[Cake] CAKE host isolation modes with NAT - two routers

Nils Andreas Svee me at lochnair.net
Thu May 20 12:07:43 EDT 2021

Hi folks

Currently my setup looks something like this: LAN <-> EdgeRouter <->
WireGuard <-> VPS <-> Internet.

CAKE for upstream is running on the EdgeRouter and downstream on the

The public IPs are all on the VPS per today, so that the host isolation
can do its job with NAT enabled.

Ideally I'd like to route the public IPs to each endpoint and handle
NAT-ing there, but then I'd obviously lose the ability to do proper
host isolation.

Now, I've been toying with the idea of using a userspace application
to extract conntrack information, to let the VPS know which host hash
it should use.

I might be way off here, but I'm thinking of using NFQUEUE to mark new
flows based on information from the EdgeRouter, and let tc filters set
the host hash based on that mark. For performance purposes only send
unmarked flows to NFQUEUE.

I realise this is kinda overkill, but it might be a fun weekend

Best Regards,

