Networking equipment is necessary nowadays. Gone are the days when households had a single computer hooked up to a 56 kbps dial-up connection (at best). If you include computers, smartphones, tablets and smart TVs, it is not uncommon to have more than 10 connected devices in a single house. Even though internet connections are improving globally, I feel that the bundled networking CPEs are not always performing consistently. Most of them have a ridiculously underpowered MIPS processor and are plagued with a lot of problems like unresponsive WiFi, constant freezes etc., not to mention the myriad security holes that are constantly discovered and go unpatched. There are tens of thousands of CPEs out there that are just waiting to be pwned. You can of course pay a 4-figure amount to get an SME router, but for 99% of the cases it is probably an overkill solution. It is possible to strike a middle ground between the crappy modem/routers that ISPs ship out and an industrial multi-thousand dollar router.
Linux provides all the necessary pieces to build a fully functional router that can handle the everyday requirements of a household, so the purpose of this series is to explore how to set up a home network based on a Linux router that will outclass most of the home routers in the $100–$200 range. I will try to provide as much of the information I have accumulated as will hopefully be useful to build upon.
This is a diagram of what we will try to build in its simplest form. I will try to cover both IPv4 (SNAT) and native IPv6. For IPv4 all clients will share a single public IP address and all network address translation will be done by the router. If your ISP provides IPv6 then you will most likely be handed a whole /64 block, so every device will have its own globally routable address. Our network will reside in the home.net domain for convenience, but feel free to use your own.
To build a router you need a computer with at least two network interfaces. There are many ways to go regarding the hardware. In the past I have used a mini-ITX board in a small enclosure. You can definitely do that, as there are tons of mini-computers that can fulfill that role on AliExpress and Amazon. For these articles I am building upon the PC Engines APU2 platform. This is a highly integrated board with 3 gigabit network interfaces and 3 mini PCIe slots for less than $200. At less than 10 W energy consumption it really is a sweet little machine for our purpose. We will additionally need a gigabit switch and a decent access point. Choice of the access point really depends on your needs. A small power-plug access point may be enough for a small apartment, but a more versatile AP (or APs) will probably be required for a larger house.
As far as the internet connectivity itself goes, the ISP-provided ADSL/VDSL/cable modem will suffice as long as it can be operated in bridge mode. This is the case for most ADSL/VDSL modem/routers, but if not, Draytek has PPPoE client modems for both ADSL and VDSL.
The most straightforward way to go regarding the software would be to install pfSense. It’s a trusted, scalable BSD-based solution that just works. If you are interested in exploring a little more, you would have to set up the different software components by hand. Although this sounds a bit daunting, there are basically only a few parts that need to work together in order to have a fully functioning router. These are IP forwarding, a DHCP server, a DNS server, an NTP server and of course the firewall. All are available for practically every Linux distribution or BSD variant. So which one should you use? Although I was initially tempted to go with OpenBSD because of its excellent security record and of course the pf firewall, I decided to stick with Linux because in the end I am much more familiar with it, and version upgrades are a tad easier with Linux in comparison to OpenBSD.
Then comes the issue of the Linux distribution. In my opinion it would be wise to stick with distributions that do not assume too much about what you want to do. With that requirement the choices are much more limited. I am a longtime user of Arch Linux, and although one of my routers does run it, I still think it is more of a “medium-weight” distribution and probably a bit too much for a router. So for this project I will be using Alpine Linux, which has two distinct advantages over its competition. First, Alpine is a grsec-based distribution that builds against musl instead of the glibc that virtually every other Linux distribution uses. This allows us to keep the installed system very small without any additional cruft. Secondly, it runs almost entirely from RAM. I am saying “almost” because the configuration can be loaded at boot time from storage media. Since the OS resides in memory after boot, writes are infrequent and the configuration can be stored on an inexpensive SD card. And version upgrades are trivial: just burn the new image onto the flash drive and you are done. So all things considered it seems to be an ideal fit for the role.
Finally, here is a list of the software components that we will use. All software is available from the Alpine Linux repositories.
- Operating system: Alpine Linux
- DHCP server/DNS server: dnsmasq. Dnsmasq is an excellent tool for small networks. It combines a caching DNS server with a DHCP server, and it can do DHCPv4 as well as Router Advertisements, SLAAC and DHCPv6 for IPv6. Finally, it will generate domain names for all DHCP clients in the network in the form hostname.home.net. With dnsmasq we forgo both a separate DHCP server and a separate Router Advertisement daemon, for extra simplicity.
- PPP: rp-pppoe. If you have an ADSL/VDSL connection you most probably use PPPoE to connect to your ISP. rp-pppoe is the tool for this job.
- NTP server: There are a lot of options for this one. chrony is probably on the lighter side, but OpenNTPD from the OpenBSD project or good old ntpd are also viable options.
- IPv6 Prefix delegation: dhcpcd. Virtually all ISPs use prefix delegation (PD) for assigning IPv6 prefixes to end-user networks. Although dhcpcd is most commonly used as a DHCPv4 client, in our case it will be used to request a delegated prefix and assign it to our LAN. ISC dhclient can also be used as a lighter alternative; however, dhclient cannot do DHCPv6-PD on PPP interfaces, so if you are using PPP to connect to your ISP, dhclient will not be an option.
- Firewall management: shorewall. We could manage iptables manually, but I feel a more tested solution is better than hacking together iptables scripts. Shorewall will manage open ports and port forwarding, as well as work around some common networking “gotchas”, with minimal overhead over raw iptables rules.
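To make the dnsmasq role described above concrete, here is a minimal dnsmasq.conf that wires the pieces together: DNS caching, DHCPv4, Router Advertisements with SLAAC, and automatic hostname.home.net names. This is an added illustration, not the article's own configuration (which the series covers later); the LAN interface name eth1 and the 192.168.1.0/24 addressing are assumptions.

```conf
# /etc/dnsmasq.conf -- constructed example, not the article's configuration.
# Assumed: eth1 is the LAN interface, the router is 192.168.1.1.

# Only serve the LAN; never expose the resolver/DHCP on the WAN side.
interface=eth1
bind-interfaces

# Resolver hygiene: drop unqualified and private reverse lookups,
# and refuse upstream answers that point at private addresses.
domain-needed
bogus-priv
stop-dns-rebind

# home.net is answered locally; DHCP clients get hostname.home.net names.
domain=home.net
local=/home.net/
expand-hosts

# DHCPv4 for the LAN, with the router as gateway and DNS.
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
dhcp-authoritative

# IPv6: send Router Advertisements on eth1 using whatever global prefix
# the interface holds (delegated later by dhcpcd), let hosts do SLAAC,
# and register DNS names for SLAAC addresses of known DHCPv4 clients.
enable-ra
dhcp-range=::,constructor:eth1,ra-names,slaac,12h

cache-size=1000
```

With bind-interfaces and a single interface= line dnsmasq binds only the LAN address, so a firewall mistake on the WAN zone does not turn the router into an open resolver.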
So that’s it for this introduction. Up next in part 2 is a crash course on setting up and configuring alpine.