
Building My Perfect Router - oneowl
https://blog.tjll.net/building-my-perfect-router/
======
tya99
I did a similar thing in order to implement network segregation via VLANs and
VPN routing.

Personally I think Alpine Linux is one of the better distributions to use for
routers because it uses musl which is ultra small.
[https://www.etalabs.net/compare_libcs.html](https://www.etalabs.net/compare_libcs.html)

I have separate VLANs:

• VLAN 1: Management (no tag, null route)

• VLAN 2: Untrusted (routes direct to ISP via ppp0)

• VLAN 3: Trusted (routes direct to ISP via ppp0)

• VLAN 4: Trusted (routes via tun0 - VPN connection for private browsing etc)

• VLAN 5: Null route for devices that do not require internet access of any
kind, desk phones, printers, etc.

(Doesn't have to be a Raspberry Pi, you can use anything that Alpine Linux
runs on, which is x86_64, x86, ppc64le, s390x, armhf, aarch64 (ARM8 like
Raspberry Pi 3), armv7 (Raspberry Pi 2 and friends).)[1]

[0]
[https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...](https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi_\(IPv6\))

[1] [https://alpinelinux.org/downloads/](https://alpinelinux.org/downloads/)

The idea is that anything on VLAN2 is completely segregated at the switch and
router level from the rest of my network.

~~~
oneowl
Can you explain a bit more on your VPN setup? Did you create it on the same
machine as the router itself?

~~~
tya99
> Can you explain a bit more on your VPN setup? Did you create it on the same
> machine as the router itself?

Yes.

Essentially it operates as a multi-homed router.

Traffic on VLAN2 goes directly out to the ISP. This is useful for low latency
needs such as online gaming. It is useful when you need your real IP address
and do not want to trip security systems such as an online banking site might
have.

VLAN 3 is used for everything else, downloading packages (apt, pacman etc.) and
all my web browsing. The router will send all traffic through the VPN, i.e.
tun0.

In addition I can be on VLAN3, and have "exceptions" such as to my mailserver
even when on VLAN3 (my VPN VLAN).

I used CONNMARK for this. In these circumstances the connections from VLAN3
are normally marked with a connection mark[0].

[0]:
[https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...](https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#Advanced_IPtables_rules_that_allow_us_to_route_into_our_two_routing_tables)

I am at the moment finishing up the configs as Jinja templates, so that one
may just input their configuration into the JSON configuration files and it
will populate all the configs with envtpl
[https://github.com/andreasjansson/envtpl](https://github.com/andreasjansson/envtpl).
It would be trivial for one to extend this into an implementation orchestrated
by something like Ansible.

I use that in combination with Yadm [https://yadm.io](https://yadm.io) and
store it in my dotfiles.
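A worked example of the two mechanisms tya99 describes above: the inter-VLAN segregation from the first comment (untrusted VLAN2 only reaches the ISP link, VLAN5 is never forwarded) and the CONNMARK policy routing from this one (VLAN3 defaults to tun0, with per-destination "exceptions" that stay on the ISP link). This is added example code, not from the comment, the blog post or the Alpine wiki page linked at [0]. It assumes VLAN interfaces named eth0.2/eth0.3/eth0.5, the subnet 192.168.3.0/24 for VLAN3, the documentation address 203.0.113.10 standing in for the mail server, routing table 100 and packet mark 0x1; ppp0 and tun0 are the interface names used in the thread. It follows the second comment's numbering, where VLAN3 is the VPN VLAN.

```shell
#!/bin/sh
# Constructed example: VLAN segregation plus CONNMARK-based policy routing
# for a VPN VLAN with exceptions. Interface names, subnet, mail-server
# address, table number and mark value are assumptions, not from the thread.
# Run "sh router.sh dry-run" to print the rules, "sh router.sh apply" to load them.

ISP_IF="${ISP_IF:-ppp0}"          # real ISP uplink (from the thread)
VPN_IF="${VPN_IF:-tun0}"          # VPN tunnel (from the thread)
VLAN2_IF="${VLAN2_IF:-eth0.2}"    # untrusted VLAN, direct to ISP (assumed name)
VLAN3_IF="${VLAN3_IF:-eth0.3}"    # trusted VLAN routed via the VPN (assumed name)
VLAN5_IF="${VLAN5_IF:-eth0.5}"    # null-routed VLAN (assumed name)
VLAN3_NET="${VLAN3_NET:-192.168.3.0/24}"
VPN_TABLE="${VPN_TABLE:-100}"     # routing table holding the tun0 default route
VPN_MARK="${VPN_MARK:-0x1}"       # mark that selects VPN_TABLE
EXCEPTIONS="${EXCEPTIONS:-203.0.113.10}"   # hosts VLAN3 reaches via ISP, not VPN (placeholder)
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Segregation at the router level: nothing is forwarded between VLANs,
# VLAN5 is not forwarded anywhere, VLAN2 may only leave via the ISP link.
setup_segregation() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$VLAN5_IF" -j DROP
    run iptables -A FORWARD -i "$VLAN2_IF" -o "$ISP_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VLAN2_IF" -j DROP
    run iptables -A FORWARD -i "$VLAN3_IF" -o "$VPN_IF" -j ACCEPT
    # Fail closed: if tun0 goes down, table 100 loses its route and the kernel
    # falls back to the main table, so VPN-marked traffic must never exit via ISP.
    run iptables -A FORWARD -i "$VLAN3_IF" -o "$ISP_IF" -m mark --mark "$VPN_MARK" -j DROP
    # Unmarked VLAN3 traffic is exactly the exceptions list; let it use the ISP link.
    run iptables -A FORWARD -i "$VLAN3_IF" -o "$ISP_IF" -j ACCEPT
}

# Second routing table: marked packets get a default route through the VPN.
setup_vpn_table() {
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" priority 100
}

# Mark new VLAN3 connections (except the exception hosts) and save the mark
# into conntrack so every later packet of the connection, replies included,
# is routed the same way.
setup_marking() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    for dst in $EXCEPTIONS; do
        # ACCEPT in mangle only ends chain traversal: the packet stays unmarked
        run iptables -t mangle -A PREROUTING -i "$VLAN3_IF" -s "$VLAN3_NET" -d "$dst" -j ACCEPT
    done
    run iptables -t mangle -A PREROUTING -i "$VLAN3_IF" -s "$VLAN3_NET" -j MARK --set-mark "$VPN_MARK"
    run iptables -t mangle -A PREROUTING -i "$VLAN3_IF" -s "$VLAN3_NET" -j CONNMARK --save-mark
}

# Masquerade on whichever uplink the policy routing chose.
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$ISP_IF" -j MASQUERADE
}

case "${1:-}" in
    dry-run) DRY_RUN=1; setup_segregation; setup_vpn_table; setup_marking; setup_nat ;;
    apply)   setup_segregation; setup_vpn_table; setup_marking; setup_nat ;;
esac
```

Rule order matters in two places: the exception ACCEPTs must precede the MARK rule in mangle PREROUTING, otherwise the mail server would also be pushed through tun0, and the marked-to-ISP DROP must precede the unmarked ACCEPT in FORWARD, otherwise a tunnel outage silently sends the "private browsing" VLAN out the real ISP address.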

------
virgakwolfw
I update the router about once a month, just to ensure all the relevant
packages are kept current with upstream. So far the only breakages have been
in kernel incompatibilities with the ipt-netflow module, but I think that’s
only happened once so far - any Arch updates to shorewall, dnsmasq, etc. have
been stable.

