
cross-posted from: https://lemmy.ml/post/15968883

Hello everyone ! Nobody seems to have an answer on !networking@sh.itjust.works (or maybe they are not interested because it's an enterprise network community?) and !homenetworking@selfhosted.forum seems dead?

Anyway, if anyone could guide me or point me in the right direction, I would really appreciate it !


TL;DR

What is encapsulated into the frame that makes everyone understand: "OHHH that’s for 10.0.0.8, your docker container on bridge network br-b1de on the veth2b interface !!! "


Hi everyone !

I'm scratching my head trying to find an actual answer on how virtual networking in docker actually works (mostly at the packet/frame level), or some good documentation to improve my understanding of how everything fits together.

Because I'm probably lacking the correct network terminology, I made a simple network topology of my network. Don't hesitate to correct any network mistake.

In my scenario, my docker container with the virtual interface veth2b22c98 and the following IP (10.0.0.8) connects to bridge network br-b1de95b5ea89. When I curl lemmy.ml from my container, the packets/frames are sent to my enp4s0 and go through my wireguard tunnel to my VPN provider, which sends back the packet/frame/handshake...

I probed every interface with tcpdump (enp4s0, wg0, br-b1, veth2b):

  • enp4s0: Every packet/frame is encapsulated in the wireguard protocol with my physical interface's IP (192.168.1.30), no DNS is visible on that interface (as expected), and it is sent out to my ISP's public IP.

  • wg0: Shows every packet/frame with the actual protocol, with my wireguard interface's IP (192.168.2.1) and the destination IP of lemmy.ml (Dst: 54.36.178.108)

  • br-b1: Shows every packet/frame with the actual protocol, with my container's IP (10.0.0.8) and the destination IP of lemmy.ml (Dst: 54.36.178.108)


I know there is a mix of 2 different concepts in my scenario (wireguard tunnel and virtual networking), but I really do not understand how the frame gets back to my docker container. When I look at the frames on wg0, there is no mention of either the MAC address of my container or the actual IP of my container.

How/when/what exactly is happening to my frame so that it gets to the correct target between my physical interface, virtual interface and bridge? I mean, with VLANs there's a VLAN tag on the frame, so you can easily identify with Wireshark where it should go. But here, I cannot find any clue as to who or what is doing the magic so the frame finds its way back to my docker container.

What is encapsulated into the frame that makes everyone understand: "OHHH that's for 10.0.0.8, your docker container on bridge network br-b1de on the veth2b interface !!! "


Sorry for my broken English and lack of networking terminology, and thank you to those who bore with me and are willing to give me some hints/a proper networking lesson.
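The question above is about what in the reply frame names the container. The short answer is: nothing. The reply is steered by state the host already holds, in this order: the conntrack entry created when the container's outgoing packet was masqueraded, the host routing table, the bridge's ARP (neighbour) cache, and the bridge forwarding database. The following model is an added illustration and is not code from the original post or from Docker. The interface names and IP addresses are the ones in the post; the MAC address, the port numbers and the conntrack entry are constructed.

```python
"""Model of the four host-side lookups that return a reply to a Docker
container behind a masquerading host. Added illustration, not Docker's code.
Interface names and IPs come from the post; MAC and ports are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    egress: Optional[str] = None                   # bridge port the frame ends on
    path: List[str] = field(default_factory=list)  # lookups recorded on the way


# 1. conntrack: created when the container's first packet was MASQUERADEd on
#    its way out via wg0 (Docker installs "-s 10.0.0.0/24 ! -o br-... -j MASQUERADE").
#    Keyed by the reply tuple as it appears on wg0; value is the original socket.
CONNTRACK = {
    ("54.36.178.108", 443, "192.168.2.1", 40123): ("10.0.0.8", 51234),
}

# 2. main routing table, as 'ip route' shows it on the host
ROUTES = [
    ("0.0.0.0/0", "wg0"),                # default through the VPN tunnel
    ("10.0.0.0/24", "br-b1de95b5ea89"),  # the Docker bridge network
    ("192.168.1.0/24", "enp4s0"),
]

# 3. neighbour (ARP) cache of the bridge: container IP -> MAC (constructed MAC)
NEIGH = {"10.0.0.8": "02:42:0a:00:00:08"}

# 4. bridge forwarding database, learned from frames the container sent earlier
FDB = {"02:42:0a:00:00:08": "veth2b22c98"}


def route_lookup(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, dev)
            for p, dev in routes if ip in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None


def deliver_reply(pkt: Packet) -> Packet:
    """Walk a decrypted reply, as seen on wg0, through the host to a bridge port."""
    # Step 1: reverse NAT. conntrack matches the reply tuple and rewrites dst.
    orig = CONNTRACK.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        pkt.path.append("conntrack: no entry, packet stays addressed to the host")
        return pkt
    pkt.dst, pkt.dport = orig
    pkt.path.append(f"conntrack: dst rewritten to {pkt.dst}:{pkt.dport}")

    # Step 2: routing on the rewritten destination selects the bridge interface.
    dev = route_lookup(pkt.dst)
    pkt.path.append(f"route: {pkt.dst} dev {dev}")
    if dev is None or not dev.startswith("br-"):
        return pkt

    # Step 3: the neighbour cache supplies the destination MAC for the frame.
    mac = NEIGH.get(pkt.dst)
    if mac is None:
        pkt.path.append(f"neigh: {pkt.dst} unknown, host would ARP on {dev} first")
        return pkt
    pkt.path.append(f"neigh: {pkt.dst} lladdr {mac}")

    # Step 4: the bridge FDB maps that MAC to the veth port it was learned on.
    pkt.egress = FDB.get(mac)
    pkt.path.append(f"fdb: {mac} dev {pkt.egress}" if pkt.egress
                    else f"fdb: {mac} unknown, bridge floods every port")
    return pkt


if __name__ == "__main__":
    reply = Packet(src="54.36.178.108", dst="192.168.2.1", sport=443, dport=40123)
    for step in deliver_reply(reply).path:
        print(step)
```

On a real host the same four tables can be read with conntrack -L, ip route get 10.0.0.8, ip neigh show dev br-b1de95b5ea89 and bridge fdb show br br-b1de95b5ea89; the tcpdump on wg0 only ever shows the post-NAT tuple (192.168.2.1), which is exactly why the container never appears there.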


With this growth in cloud computing, three key players—AWS, Azure, and GCP—have emerged, each with its own cloud terminology to describe the features, functionality, and tools of cloud infrastructure.

And that terminology becomes even more complicated when you’re dealing with more than one cloud provider. For example, AWS terminology refers to a data warehouse as “Redshift,” GCP uses the term “BigQuery,” and Azure terminology calls it “SQL data warehouse.”

submitted 6 months ago by HakFoo to c/networking@programming.dev

I've been prepping my home network for the promise of "fibre coming soon" in my city.

That meant wrapping the house in Cat6A like a giant arachnid nest, and having a couple desktops with 2.5GbE on board, but I'm not sure what to do about the routing setup. I have three Ethernet runs to "30cm from the ISP equipment" now.

For gigabit in this scenario, the turnkey solution is any random Wi-Fi/router/firewall box which has 1Gb WAN and four 1Gb LAN ports. But where do you go when you start wanting 2.5GbE?

It seems like the "Wifi/Router/firewall" boxes with 2.5GbE ports are quite spendy, especially if you want more than one LAN port. I know a lot of this cost is because they tend to be the latest-and-greatest in terms of Wi-Fi, with 82 antennae, but that's only a secondary consideration for me with the heavy users on wires. Hell, my smartphone only supports the 2.4GHz band!

It seems like other options include:

  • 2-box solution: A slightly cheaper Wifi-Router with 2.5GbE WAN and one LAN port and using a cheap unmanaged 2.5 switch to provide the desired port count.
  • 3-box solution: Said cheap unmanaged switch, plus a wired-centric router, and use the old Wifi/Router as an access point only

I'm sort of not thrilled about the two or three-box solutions as they have poor "wife acceptance factor" as they say. A bunch of random boxes that inevitably won't stack neatly and have three big ugly wall warts. Is there some magic product that would fit my needs perfectly I'm missing?


I want to create a simple web service that'll manage WireGuard VPN servers of mine in different locations. It'll work like this: whenever I try to access a site from a certain, pre-defined list, a web service (a) or a local custom-modified VPN client (b) will switch me to a VPN server in a certain location. When I go back to another, normal website, it'll switch me back to the last VPN server.

How would I go about this? Would it be implemented on the server side (a), as a web service? Or on the client side (b), by a custom VPN client which I'd have to modify to incorporate this functionality?

submitted 7 months ago* (last edited 7 months ago) by activistPnk@slrpnk.net to c/networking@programming.dev

cross-posted from: https://slrpnk.net/post/4975009

Are there any Debian apps that will track bandwidth consumption on a per-app basis, and ideally website-specific when a browser with sandboxing has multiple tabs?

These tools are vaguely described as being able to monitor network traffic:

iftop, nload, nethogs, vnstat, bmon, iperf, netperf, iptraf, cbm, zabbix, nagios, cacti, darkstat, sarg, monitorx, etherape

I’ve tried iftop, nload, vnstat, & bmon. Some of those just show realtime stats (bytes per second) and some are per net interface, not per app. I need to know the total bandwidth used on a per-process basis so that if a website is streaming or buffering something heavy like video I can react. Since browsers tend to have sandboxing, I think there is a separate process per website. So if a website is a pig I need stats on it.

Ultimately I’m on a limited connection and it’s a mystery what is hogging my bandwidth allowance. I prefer light non-graphical apps but I guess I can’t be too fussy at this point.

submitted 9 months ago* (last edited 9 months ago) by railsdev@programming.dev to c/networking@programming.dev

I am attempting to configure a VPS running Alpine Linux 3.18.4 to do a few things:

Accept incoming traffic on WireGuard interface wg0, from there:

  1. Allow peer-to-peer communication in the 10.7.2.0/24 subnet
  2. Provide a default route (Internet) through the WireGuard client on wg1 (NOT eth0)

So far WireGuard works on both interfaces. If I ip route add 1.1.1.1 dev wg0 I can ping -I wg1 1.1.1.1. For wg0 I can ping the server from the client.

The problem is setting up SNAT/NAT/routing. I've been banging my head against a wall trying to figure this stuff out, and everything I read online seems tailored to the "I just want WireGuard clients to use the VPS' internet connection on eth0 directly" mentality. I've even been chatting in circles with ChatGPT and getting nowhere.

Below are my configuration files, but I'll leave out routing tables, rules, etc. because at this point I'll probably blow away the entire VPS and restore just the files I have here:

/etc/network/interfaces (just wg0, wg1):

auto wg0
iface wg0 inet static
    address 10.2.7.1/24
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.2.7.0/24 dev wg0
    post-up iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE
    post-down ip link delete wg0
    post-down iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE

auto wg1
iface wg1 inet static
    address 172.30.66.233/32
    pre-up ip link add dev wg1 type wireguard
    pre-up wg setconf wg1 /etc/wireguard/wg1.conf
    post-down ip link delete wg1

iface wg1 inet6 static
    address fd00:4956:504e:ffff::ac1e:42e9/128
    pre-up ip -6 addr add fd00:4956:504e:ffff::ac1e:42e9/128 dev wg1
    post-down ip -6 addr del fd00:4956:504e:ffff::ac1e:42e9/128 dev wg1

I have Address commented out in the files below because Alpine Linux doesn't like them.

/etc/wireguard/wg0.conf:

[Interface]
# Address = 10.2.7.1/24
ListenPort = 51820
PrivateKey = [REDACTED]

[Peer]
PublicKey = [REDACTED]
AllowedIPs = 10.2.7.0/24,0.0.0.0/0,::0/0

/etc/wireguard/wg1.conf:

[Interface]
# Address = 172.30.X.X/32
PrivateKey = [REDACTED]

[Peer]
PublicKey = [REDACTED]
AllowedIPs = 10.2.7.0/24,0.0.0.0/0
Endpoint = [REDACTED]:[REDACTED]
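The configuration above has a MASQUERADE rule for wg1 but nothing that makes packets from wg0 choose wg1 as their output interface: routing decides the output interface first, NAT only rewrites the source afterwards, and the main table's default route still points at eth0. The usual fix is policy routing: an ip rule that sends packets arriving on wg0 to a separate table whose default route is wg1. The following model is an added illustration of that decision order and is not the poster's configuration. wg0, wg1, eth0, 10.2.7.0/24 and 172.30.66.233 are from the post; the table number 100, the eth0 address 203.0.113.10 and the destination addresses are constructed.

```python
"""Model of Linux policy routing plus MASQUERADE for the VPS in the post:
packets arriving on wg0 leave through wg1, the VPS's own packets keep eth0.
Added illustration, not the poster's configuration. Table 100, the eth0
address and the remote addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    iif: Optional[str]   # interface it arrived on; None = generated by the VPS


# 'ip rule' entries, consulted in order; the first match picks a routing table.
# Equivalent command:  ip rule add iif wg0 lookup 100
POLICY_RULES: List[Tuple[str, object]] = [("wg0", 100)]
DEFAULT_TABLE = "main"   # the implicit lowest-priority rule points here

# Routing tables. Table 100 is what the post's setup is missing:
#   ip route add default dev wg1 table 100
#   ip route add 10.2.7.0/24 dev wg0 table 100
TABLES = {
    100: [("0.0.0.0/0", "wg1"), ("10.2.7.0/24", "wg0")],
    "main": [("0.0.0.0/0", "eth0"), ("203.0.113.0/24", "eth0"), ("10.2.7.0/24", "wg0")],
}

# iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE: rewrite the source to the
# output interface's address, but only when the output interface is wg1.
MASQUERADE_ON = {"wg1": "172.30.66.233"}

# iptables -A FORWARD -i wg0 -j ACCEPT; a DROP default policy is assumed here.
FORWARD_ACCEPT_IIF = {"wg0"}


def route_lookup(dst: str, routes) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, dev)
            for p, dev in routes if ip in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None


def select_table(pkt: Packet, rules=POLICY_RULES):
    """Policy routing: the first rule whose iif matches selects the table."""
    for iif, table in rules:
        if pkt.iif == iif:
            return table
    return DEFAULT_TABLE


def forward(pkt: Packet, rules=POLICY_RULES) -> Tuple[Optional[str], str]:
    """Return (output interface, source address after NAT); None = dropped."""
    # Forwarded packets must pass the FORWARD chain; locally generated ones skip it.
    if pkt.iif is not None and pkt.iif not in FORWARD_ACCEPT_IIF:
        return None, pkt.src
    # 1. routing decision, per the table the ip rules selected
    oif = route_lookup(pkt.dst, TABLES[select_table(pkt, rules)])
    if oif is None:
        return None, pkt.src
    # 2. POSTROUTING NAT, keyed on the output interface chosen in step 1
    return oif, MASQUERADE_ON.get(oif, pkt.src)


if __name__ == "__main__":
    client = Packet(src="10.2.7.5", dst="1.1.1.1", iif="wg0")
    print("with ip rule   :", forward(client))
    print("without ip rule:", forward(client, rules=[]))
    print("VPS itself     :", forward(Packet("203.0.113.10", "1.1.1.1", None)))
```

Without the rule the model shows the post's symptom: a wg0 client's packet follows the main table out of eth0 with its private 10.2.7.x source intact, and the wg1 MASQUERADE never fires. With the rule, the VPS's own traffic (including the handshake to the wg1 peer's Endpoint) still uses main and eth0, which is required, since wg1's encrypted packets must not be routed back into wg1. The equivalent post-up lines for /etc/network/interfaces would be the three ip commands quoted in the comments; wg setconf itself installs no routes.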
submitted 9 months ago* (last edited 9 months ago) by WozenfeldDistrict@discuss.tchncs.de to c/networking@programming.dev

As the title alludes, I have two devices that I would like to connect to my LAN (a TC - wired; and a phone - wireless), but I would want them to be connected to a separate subnet, so they wouldn't communicate with the rest of my LAN.

Currently I have those two wirelessly connected via my router through a guest network, which automatically assigns them on a different subnet, but the router (provided by my ISP) is pretty crap, and the wifi networks either drop, or have bandwidth issues quite frequently. Unfortunately, due to the router not being the best, it doesn't allow me to assign IPs for those two devices that are outside the LAN subnet.

I would like to be able to connect the TC via ethernet instead, to guarantee the best connection, and perhaps link the phone with a separate wifi network, or perhaps just use data connection, thus taking it out of the LAN completely.

To achieve this I was thinking of getting a second router (second hand perhaps), flash OpenWRT on it, and use it to connect just those two devices.

Another option I've heard of would be to use a managed switch which allows me to set it up to connect devices on another IP class.

Could anyone let me know what would be the best and affordable option for this purpose?

Thank you in advance!


I have a VM for which I have a specific whitelist-only firewall. It is supposed to only allow connections to the IPs an app connects to when syncing.

I first got the sync server IPs by listening with tcpdump, then when I had the IPs I activated the whitelist.

This worked perfectly for some time, but now it appears that the IPs have changed. I could do the same thing again, but repeating the process regularly is annoying and defeats the whole purpose of only ever allowing network connections to specific whitelisted servers.

Alternatively, I could set up a process to only allow network traffic from that app somehow.

Using debian-11 btw.

Any help is appreciated !!!


My current setup is in two rooms. These rooms are connected via a TL-SG108E switch in one room (Room A) and a SG300-10 switch in the other (Room B). I have two WANs, one in each room. The primary WAN (fiber) is in Room A. The pfSense is in Room B. I have two VLANs set up, one for WAN and one for LAN. There are LAN devices in both rooms. The traffic is tagged so that the WAN traffic goes only to the pfSense and any LAN traffic is then separated as well, but using the same connection between the switches. All connections are 1 Gbps except for a few individual devices that don't support it that are irrelevant to this issue.

I have an OpenVPN interface set up in pfSense over WAN B. A device in Room A uses this connection exclusively via pfSense rules that force traffic from that device IP to use the VPN gateway and blocks when the gateway is down. Even though I've limited the bandwidth to 10 Mbps and connections to 1000, and WAN A is 1 Gbps and WAN B is 450 Mbps, whenever the VPN connection is being used it negatively affects my normal WAN A traffic.

I don't know for sure but I'm guessing this is some kind of issue with the connection between the two switches. Are there any settings or configuration changes I can make to alleviate the strain or prioritize my normal LAN traffic to make the VPN secondary? Would another physical setup work better? I was considering potentially moving the pfSense box to Room A, but my primary device is in Room B as well. If there's any more information that might be useful please ask.


Relevant enough, the author also references recent developments around ActivityPub, the Fediverse, and Lemmy:

As we discussed last year, there are real signs of life for the decentralization of social media thanks to the emergence of ActivityPub and the Fediverse. Just as I was putting finishing touches on my slide deck, there was yet another meltdown in the world of centralized platforms, with the CEO of Reddit deciding that sudden changes to API pricing – to the point that lots of third-party applications become economically unsustainable – was such a good idea at Twitter that he would bring the same approach to Reddit.

The response from volunteer moderators at Reddit – the unpaid community members who make the platform valuable to users – has been swift and, in some cases, hilarious. But the aspect of this story that really caught my eye was the rapid rise of ActivityPub-powered Reddit alternatives Kbin and Lemmy.


A cloud-native network function or CNF is defined as a software service that fulfills network functionalities while adhering to cloud-native design principles without requiring any hardware or appliance to house it. This article explains the architecture and working of a cloud-native network function. It also provides examples of commonly-used CNFs.

submitted 1 year ago* (last edited 1 year ago) by RandomDevOpsDude@programming.dev to c/networking@programming.dev

The domain name system (DNS) is a naming database in which internet domain names are located and translated into Internet Protocol (IP) addresses. The domain name system maps the name people use to locate a website to the IP address that a computer uses to locate that website.


A content delivery network (CDN) is a geographically distributed group of servers that caches content close to end users. A CDN allows for the quick transfer of assets needed for loading Internet content, including HTML pages, JavaScript files, stylesheets, images, and videos...

Networking


This is a community dedicated to all types of computer networking (physical/virtual/cloud/etc.)

Computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are made up of telecommunication network technologies based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.

founded 1 year ago