) on enp0s31f6
  • Home server, on ISP1 network: 192.168.0.10 (static IP) on enp59s0u2u4c2
  • Home server, on ISP2 network: 192.168.1.10 (static IP) on enp0s20f0u4u4c2
  • Main external host: static IP 99.99.99.99
  • Secondary external host: static IP 77.77.77.77

The two external servers should ideally be on different networks/providers, but that is not mandatory.

I chose to use static IPs for the home server on the ISP networks because this allows the use of SNAT instead of MASQUERADE later on, and it's faster.

Gentoo Network Configuration

Since i am going all-static on the home server, network setup is simple and straightforward. I will be using the basic Netifrc scripts from Gentoo; you should check this page for additional details. You will not need NetworkManager on the home server.

If you plan to use WiFi with WPA or more complex setups (PPP or such) please refer to the Gentoo Handbook.

You should of course double-check the actual names of your network devices under /sys/class/net and identify them properly, or the following will not work for you.

The first step is to populate your /etc/conf.d/net configuration file, follow this example and adapt to your needs:

# LAN on enp0s31f6
config_enp0s31f6="10.0.0.1/24"

# ISP1 on enp59s0u2u4c2
config_enp59s0u2u4c2="192.168.0.10/24"

# ISP2 on enp0s20f0u4u4c2
config_enp0s20f0u4u4c2="192.168.1.10/24"

Please note that i omitted any default route. With this file alone you will not be able to browse the internet from the home server. This is on purpose: in the next sections i will show you advanced routing techniques, and a default route set at this level would conflict with them. If you need proper internet access in the meantime, add a line like the following (ISP1's router is 192.168.0.1 in the summary above):

route_enp59s0u2u4c2="default via 192.168.0.1"

Now, create the needed symlinks and start the networks:

for i in enp0s31f6 enp59s0u2u4c2 enp0s20f0u4u4c2
do
    ln -s /etc/init.d/net.lo /etc/init.d/net.$i
    rc-update add net.$i default
done

Now you need to tell Gentoo that only one of these needs to be up for networking to be considered ready. If you don't do this, all your services will fail as soon as one of the interfaces goes down. Edit the file /etc/rc.conf and set the following line to “NO”:

rc_depend_strict="NO"

Reboot your home server and ensure all networks are up and running by pinging the ISP gateways and some internal network host.
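The whole procedure above (writing /etc/conf.d/net, checking the device names under /sys/class/net, creating the init symlinks and adding them to the default runlevel) lends itself to a small generator that refuses to emit a config for an interface that does not exist. The following is an added example, not the page's or Gentoo's own code: interface names and addresses are the ones assumed on this page, the script name gen_net.sh is hypothetical, and SYSFS_NET is a parameter only so the checks can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the page's own code: generate the /etc/conf.d/net
# fragment for the three static interfaces described above, and check before
# writing anything that every interface referenced by a config_<iface>= line
# actually exists under sysfs (the page's own caveat). SYSFS_NET is a
# parameter so the checks can be run against a scratch directory; the
# default is the real path.

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# netifrc_config LAN_IF ISP1_IF ISP2_IF -> prints the static Netifrc config
# (addresses as in the summary above; no default route, on purpose)
netifrc_config() {
    cat <<EOF
# LAN on $1
config_$1="10.0.0.1/24"

# ISP1 on $2
config_$2="192.168.0.10/24"

# ISP2 on $3
config_$3="192.168.1.10/24"
EOF
}

# config_ifaces FILE -> prints the interface names used in config_<iface>= lines
config_ifaces() {
    sed -n 's/^config_\([A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# check_ifaces DIR NAME... -> 0 if every NAME is a directory under DIR,
# 1 otherwise, listing the missing ones on stderr
check_ifaces() {
    dir=$1; shift
    rc=0
    for i in "$@"; do
        if [ ! -d "$dir/$i" ]; then
            echo "missing interface: $i is not under $dir" >&2
            rc=1
        fi
    done
    return $rc
}

# validate_net_file FILE DIR -> 0 if every interface configured in FILE exists
# under DIR; this catches a config_ key that matches no real device
validate_net_file() {
    check_ifaces "$2" $(config_ifaces "$1")
}

# rc_commands NAME... -> prints the init-script symlink and rc-update steps
# for each interface; pipe into sh as root once the names have been validated
rc_commands() {
    for i in "$@"; do
        echo "ln -s /etc/init.d/net.lo /etc/init.d/net.$i"
        echo "rc-update add net.$i default"
    done
}

# Usage: ./gen_net.sh enp0s31f6 enp59s0u2u4c2 enp0s20f0u4u4c2 > /etc/conf.d/net
if [ $# -eq 3 ]; then
    check_ifaces "$SYSFS_NET" "$@" && netifrc_config "$@"
fi
```

Running validate_net_file against an existing /etc/conf.d/net is a quick way to catch a mistyped interface name before rebooting; with the three names of this page on a box where they are present it returns 0, and a key such as config_enp0s20f0u5u3 that matches no device is reported.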