Hello selfhosted.
My router just burnt up and instead of buying a new one, I’m thinking of turning my own built NAS/home server into a router. Is this possible?
The server in question is a normal computer running debian, where I have a few disks in RAID and host some web services. The motherboard only has one RJ45 port, so my guess is that I have to at least get a network card that supports 2 ports. I’m no stranger to linux but physical networking is not my home field, though I’m very interested.
If someone could point me in the right direction, I would be more than happy.
Short answer: yes
Though anything else I could not say better than this guide: https://opnsense.org/get-started/
Sorry I was probably not very clear on one part, I’m looking to run a router additionally to my already existing debian installation. OPNsense seems very nice, but that would require me switching to FreeBSD, which I’m not very keen on right now.
Well all Linux systems can easily be turned into routers if they have 2 or more networking ports.
All you have to do is enable routing, the firewall rules for routing internal traffic and restrictions on external traffic, and dhcp services to the internal network (assuming that you don’t have a dedicated dhcp server)
Here is an example: https://github.com/dhenkes/router
Basically any Linux router guide (for any Linux distribution) can be used with minimal translation as they are all going to be using the exact same software with virtually identical configurations.
You can create a virtual machine, running within your debian install, to serve as your router. It actually works very well.
I used a headless Debian VM as a router with Shorewall to configure iptables. If I had to do it again, I probably would have used an opensense VM.
I forgot VM’s completely, that’s very true.
First thing I’d troubleshoot… Is your router the issue, or the modem that decodes the signal from your ISP?
Last I checked, router/AP stuff is pretty easy to DIY (OpenWRT, PFsense, etc). But that’s the step after the modem has done what it needs to do.
My router physically burnt up, up in flames. No idea why, tired of life I guess.
The 8K porn was too hot.
You can use OPNSense inside a virtual machine. You can use QEMU or install the Proxmox toolkit over Debian to manage it. I’ve been using this setup for years without issue.
You’ll have to create a bridge network for the WAN and the LAN interface, connect them to the VM, then configure the virtual interfaces inside OPNSense.
Only issue I’ve had with this setup is if you’re running in a cluster and you have to restart the cluster then you run into a deadlock. The cluster won’t start VMs without a quorum and it can’t form a quorum without the OPNSense VM up. So you have to manually intervene.
Ah I see, did not think of that. A network card with two ports would be enough right? One for the modem, and the other for clients, which ideally could be a switch, for more ports. That’s possible right?
Yes, that will be enough. You can also use a single port on the NIC and the one on the motherboard if it can handle the ethernet speed you want.
This is my network setup on Proxmox:
vmbr0is a bridge that has a single port going to the modem. The OPNSense VM’s first virtual interface is connected to this and configured as a WAN interface. Nothing else connects to this bridge as it is exposed to the internet.vmbr1also has a single port that goes to the physical switch. OPNSense’s second interface connects to it as a LAN port, as well as every other VM and container running on the server.I see, very nice. That would reduce the cost quite a bit. Thank you
You only need one port. WAN to switch, switch to router. The router routes and sends it back to the switch, and the switch to the LAN. Vice versa for outbound traffic. It’s called a router on a stick.
Not recommended if you’re paranoid about security, because a malicious client or particularly malformed inbound traffic could bypass your router. For general use it’s perfectly fine.
Do not do that. You need to set up VLANs and proper separation between them on both the switch and the router, assuming the switch even supports tagged trunk lines. If you don’t, you’re just connecting all of your hosts to the unfiltered internet.
Technically yes, but as long as your WAN gateway doesn’t provide a route, clients will only know how to reach your own gateway.
But your isp modem will have total access to your local devices.
Yes, that’s possible
Here’s a pretty good tutorial on how to do this on a system with two network cards https://medium.com/@lfoster49203/setting-up-ubuntu-as-a-router-with-advanced-routing-features-4511abc5e1eb
I know you can run openwrt as a VM on a NAS. Might be a good solution for you. Theoreticaly you can use virtual interfaces and bridges on the NAS to use a single fysical network interface. But a second card will be the interface.
Enable packet forwarding via interfaces:
# cat /etc/sysctl.d/01-forward.conf net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.default.forwarding = 1Then install isc-dhcp-server and configure ipv4 and ipv6 dhcp server. (only on local ports or you internet prowider will be angry)
short example:
# cat /etc/dhcpd.conf ddns-update-style interim; ddns-updates on; ddns-domainname "my.local"; ddns-rev-domainname "in-addr.arpa"; allow client-updates; update-conflict-detection true; update-optimization true; authoritative; default-lease-time 86400; preferred-lifetime 80000; max-lease-time 86400; allow leasequery; option domain-name "my.local"; option domain-name-servers 192.168.1.1; lease-file-name "/var/lib/dhcp/dhcpd.leases";# cat /etc/dhcpd6.conf ddns-update-style interim; ddns-updates on; ddns-domainname "my.local"; ddns-rev-domainname "ip6.arpa"; allow client-updates; update-conflict-detection true; update-optimization true; authoritative; default-lease-time 86400; preferred-lifetime 80000; max-lease-time 86400; allow leasequery; option domain-name "my.local"; option dhcp6.name-servers fd00:1::1; option dhcp6.domain-search "my.local"; option dhcp6.preference 255; dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";don’t forget start dhcpd@lan and dhcpd6@lan
Then install radvd and configure RA ipv6 broadcasting. (only on local ports or you internet prowider will be angry)
# cat /etc/radvd.conf interface br0 { AdvSendAdvert on; MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvDefaultPreference low; AdvHomeAgentFlag off; prefix fd00:1::/64 { AdvOnLink on; AdvAutonomous on; AdvRouterAddr off; }; RDNSS fd00:1::1 { AdvRDNSSLifetime 30; }; DNSSL my.local { AdvDNSSLLifetime 30; }; };Then install iptables-persistent and configure ipv4 and ipv6 rules in /etc/iptables/ . Change lan and internet to you real interfaces.
# cat /etc/iptables/rules.v4 # Generated by iptables-save v1.6.1 on Mon Dec 30 18:53:43 2019 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -o internet -j MASQUERADE COMMIT # Completed on Mon Dec 30 18:53:43 2019 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] #UNBRICK IF YOU WANT ACCESS FROM INTERNET -A INPUT -s x.x.x.x -j ACCEPT -A INPUT -s y.y.y.y -j ACCEPT #BASE -A INPUT -i lo -j ACCEPT -A INPUT -i lan -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lan -j ACCEPT -A FORWARD -p icmp -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT COMMIT# cat /etc/iptables/rules.v6 # Generated by ip6tables-save v1.6.0 on Thu Sep 8 13:29:11 2016 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -o internet -j MASQUERADE COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] #BASE INPUT -A INPUT -i lo -j ACCEPT -A INPUT -i lan -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lan -j ACCEPT -A FORWARD -p ipv6-icmp -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT COMMITThen install dns relay. I user bind, but that some overkill. But anyway:
install named / bind9
# cat /etc/named.conf ... acl "lan" { 192.168.1.0/24; 127.0.0.1; fd00:1::/64; ::1/128; }; tls google-DoT { ca-file "/var/named/google.crt"; //SET google cert path here remote-hostname "dns.google"; }; tls local-cert { //if you want local SSL requests cert-file "/etc/letsencrypt/live/local/cert.pem"; key-file "/etc/letsencrypt/live/local/privkey.pem"; }; options { directory "/var/named"; pid-file "/run/named/named.pid"; forwarders port 853 tls google-DoT { 8.8.8.8; 8.8.4.4; }; // Uncomment these to enable IPv6 connections support // IPv4 will still work: //listen-on-v6 { any; }; // Add this for no IPv4: //listen-on { any; }; listen-on-v6 { fd00:1::1; ::1; }; listen-on { 192.168.1.1; 127.0.0.1; }; listen-on-v6 tls local-cert { fd00:1::1; ::1; }; //if you want local SSL requests listen-on tls local-cert { 192.168.1.1; 127.0.0.1; }; //if you want local SSL requests allow-recursion { lan; }; allow-recursion-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; }; allow-transfer { none; }; allow-update { none; }; allow-query { lan; }; allow-query-cache { lan; }; allow-query-cache-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; }; version "DNS Server 1"; hostname "interesting server"; server-id "realy interesting server"; dnssec-validation auto; empty-zones-enable no; minimal-responses yes; http-port 8888; listen-on http local tls none { any; }; listen-on-v6 http local tls none { any; }; auth-nxdomain no; # conform to RFC1035 }; ...All done.
Aren’t both the isc dhcp server and iptables deprecated?
I would instead setup dnsmasq since it would be simpler. For the Firewall you could use Firewalld since it provides a higher level system that is much cleaner.
First question. Was your router also your modem? As in describe each connection/device from street until you get to your router. (Do you also know your connection type? Some flavour of DSL, HFC, Fiber?)
Not sure if others already said this (I seem to see mostly comments explaining how to do it, but didn’t read them all), but, while it’s certainly feasible, you may not want to do that.
A router is the cornerstone of your network (if it goes down, so does the network) and if you are a self-hoster you’ll probably fiddle endlessly with your home server, and of course break it from time to time… the two things just don’t go well together.
Personally, I’d recommend getting some second-hand router appliance that can run openwrt and use that (make sure to check the flashing procedure before deciding what to buy - some are easier than others). Or you could get a dedicated x86 machine… probably overkill though.
Agreed. Separate device. If your VM or hypervisor dies, or you misconfigure something, you take your Internet down. Not a fun thing to recover from.
I truly understand this sentiment, and if I ever find it troublesome to maintain, I will do just that, but right now I just want to use this as an excuse to fiddle around haha ;). I don’t run anything high-profile and my server uptime is still on par with the frequent power outages in my area
This is extremely possible and I have done a lot of stuff like it (I set up my first home built Linux firewall over 20 years ago). You do want to get some kind of multiport network card (or multiple network cards… usb -> ethernet adapters can do OK filling in in a pinch). It also gives you a lot of power if you want to do specific stuff with specific connections (sub netting, isolation of specific hosts, etc).
There’s a lot of ways to do it, but the one I’m most familiar with is just to use IP tables.
The very first thing you want to do is open up /proc/sys/net/ipv4/ip_forward and change the 0 to a 1 to turn on network forwarding.
You want to install bridge-utils and isc-dhcp-server (or some other DHCP server). Google or get help from an LLM to configure them, because they’re powerful and there’s a lot of configs. Ditto if you want it to handle DNS. But basically what you’re going to do (why you need bridge-utils) is you’re going to set up a virtual bridge interface and then add all the various NICs you want on your LAN side into it (or you can make multiple bridges or whatever… lots of possibilities).
Your basic iptables rule is going to be something like
iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE, but again there’s lots of possible IP tables rules so read up on those.
I’m happy to answer specific questions as you dig into it.
This was my first thought. I have some experience with iptables so I think this would be doable. Thank you
I’m happy to answer specific questions as you dig into it. :) Good luck.
I had a very similar problem as @Toralv@lemmy.world a few weeks ago. I repurposed a small, fanless x86 desktop computer as my new router. It has only one RJ45 port and due to its small size cannot be extended with a proper network card. As it has an unused USB3 port, I acquired a cheap Realtek-based USB3-to-RJ45 ‘adapter’ as the second network interface. It works without any further issues in Linux (Arch) and has no problems to handle Gbps traffic.
For the router configuration, I am using ‘nftables’ instead of ‘iptables’, as the former is supposed the successor of the latter. I only used the new nftables configuration, but there are wrappers available so that one can continue to use iptables syntax if desired.
For network configuration, I am using systemd’s networkd. Check systemd.network(5): Configuration option ‘IPMasquerade’ takes care of telling nftables/iptables to setup masquerading (rendering the iptables invocation @thebardingreen@lemmy.starlightkel.xyz exemplified unnecessary), options ‘IPv4Forwarding’ and ‘IPv6Forwarding’ renders manually changing ‘/proc/sys/net/ipv4/ip_forward’ unnecessary.
systemd’s networkd has a built-in DHCP server; check option ‘DHCPServer’ and section ‘DHCPServer’ for that (same man page as above). This way you can skip installing/configuring a separate DHCP server, but systemd’s DHCP server has some limitations, such as only supporting DHCPv4 and lack of proper command line tools. For example, to retrieve the list of current leases, you would have to make a dbus call to networkd, e.g. via busctl or dbus-send.
Bridges can also be configured with systemd’s networkd, making a separate bridge tool unnecessary. Rather straight-forward with three small configuration files, telling networkd that you want to have a bridge, its name (e.g. br0), its MAC address, which NICs will be part of the bridge, and the bridge’s configuration like a NIC itself (e.g. static IP address, that the networkd’s DHCP server shall listen here, …).
As others have mentioned this is practical with a VM. It might also be doable with Docker, saving some resources.
Personally, I’ve always been a big fan of running the firewall/router/DNS separate of everything else. It’s harder to accidentally make a security blunder and doing regular system maintenance on your hosting server won’t knock out internet to the rest of the house.
Hey there! Sorry, I got busy with work today.
I was just noticing that you have plenty of replies. I think you seem to have enough to go on with.
If you still need anything, hit a reply to this one and I can give you my 2-cents worth of opinion.
I’ve been using a raspberry pi for my router for a few years. Followed this guide mostly
https://www.technicallywizardry.com/raspberry-pi-network-monitor/
You can but I would strongly recommend that you set up a dedicated box. It doesn’t matter that much what OS it is running but it shouldn’t be the same device running other services.
As someone who has done their router as both a VM and a stand alone physical box, just do a stand alone box. It doesnt take much to run pfsense
👉
There! Happy?
