Lots of "just use X" comments, but the article is about showing the bare minimum/how easy the core part of routing actually is.
Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.
If you have ever enabled the wifi hotspot on an Android phone, you've also done pretty much what the article describes, on your phone.
All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.
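Added example, not from the thread or the article: the "bare minimum" the opening comment is talking about, as a POSIX sh script. It assumes a two-NIC box with WAN on eth0 and LAN on eth1 (names and the 192.168.1.0/24 subnet are constructed), handles IPv4 only, and leaves DHCP/DNS for the LAN to something like dnsmasq. The ruleset is generated as text and syntax-checked with nft -c before it is loaded, so a typo cannot leave the box with no firewall.

```shell
#!/bin/sh
# Minimal Linux "soft router": IPv4 forwarding plus an nftables ruleset with
# NAT (masquerade) on the WAN side. Nothing touches the kernel until
# router_apply is called as root; router_ruleset only prints text.

# Print a complete nftables ruleset for a two-interface router.
# $1 = WAN interface, $2 = LAN interface, $3 = LAN subnet in CIDR (optional)
router_ruleset() {
    wan="$1"
    lan="$2"
    lan_net="${3:-192.168.1.0/24}"   # constructed default, adjust to taste
    cat <<EOF
flush ruleset

table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the LAN may talk to the router itself (ssh, DHCP, DNS).
        iifname "$lan" accept
        # Allow ping from anywhere so the link can be monitored.
        ip protocol icmp icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> WAN is allowed; the WAN side may only answer.
        iifname "$lan" oifname "$wan" ip saddr $lan_net accept
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Rewrite the source address of LAN traffic leaving on the WAN link.
        oifname "$wan" masquerade
    }
}
EOF
}

# Enable forwarding and load the ruleset in one transaction. Runs as root.
# nft -c parses and validates the file without loading it; if that fails
# the currently loaded ruleset is left untouched.
router_apply() {
    wan="$1"
    lan="$2"
    lan_net="${3:-192.168.1.0/24}"
    tmp=$(mktemp) || return 1
    router_ruleset "$wan" "$lan" "$lan_net" > "$tmp"
    if ! nft -c -f "$tmp"; then
        echo "ruleset failed validation, not applied" >&2
        rm -f "$tmp"
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nft -f "$tmp"       # whole ruleset replaced atomically
    rm -f "$tmp"
}

# Usage (as root):  router_apply eth0 eth1 192.168.1.0/24
# Review first:     router_ruleset eth0 eth1 192.168.1.0/24
```

To make the setup survive a reboot, write the output of router_ruleset to /etc/nftables.conf and set net.ipv4.ip_forward=1 in sysctl.d.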
This really takes me back. My first actual 'use' for Linux was making routers out of leftover computers.
The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.
Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.
Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.
After that I started piling other services on, like a spam filter and a Squid cache; it was amazing to get so much use out of hardware that was going to just get thrown out.
Ha, that's very close to my story as well. I had a 166MHz Pentium and it was all PCI cards and 100mbit by then. That was essentially the start of my career.
I've been using OpnSense/pfsense [0] for years and would highly recommend it. It has a great automatic update experience, config backups, built-in WireGuard tunnels and advanced features like packet filtering options via Suricata.
When I am doing network management on my weekends, I’m so glad I’m not stuck in the Linux terminal learning about networking internals and can instead just go to a webui and configure my router.
I agree in principle, but I often find that the GUI abstractions don't always map to the Linux tooling/terminology/concepts, which often ends with my head bashing against the wall thinking "this is Linux, I know it can do it, and I can do it by hand, but what is this GUI trying to conceptualize?!?!"
I was recently introduced to a Barracuda router, and bashed my head against the wall long enough to discover it had an SSH interface and a Linux userland, and was able to solve my immediate problem by directly entering the commands to get it to [temporarily] do what I needed. (Of course, using the GUI to reapply settings wiped my manual configuration...)
I've used pfsense, OpenWRT, Barracuda, Verizon's OEM router (Actiontec) and they all represent the same functionality wildly differently.
> I've used pfsense, OpenWRT, Barracuda, Verizon's OEM router (Actiontec) and they all represent the same functionality wildly differently.
Worth noting that pfSense (and OPNsense) are not Linux-based, they're based on BSD, specifically FreeBSD. While it's possible to have standard router OS web UIs that are cross platform, the underlying technology is different, so it's not really a surprise that there will be differences in how the devices running these OSes are configured.
I'm at a stage where I don't want to be doing network management on my weekends. I have a Ubiquiti router that's pretty good, and for my router I'd like something like what TrueNAS is for my NAS: a distribution that completely turns the hardware into an appliance I can configure once and forget about.
Pfsense/opnsense would be one option (based on FreeBSD). For Linux there is OpenWRT, which you can either run as an alternative firmware on quite a few consumer routers/access points, or install on a PC or Pi or similar.
Caveat: I have only used OpenWRT on a high end consumer router (GL.inet MT6000) out of those. That works well, anything else is based on reading about people using those options.
For all of those, once you set it up you don't really need to do much except install updates a couple of times per year, or if you want to forward a new port or such.
Yep, this is the way. You will learn loads using Linux but this is not something you want to go wrong.
I used a low power Intel Atom mini PC with an additional NIC as a router for years. I tested it and found it could route around 300Mb/s, which was plenty.
But then I got gigabit internet. So I bought an Intel 4 port GigE card from eBay and now run OPNSense as a VM. If you get the right Intel card you can pass through ports to a VM individually, which is nice for playing (don't know the exact details, but look for cards with virtualisation support; mine is an 82575GB I think).
To be fair, my setup still probably has too much to go wrong, due to the VM thing, but I just haven't got round to getting dedicated hardware, and it's worked fine for a couple of years now.
Maybe someone in this thread has a couple of ideas:
What's the simplest way to spin up a simple "cattle, not pet" routing VM? I don't want to mess with any state, I just want version controllable config files. Ideally, if applying a version fails, it would automatically roll back to the previous state.
OpenWRT seems like it fits my description most closely, but maybe someone here is a fan of something more flashy/modern.
I recommend Pfsense or OpnSense if your hardware works with a FreeBSD-based thing. They're super easy to set up and don't have many surprises.
After I upgraded to a 10GbE Ethernet card in my previous router, my card didn't work correctly with FreeBSD-based stuff anymore. I changed to ClearOS and that was actually comparably easy to Pfsense... maybe even easier? I recommend checking that one out.
“Just use OPNsense” is great advice for production, but terrible advice for learning.
This article is valuable precisely because it shows how little magic is actually involved in routing.
OpenWrt has a generic x86 PC build that can also be used to turn basically any random PC into a router, complete with an operating system actually designed and developed for that purpose.
Hmm, I've always had a manually configured low power generic box as router.
But I've never even tried to set up my own access point, I just pay Unifi for that [1]. The software part is doable but I don't want to learn to handle the signal issues.
[1] Switched to Unifi in anger after my first consumer level 5 GHz wifi needed reboots weekly because it was overheating. Do yourself a favour and get the semi pro stuff, Unifi or others.
I've been running a custom router for about a decade, but I too haven't tried handling the wifi on my own. It's always been easy to get an external access point and there's a bit of a guarantee that it's done correctly.
I kind of feel like that's cheating though; I've outsourced the hardest part of the project to someone else. Maybe one of these days I'll take an old NUC or something and buy a decent wifi antenna for it and try and do it properly.
[1] Initially pfsense, then OpnSense, then ClearOS, and now some custom firewall rules in NixOS.
The pleasant thing about routers is that it is so simple to build one after learning the basics of networking, and pretty much any OS or distro can act as one. There are obvious choices like OPNsense/pfSense, OpenWRT, DD-WRT, FreshTomato, but literally any PC with a single Ethernet port can act as one. My favorite setup was a laptop running Ubuntu, and the whole router setup was in a single netplan file + dnsmasq for DHCP.
Edit: And ofc the best cheap device imo is the OrangePi R1 LTS and whatever USB wifi dongle. Came in clutch a few times, such a nice little device.
Routing is pretty easy for most use cases... firewalling an Internet connection, on the other hand, is just about impossible (thanks TLS 1.3) without pretty serious overhead, 3rd party maintained live subscriptions, TLS interception, and a willingness to say "no" to a lot of the shenanigans that modern programs and devices try to pull.
I recommend the free home version of Sophos for the least painful way to do it. Buy a Palo Alto with a full subscription if you are really serious.
I am truly sorry. I can't understand the physical networking from the pics or the description... I'm probably just missing something. Is there one blue plug going from the laptop to the Cisco switch or the PCI wifi module? I see a blue plug going to each device. So I'm guessing everything is plugged into the Cisco switch?
If you could show all the wiring and label it (according to the table below), I think it would add a lot of value for someone less familiar with these kinds of setups (like me).
Here I was thinking this article would tell me how to turn my unmanaged switches into routers, but no, "anything" actually means "any fully featured general purpose computer with networking".
I did this back when, just using a 100mbit NIC express card.
Ran OpenBSD for a few years like that; the base OS included everything needed. I recall it used 24MB of RAM and closer to 30MB if ssh'd in. It was very handy to have a local login when playing with firewall rules.
We are just scraping the surface here; let's imagine a really easy to use and install bit of router software that includes all kinds of p2p bells and whistles.
The extreme difficulty of setting up networking and routers is (obviously?) a weird endgame result of how companies and safety and capitalism and restriction intersect*, and given the relatively insane regulatory ideas we're seeing these days, it's time for another look at all of this.
*edit, and not, e.g. an inherent property of "networking technology," it does NOT have to be this hard.
nftables syntax is pretty tough to read. I wonder why they didn't go for an easier to read DSL. I do understand it's likely super fast to parse though, and has a 1:1 relationship to its struct in the kernel.
I’ll pick nftables over iptables any day, it’s leagues better (granted, it’s not hard). The nftables wiki is great, as the syntax and modules are documented in a single easy to read page.
As an added bonus, you get atomic updates of all chains for free.
Granted, for simple use cases, ufw or firewalld may be simpler though.
A fun project that results in a unique and stylish router is repurposing a Mac Pro Trashcan. They can be picked up for a few hundred dollars, offer dual 1GbE Intel NICs that work natively on Linux, and have plenty of CPU and RAM overhead. Throw OPNsense on there and you’re off to the races.
Qotom mini PCs are my cheatcode. These little PCs are often available with multiple NICs, and I use one as a wifi bridge/router for my office network. Put Linux or FreeBSD on one and you have a very capable little network-appliance box.
If you fancy a bit more capability, dockerize OPNsense and just play with your VLANs. One cable into your switch is enough... did I say managed... and your OPN/telco eth exit.
Any computer with a single network interface, maybe even an (old) laptop, can be used. Anything x86 from at least the last 10 years is energy efficient and fast enough to route at gigabit speed. If you don't care about energy usage, any x86-based computer from the last 20 years is fast enough.
The magic trick is to use VLANs, which require switches that support VLANs, which can be had for cheap. VLANs also allow you to create separate isolated networks for IoT or other 'less secure' or untrusted devices.
I've always made my own routers by using low-power devices running Linux (Debian) with iptables and now nftables.
No special router OS or software required.
Highly recommend.
P.S. That single network interface is very likely never a bottleneck because network interfaces are full-duplex. Only when your router is also your file server (not recommended) could internet traffic and file server traffic start to compete with each other.
It only needs one port, but for most simple networks two ports on the router means less configuration.
The "router on a stick" paradigm using VLANs to a share a single physical port is perfectly valid. You're creating a "now you have two problems" scenario in which you need a VLAN-capable switch and have VLAN configuration to make.
I typically like the ISP router on a dedicated router port to make monitoring the physical link and/or cycling the physical link easier.
Unless your ISP is >1Gbps adding a second port to most devices is as easy as adding a USB NIC.
Sounds interesting. I always wanted to use a Raspberry Pi as a router (to have one as backup in case the OpenWRT Linksys goes down), but couldn't properly wrap my head around how to overcome the single network port (I think the usual recommendation is to use an extra USB network card/adapter). Can you elaborate more about this VLAN stuff? (You would put your modem, your router, and all your machines on the switch... and in the switch you tell the router connection to double use the connection for WAN and LAN separated via VLANs? And put the modem into the "WAN VLAN" too?)
Ideally the Pi should also do what the extra DSL modem does... but I guess that's where the dream must stop. :D
The TL;DR is to have two vlans on the cable from your switch (called a "trunk"), "lan" and "wan", carrying the respective LAN and WAN networks. Then, on the Pi, create two vlans on the underlying Ethernet interface. Then those two VLAN interfaces can be configured just like the LAN and WAN interfaces of the router. On the switch, you’d dedicate one port to the WAN by adding it to the WAN VLAN without tagging, and the other interfaces do the LAN VLAN, also untagged.
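Added example (mine, not from the thread): the Pi side of the scheme described above as a POSIX sh function. It assumes the trunk is eth0, WAN is VLAN 10, LAN is VLAN 20 and the router's LAN address is 192.168.1.1/24 (all constructed); with DRY_RUN=1 it only prints the ip commands so the plan can be checked before running it as root. The ID checks reject the two configurations that silently defeat the separation: WAN and LAN on the same VLAN, and VLAN 1, the native/default VLAN on most switches.

```shell
#!/bin/sh
# "Router on a stick": one physical port (the trunk) carries two 802.1Q VLANs,
# one for WAN and one for LAN, and the router gets a sub-interface for each.
#
# Switch side (not scripted here, configured in the switch UI):
#   - the port to the router is a tagged member of both the WAN and LAN VLAN
#   - the modem's port is an untagged member of the WAN VLAN only
#   - every other port is an untagged member of the LAN VLAN only

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only VLAN IDs 2..4094. VLAN 1 is rejected on purpose: it is the
# default/native VLAN on most switches, so untagged frames from any
# unconfigured port would land in it (an assumption of this example).
check_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# $1 = trunk interface, $2 = WAN VLAN id, $3 = LAN VLAN id, $4 = LAN address/CIDR
vlan_router_setup() {
    trunk="$1"; wan_vid="$2"; lan_vid="$3"; lan_addr="$4"
    check_vid "$wan_vid" || { echo "bad WAN VLAN id: $wan_vid" >&2; return 1; }
    check_vid "$lan_vid" || { echo "bad LAN VLAN id: $lan_vid" >&2; return 1; }
    # Same ID on both sides would merge WAN and LAN into one broadcast domain.
    [ "$wan_vid" != "$lan_vid" ] || { echo "WAN and LAN VLAN ids must differ" >&2; return 1; }

    # Bring the trunk up with no IP address of its own, so anything that
    # arrives untagged (native VLAN) is neither routed nor answered.
    run ip link set "$trunk" up

    # WAN sub-interface: the ISP side. Its address normally comes from
    # DHCP or PPPoE, so only the link is created here.
    run ip link add link "$trunk" name wan type vlan id "$wan_vid"
    run ip link set wan up

    # LAN sub-interface carrying the router's LAN address.
    run ip link add link "$trunk" name lan type vlan id "$lan_vid"
    run ip addr add "$lan_addr" dev lan
    run ip link set lan up
}

# Usage:   DRY_RUN=1 vlan_router_setup eth0 10 20 192.168.1.1/24   (review)
#          vlan_router_setup eth0 10 20 192.168.1.1/24             (as root)
```

Once the wan and lan interfaces exist, any firewall/NAT ruleset written for a two-NIC router applies unchanged with "wan" and "lan" as the interface names.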
Yes, but some folks are wary of using the same physical port for external and internal traffic. Fears of "VLAN hopping" remain, even if unfounded. Also, you'll hit a performance wall since you are sharing a single gigabit port between external and internal traffic. Obviously may not be an issue for many, but if you have gigabit fiber...
I have gigabit fiber and none of this is an issue.
VLAN hopping is only possible due to misconfiguration. I'd like to be proven otherwise if that's not the case. VLANs are used EVERYWHERE where it matters. And no, the single port is absolutely not a bottleneck because the port is full-duplex.
I agree VLAN hopping is not possible without misconfiguration but it still is a "concern" for some. I also make extensive use of VLANs on my home network.
If you're trying to push close to a gigabit up and down simultaneously that single port will become a bottleneck. I agree for most typical use cases it is not a concern.
Yeah, I would add that OpenWrt x86 provides a decent interface for management. Gave dad a little minicomputer with OpenWrt when he upgraded his internet. He can change the wifi password and such and is happy.
You'd be shocked to find out how old and weak the CPU in your current router is. Typically they're on par with low end desktop CPUs from 10-15 years ago.
Except actual routers don't handle the traffic on the CPU, they have dedicated hardware to actually handle the packets. The CPU basically runs the OS, configures the hardware router, and does housekeeping tasks (e.g. ARP or FDB expirations, NAT cleanup, etc). The only packets that ever reach it are "trap to CPU" situations that don't require acceleration as those are rare or expensive to implement in hardware (e.g. better suited to a CPU). Those usually include management protocols (ICMP, ARP, NDP, STP, etc) or packets with unknown destination (e.g. the first packet to an IP that requires ARP resolution).
That's how you can have multi-Gbps on a router with a 200MHz MIPS CPU. Or Tbps on a router with a quad-core Xeon.
I assume the real router OS is extremely neutered to basically only route traffic and filter inbound with everything else being removed? But yeah I can definitely see that.
A CPU from the last 20 years can route traffic at gigabit speed. It's only something to worry about for a Raspberry Pi 3 or something similarly 'crippled'.
I think I understand why this is true for plain IP forwarding. There isn’t much to break the cache and the lookups are few and fast.
What’s the cheapest (new) computer that can drive a 1Gb port with NAT? With a busy encrypted (wireguard?) connection?
[I don't think QoS has a lot of use in the domestic environment; sure, someone here does it, but I think it's much less mainstream than the features I already mentioned.]
Such a device could drive my home. But in a couple of years I suspect I’ll want 2Gb or 10.
In the past I’ve tended to use a device until its crappy power supply failed. So I guess I’m hoping for a >5 year life span/upgrade capacity.
For all I know the answer to my question is one of those passively cooled four port n100 bricks from AliExpress. Anecdata happily accepted.
> What’s the cheapest (new) computer that can drive a 1Gb port with NAT?
What's the cheapest new computer you can find? That will work. If you have PPPoE, you need to be a bit more careful; depending on your OS and NICs, it's possible for inbound traffic to only use one core; a low power laptop CPU may not have enough throughput from a single core, but my information is a little dated.
I did 1G NAT on a dual core haswell [1] for a long time.
Wireguard adds nothing unless you'd want to terminate it on the router. In which case it adds so very little it's unnoticeable.
About any n100 will do. Question is in their reliability which mostly comes down to power regulation components quality. Not performance.
One of my installs runs on a repurposed old Android phone, which has about 100 times the CPU capacity of the router I write this through, and that one, being cheap TP-Link shit, still terminates WireGuard at link speed, which is 100Mbps. You don't need fancy gear for routing. And you don't usually need a gigabit uplink because speed is limited way upstream.
But if you want "the right gear and damn the price" go get a MikroTik. They are very good.
If you're tech-savvy and building your own router, you can add those advanced aspects in if you want them.
I'd be willing to bet, though, that the overwhelming majority of people who use consumer routers aren't doing anything remotely advanced. A how-to that covers the majority of use cases is valuable even when it excludes advanced use cases.
There are a whole lot of normal people using mesh networking Wi-Fi routers. Honestly, most of the least technical people that I know are all using mesh networks because their houses require it.
Home mesh is mostly about having wireless backhaul, and you can certainly do that if you have (preferably) two radios; you just set up one radio as a client to your main AP.
Even if you aren't doing wireless backhaul you just rely on regular client behaviour to transition between APs, and can enable 802.11r to improve this.
Enterprise "mesh" typically uses wired backhaul for performance and can help clients roam quicker with a controller (auth, not deciding to roam). The controller can also adjust radio power so APs aren't talking over each other if they're too close.
0: https://opnsense.org/
At this point I rather doubt the sanity of people still sticking to iptables tbh.
So there is approximately one concept of "packet filter done right". UI madness is on UI authors.
Is there something like that?
Version control is in the GUI; you can adapt the number of changes it keeps to your needs. Automatic config.xml backup is also possible.
:-)
Would you have a picture of the ExpressCard laptop connector?
Both get 500Mbit.
Bottleneck.
[1] https://www.intel.com/content/www/us/en/products/sku/82723/i...
But you might want VLANs anyway, so it's an interesting thing to consider.
I get by without it, but I can imagine some won't be able to.
Perhaps someone else will (or did) write up a how-to for supporting mesh networking in your homebrew router.
Mesh isn't any magic, just regular wifi.
So if anything can be turned into a router will importing anything be banned as well?