Router Setup

For this, start with the base image and deploy to a system with two network cards. It's possible to use one and configure a "router on a stick," but that's a bit beyond the scope of this blog post. For the initial setup, only one interface needs to be connected, to the internal network. Output is, as usual, from a VM.

It's possible in principle to configure a firewall with raw iptables or nftables. I prefer to use a front-end, and find firewalld to be quite a bit more flexible than UFW. So, to install firewalld

$ paru -Syu firewalld
$ sudo systemctl enable --now firewalld

Default is to allow SSH in, so this won't disconnect you. First thing is to set up the zones. Our firewall is small and has just an external and an internal zone; initially, we want to block everything from the external network, and allow administrative SSH from the internal network, while serving DHCP on the internal network. For this blog, I assume eth0 stays connected internally, eth1 will be internet-facing. Substitute your own interface names.

$ sudo firewall-cmd --permanent --zone=external --remove-service=ssh
$ sudo firewall-cmd --permanent --zone=external --add-interface=eth1

That sets up the external interface. IP masquerading is enabled on that interface by default, so for that interface, that's all we need to do.

For the internal side, there's a bunch of zones we could use, or we could set up one of our own. But since the "work" zone comes with sane defaults, we'll just use that.

$ sudo firewall-cmd --permanent --zone=work --add-interface=eth0
$ sudo firewall-cmd --set-default-zone=drop
$ sudo firewall-cmd --permanent --new-policy=egress
$ sudo firewall-cmd --permanent --policy=egress --set-target=ACCEPT
$ sudo firewall-cmd --permanent --policy=egress --add-ingress=work
$ sudo firewall-cmd --permanent --policy=egress --add-egress=external
$ sudo firewall-cmd --reload

This sets the default zone for new interfaces to "drop", places eth0 in the work zone, creates an "egress" policy that accepts traffic entering from the work zone and leaving via the external zone (so internal hosts can reach the internet while the external side stays closed), and reloads the firewall configuration.

Next, we set up our network interfaces. The default "wired" network we set up in the base image will serve well for the internet interface, so we copy and modify it accordingly. This is easier with a superuser shell.

$ sudo -i
# mv /etc/systemd/network/20-{wired,eth1}.network
# sed -i -e 's/eth0/eth1/' /etc/systemd/network/20-eth1.network

Edit /etc/systemd/network/20-eth0.network to contain

[Match]
Name=eth0

[Network]
Address=10.32.0.1/16
IPForward=true
DHCPServer=true

[DHCPServer]
PoolOffset=255
PoolSize=256
EmitDNS=true
DNS=8.8.8.8
# EmitNTP=true
# NTP=10.32.0.1
EmitRouter=true
Router=10.32.0.1

Then allow DHCP requests through the internal zone:

$ sudo firewall-cmd --permanent --zone=work --add-service=dhcp

This makes eth0 the DHCP server for the internal network: it hands out addresses from the configured pool and advertises 8.8.8.8 as the DNS server (since we are not configuring our own caching DNS server). For the moment, the NTP server settings are commented out; I'll detail optionally configuring the router as an NTP server at the end of this post.

This is really all that is required for a basic router setup - to test it, reboot your new router, connect the internet-facing interface to your existing router, and the internal interface to your laptop. This may require a crossover network cable or using a dedicated switch separate from the home router; you will want a dedicated switch to connect multiple devices anyway. Your test system should acquire an IP address in the range 10.32.1.0/24 with outbound internet still operational.
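Before rebooting, the permanent configuration can be audited against what the zone and policy commands above are meant to produce. The script below is an added example, not part of the original post: it checks text shaped like the output of `firewall-cmd --zone=<zone> --list-all` and `firewall-cmd --info-policy=egress` for the invariants set up here (no ssh on the external zone, masquerade on and only the WAN interface in it, dhcp plus administrative ssh on the work zone, and the egress policy accepting work towards external). The embedded dumps are constructed samples; feeding it the live output, e.g. `audit_external "$(sudo firewall-cmd --permanent --zone=external --list-all)" eth1`, is assumed to work because the format is the same.

```shell
#!/bin/bash
# Added example, not from the original post: audit firewalld zone/policy
# dumps for the router invariants set up above. Assumes the dumps are the
# text printed by `firewall-cmd --zone=<zone> --list-all` and
# `firewall-cmd --info-policy=egress`.
# field DUMP NAME -> value of the "  NAME: value" line
field() { printf '%s\n' "$1" | sed -n "s/^  $2: *//p"; }
# has_item DUMP NAME ITEM -> success if ITEM is in the space-separated list
has_item() {
  case " $(field "$1" "$2") " in *" $3 "*) return 0 ;; *) return 1 ;; esac
}
# Internet-facing zone: no ssh, masquerade on, and only the WAN interface.
audit_external() {
  d=$1; wan=$2; p=""
  has_item "$d" services ssh && p="$p ssh-exposed"
  [ "$(field "$d" masquerade)" = yes ] || p="$p no-masquerade"
  [ "$(field "$d" interfaces)" = "$wan" ] || p="$p wrong-interfaces"
  [ -z "$p" ] && echo ok || echo "FAIL:$p"
}
# Internal zone: must serve dhcp and still allow administrative ssh.
audit_internal() {
  d=$1; p=""
  has_item "$d" services dhcp || p="$p no-dhcp"
  has_item "$d" services ssh || p="$p no-ssh"
  [ -z "$p" ] && echo ok || echo "FAIL:$p"
}
# Egress policy: ACCEPT from the internal zone towards the external zone only.
audit_policy() {
  d=$1; p=""
  [ "$(field "$d" target)" = ACCEPT ] || p="$p target-not-accept"
  [ "$(field "$d" ingress-zones)" = work ] || p="$p bad-ingress"
  [ "$(field "$d" egress-zones)" = external ] || p="$p bad-egress"
  [ -z "$p" ] && echo ok || echo "FAIL:$p"
}
# Constructed sample dumps shaped like the post's end state (eth1 = WAN).
EXT='external (active)
  target: default
  interfaces: eth1
  services:
  masquerade: yes'
WORK='work (active)
  target: default
  interfaces: eth0
  services: dhcp dhcpv6-client ssh'
POL='egress (active)
  target: ACCEPT
  ingress-zones: work
  egress-zones: external'
audit_external "$EXT" eth1; audit_internal "$WORK"; audit_policy "$POL"
```

Each audit function prints `ok` or `FAIL:` followed by the failed checks, so the three calls at the end print `ok` three times for the sample dumps.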

In a perfect world, your internet provider does not supply you with a preconfigured home router, and instead simply lets you plug your own DHCP client directly into the cable/DSL modem or fiber terminal. If so, at this point the home router can serve the basic needs of a home network. Note that if you do that and you have a wireless network on your existing home router, you will need additional configuration on the wireless side. For the moment, that's out of scope, but I might add a blog post on how to set up a MikroTik wireless AP in the future.

Optional: NTP server on the home router

$ paru -Syu chrony
$ sudo -i
# echo 'allow 10.32/16' >> /etc/chrony.conf
# systemctl enable --now chronyd
# firewall-cmd --permanent --zone=work --add-service=ntp

Then uncomment the NTP lines in /etc/systemd/network/20-eth0.network. As with the earlier rules, the permanent ntp service entry only takes effect after a firewall-cmd --reload (or a reboot), and the edited .network file is picked up when systemd-networkd is restarted.
