by the_angry_angel 2043 days ago
Routing domains, or VRFs, are probably easiest to think of like VLANs, but one layer up.

The two typical scenarios are:

1. You want to use the same IP space multiple times across different networks (i.e. multi-tenant)

2. You have a bunch of different networks that you really never want to ever be able to talk to each other (you can allow it through routes, etc., but by default this does not happen). Although you can achieve this with VLANs and ACLs, on a single routing table, rules can become a real pain in the ass to manage very quickly.

You could use this for stuff like guest or IoT networks.
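As an added illustration, not part of the comment above, here is how the two scenarios look on OpenBSD, where an rdomain is assigned per interface in hostname.if(5) and pf.conf(5) can match on it. Interface names, addresses and routing-domain numbers are assumptions.

```conf
# /etc/hostname.em1 -- guest network in routing domain 1 (assumed names/addresses)
# "rdomain" must come before the address line so the interface is moved first
rdomain 1
inet 10.0.0.1 255.255.255.0

# /etc/hostname.em2 -- IoT network in routing domain 2
# Scenario 1: the SAME prefix as the guest network. This is fine because each
# rdomain has its own routing table, so the two never collide.
rdomain 2
inet 10.0.0.1 255.255.255.0

# em0 stays in the default routing domain 0 and carries the uplink.
# Scenario 2: rdomains 1 and 2 have no route to each other at all; there is
# nothing to deny, the isolation is the default until you add a route or a rule.

# /etc/pf.conf (fragment)
# The ruleset is shared across rdomains, so match on "rdomain" to tell the two
# 10.0.0.0/24 networks apart instead of piling up per-interface ACLs.
guest_if = "em1"
iot_if   = "em2"
block all
# IoT devices may only talk to the router itself (DHCP, DNS, logging)
pass in on $iot_if rdomain 2 from $iot_if:network to $iot_if
# Guests may reach the internet: "rtable 0" does the route lookup in the
# default table, which is how pf hands packets from one rdomain to another
pass in on $guest_if rdomain 1 from $guest_if:network to ! $guest_if:network rtable 0
match out on egress from 10.0.0.0/24 nat-to (egress)
pass out on egress

# Inspecting each domain from a shell, selecting the table explicitly:
#   route -T 1 show                        # guest routing table only
#   route -T 2 show                        # IoT routing table only
#   ping -V 2 10.0.0.50                    # reach a host via rdomain 2
#   route -T 1 exec nc -z example.com 443  # run a tool inside rdomain 1
```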


Thanks for the great intro. I do segregate my network using VLANs now to isolate things like my printer, which I don't trust, and also my guest network. I also isolate my wife's devices as I don't generally trust Windows being behind my firewall either.

I'm currently wrangling with a good solution for selectively routing certain traffic via one of multiple VPN connections I have on my router.

I'll look into rdomains to see if this may help my situation if not only to make it more simple.

I used to do this with pfSense to route all traffic from a specific internal IP over a VPN. If I remember rightly I set up multiple VPN connections (across multiple geographic locations) and set up a way to link them all together as a logical interface (I think it was called a gateway). I then pushed out that gateway's IP to the server over DHCP. I guess routing tables would have also worked. I assume all of this is possible with just pf.

These days, I have removed this functionality from my router and moved it directly onto the server. I run the container haugene/transmission-openvpn, which creates and maintains a VPN for transmission but also has a proxy I can direct other containers to use. This has the benefit of keeping more of the prerequisites of these servers managed in the same docker compose file. It bakes in most of the popular public VPN configs, so you can enable them with a few ENV vars.