Posted by yabones 6 hours ago
It's a shell script that allows you to turn any ol' Linux computer into a WiFi router in one quick command-line:
By default, it will setup your WiFi card as an access point (allows WPA2/3, MAC filtering, etc), setup packet forwarding and routing, and run a DHCP and DNS server. It will generally pick sensible defaults, but it's also highly customizable. If your WiFi card supports simultaneous AP and client mode, it will allow that.
Its requirements are extremely minimal: basically just Linux, a compatible wireless card, and a few common configuration packages (hostapd, iw, iproute2, iptables, dnsmasq). No NetworkManager needed.
I used it as my own home Internet gateway for many years, running on an ancient fanless Atom mini-PC.
Because it can quickly setup and teardown WiFi networks on-the-fly, it's also a valuable tool for setting up test networks when reverse-engineering IoT devices. I use it frequently for this purpose (see https://snowpatch.org/posts/i-can-completely-control-your-sm...).
I've been very interested in some of Radxa's boards in the ~$30-70 range, like the E52C [0] and the E20C [1], but they don't have many distributors and seem to have stocking issues [2].
[0] https://radxa.com/products/network-computer/e52c/
[1] https://radxa.com/products/network-computer/e20c/
[2] https://shop.allnetchina.cn/products/radxa-e52c?variant=5034...
Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.
If you have ever enabled the wifi hotspot on an android phone also, you've done pretty much what the article describes on your phone.
All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.
Windows PCs had (have?) that Internet connection sharing feature for a long time. It was really just a checkbox to enable NAT too.
Sometimes I think combining a firewall/router/switch/AP/file server/etc into a device called a "router" really confuses people. Even people who should know better.
You can do a lot of routing on a $70 Mikrotik, although they might not be "easy".
The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.
Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.
Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.
After that I started piling other services on, like a spam filter, Squid cache, it was amazing to get so much use out of hardware that was going to just get thrown out.
That snowballed into “we want a website do you know how to do that?” and. Well, no, but it had Apache available and I … figured things out enough to take the skills elsewhere.
Repeated the same trick with a place in Wisconsin, who initially shared a 56k dialup connection with all their dispatchers and were impressed the thing had stayed up for 900 days without even redialing. 90% of their work was done in an on-prem wyse terminal anyway, dialup used to do the job for email or googling an address.
27, 28 years later I’m still dragged in front of them once in a while to ask how they can accomplish something cheaply with Linux, bubble gum, paper clips, or whatever . The times and technology have changed, but not how cheap they are!
The old one is getting really old now, nearly 25 years ago [2].
[1] Book Review: Linux Routers - A Primer for Network Administrators, 2nd Ed:
It just wouldn't die.
The suspicion was because the electricity going to it cleaner than average, in a datacenter, the normal wear and tear on electronics may have been reduced.
Respect was paid at it's decommissioning to convert it into a vm, knowing it's luck, chances are it would still boot up and keep on running.
I was doing the same. Router and firewall on old Pentium CPUs. I don't have these machines anymore but I still have HDDs from back then with post-it notes on them saying stuff like: "Linux firewall / HDD 120 GB". For whatever reason my HDDs adapter that can read just about everything doesn't have the correct pin out for those HDDs. Would be a blast if they were to still boot: at some point I'll just buy a compatible adapter and see what I can find on those HDDs. I was very likely also saving some backups there.
But really my best memory was years (I think) before 120 GB HDDs became an affordable thing, in the super early Slackware days, on a dial-up connection: I had a 486 desktop computer and I'd share the Internet connection to a very old laptop (!) using... PLIP. A printer cable and the Parallel Line Internet Protocol. Amazing hack: my brother and I could then both use Netscape at the same time and to us this felt like a glimpse into the future.
My home router was an old Thinkpad for a while, but then I switched over to a slightly newer Dell Optiplex that my work was throwing out. The plus side of that is that the i7 is total overkill for routing so I can also have my "router" run some VMs for network services and cut down on the number of boxen in my homelab rack.
Alpine is a great distro for this.
Anyone actually measured this? I see a lot of bandwidth/etc style tests but few that can show the actual impact of enabling disabling deep packet inspection and a few of the other metrics that I actually care about. Serve the home seems to have gotten some fancy test HW but they don't seem to be running these kinds of tests yet.
When I am doing network management on my weekends, I’m so glad I’m not stuck in the Linux terminal learning about networking internals and can instead just go to a webui and configure my router.
I was recently introduced to a Barracuda router, and bashed my head against the wall long enough to discover it had an ssh interface, and linux userland, and was able to solve my immediate problem by directly entering the commands to get it to [temporarily] do what I needed. (Of course, using the GUI to reapply settings wiped my manual configuration...)
I've used pfsense, OpenWRT, Barracuda, Verizon's OEM router (Actiontec) and they all represent the same functionality wildly differently.
Worth noting that pfSense (and OPNsense) are not Linux-based, they're based on BSD, specifically FreeBSD. While it's possible to have standard router OS web UIs that are cross platform, the underlying technology is different, so it's not really a surprise that there will be differences in how the devices running these OSes are configured.
At this point I rather doubt the sanity of people still sticking to iptables tbh.
So there is approximately one concept of "packet filter done right". UI madness is on UI authors.
Why do you doubt the sanity of people sticking to iptables? What makes nft compelling?
That said, I think many distros are shipping `iptables` as the wrapper/compatibility layer over nft now anyways.
Are they? I recently had to learn nftables and they seem to be iptables but with a slightly nicer syntax and without pre-defined chains. But otherwise, nftables directly maps to iptables and neither of them seem similar to pf.
I will concede that the OpnSense UI is far from perfect. I would really like to see a device-centric view that lets me set all the things related to that device from one screen (or possibly one screen with multiple tabs). For example, if I add a Roku device to my network, I want to enter in the MAC address and then be taken to a screen where it will let me set the hostname, pick a static IP address, hand it a specific DNS resolver IP, see all of the traffic going to/from the device, only allow it access to the Internet between during certain hours, etc. All of this currently requires jumping around between multiple disconnected parts of the OpnSense UI.
Is there something like that?
Caveat: I have only used OpenWRT on a high end consumer router (GL.inet MT6000) out of those. That works well, anything else is based on reading about people using those options.
For all of those, once you set it up you don't really need to do much except install updates a couple of times per year, or if you want to forward a new port or such.
I used a lower power Intel Atom mini PC with an additional NIC as a router for years. I tested it and found it could route around 300Mb/s which was plenty.
But then I got gigabit internet. So I bought an Intel 4 port GigE card from eBay and now run OPNSense as a VM. If you get the right Intel card you can pass through ports to VM individually, which is nice for playing (don't know the exact details but look for cards with virtualisation support, mine is an 82575GB I think).
To be fair, my setup still probably has too much to go wrong, due to the VM thing, but I just haven't got round to getting dedicated hardware, and it's worked fine for a couple of years now.
Is the concern mainly things like botnets and DDoS activity, weak default credentials on network equipment, or compromised business networks where poorly secured routers or attached NAS devices could expose sensitive or proprietary data? In other words, is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?
These are networks of controlled devices. They're hard to eradicate, as shown by the fact that they haven't been eradicated: they're still active and being used to compromise systems, including defense and intelligence systems, power systems, financial systems, identity systems, etc.
Is banning foreign gear going to fix this? No. Security isn't a product. It is, however, a process, and in a process you take steps. I think this: we (individuals and institutions) enjoy tremendous liberty in the use of communications equipment in the US and most of the West. Taking that for granted is a mistake. If part of keeping this means the US has to spin up a domestic supply of network gear, or carefully modulate where such gear comes from, then lets do that. Otherwise, The Powers That Be will leverage its concerns into far worse steps.
Imagine everyone had their routers disabled simultaneously. I don't know if the cell networks could function with the surge in standard traffic that would happen, and then you've effectively plunged all or part of the country into a communication blackout.
I think "turn it off permanently by bricking it" is almost as bad as "leverage for DDoS".
I worked on Bot Mitigation at Amazon, and we once saw a ton of traffic that was heavily distributed amongst consumer devices world-wide, but surprisingly in the US too. We suspected compromised routers that were using the home page as a health check. There was a lot of investigation I did, and the short realization after talking with the network engineers is that the amount of traffic, and distribution of sources, would be impossible to stop. There merely isn't enough bandwidth in the world to stop so many residential device if it hits a specific target. To be clear, this was coming from less than half of active Amazon customers, not everyone in the US.
Anyway, it wasn't routers, but it was a consumer device, and it wasn't nefarious, it was incompetence (in code), as usual.
IME cell networks definitely can't cope with a loss of all routers in an area, given how mobile data becomes basically unusable when there's a power outage. That said, "everyone had their routers disabled" is probably not realistic, given that there are plenty of non-chinese router vendors.
If this were really about computer security they would follow California’s example of requiring unique passwords. Maybe make manufacturers liable for not patching known remote exploitable security vulnerabilities. It doesn’t matter if the source of a DDoS is a Huawei box or a Netgear box.
- Access to data (dns/ips, domain names (if not using ESNI), amount of traffic, etc) of sites you are visiting
- Access to the inside of your network where it can attack machines that may not be secure
- DDoS
- The ability to shut down your internet
I'm sure there are more.
That should probably be the technical concern. Even if you have traffic protected by TLS, you still typically have enough metadata to cause some problems for users individually, but the assumption that foreign equipment is back-doored by some security service or other is probably safe.
net.ipv4.ip_early_demux = 0
net.ipv4.tcp_early_demux = 0
net.ipv4.udp_early_demux = 0
Such things do not preclude additional tuning on the client and server sides as well but those are even bigger topics.