Hacker News

This is a great writeup! Perhaps I can put in a plug for the create_ap script which I have been maintaining for many years (http://github.com/dlenski/create_ap).

It's a shell script that allows you to turn any ol' Linux computer into a WiFi router in one quick command-line:

By default, it will setup your WiFi card as an access point (allows WPA2/3, MAC filtering, etc), setup packet forwarding and routing, and run a DHCP and DNS server. It will generally pick sensible defaults, but it's also highly customizable. If your WiFi card supports simultaneous AP and client mode, it will allow that.

Its requirements are extremely minimal: basically just Linux, a compatible wireless card, and a few common configuration packages (hostapd, iw, iproute2, iptables, dnsmasq). No NetworkManager needed.

I used it as my own home Internet gateway for many years, running on an ancient fanless Atom mini-PC.

Because it can quickly setup and teardown WiFi networks on-the-fly, it's also a valuable tool for setting up test networks when reverse-engineering IoT devices. I use it frequently for this purpose (see https://snowpatch.org/posts/i-can-completely-control-your-sm...).

Lots of "just use X" comments but the article is about showing the bare minimum/how easy the core part of routing actually is.

Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.

If you have ever enabled the wifi hotspot on an android phone also, you've done pretty much what the article describes on your phone.

All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.

This really takes me back. My first actual 'use' for Linux was making routers out of leftover computers.

The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.

Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.

Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.

After that I started piling other services on, like a spam filter, Squid cache, it was amazing to get so much use out of hardware that was going to just get thrown out.

I've got one of those N100+10Gbit router devices with a handful of ports. It seems a pretty reasonable device with one of the router distros running on it, but it doesn't seem nearly as efficient as my ucg-fiber/route10 devices, and that wouldn't bother me except that I suspect the packet latency is significantly higher too. Those devices AFAIK have hardware programmable router chips, which means the forwarding is done 100% without the interaction of the main CPU, so there isn't any interrupt/polling/etc delays when a packet arrives, the header gets rewritten, the checksum verified and off it goes.

Anyone actually measured this? I see a lot of bandwidth/etc style tests but few that can show the actual impact of enabling disabling deep packet inspection and a few of the other metrics that I actually care about. Serve the home seems to have gotten some fancy test HW but they don't seem to be running these kinds of tests yet.

You actually don't even need two interfaces on the box if you have a managed switch. It's not too difficult to configure your only interface as an 802.11q trunk port, and then you can use the managed switch as a sort of "interface expander". This is referred to as a "router on a stick" configuration, and it's how my home network is configured. Plus, if it's a PoE managed switch, you can install some cheap enterprise surplus Aruba IAPs around the house for Wi-Fi which is a lot higher quality than a consumer router or a mesh setup.

My home router was an old Thinkpad for a while, but then I switched over to a slightly newer Dell Optiplex that my work was throwing out. The plus side of that is that the i7 is total overkill for routing so I can also have my "router" run some VMs for network services and cut down on the number of boxen in my homelab rack.

Alpine is a great distro for this.

I’ve been using OpnSense/pfsense [0] for years and would highly recommend it. It has a great automatic update experience, config backups, builtin wireguard tunnels and advanced features like packet filtering options via suricata.

When I am doing network management on my weekends, I’m so glad I’m not stuck in the Linux terminal learning about networking internals and can instead just go to a webui and configure my router.

0: https://opnsense.org/

This seems like it might be a good place to ask: does anyone know of a low-cost, readily-available SBC box with built-in dual Ethernet interfaces?

I've been very interested in some of Radxa's boards in the ~$30-70 range, like the E52C [0] and the E20C [1], but they don't have many distributors and seem to have stocking issues [2].

[0] https://radxa.com/products/network-computer/e52c/

[1] https://radxa.com/products/network-computer/e20c/

[2] https://shop.allnetchina.cn/products/radxa-e52c?variant=5034...

I'm curious about the policy rationale behind banning router imports. If a government were considering legislation like that, what would the primary concern usually be? Given that so much internet traffic is now protected by TLS/SSL and other encryption, why would it still matter if citizens were using routers that might be backdoored?

Is the concern mainly things like botnets and DDoS activity, weak default credentials on network equipment, or compromised business networks where poorly secured routers or attached NAS devices could expose sensitive or proprietary data? In other words, is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?

I recommend replacing hostapd with an enterprise access point plugged directly into an ethernet port on the router. Most support VLAN tagging based on SSID, so you can still set up different subnets and firewall rules for the different SSIDs.

As much as I love hostapd... the performance using commodity hardware has always sucked for me. I can get 150MB/s over wifi with my proprietary AP!

Something I did not see in the article are router specific tuning such as

    net.ipv4.ip_early_demux = 0
    net.ipv4.tcp_early_demux = 0
    net.ipv4.udp_early_demux = 0

in /etc/sysctl.d/10_router.conf to slightly reduce overhead when being used primarily as a router. There are many other router related knobs but those I would always set especially if trying to reduce overhead for VoIP/Gaming setups. There are many other knobs I tune such as gro_flush_timeout and napi_defer_hard_irqs, sch_cake tuning, lowat and output limits and hundreds more but those rabbit holes would require a large write-up. My overall goal is to give family members latency, jitter and throughput numbers that improve their quality of life and gaming scores of course.

Such things do not preclude additional tuning on the client and server sides as well but those are even bigger topics.

“Just use OPNsense” is great advice for production, but terrible advice for learning. This article is valuable precisely because it shows how little magic is actually involved in routing.

> While it may seem appealing, I would highly recommend against installing loads of software right on the router, and instead forward traffic to a device in a DMZ or VLAN.

Why not? I use an old gaming PC as a "router" (machine exposed to the WAN), and run dozens of services on it besides the firewall/NAT (iptables). Among others: email, Web server, multiple game servers, and many internal services (DNS, hostapd, loads of Docker containers).

Hmm I've always had a manually configured low power generic box as router.

But I've never even tried to set up my own access point, I just pay Unifi for that [1]. The software part is doable but I don't want to learn to handle the signal issues.

[1] Switched to Unifi in anger after my first consumer level 5 Ghz wifi needed reboots weekly because it was overheating. Do yourself a favour and get the semi pro stuff, Unifi or others.

Maybe someone in this thread has a couple of ideas:

What’s the simplest way to spin up a simple „cattle, not pet“ routing VM? I don’t want to mess with any state, I just want version controllable config files. Ideally, if applying a version fails, it would automatically roll back to the previous state.

OpenWRT seems like it fits my description most closely, but maybe someone here is a fan of something more flashy/modern.

OpenWrt has a generic x86 PC build that can also be used to turn basically any random PC into a router, complete with an operating system actually designed and developed for that purpose.

There's a famous Polish song "Mój jest ten kawałek podłogi", written in times of Soviet influence, about a man building wall around his home, but later he gets hungry and there's no exit...

Anyone with translate.kagi can find it and translate

I wonder if consumer routers will end up being built in a trivially-not-a-router configuration - something akin to a pull-tab or turn of the screw that closes a circuit, transforming the device from legally something else into a router after it's purchased.

What a dumb timeline.

Pleasant thing about routers that is is so simple to build one after learning basics of networking and pretty much any OS or distro can act as one. There are obvious choices like OPN\PFSENSE, OpenWRT, DD-WRT, FreshTomato, but literally any PC with a single Ethernet port can act as one. My favorite setup was a laptop running Ubuntu and the whole router setup was in a single netplan file + dnsmasq for DHCP.

Edit: And ofc best cheap device imo is OrangePI R1 LTS and a whatever usb wifi dongle. Came in clutch a few times, such a nice little device.

Just ensure the firewall appliance thing you buy has I226 intel chipset not I225

The first two versions of 225 have packet drop issues and it’s unclear to me whether v3 third time lucky fixed it. And getting the stepping info out of aliexpress supplier is hard so 226 is safer

Love the "An ExpressCard-PCIe bridge in the ThinkPad’s expansion bay".

Would you have a picture of the ExpressCard laptop connector?

nftables syntax is pretty tough to read. I wonder why they didn't go for an easier to read DSL. I do understand it's likely super fast to parse though, and has a 1:1 relationship to its struct in the kernel.

Anyone has done mesh WiFi (ideally triband) using off the shelf parts and Linux?

I have an Orbi AX system which works reliably, but now I want to upgrade the radio to WiFi 7 and that means I need to upgrade all the hardware.

Hoping to move to using off the shelf parts so in the future I can just change the radio (ideally bunch of USB sticks).

I understand this is not strictly just the router. I can (and used to have) a router as separate device, but any mesh WiFi right now that I can find need a pricy router that acts as the coordinator, essentially negates the economic benefits.

Can anyone recommend a good, energy-efficient, inexpensive dual-NIC SBC or miniPC? Last time I looked into this there were not many good options.

I am truly sorry. I can't understand the physical networking from the pics or the description... I'm probably just missing something. There is one blue plug going from the laptop to the cisco switch or the pci wifi module? I see a blue plug going to each device. So I'm guessing everything is plugged into the cisco switch?

if you could show all the wiring and label it (according to the table below) i think it would add a lot of value for someone less familiar with these kinds of setups (like me)

Routing is pretty easy for most use cases... firewalling an Internet connection, on the other hand, is just about impossible (thanks TLS 1.3) without pretty serious overhead, 3rd party maintained live subscriptions, TLS interception, and a willingness to say "no" to a lot of the shenanigans that modern programs and devices try to pull.

I recommend the free home version of Sophos for the least painful way to do it. Buy a Palo Alto with a full subscription if you are really serious.

Try it with this! https://www.dewalt.com/en-us/product/dwp611pk/dewalt-1-14-hp...

When I got started, the NSFnet backbone was a bunch of IBM RS/6000 systems with comms cards. There were no routers.[1]

[1] https://www.rcsri.org/collection/nsfnet-t3/

Surely something like OPNsense/PFsense would be better for the average user than setting up all the software manually?

Here I was thinking this article would tell me how to turn my unmanaged switches into routers, but no, "anything" actually means "any fully featured general purpose computer with networking".

Anyone know how necessary UPnP is? From what I can tell, this setup does not run UPnP for automatic port forwarding

I live in the SF Bay Area, and ended up with Sonic Internet, and a 10gbe connection. Routing this with anything off the shelf was going to be "very expensive".

I ended up with an Opnsense box. It's an m920q (i5-8500), with riser card and a dual SFP+ nic in it. All in, it was less than 200 bucks (now it would be closer to three). I ended up with a cheap, Chinese "media converter" (from aliexpress because the same thing on amazon is 3x the price) that just had two SFP+ ports on it. That let me go from an SPF+ copper ethernet module to a DAC and not dump a bunch of heat into the 1L pc.

I have to say that the functionality made it a worth while investment: traffic shaping, wireguard and the like have been mostly a joy. And the documentation for Opnsense made the setup and use (mostly) easy.

I did kind of the opposite, I made my main beefy gaming computer the router, then connected to it a nice wireless AP in bridge mode to serve internet to the rest of the computers. That way I can have a local llm agent manage my network and firewall by simply asking.

Nobody I know makes routers and more importantly WiFi combo AP in the US except for high end corporate stuff - even the US only cable modem stuff from Comcast are Chinese OEM ???.

Some more idiocy from the FCC chair.

We are just scraping the surface here; let's imagine a really easy to use and install bit of router software that includes all kinds of p2p bells and whistles.

The extreme difficulty of setting up networking and routers is (obviously?) a weird endgame result of how companies and safety and capitalism and restriction intersect* and given the relatively insane regulatory ideas we're seeing these days, time for another look at all of this.

*edit, and not, e.g. an inherent property of "networking technology," it does NOT have to be this hard.

Qotom mini PCs are my cheatcode. These little PCs are often available with multiple NICs, and I use one as a wifi bridge/router for my office network. Put Linux or FreeBSD on one and you have a very capable little network-appliance box.

Great writeup. One advantage true routers have e.g. Edgerouter or Mikrotik are dedicated hardware for IP & TCP header processing. Some can offload AES for VPN encryption. This leads to cooler temps, lower power utilization & longer life.

I encourage everyone to run a hardware router. A cheap dedicated wired router can be had for $50. Run PfSense or the vendor firmware . It’s very rewarding. Also a long term investment since routers tend to last for many years while wifi standards are revised every year or so .

A fun project that results in a unique and stylish router is repurposing a Mac Pro Trashcan. They can be picked up for a few hundred dollars, offer dual 1GbE Intel NICs that work natively on Linux, and have plenty of CPU and RAM overhead. Throw OPNsense on there and you’re off to the races.

> sudo systemctl enable [email protected]

:-)

Let me guess, ".*@.*\..*"?

if fancy a bit more of capability, dockerized opnsense and just play right with your vlans. One cable is enough into your switch...did I said managed... and your opn/telco eth exit.

I think the NanoPi range (https://www.friendlyelec.com/index.php?route=product/categor...) has great hardware for making your own router. They support various flavours of Linux, including OpenWRT (or at least their branded version called FriendlyWRT). I like the NanoPi M5 model as it supports using a NVMe so it can happily run some Docker containers on it. The case is really well made and uses passive cooling, so it's ideal for a router.

Im running a Beelink EQ15 + OpnSense to do something very similar.

Does routing on Linux have any hardware acceleration for IP packets?

It becomes harder if you try to do it with 10 Gbps. Most CPUs struggle with it without dedicated accelerator chips.

you might as well just use vyos.

A router only really needs one network interface.

Any computer with a single network interface, maybe even an (old) laptop, can be used. Anything x86 from at least the last 10 years is energy efficient and fast enough to route at gigabit speed. If you don't care about energy usage, any x86-based computer from the last 20 years is fast enough.

The magic trick is to use VLANs, which require switches that support VLANs, which can be had for cheap. VLANS also allows you to create separate isolated networks for IoT or other 'less secure' or untrusted devices.

I’ve always made my own routers by using low-power devices running Linux (Debian) with IPtables and now NFtables.

No special router OS or software required.

Highly recommend.

P.S. that single network interface is very likely never a bottleneck because network interfaces are full-duplex. Only when your router is also your file server (not recommended), internet traffic and file server traffic could start to compete with each other.

I'm currently running a Debian lite weight server on an old ml100 (onlogic) nuc. It's an old i3, with 16gb ram and no fan. But I have another. Anyone recommend a solid router setup on one of these ancient artifacts? Presently using openwrt on a proper router, though if the nuc is capable, I'd dedicate it thusly.

Seeing an old T60 with an ExpressCard-PCIe bridge used as a router is a great look. It's a solid reminder that even a "trash-picked" 18-year-old machine has way more CPU than you actually need for a home gigabit line. The mention of the serial console (ttyS0) is the real pro-tip in this guide. If you're running a headless box in a closet, a serial getty is a lifesaver for the moment you inevitably misconfigure a firewall rule and lock yourself out of SSH. Sticking to a minimal Debian base with nftables is often much cleaner than using OPNsense/pfSense; there's no GUI abstraction layer hiding what's actually happening to your packets.

I'm curious - for power consumption, considering that you can get RaspPi products for so cheaply, is a discarded laptop more or less impactful on your electrical bill than a RaspPi?

Like is the "free" laptop going to cost you more in the long-run then a nice little power-sipping ARM like a Pi5? Or do you need those extra operations-per-second that the more power-hungry x86 CPU gets you?

This will certainly work, but the whole mesh networking and more advanced aspects of a real wifi router won't really be present.

I get by without it, but I can imagine some won't be able to.

is this the new age .. how to run doom on it?

tl;dr:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[dead]

> you can make a router out of basically anything resembling a computer.

So if anything can be turned into a router will importing anything be banned as well?