Posted by yabones 7 hours ago

How to turn anything into a router(nbailey.ca)
439 points | 168 comments
drnick1 2 hours ago|
> While it may seem appealing, I would highly recommend against installing loads of software right on the router, and instead forward traffic to a device in a DMZ or VLAN.

Why not? I use an old gaming PC as a "router" (machine exposed to the WAN), and run dozens of services on it besides the firewall/NAT (iptables). Among others: email, Web server, multiple game servers, and many internal services (DNS, hostapd, loads of Docker containers).

benlivengood 1 hour ago||
You need more careful firewall rules on any device with IP forwarding enabled, and it can be hard to remember exactly when forwarding, NATing, etc. happen in relation to the incoming/outgoing firewall rules.

E.g. is your pf-based load balancer running its rules before or after the global filtering rules? And if they're running first are they SNATing incoming traffic so the LAN rules allow the traffic through or does it need explicit exceptions for external IPs to traverse to a LAN endpoint?

If you're comfortable with more advanced networking then it's fine to run it all on one box. If you just want to open ports for internal LAN services then that is a very canned and well-supported feature for a gateway firewall.

E.g. see AirSnitch which resulted in large part from mixing too many complex networking rules in single devices.

yabones 1 hour ago|||
A classic example is Docker inserting its firewall rules before everything else, causing any "published" ports to be wide open even if a firewall ruleset was configured. They might have fixed this, or doubled down on their design choice. Either way, that kind of complexity can really bite you if you're not careful.

https://docs.docker.com/engine/network/#published-ports

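As an added example (not from the thread, and not Docker's own tooling), a small Python check that reads the nat-table DOCKER chain from `iptables-save` and flags published ports that are not pinned to loopback, i.e. the wide-open case yabones describes; the sample rules are constructed to mirror the shape of the DNAT rules Docker writes.

```python
"""Flag Docker-published ports reachable from the network, not just loopback.

Added example. Docker publishes a port by adding a DNAT rule to the nat-table
DOCKER chain. A rule with no `-d <host-addr>` match applies to traffic arriving
on any host address (the 0.0.0.0 binding); `-d 127.0.0.1/32` keeps it local.
The sample below is constructed, not captured from a real host.
"""
import ipaddress
import re
import subprocess

SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER -d 192.168.1.10/32 ! -i docker0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.17.0.4:22
COMMIT
"""


def find_exposed(iptables_save: str) -> list[tuple[str, int, str, str]]:
    """Return (proto, host_port, container_dst, bind) for each DNAT rule in the
    DOCKER chain that is not restricted to a loopback destination address."""
    exposed = []
    for line in iptables_save.splitlines():
        if not line.startswith("-A DOCKER ") or " -j DNAT " not in line:
            continue
        m_dst = re.search(r" -d (\S+)", line)
        bind = m_dst.group(1) if m_dst else "0.0.0.0/0"  # no -d: any host address
        if m_dst and ipaddress.ip_network(bind, strict=False).is_loopback:
            continue  # bound to 127.0.0.1: unreachable from WAN or LAN
        proto = re.search(r" -p (\w+)", line).group(1)
        port = int(re.search(r" --dport (\d+)", line).group(1))
        dest = re.search(r" --to-destination (\S+)", line).group(1)
        exposed.append((proto, port, dest, bind))
    return exposed


def scan_live() -> list[tuple[str, int, str, str]]:
    """Run the same check against the host's real nat table (needs root)."""
    out = subprocess.run(["iptables-save", "-t", "nat"], check=True,
                         capture_output=True, text=True).stdout
    return find_exposed(out)


if __name__ == "__main__":
    for proto, port, dest, bind in find_exposed(SAMPLE_NAT):
        print(f"EXPOSED {proto}/{port} on {bind} -> {dest}")
```

Only IPv4 rules are inspected; on a dual-stack host the same check applies to `ip6tables-save -t nat`.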
drnick1 43 minutes ago||
Yes, this is a well-known pitfall. It's important not to bind containers to 0.0.0.0 for this reason, unless they are actually intended to be public.
alias_neo 2 hours ago||
> Why not?

It seems like you weren't really asking, but I'll answer anyway.

It's bad security practice, and opens up your network to attack and/or compromise, you're massively increasing the attack surface, and a compromise of one of those components leaves the attacker sat on your edge router, at which point your entire network is fair game.

Generally speaking you shouldn't expose anything on your edge router / firewall, it's a safety barrier.

You can sit things behind it in a "DMZ" and port-forward and isolate them etc. so that there are no packets terminating on the actual edge device itself; that lowers the risk of a full network-level compromise.

Chances are you might be fine and never have a problem, but it's still recommended against.

drnick1 34 minutes ago||
It was a genuine question, and while you reiterate the author's point about this being "bad security practice," neither you nor the author explain why this is the case.

I don't believe physical separation really buys you much here. At most, it may reduce downtime if you do indeed get pwned, but I think that you can achieve the same objective through a combination of containers, VMs, and UNIX users. And running multiple, somewhat redundant machines also has obvious downsides such as increased power consumption, increased maintenance burden, additional space and cabling, etc.

nottorp 5 hours ago||
Hmm I've always had a manually configured low power generic box as router.

But I've never even tried to set up my own access point, I just pay Unifi for that [1]. The software part is doable but I don't want to learn to handle the signal issues.

[1] Switched to Unifi in anger after my first consumer level 5 Ghz wifi needed reboots weekly because it was overheating. Do yourself a favour and get the semi pro stuff, Unifi or others.

tombert 5 hours ago||
I've been running a custom router for about a decade, but I too haven't tried handling the wifi on my own. It's always been easy to get an external access point and there's a bit of a guarantee that it's done correctly.

I kind of feel like that's cheating though; I've outsourced the hardest part of the project to someone else. Maybe one of these days I'll take an old NUC or something and buy a decent wifi antenna for it and try and do it properly.

[1] Initially pfsense, then OpnSense, then ClearOS, and now some custom firewall rules in NixOS.

burner420042 4 hours ago||
So it's been a while, but the best and simplest way I think is to use an access point. I don't want my wireless gear doing routing. From a logic standpoint they act as a wireless "bridge" to the physical network, and nothing more. DHCP, etc. stay handled in one place for the entire network, back on the physical router.
p0w3n3d 1 hour ago||
There's a famous Polish song "Mój jest ten kawałek podłogi", written in times of Soviet influence, about a man building a wall around his home, but later he gets hungry and there's no exit...

Anyone with translate.kagi can find it and translate

hughes 2 hours ago||
I wonder if consumer routers will end up being built in a trivially-not-a-router configuration - something akin to a pull-tab or turn of the screw that closes a circuit, transforming the device from legally something else into a router after it's purchased.

What a dumb timeline.

HeWhoLurksLate 2 hours ago|
"this here is a virtual network appliance, so called because it doesn't have any ports on it - wait, why are you taking off that blanking panel? That's illegal!"
solarkraft 5 hours ago||
Maybe someone in this thread has a couple of ideas:

What’s the simplest way to spin up a simple „cattle, not pet“ routing VM? I don’t want to mess with any state, I just want version controllable config files. Ideally, if applying a version fails, it would automatically roll back to the previous state.

OpenWRT seems like it fits my description most closely, but maybe someone here is a fan of something more flashy/modern.

thequux 4 hours ago||
NixOS using https://github.com/thequux/nix-zone-firewall/ worked well for me for many years. I only stopped using it because my poor embedded Linux machine started having issues and it made more sense to go with a Mikrotik than to buy a new device to run as a soft router.
moqmar 5 hours ago|||
That sounds like you might like VyOS. I found it to be relatively easy to achieve exactly what I wanted, but went back to a GUI as it turned out I wanted a pet and not start a farm.
nullpoint420 4 hours ago||
> but went back to a GUI as it turned out I wanted a pet and not start a farm.

This made me chuckle, I'm definitely going to quote this the next time our K8S cluster has issues

tombert 5 hours ago|||
I recommend Pfsense or OpnSense if your hardware works with a FreeBSD-based thing. They're super easy to set up and don't have many surprises.

After I upgraded to a 10GbE ethernet card in my previous router, my card didn't work correctly with FreeBSD-based stuff anymore. I changed to ClearOS and that was actually comparably easy to Pfsense...maybe even easier? I recommend checking that one out.

miladyincontrol 4 hours ago||
While I am a Linux advocate for networking in the current day outside of hyper-specific CDN use cases (à la Netflix)... it's pretty common for people to just virtualize opnsense/pfsense to take advantage of Linux network drivers. Especially if their actual routing requirements are modest and don't require full use of the hardware.

Beyond getting support for devices completely absent on freebsd, quality of drivers, bugs much more rapidly squashed, and general misc features absent on the bsd side like NBASE-T.

kev009 1 hour ago|||
This is the kind of low quality information you see on fanboy forums. There is nothing special about Linux drivers and anyone can go look at them. A lot of hardware uses a HAL and there is a smaller OS adaptation layer, therefore most of the code is similar across OSes.

Virtualization means you now have multiple layers of drivers and privileged code in the mix to add and amplify bugs, it can and should work but if you are doing this in the name of stability that is a bit curious.

The reason Netflix can do what they do is they have good relationship with their HW vendors, NVIDIA(Mellanox) and Chelsio. If they were on Linux, they'd need the same level of support.

tombert 3 hours ago|||
I don't know enough about this level of IT to rebut this.

I use Linux for my router now because my server is NixOS, so I was able to consolidate my router into my server and turn off a machine (and thus save a little power), and I have so thoroughly drunk the Kool-aid for NixOS that I kind of want to put it everywhere. I run the latest kernel and I update daily, so I think most bugfixes (and hopefully security updates) will manifest quick enough.

bembem_c 5 hours ago|||
OPNsense. I've been using it on a Dell OptiPlex SFF for about 8 years. Was never tempted to use a VM for routing, but many do.

Version control is in the GUI; you can adapt the number of changes kept to your needs. Automatic config.xml backup is also possible.

SamDc73 47 minutes ago||
[dead]
chungy 5 hours ago||
OpenWrt has a generic x86 PC build that can also be used to turn basically any random PC into a router, complete with an operating system actually designed and developed for that purpose.
moffkalast 4 hours ago||
And of course probably 1000x the power usage compared to the average off the shelf router that runs off a borderline microcontroller.
socalgal2 2 hours ago||
good point! I think you can run it on a PI though.
moffkalast 1 hour ago||
Otoh it would make sense if you could combine it with a home server, then it's just a side process and you actually save power by not having an extra device.

Though you'd still need a switch or two. And a fiber modem which already has a router and a switch built in. Oops.

adolph 5 hours ago|||
OpenWRT is great if it fits your use case. If one has reason to stray from the happy path a disadvantage is that the OpenWRT uses a single binary like Busybox and doesn't use glibc. This is great for embedded/low power machines like the OG WRT54G, but not as optimal for when you have an entire random PC. I don't recall the exact things I was looking for but I moved on to pfSense and didn't look back.
znpy 2 hours ago||
> This is great for embedded/low power machines like the OG WRT54G, but not as optimal for when you have an entire random PC.

There are steps in the middle :)

I'm running OpenWRT on the recent WRT3200ACM and it's going beautifully.

anthk 3 hours ago||
Alpine Linux too.
proxysna 6 hours ago||
The pleasant thing about routers is that it is so simple to build one after learning the basics of networking, and pretty much any OS or distro can act as one. There are obvious choices like OPN\PFSENSE, OpenWRT, DD-WRT, FreshTomato, but literally any PC with a single Ethernet port can act as one. My favorite setup was a laptop running Ubuntu and the whole router setup was in a single netplan file + dnsmasq for DHCP.

Edit: And ofc best cheap device imo is OrangePI R1 LTS and a whatever usb wifi dongle. Came in clutch a few times, such a nice little device.

leptons 3 hours ago|
Been using DD-WRT for years. Current setup is a $50 Dell Optiplex i5 from eBay running x86 DD-WRT. I put an Intel 4x 1Gbit NIC in it, and it's been an excellent router for years.
Havoc 4 hours ago||
Just ensure the firewall appliance thing you buy has the Intel I226 chipset, not the I225.

The first two versions of the 225 have packet drop issues and it's unclear to me whether v3 (third time lucky) fixed it. And getting the stepping info out of an AliExpress supplier is hard, so the 226 is safer.

zoobab 5 hours ago||
Love the "An ExpressCard-PCIe bridge in the ThinkPad’s expansion bay".

Would you have a picture of the ExpressCard laptop connector?

yabones 3 hours ago||
It would be something a bit like this: https://www.ebay.com/itm/115721630079

Before Thunderbolt was common, people attempted to use external GPUs with this sort of expander, but it worked really poorly.

burner420042 5 hours ago||
I did this back when, just using a 100mbit NIC express card.

Ran openbsd for a few years like that, the base OS included everything needed. I recall it used 24MB of ram and closer to 30MB if ssh'd in. It was very handy to have a local login when playing with firewall rules.

tanvach 4 hours ago|
Has anyone done mesh WiFi (ideally triband) using off the shelf parts and Linux?

I have an Orbi AX system which works reliably, but now I want to upgrade the radio to WiFi 7 and that means I need to upgrade all the hardware.

Hoping to move to using off the shelf parts so in the future I can just change the radio (ideally bunch of USB sticks).

I understand this is not strictly just the router. I can have (and used to have) a router as a separate device, but any mesh WiFi right now that I can find needs a pricey router that acts as the coordinator, which essentially negates the economic benefits.

segbrk 4 hours ago||
That's a bigger can of worms than you might expect. Most consumer WiFi chips only barely support AP mode, and I'm not aware of any that can do multiple bands simultaneously. You'd probably need 4 adapters on the repeater for triband. One to connect upstream, one for each downstream band. Three instances of hostapd all configured with the same SSID and auth for each downstream interface.

Then there's the roaming issue. This is largely what the commercial "mesh" systems try to solve: deciding / helping inform when clients should switch APs. There are many solutions and none of them are without issues, including the commercial ones. Here's a starting point: https://openwrt.org/docs/guide-user/network/wifi/roaming

tanvach 2 hours ago||
Super interesting, thanks for sharing
Havoc 4 hours ago||
OpenWrt guys were cooking up a WiFi 7 router I think. Think that's the best bet, but not super close to it though.