I also use Debian 12 for my home router (switched away from OPNsense). It's an old PC that became redundant when I built a new one, now stripped down to just the motherboard in a benchtable. The LAN NIC is an Intel I350 card and wifi is from an AR9280-based PCIe card, so no problems with firmware etc.
Unlike TFA I did not try to replace my ISP-provided ONT, and I use nftables (via firewalld) instead of iptables, unbound instead of dnsmasq, and systemd-networkd instead of dhclient and radvd. I also run haproxy to terminate TLS for some exposed LAN servers, and a local OpenSUSE package repository since many of my LAN machines are OpenSUSE.
For the internet facing services (chrony, haproxy, unbound) I wrote systemd override files to harden them (run as non-root, temporary mounts instead of direct filesystem access, etc). I also run them in individual network namespaces.
I highly recommend a Linux-based router if you have the hardware to spare and want a completely customizable and secure router, never having to worry about ISP malware or lack of updates again. Of course if what you have is more embedded than a full x86 motherboard then something like OpenWRT would be better than Debian.
Flexibility indeed. My first router was Linux/ipfwadm, and after many years of trying various off the shelf devices I finally came back to straight GNU/Linux. Debian for the longest time, now NixOS, as a virtual machine on a larger host. I use nftables directly, with a template engine - the same config generates rules for two premises routers and a bunch of cloud hosts (with a fully-connected mesh of wireguard links between each pair of routers, of course)
The rules make extensive use of policy routing, such that every device on my network has its own view of what services it is allowed to access, and what Internet horizon it sees. Loading the rules fails safe in that forwarding is only enabled after a successful (re)load, and the rules fail safe such that if a connection doesn't have a valid fwmark then it's not allowed to go out any interface. This allows me to do things like have two web browsing VMs that display side by side, one coming from my physical infrastructure IP and one coming from a often-rotated data center IP.
The system has served me well, but is obviously quite bespoke. I'd love to factor it out some day and publish it for general consumption, but I haven't quite figured out how to retain the flexibility while making it have broad appeal.
I stuck with OPNsense when I upgraded but I virtualized everything which make everything so much easier. [1] You can just replace the router if you want or revert it if an update fails. No more digging up an USB to Serial adapter to connect to the the console on an ALIX board.
I’m finding I can do pretty much everything between systemd-networkd and firewalld. The addition of policies that allow specifying ingress and egress zones was the last piece to make firewalld really useful on a router.
I'm doing the exact same thing, I switched ISPs and found that PFsense would only give me 10% of my WAN bandwidth due to the way the pppoe daemon is threaded.
My new firewall is Debian managed by Ansible, the playbook sets up pppoe, nftables and nettopng.
I really missed pfblockerng, so I wrote a shell script to download Firehol feeds and inject them as a set into my nftables rules.
Whole thing works great off a Proxmox J3455/8Gb mini PC with 2 NICs, leaving room for some LXC and Docker containers/
My router at the moment is a 1U Poweredge R230. Got it for 70€ off of ebay about 3,5 years ago. It's using a Pentium G4600, one stick of 16G DDR4 ECC RAM, and a small cheap 2,5'' SSD. There's an extra PCIe card with 2x 1G Intel RJ45 ports as well, giving me 4x 1G plus IPMI (or whatever Dell calls it).
Fans are throttled to 8% and I'm having Icinga2 watch system temperatures, which are usually between 35 - 45°C. It's barely audible, and currently sitting 1,5m away from my ears. I think idle power consumption is something between 20 - 30W.
It's based on Debian 11, and I'm only using tools available from Debian's repo: dnsmasq, nftables, wireguard, ipsec, haproxy, some policy based routing. Provisioning via ansible.
Rock solid platform. I've recently had to reboot for the 1st time in about 600 days due to physically moving some things around - I know, uptime is not supposed to be a flex.
Might replace the Intel PCIe card with a 1x SFP+ for a DAC connection to my core switch soon-ish since we finally seem to be getting our apartment complex connected to residential fiber.
I guess what I'm saying is - I congratulate the tenacity and expertise that went into OPs blog post, as far as homelab routers go, I'm very happy with my (very easy to set up) HW/SW.
That's quite impressive reverse engineering of the ONT. What made you choose to go through all that effort instead of using the ISP's stand-alone Huawei ONT?
If you don't know why someone would avoid trusting Huawei equipment, please read the news from recent years.
If you cannot access this news unrestricted or without government MitM, try going through non-Huawei equipment.
Really nice tutorial, and great experiment, however, at home, I would prefer to stay within a much narrower power budget like 5-10 watts max for the router. This one seems in the 40watts-60watts.
I have an ECS mini pc with a Core i3 and dual nic that I use as a router at home. For normal internet usage it stays well within that 5-10 watt range. Only slightly more than a raspberry pi but with much, much more performance.
For 10-20Watts you can use a slightly dated office-desktop (thin-client) that will take a pcie nic and usually has more than enough processing power.
A step further would be a laptop that can come by with 5-10W and still run circles around typical arm-based off the shelf routers. thou the second nic will probably connect via usb3, you get a real keyboard and screen for troubleshooting.
I use a NUC clone with a J4125 Celeron as a Debian file server and it hovers just under 3W. These tend to have only one Ethernet port so you will need to add additional ports on USB for use as a router.
Not sure how wise it is to use Huawei networking gear when it's been banned in some countries for security reasons. Also, setting up wifi access points through Debian can be a bit tedious. I simply recommend OpenWRT when it comes to router software, especially since it comes with firmware and patches for wifi, (such as 5ghz transmit support on atheros) and also provides simple configuration for things like 802.11s mesh networking, and multiple concurrent SSIDs.
Perhaps you could elaborate on a specific threat model rather than just handwaving about Huawei? As far as I can tell, the two significant threats of Huawei infrastructure are:
1. Massive DoS at a strategic moment, which is more relevant at country-scale with everyone losing communication simultaneously, rather than a few rare people having personal problems with their infrastructure.
2. Eavesdropping and backhauling the network traffic somehow. This mainly applies to corporations and governments wanting to keep using outdated plain text or even unauthenticated protocols. Individuals should be encrypting everything regardless of who makes the network gear. Especially as most countries lack privacy legislation or functional constraints on government, meaning that the WAN gear is an attacker regardless of who made it.
As far as wifi access points, I never had a problem with Debian or now NixOS. OpenWRT is a bunch of clicking and bespoke management, which is exactly what I don't want.
[+] [-] Arnavion|2 years ago|reply
Unlike TFA I did not try to replace my ISP-provided ONT, and I use nftables (via firewalld) instead of iptables, unbound instead of dnsmasq, and systemd-networkd instead of dhclient and radvd. I also run haproxy to terminate TLS for some exposed LAN servers, and a local OpenSUSE package repository since many of my LAN machines are OpenSUSE.
For the internet facing services (chrony, haproxy, unbound) I wrote systemd override files to harden them (run as non-root, temporary mounts instead of direct filesystem access, etc). I also run them in individual network namespaces.
I highly recommend a Linux-based router if you have the hardware to spare and want a completely customizable and secure router, never having to worry about ISP malware or lack of updates again. Of course if what you have is more embedded than a full x86 motherboard then something like OpenWRT would be better than Debian.
[+] [-] mindslight|2 years ago|reply
The rules make extensive use of policy routing, such that every device on my network has its own view of what services it is allowed to access, and what Internet horizon it sees. Loading the rules fails safe in that forwarding is only enabled after a successful (re)load, and the rules fail safe such that if a connection doesn't have a valid fwmark then it's not allowed to go out any interface. This allows me to do things like have two web browsing VMs that display side by side, one coming from my physical infrastructure IP and one coming from a often-rotated data center IP.
The system has served me well, but is obviously quite bespoke. I'd love to factor it out some day and publish it for general consumption, but I haven't quite figured out how to retain the flexibility while making it have broad appeal.
[+] [-] sschueller|2 years ago|reply
[1] https://sschueller.github.io/posts/wiring-a-home-with-fiber/
[+] [-] thedougd|2 years ago|reply
[+] [-] bwj982|2 years ago|reply
My new firewall is Debian managed by Ansible, the playbook sets up pppoe, nftables and nettopng.
I really missed pfblockerng, so I wrote a shell script to download Firehol feeds and inject them as a set into my nftables rules.
Whole thing works great off a Proxmox J3455/8Gb mini PC with 2 NICs, leaving room for some LXC and Docker containers/
[+] [-] lazyweb|2 years ago|reply
Fans are throttled to 8% and I'm having Icinga2 watch system temperatures, which are usually between 35 - 45°C. It's barely audible, and currently sitting 1,5m away from my ears. I think idle power consumption is something between 20 - 30W.
It's based on Debian 11, and I'm only using tools available from Debian's repo: dnsmasq, nftables, wireguard, ipsec, haproxy, some policy based routing. Provisioning via ansible.
Rock solid platform. I've recently had to reboot for the 1st time in about 600 days due to physically moving some things around - I know, uptime is not supposed to be a flex.
Might replace the Intel PCIe card with a 1x SFP+ for a DAC connection to my core switch soon-ish since we finally seem to be getting our apartment complex connected to residential fiber.
I guess what I'm saying is - I congratulate the tenacity and expertise that went into OPs blog post, as far as homelab routers go, I'm very happy with my (very easy to set up) HW/SW.
[+] [-] phone8675309|2 years ago|reply
[+] [-] stereo|2 years ago|reply
[+] [-] omniglottal|2 years ago|reply
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] nemo136|2 years ago|reply
[+] [-] dajonker|2 years ago|reply
[+] [-] abwizz|2 years ago|reply
A step further would be a laptop that can come by with 5-10W and still run circles around typical arm-based off the shelf routers. thou the second nic will probably connect via usb3, you get a real keyboard and screen for troubleshooting.
[+] [-] kevin_thibedeau|2 years ago|reply
[+] [-] rubatuga|2 years ago|reply
[+] [-] mindslight|2 years ago|reply
1. Massive DoS at a strategic moment, which is more relevant at country-scale with everyone losing communication simultaneously, rather than a few rare people having personal problems with their infrastructure.
2. Eavesdropping and backhauling the network traffic somehow. This mainly applies to corporations and governments wanting to keep using outdated plain text or even unauthenticated protocols. Individuals should be encrypting everything regardless of who makes the network gear. Especially as most countries lack privacy legislation or functional constraints on government, meaning that the WAN gear is an attacker regardless of who made it.
As far as wifi access points, I never had a problem with Debian or now NixOS. OpenWRT is a bunch of clicking and bespoke management, which is exactly what I don't want.
[+] [-] mongol|2 years ago|reply
[+] [-] TheWoodsy|2 years ago|reply
[+] [-] teleforce|2 years ago|reply
What we need is new update to this book:
[1]Linux Routers: A Primer for Network Administrators (2nd Ed):
https://www.linuxjournal.com/article/6314
[+] [-] thepostman0|2 years ago|reply
Does anyone know of any all-in-one hardware that has ADSL, 5 switch ports and WiFi, that is Linux capable?
[+] [-] treffer|2 years ago|reply
OpenWRT supports a few lantiq systems with xDSL modems.
I was running both, but in the end switched to bridge mode on a dedicated modem.
[+] [-] tetris11|2 years ago|reply
[+] [-] dsr_|2 years ago|reply
[+] [-] redeeman|2 years ago|reply