Development discussion of WireGuard
From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: wg trunk (TM) traffic isolation: VRF vs netns
Date: Wed, 23 Dec 2020 14:55:46 +0100
Message-ID: <64d48aca-7de5-e303-fbd3-c91707920c83@urlichs.de>
In-Reply-To: <20201220192149.bojbghrxm6g3yq7q@p51>



Hello,
> thoughts?
>
> - jrun

When in doubt, do both.

I am running my home router as a couple of netns domains on one of the 
less-overworked servers in the basement, facilitated by a couple of 
"dumb" scripts that set it all up.

My setup: create a netns instance, move the machine's main interface 
into it, set up VLANs and bridges in there, and then add a veth interface 
to one of the bridges whose other end is moved back to the root namespace.

Bonus points, the router instance doesn't have any services (thus only 
needs FORWARD firewall rules) and can run on basically any local system 
with enough bandwidth. Just add VLANs to its interface on the switch.

Within that router netns I have separate VRFs for "sensitive" and 
"guest" traffic, mainly to simplify firewall rules and routing tables.

-- 
-- Matthias Urlichs
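The netns/VLAN/bridge/veth/VRF layout sketched in the message, written out as an added example (not the author's own scripts). Names are assumptions: namespace "router", uplink eth0, VLAN 10 for "sensitive" and VLAN 20 for "guest", and the veth end veth-rt attached to the sensitive bridge; DRY_RUN=1 prints the ip(8) commands instead of running them, which otherwise need root.

```sh
#!/bin/sh
# Added example, not the author's script: a minimal version of the netns
# router setup described above. Assumed names: namespace "router", uplink
# eth0, VLAN 10 = sensitive, VLAN 20 = guest, veth pair veth-rt/veth-root
# with veth-rt on the sensitive bridge. Needs root to apply; DRY_RUN=1 prints
# the ip(8) commands instead of running them.
set -eu

NS=${NS:-router}
PHYS=${PHYS:-eth0}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it in dry-run mode.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Execute a command inside the router namespace.
ns() { run ip netns exec "$NS" "$@"; }

setup_router_ns() {
    # 1. Create the namespace and move the machine's main interface into it.
    run ip netns add "$NS"
    run ip link set "$PHYS" netns "$NS"
    ns ip link set "$PHYS" up

    # 2. One VRF per traffic class, each bound to its own routing table,
    #    so FORWARD rules and routes for sensitive and guest stay separate.
    for pair in "10 sensitive" "20 guest"; do
        set -- $pair; vid=$1; name=$2
        ns ip link add "vrf-$name" type vrf table "$vid"
        ns ip link set "vrf-$name" up
        # 3. VLAN on the uplink, bridged, with the bridge enslaved to the VRF.
        ns ip link add link "$PHYS" name "$PHYS.$vid" type vlan id "$vid"
        ns ip link add "br-$name" type bridge
        ns ip link set "br-$name" master "vrf-$name"
        ns ip link set "$PHYS.$vid" master "br-$name"
        ns ip link set "$PHYS.$vid" up
        ns ip link set "br-$name" up
    done

    # 4. veth pair: one end on the sensitive bridge, the other moved back to
    #    the root namespace (pid 1's netns) so the host itself stays reachable.
    ns ip link add veth-rt type veth peer name veth-root
    ns ip link set veth-rt master br-sensitive
    ns ip link set veth-rt up
    ns ip link set veth-root netns 1
    run ip link set veth-root up
}

# Usage: DRY_RUN=1 sh router-ns.sh apply   (preview)
#        sudo sh router-ns.sh apply        (configure)
if [ "${1:-}" = apply ]; then setup_router_ns; fi
```

The root namespace ends up with only veth-root, so the host's own services are reachable solely through the sensitive bridge, and the guest VRF never sees them.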



