Hacker News new | past | comments | ask | show | jobs | submit login
Building My Perfect Router (tjll.net)
32 points by oneowl on April 14, 2019 | hide | past | favorite | 4 comments



I did a similar thing in order to implement network segregation via VLANs and VPN routing.

Personally I think Alpine Linux is one of the better distributions to use for routers because it uses musl which is ultra small. https://www.etalabs.net/compare_libcs.html

I have separate VLANs:

• VLAN 1: Management (no tag, null route)

• VLAN 2: Untrusted (routes direct to ISP via ppp0)

• VLAN 3: Trusted (routes direct to ISP via ppp0)

• VLAN 4: Trusted (routes via tun0 - VPN connection for private browsing etc)

• VLAN 5: Null route for devices that do not require internet access of any kind, desk phones printers etc.

(Doesn't have to be a Raspberry Pi, you can use anything that Alpine Linux runs on which is x86_64, x86, ppc64le, s390x, armhf, aarch64 (ARM8 like Raspberry Pi 3), armv7 (Raspberry Pi 2, and friends).[1]

[0] https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

[1] https://alpinelinux.org/downloads/

The idea is that anything on VLAN2 is completely segregated at the switch and router level from the rest of my network.


Can you explain a bit more on your VPN setup? Did you create it on the same machine as the router itself?


> Can you explain a bit more on your VPN setup? Did you create it on the same machine as the router itself?

Yes.

Essentially it operates as a mult-home router.

Traffic on VLAN2 goes directly out to the ISP. This is useful for low latency needs such as online gaming. It is useful when you need your real IP address and do not want to trip security systems such as a online banking site might have.

VLAN 3 is used for everything else, downloading packages (apt, pacman etc, and all my web browsing). The router will send all traffic through the VPN ie tun0.

In addition I can be on VLAN3, and have "exceptions" such as to my mailserver even when on VLAN3 (my VPN VLAN).

I used CONNMARK, for this. In these circumstances the connections from VLAN3 are normally marked with a connection mark[0].

[0]: https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

I am at the moment finishing up the configs as Jinja templates, so that one may just input their configuration into the JSON configuration files and it will populate all the configs with envtpl https://github.com/andreasjansson/envtpl it would be trivial for one to extend this into an implementation orchestrated by something like Ansible.

I use that on combination with Yadm https://yadm.io and store it in my dotfiles.


I update the router about once a month, just to ensure all the relevant packages are kept current with upstream. So far the only breakages have been in kernel incompatibilities with the ipt-netflow module, but I think that’s only happened once so far - any Arch updates to shorewall, dnsmasq, etc. have been stable.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: