title: Router
# Base tooling for the router host: editor/shell, firewall and brute-force
# protection, auto-patching, host monitoring, packet capture, sync and logging.
sudo apt install \
  neovim byobu \
  firewalld fail2ban unattended-upgrades \
  atop htop sysstat iptraf-ng iftop \
  nmap tcpdump conntrack \
  rsync rsyslog logwatch \
  python3-dev
Install Tailscale.
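# Do not pipe a remote script straight into sh: a transient download error or a
# swapped script runs with no chance to inspect it. Fetch to a file (mktemp, not a
# predictable /tmp name), read it, then run it. Using the distro's Tailscale apt
# repository instead is the more auditable long-term option.
ts_install=$(mktemp) || exit 1
curl -fsSL https://tailscale.com/install.sh -o "$ts_install" || exit 1
less "$ts_install"          # review before executing
sh "$ts_install"
rm -f -- "$ts_install"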
Register the router as a node on your tailnet; `tailscale up` will prompt you to authenticate it on first run.
# Start the Tailscale daemon now and on every boot (systemctl assumes .service).
sudo systemctl enable --now tailscaled
# Join the tailnet; on first run this prompts for authentication of the node.
sudo tailscale up
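# The netplan file may contain the Wi-Fi PSK in clear text, so create it
# root-only before editing (recent netplan also warns on looser modes).
# NOTE(review): if /etc/netplan already holds another file for eth0 (e.g. a
# cloud-init generated one), it will be merged with this one - check for
# conflicts before applying.
sudo touch /etc/netplan/01-netcfg.yaml
sudo chmod 600 /etc/netplan/01-netcfg.yaml
sudo nvim /etc/netplan/01-netcfg.yaml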
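# Variant 1: WAN address via DHCP, wired LAN only (no Wi-Fi, no bridge).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: true
      dhcp6: false
      # Ignore the resolvers handed out by the ISP's DHCP so only the servers
      # listed below (Quad9) are used; without this networkd uses both sets.
      dhcp4-overrides:
        use-dns: false
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
    eth1: # LAN interface (connected to local network)
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.0.2.1/24
      # Resolver config for the router host itself.
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112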
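# Variant 2: WAN address via DHCP, LAN = eth1 and wlan0 bridged as br0.
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: true
      dhcp6: false
      # Use only the Quad9 resolvers below, not the ISP's DHCP-supplied ones.
      dhcp4-overrides:
        use-dns: false
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
    eth1: # LAN, bridge member. No address here: br0 carries 10.0.2.1/24,
      #   giving the same address to both interfaces is a conflict.
      dhcp4: false
      dhcp6: false
  wifis:
    wlan0: # LAN, bridge member
      access-points:
        coffeenet:
          # NOTE(review): netplan's default mode is infrastructure (client), so
          # as written wlan0 joins a network called "coffeenet". If this router
          # is meant to serve the Wi-Fi network itself, add `mode: ap` here -
          # confirm intent.
          auth:
            key-management: psk
            # Placeholder only - replace with a strong passphrase. The PSK is
            # stored in clear text, so keep this file root-only (chmod 600).
            password: "password"
  bridges:
    br0:
      interfaces:
        - eth1
        - wlan0
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112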
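# Variant 3: static WAN address, wired LAN only (no Wi-Fi, no bridge).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      # Explicitly off so the static address below is the only one (matches
      # the static variant with Wi-Fi).
      dhcp4: false
      dhcp6: false
      addresses:
        - WAN public IP/prefix # placeholder: include the prefix length
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
      routes:
        - to: default
          via: WAN default gateway # placeholder: the ISP-provided gateway
          metric: 100
    eth1: # LAN interface (connected to local network)
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112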
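# Variant 4: static WAN address, LAN = eth1 and wlan0 bridged as br0.
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: false
      dhcp6: false
      addresses:
        # Placeholder: the prefix length is required, e.g. "a.b.c.d/24"
        # (the wired-only static variant already spells this out).
        - WAN public IP/prefix
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
      routes:
        - to: default
          via: WAN default gateway # placeholder: the ISP-provided gateway
          metric: 100
    eth1: # LAN, bridge member. No address here: br0 carries 10.0.2.1/24,
      #   giving the same address to both interfaces is a conflict.
      dhcp4: false
      dhcp6: false
  wifis:
    wlan0: # LAN, bridge member
      access-points:
        coffeenet:
          # NOTE(review): netplan's default mode is infrastructure (client), so
          # as written wlan0 joins a network called "coffeenet". If this router
          # is meant to serve the Wi-Fi network itself, add `mode: ap` here -
          # confirm intent.
          auth:
            key-management: psk
            # Placeholder only - replace with a strong passphrase. The PSK is
            # stored in clear text, so keep this file root-only (chmod 600).
            password: "password"
  bridges:
    br0:
      interfaces:
        - eth1
        - wlan0
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112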
Apply the netplan settings (if you are working over SSH, run `sudo netplan try` first: it rolls the change back automatically unless you confirm it, so a mistake cannot lock you out):
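# Apply the new network configuration.
sudo netplan apply

# Turn on IPv4 forwarding through a drop-in so re-running this section is
# idempotent (appending to /etc/sysctl.conf with `tee -a` adds a duplicate
# line on every run).
printf 'net.ipv4.ip_forward=1\n' | sudo tee /etc/sysctl.d/99-router.conf
sudo sysctl --system

# LAN side. br0 only exists in the bridged netplan variants - use eth1 if you
# chose a wired-only config. dns and dhcp are opened here, but nothing in this
# section installs a DNS or DHCP server: drop them if the router will not
# serve those itself (every open service is attack surface on the LAN).
sudo firewall-cmd --permanent --zone=home --add-interface=br0
sudo firewall-cmd --permanent --zone=home --add-service={ssh,dns,http,https,dhcp}
sudo firewall-cmd --permanent --zone=home --add-forward

# WAN side: nothing inbound except DHCPv6 client replies. That service is only
# useful if dhcp6 is enabled on eth0 - the netplan examples set dhcp6: false,
# so it can be omitted there.
sudo firewall-cmd --permanent --zone=external --add-interface=eth0
sudo firewall-cmd --permanent --zone=external --add-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=external --add-forward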
Create /etc/firewalld/policies/masquerade.xml so that traffic entering from the LAN (`home` zone) is forwarded out the WAN (`external` zone) and source-NATed behind the router's public address (firewalld names the policy after the file).
<?xml version="1.0" encoding="utf-8"?>
<!-- Policy "masquerade" (firewalld takes the name from the file name).
     Accepts everything that enters from the LAN (home) and leaves via the WAN
     (external), rewriting the source to eth0's address. firewalld masquerade
     covers IPv4 only; return traffic is admitted as part of established flows. -->
<policy target="ACCEPT">
<masquerade/>
<ingress-zone name="home"/>
<egress-zone name="external"/>
</policy>
Reload the firewall configuration:
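# Activate the --permanent changes, then confirm they actually landed: the
# LAN and WAN interfaces should appear in their intended zones and the
# masquerade policy should be listed.
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --info-policy masquerade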