forked from JAMESMTL/debian-v9-router
BUILD A DEBIAN LINUX ROUTER FROM SCRATCH FOR BELL FTTH INTERNET & TV
A How-to by example using an install script
Every once in a while I'll get asked how to build a router using linux. The
problem people seem to have is not a lack of information on how to go about
it but an overload of conflicting how-tos. So I started thinking about
putting together yet another how-to but never really got motivated.
And then, upnatom posted his awesome patch for BCM57810S based NICs:
https://www.dslreports.com/forum/r32230041-Internet-Bypassing-the-HH3K-up-to-2-5Gbps-using-a-BCM57810S-NIC
This was a game changer for those of us on Bell FTTH looking to sync with the
Bell SFP ONTs at 2.5G without having to purchase a UBNT ES-16-XG. This patch
can be built for either linux or bsd (pfsense). If pfsense is not for
you, then linux is the only option. This brings us back full circle: how do you
build a router using linux?
So I started off building a how-to, you know, a simple list of install this and
configure that. This method works fine but takes forever, and at the end of the
day the user will probably just end up copy/pasting directly from the how-to.
So instead of putting together a simple how-to, I decided to wrap it up into
an install script + archive of preconfigured config files + utility scripts
ready for Bell FTTH internet and iptv. Using this script a user can quickly
build a fully functional router that you can play with and dig into.
The router can be built from scratch in less than 15 minutes.
As this is also a how-to let's start by looking at the install script. It's
a super simple script, most of which is dedicated to user feedback and
making copies of all the files so that the user can compare the original files
with a working config.
The actual script can be found here:
https://github.com/JAMESMTL/debian-v9-router/blob/master/install.sh
Summary of what the script does:
https://github.com/JAMESMTL/debian-v9-router/blob/master/files/opt/router/docs/install-script
List of the packages the script will install:
https://github.com/JAMESMTL/debian-v9-router/blob/master/files/opt/router/docs/packages
List of the config files and utility scripts that will be installed:
https://github.com/JAMESMTL/debian-v9-router/blob/master/files/opt/router/docs/files
You can browse all of the files here:
https://github.com/JAMESMTL/debian-v9-router/tree/master/files
Before getting into the how-to part here are some design choices I made:
With the upcoming debian 10 release, debian will switch from the
iptables framework to the nftables framework (next gen iptables), which
introduces native support for sets, dictionaries, etc. as part of the
underlying framework.
So keeping that in mind, I used ipsets instead of traditional iptables
rules for both port forwarding and forced dns redirection.
What may be even more interesting with nftables are the improvements
in its efficiency and the introduction of flowtables, native
offloading (fastpath) for linux.
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
https://www.kernel.org/doc/Documentation/networking/nf_flowtable.txt
Another design choice I made, which differs significantly from what
most people who bypass the hh3k do, is how I deal with the iptv dns queries.
Most guides I've seen forward a few zones such as *.iptv.bell.ca to bell's
10.2/16 dns servers. I take a different approach in that I pass bell's 10.2/16
dns servers directly to the receivers. The up side to this approach is that iptv
will continue working even if bell changes the required dns zones. The down
side is that you have to add the receiver's mac address to the dhcp server's
dhcp host file. This is a one time entry which is as simple as
d4:0a:a9:21:fc:a7,BELLPVR,set:iptv-dns
This names the device with mac address xx BELLPVR (or whatever), sets the
iptv-dns tag, and you're done. Of course if you prefer the other approach you
can just add the required forward zones to the base unbound dns config.
Another design choice I made was to get everything needed for Bell IPv6 ready
from the get go. So everything is configured for IPv6, either via dhcpv6-pd
(bell) or using an HE.net 6in4 tunnel. HE.net has its own routing table, so
those rules need to be configured instead of making HE the default route. This
way both can co-exist once Bell starts providing service.
SO LET'S GET TO IT ALREADY!
First off you will need a couple of tools. WinSCP to remotely edit files on the
router, and to transfer files back and forth. I suggest WinSCP because it will
follow symlinks. The other tool you will need is your favorite ssh client. It's
easier to work over ssh than on the console as you can easily copy/paste.
We will be doing a net install of debian, meaning the VM or target device needs
internet access for the install, both to install additional packages and to
download the script and archive file. While an offline install is possible I
will not get into that here. Once the target VM or device is configured you
will activate it, as in enable some needed configs such as setting the static
address of 192.168.2.1 and enabling dhcp services.
Step 1 - Install a fresh copy of debian server to your target VM or device.
If you don't dilly dally you can install a fresh copy of debian in about
3-5 minutes.
Here is a quick debian install guide. Seriously, don't try and get all
fancy; all you want is a basic install.
https://github.com/JAMESMTL/debian-v9-router/blob/master/files/opt/router/docs/install-debian
Step 2 - Log into the console as root OR via ssh using the build account (user)
and run
su
to get root access.
note: you may need to log into the console to get the device IP prior to
logging in via ssh.
Step 3 - Download and run the install script
wget -q -O /tmp/install.sh https://raw.githubusercontent.com/JAMESMTL/debian-v9-router/master/install.sh && sh /tmp/install.sh
You may be asked if you want to install open-vm-tools if a hypervisor is
detected.
Press enter for all of the package configuration prompts (blue screen).
Don't waste your time entering anything as the config files will
wipe out anything you enter anyway.
Total script execution time is about 2 minutes
Step 4 - Configure the router
Because the firewall rules and services are configured with wan interfaces
named wan0, wan1, etc. and lan interfaces named lan0, lan1, etc. you will
need to map your actual interface names to that pattern. First off you
need to know your interface names and macs, so run
ip a
to get that information. ex:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:0c:29:66:25:e5 brd ff:ff:ff:ff:ff:ff
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:66:25:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.228/24 brd 192.168.2.255 scope global ens224
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe66:25ef/64 scope link
       valid_lft forever preferred_lft forever
Once you have that information, log into the VM or device using WinSCP
and navigate to the /root/router/config directory.
In that directory you will find symlinks to all the basic config files,
which you can edit directly by opening them up in WinSCP.
To get up and running start with:
a) edit persistent network interface names
~/router/config/network_persistent_rules
so that your lan0 and wan0 devices match your interface names ex.
KERNEL=="ens192", ATTR{address}=="00:0c:29:66:25:e5", NAME="wan0"
KERNEL=="ens224", ATTR{address}=="00:0c:29:66:25:ef", NAME="lan0"
b) edit your bell pppoe credentials (user & pass)
~/router/config/network_pppoe
You have now configured everything needed for bell internet.
You can configure more settings, but I would suggest starting
with just internet.
You now need to run the activate script. This script replaces the
temporary network interface config, where the device gets an ip via dhcp,
with the static address of 192.168.2.1 and enables dhcp services.
Run the following:
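A check worth running before activating, added here as an example and not part of the debian-v9-router project: it compares the MACs in network_persistent_rules against the interfaces actually present. A mistyped MAC leaves wan0 or lan0 unnamed, and the firewall rules and services bound to those names never attach to the real NIC. The sample rules and "ip a" output below are constructed.

```shell
#!/bin/sh
# Added example (not from the debian-v9-router project): verify the udev
# persistent-net rules against saved "ip a" output before activate.sh.

# Print "NAME MAC" for each rule of the form
#   KERNEL=="ens192", ATTR{address}=="00:0c:29:66:25:e5", NAME="wan0"
rules_macs() {
    sed -n 's/.*ATTR{address}=="\([0-9A-Fa-f:]*\)".*NAME="\([A-Za-z0-9]*\)".*/\2 \1/p' "$1" \
        | tr 'A-F' 'a-f'
}

# Print every link/ether MAC found in saved "ip a" output, lower-cased.
link_macs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "link/ether") print $(i + 1) }' "$1" \
        | tr 'A-F' 'a-f'
}

# Usage: check_persistent_rules RULES_FILE IP_A_OUTPUT_FILE
# Returns 0 when every rule's MAC exists and no name is used twice;
# otherwise prints one line per problem and returns 1.
check_persistent_rules() {
    present=$(link_macs "$2")
    problems=$(
        rules_macs "$1" | while read -r name mac; do
            printf '%s\n' "$present" | grep -qx "$mac" ||
                printf 'MISSING: %s -> %s matches no interface\n' "$name" "$mac"
        done
        rules_macs "$1" | cut -d' ' -f1 | sort | uniq -d |
            sed 's/^/DUPLICATE: more than one rule is named /'
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample data: the two NICs from the "ip a" listing above, and a
# rules file with a typo in the wan0 MAC (e5 typed as e6) and lan0 declared twice.
IP_A=$(mktemp); RULES_BAD=$(mktemp)
cat > "$IP_A" <<'EOF'
2: ens192: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:0c:29:66:25:e5 brd ff:ff:ff:ff:ff:ff
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:66:25:ef brd ff:ff:ff:ff:ff:ff
EOF
cat > "$RULES_BAD" <<'EOF'
KERNEL=="ens192", ATTR{address}=="00:0c:29:66:25:e6", NAME="wan0"
KERNEL=="ens224", ATTR{address}=="00:0c:29:66:25:ef", NAME="lan0"
KERNEL=="ens256", ATTR{address}=="00:0c:29:66:25:ef", NAME="lan0"
EOF
check_persistent_rules "$RULES_BAD" "$IP_A" || echo "fix network_persistent_rules before running activate.sh"
```

On a real box, save "ip a > /tmp/ip-a.txt" and point the function at that file and at ~/router/config/network_persistent_rules.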
~/router/action/activate.sh
The router WILL NOW SHUTDOWN!
The next time it starts it will act as a router, so you need to shut down
your existing router before restarting the new one.
HOW-TO: Enable iptv
a) edit ~/router/config/network_interfaces
- remove comments from iptv interface section
b) edit ~/router/config/dhcp_hosts
- add receivers to iptv-dns group (tag)
c) reboot
HOW-TO: Enable port forwarding
a) edit ~/router/config/firewall_forwarding_v4.set
or ~/router/config/firewall_forwarding_v6.set
- add rules
b) run ~/router/action/forwarding-rules.sh to reload rules
HOW-TO: Enable HE IPv6 tunnel
a) edit ~/router/config/network_interfaces
- edit he-net interface section
- replace address value of 2001:db8:1:1::2 with HE Client IPv6 Address
- replace endpoint value of 216.66.38.58 with HE Server IPv4 Address
- replace rule prefix of 2001:db8:100::/48 with HE Routed IPv6 Prefix
b) edit lan0 interface section
- replace address value of 2001:db8:100:1::1 with an ip+prefix from your routed range
- add route for that prefix to interface
c) edit ~/router/config/dhcp_base
- uncomment ipv6 dhcp-range for lan0 interface (config as desired)
d) edit ~/router/config/ddns_he_tunnel
- replace henet_username, henet_prefix_pass, and he_host_999999
where henet_prefix_pass = update key found on the advanced tab of the HE tunnel page
where he_host_999999 = tunnel id or hostnum found at end of HE DDNS Example Update URL
e) edit ~/router/config/network_wan_up
- uncomment /opt/router/scripts/ddns/ddns-ipv4-he-tunnel
f) reboot
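To show how the he-net and lan0 pieces above fit together, here is an added illustration (not the project's own network_interfaces file) using the same placeholder values; the table number 100 and the use of ifupdown's v4tunnel method are assumptions:

```text
auto he-net
iface he-net inet6 v4tunnel
    address 2001:db8:1:1::2
    netmask 64
    endpoint 216.66.38.58
    ttl 255
    # HE gets its own routing table (100 is an assumed number) so it does not
    # replace the Bell default route
    up ip -6 rule add from 2001:db8:100::/48 table 100
    up ip -6 route add default dev he-net table 100
    down ip -6 rule del from 2001:db8:100::/48 table 100

iface lan0 inet6 static
    address 2001:db8:100:1::1
    netmask 64
    # the lan prefix must also be reachable from inside table 100, otherwise
    # traffic sourced from the routed range toward the lan is sent into the tunnel
    up ip -6 route add 2001:db8:100:1::/64 dev lan0 table 100
```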
That should be enough to get started
list of quick scripts:
~/router/action/activate.sh
script to copy over the temporary network interface and dhcp server config
files then remap symlinks
~/router/action/backup.sh
script that will create an archive of files installed by the script that have
been modified by the user.
WARNING: it will only back up files installed by the script, not additional files
created by the user.
~/router/action/filelist.sh
script that will list all the files installed by the script and identify
files that are missing from the system and those that have been modified
since installation
~/router/action/forwarding-rules.sh
script to reload the forwarding ipsets and regenerate the firewall
DNATHOSTS entries
~/router/action/restore.sh
script that will restore the files from the original install archive
as well as the files last backed up by the user.
WARNING: it will only restore files installed by the script, not additional files
created by the user.
~/router/action/ssh-lock.sh
script that will disable ssh password authentication and enable pubkey
authentication
WARNING: make sure you get the ssh rsa private key ~/.ssh/root@hostname first
or you will lock yourself out via ssh
~/router/action/ssh-reset.sh
script that will enable ssh password authentication and disable pubkey
authentication, will delete the files from ~/.ssh, and will then
generate a new set of keys.
~/router/action/ssh-unlock.sh
script that will enable ssh password authentication and disable pubkey
authentication.
NOTE: users may be interested in installing the vnstat package to monitor
network usage, ex. how much internet traffic this month, etc. I haven't added
it to the base install yet as I want to add backups of the usage data to the
existing backup script.
apt install vnstat*