Sick Gaming
Fedora - How to use Fedora Server to create a router / gateway - Printable Version

+--- Thread: Fedora - How to use Fedora Server to create a router / gateway (/thread-85918.html)



Fedora - How to use Fedora Server to create a router / gateway - xSicKxBot - 08-03-2018

How to use Fedora Server to create a router / gateway

<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/08/how-to-use-fedora-server-to-create-a-router-gateway.png" width="825" height="396" title="" alt="" /></div><div><p>Building a router (or gateway) using Fedora Server is an interesting project for users wanting to learn more about Linux system administration and networking. In this article, learn how to configure a Fedora Server minimal install to act as an internet router / gateway.<span id="more-21941"></span></p>
<p>This guide is based on <a href="https://getfedora.org/en/server/">Fedora 28</a> and assumes you have already installed Fedora Server (minimal install). Additionally, you require a suitable network card / modem for the incoming internet connection. In this example, the  <a href="https://www.draytek.com/en/products/products-a-z/router.all/vigornic-132-series/">DrayTek VigorNIC 132</a> NIC was used to create the router.</p>
<h3>Why build your own router</h3>
<p>There are many benefits for building your own router over buying a standalone box (or using the one supplied by your internet provider):</p>
<ul>
<li>Easily update and run latest software versions</li>
<li>Less likely to be swept up in mass exploitation campaigns that target common consumer routers, since it is not a common consumer device (this does not replace keeping it patched)</li>
<li>Run your own VMs or containers on same host/router</li>
<li>Build OpenShift on top of router (future story in this series)</li>
<li>Include your own VPN, Tor, or other tunnel paths along with correct routing</li>
</ul>
<p>The downside is related to time and knowledge.</p>
<ul>
<li>You have to manage your own security</li>
<li>You need the knowledge to troubleshoot issues yourself, or to find the answer on the web (no support calls)</li>
<li>Costs more in most cases than hardware provided by an internet provider</li>
</ul>
<h3>Basic network topology</h3>
<p>The diagram below describes the basic topology used in this setup. The machine running Fedora Server has a PCI Express modem for VDSL. Alternatively, if you use a <a href="https://fedoraproject.org/wiki/Architectures/ARM/Raspberry_Pi">Raspberry Pi</a> with external modem the configuration is mostly similar.</p>
<p><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/08/how-to-use-fedora-server-to-create-a-router-gateway.png" alt="topology" /></p>
<h3>Initial Setup</h3>
<p>First of all, install the packages needed to make the router. Bash completion is included to make the later configuration easier. Additionally, install the packages that let you host your own VMs on the same host via KVM/QEMU.</p>
<pre><strong>dnf install -y bash-completion NetworkManager-ppp qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer </strong></pre>
<p>Next, use <strong>nmcli</strong> to create the <strong>pppoe</strong> connection and set the MTU on the WAN (PPPoE) interface to align with the DSL/ATM MTU. This <a href="https://www.sonicwall.com/en-us/support/knowledge-base/170505851231244">link</a> has a good explanation of how this works. The username and password will be provided by your internet provider. Be aware that a password typed on the command line ends up in your shell history; NetworkManager itself stores it in the connection profile under <em>/etc/NetworkManager/system-connections</em>, which is readable only by root.</p>
<pre><strong>nmcli connection add type pppoe ifname enp2s0 username [email protected] password XXXXXX 802-3-ethernet.mtu 1452</strong></pre>
<p>Now set the firewall's default zone to external and remove incoming SSH access from it. The external zone is meant for the internet-facing interface: it has masquerading enabled, which NATs the LAN behind the WAN address, and firewalld switches on IPv4 forwarding when masquerading is active. The PPPoE connection lands in this zone because it is the default.</p>
<pre><strong>firewall-cmd --set-default-zone=external
firewall-cmd --permanent --zone=external --remove-service=ssh</strong></pre>
<p>Add the LAN interface (br0) with your preferred LAN IP address, then add your physical LAN interface to the bridge.</p>
<pre><strong>nmcli connection add ifname br0 type bridge con-name br0 bridge.stp no ipv4.addresses 10.0.0.1/24 ipv4.method manual
nmcli connection add type bridge-slave ifname enp1s0 master br0</strong></pre>
<p style="padding-left: 30px"><span style="color: #ff0000">Remember to use a subnet that does not overlap with your work's VPN subnet. For example, my work provides a 10.32.0.0/16 subnet when I VPN into the office, so I need to avoid using this in my home network. If you overlap addressing, then the route provided by your VPN will likely have lower priority and you will not route through the VPN tunnel.</span></p>
<p>Now create a file called <em>bridge.xml</em>, containing a bridge definition that <strong>virsh</strong> will consume to create a bridge network in <strong>QEMU</strong>.</p>
<pre>cat &gt; bridge.xml &lt;&lt;EOF
&lt;network&gt;
    &lt;name&gt;host-bridge&lt;/name&gt;
    &lt;forward mode="bridge"/&gt;
    &lt;bridge name="br0"/&gt;
&lt;/network&gt;
EOF</pre>
<p>Start and enable the libvirt-guests service so you can add the bridge to your virtual environment for the VMs to use (it starts libvirtd, the daemon that <strong>virsh</strong> talks to).</p>
<pre><strong>systemctl start libvirt-guests.service
systemctl enable libvirt-guests.service</strong></pre>
<p>Add your “host-bridge” to QEMU via virsh command and the XML file you created earlier.</p>
<pre><strong>virsh net-define bridge.xml
virsh net-start host-bridge
virsh net-autostart host-bridge</strong></pre>
<p>Add br0 to the internal zone and allow DNS and DHCP, since we will be running our own DNS and DHCP services on this router.</p>
<pre><strong>firewall-cmd --permanent --zone=internal --add-interface=br0
firewall-cmd --permanent --zone=internal --add-service=dhcp
firewall-cmd --permanent --zone=internal --add-service=dns</strong></pre>
<p>Since many DHCP clients, including Windows and Linux, ignore the MTU option sent by DHCP, clamp the TCP MSS of forwarded connections to the path MTU so that TCP sessions through the smaller PPPoE MTU do not stall on oversized segments. The rule matches only SYN packets (the flags test), which is where the MSS is negotiated.</p>
<pre><strong>firewall-cmd --permanent --direct --add-passthrough ipv4 -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</strong></pre>
<p>Now reload the firewall so the permanent changes take effect (rules added with <strong>--permanent</strong> are not active until then).</p>
<pre><strong>firewall-cmd --reload</strong></pre>
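<p>The LAN subnet chosen above must not collide with any VPN range you later route through this box, and the MSS clamp is easier to reason about once you know what MSS the PPPoE MTU implies. The script below is an added example and not code from the original article: it checks two CIDR blocks for overlap (10.32.0.0/16 is the work VPN range mentioned above) and computes the MSS that the TCPMSS --clamp-mss-to-pmtu rule writes into an IPv4 SYN for a given path MTU. The function names ip2int, plen2mask, cidr_overlap and mss_for_mtu are mine; it needs only a POSIX shell and runs on any Linux machine, not just the router.</p>

```shell
# Added example: pre-flight checks for the LAN addressing and the MSS clamp
# configured above. Pure POSIX sh, no network access, no firewalld needed.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  )
}

# Netmask for a prefix length, as a 32-bit integer (0 for /0).
plen2mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# Exit 0 if the two CIDR blocks share at least one address, 1 otherwise.
# Two blocks overlap exactly when the shorter prefix covers the other's
# network address, so compare both under the shorter prefix's mask.
cidr_overlap() {
  a=$(ip2int "${1%/*}"); pa=${1#*/}
  b=$(ip2int "${2%/*}"); pb=${2#*/}
  p=$pa
  if [ "$pb" -lt "$p" ]; then p=$pb; fi
  m=$(plen2mask "$p")
  [ $(( a & m )) -eq $(( b & m )) ]
}

# MSS that TCPMSS --clamp-mss-to-pmtu writes for an IPv4 path MTU:
# MTU minus the 20-byte IPv4 header and the 20-byte TCP header.
mss_for_mtu() {
  echo $(( $1 - 40 ))
}

# Usage: the article's LAN (assumed) against the VPN range from the note above.
LAN=10.0.0.1/24
VPN=10.32.0.0/16
if cidr_overlap "$LAN" "$VPN"; then
  echo "WARNING: $LAN overlaps $VPN, pick another LAN subnet"
else
  echo "OK: $LAN does not overlap $VPN"
fi
echo "MSS for the 1452-byte PPPoE MTU: $(mss_for_mtu 1452)"
```

<p>Run it with the LAN you intend to use and every VPN range you expect to connect to; a /24 that sits inside the VPN's /16 is the case the note above warns about, and the overlap check reports it before you hand the subnet out via DHCP.</p>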
<h3>Install and Configure DHCP</h3>
<p>DHCP configuration depends on your home network setup. Use your own domain name and the subnet that was defined when creating <strong>br0</strong>. The MAC address used for the static host entry below can either be read from the lease file once the DHCP service is running, or taken from the label on the device you want to give a static address.</p>
<pre><strong>cat /var/lib/dhcpd/dhcpd.leases</strong></pre>
<pre><strong>dnf -y install dhcp
vi /etc/dhcp/dhcpd.conf</strong></pre>
<section>
<pre>option domain-name "lajoie.org";
option domain-name-servers 10.0.0.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 10.0.0.0 netmask 255.255.255.0 {
        range dynamic-bootp 10.0.0.100 10.0.0.254;
        option broadcast-address 10.0.0.255;
        option routers 10.0.0.1;
        option interface-mtu 1452;
}

host ubifi {
        option host-name "ubifi.lajoie.org";
        hardware ethernet f0:9f:c2:1f:c1:12;
        fixed-address 10.0.0.2;
}</pre>
<p>Now enable and start your DHCP server</p>
<pre><strong>systemctl start dhcpd
systemctl enable dhcpd</strong></pre>
</section>
<section>
<header>
<h1>DNS Install and Configure</h1>
</header>
<p>Next, install <strong>bind</strong> and <strong>bind-utils</strong> for tools like <strong>nslookup</strong> and <strong>dig</strong>.</p>
<pre><strong>dnf -y install bind bind-utils</strong></pre>
<p>Configure bind to listen only on the LAN address and to answer only clients from the LAN subnet, so the router does not become an open resolver reachable from the WAN, and define the forward and reverse zones.</p>
<pre>$ <strong>vi /etc/named.conf</strong></pre>
<pre>options {
        listen-on port 53 { 10.0.0.1; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { 10.0.0.0/24; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        include "/etc/crypto-policies/back-ends/bind.config";
};

controls { };

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view "internal" {
        match-clients { localhost; 10.0.0.0/24; };
        zone "lajoie.org" IN {
                type master;
                file "lajoie.org.db";
                allow-update { none; };
        };
        zone "0.0.10.in-addr.arpa" IN {
                type master;
                file "0.0.10.db";
                allow-update { none; };
        };
};</pre>
<p>Here is an example zone file. Make sure to update the serial number after each edit, or the bind service will assume no changes took place.</p>
<pre>$ <strong>vi /var/named/lajoie.org.db</strong></pre>
<pre>$TTL 86400
@   IN  SOA     gw.lajoie.org. root.lajoie.org. (
                2018040801 ;Serial
                3600       ;Refresh
                1800       ;Retry
                604800     ;Expire
                86400      ;Minimum TTL
)
    IN  NS      gw.lajoie.org.
    IN  A       10.0.0.1
gw      IN  A   10.0.0.1
ubifi   IN  A   10.0.0.2</pre>
<p>Here is an example reverse zone file; again, update the serial number after each edit or the bind service will assume no changes took place. A reverse zone needs only NS and PTR records.</p>
<pre>$ <strong>vi /var/named/0.0.10.db</strong></pre>
<pre>$TTL 86400
@   IN  SOA     gw.lajoie.org. root.lajoie.org. (
                2018040801 ;Serial
                3600       ;Refresh
                1800       ;Retry
                604800     ;Expire
                86400      ;Minimum TTL
)
    IN  NS      gw.lajoie.org.
    IN  PTR     lajoie.org.
1   IN  PTR     gw.lajoie.org.
2   IN  PTR     ubifi.lajoie.org.</pre>
<p>Now enable and start your DNS server</p>
<pre><strong>systemctl start named
systemctl enable named</strong></pre>
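<p>Two things go wrong with hand-edited zone files: the serial is forgotten, so named serves the old data, and the reverse zone drifts from the forward zone. The script below is an added example, not code from the original article or from bind: next_serial and bump_zone_serial implement the YYYYMMDDnn serial convention used in the files above, and gen_ptrs derives the PTR records for the reverse zone from the A records of the forward zone. The function names are mine, the sample zone it writes is constructed to mirror the lajoie.org.db file above, and it needs only a POSIX shell plus sed.</p>

```shell
# Added example: keep the bind zone files above consistent. POSIX sh + sed.

# Next serial in YYYYMMDDnn form: today's "01" slot, or old+1 when that
# would not be larger than the current serial, so the value always
# increases (caches and secondaries only notice a change when it does).
next_serial() {  # $1 = current serial, $2 = today as YYYYMMDD
  candidate=$(( $2 * 100 + 1 ))
  if [ "$1" -ge "$candidate" ]; then candidate=$(( $1 + 1 )); fi
  echo "$candidate"
}

# Bump the serial in a zone file laid out like the ones above (the serial
# on its own line followed by a ";Serial" comment). Prints the new serial.
bump_zone_serial() {  # $1 = zone file, $2 = today as YYYYMMDD
  old=$(sed -n 's/^[[:space:]]*\([0-9]\{1,10\}\)[[:space:]]*;[[:space:]]*Serial.*/\1/p' "$1" | head -n 1)
  if [ -z "$old" ]; then echo "no serial line in $1" >&2; return 1; fi
  new=$(next_serial "$old" "$2")
  tmp=$(mktemp)
  sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$1" >"$tmp" && mv "$tmp" "$1"
  echo "$new"
}

# Emit the PTR records the reverse zone needs for every "name IN A x.y.z.n"
# record in a forward zone, for hosts inside the given /24 prefix.
gen_ptrs() {  # $1 = forward zone file, $2 = origin (lajoie.org), $3 = /24 prefix (10.0.0)
  while read -r name class type addr rest; do
    [ "$class" = IN ] && [ "$type" = A ] || continue   # skips SOA, NS, the apex A line
    [ "${addr%.*}" = "$3" ] || continue
    echo "${addr##*.} IN PTR $name.$2."
  done <"$1"
}

# Constructed sample forward zone mirroring the article's lajoie.org.db.
write_sample_zone() {  # $1 = path
  cat >"$1" <<'EOF'
$TTL 86400
@   IN  SOA     gw.lajoie.org. root.lajoie.org. (
                2018040801 ;Serial
                3600       ;Refresh
                1800       ;Retry
                604800     ;Expire
                86400      ;Minimum TTL
)
    IN  NS      gw.lajoie.org.
    IN  A       10.0.0.1
gw      IN  A   10.0.0.1
ubifi   IN  A   10.0.0.2
EOF
}

# Usage: bump the sample zone's serial for today and print the PTRs for 10.0.0.0/24.
zone=$(mktemp)
write_sample_zone "$zone"
echo "new serial: $(bump_zone_serial "$zone" "$(date +%Y%m%d)")"
gen_ptrs "$zone" lajoie.org 10.0.0
rm -f "$zone"
```

<p>On the router you would point bump_zone_serial at <em>/var/named/lajoie.org.db</em> after every edit and paste the gen_ptrs output into <em>/var/named/0.0.10.db</em>, then restart named; the serial helper refuses to go backwards even if you edit twice on the same day.</p>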
</section>
<section>
<header>
<h1>Secure SSH</h1>
</header>
<p>The last simple step is to make the SSH service listen only on your LAN segment. Run this command to see what's listening at the moment. Remember we did not allow SSH in the external firewall zone, but this step is still best practice in my opinion.</p>
<pre><strong>ss -lnp4</strong></pre>
<p>Now edit the SSH service to listen only on your LAN address. Note that sshd cannot bind if 10.0.0.1 is not yet configured when it starts; br0 carries a static address so it comes up early, but check <strong>systemctl status sshd</strong> after a reboot.</p>
<pre><strong>vi /etc/ssh/sshd_config</strong></pre>
<pre>AddressFamily inet
ListenAddress 10.0.0.1</pre>
<p>Restart your SSH service for changes to take effect.</p>
<pre><strong>systemctl restart sshd.service</strong></pre>
</section>
<section>
<header>
<h1>Optional WiFi Configuration</h1>
</header>
<p>In this optional section we have the configuration for a wireless AP and a 4G WAN. I used Ubiquiti wireless in my setup, as I needed multiple APs and seamless handover. For WiFi you probably want a WPA2 pre-shared key, the RSN security protocol, and CCMP for the group cipher, as shown below. We also set the AP to run on the 5 GHz band via “802-11-wireless.band a”. With <strong>ipv4.method shared</strong>, NetworkManager hands wireless clients addresses on a separate, NATed subnet rather than placing them on br0.</p>
<pre><strong>dnf install NetworkManager-wifi
nmcli connection add type wifi ifname wlp6s0 con-name ap0 autoconnect yes ssid HOMENET 802-11-wireless.mode ap 802-11-wireless.band a 802-11-wireless-security.proto rsn 802-11-wireless-security.pairwise ccmp 802-11-wireless-security.group ccmp 802-11-wireless-security.psk xxxxxxxxx 802-11-wireless-security.key-mgmt wpa-psk ipv4.method shared</strong></pre>
<h1>Optional 4G Configuration</h1>
<p>Now install WWAN support. If, like me, you have a WWAN USB modem, it needs to be switched to modem mode rather than storage mode.</p>
<pre><strong>dnf install NetworkManager-wwan ModemManager</strong></pre>
</section>
<p>Enable and start ModemManager.</p>
<section>
<pre><strong>systemctl start ModemManager
systemctl enable ModemManager</strong></pre>
<p>Plug your device in and make sure ModemManager and NetworkManager both see the wwan device.</p>
<pre><strong>mmcli -M
nmcli dev</strong></pre>
<div>If you don’t see your device I recommend you go to this <a href="https://fedoraproject.org/wiki/Features/MoreMobileBroadband">link</a> and open a bug report.</div>
<p> Now configure your 3GPP WAN connection and reload to make sure everything auto-starts. </p>
<pre><strong>nmcli connection add type gsm con-name Telekom gsm.apn web.vodafone.de ifname ttyUSB0 </strong></pre>
</section>
<p>Since we have the default zone for our firewall set to external, this wwan interface will be put into the correct zone.</p>
<h1>Thank you</h1>
<p>Thanks and please leave a comment below if you have any ideas, edits or questions.</p>
</div>