
| From: Giles Orr via talk <talk@gtalug.org>
| As per my previous post, I just purchased a mini-PC which I intend to
| turn into a router. Is anyone aware of a guide for turning a Debian
| PC into a _home_ router? I'd like to be running probably DNSmasq,
| using a blocklist, stuff like that. I've found webpages that tell me
| how to turn on network forwarding, or maybe configure DNSmasq, but not
| the whole process.

There are lots of guides but it is hard to tell which are current and reliable.

I've been using PCs as my gateway machine for perhaps 25 years. I've been lazy and only changed when forced to (and sometimes slow at that). I've always run some Red Hat distro (RHL, CentOS, Fedora). Here are some things that I hope you might find useful.

- One surprise to me was that Debian out-of-the-box doesn't have a firewall. Eek!

- Normal home setups are NOT complicated. There are, however, a number of services you might want to provide, and each requires a varying amount of design and configuring. On my system (that I remember) (you probably don't want all of these):

    firewall
    DNS for my LAN
    DNS for the world (a hidden master for my zones)
    SMTP for the world
    SMTP, POP3, IMAP for my LAN
    SSH for the world and for LAN (forbid authentication by password!)
    DHCP client for upstream
    DHCP server for LAN

  I don't have an ASN. I don't see any reason or have the ability to run BGP and the like. I don't have multiple LANs or VLANs. People with home-made routers seem to like those things.

- For firewalling, I evolved my own set of rules. Now I'm using firewalld. For most people, I imagine that firewalld is a slightly gentler interface. Underneath it is the regular Linux firewall (nft these days). firewalld is easy to configure and does some of the work for you. The model it provides makes it easier to understand firewalling. Unlike raw filter rules, it is mostly declarative. But its modelling capability is a bit simplistic and might not match your needs. One great thing is that the authors/maintainers are responsive.

- I have two gateways that require PPPoE. That reduces the packet size that can transit the link. Path MTU discovery should handle that but some hosts in the internet just assume that the Path MTU bottleneck is always at the leaf. So: on one gateway, I have to add TCP MSS clamping to the firewall. For some reason I don't have to do that on the other (it might be a built-in feature of Roaring Penguin PPPoE).

I find that half the problem is figuring out how to bypass the ISP's router. The documentation is bad. At least Rogers was simple. Things are more complicated with Bell.

I landed on PPPoE pass-through with my Bell-supplied GigaHub router/modem. Interestingly, that gives my router and the Bell router distinct public IPv4 addresses. I tried "Advanced DMZ", which was simpler (no PPPoE on my router), but that left both routers with the same IP address and I could not figure out how that could safely work (both are doing NAT and hence allocating ports, but without co-ordination). Interesting: Bell's "Fibe" application lets me watch TV with either IP address.

A good thing about the Bell setup is that I could access the internet through the GigaHub directly, bypassing my own router, while my router is still live. Great for debugging.
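The reply above names the pieces a minimal Debian home router needs (a default-deny firewall, LAN-only DNS/DHCP, key-only SSH, NAT towards the PPPoE link, and TCP MSS clamping on that link). The ruleset below is an added illustration of those pieces expressed directly in nftables, the layer the reply says firewalld sits on top of; it is not the poster's configuration and not taken from the thread. The interface names (enp2s0 for the LAN, ppp0 for the PPPoE session), the 192.168.1.0/24 LAN prefix and the set of exposed services are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: minimal Debian home-router ruleset (not the poster's own config).
# Assumed names: LAN on enp2s0, upstream PPPoE session on ppp0, LAN 192.168.1.0/24.
# Forwarding itself is enabled separately: sysctl -w net.ipv4.ip_forward=1

flush ruleset

define LAN_IF  = "enp2s0"
define WAN_IF  = "ppp0"
define LAN_NET = 192.168.1.0/24

table inet filter {
    chain input {
        # Default deny: Debian ships no firewall, so this is the first thing to add.
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP/ICMPv6 must pass or Path MTU discovery cannot work at all.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # LAN-facing services only: dnsmasq (DNS 53, DHCP 67) and SSH.
        iifname $LAN_IF tcp dport { 22, 53 } accept
        iifname $LAN_IF udp dport { 53, 67 } accept

        # SSH from the world. Key-only auth is enforced in sshd_config
        # (PasswordAuthentication no), not by the firewall.
        iifname $WAN_IF tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # PPPoE lowers the link MTU (typically 1492). Clamp the MSS of SYNs
        # leaving via the PPPoE session so peers that ignore PMTU still fit.
        oifname $WAN_IF tcp flags syn tcp option maxseg size set rt mtu

        # LAN may initiate anything towards the upstream; nothing else is forwarded.
        iifname $LAN_IF oifname $WAN_IF accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Masquerade LAN traffic behind whatever address the PPPoE session gets.
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

On Debian this file belongs at /etc/nftables.conf, which nftables.service loads at boot; `nft -c -f /etc/nftables.conf` parses and checks it without loading anything, which is the check to run before enabling the service on a box you reach only over SSH. The `rt mtu` clamp is the nftables equivalent of iptables' `TCPMSS --clamp-mss-to-pmtu` that the reply describes adding on one of its gateways.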