Jan 24, 2017

My router runs Fedora - Part 1

My principle of 2017

For me 2017 is going to be the first year of the dog food. Eating your own dog food, or simply dogfooding, is a reference to a scenario in which one uses one's own creation to test and promote it. Until 2016 I was way too focused on being a user of the state of the art, and I missed many interesting adventures. Let me go and catch up with how things really work.

Why start with my router?

I love OpenWRT, I really do. But you know what I miss there? systemd...

My job transformed my negative feelings about systemd into some love. I would have done anything to stay far away from systemd a year ago, but now I like it. systemd had the chance to start again, and leaving 40 years of bash hacks in the past is... awesome!

For a long time I was using a $20 router. This was the device on which I learned how to use and love OpenWRT. The only limitation of this cheap router is its 100 Mbps Ethernet ports, which are a problem for the 200 Mbps I get from my ISP. The natural choice for an upgrade would be one of Linksys' WRT routers, and I went for the top of the line, the Linksys WRT3200ACM.

Figure 1: Linksys WRT3200ACM with its awesome two wifi radios

Wifi speed is pretty good, and I could finally use my ISP's full speed, but... The stock interface is ok, but it doesn't support VPN for having isolated networks. It is easy to update to a new firmware; however, at the time I had my router the wifi drivers and firmware were not available for OpenWRT (I didn't quite like dd-wrt). So I was stuck with awesome WRT-friendly hardware that was not supported yet. Argh! Sent it back to the store and got my money back.

Well, what do you do when you can't solve a problem with embedded? You go for x86, right? I went for a ZOTAC ZBOX CI323 NANO (+ 8GB of RAM and SSD), which is one of the cheapest barebones I could find.


Figure 2: ZOTAC ZBOX CI323 NANO with 2 Ethernet and wifi

The case isn't as attractive as the previous one, but guess what? It has all I needed, and even more. It has good build quality and four x86 cores. I added 8GB of RAM, and more SSD space than I could probably use. From the networking perspective it has two gigabit ports and wifi. What is the natural choice when you are moving from OpenWRT? Fedora of course! So I installed the latest Fedora 25 Server.

The network

I can't say my home network is simple, but it is definitely not big. All home-specific stuff like phones, tv, printer, and wife's computer are on wifi, while the stuff related to my work is on the wired network. The wired network doesn't have loads of devices, as I only have two 5-port Netgear Prosafe GS105E-200PES switches. Besides that, my router has one port directly connected to the cable modem, and I have two cross-over connections between two test servers (10Gbps for pretty cool stuff, but this is another story). A total of 11 Ethernet cables. Here's what it looks like:

Figure 3: Peter's home network

I use the rectangles on the right to represent the internal logic of the router, which has two ethernet interfaces, enp2s0 and enp3s0, and wireless wlp4s0. I made the drawing in a way that the router is between the Internet (enp2s0) and my private network (enp3s0 and wlp4s0). Then I add some interesting words on top of the interfaces like macvlan, vlan, and bridge. I'll explain these in detail in Part 2.

The left side shows how I connect the ethernet cables. The red and green solid lines represent my VLANs. The red dotted line shows access permissions between networks. The blue dotted lines show how I use my two external IP addresses.

Why 2 VLANs Peter?

Basically for isolation. I want to be able to have multiple dhcp servers if I need to, and I want the freedom to do interesting things on my work network without interfering with the home network. I measure the success of my setup by the number of times my wife comes with "You are messing with the Internet again, aren't you?". At the time of writing, I've been clean for more than 30 days. But in the first week of my router adventures I was getting on average 3 complaints per day.

I also don't like guests having access to my embedded devices. So no access to my VLANs from wifi.

Yeah, right, but why 2? I use one for my workstation and for the embedded devices, and recently I added a second one for a test lab.

Part 2, how to turn Fedora into a router?

In Part 2 I'll describe in detail how to configure Fedora as a router. There are a thousand details, but it is fun. Some keywords for Part 2: hostapd, 4addr, bridge, vlan, macvlan, firewall-cmd, systemd-networkd, routing tables, masquerade.