mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
Currently, the docker-compose setup does not reflect real-world deployments very well because most components share the same subnet. In reality, Clients, Gateways, Relays and the backend all sit in separate subnets, connected through multiple routers on the Internet, and the current setup makes it hard to properly test relayed connections. To fix this, we move each component into its own subnet behind a dedicated router container that performs source and destination NAT and also acts as a firewall, so that no unsolicited inbound traffic reaches the Client and Gateway containers. This setup will allow us to more easily test #10286, which requires port randomization for outgoing traffic on the Client and Gateway side.
Router
This container acts as a simple router, like those found on the public Internet. By default, no inbound traffic is allowed, except for:
- responses of previously outgoing connections
- explicit port forwarding
The router uses nftables to enforce these rules.
We also make several assumptions about the docker-compose setup that we are running in:
- The network interface between the router and the containers behind it must be called `internal`
- The public network interface on the other side must be called `internet`
- IPv4 and IPv6 must be available on both interfaces
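As an added example (not the router container's own entrypoint from the Firezone repository), the script below renders an nftables ruleset that implements the rules above (default-deny inbound, accept replies to outgoing connections, explicit port forwards via DNAT, source NAT with randomised ports) and checks the docker-compose assumptions: both interfaces exist, IPv6 is enabled on them, and forwarding is turned on. The function names, the `ROUTER_APPLY` variable and the `PROTO/PUBLIC_PORT/INTERNAL_ADDR/INTERNAL_PORT` syntax for port forwards are this example's own conventions, not anything the repository defines.

```shell
#!/bin/sh
# Added example, not the Firezone router entrypoint: renders the nftables ruleset
# for the router container described above and checks the docker-compose
# assumptions (interface names, IPv4/IPv6, forwarding). Port forwards are given as
# PROTO/PUBLIC_PORT/INTERNAL_ADDR/INTERNAL_PORT (format chosen for this example),
# e.g. tcp/8080/10.0.1.5/80 or udp/5000/fd00:1::5/5000.

INTERNAL_IF="${INTERNAL_IF:-internal}"   # towards the Client/Gateway subnet
INTERNET_IF="${INTERNET_IF:-internet}"   # towards the simulated public Internet

# Fail unless the interface exists and has IPv6 enabled.
check_interface() {
    iface=$1
    [ -d "/sys/class/net/$iface" ] || { echo "missing interface: $iface" >&2; return 1; }
    v6="/proc/sys/net/ipv6/conf/$iface/disable_ipv6"
    [ -r "$v6" ] && [ "$(cat "$v6")" = 0 ] || { echo "IPv6 disabled on $iface" >&2; return 1; }
}

# The container only routes if forwarding is enabled for both address families
# (in docker-compose: sysctls net.ipv4.ip_forward=1, net.ipv6.conf.all.forwarding=1).
check_assumptions() {
    check_interface "$INTERNAL_IF" && check_interface "$INTERNET_IF" || return 1
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || { echo "IPv4 forwarding off" >&2; return 1; }
    [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding 2>/dev/null)" = 1 ] || { echo "IPv6 forwarding off" >&2; return 1; }
}

# One DNAT rule per forward; IPv6 targets need the ip6 keyword and brackets.
render_forward() {
    proto=${1%%/*}; rest=${1#*/}
    pub=${rest%%/*};  rest=${rest#*/}
    addr=${rest%%/*}; port=${rest#*/}
    case "$addr" in
        *:*) fam=ip6; target="[$addr]:$port" ;;
        *)   fam=ip;  target="$addr:$port" ;;
    esac
    printf '        iifname "%s" %s dport %s dnat %s to %s\n' \
        "$INTERNET_IF" "$proto" "$pub" "$fam" "$target"
}

# Emit the whole ruleset to stdout so it can be reviewed or piped into `nft -f -`.
render_ruleset() {
    cat <<EOF
flush ruleset
table inet router {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept   # PMTUD and neighbour discovery
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept                     # replies to outgoing connections
        iifname "$INTERNAL_IF" oifname "$INTERNET_IF" accept    # internal side may initiate
        iifname "$INTERNET_IF" ct status dnat accept            # only explicit forwards come in
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
EOF
    for fwd in "$@"; do render_forward "$fwd"; done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$INTERNET_IF" masquerade random   # SNAT with unpredictable public source ports
    }
}
EOF
}

main() {
    check_assumptions || exit 1
    render_ruleset "$@"
}

# Usage inside the router container (needs CAP_NET_ADMIN):
#   ROUTER_APPLY=1 sh router-nft.sh tcp/8080/10.0.1.5/80 | nft -f -
if [ "${ROUTER_APPLY:-0}" = 1 ]; then main "$@"; fi
```

The `forward` chain is where the "no inbound traffic" property lives: with `policy drop`, a packet from `internet` only crosses to `internal` if conntrack already knows the flow (`established,related`) or if a DNAT rule in `prerouting` rewrote it (`ct status dnat`), so an extra forward never silently opens the subnet. The `random` flag on `masquerade` makes the router pick public source ports the way a real NAT does rather than preserving the container's port, which is the behaviour a relayed-connection test has to cope with.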