Talk:Home router

From Gentoo Wiki
(Redirected from Talk:Home Router)
Jump to: navigation, search
Note
This is a talk page. Please add newer comments below older ones, and sign your comments using four tildes (~~~~). When adding a new section (at the bottom of the page), please mark it as "open for discussion" by using {{talk|open}} so it will show up in the list of open discussions.

NAT and PPPoE

Talk status
This discussion is done.

I encounter problems with the NAT and PPPoE, some request responses never finished or loaded endless.

My solution was to fix the MTU with following rule:

root # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

just before:

root # iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP

root # iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT

root # iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT

root # iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

— The preceding unsigned comment was added by S34 (talkcontribs) 05:51, 9 May 2014‎

This exists in the troubleshooting section with MTU. --Grknight (talk) 13:49, 8 November 2018 (UTC)

Update supported kernels

Talk status
This discussion is done.

This guide only supports ancient Linux kernels (2.4/2.6): "Router is running Linux 2.4 or 2.6; other versions of the kernel are not supported by this guide"

Someone with appropriate knowledge (not me, unfortunately...) should update the guide and use the latest kernels available.

--Fturco (talk) 09:59, 21 March 2017 (UTC)

I will work on updating it. Should not be too bad, there are not very many options in this article. --Maffblaster (talk) 00:30, 15 April 2017 (UTC)
Looks to not have such references. Closing --Grknight (talk) 13:42, 8 November 2018 (UTC)

Basic router setup script

Talk status
This discussion is still ongoing.

While reading this guide I decided to put the fundamental parts in a bash script. In case it is useful to someone I post it below. Note: this script misses several things, most notably the hostapd configuration in case a WLAN interface is used. It makes several assumptions regarding networks. Also, my knowledge of Gentoo and OpenRC is not exhaustive.

FILE router.sh
#!/bin/bash

set -e # Stop execution when any command fails

### Change as needed
NET_CONFIG="1" # Whether to apply any network interface configuration at all

LAN="wlp2s0b1"
WLAN="1" # Indicates if LAN interface is wireless
LAN_IP_PREFIX="192.168.202"
LAN_NET="${LAN_IP_PREFIX}.0/24"

WAN="enp1s0"
WAN_IP_PREFIX="192.168.5"
CONFIG_WAN="0" # Whether WAN should be configured or not

RESOLV="/etc/resolv.conf"


function net_config {
if [[ ${CONFIG_WAN} == "1" ]]; then
 # Assuming 255.255.255.0 subnet for WAN + static IP
 # WAN interface configuration + DNS (in case it has not been configured yet)
 cat >> /etc/conf.d/net.${WAN} <<EOF
config_${WAN}="${WAN_IP_PREFIX}.2/24"
routes_${WAN}="default via ${WAN_IP_PREFIX}.1"
EOF
fi

if [[ $(cat $RESOLV | grep "${WAN_IP_PREFIX}.1") == "" ]]; then
 echo "nameserver ${WAN_IP_PREFIX}.1" >> ${RESOLV}
fi

# LAN interface config
if [[ $WLAN == "1" ]]; then
 # Disable WLAN client modules
 echo "modules_${LAN}='!iwconfig !wpa_supplicant'" >> /etc/conf.d/net.${LAN}
fi
echo "config_${LAN}=\"${LAN_NET}\"" >> /etc/conf.d/net.${LAN}


# Set OpenRC init scripts of network interfaces to depend on iptables initscript
echo 'rc_need="iptables"' >> /etc/conf.d/net.${LAN}
echo 'rc_need="iptables"' >> /etc/conf.d/net.${WAN}
}

if [[ $NET_CONFIG == "1" ]]; then net_config; fi

## Packages
# Install necessary packages and start on boot
pkgs="dnsmasq net-misc/dhcpcd iptables"
if [[ $WLAN == "1" ]]; then pkgs="${pkgs} hostapd"; fi
emerge --ask -n ${pkgs}
rc-update add dnsmasq default
rc-update add iptables default
if [[ $WLAN == "1" ]]; then  rc-update add hostapd default; fi

# dnsmasq config
mv /etc/dnsmasq.conf /etc/dnsmaq.conf.bak_$(date -I)
cat > /etc/dnsmasq.conf <<EOF
dhcp-range=${LAN},${LAN_IP_PREFIX}.100,${LAN_IP_PREFIX}.250,180d
interface=${LAN}
EOF

## iptables
# Flush tables
iptables -F
iptables -t nat -F

# Set default policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# LAN services
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow SSH access from WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop packets to privileged ports (up to 1024)
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# NAT rules
iptables -I FORWARD -i ${LAN} -d ${LAN_NET} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_NET} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_NET} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Enable routing in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Save config
/etc/init.d/iptables save

if [[  $(cat /etc/sysctl.conf  | grep 'net.ipv4.ip_forward = 1') == "" ]]; then
 cat >> /etc/sysctl.conf <<EOF
# Necessary for IP routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
EOF
fi

echo "Finished."

— The preceding unsigned comment was added by Realimp (talkcontribs) 16:48, 24 March 2018‎

Notes on rtl8723be

There are two problems i encountered this driver:

  • bad signal
  • arping working but not ping

Both were solved with a 4.9 kernel, instead of 4.14 or 4.19 and the two options:

FILE /etc/modprobe.d/rtl8723be.conf
# The best ant_sel value was different to some kernels.
# -
options rtl8723be ant_sel=1 disable_watchdog=1

Note: The second error was systemic, occuring after a reboot or a long idle time (no clients).

--Daemon (talk) 04:26, 14 January 2019 (UTC)

Page update/overhaul

Talk status
This discussion is still ongoing as of July 11, 2019.

It might be worth updating/overhauling this page, specifically

  • Kernels 2.4 and 2.6 are long outdated/gone
  • systemd setup for those interested
  • Swap DNSMASq for ISC DHCP and [BIND] as they're a bit more full-featured
  • Swap out IPtables for NFtables perhaps?
  • Add some more "router-like" functionality like UPnP
  • Maybe VPN using Wireguard or OpenVPN?

If nobody wants to tackle this, I'd be happy to do it when I have some time free to replace my existing router (PFsense)

--Intelminer (talk) 18:18, 11 July 2019 (UTC)

You will probably be the only one with time to update the page. We all volunteer our time, so we can only update what we're currently interested or able to do. Feel free to update the article anytime! Kind regards, --Maffblaster (talk) 22:23, 11 July 2019 (UTC)