{"id":4438,"date":"2017-06-05T15:31:46","date_gmt":"2017-06-05T13:31:46","guid":{"rendered":"https:\/\/adrhc.go.ro\/blog\/?p=4438"},"modified":"2019-11-24T00:32:14","modified_gmt":"2019-11-23T22:32:14","slug":"setup-linux-router","status":"publish","type":"post","link":"https:\/\/adrhc.go.ro\/blog\/setup-linux-router\/","title":{"rendered":"setup your own linux based router"},"content":{"rendered":"
\r\nWhat is all about<\/strong>\r\nshort story ...<\/em>\r\nThis post will help you to configure a linux PC in order to function as a router too.\r\nlong story ...<\/em>\r\nIf you like me have a very low energy consumption PC (a NAS equivalent) running all the time you might prefer it to act as a router too. This way you'll be able to:\r\n- use the full Linux power to control the network traffic (especially the malicious connections)\r\n- use the better performing PC hardware (compared to one of a dedicated router) to deal with the network traffic\r\n- have fun because you're a linux enthusiast :)\r\nThe setup explained below uses NetworkManager.service; if you use something else the main difference will be related to configuring the pppoe connection while the other aspects should be the same or anyway helpful for your setup.\r\nBut using your PC as a router doesn't mean you won't be able to use it for something else too. I for example use my PC as a router while also as a desktop PC, as a server (for this blog, Transmission, ssh, nginx, etc) and as HTPC (Plex based).\r\n\r\nWhat's to achieve<\/strong>\r\nIn the end you'll achieve these:\r\n- connect directly to Internet using your PC router\r\n- Internet users directly access your websites running on your PC router\r\n- when having at least 2 ethernet cards you'll use one for Internet access while the other to setup a LAN\r\n- with 2 ethernet cards one could be connected to a dedicated wireless router; its wireless users could be considered part of a LAN accessing the Internet through the PC router (the gateway for the dedicated router)\r\n- secure your PC router against malicious Internet access\r\n- setup other goodies e.g. dnsmasq with or without dhcp, sshttp, Plex\r\n\r\nHow to do it<\/strong>\r\nIn order to achieve the above you'll have do these:\r\n- secure the access to your PC router\r\n- setup a pppoe connection in order to access the Internet\r\n- share the Internet access\r\n- setup dnsmasq (NetworkManager's plugin) in order to ... long story, I'll explain later\r\n- setup a dedicated wireless router in order to have wireless access to Internet when your PC router isn't able to provide by itself wireless access\r\n- solve miscellaneous other issues e.g. dealing with sshttp and\/or Plex\r\n\r\nSecure the access to your PC router<\/strong>\r\nThis is a vital step!\r\nYou should do this first before having your PC accessed from all over the Internet.\r\nYou can do this by using the default firewall of your Linux distribution, e.g. for Ubuntu is UFW (Uncomplicated Firewall<\/a>) while for RedHat\/CentOS\/Fedora is firewalld (check firewall-cmd man page<\/a> and usage examples here<\/a> and here<\/a>).\r\nBefore continuing just check your opened ports with the commands below.\r\nList opened ports using UFW:\r\nsudo ufw status numbered<\/code>\r\nList opened ports using firewalld:\r\nfirewall-cmd --get-active-zones\r\nfirewall-cmd --list-ports<\/code>\r\n\r\nSetup a pppoe connection in order to access Internet<\/strong>\r\nUse your graphical NetworkManager connection editor (nm-connection-editor on Ubuntu) in order to create a DSL connection (e.g. named RDS). In General tab<\/em> check the options Automatically connect to this network when it is available<\/em> and All users may connect to this network<\/em>. In DSL tab<\/em> fill in the username and password handed to you by your Internet provider. In Ethernet tab<\/em> let MTU to automatic<\/em> (it won't apply to pppoe connection) and choose the card which will be used for Internet access (e.g. eth0). In IPv6 Settings tab<\/em> disable ipv6 connections if you don't have a reason to use it; if you intend to use it then this post won't help you.\r\n\r\nCheck the pppoe setup<\/strong>\r\nOn Ubuntu you'll be able to see your configuration from the command line:\r\nsudo cat \/etc\/NetworkManager\/system-connections\/RDS<\/code>\r\nor using the graphical NetworkManager applet (Connection Information<\/em> menu).\r\n\r\nWith the ifconfig command you'll see a new network interface (e.g. ppp0) when the pppoe connection is active.\r\nUsing the command below:\r\nnmcli connection show<\/code>\r\nyou'll also see that the pppoe connection is related to eth0 (chosen by you when creating the RDS connection).\r\nWith the command below:\r\nnmcli device show\r\nyou'll see that eth0 has as IP4.GATEWAY the ip of your internet provider.\r\nCheck the pppoe connection with these commands too:\r\nifconfig ppp0\r\nnetstat -i\r\n\r\nThe MTU configuration<\/strong>\r\nWhen MTU of your pppoe connection is not correctly set you'll experience internet web pages hanging\/loading forever. 1500 is the maximum MTU possible and seems to be the default for the ethernet devices. For pppoe connections the maximum MTU is 1492. Check more about these at http:\/\/www.dslreports.com\/faq\/695<\/a>.\r\n\r\nYou'll have to edit manually the [ppp]<\/em> section in \/etc\/NetworkManager\/system-connections\/RDS in order to add\/change it:\r\n\r\n[ppp]\r\nmru=1492\r\nmtu=1492<\/code>\r\nWith mtu=1492 the commands below:\r\nsudo ip route flush cache\r\nping -c 1 -M do -s 1464 8.8.8.8<\/code>\r\nshould yield among other:\r\n1 packets transmitted, 1 received, 0% packet loss<\/em>\r\nor an error similar to the below:\r\nping: local error: Message too long, mtu=1492\r\n1 packets transmitted, 1 received, 0% packet loss<\/em>\r\nIf ping with 1464 (1464 = 1492 - 28) value yields an error then change it to a lower value e.g. subtract 10 then try again and so on. When found the maximum working value add 28 to it then use it for [ppp]<\/em> section in RDS and restart RDS connection (use the NetworkManager applet to disconnect then reconnect).\r\n\r\nWhen an ip package flows through e.g. eth1 (another ethernet card on your PC router<\/em>) to ppp0 a MTU conversion must be done. This is accomplished with iptables or with the help of the firewall e.g. UFW. After finding the proper MTU you'll have to put this in \/etc\/ufw\/before.rules: \r\n\r\n-A ufw-before-forward -p tcp -i eth1 -o ppp0 --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452\r\n-A ufw-before-forward -p tcp -i eth1 -o ppp1 --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452\r\n\r\njust before # ufw-not-local though when left at the end I guess it will work too. Replace 1452 with your pppoe MTU (e.g. 1492 for RDS) minus 40 (TCP and the IP header, 20 bytes each).\r\n\r\nWhy adding 28 and why using 1464 in the first place? check at http:\/\/www.dslreports.com\/faq\/695<\/a>.\r\n\r\nThere are other commands that show the MTU value:\r\nip ad\r\nnetstat -i\r\nifconfig ppp0 | grep MTU<\/code>\r\nbut they don't provide you an option to test a wrong MTU value (as ping does).\r\nThe MTU for eth0 (used by ppp0) should be 1500.\r\n\r\nThere's another way of testing MTU value but with a more complicated setup. It works like this: on another computer (PC2) using e.g. eth0 (192.168.0.1) and connected to your PC router on e.g. eth1 run the command below in order to check received network packets:\r\nsudo tcpdump -i eth0 --direction=in -n ip proto \\\\icmp<\/code>\r\nthen from your PC router send network packets like this:\r\nping -c 1 -s 1472 -I eth3 192.168.0.1\r\nping -c 1 -s 1464 -I eth3 192.168.0.1<\/code>\r\nFor any packet received on PC2 you'll get one line of console output so when the ping value (1464, 1472) is too large you'll see more than one line in PC2's console. You should change the ping value till you reach the maximum one while still showing only one line in PC2's console. Then to that maximum value add 28 and that's will be the MTU for the connection PC router on eth1 to PC2 on eth0.\r\ncheck also http:\/\/ping.online-domain-tools.com\/<\/a>\r\n\r\nI have no idea how to check the current MRU value but seems a good idea to set it to the same value as MTU; please post a comment when you have a clue about it.\r\n\r\nShare the Internet access<\/strong>\r\nYou'll have to enable packet forwarding by editing \/etc\/sysctl.conf:\r\nnet.ipv4.ip_forward=1\r\nthen activate the new sysctl configuration with:\r\nsudo sysctl -p\r\nCheck current configuration with:\r\nsysctl net.ipv4.ip_forward\r\n\r\nAlso you'll have to configure your firewall to allow ip forwarding.\r\ne.g. with UFW you'll have to edit \/etc\/default\/ufw to have this:\r\n\r\nDEFAULT_FORWARD_POLICY=\"ACCEPT\"\r\n\r\nIn \/etc\/ufw\/before.rules you'll need:\r\n\r\n*nat\r\n:PREROUTING ACCEPT [0:0]\r\n:POSTROUTING ACCEPT [0:0]\r\n# when having no other *nat rules uncomment the line below:\r\n# -F\r\n-A POSTROUTING -o ppp0 -j MASQUERADE\r\n-A POSTROUTING -o ppp1 -j MASQUERADE\r\nCOMMIT\r\n\r\nAt this point when having multiple ethernet cards you'll be able to share the internet connection with them. This means that a PC2 directly connected to PC router's eth1 will be able to access the Internet but only with a proper configuration: \r\n- PC2 must have an ip in the same network class as PC router's eth1\r\n- PC2 must have the gateway pointing to PC router eth1's ip\r\n- PC2's DNS servers must be the same as those used by PC router (check nmcli device show eth0 | grep '.DNS'<\/em>)\r\nThis setup is an annoying complication mostly because of the DNS setup which might change depending on the Internet provider. The following section solves this with the help of a DNS and DHCP server.\r\n\r\nInternet connection sharing: the big picture<\/strong>\r\nLet's suppose that your PC router has an additional network interface (e.g. eth1). You could connect to it:\r\na) another PC on a wired connection when eth1 is wire only accessible\r\nb) many other wireless devices when eth1 is a wireless device\r\nc) a dedicated wireless router (when eth1 is wire only accessible) in order to share the Internet connection with other wireless and wired devices\r\nFor the b case you'll need to setup dnsmasq as a DNS and DHCP server. For a and c you won't really need the DHCP server but won't harm you anyway.\r\n\r\nSetup dnsmasq as a DNS and DHCP server<\/strong>\r\nWhen using NetworkManager then dnsmasq is already used as a plugin; just check \/etc\/NetworkManager\/NetworkManager.conf for something like dns=dnsmasq<\/em>. You'll need to customize dnsmasq's configuration; create the file \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf with the following content:\r\n\r\naddn-hosts=\/etc\/hosts-dnsmasq.conf\r\nlocal-ttl=3600\r\nlog-facility=\/var\/log\/dnsmasq\/dnsmasq.log\r\ninterface=eth1\r\nexcept-interface=eth0\r\nexcept-interface=ppp0\r\nstrict-order\r\nall-servers\r\nclear-on-reload\r\ncache-size=5000\r\ndhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,192.168.0.255,1h\r\ndhcp-option=option:router,192.168.0.1\r\ndhcp-option-force=option:mtu,1500\r\ndhcp-lease-max=1\r\nlog-dhcp\r\ndhcp-leasefile=\/var\/log\/dhcpd.leases.log<\/code>\r\n\r\nMake sure to create \/var\/log\/dnsmasq\/ (owned by root only) used for keeping dnsmasq.log.\r\n\r\nBe aware to exclude with except-interface<\/em> at least the pppoe connections (e.g. ppp0) and the network interfaces used by them (e.g. eth0). You can change the cache-size<\/em> in case you want less RAM to be used. Related to dhcp-range<\/em> I assume you have only one network interface available (e.g. eth1) besides the one used for the pppoe connection (e.g. eth0). So when something is connected to eth1 it will automatically get the proper ip (between 192.168.0.2 and 192.168.0.255) and the DNS configuration. On your side eth1 should have the ip 192.168.0.1 and no gateway or DNS configured. \r\n\r\nI don't know what one should do when having multiple network interface available; the problem is with the dhcp-option=option:router,192.168.0.1<\/em> which should be different for every interface.\r\n\r\nSometimes you'll notice that the network won't start with dnsmasq complaining that can't bind port 53 to 192.168.0.1 (see interface=eth1<\/em> option). This happens because sometimes eth1 (having 192.168.0.1 ip) is activated after<\/em> dnsmasq. The solution I found is to start with the \"interface=eth1\" option commented; after eth1 is started I uncomment it then kill dnsmasq which will then be restarted automatically by NetworkManager. On PC router shutdown or eth1 down I'll have to comment again the \"interface=eth1\" option and do again the uncommenting-kill-dnsmasq after restarting eth1.\r\n\r\nFor the uncommenting and dnsmasq killing part I use \/etc\/network\/if-up.d\/eth1-up:\r\n<\/pre>\n
\r\n#!\/bin\/sh -e\r\n# eth1 post-up\r\n\r\n# sudo cp -v \/********\/bin\/config\/eth1-up \/etc\/network\/if-up.d\/ && sudo chown -c root: \/etc\/network\/if-up.d\/eth1-up && sudo chmod -c 755 \/etc\/network\/if-up.d\/eth1-up\r\n\r\n[ \"$IFACE\" = \"eth1\" ] || exit 0\r\n[ \"$PHASE\" = \"post-up\" ] || exit 0\r\nif [ -e \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf ]; then\r\n\tif [ \"`grep -P \"^interface=eth1$\" \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf`\" = \"\" ]; then\r\n\t\techo \"[$(date +\"%d.%m.%Y %H:%M:%S\") eth1-up] activating \\\"interface=eth1\\\" in custom-dnsmasq.conf\" | tee -a \/var\/log\/RDS.log\r\n\t\tsed -i s\/\"^#\\s*interface=eth1$\"\/\"interface=eth1\"\/ \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf\r\n\t\tkill `pidof dnsmasq` 2>\/dev\/null\r\n\t\tif [ \"$?\" != \"0\" ]; then\r\n\t\t\techo \"[$(date +\"%d.%m.%Y %H:%M:%S\") eth1-up] couldn't find dnsmasq to kill\" | tee -a \/var\/log\/RDS.log\r\n\t\telse\r\n\t\t\techo \"[$(date +\"%d.%m.%Y %H:%M:%S\") eth1-up] killed dnsmasq (in order to restart it)\" | tee -a \/var\/log\/RDS.log\r\n\t\tfi\r\n\telse\r\n\t\techo \"[$(date +\"%d.%m.%Y %H:%M:%S\") eth1-up] custom-dnsmasq.conf already uses eth1\" | tee -a \/var\/log\/RDS.log\r\n\tfi\r\nfi\r\n<\/pre>\n
\r\nFor the commenting part I use \/etc\/network\/if-post-down.d\/eth1-post-down:\r\n<\/pre>\n
\r\n#!\/bin\/sh -e\r\n# eth1 post-down\r\n\r\n# sudo cp -v \/********\/bin\/config\/eth1-post-down \/etc\/network\/if-post-down.d\/ && sudo chown -c root: \/etc\/network\/if-post-down.d\/eth1-post-down && sudo chmod -c 755 \/etc\/network\/if-post-down.d\/eth1-post-down\r\n\r\n[ \"$IFACE\" = \"eth1\" ] || exit 0\r\n[ \"$PHASE\" = \"post-down\" ] || exit 0\r\nif [ -e \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf ]; then\r\n\tif [ \"`grep -P \"^interface=eth1$\" \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf`\" = \"\" ]; then\r\n\t\techo \"[$(date +\"%d.%m.%Y %H:%M:%S\") eth1-post-down] \\\"interface=eth1\\\" already commented in custom-dnsmasq.conf\" | tee -a \/var\/log\/RDS.log\r\n\telse\r\n\t\techo \"[$(date +\"%d.%m.%Y %H:%M:%S\") eth1-post-down] commenting \\\"interface=eth1\\\" in custom-dnsmasq.conf\" | tee -a \/var\/log\/RDS.log\r\n\t\tsed -i s\/\"^interface=eth1$\"\/\"# interface=eth1\"\/ \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf\r\n\tfi\r\nfi\r\n<\/pre>\n
\r\nI notice anyway that when shutdowning PC router<\/em> the eth1-post-down<\/em> script above doesn't work so I also use \/etc\/systemd\/system\/NetworkManager.service.d\/network-manager-override.conf:\r\n<\/pre>\n
\r\n# sudo cp -v bin\/systemd-services\/network-manager-override.conf \/etc\/systemd\/system\/NetworkManager.service.d\/ && sudo chown root: \/etc\/systemd\/system\/NetworkManager.service.d\/network-manager-override.conf && sudo chmod 664 \/etc\/systemd\/system\/NetworkManager.service.d\/network-manager-override.conf && sudo systemctl daemon-reload\r\n[Service]\r\nExecStartPre=\/bin\/sed -i s\/\"^interface=eth1$\"\/\"# interface=eth1\"\/ \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf\r\nExecStopPost=\/bin\/sed -i s\/\"^interface=eth1$\"\/\"# interface=eth1\"\/ \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf\r\n<\/pre>\n
\r\nYou'll also have to open the DNS (53) and DHCP (67) ports only on eth1:\r\n\r\nsudo ufw allow in on eth1 to any port 53 comment 'allow DNS access from LAN'\r\nsudo ufw allow in on eth1 to any port 67 comment 'allow DHCP access from LAN'<\/code>\r\n\r\nUseful commands:\r\n<\/pre>\n
\r\nsudo kill -s USR1 `pidof dnsmasq` -> generates dnsmasq statistics in \/var\/log\/dnsmasq\/dnsmasq.log\r\ntailf \/var\/log\/dnsmasq\/dnsmasq.log\r\ntailf \/var\/log\/RDS.log\r\ntailf \/var\/log\/dhcpd.leases.log\r\njournalctl -fu NetworkManager\r\ngrep -P \"interface=eth1$\" \/etc\/NetworkManager\/dnsmasq.d\/custom-dnsmasq.conf\r\n<\/pre>\n
\r\nto be continued ...\r\n\r\nsee also https:\/\/www.incapsula.com\/blog\/mtu-mss-explained.html<\/a>\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
What is all about short story … This post will help you to configure a linux PC in order to function as a router too. long story … If you like me have a very low energy consumption PC (a […]<\/p>\n
Continue reading ➞ setup your own linux based router<\/span><\/a><\/div>","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,11,49,50],"tags":[151,152,150,95],"class_list":["post-4438","post","type-post","status-publish","format-standard","hentry","category-howto","category-linux","category-network","category-security","tag-mtu","tag-pppoe","tag-router","tag-ufw"],"_links":{"self":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts\/4438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/comments?post=4438"}],"version-history":[{"count":0,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts\/4438\/revisions"}],"wp:attachment":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/media?parent=4438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/categories?post=4438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/tags?post=4438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}