
[Support]: One master-network (to reach all "sub-network-clients") ? #616

Status: Open
PizzaProgram opened this issue Dec 27, 2024 · 3 comments
Labels
support support request for ZTNET

Comments


PizzaProgram commented Dec 27, 2024

📝 Inquiry

What is the recommended way to set up my own planet on a VPS to handle one "master-network" that can reach the other 100+ networks too?

I like the simplicity, and I’d like to manage 100+ separated networks (restaurants).
1-10 PCs in each. (ca. 300 PCs + phones + laptops altogether.)
I am the only one allowed to manage networks. (Pizzeria owners get only client access to their own network.)

10.9.10.0/24  BestPizzaShop
10.9.11.0/24  FastPizza
...
10.9.250.0/16 MASTER (for my dev. PCs + phones)

But it would be bad if I'd need to connect to all 100+ networks from my phone + laptops simultaneously.
(Or disconnect / reconnect to another network each time someone is calling for quick help.)

So my developer PCs and phones should connect to only this one "master-network", from where I could connect to any member of any separated network.

❓ So the question is:

  • Is it possible somehow to create one Network that would “see everyone” (all members in all networks) ?

  • If yes, can I block somehow the access to this one group, so sub-members should not be able to start connections “back to my developer PCs / phone”, only I should be able to connect to them? (VNC, RDP, SQL, ...)

Thanks for any advice :-)

🔧 Deployment Type: [X] Docker
💻 Operating System: Debian

sinamics (Owner) commented:

Note: This is just from the top of my head and not tested, but here's how I would configure it:
Add a routing node (like your VPS) to your master network and each pizza network. Enable IP forwarding on the routing node with:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Then in your master network settings, add managed routes for each pizza network like this:

Destination: 10.9.10.0/24   (BestPizzaShop network)
Via: (the managed IP of the routing node that exists in all networks)

Destination: 10.9.11.0/24   (FastPizza network)
Via: (the managed IP of the routing node that exists in all networks)

This way, your devices only need to connect to the master network to reach any pizza network through the routing node.

PizzaProgram (Author) commented:

Thanks for the quick answer! 😺

I have something similar in my head too, just not clear yet how it would work in reality, because what I've tried so far did not work. (Maybe I made a mistake?)

Only this command seems troublesome for me at first sight:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
I've read everywhere it starts forwarding internet traffic of the VPN too. But I do not want my clients to surf through my VPS!

Also I'm afraid I'll have to install a firewall and set many strict rules to prevent one network from seeing the other. Don't I?
Or should I start thinking about Flow Rules inside the networks? (By Mixing them.)

Someone suggested I should run one "ZeroTier ONE", which connects to all networks, and do all the forwarding in there. But I do not know how to prevent a port conflict if it is running on the same VPS / docker stack?

Actually I also do not know if these routings only apply "inside docker", or also outside of it, on the whole VPS...
(For example: SoftEther is using its own MAC-routing system, so there is no need to create firewall rules to separate networks from each other. How is that working inside ZT's kernel?)
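The routing-node setup suggested above, and the two worries raised in this reply (that ip_forward turns the VPS into an internet gateway, and that a firewall is needed to keep the networks apart), can be covered with one forwarding policy on the routing node. The script below is an added example, not code from this thread, from ZTNET or from ZeroTier. It generates (does not apply) a sysctl drop-in and an nftables ruleset under these assumptions, none of which the thread states: the routing node runs nftables, its ZeroTier interfaces are named zt*, and the master prefix used in the comments is the constructed value 10.9.250.0/24. The policy lets the master prefix open connections into each pizza prefix, gives pizza members only reply traffic (so they cannot connect back to the developer machines or to each other), forwards nothing between a ZeroTier interface and any other interface (so no internet via the VPS), and SNATs master traffic to the routing node's own address in each pizza network so that pizza networks need no managed route back to the master prefix.

```shell
#!/bin/sh
# Added example (not from the issue, ZTNET or ZeroTier). Generates the
# forwarding policy for a ZeroTier "routing node" that is a member of the
# master network and of every pizza network. Assumed, not stated in the
# thread: nftables on the node, ZeroTier interfaces named zt*, and the
# constructed master prefix 10.9.250.0/24. Nothing here changes the live
# system; apply the output yourself, e.g.
#   routing_node_ruleset 10.9.250.0/24 10.9.10.0/24 | sudo nft -f -

# Minimal sysctl drop-in. Forwarding alone does not let clients "surf
# through the VPS": that would also need a default route pointing at the
# node and NAT for it, and the policy below only forwards between zt*
# interfaces.
sysctl_dropin() {
  printf 'net.ipv4.ip_forward = 1\n'
}

# Loose syntactic check for "a.b.c.d/len", so a typo cannot silently turn
# into an "accept everything" rule.
valid_cidr() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# routing_node_ruleset MASTER_CIDR PIZZA_CIDR [PIZZA_CIDR...]
# The forward chain keeps "policy accept" so Docker's own forward rules on
# the same VPS keep governing its bridge traffic; everything touching a zt*
# interface is decided by the explicit rules and dropped otherwise.
routing_node_ruleset() {
  [ "$#" -ge 2 ] || { echo "usage: routing_node_ruleset MASTER_CIDR PIZZA_CIDR..." >&2; return 1; }
  master="$1"; shift
  valid_cidr "$master" || { echo "bad master prefix: $master" >&2; return 1; }
  for p in "$@"; do
    valid_cidr "$p" || { echo "bad pizza prefix: $p" >&2; return 1; }
  done

  printf 'table inet ztroute {\n'
  # Declared first so the jump below refers to an existing chain.
  printf '  chain zt_to_zt {\n'
  for p in "$@"; do
    # New connections are allowed only from the master prefix into this
    # pizza prefix; there is deliberately no rule in the other direction
    # and none between two pizza prefixes.
    printf '    ip saddr %s ip daddr %s ct state new accept\n' "$master" "$p"
  done
  printf '  }\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority filter; policy accept;\n'
  printf '    ct state established,related accept\n'
  printf '    iifname "zt*" oifname "zt*" jump zt_to_zt\n'
  # Anything from or to a ZeroTier interface that was not accepted above
  # (including zt -> eth0, i.e. the internet) is dropped here.
  printf '    iifname "zt*" drop\n'
  printf '    oifname "zt*" drop\n'
  printf '  }\n'
  # SNAT master traffic to the routing node's own address in each pizza
  # network: pizza members need no route back to the master prefix and
  # never see a developer-machine IP they could try to connect to.
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority srcnat;\n'
  printf '    oifname "zt*" ip saddr %s masquerade\n' "$master"
  printf '  }\n'
  printf '}\n'
}

# Stand-alone use: ./ztroute.sh 10.9.250.0/24 10.9.10.0/24 10.9.11.0/24
if [ "$#" -gt 0 ]; then
  sysctl_dropin
  printf '\n'
  routing_node_ruleset "$@"
fi
```

Because the masquerade hides the master addresses, the managed routes in the master network (pizza prefix via the routing node's master-network IP) are the only routes needed; ZeroTier flow rules in each network stay at their defaults. If the routing node also runs Docker, check with `nft list ruleset` after loading that Docker's own forward rules are still present, since this table is added alongside them rather than replacing them.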


PizzaProgram commented Jan 3, 2025

I've tested this method.

Conclusion:

Too slow! (30-600ms, instead of 2-5ms. Even TightVNC is lagging.)

The reason is:

  • To avoid a port conflict, I am forced to port forward the docker container from the default 9993.
  • No matter what I've tried, changing that port from 9993 is impossible.
  • ZeroTier One somehow recognises that the "outside port" is different, so it changes back to "TCP relay" mode.

Any other ideas?
