The existing tunnels are mutually exclusive to my RancherOS/Rancher exploration. All I was trying to do is see if the mesh network would transparently extend between multiple internal, private LAN IP hosts and multiple external public WAN IP hosts, with pfSense in the middle running pure NAT, but not static outbound ports. I knew the two private hosts could see each other (by their host IPs), and that the two public hosts could see each other (no iptables in effect).
But what I had hoped for was that even though the public hosts couldn’t see the private hosts, the private hosts could see the public hosts (which they can ping), and that perhaps a tunnel in that direction (via NAT and/or IPsec passthrough) would suffice. I even set up a static outbound NAT for UDP 500 and 4500 per one individual’s suggestion in another forum. No go, though.
Which does make me curious. Is there a way in Rancher (or RancherOS or ???) to view what tunnels the management network has set up/active? Since an IPsec passthrough setup can, in theory, permit a tunnel to be established from a private LAN host behind NAT to a public IP gateway/endpoint, perhaps the tunnels from private LAN to public WAN hosts are being established, and this might be a Phase 2 issue?
Interesting idea, too, Leo, to tunnel the hosts first and then try registering them “internally”. I’ve messed around with multi-Phase-2 layers with multiple remote subnets with some success. It would be a good experiment to see if such a nested tunnel could work. Pretty? No, but very cool if it could! And I’ve seen references to VXLAN but not thought to explore it yet, so I will look at that too. Thanks!
My biggest reason for trying to see if such a scenario could be made to work (near) transparently is that I can see where a client that hasn’t yet gone “cloud” except for maybe backups and storage (and perhaps Office 365 or Google Apps) might now have more creative ways of integrating hybrid cloud technologies into an existing infrastructure through “affordable” orchestration offered by Rancher Labs, Docker, Kubernetes, etc., that can be deployed without requiring silos or farms or new financing (at least not required up front). A lot of clients I work with have your typical on-premise resources (NAT firewall, Internet). So, for this to work out-of-the-box as I’m exploring it would, I think, be a catalyst for them to consider broader cloud adoption, and new avenues of work for me.
Accessible and FOSS cloud orchestration choices through containers may end up doing for cloud technologies what Linux+FOSS+choices did for IT! Though I may seem late to the party, I’ve long been standing outside waiting for my invitation to come in. I think Microsoft embracing Docker in Server 2016 was the shot over the bow that signaled (to me) just how big a deal Docker/containers might be. And the more I explore them, the more I see them as my invitation to come on in. What I’ll think of them 3 to 6 months from now? …
Thanks again for your suggestions!