WARNING: CURRENTLY, THIS IS WORK IN PROGRESS

It is a heavy modification of the blog post credited at the end of this page, but is developing towards an almost complete rewrite. Main changes:
- no bridging between local interfaces; instead rely on routing and the firewall between them
- switched to systemd-networkd for interface bring-up, all DHCPv4/v6 clients and IPv6 router advertisements
- in the local nets, use IPv6 SLAAC only, but delegate the prefix obtained from the ISP (DHCPv6-PD)
- switched to a two-stage nftables setup with flow offloading (it is much nicer than iptables!)
- use dnsmasq as DHCPv4 server and as DNS resolver for the local zones
- switched to AdGuard Home as the main DNS resolver
- switched to chrony as NTP server/client, with NTS (Network Time Security) support
- transparent intercepts for outgoing unencrypted DNS and NTP, via DNAT to the router
- use ntopng (community edition) to monitor traffic (with a nice web UI)
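The two-stage nftables layout and the transparent DNS/NTP intercept from the list above, as an added example (this is not the repository's own ruleset, which is generated by Ansible). Interface names `wan0` / `lan0` are assumptions; `192.168.10.1` is the router's LAN address used in the install notes below. Stage one is the stateful forward chain that decides which new connections are allowed; stage two is the flowtable, which takes over established TCP/UDP flows so they bypass the rest of the chain:

```nft
#!/usr/sbin/nft -f
# Added example ruleset. Assumed interface names: wan0 (ISP VLAN), lan0 (primary LAN).
flush ruleset

table inet filter {
    # Stage 2: established TCP/UDP flows are added here and skip the forward chain.
    # Add "flags offload" only if the NIC driver supports hardware offload.
    flowtable ft {
        hook ingress priority 0
        devices = { wan0, lan0 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        # Router services reachable from the LAN only: SSH, DNS, DHCPv4, NTP
        iifname "lan0" tcp dport { 22, 53 } accept
        iifname "lan0" udp dport { 53, 67, 123 } accept
        # DHCPv6 client / prefix delegation replies on the WAN side
        iifname "wan0" udp dport 546 accept
        # ICMP / ICMPv6 are needed for PMTU discovery, NDP and RAs
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # Hand established TCP/UDP flows to the flowtable; later rules never see them again.
        ct state established,related meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
        # Stage 1: new connections are only allowed from the LAN towards the WAN
        iifname "lan0" oifname "wan0" accept
    }
}

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Transparent intercept: plain DNS (udp/tcp 53) and NTP (udp 123) from LAN
        # clients is redirected to the router's own resolver and chrony, regardless
        # of what the client has configured. Only forwarded traffic traverses
        # prerouting, so the router's own upstream DNS/NTS queries are unaffected.
        iifname "lan0" meta l4proto { tcp, udp } th dport 53 dnat ip to 192.168.10.1
        iifname "lan0" udp dport 123 dnat ip to 192.168.10.1
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Two caveats worth knowing before enabling the intercept: it only catches unencrypted traffic, so DoT (853) and DoH (443) clients still reach their configured upstream, and an IPv6 counterpart (`dnat ip6 to` the router's LAN address) is needed for SLAAC clients that were handed an IPv6 resolver. Second, a LAN host that itself uses NTS with an external server will have its authenticated NTP packets redirected to chrony on the router and will reject the replies; exempt such hosts from the udp/123 rule or point them at the router's NTS-enabled chrony instead.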
Ongoing TODOs:
- netcup DDNS setup
- podman installation (remove any docker config)
- add tasks for setting up BTRFS / snapper snapshots, also for GRUB
- modify the Ansible task to spawn a serial console on the N100 ITX
- set up a WireGuard mesh to webserver / clients
- install Caddy as HTTP reverse proxy?
- install / set up Samba / NFS / SFTP
- automate installation of smartmontools
Interface roles:
- not used: WAN interface without VLAN
- actual WAN interface, with the VLAN ID required by the ISP
- primary LAN interface
- auxiliary interface without DHCP
- secondary LAN interface, wired to the access point
- guest WiFi VLAN (WiFi / SSID are configured on the AP, not on the router)
- Ghetto WiFi VLAN (WiFi / SSID are configured on the AP, not on the router)
Credits: a lot of parts / detail solutions have been generated by ChatGPT; the core structure for individual aspects was taken from:
- heavily modified / rewritten, but initially based on https://tongkl.com/building-a-router-from-scratch-part-1/
- compared to that guide, the config for network, firewall, ad blocker and DHCP / IPv6 prefix delegation has been replaced with alternative approaches
- base template for systemd-networkd IPv6 prefix delegation: https://blog.g3rt.nl/systemd-networkd-dhcpv6-pd-configuration.html
- heavy inspiration from the generated nftables ruleset of my previous OpenWrt router
- He
Perform a fresh install of Debian 12 on your future router and give your user sudo privilege. Configure the router with the static IP 192.168.10.1 on one of the LAN interfaces so that you can connect to it via ssh. Plug the WAN cable into the WAN port and configure that interface to use DHCP so the machine has Internet access. Install python3 (needed by Ansible on the managed host) and openssh-server on the machine; selecting "SSH server" in the Debian installer's task selection gets you the latter without needing console access first:

$ sudo apt install openssh-server python3

Copy the ssh public key of your Ansible host to the router (ssh-copy-id does this). You are good to go: just run Ansible and it will be done. The -K flag prompts for the sudo password of the remote user.

$ ansible-playbook -i inventory/hosts playbooks/router/main.yaml -K

Note that the playbook replaces the interface configuration with systemd-networkd, so make sure the address you are connected through is the one the playbook assigns to the primary LAN interface; otherwise the ssh session drops mid-run.