Router

  • Ubuntu 24.04
  • Orange Pi 5 Plus
  • ISP router in bridge mode
  • Ethernet from ISP router -> Orange Pi 5 Plus WAN port
  • Ethernet from Orange Pi 5 Plus LAN port to switch
# Base tooling for the router: editor, firewall and brute-force protection,
# monitoring and packet-capture utilities, logging, and unattended updates.
sudo apt install \
  neovim firewalld fail2ban \
  atop htop iftop iptraf-ng sysstat \
  python3-dev nmap tcpdump conntrack \
  rsync rsyslog logwatch unattended-upgrades byobu

Install Tailscale.

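# Fetch the installer to a file first so it can be read before it is executed;
# piping a remote script straight into sh runs code that was never inspected.
curl -fsSL -o tailscale-install.sh https://tailscale.com/install.sh
less tailscale-install.sh   # review the script, then run it:
sh tailscale-install.sh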

Register the router as a Tailnet node.

# Start tailscaled now and at every boot, then join the tailnet.
sudo systemctl enable --now tailscaled
sudo tailscale up
# If the LAN should be reachable over the tailnet, run `tailscale up` with
# --advertise-routes=10.0.2.0/24 as well; the subnet route then needs to be
# approved on the tailnet before it takes effect.

2 Netplan with DHCP WAN

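sudo nvim /etc/netplan/01-netcfg.yaml
# The bridged variants below store the Wi-Fi PSK in this file, and netplan warns
# when its files are readable by other users; keep it root-only.
sudo chmod 600 /etc/netplan/01-netcfg.yaml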
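# /etc/netplan/01-netcfg.yaml: DHCP on the WAN side, static 10.0.2.1/24 on the LAN.
# YAML does not allow tabs for indentation, so this uses two spaces per level;
# renderer: and ethernets: sit at the same level as version:, not under it.
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:   # WAN interface (connected to internet)
      dhcp4: true
      dhcp6: false
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
    eth1:   # LAN interface (connected to local network)
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112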

2.1 Bridged LAN+Wifi AP

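# Bridged LAN: eth1 and wlan0 are ports of br0, and br0 owns 10.0.2.1/24.
# Bridge ports carry no addresses of their own; giving eth1 the same /24 as br0
# would install the address and its connected route twice.
# Indentation is two spaces per level (YAML rejects tabs).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: true
      dhcp6: false
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
    eth1:
      dhcp4: false
      dhcp6: false
  wifis:
    wlan0:
      access-points:
        coffeenet:
          # NOTE(review): without `mode: ap` netplan configures wlan0 as a client
          # that joins "coffeenet" rather than as an access point, and netplan
          # documents `mode: ap` as supported only with the NetworkManager
          # renderer; on networkd the AP is normally run by hostapd instead.
          # Confirm which of the two this setup relies on.
          auth:
            key-management: psk
            password: "password"   # placeholder: use a strong WPA2 passphrase (8-63 chars)
  bridges:
    br0:
      interfaces:
        - eth1
        - wlan0
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112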

3 Netplan with static IP

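# Static public address on the WAN side; replace the two placeholders with the
# values from the ISP. Indentation is two spaces per level (YAML rejects tabs).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: false
      dhcp6: false
      addresses:
        - WAN public IP/prefix   # CIDR form, e.g. 203.0.113.10/24 (constructed example)
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
      routes:
        - to: default
          via: WAN default gateway   # the ISP gateway address, e.g. 203.0.113.1
          metric: 100
    eth1:
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112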

3.1 Bridged LAN+Wifi AP

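# Static WAN address plus a bridged LAN (eth1 + wlan0 as ports of br0).
# The WAN address placeholder needs a prefix length, as in section 3; bridge
# ports carry no addresses of their own, so eth1 keeps only dhcp4/dhcp6: false.
# Indentation is two spaces per level (YAML rejects tabs).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: false
      dhcp6: false
      addresses:
        - WAN public IP/prefix   # CIDR form, e.g. 203.0.113.10/24 (constructed example)
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
      routes:
        - to: default
          via: WAN default gateway
          metric: 100
    eth1:
      dhcp4: false
      dhcp6: false
  wifis:
    wlan0:
      access-points:
        coffeenet:
          # NOTE(review): without `mode: ap` this configures wlan0 as a client
          # of "coffeenet", not as an access point; netplan documents `mode: ap`
          # as supported only with the NetworkManager renderer, so on networkd
          # the AP is normally run by hostapd. Confirm before relying on this.
          auth:
            key-management: psk
            password: "password"   # placeholder: use a strong WPA2 passphrase (8-63 chars)
  bridges:
    br0:
      interfaces:
        - eth1
        - wlan0
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112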

Apply the netplan settings:

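# Check that the YAML parses and renders before touching the live network.
# When working on the router remotely, `sudo netplan try` applies the config
# with an automatic rollback unless it is confirmed, which avoids a lockout.
sudo netplan generate
sudo netplan apply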

4 IP forwarding

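# Enable IPv4 forwarding through a drop-in file: writing it with tee (no -a)
# keeps the step idempotent, whereas appending to /etc/sysctl.conf adds a
# duplicate line every time it is re-run. `sysctl --system` loads sysctl.d
# fragments, which `sysctl -p` alone would not read.
printf 'net.ipv4.ip_forward=1\n' | sudo tee /etc/sysctl.d/99-ip-forward.conf
sudo sysctl --system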

5 Firewalld

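# LAN side. The bridged layouts (2.1 / 3.1) expose the LAN as br0; with the
# unbridged layouts (2 / 3) bind eth1 here instead.
sudo firewall-cmd --permanent --zone=home --add-interface=br0
sudo firewall-cmd --permanent --zone=home --add-service={ssh,dns,http,https,dhcp}
sudo firewall-cmd --permanent --zone=home --add-forward
# WAN side. firewalld's stock external zone allows the ssh service, so binding
# eth0 to it exposes SSH to the internet; drop it so SSH is reachable from the
# LAN (home zone) and, presumably, over Tailscale rather than from the WAN.
sudo firewall-cmd --permanent --zone=external --add-interface=eth0
sudo firewall-cmd --permanent --zone=external --remove-service=ssh
sudo firewall-cmd --permanent --zone=external --add-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=external --add-forward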

Create /etc/firewalld/policies/masquerade.xml to allow traffic to flow from LAN to WAN.

<?xml version="1.0" encoding="utf-8"?>
<!-- LAN -> WAN forwarding policy: traffic entering from the home zone and
     leaving through the external zone is accepted and masqueraded (source-NATed)
     to the WAN address. Takes effect after `firewall-cmd --reload`. -->
<policy target="ACCEPT">
<masquerade/>
<ingress-zone name="home"/>
<egress-zone name="external"/>
</policy>

Reload the firewall configuration:

# Activate the --permanent zone changes and the new policy file in the running firewall.
sudo firewall-cmd --reload