WARNING! WORDPRESS DISPLAYS ONE-LINER-COMMANDS IN MULTIPLE LINES, MAKE SURE TO ALWAYS COPY THE WHOLE LINE!
based on https://anchored.host/articles/how-to-turn-a-debian-machine-into-a-router
- hardware requirements: have at least 2x network interfaces
  - LAN (internal network shielded from WAN)
  - WAN (this is the network that connects to the dangerous internet)
- CPU wise: RK3588 SoCs should have plenty of power and RAM and are cheap
  - this SoC is basically a perfect router fit
  - after increasing SWAP space
  - multi core wise it is 12x slower than an AMD Ryzen 5 (6 cores, 12 threads)
    - while consuming 20x less energy
  - result: https://browser.geekbench.com/v5/cpu/23222798
  - result: https://browser.geekbench.com/v6/cpu/9710547
  - is this RISC-V SoC faster? https://browser.geekbench.com/v6/cpu/compare/9710547?baseline=9254307
  - this one also looks interesting, but is more expensive, but it has a GPU
- possible alternatives:
  - OpenWRT ONE
    - https://de.aliexpress.com/item/1005007827172335.html
    - 100% open source hardware
    - 100% open source software (src: C't's Keno)
  - more expensive RISC-V Lichee Pi 4
warning! work in progress!
- but ping from client <-router-> internet worked 🙂
- DNS works 😀 (but the how-to still needs tidying up: the instructions are not in the right order)
```bash
# define what is WAN (internet exposed)
# and what is LAN (internal network shielded via NAT router)
WAN="end0"
LAN="end1"

# would (probably) recommend making this permanent
echo 'WAN="end0"' >> /etc/environment
echo 'LAN="end1"' >> /etc/environment
```

```bash
# install some tools
apt -y install iptables tcpdump iptables-persistent netdiscover
apt -y install isc-dhcp-server
apt -y install dnsmasq; # alternative dns server
apt -y install bind9-host

# NOTE: dnsmasq and isc-dhcp-server both answer DHCP on UDP port 67,
# so only ONE of them should be configured to serve the LAN

# allow packet forwarding between interfaces
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

# masquerade (source NAT) everything that leaves via the WAN interface
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# allow forwarding between LAN and WAN interfaces:
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

# allow related or established connections (i.e., responses from the WAN to the LAN):
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

# save config
# deb based
netfilter-persistent save
# rpm based
service iptables save

# make this router DHCP server on the LAN side (dnsmasq variant)
# double quotes are needed here so that $LAN is expanded;
# with single quotes the literal text "interface=$LAN" ends up in the config
echo "interface=$LAN" >> /etc/dnsmasq.conf
echo 'dhcp-range=192.168.4.50,192.168.4.150,24h' >> /etc/dnsmasq.conf

# port 53 might be already in use https://wiki.archlinux.org/title/Systemd-resolved
systemctl stop systemd-resolved
systemctl disable systemd-resolved

# enable new dhcp server
systemctl start isc-dhcp-server
systemctl enable isc-dhcp-server

echo 'search fritz.box' > /etc/resolv.conf
echo 'nameserver 192.168.0.1' >> /etc/resolv.conf
echo 'nameserver 1.1.1.1' >> /etc/resolv.conf

cat /etc/resolv.conf
```

```
search fritz.box
nameserver 192.168.0.1
nameserver 1.1.1.1
```

```bash
# current situation
ip -c a
```

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: end0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000   <- this is WAN interface
    inet 192.168.0.65/24 brd 192.168.0.255 scope global end0   <- from FRITZBOX inet router dhcp
3: end1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000   <- this is LAN interface
    inet 192.168.4.1/24 brd 192.168.4.255 scope global end1   <- defined via netplan
```

```bash
# always backup configs, especially before changes
cp -rv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup
vim /etc/dhcp/dhcpd.conf   # the file whose contents are shown below
```

```
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#

# option definitions common to all supported networks...
option domain-name "rockpie1";
option domain-name-servers 192.168.0.1, 1.1.1.1;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# the LAN subnet this server hands out leases on
subnet 192.168.4.0 netmask 255.255.255.0 {
  range 192.168.4.150 192.168.4.200;
  option routers 192.168.4.1;
  # 192.168.4.1 only answers DNS if a resolver (dnsmasq/bind) is running on this router
  option domain-name-servers 192.168.4.1, 1.1.1.1;
  option domain-name "rockpie1";
}
```

```bash
# make known what is the LAN interface
sed -i "s/INTERFACESv4=\"\"/INTERFACESv4=\"$LAN\"/g" /etc/default/isc-dhcp-server

# restart the service
systemctl restart isc-dhcp-server.service

# did it work? :D
systemctl status isc-dhcp-server.service

# if yes let's test
# on a LAN connected client PC
# create new virtual interface
ip addr add 192.168.4.234/24 dev enp2s0 label enp2s0:1
dhclient enp2s0:1
```

on server this looks like:

```
==> /var/log/syslog <==
2025-01-07T14:42:18.579074+01:00 support dhclient[4706]: DHCPREQUEST for 192.168.4.151 on enp2s0:1 to 255.255.255.255 port 67
2025-01-07T14:42:18.579854+01:00 support dhclient[4706]: DHCPACK of 192.168.4.151 from 169.254.2.98
2025-01-07T14:42:18.596305+01:00 support dhclient[4706]: bound to 192.168.4.151 -- renewal in 223 seconds.
```

```bash
# monitor syslog in order to catch startup errors
tail -f /var/log/syslog &

# howto port forwarding:
# OPTIONAL: testing port forwarding through NAT-router-firewall
# incoming traffic on port 2222 (SSH) from WAN to LAN:
# 192.168.0.123 stands for the target host; it has to be reachable via $LAN
# for the FORWARD rule below to match
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 2222 -j DNAT --to-destination 192.168.0.123:22

# allow forwarded traffic from WAN to LAN
# PREROUTING (DNAT) runs before FORWARD, so FORWARD already sees the
# rewritten destination port 22, not 2222
iptables -A FORWARD -i $WAN -o $LAN -p tcp --dport 22 -d 192.168.0.123 -j ACCEPT

# verify rules
iptables -t nat -L -n -v

# check forwarding chain
iptables -L FORWARD -n -v
```
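Before restarting isc-dhcp-server it is worth checking that the subnet block is consistent: dhcpd refuses to start when a range lies outside the declared subnet, and a range that includes the router's own address lets a client get the gateway IP leased. `dhcpd -t -cf /etc/dhcp/dhcpd.conf` catches syntax errors but not these logic errors. The following is an added example and not part of the original post; it re-implements the check in plain shell arithmetic using the post's subnet values (192.168.4.0/24, range .150 to .200, router .1) and a few constructed misconfigurations:

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check a dhcpd.conf
# subnet scope (network, netmask, range, routers) before restarting the server.

# Convert dotted-quad IPv4 to an integer so addresses can be compared.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NETWORK NETMASK -> 0 if ADDR lies inside NETWORK/NETMASK
in_subnet() {
    local a n m
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# check_dhcp_scope NETWORK NETMASK RANGE_LO RANGE_HI ROUTER
# Returns 0 when range start, range end and router are inside the subnet,
# the range is ordered, and the router address is NOT inside the dynamic
# range (otherwise dhcpd may lease the gateway's own IP to a client).
check_dhcp_scope() {
    local net="$1" mask="$2" lo="$3" hi="$4" gw="$5"
    local ilo ihi igw
    ilo=$(ip2int "$lo"); ihi=$(ip2int "$hi"); igw=$(ip2int "$gw")
    in_subnet "$lo" "$net" "$mask" || { echo "range start $lo not in $net/$mask"; return 1; }
    in_subnet "$hi" "$net" "$mask" || { echo "range end $hi not in $net/$mask"; return 1; }
    in_subnet "$gw" "$net" "$mask" || { echo "router $gw not in $net/$mask"; return 1; }
    [ "$ilo" -le "$ihi" ] || { echo "range start $lo is above range end $hi"; return 1; }
    if [ "$igw" -ge "$ilo" ] && [ "$igw" -le "$ihi" ]; then
        echo "router $gw lies inside the dynamic range $lo-$hi"
        return 1
    fi
    echo "OK: $net/$mask range $lo-$hi router $gw"
    return 0
}

# usage with the scope from the post (prints OK):
#   check_dhcp_scope 192.168.4.0 255.255.255.0 192.168.4.150 192.168.4.200 192.168.4.1
# constructed mistake: WAN gateway 192.168.0.1 used as router for the LAN scope (fails):
#   check_dhcp_scope 192.168.4.0 255.255.255.0 192.168.4.150 192.168.4.200 192.168.0.1
```

Run it with the five values from the `subnet` block whenever the scope is changed; the router address check also catches the mix-up between the FRITZBOX side (192.168.0.1) and the router's own LAN address (192.168.4.1).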
on LAN-connected CLIENTS make sure the gateway is set:

```bash
# set fixed ip temporarily (resets after reboot)
# ip addr add <ip>/<prefix> dev <interface>
ip addr add 192.168.4.65/24 dev eth0

# set default gateway
ip route add default via 192.168.4.1

# after that client should be able to reach internet
# via newly configured pc-router :)
ping 1.1.1.1
```
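Once the client can ping through the router, it is worth checking what the FORWARD chain does with everything else. The rules above ACCEPT LAN->WAN and the RELATED,ESTABLISHED replies, but never change the chain policy, and the Debian default policy is ACCEPT, so any other packet that arrives on the WAN side with a route into the LAN is forwarded as well. The fix is `iptables -P FORWARD DROP` followed by `netfilter-persistent save` (the FORWARD chain does not affect SSH to the router itself, which goes through INPUT). The following audit is an added example, not code from the original post; it assumes WAN=end0 and LAN=end1 as above and works on the text that `iptables -S FORWARD` prints, using two constructed dumps, one as the chain looks right after the commands above and one after the policy was set to DROP:

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: audit the FORWARD chain of the
# NAT router as dumped by `iptables -S FORWARD`. Interface names are the
# post's; override WAN/LAN in the environment for other boxes.
WAN="${WAN:-end0}"
LAN="${LAN:-end1}"

# audit_forward_chain DUMP -> 0 when the dump has policy DROP plus both
# expected rules, 1 (with one FAIL line per finding) otherwise
audit_forward_chain() {
    local dump="$1" rc=0
    if ! printf '%s\n' "$dump" | grep -q -- "^-P FORWARD DROP"; then
        echo "FAIL: FORWARD policy is not DROP, unsolicited WAN->LAN traffic is forwarded"
        rc=1
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "^-A FORWARD -i $LAN -o $WAN -j ACCEPT"; then
        echo "FAIL: LAN->WAN accept rule missing"
        rc=1
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "^-A FORWARD -i $WAN -o $LAN .*RELATED,ESTABLISHED -j ACCEPT"; then
        echo "FAIL: WAN->LAN RELATED,ESTABLISHED rule missing"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: FORWARD drops by default and only allows LAN->WAN plus replies"
    return "$rc"
}

# Constructed sample: what `iptables -S FORWARD` shows right after the commands above
DUMP_AFTER_POST='-P FORWARD ACCEPT
-A FORWARD -i end1 -o end0 -j ACCEPT
-A FORWARD -i end0 -o end1 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample: the same chain after `iptables -P FORWARD DROP`
DUMP_HARDENED='-P FORWARD DROP
-A FORWARD -i end1 -o end0 -j ACCEPT
-A FORWARD -i end0 -o end1 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# live check on the router itself (needs root):
#   audit_forward_chain "$(iptables -S FORWARD)"
```

The audit only reads a ruleset dump, so it can also be pointed at the file `netfilter-persistent save` writes, which is handy for checking that the DROP policy actually survived a reboot.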
optional, maybe useful:

```bash
# gc_stale_time controls how long an entry remains in the ARP cache before being considered stale.
echo 'net.ipv4.neigh.default.gc_stale_time=1200' >> /etc/sysctl.conf

# base_reachable_time_ms sets the base time for reachability confirmation in milliseconds.
echo 'net.ipv4.neigh.default.base_reachable_time_ms=30000' >> /etc/sysctl.conf

# activate changes
sysctl -p
```
Links:
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!