Talk:Home router

From Gentoo Wiki


Talk status
This discussion is done.

I encountered problems with NAT and PPPoE: some request responses never finished or loaded endlessly.

My solution was to fix the MTU with the following rule:

root # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

just before:

root # iptables -I FORWARD -i ${LAN} -d -j DROP

root # iptables -A FORWARD -i ${LAN} -s -j ACCEPT

root # iptables -A FORWARD -i ${WAN} -d -j ACCEPT

root # iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

— The preceding unsigned comment was added by S34 (talkcontribs) 05:51, 9 May 2014‎
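The MSS clamp discussed in this thread, as an added example that is not part of S34's post or of the wiki article: a POSIX shell script that writes the FORWARD and nat rules in iptables-restore syntax with the TCPMSS rule placed ahead of the ACCEPT rules, lints that ordering before anything would be loaded, and shows the MSS a PPPoE link ends up with. The interface names (eth1, ppp0) and the LAN subnet are assumptions; the WAN-to-LAN rule is limited to established and related connections, which goes beyond the rule the page shows; the iptables-restore call is left commented out so the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the wiki page). Interface names and subnet are assumptions.
LAN="${LAN:-eth1}"
WAN="${WAN:-ppp0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# MSS that --clamp-mss-to-pmtu produces for a link MTU: MTU minus the 20-byte
# IPv4 header minus the 20-byte TCP header. PPPoE's 1492-byte MTU gives 1452.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Emit the filter and nat tables in iptables-restore syntax. TCPMSS is a
# non-terminating target, so it must sit before the ACCEPT rules: a SYN that
# hits ACCEPT first leaves the chain without ever being clamped.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ${LAN} -d ${LAN_NET} -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ${LAN} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN} -d ${LAN_NET} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${WAN} -j MASQUERADE
COMMIT
EOF
}

# Line number (within gen_rules output) of the first FORWARD rule matching a
# pattern; empty when the pattern is absent.
rule_line() {
    gen_rules | grep -n "^-A FORWARD.*$1" | head -n1 | cut -d: -f1
}

# Succeeds only when the clamp precedes the first ACCEPT in FORWARD.
clamp_first() {
    clamp=$(rule_line TCPMSS)
    accept=$(rule_line '-j ACCEPT')
    [ -n "$clamp" ] && [ -n "$accept" ] && [ "$clamp" -lt "$accept" ]
}

if clamp_first; then
    # Loading would be: gen_rules | iptables-restore
    # (atomic replacement of both tables; commented out so this runs unprivileged)
    echo "clamp precedes accept rules; MSS on ${WAN} at MTU 1492 would be $(mss_for_mtu 1492)"
else
    echo "ordering error: TCPMSS rule must precede ACCEPT rules in FORWARD" >&2
    exit 1
fi
```

After loading, `iptables -L FORWARD -v -n` should show the TCPMSS rule's packet counter rising as LAN hosts open connections; a counter stuck at zero means the rule is not being reached.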

This exists in the troubleshooting section with MTU. --Grknight (talk) 13:49, 8 November 2018 (UTC)

Update supported kernels

Talk status
This discussion is done.

This guide only supports ancient Linux kernels (2.4/2.6): "Router is running Linux 2.4 or 2.6; other versions of the kernel are not supported by this guide"

Someone with appropriate knowledge (not me, unfortunately...) should update the guide and use the latest kernels available.

--Fturco (talk) 09:59, 21 March 2017 (UTC)

I will work on updating it. Should not be too bad, there are not very many options in this article. --Maffblaster (talk) 00:30, 15 April 2017 (UTC)
Looks to not have such references. Closing --Grknight (talk) 13:42, 8 November 2018 (UTC)

Basic router setup script

Talk status
This discussion is still ongoing.

While reading this guide I decided to put the fundamental parts in a bash script. In case it is useful to someone I post it below. Note: this script misses several things, most notably the hostapd configuration in case a WLAN interface is used. It makes several assumptions regarding networks. Also, my knowledge of Gentoo and OpenRC is not exhaustive.


#!/bin/bash
set -e # Stop execution when any command fails

### Change as needed
NET_CONFIG="1" # Whether to apply any network interface configuration at all

WLAN="1" # Indicates if LAN interface is wireless

CONFIG_WAN="0" # Whether WAN should be configured or not

# Interface and address settings. The values are placeholders: the original
# definitions did not survive on this page, so adjust them to your setup.
WAN="eth0"                  # Upstream (WAN) interface
LAN="wlan0"                 # LAN interface (wireless when WLAN="1")
WAN_IP_PREFIX="192.168.1"   # First three octets of the WAN subnet; .1 is taken as upstream gateway and resolver
LAN_NET="192.168.0.1/24"    # Router address on the LAN with prefix length; iptables reads it as the LAN subnet
RESOLV="/etc/resolv.conf"

function net_config {
    if [[ ${CONFIG_WAN} == "1" ]]; then
        # Assuming subnet for WAN + static IP
        # WAN interface configuration + DNS (in case it has not been configured yet)
        cat >> /etc/conf.d/net.${WAN} <<EOF
routes_${WAN}="default via ${WAN_IP_PREFIX}.1"
EOF
        if ! grep -q "${WAN_IP_PREFIX}.1" "${RESOLV}"; then
            echo "nameserver ${WAN_IP_PREFIX}.1" >> "${RESOLV}"
        fi
    fi

    # LAN interface config
    if [[ $WLAN == "1" ]]; then
        # Disable WLAN client modules
        echo "modules_${LAN}='!iwconfig !wpa_supplicant'" >> /etc/conf.d/net.${LAN}
    fi
    echo "config_${LAN}=\"${LAN_NET}\"" >> /etc/conf.d/net.${LAN}

    # Set OpenRC init scripts of network interfaces to depend on iptables initscript
    echo 'rc_need="iptables"' >> /etc/conf.d/net.${LAN}
    echo 'rc_need="iptables"' >> /etc/conf.d/net.${WAN}
}

if [[ $NET_CONFIG == "1" ]]; then net_config; fi

## Packages
# Install necessary packages and start on boot
pkgs="dnsmasq net-misc/dhcpcd iptables"
if [[ $WLAN == "1" ]]; then pkgs="${pkgs} hostapd"; fi
emerge --ask -n ${pkgs}
rc-update add dnsmasq default
rc-update add iptables default
if [[ $WLAN == "1" ]]; then rc-update add hostapd default; fi

# dnsmasq config
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak_$(date -I)
cat > /etc/dnsmasq.conf <<EOF
# The dnsmasq settings of the original post did not survive on this page;
# put the LAN interface and the DHCP range for ${LAN_NET} here before running.
EOF

## iptables
# Flush tables
iptables -F
iptables -t nat -F

# Set default policy
# INPUT stays ACCEPT, so anything the rules below do not drop (for example
# TCP/UDP ports above 1023 on ${WAN}) reaches the router itself.
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP

# LAN services
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow SSH access from WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop packets to privileged ports (0-1023)
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# NAT rules
iptables -I FORWARD -i ${LAN} -d ${LAN_NET} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_NET} -j ACCEPT
# The next rule forwards any packet arriving on ${WAN} for the LAN subnet, not only
# replies; adding "-m conntrack --ctstate ESTABLISHED,RELATED" restricts it to replies.
iptables -A FORWARD -i ${WAN} -d ${LAN_NET} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Enable routing in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Save config
/etc/init.d/iptables save

if ! grep -q 'net.ipv4.ip_forward = 1' /etc/sysctl.conf; then
    cat >> /etc/sysctl.conf <<EOF
# Necessary for IP routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
EOF
fi

echo "Finished."

— The preceding unsigned comment was added by Realimp (talkcontribs) 16:48, 24 March 2018‎

Notes on rtl8723be

Talk status
This discussion is still ongoing.

There are two problems I encountered with this driver:

  • bad signal
  • arping working but not ping

Both were solved with a 4.9 kernel, instead of 4.14 or 4.19, and the two options:

FILE /etc/modprobe.d/rtl8723be.conf
# The best ant_sel value differed for some kernels.
# -
options rtl8723be ant_sel=1 disable_watchdog=1

Note: The second error was systemic, occurring after a reboot or a long idle time (no clients).

--Daemon (talk) 04:26, 14 January 2019 (UTC)

Page update/overhaul

Talk status
This discussion is still ongoing as of July 11, 2019.

It might be worth updating/overhauling this page, specifically

  • Kernels 2.4 and 2.6 are long outdated/gone
  • systemd setup for those interested
  • Swap dnsmasq for ISC DHCP and [BIND] as they're a bit more full-featured
  • Swap out iptables for nftables perhaps?
  • Add some more "router-like" functionality like UPnP
  • Maybe VPN using Wireguard or OpenVPN?

If nobody wants to tackle this, I'd be happy to do it when I have some time free to replace my existing router (pfSense).

--Intelminer (talk) 18:18, 11 July 2019 (UTC)

You will probably be the only one with time to update the page. We all volunteer our time, so we can only update what we're currently interested or able to do. Feel free to update the article anytime! Kind regards, --Maffblaster (talk) 22:23, 11 July 2019 (UTC)