Techne
Apache
Atop
Bash
Btrbk
Btrfs
Caddy
Carpal Tunnel Syndrome
Cgit
Chimera Linux
Debian
DietPi
DRM
Fail2Ban
Fedora Atomic
Firewalld
FreeBSD
GitLab
Grafana
Home Assistant
Hugo
Internet Archive
Kernel
Lemmy
Loki
LVM2
Mastodon
MinIO
Networking
Nextcloud
NFS
Nmap
Orange Pi 5 Plus
Packet Tracer
Parallel
Pixelfed
PostgreSQL
Prometheus
Qcow2
Qemu
RAID
Resident Evil HD
RetroPie
Router
RSS
Systemd
Techne
Torrenting
Void Linux
Windows

Router

  • Ubuntu 24.04
  • Orange Pi 5 Plus
  • ISP router in bridge mode
  • Ethernet from ISP router -> Orange Pi 5 Plus WAN port
  • Ethernet from Orange Pi 5 Plus LAN port to switch

Install packages

sudo apt install neovim firewalld fail2ban atop htop python3-dev nmap tcpdump rsync rsyslog iptraf-ng iftop sysstat conntrack logwatch unattended-upgrades byobu

Install Tailscale.

curl -fsSL https://tailscale.com/install.sh | sh

Register router as Tailnet node.

sudo systemctl enable --now tailscaled.service
sudo tailscale up

Netplan with DHCP WAN

sudo nvim /etc/netplan/01-netcfg.yaml

network:
	version: 2
		renderer: networkd
		ethernets:
			eth0:   # WAN interface (connected to internet)
				dhcp4: true
				dhcp6: false
				nameservers:
					addresses:
						- 9.9.9.9
						- 149.112.112.112
		    eth1:   # LAN interface (connected to local network)
			    dhcp4: false
			    dhcp6: false
			    addresses:
				    - 10.0.2.1/24
				nameservers:
					addresses:
						- 9.9.9.9
						- 149.112.112.112

Bridged LAN+Wifi AP

network:
	version: 2
	renderer: networkd
	ethernets:
		eth0:
			dhcp4: true
			dhcp6: false
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112
		eth1:
			dhcp4: false
			dhcp6: false
			addresses:
				- 10.0.2.1/24
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112
	wifis:
		wlan0:
			access-points:
				coffeenet:
					auth:
						key-management: psk
						password: "password" 
	bridges:
		br0:
			interfaces:
				- eth1
				- wlan0
			addresses:
				- 10.0.2.1/24
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112

Netplan with static IP

network:
	version: 2
	renderer: networkd
	ethernets:
		eth0: # WAN interface (connected to internet)
			addresses:
				- WAN public IP/prefix
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112
			routes:
				- to: default
				  via: WAN default gateway
				  metric: 100
		eth1:
			dhcp4: false
			dhcp6: false
			addresses:
				- 10.0.2.1/24
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112

Bridged LAN+Wifi AP

network:
	version: 2
	renderer: networkd
	ethernets:
		eth0:
			dhcp4: false
			dhcp6: false
			addresses:
				- WAN public IP
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112
			routes:
				- to: default
				  via: WAN default gateway
				  metric: 100
		eth1:
			dhcp4: false
			dhcp6: false
			addresses:
				- 10.0.2.1/24
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112
	wifis:
		wlan0:
			access-points:
				coffeenet:
					auth:
						key-management: psk
						password: "password"
	bridges:
		br0:
			interfaces:
				- eth1
				- wlan0
			addresses:
				- 10.0.2.1/24
			nameservers:
				addresses:
					- 9.9.9.9
					- 149.112.112.112

Apply the netplan settings:

sudo netplan apply

IP forwarding

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Firewalld

sudo firewall-cmd --permanent --zone=home --add-interface=br0
sudo firewall-cmd --permanent --zone=home --add-service={ssh,dns,http,https,dhcp}
sudo firewall-cmd --permanent --zone=home --add-forward
sudo firewall-cmd --permanent --zone=external --add-interface=eth0
sudo firewall-cmd --permanent --zone=external --add-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=external --add-forward

Create /etc/firewalld/policies/masquerade.xml to allow traffic to flow from LAN to WAN.

<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
<masquerade/>
<ingress-zone name="home"/>
<egress-zone name="external"/>
</policy>

Reload the firewall configuration:

sudo firewall-cmd --reload