Add option to use SNAT instead of Masquerading by antoncuranz · Pull Request #41 · angelnu/pod-gateway · GitHub

Add option to use SNAT instead of Masquerading #41


Merged
merged 1 commit into from
Dec 3, 2023


antoncuranz

Description of the change

I introduced a new variable SNAT_IP. If set to a source IP, the outbound NAT will be configured to use SNAT instead of masquerading.

Can be tested with port-checker as described in the gluetun-wiki. This verifies that the port-forwarding works and responds with the incoming IP address.

Benefits

  • The IP addresses of incoming requests are displayed correctly (currently the gateway IP is shown).
  • This seems to improve torrent performance/connectability with incoming peers.

Possible drawbacks

None, as SNAT will only be used if explicitly configured.

Applicable issues

Additional information

I don't know why SNAT seems to have a positive impact on p2p performance. Maybe someone else has some insights?

@angelnu angelnu merged commit 2d1432f into angelnu:main Dec 3, 2023
@Ruakij
Ruakij commented Jun 13, 2024

Hey, I don't understand why a blanket masquerade is used instead of a more refined one towards the VPN/Outgoing-Interface (or at least NOT masquerading towards the local vxlan network)?

That way outgoing traffic gets masqueraded, but incoming ones keep their source. This should work perfectly fine?
It's kind of an expectation of forwarded traffic to be routed as-is with only DNAT being applied. (at least for me)

I think we should have an option to either:

  • MASQ everything but towards local interface (new default)
    • Alternatively: MASQ only towards VPN-Interface (should be what most VPN programs either already do or expect)
  • MASQ all (the current state)
  • No MASQ (plus option for manual rules)

@angelnu
Owner
angelnu commented Jun 13, 2024

Masquerading everything is a safe default because it can also help when the internal k8s network overlaps with the VPN network.

This being said, I see the value of adding options as you propose. So if you are able to raise a PR we can add it.
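
The NAT modes discussed in this thread, written out as the iptables rule each one would install (an added example, not pod-gateway's own script; it prints the rules rather than applying them). `SNAT_IP` comes from the PR; the mode names, the interface names `tun0` and `vxlan0`, the sample address, and scoping the SNAT rule to the VPN interface are assumptions.

```shell
#!/bin/sh
# Added illustration, not the project's code. Mode names and interface
# defaults are hypothetical; only SNAT_IP is named in the PR.

is_ipv4() {
  # Accept only dotted-quad literals so a config value cannot smuggle
  # extra options or shell syntax into the generated rule.
  case "$1" in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

nat_rule() {
  # usage: nat_rule MODE [VPN_IF] [LOCAL_IF] [SNAT_IP]
  mode=$1 vpn_if=${2:-tun0} local_if=${3:-vxlan0} snat_ip=${4:-}
  case "$mode" in
    snat)            # fixed source address, only on the way out of the VPN
      is_ipv4 "$snat_ip" || { echo "invalid SNAT_IP: $snat_ip" >&2; return 1; }
      echo "iptables -t nat -A POSTROUTING -o $vpn_if -j SNAT --to-source $snat_ip" ;;
    masq-all)        # blanket rule: also rewrites forwarded inbound traffic
      echo "iptables -t nat -A POSTROUTING -j MASQUERADE" ;;
    masq-vpn)        # only traffic leaving through the VPN interface
      echo "iptables -t nat -A POSTROUTING -o $vpn_if -j MASQUERADE" ;;
    masq-not-local)  # everything except traffic towards the local overlay
      echo "iptables -t nat -A POSTROUTING ! -o $local_if -j MASQUERADE" ;;
    none)            # leave NAT to manually supplied rules
      : ;;
    *)
      echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Constructed sample values: print the rule each mode would install.
for m in snat masq-all masq-vpn masq-not-local none; do
  nat_rule "$m" tun0 vxlan0 10.8.0.2
done
```

Only `masq-all` matches packets forwarded towards the pods, which is why the application behind the gateway sees the gateway address instead of the peer's; the scoped modes leave the source of forwarded inbound traffic intact, so application logs keep the real client address.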

Successfully merging this pull request may close these issues.

Nat port with Qbitorrent