selfhost:router, revision 2024/02/08 16:15 by willy; page removed 2024/02/08 17:29 by willy (current)
====== Network Configuration for the Home Router ======

As I already described in [[selfhost:architecture|My Self-Host Architecture]], you will have three different //network zones// in your setup.

Additionally, I will also show you how to manage multiple upstream network connections to split the outgoing load, for resilience, for load balancing, or just because.

I assume you have two ISPs, let's call them **FastISP** and **ReliableISP**. If you have only one ISP, just ignore anything related to the second one. I will also assume that you are renting, or otherwise have access to, two separate static IPs on the internet that will be your public-facing entry points. Two for resilience: if you have only one, that's fine.

You will be handling the following //networks//:
  * Internal network: 10.0.0.0/24 - all home devices will connect to this network
  * FastISP network: 192.168.1.0/24 - ISP router on 192.168.1.1
  * ReliableISP network: 192.168.0.0/24 - ISP router on 192.168.0.1
  * Main external host: static IP 99.99.99.99
  * Secondary external host: static IP 75.75.75.75

The two external servers should ideally be on different networks, but that is not mandatory.

Your internal server will act as home router and provide DHCP and DNS services to any device inside your home.

Your server will then require three network connections. I suggest three wired Ethernet ports, but you can also use one WiFi device. Since most computers come with a single Ethernet port (nowadays sometimes not even that), I found it useful to buy USB Ethernet adapters. Don't cheap out on brand and prefer USB-C ones: hardware quality is critical when going USB.

So, the internal server interfaces will be:
  * LAN: with static IP 10.0.0.1
  * FastISP on WAN1: with static IP 192.168.1.10
  * ReliableISP on WAN2: with static IP 192.168.0.10

Use static IPs for all the internal server interfaces: it will save you lots of headaches and allows the use of SNAT, which is simpler and a bit cheaper than masquerading.

====== Gentoo Network Configuration ======

For a fully static network setup you don't need to go fancy: the stock Gentoo network configuration (netifrc) is pretty easy and straightforward. If you need to support WiFi / WAP or other stuff, please refer to the Gentoo Handbook network section.

First of all you need to find out the names of your Ethernet devices; these can be found under **/sys/class/net** (each entry has an **address** file with the MAC, and **ethtool -p NAME** blinks the port LED, which helps match a kernel name to a physical port). Trial and error will help you pinpoint which one is which. Refer to [[https://wiki.gentoo.org/wiki/Netifrc|this page]] for more detailed instructions on how to set up networking. Fill the **/etc/conf.d/net** configuration file like this (//adapt to your needs!//):
<file - net>
# LAN on enp0s31f6
config_enp0s31f6="10.0.0.1/24"

# FastISP on enp59s0u2u4c2 (the default gateway is the FastISP router)
config_enp59s0u2u4c2="192.168.1.10/24"
routes_enp59s0u2u4c2="default via 192.168.1.1"

# ReliableISP on enp0s20f0u4u4c2 (no default route here: traffic is sent this way by policy routing, see below)
config_enp0s20f0u4u4c2="192.168.0.10/24"
</file>

This assumes that your **default route** will go through FastISP, so the gateway is the FastISP router address (192.168.1.1 in the layout above). You will be able to change this later on with a neat script, even on the fly.

Now create the needed symlinks, add the interfaces to the default runlevel and start them:
<code bash>
 > for i in enp0s31f6 enp59s0u2u4c2 enp0s20f0u4u4c2
 > do
 >   ln -s /etc/init.d/net.lo /etc/init.d/net.$i
 >   rc-update add net.$i default
 >   /etc/init.d/net.$i start
 > done
</code>

Now you need to tell Gentoo that only **one** of these needs to be up for networking to be considered ready. If you don't do this, every service that needs //net// will be treated as without network as soon as one interface goes down. Edit the file **/etc/rc.conf** and set the following option to "NO":
<code>
rc_depend_strict="NO"
</code>
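As an added example (not part of the original page), here is a small POSIX shell script that drives the steps above from one place: it lists the interfaces with their MAC address, checks that every interface named in the configuration really exists under /sys/class/net before anything is written, generates the /etc/conf.d/net content, and prints (or, with DRY_RUN=no, runs) the symlink and rc-update commands. The interface names and addresses are the ones used on this page; SYSFS_NET and DRY_RUN are helper variables introduced for the example only.

```sh
#!/bin/sh
# Added example, not the page's own code: drive the netifrc setup above from one
# script. Names and addresses are the page's; SYSFS_NET and DRY_RUN are this
# example's own knobs (SYSFS_NET can point at a fake tree for testing).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
DRY_RUN="${DRY_RUN:-yes}"            # DRY_RUN=no actually runs ln/rc-update

LAN_IF=enp0s31f6;        LAN_ADDR=10.0.0.1/24
WAN1_IF=enp59s0u2u4c2;   WAN1_ADDR=192.168.1.10/24;  WAN1_GW=192.168.1.1
WAN2_IF=enp0s20f0u4u4c2; WAN2_ADDR=192.168.0.10/24

# Print "name mac" for every interface, to match kernel names with physical
# ports (the MAC is printed on most USB adapters; "ethtool -p NAME" blinks the LED).
list_ifaces() {
    for d in "$SYSFS_NET"/*; do
        if [ -r "$d/address" ]; then
            printf '%s %s\n' "$(basename "$d")" "$(cat "$d/address")"
        fi
    done
}

# Fail (return 1) if any interface we are about to configure does not exist:
# a typo here would silently leave one network zone unconfigured.
check_ifaces() {
    rc=0
    for i in "$LAN_IF" "$WAN1_IF" "$WAN2_IF"; do
        [ -d "$SYSFS_NET/$i" ] || { echo "missing interface: $i" >&2; rc=1; }
    done
    return $rc
}

# Emit the /etc/conf.d/net content. Only WAN1 gets a default route; WAN2 is
# reached through policy routing later, so it must NOT get one here.
gen_conf_d_net() {
    cat <<EOF
# LAN on $LAN_IF
config_$LAN_IF="$LAN_ADDR"

# FastISP on $WAN1_IF (default gateway)
config_$WAN1_IF="$WAN1_ADDR"
routes_$WAN1_IF="default via $WAN1_GW"

# ReliableISP on $WAN2_IF (no default route)
config_$WAN2_IF="$WAN2_ADDR"
EOF
}

# Echo a command, and run it only when DRY_RUN=no.
run() { echo "$*"; if [ "$DRY_RUN" = no ]; then "$@"; fi; }

# Create the net.* symlinks and add them to the default runlevel.
enable_services() {
    for i in "$LAN_IF" "$WAN1_IF" "$WAN2_IF"; do
        run ln -sf /etc/init.d/net.lo "/etc/init.d/net.$i"
        run rc-update add "net.$i" default
    done
}

# Usage (as root, after reviewing the dry-run output):
#   check_ifaces && gen_conf_d_net > /etc/conf.d/net && DRY_RUN=no enable_services
```

The existence check is the part worth keeping even if you type the rest by hand: netifrc does not complain about a config_ entry for an interface that is not there, so a mistyped USB adapter name only shows up later as a zone with no address.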

===== Router configuration =====

The goal is to configure your home server to act as router/gateway for your internal network. First of all, make sure your home network is **not** connected physically to any ISP gateway/router/modem: for security, you want all your traffic to go through your home server, where it is filtered and NATed.

The home server will act as DNS server, DHCP server and gateway for your internal network. To achieve this I will show you how to use [[https://wiki.gentoo.org/wiki/Dnsmasq/|Dnsmasq]], which is a very simple but powerful tool.

Enable a couple of useful USE flags:
<code bash>
 > echo "net-dns/dnsmasq dhcp-tools dnssec" >> /etc/portage/package.use/dnsmasq
</code>

**dhcp-tools** installs the dhcp_release / dhcp_lease_time helper utilities (the DHCP server itself comes with the **dhcp** flag, which is enabled by default), while **dnssec** builds in DNSSEC validation support, useful to enable on the home network.

Then emerge it:
<code bash>
 > emerge net-dns/dnsmasq
</code>

All you actually need to do is create a meaningful configuration file; take this one as example:
<file - dnsmasq.conf>
# Listen on your home LAN interface only: requests arriving on the WAN interfaces are ignored
interface=enp0s31f6
# Never forward plain names (without a dot) upstream
domain-needed
# Never forward reverse lookups for private address ranges upstream
bogus-priv
# Use the AdGuard DNS service to filter ads, ignoring /etc/resolv.conf
no-resolv
no-poll
server=94.140.14.14
server=94.140.15.15
# You can add your own ad filters here (for me, AdGuard works well enough)
#addn-hosts=/etc/adblock.hosts
# DHCP settings for the internal network (from 100 to 250; below 100 are fixed IPs)
dhcp-range=10.0.0.100,10.0.0.250,12h
# Send gateway and DNS values to the DHCP clients
dhcp-option=option:router,10.0.0.1
dhcp-option=option:dns-server,10.0.0.1
# Preassign fixed IPs via DHCP to specific hosts:
#dhcp-host=34:f3:9a:73:a6:a4,10.0.0.99
</file>

Two caveats. The **dnssec** USE flag only builds the capability: to actually validate answers you also need the **dnssec** option plus a **trust-anchor** line (or a **conf-file** pointing at the trust-anchors.conf shipped with dnsmasq) in this file, and upstream servers that pass DNSSEC records through. And before starting, **dnsmasq --test** checks the configuration for syntax errors.

Well, this is almost all. Start the //dnsmasq// service and make it start on boot:
<code bash>
 > rc-update add dnsmasq default
 > /etc/init.d/dnsmasq start
</code>

Now you can connect your devices to the home network and they will get an IP address and a full network configuration to go with it.

<WRAP center round todo 60%>
Add DNS forced redirection to force all devices to go through your ad blocker filters
</WRAP>

===== Enabling NAT =====

If you want your home network to be able to reach the outside internet, you need to enable Network Address Translation on the home server.

There are at least two different types of source NAT that you can use:
  * SNAT (static source NAT)
  * Masquerading

SNAT requires your **upstream** interface to have a static IP address, because the address the source is rewritten to is given explicitly in the rule.

Masquerading does not depend on a fixed IP: it looks up the outgoing interface's current address whenever a new connection is set up, and drops its connection tracking entries when the interface goes down, so it costs a little more and is meant for dynamic addresses. Since in your setup the upstream network interfaces have **static** IP addresses, I will show you SNAT. Masquerading is what you want when you have a PPP upstream connection, for example, or when you are forced to take a dynamic address via DHCP from your ISP.

Enabling SNAT with **nft** is pretty easy and can be achieved with the following commands on the server:
<code bash>
 > nft add table ip nat
 > nft add chain ip nat postrouting { type nat hook postrouting priority 100\; }
 > nft add rule ip nat postrouting oifname "enp59s0u2u4c2" iifname "enp0s31f6" snat to 192.168.1.10
</code>

These commands:
  * Create a new table called nat (in the ip family, i.e. IPv4 only)
  * Create a new chain called postrouting, hooked on the postrouting point of the netfilter pipeline
  * Append to it a rule that applies SNAT to all packets coming in from the LAN interface (iifname) and leaving on the WAN1 interface (oifname), rewriting their source address to 192.168.1.10

Note that this covers only traffic leaving through WAN1: anything you later route through WAN2 needs the same rule with oifname "enp0s20f0u4u4c2" and snat to 192.168.0.10, or it will leave with an unrouted 10.0.0.x source address. Also, rules added with **nft add** are gone at reboot: save them with **rc-service nftables save** and add the **nftables** service to the default runlevel (**rc-update add nftables default**) so they are restored at boot.

I am showing you the **nftables** tool, which replaced //iptables//. Here is a nice [[https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes|NFT Quick Reference Table]] if you need it...

One last step is to enable IP forwarding, since you will need this both for containerized services and for the home network; without it the kernel does not route packets between interfaces at all. Create a new file called **/etc/sysctl.d/ip_forward.conf**:
<file - ip_forward.conf>
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=1
</file>

Now either reboot or apply it by hand:
<code bash>
 > sysctl net.ipv4.ip_forward=1
 > sysctl net.ipv4.conf.default.rp_filter=1
</code>

The //default// key only seeds interfaces created after the setting is applied; on a running system also set **net.ipv4.conf.all.rp_filter=1** (or the per-interface key) for it to take effect on the existing interfaces. Keep in mind that strict reverse path filtering will need relaxing on the WAN interfaces once you start policy routing over two ISPs (next section).

Once forwarding is on and the SNAT rule is in place, your home network is routed to the outside world. A quick check: **ip route get 1.1.1.1** on the server must show the WAN1 interface, and **ping 1.1.1.1** from a LAN client must get replies.
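The SNAT rule above is the bare minimum. As an added example (mine, not from the page or from any project), here is a complete nftables ruleset wrapped in a shell script: SNAT for both WAN interfaces, a stateful filter so that the router accepts nothing from the ISP side and the LAN can only initiate outbound connections, and the DNS forced redirection that the todo note in the Dnsmasq section asks for, which sends every port 53 request from the LAN to the local dnsmasq no matter which resolver the client has configured. Interface names and addresses are the page's; the services opened on the LAN side (DNS, DHCP, SSH, ping) and the priorities are my assumptions.

```sh
#!/bin/sh
# Added example, not the page's ruleset: complete nftables configuration for the
# home router. Names/addresses from the page; LAN-side services are an assumption.
LAN=enp0s31f6;           LAN_NET=10.0.0.0/24;  LAN_IP=10.0.0.1
WAN1=enp59s0u2u4c2;      WAN1_IP=192.168.1.10
WAN2=enp0s20f0u4u4c2;    WAN2_IP=192.168.0.10

# Print the whole ruleset in "nft -f" syntax. Priorities: -100 = dstnat,
# 100 = srcnat (as in the page's chain definition), 0 = filter.
router_ruleset() {
    cat <<EOF
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # DNS forced redirection: any LAN query not already aimed at the router
        # is rewritten to the local dnsmasq, so a hard-coded 8.8.8.8 gets filtered too
        iifname "$LAN" ip daddr != $LAN_IP udp dport 53 redirect to :53
        iifname "$LAN" ip daddr != $LAN_IP tcp dport 53 redirect to :53
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # static SNAT on whichever WAN the routing decision picked
        oifname "$WAN1" ip saddr $LAN_NET snat to $WAN1_IP
        oifname "$WAN2" ip saddr $LAN_NET snat to $WAN2_IP
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # services the router offers to the LAN only: DNS, DHCP, SSH, ping
        iifname "$LAN" udp dport { 53, 67 } accept
        iifname "$LAN" tcp dport { 53, 22 } accept
        iifname "$LAN" icmp type echo-request accept
        # nothing is accepted from the WAN side: remote access comes through the SSH tunnels
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # the LAN may open connections to the internet, never the other way round
        iifname "$LAN" oifname { "$WAN1", "$WAN2" } accept
    }
}
EOF
}

# Parse-check the ruleset, then load it atomically (old rules are replaced in one
# transaction, so there is no window with no firewall). Needs root and nft.
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    router_ruleset | nft -c -f - || { echo "ruleset does not parse" >&2; return 1; }
    router_ruleset | nft -f -
}
```

Two things to know before running apply_ruleset: "flush ruleset" wipes every table, including ones a container runtime may have created, so if you run such things drop that line and manage their tables separately; and the port 53 redirect does nothing for clients that use DNS over HTTPS or DNS over TLS (443/853), which you would have to block or allow explicitly.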

====== Leveraging having more than one ISP / upstream connection ======

If you have **two** upstream connections (for example, one could be a cell phone link, only for emergencies) it would be great to be able to:
  * Switch between the two ISPs when needed
  * Route access to specific servers through ISP1 or ISP2
  * Route specific programs through ISP1 or ISP2
  * Load-balance your traffic

I will address only the first three points for now.

Having two ISPs is important for redundancy. When you start to rely on your home services for your everyday life you want them to be always accessible, so if ISP1 goes down you switch to ISP2.

What if your ISP1 is, for example, much faster **but** with a data cap, while ISP2 is slower but with unlimited data? It would be great to route all traffic through ISP1, but some apps (like //usenet// or //torrent//) through ISP2...

Moreover, you will want to set up two SSH tunnels, one through ISP1 and one through ISP2, so that in any case you keep remote access.

To achieve this you need to operate on two levels:
  * At **nft** level, to mark packets and fix up their source address (SNAT) inside the kernel
  * At **route** level, because packets **need** to be properly routed outside: the Linux policy routing database (**ip rule**) can send marked packets to a separate routing table whose default gateway is the ISP2 router

==== select ISP based on destination ====

I will assume ISP1 is your **default gateway**, and you can have only one default route in the main table. The basic idea is that if I want to reach //external-server1// via ISP2, I need to add one **route** (a host route for that address via the ISP2 gateway, which wins over the default route because it is more specific) //and// one **nft** rule (SNAT to the WAN2 address for packets leaving WAN2, otherwise they leave with the wrong source address and the replies never come back).

==== select ISP based on service ====

Make service 1 always go through ISP2. Here the destination is not known in advance, so the packets have to be recognized some other way (by destination port, or by the user the program runs as), marked with **nft**, and routed through a dedicated table by an **ip rule** that matches the mark.
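As an added example (again not the page's script; the routes-setup repository linked below is the author's own tool), here are the route and nft pieces behind the two cases above plus the ISP switch, as shell functions that print the commands they would run and execute them only with APPLY=yes. Interface names, gateways and addresses are from the page; the routing table number 200, the firewall mark 0x2, the usenet ports 119/563 and the unix user name "usenet" are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the page's code: policy routing over two ISPs.
# Page values for interfaces/gateways; table 200, mark 0x2 and user "usenet" are
# assumptions. Commands are printed; they run only when APPLY=yes (as root).
LAN=enp0s31f6
WAN1=enp59s0u2u4c2;   WAN1_GW=192.168.1.1
WAN2=enp0s20f0u4u4c2; WAN2_GW=192.168.0.1;  WAN2_IP=192.168.0.10
ISP2_TABLE=200; ISP2_MARK=0x2
APPLY="${APPLY:-no}"

run() { echo "$*"; if [ "$APPLY" = yes ]; then "$@"; fi; }

# Plumbing needed by both cases: SNAT everything that leaves WAN2 (the page's
# rule covers WAN1 only, and packets generated on the router itself that get
# rerouted to WAN2 still carry the WAN1 source address), a routing table whose
# only route is WAN2's gateway, and loose reverse-path filtering on WAN2:
# replies to policy-routed flows come back on WAN2 although the main table would
# send that source out via WAN1, and strict rp_filter (1) drops exactly those.
isp2_setup() {
    run nft add rule ip nat postrouting oifname "$WAN2" snat to "$WAN2_IP"
    run ip route replace default via "$WAN2_GW" dev "$WAN2" table "$ISP2_TABLE"
    run sysctl -w "net.ipv4.conf.$WAN2.rp_filter=2"
}

# Case 1, select ISP by destination: a /32 host route wins over the default
# route, so no marking is needed. Use it for the secondary external host so the
# second SSH tunnel really goes out through ReliableISP.
route_dest_via_isp2() {            # $1 = destination IPv4 address
    run ip route replace "$1/32" via "$WAN2_GW" dev "$WAN2"
}

# Case 2, select ISP by service: mark packets, and let a policy rule send marked
# packets to the ISP2 table. LAN clients are matched by destination port in
# prerouting; programs running on the router itself are matched by the user they
# run as, in an output chain of type "route" (that chain type makes the kernel
# redo the routing decision after the mark is set; a plain filter chain would not).
mark_service_via_isp2() {          # $1 = comma-separated TCP ports, $2 = unix user
    run nft add table inet mangle
    run nft add chain inet mangle prerouting '{ type filter hook prerouting priority -150; }'
    run nft add chain inet mangle output '{ type route hook output priority -150; }'
    run nft add rule inet mangle prerouting iifname "$LAN" tcp dport "{ $1 }" meta mark set "$ISP2_MARK"
    run nft add rule inet mangle output meta skuid "$2" meta mark set "$ISP2_MARK"
    run ip rule add fwmark "$ISP2_MARK" lookup "$ISP2_TABLE" priority 1000
}

# Case 3, switch the default gateway on the fly when one ISP is down.
switch_default() {                 # $1 = isp1 | isp2
    case "$1" in
        isp1) run ip route replace default via "$WAN1_GW" dev "$WAN1" ;;
        isp2) run ip route replace default via "$WAN2_GW" dev "$WAN2" ;;
        *)    echo "usage: switch_default isp1|isp2" >&2; return 2 ;;
    esac
}

# Usage, e.g.:  APPLY=yes; isp2_setup; route_dest_via_isp2 75.75.75.75
#               mark_service_via_isp2 119,563 usenet
```

The ip route replace calls are safe to repeat, but nft add rule and ip rule add are not: run them once, or check with nft list ruleset and ip rule first. Verify the result from the router with ip route get 75.75.75.75 (must show WAN2) and, for the marked case, ip route get 1.1.1.1 mark 0x2.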

==== Automation ====
[[https://github.com/gardiol/routes-setup.git|routes setup script]]

====== All done? ======

Now you can access the internet safely from the home network.

To learn how to reach the internal server from the **internet**, head to the [[selfhost:ssh_tunnel|SSH tunnel description]]
  
