Gentoo router how-to, any takers?


s0lid (Active Member, Tampere, Finland)
I've been thinking of replacing my current Debian router with a Gentoo router, and while I'm doing it I might as well document all of it: Gentoo install script, firewall rules generated by ferm, kernel configs, bird config, various /etc/ configs, scripts and fail-proofing scripts for the router (e.g., cannot generate ferm rules if the WAN interface hasn't gotten an IP from DHCP).

Why would I want to document everything publicly? To share ideas and possibly catch some from more experienced network/sys admins.

So any takers?

Going to fire up the test VM this weekend and look into the install script and kernel configs. After the test VM is up and running I'll just run the install script and drop in configs and it'll be done.
Rough software stack:
- kernel 4.4.1
- ferm
- bird
- isc-dhcp

Hardware:
- i3-3220T
- 8G ECC
- 32GB SLC SSD
- 4x gig intel nic
- 2x 10gig br1020 nic

Network topology:
- WAN: get IP from ISP and NAT 2 LAN VLANs
- LAN: 3-4 LAN VLANs and 1 OpenVPN network

MiniKnight (Well-Known Member, NYC)
I would like to see it, but why not just pfSense? I know that's prob a dumb question but it seems like it is much easier. I'm totally for the "just because" reason and I'd like to see how you do it.
 

s0lid (Active Member, Tampere, Finland)
Learning something new and useful that pfSense cannot offer me (and the fact that I don't like web UIs at all). And yeah, I'm one of those "because I can" guys. It's more fun to research and improve your professional know-how than just go with an out-of-the-box solution that works "ok". And I must say ferm is a frigging powerful iptables rule generator; a couple of lines in ferm syntax can get you hundreds of iptables rules.
 

TuxDude (Well-Known Member)
I'll give it a read, just because anything done with Gentoo is cool in my books. But I have to agree with @MiniKnight above - a pfSense would seem a lot more practical.
 

Quasduco (Active Member, Tennessee)
Personally, I think if you don't want a WebUI, then go OpenBSD. Very minimalistic, very conscientious coding, very powerful. Have seen OBSD in use in several datacenters, so others like it, too...
 

whitey (Moderator)
Yep, done this years ago and used it for years on end reliably, good old NAT/masquerading setup with iptables. Looks like you're gonna have fun; this Gentoo article has been around forever. I was a Gentoo zealot back around 2003-2007 but have been hot on RHEL (work)/CentOS/Debian/Arch/Ubuntu for a good bit now.
 

RTM (Well-Known Member)
While I must admit that I think using Gentoo as a router is a pretty weird idea (I'm guessing you have to update it VERY often), it does sound kind of cool in its own way :cool:

While you are at it, you should look into hardening the router with grsecurity, there's even a guide on the gentoo wiki.
 

Crockett (New Member)
> While I must admit that I think using Gentoo as a router is a pretty weird idea (I'm guessing you have to update it VERY often), it does sound kind of cool in its own way :cool:
>
> While you are at it, you should look into hardening the router with grsecurity, there's even a guide on the gentoo wiki.

Every router should update if there are critical/high vulnerabilities found; sadly this doesn't always happen.
I personally think a router with Gentoo is a great/awesome idea, especially for the hardening + built-from-scratch idea. I've been using Gentoo for certain things myself and am seriously considering switching all my stuff to Gentoo builds.
 

s0lid (Active Member, Tampere, Finland)
I'm back after a while of hiatus from all homelabbing (set up a lab subnet and 2 DNS servers there this week, so it counts!). Got an interesting idea at work yesterday in the middle of a war sim... err, work. Why not run each LAN subnet as its own virtual router (vRx), let them do firewalling for that LAN, and let OSPFv2 do route adverts on VXLAN L2 between the virtual routers and the baremetal WAN router (pR1) handling NAT and ingress port forwarding.

This topology graph is where I got after a long day of working, injecting caffeine and reading RFCs while I had the time for it on breaks. For now it'll be a proof of concept (PoC) project; for instance, I've never used VXLAN in practice and its performance is a total mystery to me. Same goes for what the footprint of each vRx will be; it probably won't be a problem since RAM and SSDs are cheap. What I'm looking for from this PoC is a very dynamic way of adding and removing subnets to my network by just dropping in another virtual router from a template and enabling its VLAN on switchports.

Why this approach? I wanted to test VXLAN for in-host-only networking along with having multiple virtual routers residing within a single physical machine. The former is purely from curiosity and the latter from a practical standpoint: doing multiple LANs from a single Linux router is a hassle. Every subnet can communicate with each other unless you drop all subnets except returning traffic (this is NAT after all) and specifically allow incoming from the wanted interfaces of subnets, for all subnets at the same time. I wanted to go for a much more isolated approach; only having one LAN per virtual router allows much better control over what happens with that subnet's firewalling. For instance, having default firewall rules that forbid all traffic from 10.0.0.0/8 and allow all returning traffic gets me roughly to the point that the internet works with no interaction with other VLANs.

Software side... same old bird, ferm and isc-dhcp-server, although I'm not sure whether I want to run Gentoo or Arch. Gentoo involves lots of compiling when updating software, but gets the highest performance out of the hardware with tweaking. Arch allows easier installs from scripts, and updating is lighter thanks to not having to compile non-AUR packages.

For now the PoC hardware will be a 128GB Samsung SSD, C6100 fitted into a Lian Li case, L5630 and 8GB of RAM. No 10G interfaces for now; I ran out of 10G ports on my G8000 so cannot do any 10G performance testing for now...

If the PoC performs adequately I'll move it to the final hardware, which might be the i3-3110T hardware described in the first post or an i7-2630qm mini-ITX setup I have lying around.

Sorry for possible typos and factual errors; it has been a long week for me and intoxication levels are a bit high at this point of the day (past midnight).
 
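The two ideas above, the "fail-proofing" guard from the first post (don't regenerate ferm rules until the WAN interface actually has a DHCP lease) and the per-subnet default ruleset from this post (drop everything the subnet sends towards 10.0.0.0/8, allow only returning traffic, NAT out of the WAN), combined into one POSIX shell script. This is an added example written for this thread, not s0lid's own scripts or the ferm project's code; it collapses the design to a single box with one LAN interface, and the interface names, the 10.20.0.0/24 subnet, the config path and the `ip addr` sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example (not s0lid's scripts): refuse to (re)generate ferm rules until the
# WAN interface holds an IPv4 address, then render a default-deny ruleset that
# isolates one LAN subnet from the rest of 10.0.0.0/8 while allowing returning
# traffic. All names below are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.20.0.0/24}"
FERM_CONF="${FERM_CONF:-/etc/ferm/ferm.conf}"

# Pick the first global-scope IPv4 address out of `ip -4 addr show dev <if>` text on stdin.
# Prints the bare address (no prefix length) or nothing when the interface has none.
wan_ipv4_from_ip_output() {
    awk '$1 == "inet" && /scope global/ { sub(/\/.*/, "", $2); print $2; exit }'
}

# Render the ferm configuration for one router serving one LAN subnet.
# $1 WAN interface, $2 WAN IPv4 address, $3 LAN interface, $4 LAN subnet
render_ferm_conf() {
    cat <<EOF
@def \$WAN_IF  = $1;
@def \$WAN_IP  = $2;
@def \$LAN_IF  = $3;
@def \$LAN_NET = $4;
@def \$PRIVATE = 10.0.0.0/8;

domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;
            # the LAN may talk to the router itself (DHCP, DNS, SSH); nothing else gets in
            interface \$LAN_IF saddr \$LAN_NET proto udp dport (67 53) ACCEPT;
            interface \$LAN_IF saddr \$LAN_NET proto tcp dport (53 22) ACCEPT;
        }
        chain FORWARD {
            policy DROP;
            mod conntrack ctstate INVALID DROP;
            # returning traffic is the only thing allowed back into this subnet
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            # isolation: this subnet may not initiate towards any other private subnet
            interface \$LAN_IF saddr \$LAN_NET daddr \$PRIVATE DROP;
            # ...but may reach the internet through the WAN side
            interface \$LAN_IF outerface \$WAN_IF saddr \$LAN_NET ACCEPT;
        }
        chain OUTPUT policy ACCEPT;
    }
    table nat {
        chain POSTROUTING outerface \$WAN_IF saddr \$LAN_NET SNAT to \$WAN_IP;
    }
}
EOF
}

# Guard: regenerate and load rules only when the WAN side has an address.
# Exit status 1 means "no lease yet", so a dhcp hook or cron job can simply retry.
generate_if_wan_ready() {
    ip_out="$(ip -4 addr show dev "$WAN_IF" 2>/dev/null)" || {
        echo "wan-guard: interface $WAN_IF not found" >&2; return 2; }
    wan_ip="$(printf '%s\n' "$ip_out" | wan_ipv4_from_ip_output)"
    if [ -z "$wan_ip" ]; then
        echo "wan-guard: $WAN_IF has no IPv4 address yet, keeping current rules" >&2
        return 1
    fi
    render_ferm_conf "$WAN_IF" "$wan_ip" "$LAN_IF" "$LAN_NET" > "$FERM_CONF.new"
    # --noexec parses the file and prints the iptables commands without applying
    # them, so a syntax error aborts here before the live ruleset is touched
    ferm --noexec "$FERM_CONF.new" > /dev/null || { rm -f "$FERM_CONF.new"; return 3; }
    mv "$FERM_CONF.new" "$FERM_CONF" && ferm "$FERM_CONF"
}

# Constructed sample `ip -4 addr show` outputs so the parsing can be exercised offline.
SAMPLE_NO_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_WITH_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.42/24 brd 203.0.113.255 scope global dynamic eth0
       valid_lft 85432sec preferred_lft 85432sec'

# Run with "--apply" on the router; without arguments only the offline parse demo runs.
case "${1:-}" in
    --apply) generate_if_wan_ready ;;
    *) printf '%s\n' "$SAMPLE_WITH_IP" | wan_ipv4_from_ip_output ;;
esac
```

The guard writes to a `.new` file and dry-runs ferm on it first, so a typo in the rendered config or a missing lease never leaves the router without rules; the per-subnet block matches the thread's intent in that the only way traffic gets back into the LAN is as ESTABLISHED/RELATED replies, and anything the LAN sends towards 10.0.0.0/8 is dropped before the WAN accept rule is reached.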

e97 (Active Member)
Let me help revive. I'm doing something similar.

why I went with gentoo vs. pfsense

pros:
+ wider hardware support
+ faster routing/performance based on testing
+ highly customizable

cons:
- "harder"/takes more time to set up (though if you script it once, you don't have to do it ever again)

mutual:
+ good security response time


stack:

dhcp: dnsmasq
iptables/shorewall: firewall
unbound: recursive resolve + DNS cache
qos: fireqos / CAKE
dpi: ndpi
IDS: suricata
metrics: netflow -> prometheus + grafana dash
vpn: wireguard / openvpn

hw:

amd apu
intel quad nic
16gb ecc 2666
nvme
mini ITX

idle: ~15w
load: 30W

pretty sure I can optimize this more.. turn off the GPU and lower voltages and what not.
Target is <15W load

Will handle 10G no problem and I can add in 40G QSFP card too when ready : )
 

mb300sd (Active Member)
I'm a big fan of VyOS if you haven't tried it. Debian based, iptables, with a Juniper-like CLI/config system. Switched off pfSense years ago because of lack of CLI, but I don't know if that's improved since.
 

gigatexal (I'm here to learn, Portland, Oregon)
> Let me help revive. I'm doing something similar.
>
> why I went with gentoo vs. pfsense
>
> pros:
> + wider hardware support
> + faster routing/performance based on testing
> + highly customizable
>
> cons:
> - "harder"/takes more time to set up (though if you script it once, you don't have to do it ever again)
>
> mutual:
> + good security response time
>
> stack:
>
> dhcp: dnsmasq
> iptables/shorewall: firewall
> unbound: recursive resolve + DNS cache
> qos: fireqos / CAKE
> dpi: ndpi
> IDS: suricata
> metrics: netflow -> prometheus + grafana dash
> vpn: wireguard / openvpn
>
> hw:
>
> amd apu
> intel quad nic
> 16gb ecc 2666
> nvme
> mini ITX
>
> idle: ~15w
> load: 30W
>
> pretty sure I can optimize this more.. turn off the GPU and lower voltages and what not.
> Target is <15W load
>
> Will handle 10G no problem and I can add in 40G QSFP card too when ready : )

I've been mulling such an idea and installing an AC card with a bunch of antennae to get good coverage.

Thing is, for home use even if pfSense is slower it can't be so much slower to make a difference. In a SOHO or business use case maybe, but I think that point is moot. What irks me still is the lack of AC wireless support on BSD for the time being.
 

Wolfstar (Active Member)
> Thing is for home use even if pfsense is slower it can't be so much slower to make a difference. In a soho or biz usecase maybe but I think that point is mute. What irks me still is the lack of AC wireless support on BSD for the time being.

Honestly, it's not there because even most BSD fans don't use it for a desktop, and using just about any AC card as an access point is just asking for slowdowns. They're not optimized for multiple connections from different devices and in general will be a bad idea. You're much better served getting a standalone AP with decent specs than you are trying to homebrew it with a NIC, especially if you're streaming any media locally or want good transfer speeds from a NAS via wireless clients.