My cable modem consumes about 10-20w (I’ve done monitoring). This while a single file server is continually backing up to Crashplan (about 700GB this month so far). So I don’t even see my cable modem in my power bill.
My file server is much worse - on average it’s consuming about 100w (or 2400wh/day). I’ve done the math several times, that’s about $1/day. It’s the box that’s syncing with all my devices, and then backing up to Crashplan.
Something like Wireguard, Tailscale (uses Wireguard but provides easier administration), Reverse Proxy, VPN, are the best approaches.
Since OP doesn’t need for anyone else to access, I’d use Tailscale (Wireguard if you want a little more effort). Tailscale has a full self-host option with Headscale, though I have no problem with letting them provide discovery.
With Tailscale, you don’t even need the client on devices to access your Tailscale network, by enabling the Funnel feature. This does something similar to Reverse Proxy, by having a Web-exposed service hosted by Tailscale which then routes traffic (encrypted) to your Tailscale network.
I assume when you say externally you mean via Tailscale, but without running Tailscale on each container/service?
What I currently do is run Tailscale on a few workstation-type devices, but everything else in my network doesn’t run the Tailscale client (partly because things like printers, outers, etc can’t run the client, and it’s less convenient for things like servers).
Those type of devices can be accessed by running one Tailscale node as a Subnet Router. This device is then able to route traffic to it’s subnet. Currently I use a Raspberry Pi for this.
My Pi also runs PiHole and acts as my DNS server, so it can name resolve local resources, though I don’t think this is required, because Tailscale has its own DNS resolution called Magic DNS. So your Subnet Router should be able to resolve those names anyway (going off memory here, so be sure to check the docs, I may be misremembering how it works since I use the same device for DNS).
You don’t even need Tailscale on a remote device to access your LAN - if you enable the Funnel service, you can provide an inbound encrypted path to specified resources.
Tailscale just solves so many these types of problems.
With a virtual network, you mo longer need tools that work over the internet - just use the same tools as you would on a LAN.
I’ve used Hamachi this way on windows since about 2006. I’ve waited for an Androidi/iOS client, but it never appeared. Glad to see Wireguard/Tailscale step in to fill that gap, and it’s self-hostable!
Yea, they all suck that way. I still use my own router for wifi. It’s just routing, and your own router will know which way to the internet, unless there’s something I don’t understand about your internet connection. See my other comment below.
Yea, requirements mapping like this is standard stuff in the business world, usually handled by people like Technical Business/Systems Analysts. Typically they start with Business/Functional Requirements, hammered out in conversations with the organization that needs those functions. Those are mapped into System Requirements. This is the stage where you can start looking at solutions, vendor systems, etc, for systems that meet those requirements.
System Requirements get mapped into Technical Requirements - these are very specific: cpu, memory, networking, access control, monitor size, every nitpicky detail you can imagine, including every firewall rule, IP address, interface config. The System and Technical docs tend to be 100+/several hundred lines in excel respectively, as the Tech Requirements turn into your change management submissions. They’re the actual changes required to make a system functional.
Since their modem is handing out DHCP addresses, is there any reason why you couldn’t just connect that cable to your router’s internet port, and configure it for DHCP on that interface? Then the provider would always see their modem, and you’d still have functional routing that you control.
Since consumer routers have a dedicated interface for this, you don’t have to make routing tables to tell it which way to the internet, it already knows it’s all out that interface.
Just make sure your router uses a different private address range for your network than the one handed out by the modem.
So your router should get a DHCP and DNS settings from the modem, and will know it’s the first hop to the internet.
I do this to create test networks at home (my cable modem has multiple ethernet ports), using cheap consumer wifi routers. By using the internet port to connect, I can do some minimal isolation just by using different address ranges, not configuring DNS on those boxes, and disabling DNS on my router.