wg trunk (TM) traffic isolation: VRF vs netns
Matthias Urlichs
matthias at urlichs.de
Wed Dec 23 14:55:46 CET 2020
Hello,
> thoughts?
>
> - jrun
When in doubt, do both.
I am running my home router as a couple of netns domains on one of the
less-overworked servers in the basement, facilitated by a couple of
"dumb" scripts that set it all up.
My setup: create a netns instance, move the machine's main interface
into it, setup VLANs and bridges in there, and then add a veth interface
to one of the bridges whose other end is moved back to the root namespace.
Bonus points, the router instance doesn't have any services (thus only
needs FORWARD firewall rules) and can run on basically any local system
with enough bandwidth. Just add VLANs to its interface on the switch.
Within that router netns I have separate VRFs for "sensitive" and
"guest" traffic, mainly to simplify firewall rules and routing tables.
--
-- Matthias Urlichs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20201223/5c5ea83a/attachment.asc>
More information about the WireGuard
mailing list