Routing within Hetzner Networks
This section assumes you are familiar with the difference between switches and routers and have a basic understanding of the layers in the OSI model.
Communication within Hetzner Networks happens via two different communication layers depending on the subnet type:
| Communication | |
|---|---|
| Cloud subnet | Layer 3 |
| vSwitch subnet | Layer 2 |
-
vSwitch subnet at Layer 2 (Ethernet / Data Link Layer):
On-link (Direct) Communication
Source
dedicated server→Destination
dedicated server
Both dedicated servers are directly connected via a switch. This allows the source to use ARP to resolve the MAC address of the destination and send packets directly to the destination without additional hops in between.
-
Cloud subnet at Layer 3 (IP / Network Layer):
Off-link (Routed) Communication
Cloud servers only:
Source
cloud server→Cloud
Gateway→Destination
cloud server
Cloud server and dedicated server:
Source / Desti.
dedicated server↔vSwitch
Gateway↔Cloud
Gateway↔Des. / Source
cloud server
The servers are not directly connected. The source has to use ARP to resolve the MAC address of the gateway and send packets to the gateway. The gateway forwards the packet to the destination or the next hop towards the destination.
Example visualization
- 10.0.0.0/16
- 10.0.0.0/24
- 10.0.1.0/24
- ↕
- ⚯
10.0.0.1 00:00:5E:00:53:01
10.0.0.2
00:00:5E:00:53:02
10.0.0.3
00:00:5E:00:53:03
10.0.1.1
00:00:5E:00:53:04
10.0.1.2
00:00:5E:00:53:05
10.0.1.3
00:00:5E:00:53:06
Example routes
Following shows the routes needed to reach the private IPs in the example visualization above.
On the cloud server:
| Destination | CIDR | Netmask | Gateway | Local IP |
|---|---|---|---|---|
| 10.0.0.0 | /16 | 255.255.0.0 | 10.0.0.1 | 10.0.0.2 |
| 10.0.0.1 | /32 | 255.255.255.255 | On-link | 10.0.0.2 |
On dedicated server A:
| Destination | CIDR | Netmask | Gateway | Local IP |
|---|---|---|---|---|
| 10.0.0.0 | /16 | 255.255.0.0 | 10.0.1.1 | 10.0.1.2 |
| 10.0.1.0 | /24 | 255.255.255.0 | On-link | 10.0.1.2 |
Routing through several networks
When you send packets between the Internet and the client, they pass through two networks — the private network and the public network.
As explained in the FAQ about technical details, the MTU of Hetzner cloud servers is different in private and public interfaces.
network
⸺>
router
⸺>
⸺>
client
In the example above, an incoming packet with an MTU of 1500 bytes should be able to reach
the cloud server router without any issues. However,
if the router cannot perform IP fragmentation,
it cannot forward the packet through the private interface and the packet is dropped.
You can run ip link show to check the MTUs of all interfaces on your system.
Routing from network-isolated environments
If you have a network-isolated environment on your system (e.g. Docker container or LXC), it will usually have its own interface settings.
In the example below, the network-isolated environment and the underlying host can exchange packets with an MTU of 1500 bytes:
If the network-isolated environment uses the underlying host as a router, the host from the example above will forward the packet via the private interface with an MTU of 1450 bytes.
If the network-isolated environment sends a packet with an MTU of 1500 bytes, it should be able to reach the underlying host without any issues. However, if the host cannot perform IP fragmentation, it cannot forward the packet through the private interface and the packet is dropped.