Networks Build a router
Afnan Rehman delves into the world of networking to find out how to turn a Linux distribution into a fully functioning router.
Afnan Rehman brings all the boys to the yard, his router is better than theirs.
It’s time to take charge of your network. As individuals in the unfortunate situation of being both attracted to technology and prone to having it fail on us, we’ve gone through our fair share of consumer routers. Hunting for this year’s replacement we stumbled on a new idea: that you could build your own using Linux, with full control of the functionality and settings. What a novel idea! We immediately retrieved a PC from the LXF dungeon and set to work.
The idea of building a router is not completely new, but is growing in popularity among tech enthusiasts as a way to squeeze every last bit of performance out of your routing configuration while also maintaining full control in an era of cut-down app-controlled consumer products. The reasoning for building your own homebrew solution is that it makes the typical home or small office network completely your own. You control every aspect of the functionality from routing to IP tables to NAT and DHCP services. You can even add other functions to the router to control certain types of traffic, speeds, and how devices are prioritised.
This tutorial will serve as a basic how-to on setting up a functioning router and giving you a platform on which you can expand further and take it as far as you’d like.
First, let’s discuss the main components of any router intended to facilitate a home network. The router of today is often a bundle of many different components designed as a complete solution in one box. The ones you see on shop shelves typically have the actual router hardware, a network switch (the network ports you see on the back) and a wireless access point, which enables a wireless signal to connect all your wireless devices. Often these consumer routers use only the hardware necessary, and have a low storage capacity, RAM, and processing power. These small compromises can cause bottlenecks in your network, especially when you are using higher speeds from your internet service provider such as a 100Mbps connection or higher. The ones that perform better often cost you an arm and a leg. The solution built in this tutorial only contains the core components of a router, not including a switch or wireless access point. However, you can add these separately.
Small is beautiful
Before we get down to the nitty-gritty of setup, let’s take a moment to talk about hardware. Some of you may be wondering exactly what kind of hardware is necessary to create a functioning router. Some of you may also be wondering who in their right mind would use a full-sized desktop tower to function as a router. For those of you not keen on the idea of displaying your old hardware in the middle of your study, fear not. The wonderful thing about modern technology is how it grows ever smaller and sleeker. This also applies to the personal computer. For this project, we used a full-size desktop tower to test the idea, then moved everything over to a mini PC with dual Gigabit NICs, about the same size as a consumer router, for actual production use.
The hardware used for the build included a PC that was lying around rocking an Intel Celeron N3150 CPU with 4GB DDR3 RAM and a 64GB SSD. Is this overkill? Absolutely. Is this the cheapest system you can get to set this up? Probably not. You can certainly cut corners here using a smaller SSD, a spinning hard drive, or even an SD card to house the operating system, and you can certainly cut down on the amount of RAM. The processor can also be slower depending on what you want. We simply had these components on hand and frankly wanted top-notch performance as well.
Most importantly, you must have at least two Ethernet ports, preferably Gigabit speed. The reason for this is simple: you need one port for a WAN connection (incoming from the internet), and one for LAN (outgoing traffic to local network). The LAN port can be connected to a switch to facilitate the use of multiple wired devices.
Now let’s talk about the operating system. We’re using Ubuntu Desktop to demonstrate this concept in a simple manner and most of the work will be done in the command line. Linux in general is built with routing in mind, making it a natural choice. As such the instructions provided here can be adapted to almost any common Linux distro. In a lower-spec system it may be wiser to use a minimal install such as base Ubuntu Server or CentOS Minimal to minimise the overhead taken up by the operating system, reserving your processing power for the actual routing.
Setting up
The first step is of course to install Ubuntu or your distro of choice. This is quite simple and there are plenty of guides online. Whatever you end up using, we recommend you make sure it has long term support, such as the Ubuntu LTS version. This will ensure that there will be continued security updates for the foreseeable future, which is important for a router that you may be using for a few years.
The first thing you want to do once you log in is find out which network interface is which. You might want to grab a pen and paper to keep track. The screen should show a couple of network connections, and one marked “lo” for the loopback which we won’t worry about. Ours are labelled “enp2s0” and “enp3s0” and are both Gigabit Ethernet connections. Your hardware may vary, and the interface name may vary from what I have. Be sure to record these names as you will be using them throughout this tutorial.
The next step is to configure your network interfaces now that you know which one is which. Type the following command into your console to open the editor:
$ sudo nano /etc/network/interfaces
You’ll be greeted with a configuration file that already has a couple of lines in it regarding the loopback interface. Leave those lines alone and type the following underneath them:
# The WAN interface, above the USB port
auto enp3s0
iface enp3s0 inet dhcp
# The LAN interface, above the HDMI port
auto enp2s0
iface enp2s0 inet static
address 192.168.97.1
netmask 255.255.255.0
As you can see, we have configured both our WAN (incoming) port and our LAN (outgoing) port. I also labelled them with comments so that I know which is which. This will become very helpful later when we are using these interfaces to write our rules for routing. The LAN port is configured with a static IP address that should correspond to the one of your current router. The netmask can also be determined by looking at the settings of your current router. Both may be different from what’s listed above depending on your network, so make sure to double-check. The WAN interface is configured with DHCP from your internet provider, so we simply write the lines above and leave them as they are. Once you’re done, save the file and reboot.
Next you will want to edit the file /etc/sysctl.conf and uncomment (by deleting the “#” symbol) the line that says:
net.ipv4.ip_forward=1
This will allow packet forwarding for all network interfaces, which is essential to forward packets between your WAN and LAN networks. Save this change and run the following to refresh the configuration:
$ sudo sysctl -p
Time for tables
Now we get to the meat and potatoes of this tutorial: we are going to set up iptables! Iptables has been the most widely used Linux firewall for a long time, and we will use it here to sort and limit incoming and outgoing traffic, which will be essential if we are going to connect to the internet or any other device for that matter. The first thing we will take care of is setting up rules for packet forwarding that are applied before the network interfaces are started, which will ensure that if we ever restart the router, packets are filtered and forwarded immediately. First, we will install iptables-persistent, a package that allows iptables rules to survive reboots. Run the following command to install it:
$ sudo apt-get install -y iptables-persistent netfilter-persistent
Once that’s completed, let’s set up a startup script to tell the operating system to run the iptables ruleset before the network interfaces become available, so that the router never goes online or accesses the internet without the protection of the iptables ruleset. Create the script using the command:
network, and addresses on the other side of the router. This makes sure the router knows where to send a packet of data coming in from outside, and send it to the proper client device on the local network.
We’re not quite ready to go online yet. We want to also make sure the router can hand out IP addresses to clients just like a consumer router would. This part is very easy. First, we will install a DHCP server package:
Loosening up
At this point all the basics are there, and our router is able to handle DNS queries, give IP addresses to clients, and forward traffic. However, our rules are currently so strict that the router will refuse to do any of this. What we will do now is add several rules to the ruleset to specify what traffic goes out to the internet, what can come into the local network from the internet, and rules for port forwarding.
So we’ll go back to editing /etc/network/iptables and start with creating a service ruleset, forwarding rules, and NAT prerouting. Our complete ruleset is shown below:
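The article’s own ruleset is not reproduced on this page, so the script below is an added example, not the magazine’s code: it generates, in iptables-restore format, a default-deny ruleset of the kind the passages on loading rules before the interfaces come up and on loosening the rules describe, written to /etc/network/iptables and loaded by an ifupdown `pre-up` line. It reuses the article’s interface names (enp3s0 WAN, enp2s0 LAN) and LAN subnet 192.168.97.0/24; the port-forward line is a commented template with a placeholder LAN host.

```shell
#!/bin/sh
# Added example (not the article's ruleset). Generate a default-deny
# iptables-restore file for a two-NIC router:
#   gen_ruleset enp3s0 enp2s0 192.168.97.0/24 | sudo tee /etc/network/iptables
# Load it before the WAN comes up by adding, under "iface enp3s0 inet dhcp"
# in /etc/network/interfaces:
#   pre-up iptables-restore < /etc/network/iptables
gen_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, replies to the router's own connections, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services the router offers to the LAN side only: DHCP, DNS, SSH
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
# Forwarding: LAN may reach the internet, replies may return, nothing else
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
# Port-forward template (placeholder host): allow the DNAT'd traffic through
#-A FORWARD -i $wan -o $lan -d 192.168.97.10 -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port-forward template (placeholder host): rewrite the destination on arrival
#-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination 192.168.97.10:80
# Hide LAN addresses behind the WAN address (source NAT)
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}
# Sanity check helper: number of active (uncommented) rules with a given target.
count_rules() {
    gen_ruleset "$1" "$2" "$3" | grep -v '^#' | grep -c -- "-j $4"
}
```

After loading, `sudo iptables -S` and `sudo iptables -t nat -S` show what the kernel actually holds, which is the check to run before trusting a reboot to restore it.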