Turn linux server into a router?

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨Toralv@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hello selfhosted.

My router just burnt up and instead of buying a new one, I’m thinking of turning my own built NAS/home server into a router. Is this possible?

The server in question is a normal computer running debian, where I have a few disks in RAID and host some web services. The motherboard only has one RJ45 port, so my guess is that I have to at least get a network card that supports 2 ports. I’m no stranger to linux but physical networking is not my home field, though I’m very interested.

If someone could point me in the right direction, I would be more than happy.

source

Comments

Sort:hotnew top

rtxn@lemmy.world ⁨23⁩ ⁨hours⁩ ago
You can use OPNSense inside a virtual machine. You can use QEMU or install the Proxmox toolkit over Debian to manage it.

You’ll have to create a bridge network for the WAN and the LAN interface, connect them to the VM, then configure the virtual interfaces inside OPNSense.

source
- Toralv@lemmy.world ⁨23⁩ ⁨hours⁩ ago
  Ah I see, did not think of that. A network card with two ports would be enough right? One for the modem, and the other for clients, which ideally could be a switch, for more ports. That’s possible right?
  
  source
  - rtxn@lemmy.world ⁨23⁩ ⁨hours⁩ ago
    Yes, that will be enough. You can also use a single port on the NIC and the one on the motherboard if it can handle the ethernet speed you want.
    
    This is my network setup on Proxmox: Image
    
    vmbr0 is a bridge that has a single port going to the modem. The OPNSense VM’s first virtual interface is connected to this and configured as a WAN interface. Nothing else connects to this bridge as it is exposed to the internet.
    
    vmbr1 also has a single port that goes to the physical switch. OPNSense’s second interface connects to it as a LAN port, as well as every other VM and container running on the server.
    
    source
    -> View More Comments
  - xavier666@lemmy.umucat.day ⁨12⁩ ⁨hours⁩ ago
    If you virtualize, you’ll have to deal with the overhead. Unless you’re not running anything high-throughput, this approach is fine.
    
    source
  - frongt@lemmy.zip ⁨21⁩ ⁨hours⁩ ago
    You only need one port. WAN to switch, switch to router. The router routes and sends it back to the switch, and the switch to the LAN. Vice versa for outbound traffic. It’s called a router on a stick.
    
    Not recommended if you’re paranoid about security, because a malicious client or particularly malformed inbound traffic could bypass your router. For general use it’s perfectly fine.
    
    source
    -> View More Comments
  - Semi_Hemi_Demigod@lemmy.world ⁨23⁩ ⁨hours⁩ ago
    Yes, that’s possible
    
    source
  - glizzyguzzler@piefed.blahaj.zone ⁨23⁩ ⁨hours⁩ ago
    Add to that, for an extant installation I’d rec Incus for the VM work with its web-ui. You get to keep your kernel, you’re less tied at the hip to it.
    
    2 port Intel NIC + some switch and your server is a router too. Opnsense’s web ui is great, can be difficult to find stuff but searching gets you there, but most is easy enough and it’s the best web ui + automatic updates for routers out there.
    
    source
- Dultas@lemmy.world ⁨13⁩ ⁨hours⁩ ago
  Only issue I’ve had with this setup is if you’re running in a cluster and you have to restart the cluster then you run into a deadlock. The cluster won’t start VMa without a quorum and it can’t form a quorum without the OPNSense VM up. So you have to manually intervene.
  
  source
talkingpumpkin@lemmy.world ⁨22⁩ ⁨hours⁩ ago
Not sure if others already said this (I seem to see mostly comments explaining how to do it, but didn’t read them all), but, while it’s certainly feasible, you may not want to do that.

A router is the cornerstone of your network (if it goes down, so does the network) and if you are a self-hoster you’ll probably fiddle endlessly with your home server, and of course break it from time to time… the two things just don’t go well together.

Personally, I’d recommend getting some second-hand router appliance that can run openwrt and use that (make sure to check the flashing procedure before deciding what to buy - some are easier than others). Or you could get a dedicated x86 machine… probably overkill though.

source
- frongt@lemmy.zip ⁨21⁩ ⁨hours⁩ ago
  Agreed. Separate device. If your VM or hypervisor dies, or you misconfigure something, you take your Internet down. Not a fun thing to recover from.
  
  source
- Toralv@lemmy.world ⁨20⁩ ⁨hours⁩ ago
  I truly understand this sentiment, and if I ever find it troublesome to maintain, I will do just that, but right now I just want to use this as an excuse to fiddle around haha ;). I don’t run anything high-profile and my server uptime is still on par with the frequent power outages in my area
  
  source
possiblylinux127@lemmy.zip ⁨17⁩ ⁨hours⁩ ago
You can but I would strongly recommend that you set up a dedicated box. It doesn’t matter that much what OS it is running but it shouldn’t be the same device running other services.

source
- StuffYouFear@lemmy.world ⁨16⁩ ⁨hours⁩ ago
  As someone who has done their router as both a VM and a stand alone physical box, just do a stand alone box. It doesnt take much to run pfsense
  
  source
  - CyberChicken@whatcom.social ⁨15⁩ ⁨hours⁩ ago
    To add to this, Suricata is available as a service in Pfsense, it isn’t hard to get going with an IDS and with some tweaking an IPS. +1 to pfsense!
    
    source
suicidaleggroll@lemmy.world ⁨15⁩ ⁨hours⁩ ago
OPNSense is a great option for turning x86 hardware into a router. That said, I would not recommend combining your router with other functionality. The router should be a dedicated system that only does one thing. Leave your NAS and web services on another machine.

source
thebardingreen@lemmy.starlightkel.xyz ⁨23⁩ ⁨hours⁩ ago
This is extremely possible and I have done a lot of stuff like it (I set up my first home built Linux firewall over 20 years ago). You do want to get some kind of multiport network card (or multiple network cards… usb -> ethernet adapters can do OK filling in in a pinch). It also gives you a lot of power if you want to do specific stuff with specific connections (sub netting, isolation of specific hosts, etc).

There’s a lot of ways to do it, but the one I’m most familiar with is just to use IP tables.

The very first thing you want to do is open up /proc/sys/net/ipv4/ip_forward and change the 0 to a 1 to turn on network forwarding.

You want to install bridge-utils and isc-dhcp-server (or some other DHCP server). Google or get help from an LLM to configure them, because they’re powerful and there’s a lot of configs.

Your basic iptables rule is going to be something like

iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE, but again there’s lots of possible IP tables rules so read up on those.

source
- Toralv@lemmy.world ⁨23⁩ ⁨hours⁩ ago
  This was my first thought. I have some experience with iptables so I think this would be doable. Thank you
  
  source
  - thebardingreen@lemmy.starlightkel.xyz ⁨23⁩ ⁨hours⁩ ago
    I’m happy to answer specific questions as you dig into it. :) Good luck.
    
    source
  - Cawifre@lemmy.world ⁨21⁩ ⁨hours⁩ ago
    I’d recommend dnsmasq for a DNS/DHCP server component. It is time tested, used on some consumer routers as a daily-driver industry component. It has a far easier learning curve compared to the like of ISC’s offering, and the feature gaps are not going to affect you until you have a firm grasp on many deeper DNS or DHCP nuances.
    
    source
- thfi@discuss.tchncs.de ⁨23⁩ ⁨hours⁩ ago
  I had a very similar problem as @Toralv@lemmy.world a few weeks ago. I repurposed a small, fanless x86 desktop computer as my new router. It has only one RJ45 port and due to its small size cannot be extended with a proper network card. As it has an unused USB3 port, I acquired a cheap Realtek-based USB3-to-RJ45 ‘adapter’ as the second network interface. It works without any further issues in Linux (Arch) and has no problems to handle Gbps traffic.
  
  For the router configuration, I am using ‘nftables’ instead of ‘iptables’, as the former is supposed the successor of the latter. I only used the new nftables configuration, but there are wrappers available so that one can continue to use iptables syntax if desired.
  
  For network configuration, I am using systemd’s networkd. Check systemd.network(5): Configuration option ‘IPMasquerade’ takes care of telling nftables/iptables to setup masquerading (rendering the iptables invocation @thebardingreen@lemmy.starlightkel.xyz exemplified unnecessary), options ‘IPv4Forwarding’ and ‘IPv6Forwarding’ renders manually changing ‘/proc/sys/net/ipv4/ip_forward’ unnecessary.
  
  systemd’s networkd has a built-in DHCP server; check option ‘DHCPServer’ and section ‘DHCPServer’ for that (same man page as above). This way you can skip installing/configuring a separate DHCP server, but systemd’s DHCP server has some limitations, such as only supporting DHCPv4 and lack of proper command line tools. For example, to retrieve the list of current leases, you would have to make a dbus call to networkd, e.g. via busctl or dbus-send.
  
  Bridges can also be configured with systemd’s networkd, making a separate bridge tool unnecessary. Rather straight-forward with three small configuration files, telling networkd that you want to have a bridge, its name (e.g. br0), its MAC address, which NICs will be part of the bridge, and the bridge’s configuration like a NIC itself (e.g. static IP address, that the networkd’s DHCP server shall listen here, …).
  
  source
  - thebardingreen@lemmy.starlightkel.xyz ⁨21⁩ ⁨hours⁩ ago
    
    systemd’s networkd has a built-in DHCP server; check option ‘DHCPServer’ and section ‘DHCPServer’ for that (same man page as above).
    
    Is that true in Debian? If so, cool. I did not know that.
    
    source
rumba@lemmy.zip ⁨19⁩ ⁨hours⁩ ago
Personally, I’ve always been a big fan of running the firewall/router/DNS separate of everything else. It’s harder to accidentally make a security blunder and doing regular system maintenance on your hosting server won’t knock out internet to the rest of the house.

source
leggt@lemmy.sdf.org ⁨17⁩ ⁨hours⁩ ago
I’ve been using a raspberry pi for my router for a few years. Followed this guide mostly

technicallywizardry.com/raspberry-pi-network-moni…

source
ObM@lemmy.world ⁨12⁩ ⁨hours⁩ ago
Hey there! Sorry, I got busy with work today.

I was just noticing that you have plenty of replies. I think you seem to have enough to go on with.

If you still need anything, hit a reply to this one and I can give you my 2-cents worth of opinion.

source
Nollij@sopuli.xyz ⁨18⁩ ⁨hours⁩ ago
I did this back in the days of Smoothwall, ~20 years ago. I used an old, dedicated PC, with 2 PCI NICs.

It was complicated, and took a long time to setup properly. It was loud and used a lot of power, and didn’t give me much beyond the standard $50 routers of the day (and is easily eclipsed by the standard $80 routers of today). But it ran reliably for a number of years without any interaction.

I also didn’t learn anything useful that I could ever apply to something else, so ended up just being a waste of time. 2/10, spend your time on something more useful.

source
- quokka1@mastodon.au ⁨18⁩ ⁨hours⁩ ago
  @Nollij @Toralv ahhh #Smoothwall... takes me back to dual Slot 2 Pentium 2 full tower in my cellar next to the old coal chute
  source
ObM@lemmy.world ⁨1⁩ ⁨day⁩ ago
First question. Was your router also your modem? As in describe each connection/device from street until you get to your router.

source
- Toralv@lemmy.world ⁨23⁩ ⁨hours⁩ ago
  No, the modem is separate (fiber).
  
  source
avidamoeba@lemmy.ca ⁨21⁩ ⁨hours⁩ ago
As others have mentioned this is practical with a VM. It might also be doable with Docker, saving some resources.

source
kylian0087@lemmy.dbzer0.com ⁨23⁩ ⁨hours⁩ ago
I know you can run openwrt as a VM on a NAS. Might be a good solution for you. Theoreticaly you can use virtual interfaces and bridges on the NAS to use a single fysical network interface. But a second card will be the interface.

source
aislopmukbang@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
Short answer: yes

Though anything else I could not say better than this guide: opnsense.org/get-started/

source
- Toralv@lemmy.world ⁨1⁩ ⁨day⁩ ago
  Sorry I was probably not very clear on one part, I’m looking to run a router additionally to my already existing debian installation. OPNsense seems very nice, but that would require me switching to FreeBSD, which I’m not very keen on right now.
  
  source
  - Rivalarrival@lemmy.today ⁨23⁩ ⁨hours⁩ ago
    You can create a virtual machine, running within your debian install, to server as your router. It actually works very well.
    
    source
    -> View More Comments
  - bacon_pdp@lemmy.world ⁨23⁩ ⁨hours⁩ ago
    Well all Linux systems can easily be turned into routers if they have 2 or more networking ports.
    
    All you have to do is enable routing, the firewall rules for routing internal traffic and restrictions on external traffic, and dhcp services to the internal network (assuming that you don’t have a dedicated dhcp server)
    
    Here is an example: github.com/dhenkes/router
    
    Basically any Linux router guide (for any Linux distribution) can be used with minimal translation as they are all going to be using the exact same software with virtually identical configurations.
    
    source
  - possiblylinux127@lemmy.zip ⁨17⁩ ⁨hours⁩ ago
    What do you mean by router?
    
    A router is a layer 3 device that routes packets. What functionality are you wanting?
    
    source
ftbd@feddit.org ⁨13⁩ ⁨hours⁩ ago
A router is not a network switch is not a wireless access point. Using the machine as a router works with one ethernet port.

I would still not recommend this approach, as your network will be unusable when this machine goes down.

source
rmrf@lemmy.ml ⁨13⁩ ⁨hours⁩ ago
I’ve gone down this path.

You want an archer c7 with OpenWRT. I got one for 5 dollars on marketplace, flashing it took all of 2 minutes, and it kicks ass.

source
Semi_Hemi_Demigod@lemmy.world ⁨23⁩ ⁨hours⁩ ago
Here’s a pretty good tutorial on how to do this on a system with two network cards medium.com/…/setting-up-ubuntu-as-a-router-with-a…

source
- Toralv@lemmy.world ⁨23⁩ ⁨hours⁩ ago
  Thank you
  
  source
boydster@sh.itjust.works ⁨23⁩ ⁨hours⁩ ago
Is your router the issue, or the modem that decodes the signal from your ISP?

Last I checked, router/AP stuff is pretty easy to DIY (OpenWRT, PFsense, etc). But that’s the step after the modem has done what it needs to do.

source
- Toralv@lemmy.world ⁨23⁩ ⁨hours⁩ ago
  My router physically burnt up, up in flames. No idea why, tired of life I guess.
  
  source
  - possiblylinux127@lemmy.zip ⁨17⁩ ⁨hours⁩ ago
    Can you buy a new one?
    
    source
  - avidamoeba@lemmy.ca ⁨21⁩ ⁨hours⁩ ago
    The 8K porn was too hot.
    
    source
nutbutter@discuss.tchncs.de ⁨17⁩ ⁨hours⁩ ago
👉

There! Happy?

source