Nice article. Running your own router is a nice way to learn a bit of networking, has a better track record of security updates, and helps you act as a part on the Internet.
Hey, I've got an apu2c4 and was actually thinking about installing Ubuntu or Debian and trying to run ansible on it, but your Nixos idea sounds good. Do you have any references for the setup? Have you found any downsides?
The reason I want to move away from pfsense is the lack of support for Wireguard.
The router uses systemd-networkd, unbound, corerad, hostapd.
I'm not in a position to share my config yet. If you give me contact details, I can share a few bits.
Downsides:
* When you screw up, you can lose Internet connectivity.
* When you screw up, you can lose access to your router. I mitigate this by securely exposing the router on the Internet, and then using 4G to SSH to the router.
* It took a while for me to figure out how to get a decent IPv6 setup.
* NixOS specific: if you find some config on StackOverflow (e.g.) it takes a bit of time to figure out how to fit that into NixOS.
The result is great though:
* this router has been through 2-3 major upgrades, and it just works.
* NixOS is modern/popular enough that it has had wireguard/corerad packaged for a while.
* I have confidence my router is actually behaving according to its config, because NixOS does a great job of that. This allows me to easily rebuild, which is useful if I experiment with something but give up: revert code, then deploy and the router is back to its previous state.
For a year I had success with a Beaglebone Green[0] and OpenBSD installed and in a "Router on a stick" configuration[1]. It wasn't amazing performance, but it was in a rural area with a slow ISP anyway. IPSec performance was sufficient for the single client I ever used with it.
For the year prior to this one, I had FreeBSD in almost the same configuration running on a Raspberry Pi (1!!!) B.
Both were rock solid stable without any serious problems, but in the end, I favored the OpenBSD/Beaglebone more. The sole reason for this is the strange behavior I encountered on FreeBSD while using vi over a serial connection - all of vi would appear in the serial console as a single line. I believe it was a known bug at the time. This made vi unusable, and I had to resort to editing the firewall configs line by line using sed and cat (FreeBSD sed doesn't have the in-place editing that GNU sed has). Quite a PITA.
Not sure about any particulars of the issue you describe, but it sounds like the terminal could not support something about your session to vi. Maybe running GNU screen or tmux would make things work better?
I was connecting from a Linux laptop, and GNU screen was the terminal I used.
This was from 5 years ago. I believe I found a discussion online somewhere that touched upon the issue. Today, the closest thing I can find is this bug on pfSense: https://redmine.pfsense.org/issues/9569
It depends on how much should be open source (wifi generally involves a lot of blobs), and how much the router should do more than just route, but a good starting point should be OpenWRT on supported hardware.
I tend to separate the router and access points. Well working wifi hardware has traditionally been hard to find at consumer price points, so I've used Ubiquiti throughout. They're not open source at all, but neither are most network cards and wifi adapters so I consider them appliances. That way the router can be simple and separate.
Some criticisms, from somebody who doesn't know a whole ton about networking:
Can pure DNS site filtering really work these days? I have to imagine more and more of the internet is behind cloudflare / cloudfront / etc, and you probably can't block/grant access to a single site without catching a bunch of unrelated ones as well. An HTTP(S) proxy approach seems like it would work a lot better. No offense to the author, they clearly know their stuff, but this feels like they know networking pretty well and want to use it to solve a problem that it's no longer suited for. I remember the internet of the 90s and DNS filtering would have worked a treat back then.
Why does the term VLAN not show up anywhere in the guide? Can't VLANs (with radius (?)) be used to segment traffic without requiring multi-port NICs (and running N ethernet cables if I want to have access to N different network segments from the same room)? (I really, clearly, don't know that much about networking)
Increasingly, I get frustrated by network- and machine/OS-focused security measures. I don't want to bother with making sure all the unix user ids on all the machines on my network match in order for unix permissions to work right. I don't want to think about tagging traffic in iptables with unix users and only allowing traffic that belongs to my personal user to egress over the 'trusted' NIC. These things should be handled by app-layer controls, sort of BeyondCorp for everything.
> Can pure DNS site filtering really work these days? I have to imagine more and more of the internet is behind cloudflare / cloudfront / etc, and you probably can't block/grant access to a single site without catching a bunch of unrelated ones as well.
You're thinking about IP filtering. When a site is behind Cloudflare/Cloudfront/... it _may_ share an IP with some other site, but it will most probably have a distinct DNS name that can be filtered upon during DNS resolution.
pi-hole/nextdns do this quite successfully for adblocking at the network layer.
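An added illustration of the distinction made in the reply above (my example, not code from the thread or from pi-hole/NextDNS): a name-based filter with pi-hole-style subdomain matching beside an IP-based block over the same resolver view. All hostnames, addresses and the resolution table are constructed.

```python
# Added example (not from the thread): why blocking by DNS name is more precise
# than blocking by IP when unrelated sites sit behind the same CDN address.
# All hostnames, IPs and the resolution table below are constructed for the demo.
from ipaddress import ip_address
from typing import Optional, Set

# Constructed "resolver view": several unrelated names share one CDN front-end IP.
RESOLUTION_TABLE = {
    "ads.example.net":     "203.0.113.10",
    "cdn.ads.example.net": "203.0.113.10",
    "news.example.org":    "203.0.113.10",   # innocent site, same CDN IP
    "shop.example.com":    "203.0.113.11",
}

BLOCKED_NAMES = {"ads.example.net"}  # what a pi-hole-style blocklist contains

def name_is_blocked(qname: str, blocklist: Set[str]) -> bool:
    """Match the query name and every parent domain against the blocklist,
    so 'cdn.ads.example.net' is caught by an entry for 'ads.example.net'."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def resolve_with_dns_filter(qname: str) -> Optional[str]:
    """Simulated filtering resolver: answer NXDOMAIN (None) for blocked names,
    otherwise hand back the upstream answer."""
    if name_is_blocked(qname, BLOCKED_NAMES):
        return None
    return RESOLUTION_TABLE.get(qname)

def resolve_with_ip_filter(qname: str, blocked_ips: Set[str]) -> Optional[str]:
    """Same view through an IP-based block: every name sharing a blocked
    address is lost, whether or not it was meant to be blocked."""
    answer = RESOLUTION_TABLE.get(qname)
    if answer is not None and ip_address(answer) in {ip_address(b) for b in blocked_ips}:
        return None
    return answer

def collateral_damage(blocked_names: Set[str]) -> Set[str]:
    """Names an IP-based block cuts off in addition to what the name-based
    filter blocks, for the same intended blocklist."""
    blocked_ips = {RESOLUTION_TABLE[n] for n in blocked_names if n in RESOLUTION_TABLE}
    return {n for n in RESOLUTION_TABLE
            if resolve_with_ip_filter(n, blocked_ips) is None
            and not name_is_blocked(n, blocked_names)}

if __name__ == "__main__":
    for n in RESOLUTION_TABLE:
        print(f"{n:24} dns-filter={resolve_with_dns_filter(n)}")
    print("over-blocked by IP filter:", collateral_damage(BLOCKED_NAMES))
```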
I have an old Soekris Net6501 which I would love to use OpenBSD on. However, they don't have any support for the Sierra WWAN modem I have.
Unfortunately, finding an alternative Linux distro which supports an installation process which uses the serial terminal interface is really, really hard these days. So the device sits unused in one of my desk drawers.
You might have to PXE boot to launch the installation with non-default parameters but you should have little problem doing so (and both PXELINUX and iPXE support serial console).
I don't know the specifics of the Net6501, but can't you do a foreign debootstrap where you let debootstrap copy all files on a machine that is already installed, then boot it up on the Soekris itself and let it do the rest of its install work over the serial connection?
I’ve used pfsense on some soekris 5505s (I think, it’s been a while).
It was sort of a pain, at first, to get pfsense on them. It’s been a while since I’ve done it, but here’s the short version.
1. I found a version of linux (voyage maybe?) that had some pxe boot stuff setup automatically. I just had to set the dhcp range and a few other options. Any distro with pxe boot works but I’m lazy.
2. Plugged the soekris box into my laptop’s ethernet port. The linux distro was just a VM. Set up the VM so its NIC could communicate with the physical laptop ethernet port.
3. Hooked a serial cable up to the soekris and set it to pxe boot. I had to find the manual to figure out what speed I needed for the serial port. I want to say default was 9600, but double check. Then it got the image from the linux VM and that was enough to get me a cmd line via serial port.
4. I copied the pfsense cf image (I think it’s called that) to an exfat USB flash drive and plugged it into the USB port on the soekris.
5. I mounted the USB flash drive on the soekris and used dd to copy the image to the internal cf card.
6. Reboot the soekris when done, change boot order on it, if applicable, and from there plug the soekris into the network or somewhere where it can get a dhcp address so you can finish setup from a web browser.
If you’re interested I might be able to find my notes on it, but it’s probably been 5+ years.
Looks like a good article to follow. Does anyone have recommendations on a small form factor board to get for this project? It appears that the ASRock Mini ITX board in the article is no longer available?
If you are providing a compatible ethernet board as in this writeup, virtually anything you can actually plug the board into will work. Not to imply that OBSD does not support most ethernet, as opposed to WiFi where you might have to be a bit more selective. Here is the list of appropriate WiFi drivers that can be used to make an OBSD based access point:
GP is implying that OPNsense is not OpenBSD, otherwise they would not have used the word "but", and used a comparison between their love of the GUI to their love of OpenBSD.
I run NixOS on a https://www.pcengines.ch/apu2e2.htm .