2024-03-24
Recently, I bought a cheap industrial mini-PC with an Intel Celeron processor. This host has two network cards, making it very suitable for use as a router. Since my router is old and doesn’t support IPv6, I decided to use this machine to replace the original router. The original wireless router will be used only as an Access Point. Normally, a dedicated router OS like OpenWRT should be chosen for a router, but I still want this machine to handle many server functions simultaneously. Debian feels more comfortable to use, but the trade-off is the lack of a user-friendly one-stop web configuration interface, requiring manual operation.
So, here I will record how to configure a usable server using Debian.
This host has two network cards, named enp2s0 and enp4s0 in the operating system. Theoretically, with VLANs, a single network port can serve as a router. However, in my experience, configuring a router-on-a-stick based on VLANs is troublesome. Adhering to the principle of “keep it simple,” I suggest using two network cards here. If the motherboard only has one network card, you can purchase a USB 3.0 network card to achieve the same effect.
Here, I use enp2s0 as the WAN port, with the network segment assigned by the ISP. enp4s0 is the LAN port; the IPv4 subnet is 192.168.31.0/24, and the router’s IP address is 192.168.31.63; the IPv6 subnet is fc61:5887:1acd:4260::/64, and the router’s own IPv6 address is fc61:5887:1acd:4260::1.
The IPv4 subnet can be chosen arbitrarily from 192.168.*.* as long as there are no conflicts. IPv6 private subnets start with fc, so as long as it starts with fc, the rest can be filled in arbitrarily. I used a randomly generated 64-bit segment here. If you want to use fc11:4514:1919:8100::/64, that is also fine.
Debian now uses the networking service to configure the network. For the WAN port, edit /etc/network/interfaces and add:
allow-hotplug enp2s0
iface enp2s0 inet dhcp
iface enp2s0 inet6 dhcp
Then run:
sudo systemctl restart networking
Similarly, for the LAN port, edit /etc/network/interfaces and add:
allow-hotplug enp4s0
iface enp4s0 inet static
    address 192.168.31.63/24
iface enp4s0 inet6 static
    address fc61:5887:1acd:4260::1/64
Then run:
sudo systemctl restart networking
Edit /etc/sysctl.conf and add:
net.ipv4.ip_forward = 1
net.ipv6.conf.enp2s0.accept_ra = 2
net.ipv6.conf.all.forwarding=1
Then make the configuration take effect immediately:
sudo sysctl -p
However, after this takes effect, the default routing rule disappears for some reason. I don’t know what the issue is, so I chose to add the routing rule manually:
sudo ip -6 route add \
    default via fe80::1 \
    dev enp2s0 \
    proto ra \
    metric 1024 \
    hoplimit 255 \
    pref medium
Routing rules may differ in different network environments. You can check what the current routing rules are with the following command before enabling IPv6 forwarding:
sudo ip -6 route | grep default
Additionally, this route command needs to be added to the startup script, since a route added with ip does not persist across reboots.
Configuration of Linux firewalls has entered the nftables era, but I haven’t learned nftables much yet, so I chose the iptables compatibility layer.
IPv4 NAT configuration:
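IPT=/usr/sbin/iptables
SUB_NET=192.168.31.0/24
WAN_FACE=enp2s0
LAN_FACE=enp4s0
# Source-NAT LAN traffic leaving through the WAN port
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $WAN_FACE -j MASQUERADE
# Accept everything from the LAN addressed to the router itself
$IPT -I INPUT -i $LAN_FACE -j ACCEPT
# Forward all traffic between WAN and LAN, in both directions
$IPT -I FORWARD -i $WAN_FACE -o $LAN_FACE -j ACCEPT
$IPT -I FORWARD -i $LAN_FACE -o $WAN_FACE -j ACCEPT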
IPv6 NAT configuration:
IPT=/usr/sbin/ip6tables
SUB_NET=fc61:5887:1acd:4260::/64
WAN_FACE=enp2s0
# Masquerade only traffic from the LAN prefix, as in the IPv4 script
$IPT -t nat -A POSTROUTING -s $SUB_NET -o $WAN_FACE -j MASQUERADE
These are two bash scripts, which also need to be added to the startup script.
Theoretically, IPv6 requires absolutely no NAT. However, because I can’t quite figure out my ISP’s IPv6 address allocation rules, I chose to settle for the next best thing and opted for a safe NAT configuration.
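The IPv4 script above accepts every packet forwarded from the WAN port to the LAN, and the IPv6 script adds no FORWARD rules at all, so filtering is left to the chain's default policy. The following added example (not the author's script) shows the same routing and NAT with stateful forwarding instead. It covers only the FORWARD chain and NAT; the DRY_RUN switch and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the author's script: stateful FORWARD filtering for this router.
# Interfaces, subnets and binary paths are the page's; DRY_RUN, run(),
# forward_rules() and apply_router_firewall() are names made up for this example.
WAN_FACE=enp2s0
LAN_FACE=enp4s0
SUB_NET4=192.168.31.0/24
SUB_NET6=fc61:5887:1acd:4260::/64
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them (needs root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# $1 = iptables or ip6tables binary, $2 = LAN subnet of that address family.
# Meant to run once at boot; rules are appended, so re-running duplicates them.
forward_rules() {
    ipt=$1
    subnet=$2
    # Default-deny: anything not matched below is not routed.
    run "$ipt" -P FORWARD DROP
    # WAN -> LAN: only replies to (or errors about) connections the LAN opened.
    run "$ipt" -A FORWARD -i "$WAN_FACE" -o "$LAN_FACE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> WAN: new connections, but only from addresses inside the LAN subnet.
    run "$ipt" -A FORWARD -i "$LAN_FACE" -o "$WAN_FACE" -s "$subnet" -j ACCEPT
    # Same source NAT as on the page, restricted to the LAN subnet.
    run "$ipt" -t nat -A POSTROUTING -s "$subnet" -o "$WAN_FACE" -j MASQUERADE
}

apply_router_firewall() {
    forward_rules /usr/sbin/iptables "$SUB_NET4"
    forward_rules /usr/sbin/ip6tables "$SUB_NET6"
}

apply_router_firewall
```

Run it with DRY_RUN=0 as root to apply the rules. The DROP policy on FORWARD also affects any other forwarding the host does, such as containers or VPNs, which then need their own ACCEPT rules.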
Debian 12 provides a DHCP server, isc-dhcp-server:
sudo apt install isc-dhcp-server
First, modify /etc/default/isc-dhcp-server. Here we only need IPv4:
INTERFACESv4="enp4s0"
INTERFACESv6=""
Then edit /etc/dhcp/dhcpd.conf:
option domain-name-servers 223.5.5.5;
subnet 192.168.31.0 netmask 255.255.255.0 {
    range 192.168.31.100 192.168.31.200;
    option routers 192.168.31.63;
}
The DNS server selected here is Alibaba Cloud’s server, mainly for use in China. If you are abroad, you can simply choose 8.8.8.8 or 1.1.1.1.
For IPv6, DHCP is not needed; you can directly use IPv6 stateless autoconfiguration [*].
First, install radvd:
sudo apt install radvd
Then create the configuration /etc/radvd.conf:
interface enp4s0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix fc61:5887:1acd:4260::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
Finally, restart the DHCP server and radvd:
sudo systemctl restart isc-dhcp-server
sudo systemctl restart radvd
If these two servers operate normally, the soft router can be declared complete.
Mistivia - https://mistivia.com