I also use Debian 12 for my home router (switched away from OPNsense). It's an old PC that became redundant when I built a new one, now stripped down to just the motherboard in a benchtable. The LAN NIC is an Intel I350 card and wifi is from an AR9280-based PCIe card, so no problems with firmware etc.
Unlike TFA I did not try to replace my ISP-provided ONT, and I use nftables (via firewalld) instead of iptables, unbound instead of dnsmasq, and systemd-networkd instead of dhclient and radvd. I also run haproxy to terminate TLS for some exposed LAN servers, and a local OpenSUSE package repository since many of my LAN machines are OpenSUSE.
For the internet facing services (chrony, haproxy, unbound) I wrote systemd override files to harden them (run as non-root, temporary mounts instead of direct filesystem access, etc). I also run them in individual network namespaces.
I highly recommend a Linux-based router if you have the hardware to spare and want a completely customizable and secure router, never having to worry about ISP malware or lack of updates again. Of course if what you have is more embedded than a full x86 motherboard then something like OpenWRT would be better than Debian.
Flexibility indeed. My first router was Linux/ipfwadm, and after many years of trying various off the shelf devices I finally came back to straight GNU/Linux. Debian for the longest time, now NixOS, as a virtual machine on a larger host. I use nftables directly, with a template engine - the same config generates rules for two premises routers and a bunch of cloud hosts (with a fully-connected mesh of wireguard links between each pair of routers, of course)
The rules make extensive use of policy routing, such that every device on my network has its own view of what services it is allowed to access, and what Internet horizon it sees. Loading the rules fails safe in that forwarding is only enabled after a successful (re)load, and the rules fail safe such that if a connection doesn't have a valid fwmark then it's not allowed to go out any interface. This allows me to do things like have two web browsing VMs that display side by side, one coming from my physical infrastructure IP and one coming from a often-rotated data center IP.
The system has served me well, but is obviously quite bespoke. I'd love to factor it out some day and publish it for general consumption, but I haven't quite figured out how to retain the flexibility while making it have broad appeal.
I stuck with OPNsense when I upgraded but I virtualized everything which make everything so much easier. [1] You can just replace the router if you want or revert it if an update fails. No more digging up an USB to Serial adapter to connect to the the console on an ALIX board.
It's basically a Manjaro vs Arch situation. FreeBSD is fine, but these downstreams like pfSense / OPNsense with only a handful of maintainers just delay patches pointlessly. I'd much rather use upstream directly.
(I switched to Debian instead of FreeBSD because, if I was going to have to set up networking from scratch, I'd much rather do it in an OS I'm more familiar with.)
I wonder why the OPNsense maintainer took your question so personally. Asking for transparency with how an OS project deals with CVE-impacted packages doesn't seem particularly controversial to me.
Not OP, and I don't use proxmox, but in my case the host is just another client of the router. Of course, if the router is borken for whatever reason, the host won't get any updates. But if that's the case, upgrading the host is unlikely to be my top priority.
If I really need to update the host with no router: I plug my iPhone via USB, and I'm off to the races.
I’m finding I can do pretty much everything between systemd-networkd and firewalld. The addition of policies that allow specifying ingress and egress zones was the last piece to make firewalld really useful on a router.
I'm doing the exact same thing, I switched ISPs and found that PFsense would only give me 10% of my WAN bandwidth due to the way the pppoe daemon is threaded.
My new firewall is Debian managed by Ansible, the playbook sets up pppoe, nftables and nettopng.
I really missed pfblockerng, so I wrote a shell script to download Firehol feeds and inject them as a set into my nftables rules.
Whole thing works great off a Proxmox J3455/8Gb mini PC with 2 NICs, leaving room for some LXC and Docker containers/
My router at the moment is a 1U Poweredge R230. Got it for 70€ off of ebay about 3,5 years ago. It's using a Pentium G4600, one stick of 16G DDR4 ECC RAM, and a small cheap 2,5'' SSD. There's an extra PCIe card with 2x 1G Intel RJ45 ports as well, giving me 4x 1G plus IPMI (or whatever Dell calls it).
Fans are throttled to 8% and I'm having Icinga2 watch system temperatures, which are usually between 35 - 45°C. It's barely audible, and currently sitting 1,5m away from my ears. I think idle power consumption is something between 20 - 30W.
It's based on Debian 11, and I'm only using tools available from Debian's repo: dnsmasq, nftables, wireguard, ipsec, haproxy, some policy based routing. Provisioning via ansible.
Rock solid platform. I've recently had to reboot for the 1st time in about 600 days due to physically moving some things around - I know, uptime is not supposed to be a flex.
Might replace the Intel PCIe card with a 1x SFP+ for a DAC connection to my core switch soon-ish since we finally seem to be getting our apartment complex connected to residential fiber.
I guess what I'm saying is - I congratulate the tenacity and expertise that went into OPs blog post, as far as homelab routers go, I'm very happy with my (very easy to set up) HW/SW.
That's quite impressive reverse engineering of the ONT. What made you choose to go through all that effort instead of using the ISP's stand-alone Huawei ONT?
If you don't know why someone would avoid trusting Huawei equipment, please read the news from recent years.
If you cannot access this news unrestricted or without government MitM, try going through non-Huawei equipment.
Really nice tutorial, and great experiment, however, at home, I would prefer to stay within a much narrower power budget like 5-10 watts max for the router. This one seems in the 40watts-60watts.
I have an ECS mini pc with a Core i3 and dual nic that I use as a router at home. For normal internet usage it stays well within that 5-10 watt range. Only slightly more than a raspberry pi but with much, much more performance.
For 10-20Watts you can use a slightly dated office-desktop (thin-client) that will take a pcie nic and usually has more than enough processing power.
A step further would be a laptop that can come by with 5-10W and still run circles around typical arm-based off the shelf routers. thou the second nic will probably connect via usb3, you get a real keyboard and screen for troubleshooting.
I use a NUC clone with a J4125 Celeron as a Debian file server and it hovers just under 3W. These tend to have only one Ethernet port so you will need to add additional ports on USB for use as a router.
Not sure how wise it is to use Huawei networking gear when it's been banned in some countries for security reasons. Also, setting up wifi access points through Debian can be a bit tedious. I simply recommend OpenWRT when it comes to router software, especially since it comes with firmware and patches for wifi, (such as 5ghz transmit support on atheros) and also provides simple configuration for things like 802.11s mesh networking, and multiple concurrent SSIDs.
Perhaps you could elaborate on a specific threat model rather than just handwaving about Huawei? As far as I can tell, the two significant threats of Huawei infrastructure are:
1. Massive DoS at a strategic moment, which is more relevant at country-scale with everyone losing communication simultaneously, rather than a few rare people having personal problems with their infrastructure.
2. Eavesdropping and backhauling the network traffic somehow. This mainly applies to corporations and governments wanting to keep using outdated plain text or even unauthenticated protocols. Individuals should be encrypting everything regardless of who makes the network gear. Especially as most countries lack privacy legislation or functional constraints on government, meaning that the WAN gear is an attacker regardless of who made it.
As far as wifi access points, I never had a problem with Debian or now NixOS. OpenWRT is a bunch of clicking and bespoke management, which is exactly what I don't want.
I'd be more worried about a more permanent DoS with some kind of remote kill-switch. Maybe something that sets an e-fuse and permanently bricks a device.
It would not be a big deal for one individual user to have their ONT / router / etc. killed, but if you had a million devices bricked at approximately the same time it would be extremely disruptive. With work-from-home being so prevalent these days, having a million households suddenly knocked off the internet could be disastrous to the economy. Let alone if something like this happened to an ISP or telco's backbone equipment.
Nothing that could not be worked around eventually, given time and replacement equipment, but then consider the case where the kill-switch is activated during a trade embargo and you can't source replacement equipment for weeks/months... not fun. Let alone the case where a kill-switch is activated as a disruption immediately prior to a military conflict (even if your military and government comms are 100% unaffected, there would be utter chaos on the civilian side as people assumed their friends have been bombed because they can't get in contact, remote work being crippled, etc. that would take days or weeks to calm down).
Completely legit IMHO to not want Huawei deployed at scale or as part of infrastructure in your country, or any equipment with similar concerns, and I am glad it is banned in my country. It sounds paranoid, but keep in mind the Chinese government must agree as well - they are trying to replace their dependence on foreign tech by replacing it with local equivalents [1], such as replacing Intel gear with China's domestically manufactured Zhaoxin processors.
I wasn't downplaying the problem with widespread infrastructure being Huawei? The scenario you're describing is exactly what I was alluding to in my #1.
Rather the comment I responded to seemed to just be uncritically beating the dead horse of "Huawei bad", when it's not really a big deal in the individual use context. And in fact rereading the original post, the original ISP-supplied gear was Huawei as well! Which I do agree that widespread usage of is a problem. But the author's replacing of a Huawei standlone ONT with a Huawei SFP ONT doesn't affect much there!
And sure maybe it could have been great opportunity to harden up the author's infrastructure so that they could still have comms even if everyone else's went dark. Except that the OLT (other end of the link) is likely Huawei as well since ONTs aren't chosen in a vacuum.
Hah, thanks. I meant, are there any open-source hardware/software solutions for feeding in a coax input into such a setup to get the full modem/router experience
Oh, for cable modems? No, there's no cable-modem-on-a-card. You should be able to get straight DOCSIS-to-ethernet bridges, assuming your cable ISP will permit them on-net. Arris CM9200, e.g., is DOCSIS3.1 to 2.5G ethernet.
Unlike TFA I did not try to replace my ISP-provided ONT, and I use nftables (via firewalld) instead of iptables, unbound instead of dnsmasq, and systemd-networkd instead of dhclient and radvd. I also run haproxy to terminate TLS for some exposed LAN servers, and a local OpenSUSE package repository since many of my LAN machines are OpenSUSE.
For the internet facing services (chrony, haproxy, unbound) I wrote systemd override files to harden them (run as non-root, temporary mounts instead of direct filesystem access, etc). I also run them in individual network namespaces.
I highly recommend a Linux-based router if you have the hardware to spare and want a completely customizable and secure router, never having to worry about ISP malware or lack of updates again. Of course if what you have is more embedded than a full x86 motherboard then something like OpenWRT would be better than Debian.