Difference between revisions of "Router"

From ArchWiki
Jump to: navigation, search
(update interlanguage links)
(Tag: wiki-scripts)
 
(85 intermediate revisions by 19 users not shown)
Line 1: Line 1:
[[Category:Networking]]
+
[[Category:Network sharing]]
 
[[Category:Security]]
 
[[Category:Security]]
 +
[[ja:ルーター]]
 +
[[zh-cn:Router]]
 +
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}
 +
 
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.
 
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.
  
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].
+
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].
  
 
==Hardware Requirements==
 
==Hardware Requirements==
Line 13: Line 17:
 
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.
 
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.
  
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.
+
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.
+
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.
 
+
==Installation==
+
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}
+
 
+
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.
+
 
+
===Partitioning===
+
 
+
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.
+
 
+
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where  databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.
+
 
+
===Post-Installation===
+
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].
+
  
 
==Network interface configuration==
 
==Network interface configuration==
  
===Persistent naming===
+
===Persistent naming and Interface renaming===
When you let [[udev]] handle loading the modules, you will notice your NIC's switch names: one boot your LAN NIC is eth0, the other boot it is eth1, etc.
+
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interface to user friendlier names read [[Network configuration#Device names]].
 
+
To fix this problem, read [[Udev#Setting_static_device_names]].
+
  
 
===IP configuration===
 
===IP configuration===
Now you will need to configure the network interfaces. The best way to do so is using [[netcfg]] profiles, instead of the regular [[network]] daemon. You will need to create two profiles.
+
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.
 
+
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}
* /etc/network.d/extern0-profile
+
* {{ic|/etc/netctl/extern0-profile}}
  CONNECTION='ethernet'
+
  Description='Public Interface.'
DESCRIPTION='Public Interface.'
+
  Interface=extern0
  INTERFACE='extern0'
+
Connection=ethernet
 
  IP='dhcp'
 
  IP='dhcp'
  
* /etc/network.d/intern0-profile
+
* {{ic|/etc/netctl/intern0-profile}}
  CONNECTION='ethernet'
+
  Description='Private Interface'
  DESCRIPTION='Private Interface.'
+
  Interface=intern0
  INTERFACE='intern0'
+
  Connection=ethernet
 
  IP='static'
 
  IP='static'
  ADDR='10.0.0.1'
+
  Address=('10.0.0.1/24')
NETMASK='255.255.255.0'
+
BROADCAST='10.0.0.255'
+
  
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}
+
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}
  
Next up is to set up the interfaces.
+
Next up is to set up the interfaces with netctl.
 +
# netctl enable extern0-profile
 +
# netctl enable intern0-profile
  
* Define the profiles in {{ic|/etc/conf.d/netcfg}}:
+
==ADSL connection/PPPoE==
NETWORKS=(extern0-profile intern0-profile)
+
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too. [[Install]] the {{pkg|rp-pppoe}} package.
  
* Replace the {{ic|network}} daemon with {{ic|net-profiles}} in {{ic|/etc/[[rc.conf]]}}:
+
It should be noted that if you use only PPPoE to connect to the internet (ie. you do not have other WAN port, except for the one that connects to your modem) you do not need to set up the {{ic|extern0-profile}} as the external pseudo-interface will be ppp0.
DAEMONS=( ... net-profiles ... )
+
  
* If using [[systemd]], net-profiles.service is a symlink to netcfg.service.  So you may do:
+
===PPPoE configuration===
# systemctl enable net-profiles.service
+
You can use netctl to setup the pppoe connection. To get started
or if that fails:
+
  # cp /etc/netctl/examples/pppoe /etc/netctl/
# systemctl enable netcfg.service
+
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the pppoe section in netctl.profile man page for more information on the fields.
 
+
==ADSL connection==
+
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.
+
  # pacman -S rp-pppoe
+
 
+
===Configuration: rp-pppoe===
+
/usr/sbin/pppoe-setup
+
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.
+
  
 
==DNS and DHCP==
 
==DNS and DHCP==
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.
+
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. [[Install]] it with the {{Pkg|dnsmasq}} package.
 
+
First, install '''dnsmasq''':
+
# pacman -S dnsmasq
+
 
+
Now, dnsmasq needs to be configured. To do this:
+
  
Edit /etc/dnsmasq.conf and add the following lines
+
Dnsmasq needs to be configured to be a DHCP server. To do this, edit {{ic|/etc/dnsmasq.conf}}:
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
+
{{bc|<nowiki>
expand-hosts      # add a domain to simple hostnames in /etc/hosts
+
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
domain=foo.bar    # allow fully qualified domain names for DHCP hosts (needed when
+
expand-hosts      # add a domain to simple hostnames in /etc/hosts
                  # "expand-hosts" is used)
+
domain=foo.bar    # allow fully qualified domain names for DHCP hosts (needed when
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN:  
+
                  # "expand-hosts" is used)
                  # from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a
+
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN:  
                  # DHCP lease of 1 hour (change to your own preferences)
+
                  # from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a
 +
                  # DHCP lease of 1 hour (change to your own preferences)
 +
</nowiki>}}
  
 
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.
 
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.
  
Now start dnsmasq:
+
Now [[start]] {{ic|dnsmasq.service}}.
# /etc/rc.d/dnsmasq start
+
and add the daemon to the DAEMONS list in /etc/rc.conf.
+
  
 
==Connection sharing==
 
==Connection sharing==
  
 
Time to tie the two network interfaces to each other.
 
Time to tie the two network interfaces to each other.
===iptables===
 
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.
 
  
===Shorewall===
+
This can be done with Shorewall. See [[Shorewall]] for detailed configuration.
Shorewall, an iptables frontend, can be used as an easier alternative.
+
  
# pacman -S shorewall
+
==IPv6 tips==
  
====Shorewall configuration====
+
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}
  
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.
+
Useful reading: [[IPv6]] and the [[wikipedia:IPv6]].
SUBSYSLOCK=/var/lock/shorewall
+
IP_FORWARDING=On : it is a gateway, remember! ;)
+
STARTUP_ENABLED=Yes # when you are done editing
+
  
After installing shorewall, run
+
=== Unique Local Addresses ===
$ pacman -Ql shorewall | grep Sample
+
to see where the sample files are. cd into the directory "two-interfaces" and copy the contents to the /etc/shorewall/ directory.
+
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.
+
  
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 in if you are using PPPoE where appropriate''' in your config files as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:
+
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6 all interfaces should have been assigned a unique {{ic|fe80::/10}} address.
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server
+
* /etc/shorewall/rules : add
+
ACCEPT        loc        $FW        TCP      2367
+
but change 2367 into whatever port you have your SSH server listening on.
+
  
Finally, run
+
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [[wikipedia:Unique_local_address|Unique Local Addresses]]. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. Firstly we must assign a static IPv6 on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line
# /etc/rc.d/shorewall start
+
  
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.
+
  IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')
  
=====Port forwarding (DNAT)=====
+
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.
+
DNAT        net        loc:10.0.0.85:80        tcp        5000
+
  
==Cleanup==
+
=== Global Unicast Addresses ===
  
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.
+
If your ISP or WAN network can access the IPv6 Internet you can additionally assign global link addresses to your router and propagate them through SLAAC to your internal network. The global unicast prefix is usually either ''static'' or provided through ''prefix delegation''.
  
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):
+
==== Static IPv6 prefix ====
  
$ pacman -Qm
+
If your ISP has provided you with a static prefix then edit {{ic|/etc/netctl/extern0-profile}} and simply add the IPv6 and the IPv6 prefix (usually /64) you have been provided
  
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.
+
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')
  
$ pacman -Qet
+
You can use this in addition to the ULA address described above.
  
Completely remove the packages you do not need along with their configuration files and dependencies:
+
====Acquiring IPv6 prefix via DHCPv6-PD====
  
# pacman -Rsn package1 package2 package3
+
If your ISP handles IPv6 via prefix delegation then you can follow the instructions in the [[IPv6#Prefix_delegation_.28DHCPv6-PD.29|main IPv6 article]] on how to properly configure your router. Following the conventions of this article the WAN interface is {{ic|extern0}} (or {{ic|ppp0}} if you are connecting through PPPoE) and the LAN interface is {{ic|intern0}}.
  
== Logrotate ==
+
=== Router Advertisement and Stateless Autoconfiguration (SLAAC) ===
  
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.
+
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. Follow the details of the [[IPv6#For_gateways|main IPv6 article]] on how to setup {{ic|radvd}}. Following the convention of this guide the LAN facing interfaces is {{ic|intern0}}. You can either advertise all prefixes or choose which prefixes will be assigned to the local network.
 
+
Logrotate is installed by default, so you will not have to install it.
+
  
 
==Optional additions==
 
==Optional additions==
  
 
===UPnP===
 
===UPnP===
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.
+
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.
 +
 
 +
To enable UPnP on your router, you need to install an UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].
  
 
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information
 
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information
Line 170: Line 128:
 
===Remote administration===
 
===Remote administration===
  
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).
+
[[OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).
  
 
=== Caching web proxy ===
 
=== Caching web proxy ===
Line 177: Line 135:
  
 
=== Time server ===
 
=== Time server ===
To use the router as a time server, see [[Network Time Protocol]].
+
To use the router as a time server, see [[Network Time Protocol daemon]].
  
 
Then, configure shorewall or iptables to allow NTP traffic in and out.
 
Then, configure shorewall or iptables to allow NTP traffic in and out.
Line 183: Line 141:
 
=== Content filtering ===
 
=== Content filtering ===
  
Install and configure [[DansGuardian]] if you need a content filtering solution.
+
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.
  
 
=== Traffic shaping ===
 
=== Traffic shaping ===
Line 190: Line 148:
  
 
==== Traffic shaping with shorewall ====
 
==== Traffic shaping with shorewall ====
 
+
See [[Shorewall#Traffic shaping]]
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.
+
 
+
Here is my config as an example:
+
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got a ADSL connection with a 4MBit down/256KBit up profile.
+
ppp0        4mbit        256kbit
+
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.
+
# interactive traffic (ssh)
+
ppp0            1      full    full    0
+
# online gaming
+
ppp0            2      full/2  full    5
+
# http
+
ppp0            3      full/4  full    10
+
# rest
+
ppp0            4      full/6  full    15              default
+
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.
+
1      0.0.0.0/0      0.0.0.0/0      tcp    ssh
+
2      0.0.0.0/0      0.0.0.0/0      udp    27000:28000
+
3      0.0.0.0/0      0.0.0.0/0      tcp    http
+
3      0.0.0.0/0      0.0.0.0/0      tcp    https
+
I have split it up my traffic in 4 groups:
+
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This get the highest priority.
+
# online gaming: needless to say you ca not play when your ping sucks. ;)
+
# webtraffic: can be a bit slower
+
# everything else: every sort of download, they are the cause of the lag anyway.
+
 
+
===Intrusion detection and prevention with snort===
+
 
+
See [[Snort]].
+
  
 
==See also==
 
==See also==
 
*[[Simple stateful firewall]]
 
*[[Simple stateful firewall]]
*[[Internet Share]]
+
*[[Internet sharing]]

Latest revision as of 19:59, 21 July 2016

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: The introduction states that this page "focuses on security", but 99% is plain system configuration. It also needs massive deduplication, security is already covered elsewhere. (Discuss in Talk:Router#)

This article is a tutorial for turning a computer into an internet gateway/router. It focuses on security, since the gateway is connected directly to the Internet. It should not run any services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.

This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see Internet sharing.

Hardware Requirements

  • At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.
  • At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.
  • A hub, switch or UTP cable: You need a way to connect the other computers to the gateway

Conventions

Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.

  • intern0: the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.
  • extern0: the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.

Network interface configuration

Persistent naming and Interface renaming

Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interface to user friendlier names read Network configuration#Device names.

IP configuration

Now you will need to configure the network interfaces. The best way to do so is using netctl profiles. You will need to create two profiles.

Note: If you will be connecting to the Internet only via PPPoE (you have one WAN port) you do not need to setup or enable the extern0-profile. See below for more information on configuring PPPoE.
  • /etc/netctl/extern0-profile
Description='Public Interface.'
Interface=extern0
Connection=ethernet
IP='dhcp'
  • /etc/netctl/intern0-profile
Description='Private Interface'
Interface=intern0
Connection=ethernet
IP='static'
Address=('10.0.0.1/24')
Note: The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.

Next up is to set up the interfaces with netctl.

# netctl enable extern0-profile
# netctl enable intern0-profile

ADSL connection/PPPoE

Using rp-pppoe, we can connect an ADSL modem to the extern0 interface of the firewall and have Arch manage the connection. Make sure you put the modem in bridged mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too. Install the rp-pppoe package.

It should be noted that if you use only PPPoE to connect to the internet (ie. you do not have other WAN port, except for the one that connects to your modem) you do not need to set up the extern0-profile as the external pseudo-interface will be ppp0.

PPPoE configuration

You can use netctl to setup the pppoe connection. To get started

# cp /etc/netctl/examples/pppoe /etc/netctl/

and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be extern0. Fill in the rest of the fields with your ISP information. See the pppoe section in netctl.profile man page for more information on the fields.

DNS and DHCP

We will use dnsmasq, a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. Install it with the dnsmasq package.

Dnsmasq needs to be configured to be a DHCP server. To do this, edit /etc/dnsmasq.conf:

interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
expand-hosts      # add a domain to simple hostnames in /etc/hosts
domain=foo.bar    # allow fully qualified domain names for DHCP hosts (needed when
                  # "expand-hosts" is used)
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: 
                  # from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a
                  # DHCP lease of 1 hour (change to your own preferences)

Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.

Now start dnsmasq.service.

Connection sharing

Time to tie the two network interfaces to each other.

This can be done with Shorewall. See Shorewall for detailed configuration.

IPv6 tips

Merge-arrows-2.pngThis article or section is a candidate for merging with IPv6.Merge-arrows-2.png

Notes: Merge into the main article, the topic is not specific to router configuration. The wording should be probably changed along the way. (Discuss in Talk:Router#)

Useful reading: IPv6 and the wikipedia:IPv6.

Unique Local Addresses

You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6 all interfaces should have been assigned a unique fe80::/10 address.

For internal networking the block fc00::/7 has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the fc00::/7 block are called Unique Local Addresses. To get started generate a ULA /64 block to use in your network. For this example we will use fd00:aaaa:bbbb:cccc::/64. Firstly we must assign a static IPv6 on the internal interface. Modify the intern0-profile we created above to include the following line

 IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')

This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.

Global Unicast Addresses

If your ISP or WAN network can access the IPv6 Internet you can additionally assign global link addresses to your router and propagate them through SLAAC to your internal network. The global unicast prefix is usually either static or provided through prefix delegation.

Static IPv6 prefix

If your ISP has provided you with a static prefix then edit /etc/netctl/extern0-profile and simply add the IPv6 and the IPv6 prefix (usually /64) you have been provided

IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')

You can use this in addition to the ULA address described above.

Acquiring IPv6 prefix via DHCPv6-PD

If your ISP handles IPv6 via prefix delegation then you can follow the instructions in the main IPv6 article on how to properly configure your router. Following the conventions of this article the WAN interface is extern0 (or ppp0 if you are connecting through PPPoE) and the LAN interface is intern0.

Router Advertisement and Stateless Autoconfiguration (SLAAC)

To properly hand out IPv6s to the network clients we will need to use an advertising daemon. Follow the details of the main IPv6 article on how to setup radvd. Following the convention of this guide the LAN facing interfaces is intern0. You can either advertise all prefixes or choose which prefixes will be assigned to the local network.

Optional additions

UPnP

The above configuration of shorewall does not include UPnP support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.

To enable UPnP on your router, you need to install an UPnP Internet gateway daemon (IGD). To get it, install miniupnpd from the official repositories.

Read the Shorewall guide on UPnP for more information

Remote administration

OpenSSH can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).

Caching web proxy

See Squid or Polipo for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.

Time server

To use the router as a time server, see Network Time Protocol daemon.

Then, configure shorewall or iptables to allow NTP traffic in and out.

Content filtering

Install and configure DansGuardian or Privoxy if you need a content filtering solution.

Traffic shaping

Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.

Traffic shaping with shorewall

See Shorewall#Traffic shaping

See also