[GTALUG] Debian Linux as-a-router Guide
D. Hugh Redelmeier
hugh at mimosa.com
Fri Sep 8 11:50:12 EDT 2023
| From: Giles Orr via talk <talk at gtalug.org>
| As per my previous post, I just purchased a mini-PC which I intend to
| turn into a router. Is anyone aware of a guide for turning a Debian
| PC into a _home_ router? I'd like to be running probably DNSmasq,
| using a blocklist, stuff like that. I've found webpages that tell me
| how to turn on network forwarding, or maybe configure DNSmasq, but not
| the whole process.
There are lots of guides but it is hard to tell which are current and
reliable.
I've been using PCs as my gateway machine for perhaps 25 years. I've
been lazy and only changed when forced to (and sometimes slow at that).
I've always run some Red Hat distro (RHL, CentOS, Fedora).
Here are some things that I hope you might find useful.
- One surprise to me was that Debian out-of-the-box doesn't have a
firewall. Eek!
- normal home setups are NOT complicated. There are, however, a number of
services you might want to provide, and each requires a varying amount
of design and configuring.
On my system (that I remember) (You probably don't want all of
these):
firewall
DNS for my LAN.
DNS for the world (a hidden master for my zones)
SMTP for the world
SMTP, POP3, IMAP for my LAN
SSH for the world and for LAN (forbid authentication by
password!)
DHCP client for upstream
DHCP server for LAN
I don't have an ASN. I don't see any reason or have the ability
to run BGP and the like.
I don't have multiple LANs or VLANs. People with home-made routers
seem to like those things.
- For firewalling, I evolved my own set of rules. Now I'm using
firewalld
For most people, I imagine that firewalld is a slightly gentler
interface. Underneath it is the regular Linux firewall (nft these
days)
firewalld is easy to configure and does some of the work for you.
The model it provides makes it easier to understand firewalling.
Unlike raw filter rules, it is mostly declarative. But its
modelling capability is a bit simplistic and might not match your needs.
One great thing is that the authors/maintainers are responsive.
- I have two gateways that require PPPoE. That reduces the packet
size that can transit the link. Path MTU discovery should handle
that but some hosts in the internet just assume that the Path MTU
bottleneck is always at the leaf. So: on one gateway, I have to add
TCP MSS clamping to the firewall. For some reason I don't have to
do that on the other (it might be a built-in feature of Roaring
Penguin PPPoE).
I find that half the problem is figuring out how to bypass the ISP's
router. The documentation is bad. At least Rogers was simple.
Things are more complicated with Bell. I landed on PPPoE pass through
with my Bell-supplied GigaHub router/modem. Interestingly, that gives
my router and the Bell router distinct public IPv4 addresses. I tried
"Advanced DMZ" which was simpler (no PPPoE on my router) but that left
both routers with the same IP address and I could not figure out how
that could safely work (both are doing NAT and hence allocating ports,
but without co-ordination). Interesting: Bell's "Fibe" application
lets me watch TV with either IP address.
A good thing about the Bell setup is that I could access the internet
through the GigaHub directly, bypassing my own router, while my
router is still live. Great for debugging.
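The MSS clamping Hugh describes for his PPPoE gateway, written out as an added example (this is not code from the post or from his setup). It targets nft directly, which the post notes is what firewalld drives underneath, so it is not firewalld configuration. The interface names `ppp0` and `eth1`, the table name `gateway` and the 1492-byte PPPoE MTU are assumed placeholders; NAT masquerading is left out since the point here is the forward policy and the clamp. The arithmetic shows why the clamp works: a host that ignores Path MTU discovery still advertises an MSS that fits the smaller link, because the gateway rewrites it on every forwarded SYN.

```shell
#!/bin/sh
# Added example, not code from the original post or from the author's setup.
# Builds an nftables ruleset for a two-interface home gateway on a PPPoE uplink:
#   - forward chain: only LAN->WAN traffic and the replies to it pass through
#   - clamp chain: rewrites the MSS on every forwarded TCP SYN so that hosts
#     which ignore Path MTU discovery still get a segment size the link carries
# Interface names and the MTU are assumed placeholders; adjust to your host.
WAN_IF="${WAN_IF:-ppp0}"        # assumption: the PPPoE session interface
LAN_IF="${LAN_IF:-eth1}"        # assumption: the LAN-facing interface
PPPOE_MTU="${PPPOE_MTU:-1492}"  # 1500 minus the 8-byte PPPoE overhead

# MSS is the link MTU minus the minimal IP and TCP headers:
#   IPv4: 20 (IP) + 20 (TCP) = 40     IPv6: 40 (IP) + 20 (TCP) = 60
mss_for_mtu() {
  case "$2" in
    ip)  echo $(($1 - 40)) ;;
    ip6) echo $(($1 - 60)) ;;
    *)   echo "mss_for_mtu: family must be ip or ip6" >&2; return 1 ;;
  esac
}

# Print the ruleset to stdout so it can be reviewed (and checked with
# `nft -c`) before anything is loaded into the kernel.
gateway_ruleset() {
  mss4=$(mss_for_mtu "$PPPOE_MTU" ip)  || return 1
  mss6=$(mss_for_mtu "$PPPOE_MTU" ip6) || return 1
  cat <<EOF
table inet gateway {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
  chain clamp {
    # mangle priority runs before the filter chain above; only SYNs
    # (without RST) are touched, and on a two-interface gateway every
    # forwarded packet crosses the PPPoE link, so no interface match is needed
    type filter hook forward priority mangle; policy accept;
    meta nfproto ipv4 tcp flags & (syn|rst) == syn tcp option maxseg size set $mss4
    meta nfproto ipv6 tcp flags & (syn|rst) == syn tcp option maxseg size set $mss6
  }
}
EOF
}

# Validate in nft's check mode first, then load. Needs root and the nft binary;
# this is deliberately not run when the file is merely sourced.
apply_ruleset() {
  gateway_ruleset | nft -c -f - || { echo "ruleset rejected by nft -c" >&2; return 1; }
  gateway_ruleset | nft -f -
}

# Dry run:        . ./gateway.sh && gateway_ruleset
# Load (as root): . ./gateway.sh && apply_ruleset
```

With the 1492-byte MTU this clamps IPv4 SYNs to 1452 and IPv6 SYNs to 1432. Because the chain has a fixed MTU baked in, it only suits a link whose MTU you know; `tcp option maxseg size set rt mtu` is nft's way of deriving the value from the route instead, which is what you would reach for if the uplink MTU can change.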