User:NeddySeagoon/Pi4 Router

Motivation
The price of electricity in the UK has gone up by a factor of four in the last six months (August, 2022).

I have been running a HP Gen 7 Microserver, hosting various KVMs. I'm just left with my router KVM now. A HP Gen 7 Microserver, with 4x4TB conventional hard drives is overkill to support a single small KVM

Consolidating the router into the Pi4 Stratum 1 Time Server I can switch off the Microserver, saving about 60W on my base load, or about 1.5kW/h per day, or £22.50/month.

Overview
The Raspberry Pi4 is the first Pi with sufficient IO bandwith for a domestic router. Earlier Pis have the USB and Ethernet ports on a single USB2 root hub as thats all the Broadcom CPUs provide. Keep in mind that they were designed as mobile phone chips.

The Pi4 has
 * SDIO 0 - The mmc card
 * SDIO 1 - WiFi
 * 1Gb Ethernet Phy
 * Single lane PCIe - USB Ports (2 x USB3, 2 x USB2)
 * All the usual GPIO

By using the on board Ethernet and the USB3 ports, we can have three 1G ethernet ports. All operating at 1G full duplex concurrently may not go too well.

Hardware Requirements

 * A Pi 4
 * Two or more USB3 to 1Gb adaptors

Setting Up
Carry out a basic install. Follow the Pi4 Install guide. Use the  profile as the router will be headless.

How it works IPv4 Only
Traditionally, routers have used an all static setup but domestic internet providers are moving more and more to dynamic set up only, even if the setup is static. My own ISP has just turned off static support for IPv6.

A router is two loosely coupled interacting systems.

The first system is the internet facing client. It uses, to aquire its internet facing settings. This may require PPP support.

The second system is the internal network facing side. This uses to hand out settings to internal systems,  to keep a cache of domain names lookups and a firewall, here  to control what goes in and out.

Additions for IPv6 Only
aquires some allocations from your delegated prefix for your internal subnets and allocates the first address in each delegated /64 to the router interfaces.

This does mean that until you do something about it all your internal systems, behind NAT on IPv4, are on the big bad public internet on IPv6.

Required packages
A caching DNS resolver, To generate Netfilter rules without havind to do it all the hard way. A DHCP server A DHCP client

Optional extra packages
For intrusion detection Point-to-Point Protocol support. Required if your ISP delivers your internet using PPPoE IPv6 Router Advertisement Daemon. Required for automated IPv6 support To support wireguard VPN if you ever use public WiFi, you need a VPN.

Debugging packages
Hopefully, these will not be needed ever, as it will just work.



How it works IPv4 Only
Traditionally, routers have used an all static setup but domestic internet providers are moving more and more to dynamic set up only, even if the setup is static. My own ISP has just turned off static support for IPv6.

A router is two loosely coupled interacting systems.

The first system is the internet facing client. It uses, to aquire its internet facing settings. This may require PPP support.

The second system is the internal network facing side. This uses to hand out settings to internal systems,  to keep a cache of domain names lookups and a firewall, here  to control what goes in and out.

Additions for IPv6 Only
aquires some allocations from your delegated prefix for your internal subnets and allocates the first address in each delegated /64 to the router interfaces.

This does mean that until you do something about it all your internal systems, behind NAT on IPv4, are on the big bad public internet on IPv6.

Required packages
A caching DNS resolver, To generate Netfilter rules without havind to do it all the hard way. A DHCP server A DHCP client

Optional extra packages
For intrusion detection Point-to-Point Protocol support. Required if your ISP delivers your internet using PPPoE IPv6 Router Advertisement Daemon. Required for automated IPv6 support To support wireguard VPN if you ever use public WiFi, you need a VPN.

Debugging packages
Hopefully, these will not be needed ever, as it will just work.



How It Works IPv6 Only
Think of a router as two systems, a client and a server, with a bridge between them. The client faces the outside world. The ISP. It uses to aquire the upstream settings automatically for both IPv4 and IPv6. This may also require.

The server faces the internal LAN and uses to provide IPv4 configuration to the LAN segments and  to enable IPv6 autoconfiguration.

With those things in place, is the gate keeper on the bridge, determining which packets that are allowed to cross the bridge.

Static configuration of LAN members is still possible for both IPv4 and IPv6. Static configuration of the ISP facing interface is ISP dependent.

To aquire our setup from our ISP. No special USE settings are required.

To pass out settings to our clients. No special USE settings are required.

Shorewall is not yet keyworded for arm64. Add  to

TODO:

Cut down on DNS lookups. No special USE settings are required.

Required if your ISP demands it or you use PPP for other reasons. No special USE settings are required.

Required for IPv6 only, to advertise that we are a IPv6 router to enable clients to auto configure for IPv6.

Kernel Options
Choose IPv6 support if its required. The  profile already provides USE=ipv6 by defaut, so IPv6 support will be included everywhere that its optional.

Add IPv4 Netfilter support.

Add IPv6 Netfilter support.

Putting the Pieces Together
The documentation reserved subnets are used for the illustrations that follow.

2001:DB8::/32 Document Prefix

The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.

/etc/dhcp/dhcpd.conf
Only for IPv4. IPv6 operates differently

option domain-name "example.com";
 * 1) Set our domain name, if we have one.

option domain-name-servers 203.0.113.100,203.0.113.200;
 * 1) The upstream Domain Nawe Servers

authoritative;

subnet 203.0.113.0/24 netmask 255.255.255.248 { }
 * 1) No service on theses networks
 * 2) IMPORTANT our ISP must be excluded.

subnet 198.51.100.0/24 netmask 255.255.255.0 { }
 * 1) Our DMZ for our servers. Servers need static IPv4


 * 1) Make addresses in the range 192.0.2.0.120 to 192.0.2.139
 * 2) avaiable via DHCP, with a lease time of 3600 to 14400 sec.
 * 3) Thats a good time for WiFi where things come and go.

subnet 192.0.2.0/24 netmask 255.255.255.0 { range 192.0.2.0.120 192.0.2.139; default-lease-time 3600; max-lease-time 14400; option subnet-mask 255.255.255.0; option broadcast-address 192.0.2.255; option routers 192.0.2.252; option interface-mtu 1492; }


 * 1) Tell clients where the router is.
 * 2) Set the Maximum Transmission Unit size to 1492
 * 3) Autodiscovery does not always work.
 * 4) The default is 1500 but PPPoE needs 8 bytes
 * 5) which makes 1492 a good number.


 * 1) Rinse and repeat for other private subnets

Users that have a TFTP server to support PXE booting, for example, for diskless hosts, configure it here.

Shorewall
Shorewall is big, you just won't believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it's a long way down the road to the chemist's, but that's just peanuts to Shorewall. Shorewall is a 'short cut' too.

As IPv4 and IPv6 are completely separate network stacks, its twice as big as that. It has two separate directories for its configuration files. and

Setting up a firewall is like installing Gentoo. Design decisions are required before you start writing rules.

There are essentially two sorts of firewalls, half open and paranoid.

With half open, everything is allowed out but only responses and things specifically requested are allowed in. That's your typical domestic router. It means that if the bad guys get in, they can phone home.

With a paranoid firewall, nothing is allowed in and nothing is allowed out unless its expressly permitted.

Its not possible to cover the configuration that suits your install, so only a few key points will be covered. The naming convention has been borrowed from Smoothwall as that was the first firewall I used.

It helps to draw a diagram to show what is allowed to connect to where.


 * 1) Table below shows firewall setup.  Symbols are
 * 2)       From - To       may not initiate connections
 * 3)       From ? To       connection initiation determined by rules
 * 4)       From / To       its in the same zone - no restrictions


 * 1)       fw IP           |       From    |                   To                  |
 * 2)                                       |  net  | Green |  Blue |  DMZ  |   fw  |
 * 3) 203.0.113.26/29       |  Net          |   /   |   -   |   -   |   ?   |   ?   |
 * 4) 198.51.100.0/28       |  Green        |   ?   |   /   |   ?   |   ?   |   ?   |
 * 5) 198.51.100.128/28     |  Blue         |   ?   |   -   |   /   |   ?   |   -   |
 * 6) 10.10.0.0/16          |  DMZ          |   ?   |   -   |   -   |   /   |   -   |
 * 7) All of the Above      |  fw           |   ?   |   -   |   -   |   ?   |   /   |
 * 1) 198.51.100.0/28       |  Green        |   ?   |   /   |   ?   |   ?   |   ?   |
 * 2) 198.51.100.128/28     |  Blue         |   ?   |   -   |   /   |   ?   |   -   |
 * 3) 10.10.0.0/16          |  DMZ          |   ?   |   -   |   -   |   /   |   -   |
 * 4) All of the Above      |  fw           |   ?   |   -   |   -   |   ?   |   /   |
 * 1) 10.10.0.0/16          |  DMZ          |   ?   |   -   |   -   |   /   |   -   |
 * 2) All of the Above      |  fw           |   ?   |   -   |   -   |   ?   |   /   |
 * 1) All of the Above      |  fw           |   ?   |   -   |   -   |   ?   |   /   |

/etc/shorewall/*
Firstly, most of the files can be left untouched. The following is a get-you-going list for IPv4.

zones
Describe your network zones to Shorewall. The firewall itself is its own zone and is required here.




 * 1) ZONE          TYPE            OPTIONS         IN_OPTIONS      OUT_OPTIONS

fw             firewall green          ipv4 dmz            ipv4 blue           ipv4 net            ipv4

green is the wired fully protected network. No uninvited inbound connections from anywhere are permitted.

blue is the protected but untrusted network. e.g. WiFi devices, smart TVs. If You don't know whats in it, it goes here.

dmz is for servers. Inbound connections may be permitted here but only if a service is provided on the requested port.

net, sometimes known as red, is the big bad internet from the ISP.

The names are case sensitive and will be used in other files.

interfaces
Tell Shorewall how the zones, defined above, map to interfaces.

net    ppp0 dmz    dmz             logmartians=1,nosmurfs blue   blue            dhcp,logmartians=1,nosmurfs green  green           dhcp,logmartians=1,nosmurfs
 * 1) ZONE  INTERFACE       OPTIONS

policy
The policy is applied when there are no more rules left to test. The default for packets from the net is to DROP them on the floor and log them.

Green is allowed connect to the firewall. This matters if the rules are not correct. Its a headless system that will be administered over ssh. As long an the rules permit it. You can lock yourself out.

Everything else is REJECTed, which gives the sender a nice error message.

The first four LOGLEVEL entries for unwanted packets from the net can be removed once correct operation has been tested. The IPv4 address range has been full for several years so the logs will grow very quickly.


 * 1) SOURCE        DEST            POLICY          LOGLEVEL        RATE

net            dmz             DROP            $LOG net            blue            DROP            $LOG net            green           DROP            $LOG net            $FW             DROP            $LOG

green          fw              ACCEPT          $LOG


 * 1) Reject everything else
 * 2) everything that is not explictly allowed is denied
 * 3) locally, we use REJECT as it helps debug

all            all     REJECT          $LOG

It would be more secure to use REJECT for green to the firewall then to open a port for ssh from a single system in the rules file.

params
Map names to static IP addresses and the like, so that names can be used in rules.


 * 1) IP addresses where we run particular services
 * 2) This avoids using name resolution in rules
 * 3) and at the same time, lets us use names for IP addresses
 * 4) Convention is initial capital letters for parameters

Ntp=10.10.10.10
 * 1) Raspberry Pi Timeserver

snat
Source NAT is better known as masquerading as is the magic that makes Network Address Translation work.
 * 1) ACTION                SOURCE                  DEST            PROTO   PORT    IPSEC   MARK    USER    SWITCH  ORIGDEST        PROBABILITY

MASQUERADE	198.51.100.0/28  ppp0 MASQUERADE	198.51.100.128/28 ppp0 MASQUERADE	10.10.0.0/16 ppp0

rules
The authors rules file is over 20k, so its not shared here. This is the hard bit. The following snippet is for the green zone only. Rinse and repeat for your other zones.


 * 1) ACTION        SOURCE          DEST                    PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME         HEADERS
 * 1) ACTION        SOURCE          DEST                    PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME         HEADERS

ACCEPT         green   fw                      tcp     ssh
 * 1) WARNING - Required for remote control of shorewall maybe make this port 222
 * 1) WARNING - Required for remote control of shorewall maybe make this port 222

ACCEPT         green   net                     tcp     www ACCEPT         green   net                     tcp     https ACCEPT         green   net                     udp     domain ACCEPT         green   net                     udp     ntp ACCEPT         green   net                     tcp     ftp ACCEPT         green   net                     tcp     smtp ACCEPT         green   net                     tcp     submission ACCEPT         green   net                     tcp     514 ACCEPT         green   net                     tcp     svn ACCEPT         green   net                     tcp     hkp ACCEPT         green   net                     tcp     pop3s ACCEPT         green   net                     udp     imaps ACCEPT         green   net                     tcp     imaps ACCEPT         green   net                     udp     https ACCEPT         green   net                     tcp     64738 ACCEPT         green   net                     udp     64738 ACCEPT         green   net                     tcp     8880 ACCEPT         green   net                     tcp     4242 ACCEPT         green   net                     udp     9987 ACCEPT         green   net                     tcp     nicname ACCEPT         green   net                     tcp     ircd ACCEPT         green   net                     tcp     urd ACCEPT         green   net                     tcp     git ACCEPT         green   net                     tcp     rsync ACCEPT         green   net                     tcp     git

For every outgoing rule here, by default, shorewall creates a rule to allow the response back in. The service names are taken from.

There is no reason to allow a whole zone out. green:IPaddr only allows tho one host at IPaddr to use the rule.

If you run your own servers, some Destination NAT rules are required DNAT           net             dmz:$Mail               tcp     smtp DNAT           net             dmz:$Shell              tcp     ssh DNAT           net             dmz:$Shell              tcp     https DNAT           net             dmz:$Web                tcp     http