
Show HN: Router7 – A pure-Go implementation of a small home internet router - secure
https://github.com/rtr7/router7
======
chrissnell
I want to look into adding support for sniffing and forwarding the 802.1x
packets that the AT&T fiber modem/gateways use to authenticate. This is done
to bypass the crappy performance and insecurity of their device. There are
some hacky implementations of this but I want to do it in Go. I've gotten as
far as sniffing the packets using gopacket under FreeBSD. Unfortunately,
FreeBSD doesn't seem to support VLAN 0 so I was unable to implement this for
PFSense. Perhaps router7 would be a better option for me.

~~~
jokamoto
This is a functional implementation of that behavior in Go:

[https://github.com/mjonuschat/eap_parrot](https://github.com/mjonuschat/eap_parrot)

~~~
secure
Neat!

In case anyone wants to use this on router7, where CGO_ENABLED=0, you’d need
something like
[https://github.com/google/gopacket/pull/470](https://github.com/google/gopacket/pull/470)

------
secure
Author here. Happy to answer any questions you might have :)

~~~
init-as
Where would a person even begin to learn how to do something like this? I’m a
programmer but wouldn’t even know where to start on a project like this.

~~~
secure
There are a bunch of tutorials out there on how to build your own router based
on Linux or one of the BSDs. I’d recommend such a tutorial as a good starting
point for a top-down view.

The lower-level is very visible through Wireshark, with which you can capture
all network traffic.

Does that help?

------
gonzo
One of the owners of Netgate, the main company behind pfSense here...

Looks great! I’m impressed.

I’m actually about to be out of touch for a week, so I’ve cloned the code for
Router7 to read while I’m offline.

~~~
chrissnell
For those unfamiliar with Netgate, they make fantastic little appliances for
DIY routers (in addition to the commercial pfSense offerings). They're a great
option if you are looking for an alternative to PC Engines. I don't have any
affiliation with them, other than having run their 8-port model at home for
the last two years without any issues.

~~~
Fnoord
Netgate is far, far more expensive than PC Engines (do you see anything near
$100 or 100 EUR here? [1] No, you don't). It isn't even remotely in the same
league. An 8 port model at home is overkill, and expensive. You're better off
using a switch plus an appliance.

If we're casually mentioning alternatives to PC Engines (who provide, AFAIK,
the cheapest solution and are using Coreboot):

[https://opnsense.org/about/about-opnsense/](https://opnsense.org/about/about-opnsense/)
developed & supported by Deciso BV. Still supports x86-32, unlike pfSense. Their
official hardware is also expensive though, just like Netgate.

If you want a cheap PC Engines alternative running Linux I can recommend
Ubiquiti gear instead. The entry level products are cheap (ER-L, for example,
has 3 ports and costs ~100 EUR), and the Unifi products are user-friendly,
while the EdgeMAX allow more freedom/control at the price of user-
friendliness. Although it isn't DIY like the other solutions, that could be an
advantage. But if you're going the DIY route anyway, PC Engines gives the best
bang for the buck _unless_ you _need_ 4G modem support.

[1] [https://store.netgate.com/](https://store.netgate.com/)

~~~
JustSomeNobody
Appears the SG-1000 is $149. Only 2 GBe ports (WAN, LAN), but as you say, you
can use a switch.

~~~
Fnoord
Yeah, that's the cheapest device available. If you only need 2 ports, the
apu2c0 is only $99 w/o case (~$10 for the case) [1]. An espressobin (w/o
peripherals) goes for $50. EdgeRouter X (1 WAN, 4 LAN ports) goes for 50 EUR
here, with SFP module it goes for 75 EUR. Those are competitive prices.
Netgate's cheapest device is expensive by comparison. Doesn't say anything
about the quality though!

[1]
[https://www.pcengines.ch/newshop.php?c=4](https://www.pcengines.ch/newshop.php?c=4)

~~~
15155
These are full x86 machines that can handle a much different workload than an
EdgeRouter X.

Try and do any kind of meaningful traffic shaping, firewalling, with an ERX.
Or, just make some configuration change which knocks traffic handling out of
silicon and into the CPU: you'll quickly see where the extra money would've
been nice.

My only serious complaint about pfSense is that BSD only has single-threaded
PPPoE, which really does not work well at anything approaching gigabit speeds.

~~~
Fnoord
> These are full x86 machines that can handle a much different workload than
> an EdgeRouter X.

These are x86-64 (AMD64) machines, running a 64-bit fork of FreeBSD. pfSense
doesn't run on x86-32 anymore (even though x86-32 works perfectly fine as
router). The argument is that it's "ancient" hardware; yet here we are
discussing single-threaded PPPoE...

EdgeRouter X is a bit weak, sure (though it also does not use a lot of power),
EdgeRouter Lite (which I got) is already much better performance, sports a
MIPS64 and more RAM.

> [..] you'll quickly see where the extra money would've been nice.

If I'd want the highest performance + bang of buck + got the time to maintain
(including the hardware) I'd go for PC Engines plus OPNsense _or_ Router-7.
But I don't want to put a lot of effort/time in maintaining my home router.

I'm positive we'll have loads of fun with RISC-V routers in the near future.
If not the big corps, perhaps smaller ones. Amazon also appears to have plans
to sell switches with AWS support.

There's also MikroTik/RouterOS.

~~~
15155
For the record: I run RouterOS in ESXi on a Supermicro SYS-5018D-FN8T (1U,
Xeon D1518).

Mikrotik hardware suffers the same problems as Ubiquiti (and most other
manufacturers): it's very easy to lose gigabit routing performance with even
the most basic of home firewall rulesets.

~~~
Fnoord
I got no throughput issues with my Ubiquiti hardware whatsoever as long as I
keep using hardware offloading. Which doesn't work with bridging. Either way I
use a DMZ on the third port of my ER-L on which I run a WAP for guests which I
(or they) fire up when they're here. Latency is very low on these MIPS
machines.

------
blattimwind
Stupid question: why is all the code marked "Copyright 2018 Google Inc."?

~~~
secure
Have a look at
[https://opensource.google.com/docs/releasing/](https://opensource.google.com/docs/releasing/)
for details.

~~~
ValleZ
In California when you work at your time on your equipment you own copyright
on the project.

~~~
jhabdas
In the US you only think so

~~~
ValleZ
It's written in my current offer and refers to CA Labor Code 2870. I missed
that the author is in Switzerland.

~~~
jhabdas
From what I understand the burden of proof in Lab. Code, § 2872. falls on the
employee. If they work on some code in their "spare" time and that code
contains a license with the word "Google" in it it would seem the license is a
first attempt to establish the burden of proof as opposed to the freedoms one
might enjoy writing under the Expat or GPL, for example.

------
grizzles
Any chance for split horizon dns? The ability to perma-name all my home
computers is something I've always wanted in a home router.

~~~
secure
[https://godoc.org/github.com/rtr7/router7/cmd/dnsd](https://godoc.org/github.com/rtr7/router7/cmd/dnsd)
already resolves computer names from DHCP leases. Is that what you mean? If
no, can you elaborate on what the use-case is?

Edit: forgot to mention, you can use static leases, too, permanently assigning
an IP/hostname to a MAC address: just remove the expiration field in
/perm/dhcp4d/leases.json :)

~~~
chrissnell
Here's a use case that I am currently doing at home:

I have a live weather station [1] that pulls data from a Go-based service that
I wrote and run on a server on my home network. When I'm outside of the house,
mhkweather.com resolves to a Digital Ocean IP, where I run a proxy to forward
requests back to home IP. However, when I'm at home, mhkweather.com resolves
to a local 10.x.x.x IP and goes straight to the local service, no proxy. It's
faster this way. I want to be able to set DNS overrides for local things. I
can do this with unbound but it would be nice if dnsd could do this for me.

[1] [https://mhkweather.com](https://mhkweather.com)

~~~
secure
Thanks for elaborating.

For the time being, you’d need to modify dnsd to install your custom handler.
It should be as simple as adding another server.mux.HandleFunc call in
internal/dns/dns.go.

If this turns out to be a feature which many people would like, I’ll think
about how to best structure the code to make this easier.
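
As an added illustration of the custom handler described above (example code, not router7's dnsd or its mux API): a standalone Go function that parses a raw DNS question, answers an A query for a name in a constructed split-horizon table with a LAN address, and tells the caller to fall through otherwise. The mhkweather.com -> 10.0.0.5 mapping and the sample query bytes are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// Constructed split-horizon table (not router7's data): LAN clients get a local address.
var localOverrides = map[string]net.IP{"mhkweather.com.": net.IPv4(10, 0, 0, 5)}

// sampleQuery is a constructed A query for MHKweather.com (mixed case on purpose).
const sampleQuery = "\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0aMHKweather\x03com\x00\x00\x01\x00\x01"

// parseQuestion reads the first question of a raw DNS query: lower-cased FQDN, qtype, end offset.
func parseQuestion(msg []byte) (string, uint16, int, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:]) == 0 {
		return "", 0, 0, fmt.Errorf("no question section")
	}
	off, labels := 12, []string{}
	for off < len(msg) && msg[off] != 0 {
		l := int(msg[off])
		off++
		if l&0xC0 != 0 || off+l > len(msg) { // compression pointers are invalid in a question name
			return "", 0, 0, fmt.Errorf("malformed name")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	if off++; off+4 > len(msg) { // skip the root label; type and class must follow
		return "", 0, 0, fmt.Errorf("truncated question")
	}
	return strings.ToLower(strings.Join(labels, ".")) + ".", binary.BigEndian.Uint16(msg[off:]), off + 4, nil
}

// answerOverride builds an authoritative A answer for an overridden name; ok=false with a
// nil error means the query is not ours and should fall through to the normal resolver path.
func answerOverride(query []byte) (resp []byte, ok bool, err error) {
	name, qtype, end, err := parseQuestion(query)
	ip, found := localOverrides[name]
	if err != nil || !found || qtype != 1 { // 1 = A; AAAA and other types are not overridden here
		return nil, false, err
	}
	resp = append([]byte{}, query[:end]...)    // header + question; additional records (e.g. OPT) dropped
	resp[2] |= 0x84                            // QR=1, AA=1; opcode and RD preserved
	resp[3] = 0x80                             // RA=1, RCODE=NOERROR
	copy(resp[6:12], []byte{0, 1, 0, 0, 0, 0}) // ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
	resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4) // name ptr to 12, type A, class IN, TTL 60, RDLENGTH 4
	return append(resp, ip.To4()...), true, nil
}
```

In a real handler the override belongs on the LAN-facing listener only, so the 10.x answer is never handed to a client outside the network; anything that is not an A query for an overridden name takes the normal upstream path.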

------
voidmain0001
@secure: Are you using netfilter or nftables for the firewall / NAT services?

~~~
blattimwind
nftables

[https://github.com/rtr7/router7/blob/master/cmd/netconfigd/n...](https://github.com/rtr7/router7/blob/master/cmd/netconfigd/netconfigd.go)

~~~
arminiusreturns
So can you tell me what you think of nft? Details if you feel like it please.
I'm a sysadmin type who has stared at way too much iptables and decided to
start going full nftables. I haven't hit any showstopper yet but I figure it
would be worth asking someone who has dealt with its complexities. I've been
putting off Bpf because it feels like actual programming in yet another
language. Did you try that?

One last comment, you might check out Dragonfly BSDs network stack if you
haven't yet for ideas, the last benchmarks I ran were surprising.

To anyone listening, does Bpf enable us to get past the 10gbs dma issues on a
Linux router?

------
tedchs
This is super exciting as I've had this on my "hobby to do list" for a
while... now I don't have to do it! :)

------
ejanus
I am currently reading some source code on tap-based IP/TCP stacks and Babel.
I have not wrapped my head around some of the concepts because I need to first
understand some RFCs. I would be reading your code base soon, but can one
fire it up to work on Raspberry Pi3? And can it work with something that is
not fibre?

~~~
secure
You can fire it up on a Raspberry Pi 3, yes. That’s how I started developing
it, to be sure the architecture works before I spend the effort of porting
gokrazy to the apu2c4 :)

It can work with any ISP (not just fiber7) as long as you have an ethernet
interface and the ISP uses DHCPv4 and DHCPv6 for configuration. If that’s not
the case, you’d need to develop e.g. PPPoE support yourself.

~~~
avip
Do you have some docs wrt Pi3 setup (or - there's no "setup" other than
installing Router7?)

~~~
secure
Unfortunately there are no docs, as the Raspberry Pi is not an actively used
platform for router7 (I switched to the apu2 after prototyping).

That said, your guess is likely correct, this gokr-packer invocation should do
the trick:

  gokr-packer \
    -hostname=router7 \
    -overwrite=/dev/sdb \
    -gokrazy_pkgs=github.com/gokrazy/gokrazy/cmd/ntp \
    github.com/rtr7/router7/cmd/...

But note that you might need to rebuild
[https://github.com/gokrazy/kernel](https://github.com/gokrazy/kernel) with
some additional kernel options from
[https://github.com/rtr7/kernel](https://github.com/rtr7/kernel), plus options
for whichever USB ethernet adapter you’re going to use.

Note that you won’t have automated recovery (rtr7-recover), as that uses PXE
boot, which Raspberry Pis don’t do by default (and rtr7-recovery-init has
some hard-coded values which won’t work on the Raspberry Pi, at least not when
using an SD card for storage).

------
pjmlp
Nice work.

I would consider a router software stack, systems level coding.

------
jhabdas
Go is cool and all. But what's the point of buried cable when one can get
50Mbps for $5 to $10 a month on 4G in Indonesia?

~~~
secure
1 Gbps >> 50 Mbps, and I enjoy the faster speeds.

Also, 4G is a shared medium, so I prefer my dedicated 1 Gbps line. We should
handle internet load on dedicated lines where possible, so that the shared
medium keeps working well for people who have no other choice.

