# a debian router sbc? I think the time is now. we're finally ready

## config scribbles

### network interface names

customize in udev `/etc/udev/rules.d/70-persistent-net.rules`

```
SUBSYSTEM=="net", ACTION=="add", KERNELS=="fe2a0000.ethernet", NAME:="wan"
SUBSYSTEM=="net", ACTION=="add", KERNELS=="0000:01:00.0", NAME:="lan1"
SUBSYSTEM=="net", ACTION=="add", KERNELS=="0001:01:00.0", NAME:="lan2"
```

### configure LEDs

needs to happen early enough to detect link state change

```
echo "stmmac-0:01:link" > /sys/class/leds/green:wan/trigger
echo "r8169-0-100:00:link" > /sys/class/leds/green:lan-1/trigger
echo "r8169-1-100:00:link" > /sys/class/leds/green:lan-2/trigger
```

final overlay is this

```
/dts-v1/;
/plugin/;

&{/gpio-leds/led-wan} {
	linux,default-trigger = "stmmac-0:01:link";
};

&{/gpio-leds/led-lan1} {
	linux,default-trigger = "r8169-0-100:00:link";
};

&{/gpio-leds/led-lan2} {
	linux,default-trigger = "r8169-1-100:00:link";
};
```

## lane's roadmap

### basic armbian support

- [x] add CSC definition for board
- [x] add udev config to build for renaming NICs to WAN LAN1 LAN2
- [x] add DT Overlays to configure LEDs (overlay works better than a script because lights don't turn on if link is already hot before trigger is changed)

going to wait on this until perf testing etc.. armbian-hardware-optimize is a tangle.

- [ ] static interrupt assignment for NICs

### custom armbian extension

- [x] remove wpa_supplicant, network-manager, chrony
- [x] enable netplan, systemd-networkd, systemd-timesyncd, systemd-cron, enable DHCP on wan interface only
- [x] enable schedutil governor
- [x] enable irqbalance

Extra credit for later:

* some sort of semi-opinionated base config
* firewalld or nftables
  * normies probably want nftables
* default firewall for WAN
* basic DNSmasq setup
* NAT configured on WAN
* static IP LAN setup on LAN1
* DHCP server on LAN2

#### clean-up tasks i'm seeing

##### fix armbian networkd

```
systemctl unmask systemd-networkd
```

* also had to reboot for lacp to take effect.. thinking because of above
#### Misc Tuning

* `apt install -y irqbalance`
* use `schedutil`

Those 2 things above seemed to give me an experience as good or better than leaning on armbian-hardware-optimize and the settings used by the "media kernel" devices

* read up on https://serverfault.com/questions/1066607/tuning-linux-router-and-server-for-better-performance-solving-single-tcp-conne

### clammy-ng

Easy to manage router on vanilla debian thanks to ansible managing the following:

* netplan
* ~~firewalld~~ foomuuri!!!
* dnsmasq
* frrouting
* wireguard

#### base

- [x] enable ipv4 forwarding

#### netplan

- [x] configure WAN interface
- [x] configure LACP on LAN1 LAN2
- [x] configure VLANs

#### dnsmasq

- [x] configure DNS server
- [x] configure DHCP for vlans
- [x] static reservations
- [x] seed hosts

#### foomuuri

tip here on integrating fail2ban with foomuuri https://blog.frehi.be/2023/10/29/setting-up-foomuuri-an-nftables-based-firewall/

## internal notes

### network testing env

#### testing vlans

1000 1001 1002

### cutover todo

- [x] copy vlans configs
  - [x] USER
  - [x] SERVER
    - [x] add alias interface for haproxy 172.17.20.2
  - [x] IntranetOT
  - [x] IOT
  - [x] Gateway
- [x] DHCP static leases
- [x] Static DNS entries
- [x] DNS conditional forwarding
- [ ] DNS conditional reverse forwarding
- [x] YOLO firewall setting
- [x] NAT
- [x] Port forwarding
- [x] haproxy setup
- [x] manual dns update

### post cutover todo

- [ ] firewall groups
  - [ ] ports
  - [ ] hosts
  - [ ] networks
- [ ] add firewall rules again
- [ ] dyndns client setup
- [ ] mdns repeater

#### data

##### static leases

`fgrep static EDGEOS_CONFIG.old |fgrep dhcp| awk '{print $9, $11}'`

```
HDHomeRun 192.168.3.197 HDHomeRun '00:18:DD:05:66:8B'
p2pbridge-kay 192.168.3.141 p2pbridge-kay '9c:53:22:c7:5b:50'
p2pbridge-shed 192.168.3.129 p2pbridge-shed '9c:53:22:c7:57:fc'
r69 192.168.3.137 r69 '12:6e:bc:3e:c7:3b'
switch1 192.168.3.2 switch1 'd8:0d:17:89:72:a9'
clammy 172.17.21.2 clammy '02:07:4a:95:8d:7c'
```
```
AmcrestDogcam 172.17.25.115 AmcrestDogcam '9c:8e:cd:0:af:34'
AmcrestOutdoor1 172.17.25.105 AmcrestOutdoor1 '3c:ef:8c:8c:42:35'
AmcrestOutdoor2 172.17.25.108 AmcrestOutdoor2 '3c:ef:8c:8c:41:5d'
yi-hack 172.17.25.99 yi-hack 'b0:d5:9d:96:29:b1'
armdocker-1 172.17.20.163 armdocker-1 '02:81:1f:10:1a:c3'
armdocker-2 172.17.20.161 armdocker-2 '02:81:ac:0c:7d:b0'
armdocker-3 172.17.20.162 armdocker-3 '02:81:9f:ea:fe:02'
lanecloud0-hashicontrol1 172.17.20.179 lanecloud0-hashicontrol1 '02:11:32:21:36:75'
```

##### static hosts

one mapping per line: hostname, any aliases, then the address

```
apc.angrybear.com ups.angrybear.com apc.angrybear.com 192.168.3.5
diskstation.angrybear.com 192.168.3.142
diskstation.server.angrybear.com ldap.server.angrybear.com diskstation.server.angrybear.com 172.17.20.10
haproxy.angrybear2.local 172.17.20.2
haproxy.angrybear.com 172.17.20.2
printer.angrybear.com larryprinter.angrybear.com printer.angrybear.com 192.168.3.22
puesta-del-server.jjj.angrybear.com 10.98.97.2
router.angrybear.com 192.168.3.1
scarif.friendnet.angrybear.com 10.98.29.1
switch1.angrybear.com 192.168.3.2
switch2.angrybear.com 192.168.3.4
switch3.angrybear.com 192.168.3.6
switch4.angrybear.com 192.168.3.7
switch5.angrybear.com 192.168.3.8
```

##### firewall address groups

```
set firewall group address-group PROTECT_THE_INNOCENT address 0.42.42.42
set firewall group address-group PROTECT_THE_INNOCENT description 'people to intercept DNS'
set firewall group address-group PublicLoadBalancer address 10.98.29.13
set firewall group address-group PublicLoadBalancer address 10.98.29.7
set firewall group address-group PublicLoadBalancer address 10.98.29.12
set firewall group address-group PublicLoadBalancer address 10.128.32.6
set firewall group address-group PublicLoadBalancer description 'Public Ingress Boxes'
set firewall group address-group VIP address 172.17.20.175
set firewall group address-group VIP address 172.17.20.183
set firewall group address-group VIP address 172.17.20.189
set firewall group address-group VIP address 172.17.20.200
set firewall group address-group VIP address 172.17.20.157
set firewall group address-group VIP description 'admin stuff'
set firewall group address-group VIP-VPN-USERS address 10.98.19.2
set firewall group address-group VIP-VPN-USERS address 10.98.20.2
set firewall group address-group VIP-VPN-USERS address 10.98.19.3
set firewall group address-group VIP-VPN-USERS address 10.98.20.3
set firewall group address-group VIP-VPN-USERS address 10.98.19.1
set firewall group address-group VIP-VPN-USERS address 10.98.19.21
set firewall group address-group VIP-VPN-USERS description 'Important users like me'
set firewall group address-group WS-DISCOVERY-IP address 239.255.255.250
set firewall group address-group WS-DISCOVERY-IP description 'WS-DISCOVERY Mutlicast IP'
set firewall group address-group badips address 115.57.127.137
set firewall group address-group badips description 'IPs of badguys'
set firewall group address-group band-stuff address 10.98.19.21
set firewall group address-group band-stuff description 'band stuff'
set firewall group address-group fabio address 172.17.20.163
set firewall group address-group fabio address 172.17.20.161
set firewall group address-group fabio address 172.17.20.191
set firewall group address-group fabio address 172.17.20.200
set firewall group address-group fabio address 172.17.20.166
set firewall group address-group fabio description 'fabio load balancers'
set firewall group address-group haproxy address 172.17.20.2
set firewall group address-group haproxy description ''
```

##### firewall network groups

```
set firewall group network-group HOMEUSER description 192.168.3.0/24
set firewall group network-group HOMEUSER network 192.168.3.0/24
set firewall group network-group armbian description 'armbian wireguard'
set firewall group network-group armbian network 10.98.98.0/24
set firewall group network-group britthome description britt20
set firewall group network-group britthome network 172.16.20.0/24
set firewall group network-group britthome network 10.252.0.0/16
set firewall group network-group friendnet description friendnet
set firewall group network-group friendnet network 10.98.29.0/24
set firewall group network-group homeplus description 'user and server'
set firewall group network-group homeplus network 192.168.3.0/24
set firewall group network-group homeplus network 172.17.20.0/24
set firewall group network-group lanecloud description lanecloud
set firewall group network-group lanecloud network 10.128.32.0/24
set firewall group network-group lanecloud network 10.128.32.6/31
set firewall group network-group sam description 'sams stuff'
set firewall group network-group sam network 10.11.0.0/22
set firewall group network-group sam network 10.99.99.12/30
set firewall group network-group testvlans description testvlans
set firewall group network-group testvlans network 192.168.100.0/24
set firewall group network-group testvlans network 192.168.101.0/24
set firewall group network-group testvlans network 192.168.102.0/24
```

##### firewall port groups

```
set firewall group port-group CoreServices description 'NTP, SNMP, DNS'
set firewall group port-group CoreServices port ntp
set firewall group port-group CoreServices port snmp
set firewall group port-group CoreServices port 53
set firewall group port-group Fabio description 'fabio ports'
set firewall group port-group Fabio port 9997
set firewall group port-group Fabio port 9998
set firewall group port-group Fabio port 9999
set firewall group port-group Fileshare description 'File Sharing Protocls'
set firewall group port-group Fileshare port nfs
set firewall group port-group Fileshare port 137-139
set firewall group port-group Fileshare port 445
set firewall group port-group Fileshare port ftp
set firewall group port-group FoscamCustomPorts description 'Default and Custom Foscam Ports '
set firewall group port-group FoscamCustomPorts port 9101
set firewall group port-group FoscamCustomPorts port 9100
set firewall group port-group FoscamCustomPorts port 9102
set firewall group port-group FoscamCustomPorts port 9103
set firewall group port-group FoscamCustomPorts port 88
set firewall group port-group FoscamCustomPorts port 888
set firewall group port-group FoscamCustomPorts port 443
set firewall group port-group GoogleHangoutPorts description 'Additional Ports for google hangouts UDP/TCP'
set firewall group port-group GoogleHangoutPorts port 19302-19309
set firewall group port-group GoogleHangoutPorts port 5222-5224
set firewall group port-group GoogleHangoutPorts port 5228
set firewall group port-group GoogleHangoutPorts port 5229
set firewall group port-group Hashi description 'HashiCorp Ports'
set firewall group port-group Hashi port 4646
set firewall group port-group Hashi port 8500
set firewall group port-group Hashi port 9998
set firewall group port-group Hashi port 8200
set firewall group port-group Hashi port 8300
set firewall group port-group Hashi port 8301
set firewall group port-group Hashi port 8302
set firewall group port-group Hashi port 8201
set firewall group port-group Hashi port 8501
set firewall group port-group IOT-Ports description 'ports for IOT'
set firewall group port-group IOT-Ports port 1883
set firewall group port-group IOT-Ports port 514
set firewall group port-group NetworkCameras description 'RTSP Ports'
set firewall group port-group NetworkCameras port 554
set firewall group port-group NetworkCameras port 88
set firewall group port-group PlaystationNetworkTCP description 'Playstation network ports'
set firewall group port-group PlaystationNetworkTCP port 10040-10060
set firewall group port-group PlaystationNetworkUDP description 'Ports for Playstation network'
set firewall group port-group PlaystationNetworkUDP port 50000-60000
set firewall group port-group PlaystationNetworkUDP port 2053
set firewall group port-group Plex description 'Plex Service Ports'
set firewall group port-group Plex port 32400
set firewall group port-group WS-DISCOVERY description 'Web Services Discovery'
set firewall group port-group WS-DISCOVERY port 3702
set firewall group port-group WebServices description 'HTTP AND HTTPS'
set firewall group port-group WebServices port 80
set firewall group port-group WebServices port 443
set firewall group port-group WebServices port 8080
set firewall group port-group mqtt description 'IOT messaging'
set firewall group port-group mqtt port 1883
set firewall group port-group mqtt port 8883
set firewall group port-group mqtt port 9001
set firewall group port-group syncthing description syncthing
set firewall group port-group syncthing port 21027
set firewall group port-group syncthing port 22000
```

##### conditional DNS forwarding

```
set service dns forwarding options server=/compound.angrybear.com/1.1.1.1
set service dns forwarding options server=/home.reactornet.net/172.16.20.1
set service dns forwarding options rev-server=172.16.20.0/24,172.16.20.1
set service dns forwarding options server=/britt.local/172.16.20.1
set service dns forwarding options server=/brittnet.local/172.16.20.1
set service dns forwarding options 'server=/consul.angrybear.com/172.17.20.162#8600'
set service dns forwarding options 'server=/consul.service.angrybear.com/172.17.20.162#8600'
set service dns forwarding options server=/backtrackpandemic.angrybear.com/1.1.1.1
set service dns forwarding options server=/home.samdoran.com/10.99.99.13
set service dns forwarding options server=/0.11.10.in-addr.arpa/10.99.99.13
set service dns forwarding options server=/home.reactornet.net/1.1.1.1
set service dns forwarding options server=/tritium.reactornet.net/172.16.20.1
set service dns forwarding options server=/radiun.reactornet.net/172.16.20.1
```

##### WAN port-forwarding

```
set port-forward rule 1 description http
set port-forward rule 1 forward-to address 172.17.20.2
set port-forward rule 1 forward-to port 80
set port-forward rule 1 original-port 80
set port-forward rule 1 protocol tcp
set port-forward rule 2 description plex-syn
set port-forward rule 2 forward-to address 192.168.3.142
set port-forward rule 2 forward-to port 32400
set port-forward rule 2 original-port 32400
set port-forward rule 2 protocol tcp
set port-forward rule 3 description https
set port-forward rule 3 forward-to address 172.17.20.2
set port-forward rule 3 forward-to port 443
set port-forward rule 3 original-port 443
set port-forward rule 3 protocol tcp
set port-forward rule 4 description 'clammy wg0'
set port-forward rule 4 forward-to address 172.17.21.2
set port-forward rule 4 forward-to port 54613
set port-forward rule 4 original-port 54613
set port-forward rule 4 protocol udp
set port-forward rule 6 description wg-armbian
set port-forward rule 6 forward-to address 172.17.21.2
set port-forward rule 6 forward-to port 54002
set port-forward rule 6 original-port 54002
set port-forward rule 6 protocol udp
set port-forward rule 7 description syncthing
set port-forward rule 7 forward-to address 192.168.3.142
set port-forward rule 7 forward-to port 22000
set port-forward rule 7 original-port 22000
set port-forward rule 7 protocol tcp_udp
set port-forward rule 8 description wireguard-jjj0
set port-forward rule 8 forward-to address 172.17.21.2
set port-forward rule 8 forward-to port 59897
set port-forward rule 8 original-port 59897
set port-forward rule 8 protocol udp
set port-forward rule 10 description ''
set port-forward rule 10 forward-to address 172.17.20.191
set port-forward rule 10 forward-to port 54615
set port-forward rule 10 original-port 54615
set port-forward rule 10 protocol udp
set port-forward rule 11 description 'clammy brittnet'
set port-forward rule 11 forward-to address 172.17.21.2
set port-forward rule 11 forward-to port 53700
set port-forward rule 11 original-port 53700
set port-forward rule 11 protocol udp
set port-forward rule 13 description 'clammy friendnet0'
set port-forward rule 13 forward-to address 172.17.21.2
set port-forward rule 13 forward-to port 53701
set port-forward rule 13 original-port 53701
set port-forward rule 13 protocol udp
set port-forward rule 14 description 'clammy wg_ra'
set port-forward rule 14 forward-to address 172.17.21.2
set port-forward rule 14 forward-to port 51820
set port-forward rule 14 original-port 51820
set port-forward rule 14 protocol udp
```

## administration tricks

Show leases

`awk '{if ($1) {$1=strftime("%c",$1); print}}' /var/lib/misc/dnsmasq.leases|sort`

### IPv6

Do I have ip6?

`tcpdump -i wan 'icmp6 && ip6[40] == 134' -vv`

more debugging with ndisc6

`rdisc6 -1 ens3`

## Demo stuff

Basic foomuuri poc (without ansible) also shows off nanopi-r5s doing bonding via netplan / clammy-ng config

[![asciicast](https://asciinema.org/a/oicZHCzBCD3uJET7eZ4Pwrr30.svg)](https://asciinema.org/a/oicZHCzBCD3uJET7eZ4Pwrr30)

Updating firewall demo with ansible / clammy-ng

[![asciicast](https://asciinema.org/a/qOuyMdIWZzd683I7zL0FhFDTD.svg)](https://asciinema.org/a/qOuyMdIWZzd683I7zL0FhFDTD)

Clean interface names thanks to netplan

![](https://m3.lane-fu.com/codimd/uploads/c41df0bc-291c-4e4a-9b37-d69acc3b668c.png)

Handy Script to view dhcp leases

![](https://m3.lane-fu.com/codimd/uploads/52157beb-3ddd-48f5-a3b9-3c048fe899f9.png)

Filter live firewall logs easily with lnav

![](https://m3.lane-fu.com/codimd/uploads/8de9f4ec-794d-43e0-9beb-89ef8819883b.png)

Bandwidth Monitoring with bmon

![](https://m3.lane-fu.com/codimd/uploads/b82856ea-1f72-4de9-83f3-5768c7e04a8a.png)
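The "post cutover todo" above still has the firewall groups (ports, hosts, networks) to be re-created on the new nftables/foomuuri box. The following is an added example (not part of these notes or of clammy-ng) that turns the EdgeOS `set firewall group ...` dump into nftables named sets, and flags elements that either will not load or look like placeholders (the `0.42.42.42` entry in PROTECT_THE_INNOCENT sits in the reserved 0.0.0.0/8 block, and the WS-DISCOVERY address is multicast, so both are reported for review). The table name `inet filter` is an assumption; the sample lines are copied from the group data above.

```python
"""Convert EdgeOS ``set firewall group ...`` lines into nftables named sets.

Added example for the firewall-group migration notes; not part of the original
notes or of clammy-ng. The table ``inet filter`` is an assumption. The sample
input is a handful of the page's own group definitions (constructed subset).
"""
import ipaddress
import shlex
from collections import OrderedDict

SAMPLE = """\
set firewall group address-group PublicLoadBalancer address 10.98.29.13
set firewall group address-group PublicLoadBalancer address 10.98.29.7
set firewall group address-group PublicLoadBalancer description 'Public Ingress Boxes'
set firewall group address-group PROTECT_THE_INNOCENT address 0.42.42.42
set firewall group address-group WS-DISCOVERY-IP address 239.255.255.250
set firewall group network-group homeplus network 192.168.3.0/24
set firewall group network-group homeplus network 172.17.20.0/24
set firewall group port-group Fileshare port nfs
set firewall group port-group Fileshare port 137-139
set firewall group port-group Fileshare port 445
set firewall group port-group Fileshare description 'File Sharing Protocols'
"""

# EdgeOS group kind -> (nft element type, whether ranges/prefixes need ``flags interval``)
KINDS = {
    "address-group": ("ipv4_addr", False),
    "network-group": ("ipv4_addr", True),
    "port-group": ("inet_service", True),
}

THIS_NET = ipaddress.ip_network("0.0.0.0/8")  # never a real host on the LAN


def parse_groups(text):
    """Return {name: {"kind", "elements", "description"}} from set-commands.

    Non-matching lines are skipped, so a whole config dump can be fed in.
    """
    groups = OrderedDict()
    for raw in text.splitlines():
        tok = shlex.split(raw)  # shlex handles the quoted descriptions
        if tok[:3] != ["set", "firewall", "group"] or len(tok) < 6:
            continue
        kind, name, field, value = tok[3], tok[4], tok[5], " ".join(tok[6:])
        if kind not in KINDS:
            continue
        g = groups.setdefault(name, {"kind": kind, "elements": [], "description": ""})
        if field == "description":
            g["description"] = value
        elif field in ("address", "network", "port"):
            g["elements"].append(value)
    return groups


def check_elements(groups):
    """Report (group, element, reason) for addresses that need a second look."""
    problems = []
    for name, g in groups.items():
        if g["kind"] == "port-group":
            continue
        for el in g["elements"]:
            try:
                net = ipaddress.ip_network(el, strict=False)
            except ValueError:
                problems.append((name, el, "not an IPv4 address/prefix"))
                continue
            if net.subnet_of(THIS_NET):
                problems.append((name, el, "placeholder in 0.0.0.0/8"))
            elif net.is_multicast:
                problems.append((name, el, "multicast address"))
    return problems


def render_nft(groups, table="inet filter"):
    """Emit an nft table containing one named set per EdgeOS group."""
    out = ["table %s {" % table]
    for name, g in groups.items():
        typ, interval = KINDS[g["kind"]]
        out.append("    set %s {" % name)
        out.append("        type %s" % typ)
        if interval:
            out.append("        flags interval")
        if g["description"]:
            out.append('        comment "%s"' % g["description"].replace('"', ""))
        if g["elements"]:
            out.append("        elements = { %s }" % ", ".join(g["elements"]))
        out.append("    }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    groups = parse_groups(SAMPLE)
    for name, el, why in check_elements(groups):
        print("REVIEW %s: %s (%s)" % (name, el, why))
    print(render_nft(groups))
```

Run it against the full `show configuration commands` dump and feed the output to `nft -c -f` first; the `-c` check catches an element nft cannot parse before anything is loaded.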
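The "WAN port-forwarding" rules above are the other half of that migration, and they deserve a lint pass before they are re-created: one rule (10) has an empty description, and every forward should land inside a known LAN prefix. The following is an added example (not part of these notes or of clammy-ng) that parses the `set port-forward rule N ...` lines, reports such findings, and renders nftables DNAT rules. It assumes the WAN interface is called `wan` as in the udev rules above, that the nat table is `ip nat`, and that the allowed destination prefixes are the page's own 172.17.20.0/24, 172.17.21.0/24 and 192.168.3.0/24; `tcp_udp` rules are expanded into one rule per protocol.

```python
"""Translate EdgeOS ``set port-forward rule N ...`` lines into nftables DNAT
rules, with a lint pass first.

Added example for the WAN port-forwarding data; not part of the original notes
or of clammy-ng. Assumptions: WAN interface ``wan``, nat table ``ip nat``, and
ALLOWED_DESTS built from the page's LAN ranges. SAMPLE is a constructed subset
of the page's rules (including the tcp_udp one and the undocumented one).
"""
import ipaddress
import shlex
from collections import OrderedDict

SAMPLE = """\
set port-forward rule 1 description http
set port-forward rule 1 forward-to address 172.17.20.2
set port-forward rule 1 forward-to port 80
set port-forward rule 1 original-port 80
set port-forward rule 1 protocol tcp
set port-forward rule 7 description syncthing
set port-forward rule 7 forward-to address 192.168.3.142
set port-forward rule 7 forward-to port 22000
set port-forward rule 7 original-port 22000
set port-forward rule 7 protocol tcp_udp
set port-forward rule 10 description ''
set port-forward rule 10 forward-to address 172.17.20.191
set port-forward rule 10 forward-to port 54615
set port-forward rule 10 original-port 54615
set port-forward rule 10 protocol udp
"""

ALLOWED_DESTS = [ipaddress.ip_network(n) for n in
                 ("172.17.20.0/24", "172.17.21.0/24", "192.168.3.0/24")]


def parse_port_forwards(text):
    """Return {rule_number: {description, address, port, original_port, protocol}}."""
    rules = OrderedDict()
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if tok[:3] != ["set", "port-forward", "rule"] or len(tok) < 6:
            continue
        num = int(tok[3])
        r = rules.setdefault(num, {"description": "", "address": None, "port": None,
                                   "original_port": None, "protocol": None})
        key = tok[4]
        if key == "description":
            r["description"] = " ".join(tok[5:])
        elif key == "forward-to" and len(tok) >= 7:
            r[tok[5]] = tok[6]  # "address" or "port"
        elif key == "original-port":
            r["original_port"] = tok[5]
        elif key == "protocol":
            r["protocol"] = tok[5]
    return rules


def lint_rules(rules):
    """Return (rule, reason) pairs a reviewer should resolve before re-creating."""
    findings = []
    for num, r in rules.items():
        if not r["description"]:
            findings.append((num, "no description: purpose unknown"))
        if r["protocol"] not in ("tcp", "udp", "tcp_udp"):
            findings.append((num, "unsupported protocol %r" % r["protocol"]))
        try:
            dest = ipaddress.ip_address(r["address"])
        except ValueError:
            findings.append((num, "missing or invalid forward-to address"))
            continue
        if not any(dest in net for net in ALLOWED_DESTS):
            findings.append((num, "forwards outside the allowed LAN prefixes"))
    return findings


def render_nft(rules, wan="wan"):
    """Emit an ``ip nat`` table with one DNAT rule per (rule, protocol)."""
    lines = ["table ip nat {", "    chain prerouting {",
             "        type nat hook prerouting priority dstnat; policy accept;"]
    for num, r in rules.items():
        protos = ["tcp", "udp"] if r["protocol"] == "tcp_udp" else [r["protocol"]]
        comment = r["description"] or "rule %d" % num
        for proto in protos:
            lines.append('        iifname "%s" %s dport %s dnat to %s:%s comment "%s"'
                         % (wan, proto, r["original_port"], r["address"], r["port"], comment))
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_port_forwards(SAMPLE)
    for num, why in lint_rules(rules):
        print("REVIEW rule %d: %s" % (num, why))
    print(render_nft(rules))
```

The rendered chain is only the DNAT half; the matching forward-chain accept for each target still has to come from the firewall policy (foomuuri in this setup), which is what keeps a forgotten rule like 10 from silently opening a path later.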
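The `tcpdump -i wan 'icmp6 && ip6[40] == 134'` check above works because byte 40 is the first byte after the fixed 40-byte IPv6 header, i.e. the ICMPv6 type, and 134 is Router Advertisement (RFC 4861). The following added example (not part of these notes) expresses that same filter in Python and then decodes the RA fields an operator actually wants to see: which link-local router sent it, the M/O flags, router lifetime, advertised prefixes and RDNSS servers. Comparing the `router` field against the expected upstream gateway is the quickest way to notice an unexpected advertiser on the segment. The packet is constructed inline with `struct.pack` using 2001:db8::/32 documentation addresses; the checksum is left at zero because nothing here verifies it.

```python
"""Decode an ICMPv6 Router Advertisement from a raw IPv6 packet.

Added example, not part of the original notes. The sample packet is constructed
(fe80::1 -> ff02::1, prefix 2001:db8:1::/64, RDNSS 2001:db8:1::53); the ICMPv6
checksum is left as zero since it is not validated here.
"""
import ipaddress
import struct

ICMPV6 = 58
ND_ROUTER_ADVERT = 134   # the 134 in tcpdump's ``ip6[40] == 134``
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


def build_sample_ra():
    """Constructed RA: M=0, O=1, lifetime 1800 s, one /64 prefix, one RDNSS."""
    src = ipaddress.ip_address("fe80::1").packed
    dst = ipaddress.ip_address("ff02::1").packed
    prefix = ipaddress.ip_address("2001:db8:1::").packed
    dns = ipaddress.ip_address("2001:db8:1::53").packed
    # RA header: type, code, checksum, cur hop limit, flags (M=0x80, O=0x40),
    # router lifetime, reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x40, 1800, 0, 0)
    # Prefix Information option (32 bytes = length 4): prefix length 64,
    # flags L|A, valid 86400, preferred 14400, reserved, prefix
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0) + prefix
    # RDNSS option (24 bytes = length 3): reserved, lifetime, one address
    icmp += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + dns
    # Fixed IPv6 header: version 6, payload length, next header 58, hop limit 255
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255) + src + dst
    return ip6 + icmp


def is_router_advertisement(pkt):
    """Python form of the tcpdump expression ``icmp6 && ip6[40] == 134``."""
    return (len(pkt) > 40 and pkt[0] >> 4 == 6
            and pkt[6] == ICMPV6 and pkt[40] == ND_ROUTER_ADVERT)


def parse_ra(pkt):
    """Return the advertising router and the fields it is pushing to hosts."""
    if not is_router_advertisement(pkt):
        raise ValueError("not an ICMPv6 Router Advertisement")
    body = pkt[40:]
    _t, _c, _cksum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", body[:16])
    ra = {"router": str(ipaddress.ip_address(pkt[8:24])), "hop_limit": hop,
          "managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0:  # RFC 4861 4.6: zero-length options are invalid, stop parsing
            raise ValueError("zero-length ND option")
        opt = body[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(opt) == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": "%s/%d" % (ipaddress.ip_address(opt[16:32]), plen),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and len(opt) >= 24:
            for i in range(8, len(opt) - 15, 16):
                ra["rdnss"].append(str(ipaddress.ip_address(opt[i:i + 16])))
        off += olen * 8
    return ra


if __name__ == "__main__":
    print(parse_ra(build_sample_ra()))
```

To use it on real traffic, read frames from a `tcpdump -w` capture and hand the IPv6 packet (after the link-layer header) to `parse_ra`; `rdisc6` shows the same fields interactively, this is the version you can assert on.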