
As per my previous post, I just purchased a mini-PC which I intend to turn into a router. Is anyone aware of a guide for turning a Debian PC into a _home_ router? I'd like to be running probably DNSmasq, using a blocklist, stuff like that. I've found webpages that tell me how to turn on network forwarding, or maybe configure DNSmasq, but not the whole process. Please don't suggest pfsense: I'm well aware of it, and it may well be better. But I'm very adept at managing Debian, and initially at least I intend to try to set this up. If it turns out to be direly difficult, pfsense may happen later. Thanks. -- Giles https://www.gilesorr.com/ gilesorr@gmail.com
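Giles asks for dnsmasq with a blocklist on a Debian box. The script below is an added example, not something from this thread or from the dnsmasq project: it turns a hosts-format blocklist (the usual "0.0.0.0 name" files) into dnsmasq "address=" lines and installs them as a drop-in. The drop-in path /etc/dnsmasq.d/blocklist.conf is an assumption based on Debian's default conf-dir, and the sample list is constructed. The point worth noticing is the validation step: the blocklist is untrusted input that ends up inside a config file, so every name is checked against a strict hostname pattern before it is written.

```sh
#!/bin/sh
# Added example, not from the thread: feed a hosts-format blocklist to dnsmasq
# on a Debian router. Each entry becomes "address=/name/0.0.0.0", so dnsmasq
# answers the name locally with 0.0.0.0 instead of forwarding it upstream.
# Assumptions: Debian's dnsmasq reads /etc/dnsmasq.d/*.conf (its default
# conf-dir), and the list uses the usual "0.0.0.0 name" / "127.0.0.1 name" form.

# Constructed sample list (not a real blocklist) used by the demo below.
SAMPLE_HOSTS='# constructed sample, mixes good, duplicate and junk entries
127.0.0.1 localhost
0.0.0.0 ads.example.com          # trailing comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 ads.example.com
0.0.0.0 bad_name.example.com
10.0.0.5 intranet.example.org
0.0.0.0 tracker.example.net'

# Convert hosts-format lines on stdin to dnsmasq address= lines on stdout.
# Only lines whose address is 0.0.0.0 or 127.0.0.1 count as block entries;
# comments, dotless names such as localhost, names with characters outside
# [a-z0-9.-] and duplicates are dropped. Validating the name matters: the
# list is untrusted input going into a config file, and a stray "/" or
# newline in a name could otherwise turn into a different dnsmasq directive.
hosts_to_dnsmasq() {
    awk '
        { sub(/#.*/, "") }                              # strip comments
        NF < 2 { next }                                 # need "addr name..."
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # sinkhole entries only
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) continue
                if (name == "localhost.localdomain") continue
                if (name in seen) continue
                seen[name] = 1
                printf "address=/%s/0.0.0.0\n", name
            }
        }'
}

# Write the converted list to its dnsmasq drop-in, checking it parses first
# when dnsmasq is installed ("dnsmasq --test" exits non-zero on a bad file).
# Note dnsmasq does not pick up address= changes on SIGHUP; restart it
# afterwards (systemctl restart dnsmasq).
install_blocklist() {
    src="$1"
    dst="${2:-/etc/dnsmasq.d/blocklist.conf}"   # assumed drop-in path
    tmp="$(mktemp)" || return 1
    hosts_to_dnsmasq < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file="$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dst"
}

# Demo: show what the sample list becomes.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq
```

Run as root with `install_blocklist /path/to/hosts.txt` and then restart dnsmasq. The 0.0.0.0 answer is used rather than the empty "address=/name/" form because it behaves the same across the dnsmasq versions shipped by Debian releases.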

On Thu, 7 Sept 2023 at 10:21, Giles Orr via talk <talk@gtalug.org> wrote:
As per my previous post, I just purchased a mini-PC which I intend to turn into a router. Is anyone aware of a guide for turning a Debian PC into a _home_ router? I'd like to be running probably DNSmasq, using a blocklist, stuff like that. I've found webpages that tell me how to turn on network forwarding, or maybe configure DNSmasq, but not the whole process.
Please don't suggest pfsense: I'm well aware of it, and it may well be better. But I'm very adept at managing Debian, and initially at least I intend to try to set this up. If it turns out to be direly difficult, pfsense may happen later.
You can install Proxmox VE, a hypervisor that you can run for free in a home environment: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye Then, you can run OpenWRT as a VM. OpenWRT has everything you'll ever need in a home router, and more.

On 2023-09-07 11:33, Val Kulkov via talk wrote:
On Thu, 7 Sept 2023 at 11:06, James Knott via talk <talk@gtalug.org> wrote:
A friend of mine is moving to pfSense or OPNsense, from OpenWRT.
I am curious what OpenWRT didn't provide that pfSense or OPNsense do provide.
Quite a lot. pfSense (OPNsense is a fork of pfSense) is closer to the "real" routers from companies like Cisco. For example, it supports routing protocols such as OSPF & BGP, which you are not likely to find in consumer grade routers. On my own network, I have 4 Ethernet ports on my router, with one connected to my WAN. One is my main LAN, which also has a VLAN for my guest WiFi. I also have a test LAN and another connected to my Cisco router. I run IPv4 & IPv6 and can also use OpenVPN for remote access. I have a DNS resolver, which goes directly to the root DNS servers, an NTP server, connected to 3 stratum 1 servers and 3 stratum 2 servers. It provides stratum 2 to my LAN. It can do a lot of other things that I haven't even bothered with. I have a separate access point for WiFi. There's really no comparison.

On 2023-09-07 12:21, James Knott via talk wrote:
On 2023-09-07 11:33, Val Kulkov via talk wrote:
On Thu, 7 Sept 2023 at 11:06, James Knott via talk <talk@gtalug.org> wrote:
A friend of mine is moving to pfSense or OPNsense, from OpenWRT.
I am curious what OpenWRT didn't provide that pfSense or OPNsense do provide.
Quite a lot. pfSense (OPNsense is a fork of pfSense) is closer to the "real" routers from companies like Cisco. For example, it supports routing protocols such as OSPF & BGP, which you are not likely to find in consumer grade routers. On my own network, I have 4 Ethernet ports on my router, with one connected to my WAN. One is my main LAN, which also has a VLAN for my guest WiFi. I also have a test LAN and another connected to my Cisco router. I run IPv4 & IPv6 and can also use OpenVPN for remote access. I have a DNS resolver, which goes directly to the root DNS servers, an NTP server, connected to 3 stratum 1 servers and 3 stratum 2 servers. It provides stratum 2 to my LAN. It can do a lot of other things that I haven't even bothered with. I have a separate access point for WiFi.
There's really no comparison.
Being closer to Cisco is not an advantage in my books.
OpenWRT is a Debian based distribution that has been tuned to run in a small footprint that usually comes with consumer appliances but it is by no means limited to just that form factor. Out of the box OpenWRT is quite basic but there are something like 9000 software packages available to be installed. These include things like Quagga (BGP/OSPF et al), OpenVPN, WireGuard, IPsec, VLANs and odder things like VOIP packages and Docker. In general if you can find it in a mainstream Linux distro you will find it in OpenWRT. The GUI is OK but I have not seen many firewalls with good UIs. As pointed out the minimum server size has grown over the years and the latest versions will not run on my 10 year old D-Link VPN firewall appliance but I doubt that OPNsense would either. There are lots of reasons to not like OpenWRT, as is true of just about any router OS, but lack of core functionality is not really one of them.
-- Alvin Starr || land: (647)478-6285 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||

On Thu, Sep 07, 2023 at 12:45:47PM -0400, Alvin Starr via talk wrote:
Being closer to Cisco is not an advantage in my books.
No kidding. :)
OpenWRT is a Debian based distribution that has been tuned to run in a small footprint that usually comes with consumer appliances but it is by no means limited to just that form factor.
Hmm, having used OpenWRT and Debian for many years, I have seen nothing whatsoever to make me think they are at all related in any way.
-- Len Sorensen

On 2023-09-09 16:47, James Knott via talk wrote:
On 2023-09-09 15:10, Lennart Sorensen via talk wrote:
Being closer to Cisco is not an advantage in my books.
No kidding. 🙂
I was thinking in terms of features. As a (lapsed) CCNA, I agree they can be "fun" to configure.
I was thinking in terms of product quality. I have seen switches with up to 10% of ports with problems. It also seemed to me from the outside that to get a Cisco certificate all you needed was to have the support phone number memorized.
-- Alvin Starr || land: (647)478-6285 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||

On 2023-09-09 22:08, Alvin Starr via talk wrote:
I was thinking in terms of features. As a (lapsed) CCNA, I agree they can be "fun" to configure.
I was thinking in terms of product quality. I have seen switches with up to 10% of ports with problems. It also seemed to me from that outside that to get a Cisco certificate all you needed was to have the support phone number memorized.
I haven't experienced that issue and I have worked with quite a few devices. I also have an 8 port Cisco switch here on my network. I also have a Cisco 2600 series router, which I bought when I was working on my CCNA. Also, I can assure you getting certified takes a lot more than memorizing phone numbers. You have a timed test, in front of a computer and you have to get a passing grade in multiple sections, covering various topics. Also, the wording of the questions means you have to give them a lot of thought. Over the years, I have been certified for Novell Netware 3.x, OS/2 Warp 4 and CCNA. The CCNA test is by far the most difficult. One thing that annoyed me was the test covered some obsolete topics, such as frame relay, but MPLS was not even mentioned. The last time I saw frame relay was about 20 years before I got my CCNA. They should also have been covering shortest path bridging, in addition to spanning tree. There were a few other things where they could have covered something a bit newer, with less emphasis on older stuff.

On 2023-09-09 15:10, Lennart Sorensen wrote:
On Thu, Sep 07, 2023 at 12:45:47PM -0400, Alvin Starr via talk wrote:
OpenWRT is a Debian based distribution that has been tuned to run in a small footprint that usually comes with consumer appliances but it is by no means limited to just that form factor.
Hmm, having used OpenWRT and Debian for many years, I have seen nothing whatsoever to make me think they are at all related in any way.
True. I guess I should have said it felt Debian-ish to me as opposed to being Redhat-ish.
-- Alvin Starr || land: (647)478-6285 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||

On Thu, 7 Sept 2023 at 12:21, James Knott via talk <talk@gtalug.org> wrote:
it supports routing protocols such as OSPF & BGP
https://www.linuxtechguy.com/2020/11/27/dynamic-routing-using-ospf-on-openwr... https://docs.daper.io/networking/bgp/openwrt/
One is my main LAN, which also has a VLAN for my guest WiFi
https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
I run IPv4 & IPv6
https://openwrt.org/docs/guide-user/network/ipv6/start
can also use OpenVPN for remote access
https://openwrt.org/docs/guide-user/services/vpn/start
I have a DNS resolver, which goes directly to the root DNS servers
https://openwrt.org/docs/guide-user/base-system/dhcp
an NTP server, connected to 3 stratum 1 servers and 3 stratum 2 servers
https://openwrt.org/docs/guide-user/services/ntp/client-server -- Scott

On 2023-09-07 12:48, Scott Allen wrote:
On Thu, 7 Sept 2023 at 12:21, James Knott via talk <talk@gtalug.org> wrote:
it supports routing protocols such as OSPF & BGP https://www.linuxtechguy.com/2020/11/27/dynamic-routing-using-ospf-on-openwr... https://docs.daper.io/networking/bgp/openwrt/
I don't doubt OpenWRT can do those things, but can they do them as well as pfSense? You even said you were considering pfSense because of all its features.

On Thu, 7 Sept 2023 at 12:56, James Knott <james.knott@jknott.net> wrote:
I don't doubt OpenWRT can do those things, but can they do them as well as pfSense?
I'm sure OpenWRT can do them just as well, once configured. I haven't looked at OpenWRT lately but I previously got the impression that many add-on packages and even built-in features didn't include GUI extensions. Configuration of these had to be done from a console. With pfSense and OPNsense, extending the GUI by installed packages seems to be the norm. I'm comfortable configuring using a console, having done it frequently during my employment, but these days I usually just want to get things done, without a lot of reading, learning and typing. Another reason for using OPNsense is just to play with something different and new to me. :-) -- Scott

On 2023-09-07 13:36, Scott Allen wrote:
I'm sure OpenWRT can do them just as well, once configured. I haven't looked at OpenWRT lately but I previously got the impression that many add-on packages and even built-in features didn't include GUI extensions. Configuration of these had to be done from a console.
Does it support DHCPv6-PD? That's the reason I switched to pfSense, as my Linux firewall/router didn't. I understand things may have changed in the 7.5 years I've been running pfSense.

On Thu, 7 Sept 2023 at 13:42, James Knott <james.knott@jknott.net> wrote:
Does it support DHCPv6-PD?
https://openwrt.org/docs/guide-user/network/ipv6/configuration "Automatic bootstrap from SLAAC, stateless DHCPv6, stateful DHCPv6, DHCPv6-PD and any combination" -- Scott

| From: James Knott via talk <talk@gtalug.org>
| On 2023-09-07 13:36, Scott Allen wrote:
| > I'm sure OpenWRT can do them just as well, once configured. I haven't looked
| > at OpenWRT lately but I previously got the impression that many add-on
| > packages and even built-in features didn't include GUI extensions.
| > Configuration of these had to be done from a console.
|
| Does it support DHCPv6-PD? That's the reason I switched to pfSense, as my
| Linux firewall/router didn't. I understand things may have changed in the 7.5
| years I've been running pfSense.
(PD is Prefix Delegation)
Do you mean as a server or as a client?
<https://openwrt.org/docs/guide-user/network/ipv6/configuration> seems to cover DHCPv6-PD as a client and server (separate places).
I don't know if this is relevant, but ISC no longer maintains ISC DHCP and has replaced it with Kea DHCP. <https://www.isc.org/blogs/isc-dhcp-eol/> I haven't looked into the consequences but I'm kind of used to maintaining the old config file format and expect the new format to be less human-friendly.

On 2023-09-09 09:23, D. Hugh Redelmeier via talk wrote:
Do you mean as a server or as a client?
Client. I don't run DHCPv6 on my LAN. I use SLAAC. Rogers provides IPv6 via DHCPv6-PD. I switched from a Linux firewall/router to pfSense, as SuSE Linux didn't support it. I have no idea if it does now. Also, thanks to some genius at Google, Android devices don't support DHCPv6.

Good discussion, everyone. I think there's merit to *WRT & *Sense distributions. Might I add a few other things to consider, if GUI isn't the concern.
If you want features & good stability/security: *VyOS* (https://vyos.io/) -- it's fairly easy to build the image and have the latest LTS release. I have a license from the Volunteer WISP I help operate.
If you want lightweight / more exposure to the system: You could scratch that & just roll debian/ubuntu/suse/rhel and utilize the daemon itself, *FRR* (VyOS is just Debian with a python wrapper for FRR): https://frrouting.org/ With FRR, forget having a daemon "like the big vendors"; big vendors commit code to / use FRR.
Finally, there's nothing wrong with the good ol' OpenBSD deployments -- https://www.openbsd.org/faq/pf/example1.html .. lots of IXs running on them for decades. Probably the best security considering OpenBSD's commitment to it. OpenBGPD is a shining star.
If you want just BGP, roll with *BIRD* or *GoBGP*: https://bird.network.cz/?get_doc&f=bird.html&v=20 https://github.com/osrg/gobgp
If GUI is a concern, I'd say *WRT or OPNsense are the way to go today.
In summary, there are /lots/ of great options; We're quite spoiled. Personally, I'm VyOS all the way. The syntax is right at home for Operators who are familiar with JunOS & similar platforms.
Wish I could discuss this more at the next meeting, but I'll be at a book launch.
- Mark
On 2023-09-07 12:56, James Knott via talk wrote:
On 2023-09-07 12:48, Scott Allen wrote:
On Thu, 7 Sept 2023 at 12:21, James Knott via talk <talk@gtalug.org> wrote:
it supports routing protocols such as OSPF & BGP https://www.linuxtechguy.com/2020/11/27/dynamic-routing-using-ospf-on-openwr... https://docs.daper.io/networking/bgp/openwrt/
I don't doubt OpenWRT can do those things, but can they do them as well as pfSense? You even said you were considering pfSense because of all its features.
-- Mark Prosser // E:mark@zealnetworks.ca // W:https://zealnetworks.ca

On Thu, 7 Sept 2023 at 11:33, Val Kulkov via talk <talk@gtalug.org> wrote:
I am curious what OpenWRT didn't provide that pfSense or OPNsense do provide.
I'm moving from DD-WRT to OPNsense (or maybe pfSense). One of the primary reasons I'm doing so is for keeping the firmware up to date. With all the "WRT" software (DD-WRT, OpenWRT, FreshTomato) there was always something that made it difficult to maintain my router at a release with the latest security fixes. With DD-WRT it's hard to tell what the latest release to use is. It seems the philosophy is "Try the latest. If it doesn't work, try previous ones and/or discuss or report the problem". With OpenWRT, it appears you have to re-install any manually installed packages after a system upgrade. Another problem with OpenWRT is that they seem to frequently up the minimum hardware requirements (flash and RAM) and drop support for older hardware with low resources. FreshTomato looks good for maintaining the latest firmware. However, it's limited to Broadcom based systems. Because of this, I'm not sure it will continue to be maintained in the long run. With OPNsense, you can check if a new release is available from the router's GUI itself and updating appears to be straightforward, either from the GUI or the console. -- Scott

On 2023-09-07 12:27, Scott Allen via talk wrote:
With OPNsense, you can check if a new release is available from the router's GUI itself and updating appears to be straightforward, either from the GUI or the console.
It is likewise very easy to update in pfSense. All I have to do is open the dashboard and it automagically checks the update status.

On Thu, 7 Sept 2023 at 12:28, Scott Allen <mlxxxp@gmail.com> wrote:
With OpenWRT, it appears you have to re-install any manually installed packages after a system upgrade. Another problem with OpenWRT is that they seem to frequently up the minimum hardware requirements (flash and RAM) and drop support for older hardware with low resources.
To the best of my knowledge, OpenWRT retains all manually installed packages during system upgrade if you use their "sysupgrade" utility, with the exception of the x86_64 platform. On x86_64, upgrading is indeed a pain. But then there is the "Attended Sysupgrade", which I have not tried yet: https://openwrt.org/docs/guide-user/installation/attended.sysupgrade

On Thu, Sep 07, 2023 at 01:25:15PM -0400, Val Kulkov via talk wrote:
To the best of my knowledge, OpenWRT retains all manually installed packages during system upgrade if you use their "sysupgrade" utility, with the exception of the x86_64 platform. On x86_64, upgrading is indeed a pain. But then there is the "Attended Sysupgrade", which I have not tried yet: https://openwrt.org/docs/guide-user/installation/attended.sysupgrade
I have to reinstall packages after every sysupgrade. It will keep a list of packages you installed, but it sure doesn't install them for you. I think they have an option now to generate images with a list of extra packages for you. I haven't looked at that yet. -- Len Sorensen

On Sat, 9 Sept 2023 at 15:07, Lennart Sorensen <lsorense@csclub.uwaterloo.ca> wrote:
On Thu, Sep 07, 2023 at 01:25:15PM -0400, Val Kulkov via talk wrote:
To the best of my knowledge, OpenWRT retains all manually installed packages during system upgrade if you use their "sysupgrade" utility, with the exception of the x86_64 platform. On x86_64, upgrading is indeed a pain. But then there is the "Attended Sysupgrade", which I have not tried yet: https://openwrt.org/docs/guide-user/installation/attended.sysupgrade
I have to reinstall packages after every sysupgrade. It will keep a list of packages you installed, but it sure doesn't install them for you.
I think they have an option now to generate images with a list of extra packages for you. I haven't looked at that yet.
Use "make menuconfig" to customize your image and add packages, save the changes and then execute:
./scripts/diffconfig.sh > diffconfig
The "diffconfig" file will contain all your customizations and added packages. Next time you are about to build an image, execute:
cp diffconfig .config
make defconfig
If you want to put custom files in your image, like for example your current configuration in /etc/config/*, create <buildroot>/files/ and copy your files there. They will be baked into the image. For more details, see https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
After that, you can build your image with

On 2023-09-07 10:20, Giles Orr via talk wrote:
Please don't suggest pfsense: I'm well aware of it, and it may well be better. But I'm very adept at managing Debian, and initially at least I intend to try to set this up. If it turns out to be direly difficult, pfsense may happen later.
I used to use SuSE Linux for my router/firewall, but had to switch to pfSense as Linux didn't support DHCPv6-PD, which is used to provide IPv6 from Rogers. You'll also find it's a much more capable router/firewall than you're likely to put together with Linux.

On Thu, 7 Sept 2023 at 10:21, Giles Orr via talk <talk@gtalug.org> wrote:
If it turns out to be direly difficult, pfsense may happen later.
What chipset is used for WiFi? BSD, and thus pfSense or OPNsense, is limited in the chipsets that it supports as an access point. Just curious; how/where is the WiFi antenna attached? (I suspect I'm the friend that James Knott just mentioned.) -- Scott

On Thu, 7 Sept 2023 at 11:08, Scott Allen <mlxxxp@gmail.com> wrote:
BSD, and thus pfSense or OPNsense, is limited in the chipsets that it supports as an access point.
I intended to include a URL: https://docs.netgate.com/pfsense/en/latest/wireless/hardware.html -- Scott

On 2023-09-07 10:20 a.m., Giles Orr via talk wrote:
As per my previous post, I just purchased a mini-PC which I intend to turn into a router. Is anyone aware of a guide for turning a Debian PC into a _home_ router? I'd like to be running probably DNSmasq, using a blocklist, stuff like that. I've found webpages that tell me how to turn on network forwarding, or maybe configure DNSmasq, but not the whole process.
Please don't suggest pfsense: I'm well aware of it, and it may well be better. But I'm very adept at managing Debian, and initially at least I intend to try to set this up. If it turns out to be direly difficult, pfsense may happen later.
This guide will get you pretty close, though it is a few years old: https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-ro... The author uses Ubuntu, but generally, I suspect it is in line with what you're envisioning (DNS, DHCP, and routing/firewall) on a Debian box. If I were building this system out, I might opt to use nftables and firewalld instead of iptables or ufw. However, if you're more familiar with either of the latter two it might be easier to start with them. I'd also suggest running pihole in a container to handle DNS. It blocks so many junk requests. Let us know how you get on with things.
Cheers, Jamon

I sent this yesterday. To talk@gtalug.org and jamonation@gmail.com
I got a bounce message from ubuntu-users-owner@lists.ubuntu.com ("Post by non-member to a members-only list")
How would this get to the ubuntu users list with my address on it?
| From: Jamon Camisso via talk <talk@gtalug.org>
| To: talk@gtalug.org
| Cc: Jamon Camisso <jamonation@gmail.com>
| Date: Thu, 7 Sep 2023 14:54:30 -0400
| Subject: Re: [GTALUG] Debian Linux as-a-router Guide

D. Hugh Redelmeier via talk wrote on 2023-09-08 07:04:
I sent this yesterday. To talk@gtalug.org and jamonation@gmail.com I got a bounce message from ubuntu-users-owner@lists.ubuntu.com ("Post by non-member to a members-only list")
How would this get to the ubuntu users list with my address on it?
| From: Jamon Camisso via talk <talk@gtalug.org>
| To: talk@gtalug.org
| Cc: Jamon Camisso <jamonation@gmail.com>
| Date: Thu, 7 Sep 2023 14:54:30 -0400
| Subject: Re: [GTALUG] Debian Linux as-a-router Guide
There's something weird going on in the world of mailing lists. First, it appears Jamon works/worked at Canonical, so there's a tangential relation to lists.ubuntu.com. Two days ago, I got a weird message from someone I barely know via a LUG that was "Checking in" and "Is this email still valid for you? There is something important I'd like to discuss." Checking list archives, the From: was valid, but the ReplyTo: had a couple extra numbers on the end, then a different domain. Very odd. Maybe he was hacked? The mailing list itself? Then, yesterday I awoke to a flood of incoming bounce messages from *MY* mail server. Someone logged into my server as admin@bclug.ca (SASL plain auth), and started sending messages full of base64-encoded attachments (spam). That scared me - how did this happen?!? I shut down postfix, archived the queue then analyzed it, then deleted it. Changed my SASL password (a very lengthy one before & after), and it appears to be okay now? Maybe there's some automated attack going on against small Linux email lists / servers? Also, there was a back-scatter issue a few / several months ago targeting a user and/or mailing list in SF. TL;DR: I dunno why you got the bounce from Ubuntu lists.

I shut down postfix, archived the queue then analyzed it, then deleted it. Changed my SASL password (a very lengthy one before & after), and it appears to be okay now?
Did you (re)use that password somewhere? It is best to have unique passwords, a different one for each login. Years ago I got spam/blackmail type of email stating something like "we got into your network with this pwd and we can do damage, send us some bitcoins". And the password used to be valid (!) years before for another of my email accounts (not for the account on which I got the blackmail). I had it changed back then when their server was hacked. Someone made an online profile for me, all accounts I have, passwords they could retrieve, etc - there is a black market for such.

| From: Giles Orr via talk <talk@gtalug.org>
| As per my previous post, I just purchased a mini-PC which I intend to
| turn into a router. Is anyone aware of a guide for turning a Debian
| PC into a _home_ router? I'd like to be running probably DNSmasq,
| using a blocklist, stuff like that. I've found webpages that tell me
| how to turn on network forwarding, or maybe configure DNSmasq, but not
| the whole process.
There are lots of guides but it is hard to tell which are current and reliable.
I've been using PCs as my gateway machine for perhaps 25 years. I've been lazy and only changed when forced to (and sometimes slow at that). I've always run some Red Hat distro (RHL, CentOS, Fedora).
Here are some things that I hope you might find useful.
- One surprise to me was that debian out-of-the-box doesn't have a firewall. Eek!
- normal home setups are NOT complicated. There are, however, a number of services you might want to provide, and each requires a varying amount of design and configuring. On my system (that I remember) (You probably don't want all of these):
  firewall
  DNS for my LAN.
  DNS for the world (a hidden master for my zones)
  SMTP for the world
  SMTP, POP3, imap for my LAN
  SSH for the world and for LAN (forbid authentication by password!)
  DHCP client for upstream
  DHCP server for LAN
  I don't have an ASN. I don't see any reason or have the ability to run BGP and the like. I don't have multiple LANs or VLANs. People with home-made routers seem to like those things.
- For firewalling, I evolved my own set of rules. Now I'm using firewalld. For most people, I imagine that firewalld is a slightly gentler interface. Underneath it is the regular Linux firewall (nft these days). firewalld is easy to configure and does some of the work for you. The model it provides makes it easier to understand firewalling. Unlike raw filter rules, it is mostly declarative. But its modelling capability is a bit simplistic and might not match your needs. One great thing is that the authors/maintainers are responsive.
- I have two gateways that require PPPoE. That reduces the packet size that can transit the link. Path MTU discovery should handle that but some hosts in the internet just assume that the Path MTU bottleneck is always at the leaf. So: on one gateway, I have to add TCP MSS clamping to the firewall. For some reason I don't have to do that on the other (it might be a built-in feature of Roaring Penguin PPPoE).
I find that half the problem is figuring out how to bypass the ISP's router. The documentation is bad. At least Rogers was simple.
Things are more complicated with Bell. I landed on PPPoE pass through with my Bell-supplied GigaHub router/modem. Interestingly, that gives my router and the Bell router distinct public IPv4 addresses. I tried "Advanced DMZ" which was simpler (no PPPoE on my router) but that left both routers with the same IP address and I could not figure out how that could safely work (both are doing NAT and hence allocating ports, but without co-ordination). Interesting: Bell's "Fibe" application lets me watch TV with either IP address.
A good thing about the Bell setup is that I could access the internet through the GigaHub directly, bypassing my own router, while my router is still live. Great for debugging.

On 2023-09-08 11:50, D. Hugh Redelmeier via talk wrote:
I've been using PCs as my gateway machine for perhaps 25 years. I've been lazy and only changed when forced to (and sometimes slow at that). I've always run some Red Hat distro (RHL, CentOS, Fedora).
I had been using an HP compact desktop computer for years, initially with SuSE but later pfSense, but then it died. I replaced it with a Qotom mini PC, which works well and takes a lot less power.
I don't have multiple LANs or VLANs. People with home-made routers seem to like those things.
You might want a guest VLAN/SSID. I have my firewall configured so that the only thing a guest can do on my network is ping the guest VLAN interface. Beyond that, they can only access the Internet. I even point them to Google's DNS server, instead of mine.
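Hugh's message above covers the firewall and the TCP MSS clamping a PPPoE uplink needs, and James's describes a guest VLAN that can only ping the router and reach the Internet. The ruleset below is an added example written for this discussion; it is not Hugh's firewalld configuration, James's pfSense rules, or anything from a project. It uses raw nftables (what firewalld drives underneath, as Hugh notes) so every decision is visible. The interface names ppp0, eth1 and eth1.20 (VLAN tag 20) are assumptions; substitute whatever `ip link` shows on the box. Two details are easy to get wrong and are called out in comments: guests still need DHCP through the firewall to get a lease at all, and ICMPv6 has to pass on every segment or IPv6 (including the SLAAC James uses) silently stops working.

```sh
#!/bin/sh
# Added example, not from the thread: an nftables ruleset for a Debian home
# router that covers what Hugh and James describe above: default-deny
# forwarding, masquerading the LAN behind a PPPoE uplink, TCP MSS clamping
# for that uplink, and a guest VLAN that can reach the Internet and ping the
# router but nothing on the LAN. Interface names are assumptions:
# ppp0 = PPPoE uplink, eth1 = LAN, eth1.20 = guest VLAN (802.1Q tag 20).

# Print the ruleset for the given WAN, LAN and guest interfaces.
router_ruleset() {
    wan="$1"; lan="$2"; guest="$3"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # ICMPv6 carries NDP/RA; without it IPv6 (and SLAAC) breaks on every segment
        meta l4proto ipv6-icmp accept
        # guests: DHCP so they get a lease, ping to the router, nothing else
        iifname "$guest" udp dport 67 accept
        iifname "$guest" icmp type echo-request accept
        iifname "$guest" drop
        # LAN: DNS, DHCP, NTP over UDP; DNS and SSH over TCP (key auth only)
        iifname "$lan" udp dport { 53, 67, 123 } accept
        iifname "$lan" tcp dport { 22, 53 } accept
        iifname "$lan" icmp type echo-request accept
        # from the WAN, only the ICMP that PMTUD and diagnostics need
        icmp type { destination-unreachable, time-exceeded } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # PPPoE shrinks the MTU; clamp MSS so hosts that ignore PMTUD still connect
        oifname "$wan" tcp flags syn tcp option maxseg size set rt mtu
        iifname "$lan" oifname "$wan" accept
        # guest VLAN may only go out to the Internet, never toward the LAN
        iifname "$guest" oifname "$wan" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Enable forwarding and load the ruleset; "nft -c" checks syntax without
# touching the kernel, so a typo does not leave the router with no firewall.
apply_ruleset() {
    wan="$1"; lan="$2"; guest="$3"
    router_ruleset "$wan" "$lan" "$guest" | nft -c -f - || return 1
    sysctl -q -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    router_ruleset "$wan" "$lan" "$guest" | nft -f -
}

# Demo: print the ruleset so it can be reviewed or saved to /etc/nftables.conf.
router_ruleset ppp0 eth1 eth1.20
```

Save the printed ruleset as /etc/nftables.conf and enable the nftables service so it is loaded at boot; the sysctl settings belong in /etc/sysctl.d/ for the same reason. The guest isolation comes from the forward chain's default drop: there is simply no rule that lets eth1.20 traffic out of eth1, so nothing has to enumerate what guests may not reach.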

| From: James Knott via talk <talk@gtalug.org>
| You might want a guest VLAN/SSID. I have my firewall configured so that the
| only thing a guest can do on my network is ping the guest VLAN interface.
| Beyond that, they can only access the Internet. I even point them to Google's
| DNS server, instead of mine.
Good point. It turns out that I could give guests the password for the Bell GigaHub WiFi. That's isolated from my LAN. In fact, I think that the GigaHub has a separate password for guests.
More to your point, it may be convenient for your router to have more than two ethernet ports. Giles' box only has two, yours and mine have four. (Giles's box sure is cute.)
Common wisdom has it that USB ethernet dongles are not always stable 24/7.

On 2023-09-08 14:49, D. Hugh Redelmeier via talk wrote:
More to your point, it may be convenient for your router to have more than two ethernet ports. Giles' box only has two, yours and mine have four. (Giles's box sure is cute.)
Mine has 4. The other day, I mentioned I received a catalog from Qotom. I posted it on Digital Home Canada, as it's too big for me to email. Here's the link: https://www.digitalhome.ca/threads/qotom-mini-pc-catalog.295008/ As you can see, they have a LOT of models. Some have 2.5 Gb Ethernet ports and 10 Gb SFP ports.

On Fri, 8 Sept 2023 at 14:49, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
More to your point, it may be convenient for your router to have more than two ethernet ports. Giles' box only has two, yours and mine have four. (Giles's box sure is cute.)
Common wisdom has it that USB ethernet dongles are not always stable 24/7.
This is a subject I know way too much about - which means you've triggered a story that can be skipped by those not interested. The main point: I've never found a totally stable USB-to-Ethernet dongle - and I've tried quite a few.
I'm fairly hardcore about having my computers connected to the network via wires rather than WiFi. I do use WiFi occasionally, to sit on the balcony or the couch - but the wireless router is on a physical switch which is off most of the time. Which means I've become very familiar with USB-to-Ethernet dongles and their quirky behaviour. The most stable I've ever dealt with are the Apple-branded ones attached to Apple computers (they're pretty good attached to non-Apple computers as well, although I rarely use them that way). But Linux computers with USB-to-Ethernet dongles are never totally stable. I would say I get a couple minutes of network drop-outs per day (across multiple brands). Which isn't a problem when I'm not in front of the computer (they're clients, not servers), but when you're using Barrier to use one computer's mouse and keyboard to control another computer, a network outage knocks you off the second computer completely. Sometimes these outages resolve themselves, occasionally (rarely) I have to run `dhclient` by hand on the machine with the dongle. I've never dug into the logs to figure out why.
I have multiple USB3-to-Ethernet dongles:
- one "Amazon Basics" - fairly good, but probably the most drop-outs?
- two Anker "Unibody Aluminum" - slightly better
- three Orico 3-port USB hub + Ethernet - these are noticeably more stable (still not perfect) and, because of the added USB ports, more useful
- absolute worst: Belkin USB-C "docking bay" thingy: the Ethernet port on this bounced every 30 seconds to 1 minute, totally unusable (and of course being a "docking bay" it cost much more than the others). I ended up plugging one of the Ankers into a USB port on the docking bay!
I've never seen this instability with built-in Ethernet ports: they work or they don't, end of story. -- Giles https://www.gilesorr.com/ gilesorr@gmail.com

| From: Giles Orr via talk <talk@gtalug.org>
| I've never found a totally stable USB-to-Ethernet dongle -
| and I've tried quite a few.

That's really interesting and really unfortunate.

Almost no notebooks come with ethernet ports these days. Notebooks are almost supplanting "regular" PCs. Notebooks are a bargain compared with regular PCs.

USB-ethernet problems will prevent using notebooks as servers. They will also prevent most other computers from being used as routers.

Any idea why USB-ethernet is so unreliable? Any useful diagnostics?
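In answer to the "any useful diagnostics?" question, and to Giles's remark that he has never dug into the logs: the following is an added example, written for this page and not posted by anyone on the thread. It reads kernel log lines as printed by `journalctl -k -o short-iso`, pairs each "carrier off" with the next "carrier on" for the same interface, and totals the outages per NIC. The one distinction worth making is whether the dongle's own USB device disconnected during the outage ("usb 2-1.2: USB disconnect"): if it did, the dongle fell off the bus, which points at the port, hub, cable or USB power management rather than at the network; if the device stayed enumerated and only the carrier flapped, suspect the PHY, the driver, or the cable and switch port. Assumptions: the message formats are those of the in-kernel r8152 (Realtek USB) and e1000e drivers; other USB NIC drivers (ax88179_178a, cdc_ncm) word their link messages differently and would need another alternative in LINK_RE. The sample log inside the script is constructed, not captured from a real machine.

```python
#!/usr/bin/env python3
"""Summarize NIC link drop-outs from `journalctl -k -o short-iso` output.
Usage: journalctl -k -o short-iso -b | python3 nic_dropouts.py   (no piped input: runs the sample)
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4})"
# "r8152 2-1.2:1.0 enx00e04c680a11: carrier off" (USB NIC: interface 1.0 of USB device 2-1.2)
# "e1000e 0000:00:1f.6 eno1: NIC Link is Up ..."  (onboard PCI NIC)
LINK_RE = re.compile(
    TS + r" \S+ kernel: \S+ (?P<bus>\S+) (?P<iface>[\w.-]+): "
    r"(?:carrier (?P<c>on|off)|(?:NIC )?Link is (?P<l>Up|Down))")
# "usb 2-1.2: USB disconnect, device number 7"  (the dongle itself left the bus)
USB_DISC_RE = re.compile(TS + r" \S+ kernel: usb (?P<path>[\d.-]+): USB disconnect")

@dataclass
class Outage:
    iface: str
    start: datetime
    seconds: float
    reenumerated: bool  # True if this NIC's own USB device disconnected during the outage

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")

def usb_device(bus: str):
    """'2-1.2:1.0' (USB interface) -> '2-1.2' (USB device); None for a PCI address."""
    m = re.fullmatch(r"(\d+-[\d.]+):\d+\.\d+", bus)
    return m.group(1) if m else None

def analyze(lines):
    """Pair each carrier-off with the next carrier-on per interface; returns (outages, still_down).
    A repeated carrier-off while already down is ignored, as is a carrier-on with no prior off (boot)."""
    down = {}         # iface -> (start, usb device path or None)
    disconnects = []  # (ts, usb device path)
    outages = []
    for line in lines:
        m = USB_DISC_RE.search(line)
        if m:
            disconnects.append((parse_ts(m["ts"]), m["path"]))
            continue
        m = LINK_RE.search(line)
        if not m:
            continue
        ts, iface = parse_ts(m["ts"]), m["iface"]
        is_up = m["c"] == "on" or m["l"] == "Up"
        if not is_up:
            down.setdefault(iface, (ts, usb_device(m["bus"])))
        elif iface in down:
            start, dev = down.pop(iface)
            # Only a disconnect of *this* dongle counts; other USB devices may come and go.
            reenum = dev is not None and any(
                p == dev and start <= t <= ts for t, p in disconnects)
            outages.append(Outage(iface, start, (ts - start).total_seconds(), reenum))
    return outages, down

def summarize(outages):
    """Per-interface totals: number of outages, seconds down, USB re-enumerations."""
    by = {}
    for o in outages:
        s = by.setdefault(o.iface, {"outages": 0, "seconds": 0.0, "usb_reenumerations": 0})
        s["outages"] += 1
        s["seconds"] += o.seconds
        s["usb_reenumerations"] += int(o.reenumerated)
    return by

def report(lines, out=sys.stdout):
    outages, still_down = analyze(lines)
    for iface, s in summarize(outages).items():
        print(f"{iface}: {s['outages']} outage(s), {s['seconds']:.0f}s down, "
              f"{s['usb_reenumerations']} with USB re-enumeration", file=out)
    for o in outages:
        cause = "dongle left the USB bus" if o.reenumerated else "link only (PHY/driver/cable)"
        print(f"  {o.start:%Y-%m-%d %H:%M:%S} {o.iface} {o.seconds:5.0f}s  {cause}", file=out)
    for iface, (start, _) in still_down.items():
        print(f"  {iface} still down since {start:%Y-%m-%d %H:%M:%S}", file=out)

# Constructed sample log (not captured from a real machine): one USB dongle with three
# drop-outs, an onboard NIC that never flaps, and an unrelated USB device (1-3) unplugging.
SAMPLE_LOG = """\
2023-09-09T07:58:40-0400 desk kernel: e1000e 0000:00:1f.6 eno1: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
2023-09-09T07:58:44-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier on
2023-09-09T08:12:03-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier off
2023-09-09T08:12:03-0400 desk kernel: usb 2-1.2: USB disconnect, device number 7
2023-09-09T08:12:09-0400 desk kernel: usb 2-1.2: new high-speed USB device number 8 using xhci_hcd
2023-09-09T08:12:10-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier on
2023-09-09T11:30:00-0400 desk kernel: usb 1-3: USB disconnect, device number 4
2023-09-09T14:40:51-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier off
2023-09-09T14:41:33-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier on
2023-09-09T21:05:12-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier off
2023-09-09T21:06:00-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier off
2023-09-09T21:06:19-0400 desk kernel: r8152 2-1.2:1.0 enx00e04c680a11: carrier on
"""

if __name__ == "__main__":
    report(sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines())
```

On the constructed sample it finds three outages on enx00e04c680a11 totalling 116 seconds, one of them with the dongle re-enumerating, and it ignores the unrelated device 1-3 unplugging and the duplicate "carrier off". Run it against `journalctl -k -o short-iso -b -1` for the previous boot as well. If most outages show the dongle leaving the bus, check the hub and cable and whether USB autosuspend is kicking in (`/sys/bus/usb/devices/<device>/power/control` reads `auto` when it is; writing `on` disables it for that device). A DHCP client that has to be kicked by hand afterwards is a separate issue: the link came back but the lease was not renewed, which a carrier-only tally will not show.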

On Sat, Sep 9, 2023 at 9:56 AM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
Notebooks are almost supplanting "regular" PCs.
IMO we're well beyond the "almost" in that statement. COVID led to work-from-home which necessitated laptops for employees in the services sector. Even though the COVID threat has reduced, WFH is never going away. For typical business use there is no compelling reason for a desktop. But also, for the purpose of this thread, even "regular" PCs are increasingly coming with wifi as an alternative to wired networking. Ditto printing, where only premium units have Ethernet but most have wifi. This makes sense as most homes are well wired for RJ11 POTS service, but few are wired for RJ45. So the usual solution I have seen lately is to blanket even large houses with mesh wifi like the TP-Link Deco line. This seems good enough for most people as even 4K televisions are fine with wifi. I was fortunate enough to buy a house from a developer when all that existed at the time of purchase was a sales office and a hectare or two of dirt. So I was able to do custom wiring. Requesting almost every room wired with RJ45 was so unusual it took me almost a full afternoon to explain it to the contractor. Then they brought in a commercial team that tried to sell me massively overpriced Ethernet switches. But I ended up happy with the result, though I have no idea if it will affect the house's resale value. I have three USB-to-Ethernet devices. One was supplied by Asus with the laptop. Another is a TP-Link UE300C That is used with other laptops. But the one I use the most is a $21 hub I bought on Aliexpress that also includes an HDMI port, an SD card reader, and some additional USB-A ports. All have worked well under both Windows and Linux (KDE Neon), though I haven't exactly stress-tested them. The hub is fussy about the order of plugging things in but it works.
Notebooks are a bargain compared with regular PCs.
This I won't agree with. I've been able to easily assemble desktop PCs with off-the-shelf parts (providing the shelves are at Canada Computers) for less money than an equivalent laptop. Desktop RAM is usually cheaper than the laptop variety. And of course you have the advantage of upgrading (or downgrading) the screen, keyboard and pointing device to one of your choosing. Why pay for a touchpad if you're only going to plug a mouse in anyway? Most of the business users I know have a docking unit at home for their laptop, into which is plugged a mouse and keyboard as well as a second screen. This combo is never a bargain compared to a desktop PC that doesn't have redundant components. Also consider that at the low end, a mini PC capable of running most business apps can be had, with 12GB of RAM and Windows pre-loaded, for about $200 <https://www.amazon.ca/ACEMAGICIAN-N5095-Desktop-Computer-Ethernet/dp/B0BPP33R3L/ref=sr_1_13>. The evolution of the Intel NUC concept and its many competitors shows no sign of slowing.
USB-ethernet problems will prevent using notebooks as servers.
A headless mini-PC as a server will be many times cheaper than a similarly-powered laptop and all of them come with at least one Ethernet, usually gigabit.
They will also prevent most other computers from being used as routers.
Not if they have a free PCI slot <https://www.amazon.ca/Gigabit-Ethernet-Express-Network-Controller/dp/B07XJ8CMQX/ref=sr_1_14>, and most full-chassis desktops do.
- Evan

On Sat, Sep 9, 2023 at 10:20 AM Evan Leibovitch via talk <talk@gtalug.org> wrote:
On Sat, Sep 9, 2023 at 9:56 AM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
Notebooks are almost supplanting "regular" PCs.
IMO we're well beyond the "almost" in that statement. COVID led to work-from-home which necessitated laptops for employees in the services sector. Even though the COVID threat has reduced, WFH is never going away. For typical business use there is no compelling reason for a desktop.
Dunno - - - I would say that I see no compelling reason for a laptop. Power headaches, tiny monitor space (I have a seriously multi-monitor system (think 8620 x 3000 pixels almost all of it visible)) unable to use an ergo keyboard - - - - I wonder why anyone would want to use a laptop (lol)?
But also, for the purpose of this thread, even "regular" PCs are increasingly coming with wifi as an alternative to wired networking. Ditto printing, where only premium units have Ethernet but most have wifi. This makes sense as most homes are well wired for RJ11 POTS service, but few are wired for RJ45. So the usual solution I have seen lately is to blanket even large houses with mesh wifi like the TP-Link Deco line. This seems good enough for most people as even 4K televisions are fine with wifi.
If one is into privacy and security - - - wifi - - - not so hot - - - sorry! (radio waves are very indiscriminate!)
I was fortunate enough to buy a house from a developer when all that existed at the time of purchase was a sales office and a hectare or two of dirt. So I was able to do custom wiring. Requesting almost every room wired with RJ45 was so unusual it took me almost a full afternoon to explain it to the contractor. Then they brought in a commercial team that tried to sell me massively overpriced Ethernet switches. But I ended up happy with the result, though I have no idea if it will affect the house's resale value.
Great for you, but did they use cat 5 or 5e wiring? Today you might need cat 8 (6 and 7 seem to have been obsoleted - - - dunno). I would have dragged in conduit, then you would be very future proof - - - with just cable runs you will have to redo every 20 odd years.
I have three USB-to-Ethernet devices. One was supplied by Asus with the laptop. Another is a TP-Link UE300C That is used with other laptops. But the one I use the most is a $21 hub I bought on Aliexpress that also includes an HDMI port, an SD card reader, and some additional USB-A ports. All have worked well under both Windows and Linux (KDE Neon), though I haven't exactly stress-tested them. The hub is fussy about the order of plugging things in but it works.
I may have found a unicorn. Label says it's a Tripp-Lite (model U209-006-RJ-45-X) USB to RJ-45 cable made by Eaton. FreeBSD also gives that baby passing marks - - - it's the only one there that gets that. Wasn't cheap though (it was a Newegg purchase and shipping was quick). Might be worth a look if you need such - - - I did/do because, buying used commercial computers, it seems that a second RJ-45 is considered irrelevant although there might be 4 or 5 USB 3.x ports. Big business doesn't think long term - - - it's for use in the period of the lease (at most 3 years, possibly 4), then the systems are replaced. M$ loves this and I like getting cheap, reasonably high-spec'd small form factor systems (they help keep my power costs down and space considerations lower as well). HTH

My experience with USB Ethernet NICs is the same as seemingly everyone else's here. I've given them a shot over the past 10 years and I've had the same dismal experience under all 3 major operating systems (Linux, macOS, Windows). Primary problem is regular connection dropouts, secondary problem is not reaching the maximum speed for given connection. Separate from that, when Apple came out with the first "Retina" MacBook Pro in 2012, I purchased their Thunderbolt 1 to Ethernet adapter, as that laptop did not have built in Ethernet. Ever since that time I've purchased several Thunderbolt NICs and every single one of them has been rock solid and are used by employees around the office to this day. I'm currently using Sonnet Solo 10G SFP+ unit (https://www.sonnettech.com/product/solo10g-sfp-tb3/overview.html) as I need to access the local network at 10Gbit for certain tasks.
On Sep 9, 2023, at 13:06, o1bigtenor via talk <talk@gtalug.org> wrote:

On Sat, Sep 09, 2023 at 12:06:41PM -0500, o1bigtenor via talk wrote:
Gret for you but did they use cat 5 or 5e wiring. Today you might need cat 8 (6 and 7 seems to have been obsoleted - - - dunno). I would have dragged in conduit then you would be very future proof -
Anything installed now still tends to be 5E or 6. 5E is good enough for 10GbaseT up to 30m, so perfectly fine in a house. 6 increases it to 55m and 6A to 100m. I am perfectly happy with 5E or 6 in the walls. I am still trying to get 10G equipment figured out so I can start using that. -- Len Sorensen

On 2023-09-09 13:06, o1bigtenor via talk wrote:
I was fortunate enough to buy a house from a developer when all that existed at the time of purchase was a sales office and a hectare or two of dirt. So I was able to do custom wiring. Requesting almost every room wired with RJ45 was so unusual it took me almost a full afternoon to explain it to the contractor. Then they brought in a commercial team that tried to sell me massively overpriced Ethernet switches. But I ended up happy with the result, though I have no idea if it will affect the house's resale value.
I wouldn't trust an electrician to do it, unless they have Ethernet experience. My Ethernet wiring was done by Rogers, when I first got a cable modem, in the late 90s. They did a nice job, including fishing through walls, etc. I provided the plain CAT5, as 5e wasn't common back then.
Great for you, but did they use cat 5 or 5e wiring? Today you might need cat 8 (6 and 7 seem to have been obsoleted - - - dunno). I would have dragged in conduit, then you would be very future proof - - - with just cable runs you will have to redo every 20 odd years.
Gigabit was designed for plain CAT5, before 5e was available, so that's all you need, unless you're going above 1 Gb. There's no such thing as CAT7, according to IEEE specs. Even if there were, it would be a waste of money.

| From: Evan Leibovitch via talk <talk@gtalug.org>
| On Sat, Sep 9, 2023 at 9:56 AM D. Hugh Redelmeier via talk <talk@gtalug.org>
| wrote:
| > Notebooks are almost supplanting "regular" PCs.
| >
|
| IMO we're well beyond the "almost" in that statement.

I was thinking "almost completely", so I agree. But my "data" is highly anecdotal.

| So I was able to do custom wiring.

We lived for decades with cables on the walls, not in the walls. Perhaps a good thing: the technology changed. After a renovation, we have decent wiring in the walls (until the technology changes again).

Stewart Brand's "How Buildings Learn" is an excellent book about how buildings evolve after they have been built. He discusses the idea that there are different layers of a house that evolve at different rates and that architects don't often design for this. For example:
- furniture changes most quickly and easily
- wall covering (wall paper and paint) a little less so
- walls still less
- plumbing still less (When I was young, many British houses had exterior plumbing added after construction (you can see it in old movies). Every once in a while it would freeze.)

| I have three USB-to-Ethernet devices. One was supplied by Asus with the
| laptop. Another is a TP-Link UE300C That is used with other laptops. But
| the one I use the most is a $21 hub I bought on Aliexpress that also
| includes an HDMI port, an SD card reader, and some additional USB-A ports.
| All have worked well under both Windows and Linux (KDE Neon), though I
| haven't exactly stress-tested them. The hub is fussy about the order of
| plugging things in but it works.

I'm guessing that Giles is more stringent than you are.

| > Notebooks are a bargain compared with regular PCs.
| >
| This I won't agree with.

See for example: <https://forums.redflagdeals.com/dell-inspiron-15-3520-fhd-laptop-i3-1215u-8-256gb-405-code-2639290/5/#p38040379> I don't think that you are going to get a desktop with these features for this price. (This i3 processor is quite good, not like many previous ones.)

| I've been able to easily assemble desktop PCs with
| off-the-shelf parts (providing the shelves are at Canada Computers) for
| less money than an equivalent laptop.

Not me. I guess that part of the difference is I look for bargains. There are a lot more laptop bargains than desktop bargains.

| Desktop RAM is usually cheaper than
| the laptop variety. And of course you have the advantage of upgrading (or
| downgrading the screen, keyboard and pointing device to one of your
| choosing. Why pay for a touchpad if you're only going to plug a mouse in
| anyway?

Being able to use a discrete GPU is another reason.

| Most of the business users I know have a docking unit at home for their
| laptop, into which is plugged a mouse and keyboard as well as a second
| screen. This combo is never a bargain compared to a desktop PC that doesn't
| have redundant components. Also consider that at the low end, a mini PC
| capable of running most business apps can be had, with 12GB of RAM and
| Windows pre-loaded, for about $200
| <https://www.amazon.ca/ACEMAGICIAN-N5095-Desktop-Computer-Ethernet/dp/B0BPP33R3L/ref=sr_1_13>.

That is a good price. It's not a great desktop, just like a netbook isn't a great notebook. It's a brand with no track record for support in Canada. The processor is obsolete and slow but not terrible. 12G of RAM is odd. That means it has mismatched SODIMMs: 4G and 8G.

| The evolution of the Intel NUC concept and its many competitors shows no
| sign of slowing.

I'm partial to the earlier ThinkCentre Tiny computers. They are designed for business so they are expensive and conservative. I've snagged a few, all but one used. I used Zotac Zboxes for years before the NUC. The ones I bought came with two NICs. Great for routers.

| > USB-ethernet problems will prevent using notebooks as servers.
| >
| A headless mini-PC as a server will be many times cheaper than a
| similarly-powered laptop and all of them come with at least one Ethernet,
| usually gigabit.

As discussed above, several of us use mini-PCs with multiple 2.5G ethernet ports.

| > They will also prevent most other computers from being used as routers.
| >
|
| Not if they have a free PCI slot
| <https://www.amazon.ca/Gigabit-Ethernet-Express-Network-Controller/dp/B07XJ8CMQX/ref=sr_1_14>,
| and most full-chassis desktops do.

Mini PCs tend not to have the ability to add ethernet ports. Some Lenovo, Dell, or HP tiny PCs can be optioned with a second NIC. SFF PCs usually have room for a low-profile NIC, possibly requiring a riser card. That's what I used 25 years ago: DEC PCs with Pentium 60 (I had two: one with the FDIV bug and one without). I'm very glad that my router is a mini PC: it is fanless, low power, and low volume.

Reviewing your original request (sorry, I lost it due to spam filtering in Thunderbird) ... I think this guide might get you in the direction you want: https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-ro... The guide is quite old (last updated ~2018) but still should give you the ideas needed to get your Debian install in the right direction. I still think VyOS is a good method, since you can access Debian any time you want, but this is more along what you asked.
On 2023-09-07 10:20, Giles Orr via talk wrote:
As per my previous post, I just purchased a mini-PC which I intend to turn into a router. Is anyone aware of a guide for turning a Debian PC into a _home_ router? I'd like to be running probably DNSmasq, using a blocklist, stuff like that. I've found webpages that tell me how to turn on network forwarding, or maybe configure DNSmasq, but not the whole process.
Please don't suggest pfsense: I'm well aware of it, and it may well be better. But I'm very adept at managing Debian, and initially at least I intend to try to set this up. If it turns out to be direly difficult, pfsense may happen later.
Thanks.
-- Mark Prosser // E: mark@zealnetworks.ca // W: https://zealnetworks.ca
participants (14)
- Alex Kink
- Alvin Starr
- Aurelian Melinte
- BCLUG
- D. Hugh Redelmeier
- Evan Leibovitch
- Giles Orr
- James Knott
- Jamon Camisso
- Lennart Sorensen
- Mark Prosser
- o1bigtenor
- Scott Allen
- Val Kulkov