# a debian router sbc?
I think the time is now. We're finally ready.
## config scribbles
### network interface names
Customize them in udev via `/etc/udev/rules.d/70-persistent-net.rules`. `KERNELS==` matches the kernel name of the parent device (the platform MAC or the PCI slot), so the names follow the physical ports rather than probe order, and `NAME:=` makes the assignment final so no later rule renames the interface again:
```
SUBSYSTEM=="net", ACTION=="add", KERNELS=="fe2a0000.ethernet", NAME:="wan"
SUBSYSTEM=="net", ACTION=="add", KERNELS=="0000:01:00.0", NAME:="lan1"
SUBSYSTEM=="net", ACTION=="add", KERNELS=="0001:01:00.0", NAME:="lan2"
```
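An added helper (not from the page or from Armbian) that discovers the `KERNELS` value udev will match for each NIC by resolving the sysfs `device` link, and prints the matching rule line. The sysfs directory argument and the `wan`/`lan1`/`lan2` role names passed on the command line are assumptions, so the check can be run against a constructed tree as well as the real `/sys/class/net`:

```sh
#!/bin/sh
# Added example, not from the page or Armbian: find the parent kernel device
# name of every NIC (what udev's KERNELS== matches) and emit rule lines.
# Assumption: /sys/class/net/<iface>/device is a symlink to the parent device,
# which is how the kernel exposes both platform (fe2a0000.ethernet) and PCI NICs.
set -eu

# Print "<iface> <parent-kernel-name>" for each interface under the given
# sysfs net directory (default /sys/class/net). Virtual interfaces such as
# lo, bonds, bridges and VLANs have no device link and are skipped.
list_nic_parents() {
    sysfs_net=${1:-/sys/class/net}
    for path in "$sysfs_net"/*; do
        [ -e "$path/device" ] || continue
        iface=$(basename "$path")
        parent=$(basename "$(readlink -f "$path/device")")
        printf '%s %s\n' "$iface" "$parent"
    done
}

# One 70-persistent-net.rules line: pin a parent device to a stable name.
# NAME:= is a final assignment, so nothing that runs later can rename it.
udev_rule() {
    printf 'SUBSYSTEM=="net", ACTION=="add", KERNELS=="%s", NAME:="%s"\n' "$1" "$2"
}

# Usage: ./nic-kernels.sh              -> list what is on the box
#        ./nic-kernels.sh KERNELS NAME -> print the rule for one mapping
case $# in
    0) list_nic_parents ;;
    2) udev_rule "$1" "$2" ;;
esac
```

After dropping the rules in place, `udevadm test /sys/class/net/eth0 2>&1 | grep NAME` shows the name udev will apply without rebooting; the rename only happens on `ACTION=="add"`, so the new names take effect at the next boot.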
### configure LEDS
This needs to happen early enough to catch the link state change: if a link is already up when the trigger is written, the LED stays off until the next link flap, which is why a DT overlay works better than a boot-time script.
```
echo "stmmac-0:01:link" > /sys/class/leds/green:wan/trigger
echo "r8169-0-100:00:link" > /sys/class/leds/green:lan-1/trigger
echo "r8169-1-100:00:link" > /sys/class/leds/green:lan-2/trigger
```
The final overlay is this:
```
/dts-v1/;
/plugin/;
&{/gpio-leds/led-wan} {
linux,default-trigger = "stmmac-0:01:link";
};
&{/gpio-leds/led-lan1} {
linux,default-trigger = "r8169-0-100:00:link";
};
&{/gpio-leds/led-lan2} {
linux,default-trigger = "r8169-1-100:00:link";
};
```
## lane's roadmap
### basic armbian support
- [x] add CSC definition for board
- [x] add udev config to build for renaming NICs to WAN LAN1 LAN2
- [x] add DT Overlays to configure LEDS (overlay works better than a script because lights don't turn on if link is already hot before trigger is changed)
- [ ] static interrupt assignment for NICs
  - going to wait on this until perf testing etc.. armbian-hardware-optimize is a tangle.
### custom armbian extension
- [x] remove wpa_supplicant, network-manager, chrony
- [x] enable netplan, systemd-networkd, systemd-timesyncd, systemd-cron, enable DHCP on wan interface only
- [x] enable schedutil governor
- [x] enable irqbalance
Extra credit for later:
* some sort of semi-opinionated base config
  * firewalld or nftables (normies probably want nftables)
  * default firewall for WAN
  * basic dnsmasq setup
  * NAT configured on WAN
  * static IP LAN setup on LAN1
  * DHCP server on LAN2
#### clean-up tasks I'm seeing
##### fix armbian networkd
```
systemctl unmask systemd-networkd
```
* also had to reboot for LACP to take effect, probably because of the above
#### Misc Tuning
* `apt install -y irqbalance`
* use `schedutil`
Those two things gave me an experience as good as or better than leaning on armbian-hardware-optimize and the settings used by the "media kernel" devices.
* read up on https://serverfault.com/questions/1066607/tuning-linux-router-and-server-for-better-performance-solving-single-tcp-conne
### clammy-ng
An easy-to-manage router on vanilla Debian, thanks to Ansible managing the following:
* netplan
* ~~firewalld~~ foomuuri!!!
* dnsmasq
* frrouting
* wireguard
#### base
- [x] enable ipv4 forwarding
#### netplan
- [x] configure WAN interface
- [x] configure LACP on LAN1 LAN2
- [x] configure VLANs
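The netplan layout those three items describe, as an added example written here rather than taken from the clammy-ng role: WAN is the only interface running a DHCP client, lan1 and lan2 are bonded with LACP, and the VLANs ride on the bond. The VLAN ids and subnets are the page's test VLANs; the output directory argument and the bond parameters are assumptions.

```sh
#!/bin/sh
# Added example, not the page's clammy-ng config: write the netplan file for
# WAN on DHCP, lan1+lan2 bonded with LACP and tagged VLANs on the bond.
# The VLAN ids/subnets are the page's test VLANs; everything else is assumed.
set -eu

write_netplan() {
    out=${1:-/etc/netplan}/10-router.yaml
    {
        cat <<'EOF'
network:
  version: 2
  renderer: networkd
  ethernets:
    wan:
      dhcp4: true            # the only interface that ever runs a DHCP client
      dhcp6: false
    lan1:
      dhcp4: false
    lan2:
      dhcp4: false
  bonds:
    bond0:
      interfaces: [lan1, lan2]
      parameters:
        mode: 802.3ad        # LACP; the switch side must be configured to match
        lacp-rate: fast
        transmit-hash-policy: layer3+4
        mii-monitor-interval: 100
  vlans:
EOF
        # one tagged interface per VLAN, router address .1 in each subnet
        for v in 1000:192.168.100 1001:192.168.101 1002:192.168.102; do
            id=${v%%:*}
            net=${v#*:}
            printf '    vlan%s:\n      id: %s\n      link: bond0\n      addresses: [%s.1/24]\n' \
                "$id" "$id" "$net"
        done
    } > "$out"
    # netplan warns about world-readable configs, and a router's netplan may
    # later carry wireguard private keys: keep the file root-only.
    chmod 600 "$out"
    echo "$out"
}

# usage: ./write-netplan.sh [/etc/netplan]
if [ $# -eq 1 ]; then
    write_netplan "$1"
fi
```

Apply it with `netplan generate` followed by `netplan try` rather than `netplan apply`: `try` rolls the change back after its timeout unless you confirm it, so a bond or VLAN mistake on a headless box does not cut off the SSH session you are fixing it from.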
#### dnsmasq
- [x] configure DNS server
- [x] configure DHCP for vlans
- [x] static reservations
- [x] seed hosts
#### foomuuri
Tip on integrating fail2ban with foomuuri:
https://blog.frehi.be/2023/10/29/setting-up-foomuuri-an-nftables-based-firewall/
## internal notes
### network testing env
#### testing vlans
* 1000
* 1001
* 1002
### cutover todo
- [x] copy vlans configs
  - [x] USER
  - [x] SERVER
    - [x] add alias interface for haproxy 172.17.20.2
  - [x] IntranetOT
  - [x] IOT
  - [x] Gateway
- [x] DHCP static leases
- [x] Static DNS entries
- [x] DNS conditional forwarding
- [ ] DNS conditional reverse forwarding
- [x] YOLO firewall setting
- [x] NAT
- [x] Port forwarding
- [x] haproxy setup
- [x] manual dns update
### post cutover todo
- [ ] firewall groups
  - [ ] ports
  - [ ] hosts
  - [ ] networks
- [ ] add firewall rules again
- [ ] dyndns client setup
- [ ] mdns repeater
#### data
##### static leases
`fgrep static EDGEOS_CONFIG.old |fgrep dhcp| awk '{print $9, $11}'`
HDHomeRun 192.168.3.197
HDHomeRun '00:18:DD:05:66:8B'
p2pbridge-kay 192.168.3.141
p2pbridge-kay '9c:53:22:c7:5b:50'
p2pbridge-shed 192.168.3.129
p2pbridge-shed '9c:53:22:c7:57:fc'
r69 192.168.3.137
r69 '12:6e:bc:3e:c7:3b'
switch1 192.168.3.2
switch1 'd8:0d:17:89:72:a9'
clammy 172.17.21.2
clammy '02:07:4a:95:8d:7c'
AmcrestDogcam 172.17.25.115
AmcrestDogcam '9c:8e:cd:0:af:34'
AmcrestOutdoor1 172.17.25.105
AmcrestOutdoor1 '3c:ef:8c:8c:42:35'
AmcrestOutdoor2 172.17.25.108
AmcrestOutdoor2 '3c:ef:8c:8c:41:5d'
yi-hack 172.17.25.99
yi-hack 'b0:d5:9d:96:29:b1'
armdocker-1 172.17.20.163
armdocker-1 '02:81:1f:10:1a:c3'
armdocker-2 172.17.20.161
armdocker-2 '02:81:ac:0c:7d:b0'
armdocker-3 172.17.20.162
armdocker-3 '02:81:9f:ea:fe:02'
lanecloud0-hashicontrol1 172.17.20.179
lanecloud0-hashicontrol1 '02:11:32:21:36:75'
##### static host
apc.angrybear.com ups.angrybear.com
apc.angrybear.com 192.168.3.5
diskstation.angrybear.com 192.168.3.142
diskstation.server.angrybear.com ldap.server.angrybear.com
diskstation.server.angrybear.com 172.17.20.10
haproxy.angrybear2.local 172.17.20.2
haproxy.angrybear.com 172.17.20.2
printer.angrybear.com larryprinter.angrybear.com
printer.angrybear.com 192.168.3.22
puesta-del-server.jjj.angrybear.com 10.98.97.2
router.angrybear.com 192.168.3.1
scarif.friendnet.angrybear.com 10.98.29.1
switch1.angrybear.com 192.168.3.2
switch2.angrybear.com 192.168.3.4
switch3.angrybear.com 192.168.3.6
switch4.angrybear.com 192.168.3.7
switch5.angrybear.com 192.168.3.8
##### firewall address groups
set firewall group address-group PROTECT_THE_INNOCENT address 0.42.42.42
set firewall group address-group PROTECT_THE_INNOCENT description 'people to intercept DNS'
set firewall group address-group PublicLoadBalancer address 10.98.29.13
set firewall group address-group PublicLoadBalancer address 10.98.29.7
set firewall group address-group PublicLoadBalancer address 10.98.29.12
set firewall group address-group PublicLoadBalancer address 10.128.32.6
set firewall group address-group PublicLoadBalancer description 'Public Ingress Boxes'
set firewall group address-group VIP address 172.17.20.175
set firewall group address-group VIP address 172.17.20.183
set firewall group address-group VIP address 172.17.20.189
set firewall group address-group VIP address 172.17.20.200
set firewall group address-group VIP address 172.17.20.157
set firewall group address-group VIP description 'admin stuff'
set firewall group address-group VIP-VPN-USERS address 10.98.19.2
set firewall group address-group VIP-VPN-USERS address 10.98.20.2
set firewall group address-group VIP-VPN-USERS address 10.98.19.3
set firewall group address-group VIP-VPN-USERS address 10.98.20.3
set firewall group address-group VIP-VPN-USERS address 10.98.19.1
set firewall group address-group VIP-VPN-USERS address 10.98.19.21
set firewall group address-group VIP-VPN-USERS description 'Important users like me'
set firewall group address-group WS-DISCOVERY-IP address 239.255.255.250
set firewall group address-group WS-DISCOVERY-IP description 'WS-DISCOVERY Mutlicast IP'
set firewall group address-group badips address 115.57.127.137
set firewall group address-group badips description 'IPs of badguys'
set firewall group address-group band-stuff address 10.98.19.21
set firewall group address-group band-stuff description 'band stuff'
set firewall group address-group fabio address 172.17.20.163
set firewall group address-group fabio address 172.17.20.161
set firewall group address-group fabio address 172.17.20.191
set firewall group address-group fabio address 172.17.20.200
set firewall group address-group fabio address 172.17.20.166
set firewall group address-group fabio description 'fabio load balancers'
set firewall group address-group haproxy address 172.17.20.2
set firewall group address-group haproxy description ''
##### firewall network groups
set firewall group network-group HOMEUSER description 192.168.3.0/24
set firewall group network-group HOMEUSER network 192.168.3.0/24
set firewall group network-group armbian description 'armbian wireguard'
set firewall group network-group armbian network 10.98.98.0/24
set firewall group network-group britthome description britt20
set firewall group network-group britthome network 172.16.20.0/24
set firewall group network-group britthome network 10.252.0.0/16
set firewall group network-group friendnet description friendnet
set firewall group network-group friendnet network 10.98.29.0/24
set firewall group network-group homeplus description 'user and server'
set firewall group network-group homeplus network 192.168.3.0/24
set firewall group network-group homeplus network 172.17.20.0/24
set firewall group network-group lanecloud description lanecloud
set firewall group network-group lanecloud network 10.128.32.0/24
set firewall group network-group lanecloud network 10.128.32.6/31
set firewall group network-group sam description 'sams stuff'
set firewall group network-group sam network 10.11.0.0/22
set firewall group network-group sam network 10.99.99.12/30
set firewall group network-group testvlans description testvlans
set firewall group network-group testvlans network 192.168.100.0/24
set firewall group network-group testvlans network 192.168.101.0/24
set firewall group network-group testvlans network 192.168.102.0/24
##### firewall port groups
set firewall group port-group CoreServices description 'NTP, SNMP, DNS'
set firewall group port-group CoreServices port ntp
set firewall group port-group CoreServices port snmp
set firewall group port-group CoreServices port 53
set firewall group port-group Fabio description 'fabio ports'
set firewall group port-group Fabio port 9997
set firewall group port-group Fabio port 9998
set firewall group port-group Fabio port 9999
set firewall group port-group Fileshare description 'File Sharing Protocls'
set firewall group port-group Fileshare port nfs
set firewall group port-group Fileshare port 137-139
set firewall group port-group Fileshare port 445
set firewall group port-group Fileshare port ftp
set firewall group port-group FoscamCustomPorts description 'Default and Custom Foscam Ports '
set firewall group port-group FoscamCustomPorts port 9101
set firewall group port-group FoscamCustomPorts port 9100
set firewall group port-group FoscamCustomPorts port 9102
set firewall group port-group FoscamCustomPorts port 9103
set firewall group port-group FoscamCustomPorts port 88
set firewall group port-group FoscamCustomPorts port 888
set firewall group port-group FoscamCustomPorts port 443
set firewall group port-group GoogleHangoutPorts description 'Additional Ports for google hangouts UDP/TCP'
set firewall group port-group GoogleHangoutPorts port 19302-19309
set firewall group port-group GoogleHangoutPorts port 5222-5224
set firewall group port-group GoogleHangoutPorts port 5228
set firewall group port-group GoogleHangoutPorts port 5229
set firewall group port-group Hashi description 'HashiCorp Ports'
set firewall group port-group Hashi port 4646
set firewall group port-group Hashi port 8500
set firewall group port-group Hashi port 9998
set firewall group port-group Hashi port 8200
set firewall group port-group Hashi port 8300
set firewall group port-group Hashi port 8301
set firewall group port-group Hashi port 8302
set firewall group port-group Hashi port 8201
set firewall group port-group Hashi port 8501
set firewall group port-group IOT-Ports description 'ports for IOT'
set firewall group port-group IOT-Ports port 1883
set firewall group port-group IOT-Ports port 514
set firewall group port-group NetworkCameras description 'RTSP Ports'
set firewall group port-group NetworkCameras port 554
set firewall group port-group NetworkCameras port 88
set firewall group port-group PlaystationNetworkTCP description 'Playstation network ports'
set firewall group port-group PlaystationNetworkTCP port 10040-10060
set firewall group port-group PlaystationNetworkUDP description 'Ports for Playstation network'
set firewall group port-group PlaystationNetworkUDP port 50000-60000
set firewall group port-group PlaystationNetworkUDP port 2053
set firewall group port-group Plex description 'Plex Service Ports'
set firewall group port-group Plex port 32400
set firewall group port-group WS-DISCOVERY description 'Web Services Discovery'
set firewall group port-group WS-DISCOVERY port 3702
set firewall group port-group WebServices description 'HTTP AND HTTPS'
set firewall group port-group WebServices port 80
set firewall group port-group WebServices port 443
set firewall group port-group WebServices port 8080
set firewall group port-group mqtt description 'IOT messaging'
set firewall group port-group mqtt port 1883
set firewall group port-group mqtt port 8883
set firewall group port-group mqtt port 9001
set firewall group port-group syncthing description syncthing
set firewall group port-group syncthing port 21027
set firewall group port-group syncthing port 22000
##### conditional DNS forwarding
set service dns forwarding options server=/compound.angrybear.com/1.1.1.1
set service dns forwarding options server=/home.reactornet.net/172.16.20.1
set service dns forwarding options rev-server=172.16.20.0/24,172.16.20.1
set service dns forwarding options server=/britt.local/172.16.20.1
set service dns forwarding options server=/brittnet.local/172.16.20.1
set service dns forwarding options 'server=/consul.angrybear.com/172.17.20.162#8600'
set service dns forwarding options 'server=/consul.service.angrybear.com/172.17.20.162#8600'
set service dns forwarding options server=/backtrackpandemic.angrybear.com/1.1.1.1
set service dns forwarding options server=/home.samdoran.com/10.99.99.13
set service dns forwarding options server=/0.11.10.in-addr.arpa/10.99.99.13
set service dns forwarding options server=/home.reactornet.net/1.1.1.1
set service dns forwarding options server=/tritium.reactornet.net/172.16.20.1
set service dns forwarding options server=/radiun.reactornet.net/172.16.20.1
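The dnsmasq checklist above (DNS server, DHCP per VLAN, static reservations) and the two data dumps (static leases, conditional forwarding) are one migration, so here is one added converter for both. It is not the page's Ansible role; it reads the two formats exactly as the notes show them (the `name ip` / `name 'mac'` pairs from the `fgrep` one-liner, and raw `set service dns forwarding options ...` lines) and writes a dnsmasq config that refuses to serve the WAN side. Output path, pool sizes, the lease time and the sample data in the test are assumptions; the VLAN subnets are the page's.

```sh
#!/bin/sh
# Added example, not the page's Ansible roles: convert the EdgeOS dump notes
# into dnsmasq configuration. Output path, pool sizes and lease time are
# assumptions; the VLAN subnets are the page's test VLANs.
set -eu

# Pairs of "name ip" and "name 'mac'" lines -> dhcp-host=mac,ip,name.
# MAC octets are lowercased and zero-padded: a reservation written as
# 9c:8e:cd:0:af:34 will not match the client's real 9c:8e:cd:00:af:34.
leases_to_dhcp_host() {
    awk -v q="'" '
    {
        name = $1; val = $2
        gsub(q, "", val)
        if (val ~ /^[0-9.]+$/) { ip[name] = val; next }
        n = split(tolower(val), p, ":")
        mac = ""
        for (i = 1; i <= n; i++)
            mac = mac (i > 1 ? ":" : "") (length(p[i]) == 1 ? "0" p[i] : p[i])
        hw[name] = mac
    }
    END {
        for (name in ip)
            if (name in hw) printf "dhcp-host=%s,%s,%s\n", hw[name], ip[name], name
    }' "$1" | LC_ALL=C sort
}

# "set service dns forwarding options X" -> X (these are already dnsmasq
# options). Every domain forwarded to an RFC1918 resolver also gets a
# rebind-domain-ok entry; without it stop-dns-rebind (enabled below) would
# drop the private addresses those zones legitimately answer with.
forwarding_to_dnsmasq() {
    awk -v q="'" '
    /^set service dns forwarding options / {
        sub(/^set service dns forwarding options /, "")
        gsub(q, "")
        print
        if ($0 ~ /^server=\/[^\/]+\/(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
            split($0, f, "/")
            if (f[2] !~ /in-addr\.arpa$/) print "rebind-domain-ok=/" f[2] "/"
        }
    }' "$1"
}

# Router-side base config: never answer DNS or offer DHCP towards the WAN,
# one DHCP pool per VLAN subnet, then the migrated data.
write_dnsmasq_conf() {
    out=$1; leases=$2; edgeos=$3
    {
        echo 'except-interface=wan'   # not an open resolver, no DHCP offers on WAN
        echo 'bind-dynamic'           # bind per address so VLANs that appear later are picked up
        echo 'domain-needed'          # never forward bare hostnames upstream
        echo 'stop-dns-rebind'        # block private answers from arbitrary upstreams
        echo 'dhcp-authoritative'
        for net in 192.168.100 192.168.101 192.168.102; do
            echo "dhcp-range=$net.100,$net.200,12h"
        done
        leases_to_dhcp_host "$leases"
        forwarding_to_dnsmasq "$edgeos"
    } > "$out"
}

# usage: ./edgeos2dnsmasq.sh /etc/dnsmasq.d/router.conf leases.txt EDGEOS_CONFIG.old
if [ $# -eq 3 ]; then
    write_dnsmasq_conf "$1" "$2" "$3"
fi
```

Two things to check after running it: `dnsmasq --test -C` on the result before restarting, and remember that a reservation is only handed out on a subnet dnsmasq serves, so each reservation subnet that has no pool needs at least a `dhcp-range=<address>,static` line.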
##### WAN port-forwarding
set port-forward rule 1 description http
set port-forward rule 1 forward-to address 172.17.20.2
set port-forward rule 1 forward-to port 80
set port-forward rule 1 original-port 80
set port-forward rule 1 protocol tcp
set port-forward rule 2 description plex-syn
set port-forward rule 2 forward-to address 192.168.3.142
set port-forward rule 2 forward-to port 32400
set port-forward rule 2 original-port 32400
set port-forward rule 2 protocol tcp
set port-forward rule 3 description https
set port-forward rule 3 forward-to address 172.17.20.2
set port-forward rule 3 forward-to port 443
set port-forward rule 3 original-port 443
set port-forward rule 3 protocol tcp
set port-forward rule 4 description 'clammy wg0'
set port-forward rule 4 forward-to address 172.17.21.2
set port-forward rule 4 forward-to port 54613
set port-forward rule 4 original-port 54613
set port-forward rule 4 protocol udp
set port-forward rule 6 description wg-armbian
set port-forward rule 6 forward-to address 172.17.21.2
set port-forward rule 6 forward-to port 54002
set port-forward rule 6 original-port 54002
set port-forward rule 6 protocol udp
set port-forward rule 7 description syncthing
set port-forward rule 7 forward-to address 192.168.3.142
set port-forward rule 7 forward-to port 22000
set port-forward rule 7 original-port 22000
set port-forward rule 7 protocol tcp_udp
set port-forward rule 8 description wireguard-jjj0
set port-forward rule 8 forward-to address 172.17.21.2
set port-forward rule 8 forward-to port 59897
set port-forward rule 8 original-port 59897
set port-forward rule 8 protocol udp
set port-forward rule 10 description ''
set port-forward rule 10 forward-to address 172.17.20.191
set port-forward rule 10 forward-to port 54615
set port-forward rule 10 original-port 54615
set port-forward rule 10 protocol udp
set port-forward rule 11 description 'clammy brittnet'
set port-forward rule 11 forward-to address 172.17.21.2
set port-forward rule 11 forward-to port 53700
set port-forward rule 11 original-port 53700
set port-forward rule 11 protocol udp
set port-forward rule 13 description 'clammy friendnet0'
set port-forward rule 13 forward-to address 172.17.21.2
set port-forward rule 13 forward-to port 53701
set port-forward rule 13 original-port 53701
set port-forward rule 13 protocol udp
set port-forward rule 14 description 'clammy wg_ra'
set port-forward rule 14 forward-to address 172.17.21.2
set port-forward rule 14 forward-to port 51820
set port-forward rule 14 original-port 51820
set port-forward rule 14 protocol udp
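The firewall side of the cutover (the foomuuri/nftables item in the roadmap and the NAT and port-forwarding entries in the todo) as one added example. It is plain nftables, not foomuuri's own config syntax and not the page's clammy-ng role: it turns the `set port-forward rule ...` lines above into DNAT rules inside a ruleset whose input and forward chains default to drop and only let DNATed flows in from the WAN. The interface name `wan` is the page's; the output path, the LAN-side policy and the sample rules in the test are assumptions.

```sh
#!/bin/sh
# Added example, not foomuuri syntax and not the page's clammy-ng role: turn
# EdgeOS "set port-forward rule ..." lines into an nftables ruleset with
# default-drop input/forward chains, masquerade on wan and the DNAT rules.
set -eu

# One 'iifname "wan" <proto> dport <port> dnat to <addr>:<port>' line per rule
# (tcp_udp becomes two lines), ordered by rule number. Rules that lack an
# address, original port or protocol are skipped rather than guessed.
edgeos_portforwards_to_nft() {
    awk -v q="'" '
    /^set port-forward rule / {
        id = $4; ids[id] = 1
        if ($5 == "forward-to" && $6 == "address") addr[id] = $7
        else if ($5 == "forward-to" && $6 == "port") dport[id] = $7
        else if ($5 == "original-port") oport[id] = $6
        else if ($5 == "protocol") proto[id] = $6
        else if ($5 == "description") {
            d = $6; for (i = 7; i <= NF; i++) d = d " " $i
            gsub(q, "", d); desc[id] = d
        }
    }
    END {
        for (id in ids) {
            if (!(id in addr) || !(id in oport) || !(id in proto)) continue
            to = (id in dport) ? dport[id] : oport[id]
            cm = "pf" id; if (desc[id] != "") cm = cm " " desc[id]
            n = split(proto[id], pr, "_")
            for (i = 1; i <= n; i++)
                printf "%s\tiifname \"wan\" %s dport %s dnat to %s:%s comment \"%s\"\n",
                       id, pr[i], oport[id], addr[id], to, cm
        }
    }' "$1" | LC_ALL=C sort -n | cut -f2-
}

# Full ruleset: stateful, default drop, nothing from wan reaches the router
# or the LAN unless it is a reply, a DHCP lease reply, ICMP, or a DNAT target.
# Inter-VLAN forwarding is also dropped until per-zone rules are added.
write_nft_ruleset() {
    out=$1; pf=$2
    {
        cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname != "wan" accept                         # management from inside; tighten per zone later
        iifname "wan" udp sport 67 udp dport 68 accept  # DHCPv4 replies from the ISP
        meta l4proto { icmp, ipv6-icmp } limit rate 20/second accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname != "wan" oifname "wan" accept           # inside -> internet
        iifname "wan" ct status dnat accept             # from the internet only what is DNATed below
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
EOF
        edgeos_portforwards_to_nft "$pf" | sed 's/^/        /'
        cat <<'EOF'
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
EOF
    } > "$out"
}

# usage: ./edgeos2nft.sh /etc/nftables.conf EDGEOS_CONFIG.old
if [ $# -eq 2 ]; then
    write_nft_ruleset "$1" "$2"
fi
```

`nft -c -f /etc/nftables.conf` parses the result without loading it; forwarding also needs `net.ipv4.ip_forward=1` (the "enable ipv4 forwarding" item above), and the `ct status dnat` rule is what keeps the WAN forward policy at drop while still letting the WireGuard and haproxy forwards through.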
## administration tricks
Show leases (the first field of `dnsmasq.leases` is the expiry as a Unix timestamp; this turns it into a readable date and sorts):
`awk '{if ($1) {$1=strftime("%c",$1); print}}' /var/lib/misc/dnsmasq.leases|sort`
### IPv6
Do I have IPv6? Watch the WAN side for router advertisements (ICMPv6 type 134; `ip6[40]` is the type byte when there are no extension headers):
`tcpdump -i wan 'icmp6 && ip6[40] == 134' -vv`
More debugging with the ndisc6 package; `rdisc6 -1` sends a router solicitation and exits after the first advertisement it gets back:
`rdisc6 -1 ens3`
## Demo stuff
Basic foomuuri PoC (without Ansible); it also shows off the NanoPi R5S doing bonding via netplan with the clammy-ng config.
[![asciicast](https://asciinema.org/a/oicZHCzBCD3uJET7eZ4Pwrr30.svg)](https://asciinema.org/a/oicZHCzBCD3uJET7eZ4Pwrr30)
Updating firewall demo with ansible / clammy-ng
[![asciicast](https://asciinema.org/a/qOuyMdIWZzd683I7zL0FhFDTD.svg)](https://asciinema.org/a/qOuyMdIWZzd683I7zL0FhFDTD)
Clean interface names thanks to netplan
![](https://m3.lane-fu.com/codimd/uploads/c41df0bc-291c-4e4a-9b37-d69acc3b668c.png)
Handy Script to view dhcp leases
![](https://m3.lane-fu.com/codimd/uploads/52157beb-3ddd-48f5-a3b9-3c048fe899f9.png)
Filter live firewall logs easily with lnav
![](https://m3.lane-fu.com/codimd/uploads/8de9f4ec-794d-43e0-9beb-89ef8819883b.png)
Bandwidth Monitoring with bmon
![](https://m3.lane-fu.com/codimd/uploads/b82856ea-1f72-4de9-83f3-5768c7e04a8a.png)