Back on the DIY router route!

Hola amigos/amigas (I hope that doesn’t get me arrested!), hi friends…

After a lengthy hiatus I’m once again looking at putting my own router together. I have:

  • a Minisforum MS-A1 w/ 9600X, 32GB RAM & enough SSD incoming (also an MS-01; I’m currently favoring the MS-A1 - six cores will be more than adequate; I just hope the 9600X isn’t too new)
  • a Netgear AX3000 WAP (just the one so far)
  • Netgear 2.5Gbps and gigabit switches (LAN is currently gigabit, going to 2.5Gbps and then who knows?)
  • a sub-gigabit connection to my internet provider

So, the big issue is software. I’m totally ready to stick pfSense on the machine (maybe OPNsense too, but pfSense seems to be the one everyone prefers).

However, I’m a Linux maniac, or as much of one as you can be without ever having installed Arch (Manjaro doesn’t count? Debian and Fedora for me, for the most part, and I only steer clear of Arch because I don’t want to have to learn yet another package manager!). I’d love to cobble together a replacement for my trusty civilian-tier Linksys WRT1900AC, or whatever its designation is, using only Linux. I obviously don’t have the most demanding of setups, although I do have a veritable small enterprise division’s worth of computer hardware hooked up to the LAN, wired and wireless.

Is there a tried & trusted recipe for setting up a Linux-based router, or should I just do the sensible thing and install pfSense? I’ve searched, of course, and there are some decent tips and lists out there, but the overwhelming advice seems to be: install pfSense or OPNsense. I don’t mind battling with Linux services (probably on Debian 12 or 13 if I go that route) - it’s all a learning opportunity, right? - but only if I’m going to end up with a working router. I will, anyway - if I tried the Linux route and failed and gave up, then I’d fall back to the pfSensible solution.

Any ideas/thoughts/recommendations/disrecommendations gladly received, even if it’s: just install pfSense already.

BTW, after my previous to-ing and fro-ing on this subject last year, I’ve decided to forgo Proxmox. It seems quite a few homelab mavens set up their routers on Proxmox, but one of the nuggets of info that I received from Level1Techs last year was to forgo virtualization. Proxmox will have to wait for another project, or I could stick it on whichever of the MS-A1 or MS-01 doesn’t end up being the router.

I was considering an ARM-based solution at one point for the low-power/always-on aspect, but that’s going to wait until there’s a beefier solution than my Raspberry Pi 5.

Thanks as always!

That is way too much for a bare-metal router to support a sub-gigabit internet feed; it could easily double up as a NAS / homelab starter with a Proxmox / forbidden router setup.
If Linux is your thing and you don’t mind the command line, then look into VyOS, otherwise OpenWrt…


I know, but things are getting faster at a reasonable clip, and compute hardware is pretty affordable, so I’m OK with it, and maybe I’ll future-proof myself (famous last words with tech). A NAS is another device I’m looking at, quite possibly on the same hardware (time to play with LVM).

ClearOS seemed the better Linux option to me; at least I liked the sound of it in a list of about 12 Linux router alternatives that I read earlier. I’ll take another look at VyOS.

There’s a significant proportion of experimentation here. Once I get something sorted I can always “downgrade” to the ARM/Risc-V/SBC solution.

Cheers.


Never heard of ClearOS. VyOS is command line only, no GUI, so if you’re used to pfSense/OPNsense it is a big leap.
It runs on Debian; dev ISOs are free, official ISOs have a significant cost…

Amen for the hardware overprovisioning, you do you :)

I just have a systemd-networkd setup on Debian and it does routing, and I have dnsmasq, and that takes care of DHCP and DNS.

The hard parts are:

  • the host also does other things (there’s docker in there).
  • hardware dies, and then things need to be restored, (I have snapper and rclone scripts)
  • software evolves and needs updating/upgrading.

The hardware is just an old N3150 box, with a USB 3 adapter for the WAN interface. I get 1000/50 cable at home.

I don’t know if there’s any real benefits to this.

The software engineer in me wishes to write “backup and restore” scripts, and a “script to rebuild such a router from scratch”, and write Bazel tests that spawn QEMU and ensure that the process is permanently repeatable and never regresses…

… but I don’t have that kind of time.

I think if I ever get fiber at home, I’ll probably just get a boring old UniFi router of some kind.

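An added example, not the poster’s actual config: the shell below renders the three pieces that make a Debian box into the kind of router described in the post above, systemd-networkd .network units for the WAN and LAN sides, the kernel forwarding sysctls, and a dnsmasq config that serves DHCP and DNS on the LAN side only. The interface names (enp1s0/enp2s0), the 10.0.0.0/24 LAN, the Quad9 upstream resolvers and the static lease list are all assumptions; override them through the environment variables at the top.

```sh
#!/bin/sh
# Added example, not from the thread: render the systemd-networkd,
# sysctl and dnsmasq pieces of a two-NIC Debian router. Interface
# names, the 10.0.0.0/24 LAN, upstream resolvers and the static lease
# list are assumptions; override them via environment variables.
set -u

WAN_IF="${WAN_IF:-enp1s0}"        # assumed NIC facing the ISP
LAN_IF="${LAN_IF:-enp2s0}"        # assumed NIC facing the switch
LAN_ADDR="${LAN_ADDR:-10.0.0.1}"
LAN_PREFIX="${LAN_PREFIX:-24}"
DHCP_START="${DHCP_START:-10.0.0.100}"
DHCP_END="${DHCP_END:-10.0.0.199}"
LAN_DOMAIN="${LAN_DOMAIN:-lan}"

# Constructed static leases for the example: "mac ip hostname" per line.
STATIC_HOSTS='
aa:bb:cc:dd:ee:01 10.0.0.10 nas
aa:bb:cc:dd:ee:02 10.0.0.11 wap
'

# WAN takes address and default route from the ISP, but ignores the
# ISP's DNS/NTP so LAN clients only ever use the local resolver.
render_wan_network() {
  cat <<EOF
[Match]
Name=$WAN_IF

[Network]
DHCP=ipv4
IPv6AcceptRA=yes

[DHCPv4]
UseDNS=no
UseNTP=no
EOF
}

# LAN side is static and is the only interface dnsmasq listens on.
render_lan_network() {
  cat <<EOF
[Match]
Name=$LAN_IF

[Network]
Address=$LAN_ADDR/$LAN_PREFIX
EOF
}

# dnsmasq: interface= plus bind-interfaces keeps ports 53/67 off the
# WAN and off 0.0.0.0, so it also coexists with systemd-resolved's
# 127.0.0.53 stub. no-resolv + server= pins the upstream resolvers.
render_dnsmasq_conf() {
  cat <<EOF
interface=$LAN_IF
bind-interfaces
domain-needed
bogus-priv
no-resolv
server=9.9.9.9
server=149.112.112.112
domain=$LAN_DOMAIN
local=/$LAN_DOMAIN/
expand-hosts
dhcp-authoritative
dhcp-range=$DHCP_START,$DHCP_END,12h
dhcp-option=option:router,$LAN_ADDR
dhcp-option=option:dns-server,$LAN_ADDR
EOF
  render_static_leases
}

# Turn the lease list into dhcp-host= lines, skipping blank lines.
render_static_leases() {
  printf '%s\n' "$STATIC_HOSTS" | while read -r mac ip name; do
    [ -n "$mac" ] || continue
    printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"
  done
}

# Write everything under /etc and (re)start the services. Root only.
install_configs() {
  [ "$(id -u)" -eq 0 ] || { echo "install_configs: run as root" >&2; return 1; }
  render_wan_network  > /etc/systemd/network/10-wan.network
  render_lan_network  > /etc/systemd/network/20-lan.network
  render_dnsmasq_conf > /etc/dnsmasq.d/lan.conf
  # Forwarding is a kernel knob; keep it in sysctl.d rather than networkd.
  printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' > /etc/sysctl.d/90-router.conf
  sysctl --system > /dev/null
  systemctl enable --now systemd-networkd
  systemctl restart dnsmasq
}

case "${1:-}" in
  install) install_configs ;;
  *) render_wan_network; echo; render_lan_network; echo; render_dnsmasq_conf ;;
esac
```

Run it with no argument to see the rendered files; `install` writes them and restarts the services (Debian’s dnsmasq package already reads /etc/dnsmasq.d/*.conf). The two lines that matter for not leaking anything are `UseDNS=no` on the WAN unit, so the ISP’s resolvers never get pushed to clients, and `interface=`/`bind-interfaces` in dnsmasq, so DHCP and DNS are never bound on the WAN address.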

Overprovisioning today, rightsizing tomorrow.

You DIY’d and struck a blow against The Man! It’s this sort of thing that gives me hope and encouragement. I have fantasies about diving into the Linux kernel and IP stack, but I shouldn’t have to (and it’s been decades since I wrote code at that level), or DIY my own user-mode router process or service, either from the software parts bin or from scratch - it’s not like I’m doing anything else with my time. (Much more likely I’ll return to reality and use something pre-existing.)

Ah, just get some newer hardware and continue the fight against tech oligarchy!

So… turns out, if you have a large amount of time on your hands…

you can write a small utility that runs in userspace to handle new connections, and deal with existing connections using a piece of eBPF code in the NIC, … thus making packets bypass the kernel networking stack altogether, and in some cases even the CPU (depending on what NIC you have).


I up and go play a padel match, but… to each their own, so writing your own micro networking stack is a perfect use of your time as well :)

I vote just Debian.

I tend to use nftables and some mix of reading /usr/share/doc/nftables/examples/ and the nftables/arch/gentoo wikis.

Then add things as you need them. DHCP and DNS are easy.

Though if pfSense is on the table… OpenBSD is pretty nice and what I went with. It has a tried and trusted recipe for setting up a router:

(https://openbsdrouterguide.net/ is an interesting longer complementary read, though obviously not as authoritative/trusted as the previous).

OpenBSD has limited work opportunities, but being across Linux networking is worth gold. So the Debian router from scratch has that additional value.

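As an added example (mine, not the poster’s ruleset and not one of the files in /usr/share/doc/nftables/examples/): a default-deny nftables ruleset for the two-NIC Debian router this thread is about, with masquerading and a per-device set of LAN hosts that are never forwarded to the WAN. Interface names, the LAN prefix and the blocked addresses are assumptions; the script renders the ruleset, parse-checks it where `nft` exists, and installs it to the path Debian’s nftables.service loads.

```sh
#!/bin/sh
# Added example, not the poster's ruleset: a default-deny nftables
# ruleset for a two-NIC Debian router with NAT and a per-device "no
# WAN" deny list. Interface names, the LAN prefix and the blocked
# hosts are assumptions; override them via environment variables.
set -u

WAN_IF="${WAN_IF:-enp1s0}"
LAN_IF="${LAN_IF:-enp2s0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Constructed list of LAN hosts (IPv4 only) that must never reach the WAN.
NO_WAN_HOSTS='
10.0.0.50
10.0.0.51
'

# Join the list into nft set syntax: "10.0.0.50, 10.0.0.51"
set_elements() {
  printf '%s\n' "$NO_WAN_HOSTS" | awk 'NF { printf "%s%s", (n++ ? ", " : ""), $1 }'
}

# Emit the set; "elements = { }" is a syntax error, so omit the line
# entirely when the list is empty.
render_no_wan_set() {
  elems=$(set_elements)
  printf '  set no_wan {\n    type ipv4_addr\n'
  if [ -n "$elems" ]; then
    printf '    elements = { %s }\n' "$elems"
  fi
  printf '  }\n'
}

render_ruleset() {
  cat <<EOF
flush ruleset

table inet filter {
$(render_no_wan_set)

  chain input {
    type filter hook input priority filter; policy drop;
    ct state invalid drop
    ct state established,related accept
    iif lo accept
    # Router services (ssh, DNS, DHCP) reachable from the LAN only
    iifname "$LAN_IF" tcp dport { 22, 53 } accept
    iifname "$LAN_IF" udp dport { 53, 67 } accept
    # ICMP/ICMPv6 for PMTU discovery, NDP and plain diagnostics
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    # DHCPv6 replies from the ISP: the solicit went to multicast, so
    # conntrack never sees them as established; allow them explicitly
    iifname "$WAN_IF" udp dport 546 accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state invalid drop
    ct state established,related accept
    # Deny list first, then the general LAN -> WAN allow. Nothing else
    # is forwarded, so WAN -> LAN stays closed by policy, not by a rule.
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr @no_wan drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Parse-check without loading anything into the kernel.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    render_ruleset | nft -c -f -
  else
    echo "check_ruleset: nft not installed here, skipping" >&2
  fi
}

# Debian's nftables.service loads /etc/nftables.conf at boot.
install_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "install_ruleset: run as root" >&2; return 1; }
  render_ruleset > /etc/nftables.conf
  nft -f /etc/nftables.conf && systemctl enable --now nftables
}

case "${1:-}" in
  check)   check_ruleset ;;
  install) install_ruleset ;;
  *)       render_ruleset ;;
esac
```

Both hook chains are `policy drop`, so a WAN-initiated flow is never forwarded or accepted by the router unless a rule says so; that is what “NAT/firewalling that does not leak” comes down to in practice. The `no_wan` set is how a per-device WAN rule looks in nftables: add or remove an address in the list, re-render, `nft -f` again. The set is IPv4-only; hosts with global IPv6 would need a second `ipv6_addr` set and matching rule.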

I am delving into eBPF and have written a few ncap utilities, so you’re pretty much onto what I’ve been researching.

A Debian solution is my preference. I was researching the various iptables and bridging solutions last year when I first started down this rabbit hole.

I might have a slightly excessive list of requirements for my router, but if I were to manually implement them myself, then keep it organized, updated, portable and easily restorable, I think that would take me forever, even after having tinkered with Linux servers/networks for many decades now.
VyOS for me is the right spot: Debian base, I have the sources, it can be configured (and backed up) through a CLI…
The VyOS devs are a bit on the arsehole side, making you jump through hoops to get going with a non-paid ISO, but compared to the snotty OpenBSD ones and the outright hostile TrueNAS ones that is OK for me as long as I get what I need.

Now, what is it that I need:

  • DNS forwarding
  • DHCP
  • Multiple subnets/VLANS
  • IPv4/IPv6
  • WAN load balancing /failover over multiple connections
  • WAN rules easily configurable per device
  • WireGuard
  • NAT/Firewalling that does not leak
  • Dynamic DNS
  • NTP local server
  • Prometheus collector

All in a nice ISO that I can rebuild myself when I feel the need to, that seamlessly upgrades from one version to another, and can also run multiple versions at the same time… for a router/firewall that to me is the most important thing.

I would classify VyOS primarily as a router, not really as much a firewall per se, and while fast, I think a layer 3 switch being faster sets that stage. Finally, I’m not a fan of “VyOS is now free as in speech, but not as in beer”, and their prices are a HELL of a lot more than any beer!

They are using other people’s code, so my personal opinion is that they can go somewhere alright, and it’s not onto any of my hardware. Nothing angers me more than people that think they can take free code, written, donated and maintained by others, and then have the nerve to charge outrageous rates to get their customized ISOs, and make no mistake, that’s what’s going on here… it’s not just about support, they’re abusing the license(s) of the code that is Open Source and this is not how Open Source works! If you’re going to pay this much, I say stick to Cisco; better yet, IMHO just pass on it completely.
