Unlike TFA I did not try to replace my ISP-provided ONT, and I use nftables (via firewalld) instead of iptables, unbound instead of dnsmasq, and systemd-networkd instead of dhclient and radvd. I also run haproxy to terminate TLS for some exposed LAN servers, and a local OpenSUSE package repository since many of my LAN machines are OpenSUSE.
For the internet-facing services (chrony, haproxy, unbound) I wrote systemd override files to harden them (run as non-root, temporary mounts instead of direct filesystem access, etc.). I also run them in individual network namespaces.
I highly recommend a Linux-based router if you have the hardware to spare and want a completely customizable and secure router, never having to worry about ISP malware or lack of updates again. Of course if what you have is more embedded than a full x86 motherboard then something like OpenWRT would be better than Debian.
The rules make extensive use of policy routing, such that every device on my network has its own view of what services it is allowed to access, and what Internet horizon it sees. Loading the rules fails safe in that forwarding is only enabled after a successful (re)load, and the rules fail safe such that if a connection doesn't have a valid fwmark then it's not allowed to go out any interface. This allows me to do things like have two web browsing VMs that display side by side, one coming from my physical infrastructure IP and one coming from an often-rotated data center IP.
The system has served me well, but is obviously quite bespoke. I'd love to factor it out some day and publish it for general consumption, but I haven't quite figured out how to retain the flexibility while making it have broad appeal.
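The systemd hardening described above, as an added example that is not the commenter's own override files. It writes a drop-in for Debian's haproxy unit (unprivileged user, a fresh tmpfs over /var and /tmp instead of the real filesystem, its own network namespace) and sets up that namespace. The namespace name "haproxy", the bridge br-lan, the address 192.168.10.8/24 and the Environment= overrides (which assume Debian's haproxy.service puts the pid file and master socket directly under /run) are assumptions; check them against your unit before installing.

```shell
#!/bin/sh
# Added example, not the commenter's override files: harden Debian's haproxy
# unit the way the comment describes (unprivileged user, private temporary
# mounts instead of the real filesystem, own network namespace). Assumptions:
# the namespace is called "haproxy", the host side of its veth joins a
# hypothetical LAN bridge br-lan, and 192.168.10.8/24 is free for it.
UNIT=haproxy.service
DROPIN_DIR=/etc/systemd/system/${UNIT}.d

emit_override() {
  cat <<'EOF'
[Service]
# Drop root: the only privilege haproxy needs is binding 80/443
User=haproxy
Group=haproxy
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Debian's unit (assumption: check its Environment= line) writes the pid file
# and master socket straight into /run, which is read-only below; move both
# into the runtime directory
RuntimeDirectory=haproxy
Environment=PIDFILE=/run/haproxy/haproxy.pid
Environment=EXTRAOPTS=-S /run/haproxy/master.sock

# Read-only root, no /home, a fresh empty tmpfs over /tmp and /var, and only
# the one state directory haproxy needs bound back in
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
TemporaryFileSystem=/var:ro
BindPaths=/var/lib/haproxy

# Kernel and syscall surface
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallArchitectures=native
LockPersonality=yes
MemoryDenyWriteExecute=yes

# Only the interfaces moved into this namespace are reachable from haproxy
NetworkNamespacePath=/run/netns/haproxy
EOF
}

# Prepare the namespace (normally a oneshot unit that haproxy.service has
# Requires= and After= on): a veth pair with the host end bridged onto the LAN.
netns_setup() {
  ip netns add haproxy
  ip link add veth-haproxy type veth peer name eth0 netns haproxy
  ip link set veth-haproxy master br-lan up
  ip -n haproxy link set lo up
  ip -n haproxy addr add 192.168.10.8/24 dev eth0
  ip -n haproxy link set eth0 up
  ip -n haproxy route add default via 192.168.10.1
}

install_override() {
  mkdir -p "$DROPIN_DIR"
  emit_override > "$DROPIN_DIR/hardening.conf"
  systemctl daemon-reload
  systemctl restart "$UNIT"
  systemd-analyze security "$UNIT"   # the exposure score should drop sharply
}

if [ "${1:-}" = install ]; then netns_setup; install_override; fi
```

Two caveats before running `install`: Debian's default haproxy.cfg carries `chroot /var/lib/haproxy`, which needs CAP_SYS_CHROOT (and a syscall outside @system-service), so drop that directive, the unit-level sandbox replaces it; and chrony and unbound get analogous drop-ins with their own capability (chrony needs CAP_SYS_TIME to step the clock) and their own state paths.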
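The fwmark policy routing and the fail-closed loader described above, as an added example that is not the commenter's ruleset. It assumes a hypothetical layout: LAN 192.168.10.0/24 on lan0, an ISP uplink wan0 with gateway 203.0.113.1, a tunnel wg0 to a data centre, and two hosts, .20 (plain workstation) and .50 (the browsing VM that must egress through the tunnel). Table numbers and marks are arbitrary choices.

```shell
#!/bin/sh
# Added example (not the commenter's ruleset): per-device fwmark policy routing
# with fail-closed loading. Hypothetical layout: LAN 192.168.10.0/24 on lan0,
# uplinks wan0 (ISP, gateway 203.0.113.1) and wg0 (tunnel to a data centre).
TABLE_WAN=100   # routing table that only knows wan0
TABLE_TUN=200   # routing table that only knows wg0
MARK_WAN=0x100
MARK_TUN=0x200

# Emit the nftables ruleset. Every forwarded flow must carry a mark that
# matches the interface it is leaving by; anything else hits policy drop.
build_ruleset() {
  cat <<EOF
flush ruleset

table inet fw {
  # Which uplink each LAN host is allowed to use (hypothetical addresses)
  map egress_mark {
    type ipv4_addr : mark
    elements = {
      192.168.10.20 : ${MARK_WAN},
      192.168.10.50 : ${MARK_TUN}
    }
  }

  chain prerouting {
    type filter hook prerouting priority mangle; policy accept;
    # Reuse the mark of an existing flow, else classify the first packet by source
    ct mark != 0 meta mark set ct mark
    meta mark == 0 iifname "lan0" meta mark set ip saddr map @egress_mark
    ct mark == 0 meta mark != 0 ct mark set meta mark
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    # Fail safe: a packet without a valid mark matches no accept rule
    meta mark ${MARK_WAN} oifname "wan0" accept
    meta mark ${MARK_TUN} oifname "wg0" accept
  }

  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname { "wan0", "wg0" } masquerade
  }
}
EOF
}

# One routing table per mark, each holding only its own uplink, so a flow
# that somehow carried the wrong mark still cannot reach the other horizon.
install_policy_routes() {
  for pair in "${MARK_WAN}:${TABLE_WAN}" "${MARK_TUN}:${TABLE_TUN}"; do
    mark=${pair%%:*}; table=${pair##*:}
    ip -4 rule del fwmark "$mark" lookup "$table" 2>/dev/null || true
    ip -4 rule add fwmark "$mark" lookup "$table"
  done
  ip -4 route replace default via 203.0.113.1 dev wan0 table "$TABLE_WAN"
  ip -4 route replace default dev wg0 table "$TABLE_TUN"
}

# Fail-closed (re)load: forwarding goes off first, the ruleset is checked
# (nft -c) and then loaded as one atomic transaction (nft -f), and forwarding
# comes back only if both steps succeeded. A broken ruleset leaves the box
# as a plain non-forwarding host instead of an open router.
apply_ruleset() {
  rules=$(build_ruleset)
  sysctl -q -w net.ipv4.ip_forward=0
  if ! printf '%s\n' "$rules" | nft -c -f -; then
    echo "ruleset rejected by nft -c; forwarding stays off" >&2; return 1
  fi
  if ! printf '%s\n' "$rules" | nft -f -; then
    echo "ruleset load failed; forwarding stays off" >&2; return 1
  fi
  install_policy_routes
  sysctl -q -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = apply ]; then apply_ruleset; fi
```

Marks are assigned in prerouting, before the routing decision, so the `ip rule` lookups see them; the `ct mark` copy means replies and later packets of a flow keep the same horizon without another map lookup.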
It's basically a Manjaro vs Arch situation. FreeBSD is fine, but these downstreams like pfSense / OPNsense with only a handful of maintainers just delay patches pointlessly. I'd much rather use upstream directly.
(I switched to Debian instead of FreeBSD because, if I was going to have to set up networking from scratch, I'd much rather do it in an OS I'm more familiar with.)
If I really need to update the host with no router: I plug my iPhone via USB, and I'm off to the races.
My new firewall is Debian managed by Ansible; the playbook sets up PPPoE, nftables and ntopng.
I really missed pfblockerng, so I wrote a shell script to download Firehol feeds and inject them as a set into my nftables rules.
The whole thing works great off a Proxmox J3455/8GB mini PC with 2 NICs, leaving room for some LXC and Docker containers.
Fans are throttled to 8% and I'm having Icinga2 watch system temperatures, which are usually between 35 and 45°C. It's barely audible, and currently sitting 1.5m away from my ears. I think idle power consumption is somewhere between 20 and 30W.
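A pfBlockerNG-style feed loader of the kind mentioned above, as an added example that is not the commenter's script. It converts a FireHOL .netset feed into an nftables set and swaps the contents in one transaction, treating the feed as untrusted input and refusing a download that is too small to be real. The table and set names, the WAN interface name wan0, the 100-entry threshold and the feed URL (the usual raw GitHub path of the blocklist-ipsets repository) are assumptions; the sample feed is constructed for the example.

```shell
#!/bin/sh
# Added example, not the commenter's script: load a FireHOL-style .netset feed
# into an nftables set and swap it in atomically, refusing obviously broken
# downloads. Table/set names, the WAN interface (wan0) and the feed URL
# (the usual raw GitHub path of the blocklist-ipsets repo) are assumptions.
FEED_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset"
SET_NAME=firehol_level1
MIN_ENTRIES=100   # a near-empty feed is a broken download, not a quiet day

# Constructed sample in the feed's format: '#' comments, one IP/prefix per line,
# plus a malformed line to show that junk is rejected rather than fed to nft.
SAMPLE_FEED='# firehol_level1 (constructed sample for this example)
#
# Maintainer : FireHOL team
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24
198.51.100.7
not-an-address
'

# Strip comments and keep only well-formed IPv4 addresses or prefixes. The feed
# is untrusted input: a bad line must be logged and skipped, never passed to nft.
feed_to_elements() {
  awk '
    function bad() { printf "skipping malformed feed line: %s\n", $0 > "/dev/stderr" }
    { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
    $0 == "" { next }
    {
      n = split($0, part, "/")
      if (n > 2 || split(part[1], o, ".") != 4) { bad(); next }
      ok = 1
      for (i = 1; i <= 4; i++) if (o[i] !~ /^(0|[1-9][0-9]*)$/ || o[i] + 0 > 255) ok = 0
      if (n == 2 && (part[2] !~ /^(0|[1-9][0-9]?)$/ || part[2] + 0 > 32)) ok = 0
      if (ok) print; else bad()
    }'
}

# One-time part (put it in your base ruleset): a dedicated table whose hooks
# run just before the main filter chains. Only WAN-facing traffic is checked:
# level1 contains RFC1918 and bogon ranges, and matching those on LAN
# interfaces would cut off your own hosts.
base_rules() {
  cat <<EOF
table inet blocklist {
  set ${SET_NAME} {
    type ipv4_addr
    flags interval
    auto-merge
  }
  chain input {
    type filter hook input priority -10; policy accept;
    iifname "wan0" ip saddr @${SET_NAME} counter drop
  }
  chain forward {
    type filter hook forward priority -10; policy accept;
    iifname "wan0" ip saddr @${SET_NAME} counter drop
    oifname "wan0" ip daddr @${SET_NAME} counter reject
  }
}
EOF
}

# Periodic part: "flush set" and "add element" in one nft -f run are applied as a
# single transaction, so there is never a window with an empty set.
render_set_update() {
  elems=$(awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }')
  printf 'flush set inet blocklist %s\n' "$SET_NAME"
  if [ -n "$elems" ]; then
    printf 'add element inet blocklist %s { %s }\n' "$SET_NAME" "$elems"
  fi
}

update_blocklist() {
  raw=$(mktemp) || return 1
  if ! curl -fsSL --max-time 60 -o "$raw" "$FEED_URL"; then
    echo "download failed; keeping the current set" >&2; rm -f "$raw"; return 1
  fi
  elems=$(feed_to_elements < "$raw"); rm -f "$raw"
  count=$(printf '%s\n' "$elems" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -lt "$MIN_ENTRIES" ]; then
    echo "only $count usable entries (< $MIN_ENTRIES); keeping the current set" >&2
    return 1
  fi
  printf '%s\n' "$elems" | render_set_update | nft -f -
}

if [ "${1:-}" = update ]; then update_blocklist; fi
```

Load `base_rules` output once with the rest of the ruleset, then run the script with `update` from a timer; a failed or truncated download leaves the previous set in place rather than silently unblocking everything.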
It's based on Debian 11, and I'm only using tools available from Debian's repo: dnsmasq, nftables, wireguard, ipsec, haproxy, some policy based routing. Provisioning via ansible.
Rock solid platform. I've recently had to reboot for the 1st time in about 600 days due to physically moving some things around - I know, uptime is not supposed to be a flex.
Might replace the Intel PCIe card with a 1x SFP+ for a DAC connection to my core switch soon-ish since we finally seem to be getting our apartment complex connected to residential fiber.
I guess what I'm saying is - I congratulate the tenacity and expertise that went into OP's blog post, but as far as homelab routers go, I'm very happy with my (very easy to set up) HW/SW.
A step further would be a laptop that can get by on 5-10W and still run circles around typical ARM-based off-the-shelf routers. Though the second NIC will probably connect via USB3, you get a real keyboard and screen for troubleshooting.
1. Massive DoS at a strategic moment, which is more relevant at country-scale with everyone losing communication simultaneously, rather than a few rare people having personal problems with their infrastructure.
2. Eavesdropping and backhauling the network traffic somehow. This mainly applies to corporations and governments wanting to keep using outdated plain text or even unauthenticated protocols. Individuals should be encrypting everything regardless of who makes the network gear. Especially as most countries lack privacy legislation or functional constraints on government, meaning that the WAN gear is an attacker regardless of who made it.
As far as wifi access points, I never had a problem with Debian or now NixOS. OpenWRT is a bunch of clicking and bespoke management, which is exactly what I don't want.
It would not be a big deal for one individual user to have their ONT / router / etc. killed, but if you had a million devices bricked at approximately the same time it would be extremely disruptive. With work-from-home being so prevalent these days, having a million households suddenly knocked off the internet could be disastrous to the economy. Let alone if something like this happened to an ISP or telco's backbone equipment.
Nothing that could not be worked around eventually, given time and replacement equipment, but then consider the case where the kill-switch is activated during a trade embargo and you can't source replacement equipment for weeks/months... not fun. Let alone the case where a kill-switch is activated as a disruption immediately prior to a military conflict (even if your military and government comms are 100% unaffected, there would be utter chaos on the civilian side as people assumed their friends have been bombed because they can't get in contact, remote work being crippled, etc. that would take days or weeks to calm down).
Completely legit IMHO to not want Huawei deployed at scale or as part of infrastructure in your country, or any equipment with similar concerns, and I am glad it is banned in my country. It sounds paranoid, but keep in mind the Chinese government must agree as well - they are trying to replace their dependence on foreign tech by replacing it with local equivalents, such as replacing Intel gear with China's domestically manufactured Zhaoxin processors.
Rather the comment I responded to seemed to just be uncritically beating the dead horse of "Huawei bad", when it's not really a big deal in the individual use context. And in fact rereading the original post, the original ISP-supplied gear was Huawei as well! Which I do agree that widespread usage of is a problem. But the author's replacing of a Huawei standalone ONT with a Huawei SFP ONT doesn't affect much there!
And sure maybe it could have been great opportunity to harden up the author's infrastructure so that they could still have comms even if everyone else's went dark. Except that the OLT (other end of the link) is likely Huawei as well since ONTs aren't chosen in a vacuum.
What we need is a new update to this book:
Linux Routers: A Primer for Network Administrators (2nd Ed):
Does anyone know of any all-in-one hardware that has ADSL, 5 switch ports and WiFi, that is Linux capable?
OpenWRT supports a few Lantiq systems with xDSL modems.
I was running both, but in the end switched to bridge mode on a dedicated modem.