weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 6:10 pm. Post subject: Gentoo as home router
Does anyone use Gentoo as a home router?
I am going to build a Linux home router to replace the commercial one from the market.
My home router should have VPN and wifi.
NeddySeagoon (Administrator), joined 05 Jul 2003, 54236 posts, location 56N 3W
Posted: Sun Jul 22, 2018 6:44 pm
weiypan_us,
I run Gentoo in a KVM as a router.
It manages 4 zones: Internet, DMZ, WiFi and Wired.
WiFi is not permitted to connect to Wired.
A VPN is on my to-do list, but I may spin up another KVM for that.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 6:51 pm
Hi NeddySeagoon,
Does the Gentoo community have a "How to" guide on it?
VPN is the main motivation for me to build my own router, as the VPN routers on the market really suck.
NeddySeagoon (Administrator), joined 05 Jul 2003, 54236 posts, location 56N 3W
Posted: Sun Jul 22, 2018 7:02 pm
weiypan_us,
There is a home router guide.
I use shorewall and shorewall6 as I have both IPv4 and IPv6.
VPN is not covered there.
weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 7:17 pm
NeddySeagoon,
Thank you for the rich information.
What is shorewall? Is it a router OS in itself, or just a tool running on any Linux OS to make router configuration easier?
Ant P. (Watchman), joined 18 Apr 2009, 6920 posts
Posted: Sun Jul 22, 2018 7:20 pm
I have a Gentoo router providing wifi, WireGuard VPN to my phone/laptop, and a manual nftables setup doing NAT to the outside. It's stuck behind a dumb ISP/modem so it only gets IPv4 service, but everything on the LAN is IPv6.
I didn't use the wiki guide for mine, but it looks like a good starting point.
NeddySeagoon (Administrator), joined 05 Jul 2003, 54236 posts, location 56N 3W
Posted: Sun Jul 22, 2018 7:26 pm
weiypan_us,
Shorewall is a tool for writing IPv4 firewall rules so you don't have to learn iptables.
Shorewall6 is the same for IPv6.
IPv4 and IPv6 are totally separate. If you have both, you need to control both.
All IPv6 addresses beginning with a 2 are public.
Code:
    $ ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.100.20 netmask 255.255.255.0 broadcast 192.168.100.255
    inet6 fe80::2e0:4cff:fe69:1509 prefixlen 64 scopeid 0x20<link>
    inet6 2 ... prefixlen 64 scopeid 0x0<global>
so my system is directly accessible from the internet on IPv6, or would be if my router did not prevent it.
If you don't have IPv6, it's not a problem.
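A check for the point made above (IPv4 NAT hides nothing on IPv6; a host with a global address is reachable unless the router filters it), added here as an example and not code from the thread. It parses ifconfig output of the shape shown in the post and reports every IPv6 address inside 2000::/3, the global unicast range. The sample output is constructed, with a 2001:db8::/32 documentation-prefix address standing in for the real global address the post elides.

```python
"""Report interfaces that carry a globally routable IPv6 address.

Added example, not from the forum thread. Parses text in the format
`ifconfig` prints and flags every IPv6 address inside 2000::/3 (global
unicast). Link-local (fe80::/10), loopback and unique-local (fc00::/7)
addresses are not reachable from the internet and are skipped.
"""
import ipaddress
import re

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed sample modelled on the post's ifconfig output. The global
# address uses the 2001:db8::/32 documentation prefix (constructed value).
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.20  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::2e0:4cff:fe69:1509  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1234:5678:2e0:4cff:fe69:1509  prefixlen 64  scopeid 0x0<global>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
"""

IFACE_RE = re.compile(r"^(\S+):\s+flags=")
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+prefixlen\s+(\d+)")


def parse_ifconfig(text):
    """Return {iface: [(IPv6Address, prefixlen), ...]} from ifconfig text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET6_RE.match(line)
        if m and current is not None:
            # Strip a "%scope" suffix if present; ipaddress does not accept it.
            addr = ipaddress.IPv6Address(m.group(1).split("%")[0])
            result[current].append((addr, int(m.group(2))))
    return result


def exposed_addresses(text):
    """List (iface, address) pairs that fall in the global unicast range.

    Anything in 2000::/3 is reported: IPv4 NAT does nothing for it, so only
    an explicit IPv6 firewall on the router stops direct inbound connections.
    """
    found = []
    for iface, addrs in parse_ifconfig(text).items():
        for addr, _prefix in addrs:
            if addr in GLOBAL_UNICAST:
                found.append((iface, str(addr)))
    return found


if __name__ == "__main__":
    for iface, addr in exposed_addresses(SAMPLE_IFCONFIG):
        print(f"{iface}: {addr} is globally routable; the IPv6 firewall must cover it")
```

Run it against real output with `ifconfig | python3 this_script.py`-style piping after swapping `SAMPLE_IFCONFIG` for `sys.stdin.read()`; an empty list is the result you want on a host that is only supposed to be reachable through the router's IPv6 rules.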
weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 7:34 pm
Hi Neddy,
Is shorewall6 included in the portage tree? I can only find net-firewall/shorewall.
NeddySeagoon wrote:
    weiypan_us,
    Shorewall is a tool for writing IPv4 firewall rules so you don't have to learn iptables.
    Shorewall6 is the same for IPv6.
    IPv4 and IPv6 are totally separate. If you have both, you need to control both.
    All IPv6 addresses beginning with a 2 are public.
    Code:
        $ ifconfig
        eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.100.20 netmask 255.255.255.0 broadcast 192.168.100.255
        inet6 fe80::2e0:4cff:fe69:1509 prefixlen 64 scopeid 0x20<link>
        inet6 2 ... prefixlen 64 scopeid 0x0<global>
    so my system is directly accessible from the internet on IPv6, or would be if my router did not prevent it.
    If you don't have IPv6, it's not a problem.
NeddySeagoon (Administrator), joined 05 Jul 2003, 54236 posts, location 56N 3W
Posted: Sun Jul 22, 2018 7:48 pm
weiypan_us,
It's still there.
Code:
    $ eix shorewall
    * net-firewall/shorewall
    Available versions: 4.5.21.9[1] (~)4.5.21.10-r1[1] 4.6.10.1[1] (~)4.6.13[1] (~)4.6.13.1[1] (~)5.0.1[1] 5.2.0.4 {doc +init +ipv4 ipv6 lite4 lite6 selinux KERNEL="linux"}
    Homepage: http://www.shorewall.net/
    Description: A high-level tool for configuring Netfilter
    * net-firewall/shorewall-core [1]
    Available versions: 4.5.21.9 (~)4.5.21.10-r1 {selinux}
    Homepage: http://www.shorewall.net/
    Description: Core libraries of shorewall / shorewall(6)-lite
    * net-firewall/shorewall6 [1]
    Available versions: 4.5.21.9 (~)4.5.21.10-r1 {doc}
    Homepage: http://www.shorewall.net/
    Description: The Shoreline Firewall, commonly known as Shorewall, IPv6 component
weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 8:06 pm
Hi Neddy,
Looks like it has been combined into one. Here is my search for 6. It comes out the same as 4.
Quote:
    blk161@asus ~ $ sudo emerge --search net-firewall/shorewall6
    [ Results for search key : net-firewall/shorewall6 ]
    Searching...
    * net-firewall/shorewall
    Latest version available: 5.2.0.4
    Latest version installed: [ Not Installed ]
    Size of files: 813 KiB
    Homepage: http://www.shorewall.net/
    Description: A high-level tool for configuring Netfilter
    License: GPL-2
    [ Applications found : 1 ]
NeddySeagoon wrote:
    weiypan_us,
    It's still there.
    Code:
        $ eix shorewall
        * net-firewall/shorewall
        Available versions: 4.5.21.9[1] (~)4.5.21.10-r1[1] 4.6.10.1[1] (~)4.6.13[1] (~)4.6.13.1[1] (~)5.0.1[1] 5.2.0.4 {doc +init +ipv4 ipv6 lite4 lite6 selinux KERNEL="linux"}
        Homepage: http://www.shorewall.net/
        Description: A high-level tool for configuring Netfilter
        * net-firewall/shorewall-core [1]
        Available versions: 4.5.21.9 (~)4.5.21.10-r1 {selinux}
        Homepage: http://www.shorewall.net/
        Description: Core libraries of shorewall / shorewall(6)-lite
        * net-firewall/shorewall6 [1]
        Available versions: 4.5.21.9 (~)4.5.21.10-r1 {doc}
        Homepage: http://www.shorewall.net/
        Description: The Shoreline Firewall, commonly known as Shorewall, IPv6 component
NeddySeagoon (Administrator), joined 05 Jul 2003, 54236 posts, location 56N 3W
Posted: Sun Jul 22, 2018 8:28 pm
weiypan_us,
Looks like you are correct.
Code:
    router ~ # emerge shorewall -pv
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild R ] net-firewall/shorewall-5.2.0.4::gentoo USE="init ipv4 ipv6 -doc -lite4 -lite6 (-selinux)" 0 KiB
    Total: 1 package (1 reinstall), Size of downloads: 0 KiB
    * IMPORTANT: 38 news items need reading for repository 'gentoo'.
    * Use eselect news read to view new items.
    router ~ # emerge shorewall6 -pv
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    emerge: there are no ebuilds to satisfy "shorewall6".
That's from my KVM router.
I missed the [1] in my previous post, which means it's an ebuild from my local overlay. I did that a long time ago to delay updating to shorewall-5 because I thought it might be a mess.
The rest of the household use the router. The update is done, so I can remove those ebuilds from my overlay.
Sorry for misleading you.
weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 8:34 pm
Hi Neddy, thank you for the help.
NeddySeagoon wrote:
    weiypan_us,
    Looks like you are correct.
    Code:
        router ~ # emerge shorewall -pv
        These are the packages that would be merged, in order:
        Calculating dependencies... done!
        [ebuild R ] net-firewall/shorewall-5.2.0.4::gentoo USE="init ipv4 ipv6 -doc -lite4 -lite6 (-selinux)" 0 KiB
        Total: 1 package (1 reinstall), Size of downloads: 0 KiB
        * IMPORTANT: 38 news items need reading for repository 'gentoo'.
        * Use eselect news read to view new items.
        router ~ # emerge shorewall6 -pv
        These are the packages that would be merged, in order:
        Calculating dependencies... done!
        emerge: there are no ebuilds to satisfy "shorewall6".
    That's from my KVM router.
    I missed the [1] in my previous post, which means it's an ebuild from my local overlay. I did that a long time ago to delay updating to shorewall-5 because I thought it might be a mess.
    The rest of the household use the router. The update is done, so I can remove those ebuilds from my overlay.
    Sorry for misleading you.
weiypan_us (Tux's lil' helper), joined 25 Feb 2017, 109 posts
Posted: Sun Jul 22, 2018 8:38 pm
Hi Ant,
I have used L2TP and heard of OpenVPN; this is the first time I have heard of WireGuard VPN.
Is WireGuard easy to set up?
Ant P. wrote:
    I have a Gentoo router providing wifi, WireGuard VPN to my phone/laptop, and a manual nftables setup doing NAT to the outside. It's stuck behind a dumb ISP/modem so it only gets IPv4 service, but everything on the LAN is IPv6.
    I didn't use the wiki guide for mine, but it looks like a good starting point.
axl (Veteran), joined 11 Oct 2002, 1144 posts, location Romania
Posted: Mon Jul 23, 2018 2:01 am
weiypan_us wrote:
    Hi Ant,
    I have used L2TP and heard of OpenVPN; this is the first time I have heard of WireGuard VPN.
    Is WireGuard easy to set up?
I bet if you were to describe in great detail what you are trying to accomplish, in your own words, it would go much faster.
A router in Linux is essentially a Linux that has 1 in /proc/sys/net/ipv4/ip_forward.
Everything else you build on top of that are services. Neddy mentioned zones (that is a DNS server), DHCP; Ant mentioned wifi (I think), which may be just a simple network interface or something more complex like an AP. Either way, it's services.
One of which you were preoccupied with from post one. I don't exactly know how router and VPN go together, but OK. What exactly are you trying to accomplish? First tell us what you want, then each of us will probably suggest their own VPN software and how to do it.
P.Kosunen (Guru), joined 21 Nov 2005, 309 posts, location Finland
Posted: Mon Jul 23, 2018 10:28 am
https://firehol.org/
I used to use FireHOL to set up the firewall and routing; it's a bit easier than dealing with iptables directly.
bunder (Bodhisattva), joined 10 Apr 2004, 5934 posts
Posted: Mon Jul 23, 2018 12:46 pm
I've written my own iptables script twice over, but I've also had a look at net-firewall/fwbuilder, which is a GUI frontend for iptables and a few other *nix firewalls. It reminds me a fair bit of the Checkpoint firewall console we use at work (except that iptables doesn't cost me a few grand).
_________________
Neddyseagoon wrote:
    The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
NeddySeagoon (Administrator), joined 05 Jul 2003, 54236 posts, location 56N 3W
Posted: Mon Jul 23, 2018 5:38 pm
axl,
I used to run Smoothwall on its own hardware. When I couldn't make it install into a KVM, I did my own thing with Gentoo and shorewall, mimicking Smoothwall but without the GUI.
The zones I was referring to are trust zones rather than DNS zones.
The Internet is untrusted.
The DMZ is shielded from the ravages of the internet, but some incoming connections are permitted.
WiFi is like the DMZ, but incoming connections are not permitted. As wifi is not secure, it's not trusted much more than the Internet.
Wired is the trusted zone.
Well, it started out like that. Untrusted devices like DVD players, TVs etc. are in the WiFi zone regardless of how they are connected.
The router also runs a DHCP server for those zones that are on three separate wired networks.
I'm tempted to add a VPN server, so I can use public wifi when I'm out and about, but that really belongs on another system.
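A model of the trust-zone design NeddySeagoon describes above, combined with the forwarding-sysctl check from axl's earlier post, added here as an example; it is not code from the thread, from shorewall or from any other project named in it. It maps interfaces to the four zones (interface names are assumptions), answers allow/drop for a new connection from a default-deny policy matrix, and checks both the IPv4 and IPv6 forwarding sysctls. The sysctl paths are the real kernel ones; the file contents used below are constructed so the check runs offline.

```python
"""Zone-based router policy model plus a forwarding check.

Added example, not from the forum thread. Zones follow the post above:
  net   - the Internet, untrusted
  dmz   - shielded, but selected inbound services are published
  wifi  - like the dmz, no inbound, and never allowed to reach wired
  wired - the trusted zone
Anything not explicitly permitted is dropped.
"""
from pathlib import Path

# Interface -> zone. Interface names are assumptions for the example.
ZONE_OF_IFACE = {"eth0": "net", "eth1": "dmz", "eth2": "wifi", "eth3": "wired"}

# Policy matrix for new connections: (source zone, destination zone) -> verdict.
# Pairs that are absent fall through to DROP, so wifi -> wired, net -> wired,
# net -> wifi and dmz -> wired are all denied without being listed.
POLICY = {
    ("wired", "net"): "ACCEPT",
    ("wired", "dmz"): "ACCEPT",
    ("wired", "wifi"): "ACCEPT",
    ("wifi", "net"): "ACCEPT",
    ("dmz", "net"): "ACCEPT",
}

# The "some incoming connections" the post permits into the DMZ (constructed).
PUBLISHED_DMZ_SERVICES = {("tcp", 443), ("tcp", 22)}


def verdict(in_iface, out_iface, proto=None, dport=None):
    """Return 'ACCEPT' or 'DROP' for a new connection crossing the router."""
    src = ZONE_OF_IFACE.get(in_iface)
    dst = ZONE_OF_IFACE.get(out_iface)
    if src is None or dst is None:
        return "DROP"  # an interface with no zone is never trusted by accident
    if src == dst:
        return "ACCEPT"  # same zone, no trust boundary crossed
    if src == "net" and dst == "dmz":
        # Inbound from the internet: only the published services.
        return "ACCEPT" if (proto, dport) in PUBLISHED_DMZ_SERVICES else "DROP"
    return POLICY.get((src, dst), "DROP")


# Real sysctl paths; a Linux box forwards between interfaces only when
# these read "1" (axl's point: a router is a Linux with 1 in ip_forward).
FORWARDING_SYSCTLS = {
    "ipv4": "/proc/sys/net/ipv4/ip_forward",
    "ipv6": "/proc/sys/net/ipv6/conf/all/forwarding",
}


def read_sysctl(path):
    """Read a sysctl file from the running kernel; '' if it is unreadable."""
    try:
        return Path(path).read_text()
    except OSError:
        return ""


def forwarding_enabled(read=read_sysctl):
    """Return {'ipv4': bool, 'ipv6': bool} using the given reader."""
    return {family: read(path).strip() == "1"
            for family, path in FORWARDING_SYSCTLS.items()}


# Constructed contents standing in for the two sysctl files, so the check
# can be exercised without root or a real router.
SAMPLE_SYSCTLS = {
    "/proc/sys/net/ipv4/ip_forward": "1\n",
    "/proc/sys/net/ipv6/conf/all/forwarding": "0\n",
}


def sample_reader(path):
    return SAMPLE_SYSCTLS.get(path, "")


if __name__ == "__main__":
    print("wifi -> wired:", verdict("eth2", "eth3"))
    print("net -> dmz https:", verdict("eth0", "eth1", "tcp", 443))
    print("net -> dmz smtp:", verdict("eth0", "eth1", "tcp", 25))
    print("forwarding (sample):", forwarding_enabled(sample_reader))
    print("forwarding (this host):", forwarding_enabled())
```

The useful property to notice is that the deny cases never have to be written down: a new interface, a new zone or a typo in `POLICY` degrades to DROP rather than to ACCEPT, which is the failure mode you want on the box that sits between the Internet and the wired zone. The `forwarding_enabled` result is worth checking both ways: a host that should only be a client but has forwarding on is as much a finding as a router that has it off.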