Ansible playbook to build a Debian based dual-stack IPv4 / IPv6 router from scratch, based on nftables, AdGuard Home, systemd-networkd and dnsmasq

rgregor/debian-12-router


WIP: Ansible Debian 12 Router (IPv4/IPv6, Nftables, Systemd-networkd, Dnsmasq, Adguard, ntopng)

  • WARNING: CURRENTLY, THIS IS WORK IN PROGRESS

  • It is a heavy modification of: this blog post

  • but is developing towards an almost complete rewrite. Main changes:

    • Do not use bridging between local interfaces; instead rely on routing and the firewall
    • switched to systemd-networkd for interface bring-up, all DHCPv4/v6 clients and IPv6 RAs
    • in local nets, use IPv6 SLAAC only, but hand out the prefix obtained from the ISP via DHCPv6 prefix delegation
    • switched to a two-stage nftables setup with flow offloading (it is much nicer than iptables!)
    • use dnsmasq as DHCPv4 server and DNS resolver for local zones
    • switched to AdGuard Home as main DNS resolver
    • switched to chrony as NTP server/client with NTS (secure NTP) support
    • transparent intercepts for outgoing unencrypted DNS and NTP, DNATed to the router
    • use ntopng (community edition) to monitor traffic (with a nice web UI)
  • ongoing TODOs

    • netcup DDNS setup
    • podman installation (remove any Docker config)
    • add tasks for setting up BTRFS / snapper snapshots, also for GRUB
    • modify the Ansible task to spawn a serial console on the N100 ITX
    • set up a WireGuard mesh to webserver / clients
    • install Caddy as HTTP reverse proxy?
    • install / set up Samba / NFS / SFTP
    • automate the install of smartmontools

Network interfaces:

enp0s0f0np0

  • not used directly: the untagged WAN NIC (the ISP requires VLAN-tagged traffic, see below)

enp0s0f0np0.10

  • actual WAN interface with VLAN ID as required by ISP

enp0s0f1np1

  • primary LAN interface

enp2s0

  • auxiliary interface without DHCP

enp3s0

  • secondary LAN interface, wired to access point

guest (aka enp3s0.100)

  • Guest WiFi VLAN (WiFi / SSID are configured on the AP, not on the router)

ghetto (aka enp3s0.254)

  • Ghetto WiFi VLAN (WiFi / SSID are configured on the AP, not on the router)
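The interface roles above, together with the design points in the change list (routing instead of bridging, flow offloading, transparent DNS/NTP intercept), map onto an nftables ruleset like the following. It is an added example written for this page, not the project's own two-stage ruleset: the interface names are the ones listed, 192.168.10.1 is the LAN address given under Preconditions, and the split into "trusted" and "guest" groups, the management rule and the port choices are assumptions to adapt.

```nft
#!/usr/sbin/nft -f
# Added example (not the project's ruleset). Interface names are taken from
# the list above; 192.168.10.1 is the LAN address from Preconditions; the
# trusted/guest grouping and the management rule are assumptions.
flush ruleset

define wan     = "enp0s0f0np0.10"
define lan_ifs = { "enp0s0f1np1", "enp3s0", "enp3s0.100", "enp3s0.254" }
define trusted = { "enp0s0f1np1", "enp3s0" }
define guests  = { "enp3s0.100", "enp3s0.254" }
define router4 = 192.168.10.1

table inet filter {
    # Established TCP/UDP flows are handed to the flowtable, so the bulk of
    # their packets skip the classic forward path (software flow offload).
    flowtable ft {
        hook ingress priority 0
        devices = { "enp0s0f0np0.10", "enp0s0f1np1", "enp3s0", "enp3s0.100", "enp3s0.254" }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # NDP, RAs, PMTU discovery and diagnostics on both families.
        meta l4proto { icmp, ipv6-icmp } accept
        # WAN: only the replies to our own DHCPv4 / DHCPv6(-PD) clients.
        iifname $wan udp dport { 68, 546 } accept
        # Local nets: DNS (AdGuard Home / dnsmasq), DHCPv4 (dnsmasq), NTP (chrony).
        iifname $lan_ifs udp dport { 53, 67, 123 } accept
        iifname $lan_ifs tcp dport 53 accept
        # Management only from the trusted nets, never from guest/ghetto.
        iifname $trusted tcp dport 22 accept
        # The AdGuard Home and ntopng web UIs would be opened here, $trusted only.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
        ct state invalid drop
        # Trusted nets may reach the Internet and each other (routed, not bridged).
        iifname $trusted accept
        # Guest and ghetto VLANs only reach the Internet: no LAN, not each other.
        iifname $guests oifname $wan accept
    }
}

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Transparent intercept: plain DNS and NTP from any local net is sent to
        # the router's own resolver / chrony, whatever the client configured.
        # DoT (853) and DoH (443) are not caught this way; decide on them in
        # the forward chain. Counters make the intercept observable.
        iifname $lan_ifs meta l4proto { tcp, udp } th dport 53 counter dnat ip to $router4
        iifname $lan_ifs udp dport 123 counter dnat ip to $router4
        # IPv6 clients need matching "dnat ip6 to <router address>" rules;
        # the address depends on the delegated prefix or a ULA (assumption).
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan masquerade
    }
}
```

Check the file without loading it (`nft -c -f router.nft`), then load it with `nft -f router.nft`. `nft list flowtables inet` shows whether the kernel accepted the VLAN sub-interfaces as flowtable devices (if it did not, list the parent NICs instead), and the counters on the two DNAT rules show intercepted queries, for example after `dig @9.9.9.9 example.org` from a guest client.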

Credits / Sources

  • Many parts and detail solutions were generated by ChatGPT; the core structure for the individual aspects was taken from:

Ansible Layout

Systemd-Networkd

nftables

  • Heavy inspiration from the generated nftables ruleset of my previous OpenWRT router
  • He

Chrony / NTP server

Preconditions

Perform a fresh install of Debian 12 on your future router and give your user sudo privileges. Configure the static IP 192.168.10.1 on one of the LAN interfaces so that you can reach the machine via SSH. Plug the WAN cable into the WAN port and configure that interface for DHCP so the machine has Internet access. Install python3 and openssh-server on the machine:

$ sudo apt install openssh-server python3

Copy the SSH public key of your Ansible host to the router (for example with ssh-copy-id). You are good to go: run the playbook and the rest is done (-K prompts for the sudo password):

$ ansible-playbook -i inventory/hosts playbooks/router/main.yaml -K
