
The Ars guide to building a Linux router from scratch - thehoff
http://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
======
danielrhodes
If you don't want to do all that configuration, PFSense is a good alternative.
[https://www.pfsense.org/download/](https://www.pfsense.org/download/)

PFSense is the same thing below the hood, but with a web front-end and
plugins.

Most off the shelf wireless routers work fine as an access point, but are
quite bad as a router. So you can just plug your old wireless router into this
thing (with DHCP etc turned off), and your whole setup will be much better.

~~~
anderiv
I'll echo the pfSense recommendation. One correction, though: pfSense is built
upon FreeBSD, not linux.

~~~
bcook
IPFire is my choice if you prefer Linux.

------
tyingq
Ubiquiti's EdgeRouter Lite is a popular, fast, cheap (<$100) solution in this
space.

People are running FreeBSD and Linux on it:

[http://www.daemonology.net/blog/2016-01-10-FreeBSD-EdgeRoute...](http://www.daemonology.net/blog/2016-01-10-FreeBSD-EdgeRouter-Lite.html)

[https://wiki.gentoo.org/wiki/MIPS/ERLite-3](https://wiki.gentoo.org/wiki/MIPS/ERLite-3)

~~~
vostok
One note is that it's my understanding that running Linux or even FreeBSD will
mean that you can't hit 1Mpps if that's important to what you're doing.

~~~
Titanous
The driver for the network offload is proprietary, however the pre-installed
OS is Debian Linux with a fork of Vyatta.

~~~
vostok
Excellent point. I should have been more specific.

------
Mister_Snuggles
Here's a tutorial for doing the same thing with OpenBSD from a few years ago:
[http://www.bsdnow.tv/tutorials/openbsd-router](http://www.bsdnow.tv/tutorials/openbsd-router)

~~~
zdw
The OpenBSD site has an example as well.

[http://www.openbsd.org/faq/pf/example1.html](http://www.openbsd.org/faq/pf/example1.html)

As a point of comparison, the iptables syntax as shown in the Ars article is
far harder to grok at first glance than either of the pf examples. For
example:

    pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to <ipaddr>

vs:

    -A PREROUTING -p tcp -m tcp -i p4p1 --dport 80 -j DNAT --to-destination <ipaddr>:80
    -A FORWARD -p tcp -d <ipaddr> --dport 80 -j ACCEPT
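
One thing the iptables version makes easy to get wrong is the second line: a DNAT in the nat table only rewrites the destination, and with a default-deny FORWARD chain (as a from-scratch router should have) the rewritten packet is still dropped unless a FORWARD rule accepts it. The audit below is an added example, not code from the Ars article or from anyone in this thread: it parses text in `iptables-save` format (a constructed sample with RFC 5737 documentation addresses is embedded) and reports every PREROUTING DNAT whose translated destination has no matching FORWARD accept.

```python
"""Audit iptables port forwards (DNAT) for a matching FORWARD accept rule.

Added example. Parses iptables-save text and reports nat/PREROUTING DNAT
rules whose translated destination:port is not accepted in filter/FORWARD.
"""
import shlex

# Constructed sample: WAN interface p4p1, three forwards, the last one
# missing its FORWARD counterpart. Addresses are RFC 5737 documentation ranges.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 80 -j DNAT --to-destination 192.0.2.10:80
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 443 -j DNAT --to-destination 192.0.2.10:443
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 2222 -j DNAT --to-destination 192.0.2.20:22
-A POSTROUTING -o p4p1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -d 192.0.2.10 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.0.2.10 --dport 443 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Yield (table, chain, args) for every '-A' line in iptables-save output."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]                 # '*nat' / '*filter' select the table
        elif line.startswith("-A "):
            args = shlex.split(line)
            yield table, args[1], args[2:]   # chain name, then the match/target args


def opt(args, *names):
    """Return the value following the first of the given option names, or None."""
    for i, tok in enumerate(args[:-1]):
        if tok in names:
            return args[i + 1]
    return None


def dnat_targets(text):
    """Return [(wan_port, dest_ip, dest_port)] for every nat/PREROUTING DNAT rule."""
    out = []
    for table, chain, args in parse_rules(text):
        if table != "nat" or chain != "PREROUTING" or opt(args, "-j") != "DNAT":
            continue
        ip, _, port = opt(args, "--to-destination").partition(":")
        wan_port = opt(args, "--dport")
        # A DNAT without ':port' keeps the original destination port.
        out.append((wan_port, ip, port or wan_port))
    return out


def forward_accepts(text):
    """Return the set of (dest_ip, dest_port) explicitly accepted in filter/FORWARD."""
    ok = set()
    for table, chain, args in parse_rules(text):
        if table == "filter" and chain == "FORWARD" and opt(args, "-j") == "ACCEPT":
            ip = (opt(args, "-d") or "").split("/")[0]   # drop a /32 suffix if present
            ok.add((ip, opt(args, "--dport")))
    return ok


def unforwarded_dnats(text):
    """DNAT rules whose translated destination is not accepted in FORWARD.

    Deliberately strict: a FORWARD accept that matches only by interface
    (no -d/--dport) is not counted, so the report errs towards noise.
    """
    accepted = forward_accepts(text)
    return [t for t in dnat_targets(text) if (t[1], t[2]) not in accepted]


if __name__ == "__main__":
    for wan_port, ip, port in unforwarded_dnats(SAMPLE_IPTABLES_SAVE):
        print(f"DNAT :{wan_port} -> {ip}:{port} has no FORWARD accept rule")
```

Run it against a real ruleset with `iptables-save | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the check is intentionally strict, so a FORWARD rule that accepts by interface pair alone will show up as a false positive rather than be silently trusted.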

~~~
Mister_Snuggles
Yeah, I've always found iptables to be a little hard to understand.

It also sounds like it's getting replaced[0]. My guess is that we will see
iptables around for a long time after it's been deprecated. ifconfig, for
example, is deprecated[1] yet it's still around and being used.

[0] [https://lwn.net/Articles/564095/](https://lwn.net/Articles/564095/)

[1] [https://lists.debian.org/debian-devel/2009/03/msg00780.html](https://lists.debian.org/debian-devel/2009/03/msg00780.html)

~~~
Decade
ifconfig is still used on BSD and, most importantly, MacOS X. Also, the Linux
replacement for ifconfig is ip from iproute2, and that was made by the guy who
did Linux QoS. He sort of sucks at usability.

For example, `ifconfig eth0 down` becomes `ip link set dev eth0 down` and
`ifconfig eth0 192.168.1.2` becomes `ip add add 192.168.1.2/24 brd + dev
eth0`; I had to look these up to make sure I had the correct syntax.

Okay, the actual command is `ip address add` and not `ip add add`, but it
allows extreme abbreviation at the expense of discoverability.

------
INTPenis
I'm sad they don't use dnsmasq in the article, it's a ton easier to set up
than bind and even commercial routers use it.

~~~
tdkl
Yeah, plus it can also serve as a DHCP server, one less package to
install/maintain.

------
goda90
I wonder how well the Turris Omnia[1] will compare to a homebrew solution like
this.

[1][https://omnia.turris.cz/en/](https://omnia.turris.cz/en/)

~~~
urza
I can't wait for mine to arrive :)

I like those automatic security updates and network traffic analysis...

------
briHass
I had trouble getting a hold of one of those C1037U boxes from China. The
seller would 'run out of stock' frequently if I found one for a decent price.

I ended up going with the APU2B4 board (an upgrade from the APU1D mentioned in
the article.) I put pfSense on it, and it's been running perfect for a few
weeks now.

Even that board is probably massive overkill for most people. I have 50/50
internet, and with full bandwidth used by torrents, a VPN and ssh session open
to the router, and the web interface open, I'm still only getting about 10-15%
CPU.

[http://pcengines.ch/apu2b4.htm](http://pcengines.ch/apu2b4.htm)

~~~
shimon_e
Interesting. I have been using such PCs in my Chinese office for about a year.
They are made in a factory about 30 minutes from me. I was considering
designing a better looking case and bundling a more reliable power supply to
export these but I got busy with bigger business.

These Shenzhen factories are somehow getting these Intel CPUs for next to
nothing. Factory price for the i5 model was about $100.

~~~
aroch
At least in the past, I've heard of people getting lots of low binned /
questionable QC'd intel chips for dollars per chip. They basically go for
auction to the highest bidder. If you're willing to deal with a high defect
rate (Either extensive QC yourself or just don't give a shit), it is a pretty
good deal.

------
mynewtb
Seems to be missing one of the most crucial parts: Keeping the software up to
date to avoid being a victim to security issues.

~~~
cnvogel
During the "Linux-Setup" part of the article:

""" ...and whether you want automatic security upgrades. (Spoiler: Yes, you
do.) """

------
mdewinter
This is also a nice simple and cheap device running OpenWRT ($25) with
Wireless N, 2 100 mbit lan and USB: [https://revspace.nl/GL-iNet](https://revspace.nl/GL-iNet) - [http://www.gl-inet.com/](http://www.gl-inet.com/).

I've got about 50 deployed, managing them with Ansible, super nice and
cheap. USB powered as well.

~~~
kogepathic
If you like that, check out the Nexx WT3020H. Very similar specs but you can
get them from China for about $13 USD.

Best of all, they're based around a MediaTek CPU, which doesn't have the same
USB quirks as the Atheros AR9330 used in the GL-iNet.

I've personally upgraded my 3020H units from 8MB SPI to 16MB, but I've also
heard that you can order them directly from the factory with 16MB if your
order is large enough, or they're willing to customize.

------
dsr_
At least in my setup, a small SSD means that a complete reboot for the router
takes 22-24 seconds, and so TCP sessions will not drop.

~~~
bluedino
Be careful when using a very small SSD or something like a CF card for a
router. Enabling logging to disk can wear the flash memory out in a matter of
weeks

~~~
dsr_
I have a 64GB SSD and a little over 4.5GB used in the last year. I don't think
that flash exhaustion is likely in the near future... but I also have a 32GB
USB stick plugged in, which gets a backup copy once a week. The great thing
about building your own router is that you can easily replace parts.

------
35bge57dtjku
1400 - 2400 usd for that small box? Is that worth it??

~~~
song
It was $250 before, a lot of sellers on aliexpress just jack the price when
they're out of stock instead of delisting the item.

------
Decade
It is almost 4 years since World IPv6 Launch. I’m very disappointed that,
other than a few randomly timed rants from Iljitsch van Beijnum, Ars Technica
has made no visible movement to IPv6. No AAAA record for Arstechnica.com, no
guides to installing IPv6, and now a tutorial for setting up routers spreading
FUD about how difficult it is to install IPv6.

------
madengr
I have been running Linux boxes for 20 years as my home router, but just
recently bought a Cisco RV325. Sort of got tired of maintaining it, and it
took a lot more power.

How will these smaller, embedded motherboards handle 1G Ethernet? Will be
getting google fiber within next year.

~~~
INTPenis
Been using an APU board since they came out and I have a 1Gbps fibre
connection. Unfortunately my measured speed comes to about 500/700Mbit but I
believe that's due to either shitty equipment in the city wide fibre grid or my
own switches/cables. I'm not really a network tech.

Either way the APU handles it fine for a home network and generates no
noticeable heat.

------
shekhar101
Curious if the 120 GB SSD could be doubled as network storage accessible
through WiFi?

~~~
Sanddancer
Yep. Just install the samba/nfs/iscsi/other networking daemon and off you go.
About the only thing to keep in mind is that you are going to need to
configure the daemon before you use it to ensure that it's not listening on
your WAN address, because you probably don't wanna have your files visible to
all and sundry.
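
The check behind that advice is simply "what is listening, and on which address". The script below is an added example, not code from the article or from this thread: it parses the output layout of `ss -lntu` (a constructed sample is embedded, with an assumed WAN address from the RFC 5737 documentation range) and reports every listener bound to the WAN address or to a wildcard address, which is exactly what would expose Samba, NFS or an iSCSI target to the internet side of the router.

```python
"""Flag listening sockets reachable on the WAN side of a home-built router.

Added example. Parses `ss -lntu` output and reports listeners bound to the
WAN address or to a wildcard, i.e. sockets the internet side can reach
unless the INPUT chain blocks them.
"""
import subprocess

WAN_ADDRS = {"203.0.113.5"}                      # assumed WAN address (constructed)
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}       # "listen everywhere" forms ss prints

# Constructed sample in `ss -lntu` layout: sshd on the wildcard (v4 and v6),
# Samba and NFS correctly bound to the LAN address, a stray rpcbind on UDP.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50       192.168.1.1:445        0.0.0.0:*
tcp   LISTEN 0      64       192.168.1.1:2049       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""


def split_addr_port(field):
    """Split 'addr:port' as printed by ss; rpartition keeps bracketed IPv6 intact."""
    addr, _, port = field.rpartition(":")
    return addr, port


def parse_ss(text):
    """Return [(proto, local_addr, port)] for every socket line in ss output."""
    rows = []
    for line in text.splitlines()[1:]:           # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, port = split_addr_port(parts[4])   # column 5 is Local Address:Port
        rows.append((parts[0], addr, port))
    return rows


def wan_exposed(text, wan_addrs=WAN_ADDRS):
    """Listeners the WAN side can reach: bound to a wildcard or to the WAN address."""
    return [r for r in parse_ss(text) if r[1] in WILDCARDS or r[1] in wan_addrs]


def live_check(wan_addrs=WAN_ADDRS):
    """Run ss on this host (Linux) and return its exposed listeners."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True)
    return wan_exposed(out.stdout, wan_addrs)


if __name__ == "__main__":
    for proto, addr, port in wan_exposed(SAMPLE_SS_OUTPUT):
        print(f"exposed: {proto} {addr}:{port}")
```

A wildcard bind is not automatically a hole if the INPUT chain drops unsolicited traffic on the WAN interface, but binding the daemon to the LAN address (Samba's `interfaces`/`bind interfaces only`, for instance) means the file server stays private even if a firewall rule is later edited wrongly; treat the report as a list of services to pin to the LAN side.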

------
Nux
I'd like to play with Linux on this multi-nic board when I get some time and
money [http://www.banana-pi.org/r1.html](http://www.banana-pi.org/r1.html)

------
pcunite
I use MikroTik for the nice hardware, low power, and RouterOS.

~~~
tacon
I bought MikroTik for the netflow feature, which can reveal active malware via
hardware packet counters by endpoint.[0] The next cheapest router with netflow
is in the thousands of dollars. MikroTik is $180 at Amazon.

[0] [http://www.irongeek.com/i.php?page=videos/houseccon2015/t302...](http://www.irongeek.com/i.php?page=videos/houseccon2015/t302-the-fox-is-in-the-henhouse-detecting-a-breach-before-the-damage-is-done-josh-sokol)

~~~
lvillani
Which one do you have? Mine is an RB751U-2HnD and it is plagued with problems,
to the point that I set up an automatic reboot every other day and I'm
thinking about switching to Ubiquiti gear...

~~~
nier
A client of mine has a RouterBOARD 1100 X2 AH that I also decided to reboot
daily for stability reasons. A RouterBOARD 951G 2HnD used in a branch office
lost all IPSec configuration and hangs when viewing the settings on the
command line. Certified MikroTik technician says the thing has to be
reformatted and set up from scratch.

My first experience with MikroTik products. Not good.

~~~
jlgaddis
Just to chime in with another anecdote, I've got several MikroTik RB493G's
acting as PPPoE access concentrators that are stable as hell and have been in
service for a couple of years with no issues.

In general, I've had better luck with the lower end of their product line.

------
skinowski
Looks like he hasn't hit the ip_conntrack_tcp_be_liberal problem/setting yet.
Good luck with streaming Netflix with that router...

~~~
lightlyused
Care to explain?

~~~
skinowski
Here we go: [https://www.pitt-pladdy.com/blog/_20091125-185551_0000_Linux...](https://www.pitt-pladdy.com/blog/_20091125-185551_0000_Linux_Netfilter_and_Window_Scaling/)

~~~
lightlyused
Anything recent? That is from 2009.

~~~
skinowski
ip_conntrack_tcp_be_liberal is still in kernel sources and it is enabled in
distributions like openwrt. The author does not mention this, so very likely
that his/her custom router will drop traffic. Recently I ran into the issue
with Netflix traffic which seemed to use window scaling. In my case I did not
disable scaling, but had to enable this option on arch Linux.
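
For anyone checking their own box: with `nf_conntrack_tcp_be_liberal` at 0, conntrack marks TCP segments that fall outside the window it is tracking as INVALID. Packets in INVALID state are not NATed, and most hand-written rulesets also drop them explicitly, so a connection whose window state conntrack has lost (window scaling it missed, a connection that outlived a firewall restart) quietly dies. The script below is an added example, not from the thread: it reads the sysctl (the path is a parameter so the logic can be tested against a copy) and scans `iptables-save` text for an INVALID-state drop rule; the filter table embedded in it is constructed.

```python
"""Check the conntrack window-tracking setting discussed above.

Added example. Reports whether nf_conntrack_tcp_be_liberal is off and whether
the ruleset drops INVALID state explicitly, the combination that drops
out-of-window segments on the router.
"""
from pathlib import Path
import shlex

SYSCTL_PATH = "/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal"

# Constructed filter table in iptables-save format, the common default-deny shape.
SAMPLE_FILTER = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def be_liberal_from_text(value_text):
    """Interpret the sysctl file contents: '1' means out-of-window segments stay tracked."""
    return value_text.strip() == "1"


def read_sysctl(path=SYSCTL_PATH):
    """Read the live value; raises OSError if the conntrack module is not loaded."""
    return Path(path).read_text()


def _opt(args, *names):
    """Return the value following the first of the given option names, or None."""
    for i, tok in enumerate(args[:-1]):
        if tok in names:
            return args[i + 1]
    return None


def drops_invalid(iptables_text):
    """True if any '-A' rule drops packets in conntrack INVALID state."""
    for line in iptables_text.splitlines():
        if not line.startswith("-A "):
            continue
        args = shlex.split(line)
        states = (_opt(args, "--ctstate", "--state") or "").split(",")
        if "INVALID" in states and _opt(args, "-j") == "DROP":
            return True
    return False


def assess(sysctl_text, iptables_text):
    """Return 'ok' when be_liberal is on, otherwise why out-of-window segments are lost."""
    if be_liberal_from_text(sysctl_text):
        return "ok"
    if drops_invalid(iptables_text):
        return "at-risk: be_liberal=0 and the ruleset drops INVALID state"
    return "at-risk: be_liberal=0, INVALID segments bypass NAT even without a drop rule"


if __name__ == "__main__":
    try:
        print(assess(read_sysctl(), SAMPLE_FILTER))
    except OSError:
        print("unknown: conntrack sysctl not readable on this host")
```

The fix the comment describes is `sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1`, made persistent in `/etc/sysctl.d/`; it relaxes only the window check, not the rest of conntrack's state validation.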

------
x0
I have a lot of respect for those who know iptables well enough to make things
like this. It looks so fascinating, but so complex.

~~~
peatmoss
Me too! As others in the thread have mentioned, OpenBSD and pf make for a
(IMHO) much easier configuration. Not sure what kind of difference in
performance one might expect. I suspect both Linux and OpenBSD are more than
capable of keeping up with any traffic one might throw at such a router.

~~~
wtallis
BSD is at a huge disadvantage in QoS capability, to the point that it really
shouldn't be recommended as the OS for the gateway on a typical low-speed
bufferbloated residential ADSL or DOCSIS connection.

~~~
zxv
I don't see any disadvantages of BSD for QoS.

I believe the syntax for writing QoS on FreeBSD and OpenBSD provides very good
expressive capability [1]. By using tagging [2], one can assign QoS priority
to anything that a firewall rule can define.

Having used FreeBSD QoS on dial-up, ISDN, DSL and cable over the years, it is
this expressiveness that is one of the reasons I prefer the pf packet filter
and thus BSD.

Here's an example for bandwidth limited wan. Interactive ssh sessions get a
queue with a minimum bandwidth; scp and sftp bulk transfers go to a separate
queue.

    queue rootq on em0 bandwidth 100M max 100M
    queue ssh parent rootq bandwidth 20M
    queue  ssh_interactive parent ssh bandwidth 10M min 5M
    queue  ssh_bulk parent ssh bandwidth 10M
    queue std parent rootq bandwidth 20M default

    block return out on em0 inet all set queue std
    pass out on em0 inet proto tcp from any to any port 22 set queue(ssh_bulk, ssh_interactive)

[1] PF - Packet Queueing and Prioritization
[http://www.openbsd.org/faq/pf/queueing.html](http://www.openbsd.org/faq/pf/queueing.html)

[2] PF - Packet Tagging (Policy Filtering)
[http://www.openbsd.org/faq/pf/tagging.html](http://www.openbsd.org/faq/pf/tagging.html)
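
The hierarchy above is only useful if its numbers are consistent: each child's `min` has to fit inside its own bandwidth, the children of a queue cannot add up to more than the parent, every `parent` has to name an existing queue, and exactly one queue must be `default`. The validator below is an added example, not code from the comment, from pf or from OpenBSD; it parses `queue` lines out of pf.conf text (the comment's own hierarchy is embedded as the sample) and reports those violations before `pfctl` is ever asked to load the file.

```python
"""Sanity-check a pf queue hierarchy such as the one quoted above.

Added example. Parses `queue` definitions from pf.conf text, builds the
parent/child tree and reports inconsistent bandwidth allocations.
"""
import re

# The comment's hierarchy, verbatim, used as the sample input.
SAMPLE_PF_CONF = """\
queue rootq on em0 bandwidth 100M max 100M
queue ssh parent rootq bandwidth 20M
queue  ssh_interactive parent ssh bandwidth 10M min 5M
queue  ssh_bulk parent ssh bandwidth 10M
queue std parent rootq bandwidth 20M default
"""

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


def to_bps(spec):
    """Convert a pf bandwidth spec like '100M' or '5M' to bits per second."""
    m = re.fullmatch(r"(\d+)([KMG]?)", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_queues(text):
    """Return {name: queue dict} for every `queue` line in the text."""
    queues = {}
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "queue":
            continue
        q = {"name": toks[1], "parent": None, "bandwidth": None,
             "min": None, "max": None, "default": False}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "default":
                q["default"] = True
                i += 1
            elif tok in ("parent", "bandwidth", "min", "max", "on"):
                val = toks[i + 1]
                if tok == "parent":
                    q["parent"] = val
                elif tok != "on":            # 'on em0' names the interface; not checked here
                    q[tok] = to_bps(val)
                i += 2
            else:
                i += 1                       # keywords this checker does not model (burst, flows, ...)
        queues[q["name"]] = q
    return queues


def check_queues(text):
    """Return a list of human-readable problems; an empty list means the tree is consistent."""
    qs = parse_queues(text)
    problems = []
    for q in qs.values():
        if q["parent"] and q["parent"] not in qs:
            problems.append(f"{q['name']}: unknown parent {q['parent']}")
        if q["min"] is not None and q["bandwidth"] is not None and q["min"] > q["bandwidth"]:
            problems.append(f"{q['name']}: min exceeds its own bandwidth")
    for parent in qs.values():
        kids = [c for c in qs.values() if c["parent"] == parent["name"]]
        total = sum(c["bandwidth"] or 0 for c in kids)
        if parent["bandwidth"] is not None and total > parent["bandwidth"]:
            problems.append(f"{parent['name']}: children need {total} bps "
                            f"but parent has {parent['bandwidth']}")
    if sum(q["default"] for q in qs.values()) != 1:
        problems.append("hierarchy must have exactly one default queue")
    return problems


if __name__ == "__main__":
    for p in check_queues(SAMPLE_PF_CONF) or ["queue hierarchy is consistent"]:
        print(p)
```

The sample passes cleanly: 20M + 20M under a 100M root, 10M + 10M under the 20M `ssh` queue, one default. Raising `std` to 90M would make the root oversubscribed and the checker reports it; that is also the kind of arithmetic that gets lost when a hierarchy is edited piecemeal over years.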

~~~
wtallis
OpenBSD doesn't support any form of Active Queue Management or fair queuing.
It _used to_ support an old and mostly useless AQM (RED) but dropped support
in 5.6. Now there isn't even a way to apply ECN marking.

A hierarchy of dumb FIFO queues does not make a real QoS system. It can
produce reasonable-looking benchmark numbers when the prioritization rules and
benchmark are contrived to match, but in the face of real-world traffic that
uses HTTP to carry vastly different kinds of traffic over links that don't
have constant bandwidth and latency, OpenBSD is hopeless. Even the rate-
limiting capability that OpenBSD has is rudimentary and lacks the ability to
account for per-packet overhead and framing overhead, which is necessary for
accurate traffic shaping on common service types like ADSL.

If you say you don't see any disadvantages for OpenBSD on QoS, then your idea
of QoS is twenty years out of date.

~~~
zxv
FreeBSD and PFSense do currently have ECN. I should have limited my comments
to them.

You're right, OpenBSD no longer has ECN, and my comments regarding OpenBSD
were out of date.

And yes, ECN is far more effective because it provides feedback to the sender.

~~~
wtallis
Yes, they've got ECN capability, if you're satisfied with RED as your AQM.
pfSense apparently also has an implementation of plain CoDel. Work is also
underway to bring fair queuing to the BSD world so that networks with more
than one simultaneous traffic flow can get some good QoS:
[http://caia.swin.edu.au/freebsd/aqm/](http://caia.swin.edu.au/freebsd/aqm/)

All of the BSDs are still way behind; the best by only a few years, while
others are stuck in the 1990s.

~~~
zxv
I believe you can use ECN with CoDel. None of this is restricted to a single
flow.

~~~
wtallis
CoDel doesn't do fair queuing so its performance on a mixed stream of traffic
is much worse than fq_codel and other AQMs that have a fair queuing component.
Please, read _some_ of the literature on what's been developed in recent
years. You don't seem to know anything about this subject other than having
seen some of these terms show up in pfSense configuration pages and thinking
it means it's at parity with Linux.

~~~
zxv
Perhaps it would be helpful for you to cite some of this literature.

~~~
wtallis
I doubt it would help to point you to anything specific, since you've managed
to not find for yourself any of the wealth of relevant information that's been
written over the past several years, from draft RFCs to LWN articles and
Wikipedia articles to blog and mailing list discussions by internet luminaries
and even some of their comments in recent HN discussions. At some point you
have to actually put in the minimal effort of googling a topic and skimming at
least one of the results, instead of assuming that the people around you are
making stupid and obvious mistakes.

------
pronoiac
Going back to the first article: it was around $300. But as a project for my
home, the lack of wifi is more frustrating.

~~~
kebolio
realistically, what is the best option for adding wireless networking to this
or any other setup based on a generic box? i assume one can build an access
point with a typical wifi dongle but i am not aware of any of the software
means required.

~~~
Decade
Realistically, WiFi driver code sucks, and there is inherent tension between
routing, which benefits from wires, and WiFi, which benefits from open space.
See, for example, how the Google OnHubs have the minimum of just 1 LAN port.

You can add WiFi to a generic box, but the Ars Technica staff are promoting a
consensus that it’s better to use a separate access point that is designed to
be good as an access point.

[http://arstechnica.com/gadgets/2015/10/review-ubiquiti-unifi...](http://arstechnica.com/gadgets/2015/10/review-ubiquiti-unifi-made-me-realize-how-terrible-consumer-wi-fi-gear-is/)

