Hello,
when you know something about Linux you can use software from scratch.
I have also my own router with two network interfaces and one wireless
lan card
take a look at
bind9 - DNS Server
isc-dhcp-server - DHCP Server for IPv4 and/or IPv6
hostapd - Wireless Daemon
nftables - !!!Important / Firewall
optionally if you like
webmin - Web based GUI
On 03.12.2021 at 23:04, Ross Boylan wrote:
Hi, all!
In short: if my box has 2 ethernet connections, one to the outside
world and one to my LAN, do I need to add a routing instruction so
that packets from my lan can make it out to the internet? Using
/etc/network/interfaces.
Fuller Question:
Currently my main system has one ethernet attached to my local network
(a switch, or maybe a dumb router); a wireless router on the network
is connected to the (outside) internet and currently provides NAT,
firewall and DHCP.*
My goal is to attach the internet directly to my system by an ethernet
cable from the modem and take over as the primary router/firewall.
Do I need to add an ip route command to get outbound (public internet)
traffic to actually go out? This includes both traffic from my system
and from others on my local network. Unlike nft, ip doesn't seem to
do negative commands, so I guess I would first give routing rules for
my local network and then send the rest out.**
E.g., with eth0 my LAN and eth1 the WAN
ip route add 192.168.1.0/24 dev eth0
# other routes I know something about
# other unused private routes--or maybe those should just be dropped by nft?
# perhaps
ip route add blackhole 192.168.0.0/16
ip route add default dev eth1
# nft does SNAT on the result
I'm using ifup as my primary configuration; and have examples of nft
setup for firewalls and routers, including SNAT. This is on buster,
though I hope to upgrade soon. I edited sysctl.conf to allow forwarding.
I had a similar setup a few years ago with iptables, and I don't
remember needing to route manually, so maybe I'm missing something.
I've found it difficult to get current information; the "Debian
Reference" and "Securing Debian" are both pre nft, as is
https://wiki.debian.org/DebianFirewall. The documentation on netfilter
is naturally focused on nft, not on other changes one needs, and is
not Debian specific. The Debian specific information on iproute2 is
minimal; nftables does have some useful info on Debian integration.
ifup has a fair amount of documentation, though it does leave exactly
how specification in interfaces get translated to specific kernel
settings to the imagination (e.g., if I specify 2 interfaces will it
automatically guess how to route?).
The whole thing is made more complex by the possible presence of other
dynamically created networks from libvirt and Docker. I've mostly
been avoiding docker since it doesn't seem to play well with others,
e.g., it may delete all my existing rules.
Ross
*DHCP is the problem. My main system provides customized DHCP and
DNS. My old wireless router let me disable DHCP; my new Deco 5 only
lets me disable DHCP by disabling *all* the router features. Which is
why I'm trying to get my main system to act as the router.
**Given that interfaces listed first are not reliably configured
first, I'm not sure how to guarantee the outside routes get added
after the inside routes, at least if each is set when their respective
interface comes up.
--
Kind regards
Jörg Jellissen
Friesenstraße 3
47445 Moers
Mobile: (01573) / 5 34 42 18
Fax: (02841) / 4 08 62 77
E-Mail: joerg.jellis...@t-online.de
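Added example for the thread above (not code from either poster): a POSIX shell script that prints the three pieces of a two-interface Debian router of the kind Ross describes, with eth0 as the LAN and eth1 as the WAN as in his question. It prints an /etc/network/interfaces fragment, the sysctl line that enables forwarding, and an /etc/nftables.conf ruleset with a default-drop forward chain (only LAN-to-WAN and reply traffic pass) and masquerade SNAT on the WAN side. The LAN prefix 192.168.1.0/24 and the blackhole for 192.168.0.0/16 come from the question; the WAN address and gateway are constructed placeholders from the 198.51.100.0/24 documentation range, and the LAN address 192.168.1.1 is an assumption. The `gateway` keyword installs the default route when eth1 comes up and the kernel installs each connected route when an address is assigned, so neither needs a manual `ip route add`; the blackhole routes are attached to eth1 as `post-up` hooks, and because routing is longest-prefix match the connected /24 still wins no matter which interface came up first.

```shell
#!/bin/sh
# Added example, not from the thread. Emits configuration text for a
# two-interface router; nothing here touches the running system.

LAN_IF="eth0"                 # from the question
WAN_IF="eth1"                 # from the question
LAN_NET="192.168.1.0/24"      # from the question
LAN_ADDR="192.168.1.1"        # assumed router address on the LAN
WAN_ADDR="198.51.100.10"      # constructed placeholder (documentation range)
WAN_GW="198.51.100.1"         # constructed placeholder

# /etc/network/interfaces fragment. Connected routes for $LAN_NET and the
# WAN subnet are added by the kernel when the addresses come up; "gateway"
# adds the default route via $WAN_IF. The blackholes for other private
# ranges are less specific than the connected $LAN_NET route, so the LAN
# keeps working regardless of interface bring-up order.
router_interfaces() {
cat <<EOF
auto $LAN_IF
iface $LAN_IF inet static
    address $LAN_ADDR/24

auto $WAN_IF
iface $WAN_IF inet static
    address $WAN_ADDR/24
    gateway $WAN_GW
    post-up ip route add blackhole 192.168.0.0/16
    post-up ip route add blackhole 10.0.0.0/8
    post-up ip route add blackhole 172.16.0.0/12
    pre-down ip route del blackhole 192.168.0.0/16
    pre-down ip route del blackhole 10.0.0.0/8
    pre-down ip route del blackhole 172.16.0.0/12
EOF
}

# Line for /etc/sysctl.conf (or /etc/sysctl.d/). Without it the kernel
# never forwards between the two interfaces, whatever nft says.
router_sysctl() {
    echo "net.ipv4.ip_forward = 1"
}

# /etc/nftables.conf. Forward chain is default-drop: only new flows from
# the LAN towards the WAN plus established/related replies are accepted.
# The nat table rewrites the source of everything leaving $WAN_IF.
router_nft() {
cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Print all three pieces with headers so they can be pasted into place.
echo "# ---- /etc/network/interfaces ----"; router_interfaces
echo "# ---- /etc/sysctl.conf ----";        router_sysctl
echo "# ---- /etc/nftables.conf ----";      router_nft
```

After writing the files, `nft -c -f /etc/nftables.conf` checks the ruleset syntax without loading it, and `ip route show` after `ifup eth1` should list the default route via the gateway, the connected /24s and the three blackholes.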