WARNING: WordPress wraps long one-liner commands over several lines.

ALWAYS COPY THE WHOLE LINE — a command that is only half copied will either fail or, worse, run with half its arguments (e.g. an iptables rule without its `-j ACCEPT`).

based on https://anchored.host/articles/how-to-turn-a-debian-machine-into-a-router

warning! work in progress!

  • ping from a LAN client <-router-> internet works 🙂
  • DNS works 😀 (but the how-to still needs tidying up: the steps below are not yet in the right order — the DHCP server is started before it is configured, and the dhcpd.conf listing belongs in /etc/dhcp/dhcpd.conf, not /etc/default/isc-dhcp-server)
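# define what is WAN (internet exposed)
# and what is LAN (internal network shielded via NAT router)
# the names below are from this box (see "ip -c a" further down) - adjust to yours
WAN="end0"
LAN="end1"

# warn early if an interface name is wrong: a typo here is otherwise only
# noticed later, when the iptables rules silently match nothing
ip link show "$WAN" >/dev/null || echo "WARNING: WAN interface $WAN not found" >&2
ip link show "$LAN" >/dev/null || echo "WARNING: LAN interface $LAN not found" >&2

# would (probably) recommend making this permanent
# (append only once so re-running this how-to does not duplicate the lines;
# /etc/environment is read at login, it does not affect the current shell)
grep -q '^WAN=' /etc/environment || echo "WAN=\"$WAN\"" >> /etc/environment
grep -q '^LAN=' /etc/environment || echo "LAN=\"$LAN\"" >> /etc/environment

# install some tools
# iptables-persistent restores the saved rules at boot; tcpdump/netdiscover are for debugging
apt -y install iptables tcpdump iptables-persistent netdiscover
# DHCP server for the LAN side
apt -y install isc-dhcp-server
# dnsmasq: DNS forwarder for the LAN. It is also a DHCP server once a
# dhcp-range is configured - run only ONE DHCP server per segment (see below)
apt -y install dnsmasq
# host(1) for testing name resolution
apt -y install bind9-host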

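# allow packet forwarding between interfaces (persistent via sysctl.conf;
# the grep keeps re-runs from appending the line again)
grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

sysctl -p

# default-deny for forwarded traffic: nothing crosses the router unless a
# rule below allows it. Without this the FORWARD chain stays at ACCEPT and
# the "NAT firewall" forwards whatever the upstream router routes at the LAN.
iptables -P FORWARD DROP

# NAT: rewrite the source address of everything leaving via WAN
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

# allow Forwarding from LAN to WAN (all outbound traffic):
iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

# allow related or established connections (i.e., responses from the WAN to the LAN);
# "-m conntrack --ctstate" is the current spelling of the older "-m state --state"
iptables -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# save config so the rules survive a reboot

# deb based (iptables-persistent, installed above)

netfilter-persistent save

# rpm based

service iptables save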

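# make this router the DNS forwarder (and optionally DHCP server) on the LAN side
# NOTE the double quotes: with single quotes the literal string "$LAN" ends up
# in dnsmasq.conf instead of the interface name
echo "interface=$LAN" >> /etc/dnsmasq.conf

# bind only the LAN interface so DNS/DHCP is not offered towards the WAN
echo 'bind-interfaces' >> /etc/dnsmasq.conf

# dhcp-range makes dnsmasq a DHCP server too. Two DHCP servers on the same
# segment race each other (and this range overlaps isc-dhcp-server's at .150):
# use this line OR isc-dhcp-server below, not both.
echo 'dhcp-range=192.168.4.50,192.168.4.150,24h' >> /etc/dnsmasq.conf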



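# port 53 might already be in use by systemd-resolved's stub listener
# https://wiki.archlinux.org/title/Systemd-resolved
# check who holds it before stopping anything:
ss -ltunp 'sport = :53'

# stop it now and keep it stopped across reboots
systemctl disable --now systemd-resolved

# now that port 53 is free, (re)start dnsmasq with the config appended above
systemctl restart dnsmasq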

# enable the new DHCP server at boot and start it right away
# (it may not come up cleanly until dhcpd.conf and INTERFACESv4 are set
# further down - it is restarted after that configuration)
systemctl enable --now isc-dhcp-server

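# upstream resolvers for the router itself: the Fritzbox first, Cloudflare second.
# While systemd-resolved managed it, /etc/resolv.conf is a symlink into /run/systemd/resolve/;
# writing through that symlink lands in a file that is gone after reboot,
# so replace the symlink with a real file first.
rm -f /etc/resolv.conf
printf '%s\n' 'search fritz.box' 'nameserver 192.168.0.1' 'nameserver 1.1.1.1' > /etc/resolv.conf

# NOTE(review): the WAN address is obtained via DHCP from the Fritzbox (see "ip -c a" below);
# a DHCP client hook may overwrite this file on lease renewal - re-check after a reboot
cat /etc/resolv.conf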

search fritz.box
nameserver 192.168.0.1
nameserver 1.1.1.1

# current situation
ip -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
2: end0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 <- this is WAN interface
inet 192.168.0.65/24 brd 192.168.0.255 scope global end0 <- from FRITZBOX inet router dhcp
3: end1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 <- this is LAN interface
inet 192.168.4.1/24 brd 192.168.4.255 scope global end1 <- defined via netplan

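# always backup configs before making changes
cp -v /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

# edit the DHCP server configuration - the dhcpd.conf listing below goes into this file.
# (/etc/default/isc-dhcp-server only holds the interface list and is set with sed further down)
vim /etc/dhcp/dhcpd.conf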

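# /etc/dhcp/dhcpd.conf
#
# Configuration file for ISC dhcpd serving the LAN side (192.168.4.0/24) of the router
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#

# option definitions common to all supported networks...
# (the subnet block below overrides domain-name-servers for the LAN)
option domain-name "rockpie1";
option domain-name-servers 192.168.0.1, 1.1.1.1;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# This router IS the official DHCP server for the LAN, so it is authoritative:
# this lets it NAK clients that still hold a lease from another network
# instead of leaving them waiting for their old lease to expire.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# The LAN segment behind the router. Clients get the router as default gateway
# and as first DNS server (dnsmasq on the router), Cloudflare as fallback.
# Keep this range disjoint from any dnsmasq dhcp-range (which ends at .150)
# if dnsmasq is also configured to serve DHCP - only one DHCP server per segment.

subnet 192.168.4.0 netmask 255.255.255.0 {
range 192.168.4.150 192.168.4.200;
option routers 192.168.4.1;
option domain-name-servers 192.168.4.1, 1.1.1.1;
option domain-name "rockpie1";
}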

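# make known what is the LAN interface
# match the whole assignment, not only an empty INTERFACESv4="" -
# this way a re-run or a pre-filled value still ends up as INTERFACESv4="$LAN"
sed -i "s/^INTERFACESv4=.*/INTERFACESv4=\"$LAN\"/" /etc/default/isc-dhcp-server
grep '^INTERFACESv4=' /etc/default/isc-dhcp-server

# syntax-check the config before restarting: a broken dhcpd.conf would
# otherwise take the running server down and leave the LAN without DHCP
dhcpd -t -cf /etc/dhcp/dhcpd.conf

# restart the service
systemctl restart isc-dhcp-server.service

# did it work? :D
systemctl status isc-dhcp-server.service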

# if yes let's test 
# on a LAN connected client PC

# add a second, temporary address to the client's NIC (label enp2s0:1)
# and request a lease from the new router over that label
ip address add 192.168.4.234/24 dev enp2s0 label enp2s0:1
dhclient enp2s0:1

# on the client this looks like (dhclient is the client-side process; the ACK comes from the router)
==> /var/log/syslog <==

2025-01-07T14:42:18.579074+01:00 support dhclient[4706]: DHCPREQUEST for 192.168.4.151 on enp2s0:1 to 255.255.255.255 port 67
2025-01-07T14:42:18.579854+01:00 support dhclient[4706]: DHCPACK of 192.168.4.151 from 169.254.2.98
2025-01-07T14:42:18.596305+01:00 support dhclient[4706]: bound to 192.168.4.151 -- renewal in 223 seconds.

# keep following syslog in the background to catch service startup errors
# (bring it back with "fg", or kill it when done)
tail --follow /var/log/syslog &

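# howto port forwarding:

# OPTIONAL: testing port forwarding through NAT-router-firewall

# the target MUST be a host on the LAN side (192.168.4.0/24 here).
# 192.168.0.x is the WAN/Fritzbox network: a DNAT to it never leaves via $LAN,
# so a FORWARD rule with "-o $LAN -d 192.168.0.x" can never match.
LAN_SSH_HOST="192.168.4.123"

# SECURITY: this exposes the LAN host's SSH to everything upstream of $WAN.
# Use key-only authentication on that host and consider rate limiting.
# (The WAN address itself is a private Fritzbox address, so reaching this from
# the internet would additionally need a forward of 2222 on the Fritzbox.)

# incoming traffic on WAN port 2222 -> LAN host port 22 (SSH):
iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 2222 -j DNAT --to-destination "$LAN_SSH_HOST:22"

# allow the forwarded traffic from WAN to LAN.
# FORWARD sees the packet AFTER DNAT, so match the rewritten destination port 22, not 2222.
iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$LAN_SSH_HOST" --dport 22 -j ACCEPT

# persist (deb based) so the forward survives a reboot
netfilter-persistent save

# verify rules

iptables -t nat -L -n -v

# check forwarding chain

iptables -L FORWARD -n -v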

 

on LAN connected CLIENTS make sure gateway is set:

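# set fixed ip temporarily (resets after reboot)
# pick an address OUTSIDE the DHCP ranges the router hands out
# (192.168.4.50-150 dnsmasq / 192.168.4.150-200 isc-dhcp-server above)
# ip addr add <ip>/<prefix> dev <interface>
ip addr add 192.168.4.20/24 dev eth0

# set default gateway
# "replace" also works when the client already has a default route;
# "ip route add default" would fail there with "RTNETLINK answers: File exists"
ip route replace default via 192.168.4.1

# after that the client should reach the internet via the new pc-router :)
# (by IP - name resolution additionally needs a nameserver in the client's
# /etc/resolv.conf, e.g. the router 192.168.4.1)
ping -c 3 1.1.1.1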

optional maybe useful:

# ARP / neighbour cache tuning
# gc_stale_time (seconds): how long an entry stays in the ARP cache before it counts as stale
# base_reachable_time_ms (milliseconds): base interval for re-confirming reachability
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.neigh.default.gc_stale_time=1200
net.ipv4.neigh.default.base_reachable_time_ms=30000
EOF

# activate changes
sysctl -p

Links:
