Another OpenWRT based configuration (+PC) for traffic processing

Statement of the problem.

Recently, in some areas, the topic of processing transit traffic on a home router has become more popular than ever before. The interval between new challenges has shrunk from several years to several days, and the tasks are becoming more interesting and complex.

A router re-flashed to OpenWRT still copes and would probably cope for some time yet. But the software is getting heavier, and there is less and less time to debug and install it. With all the advantages of OpenWRT, its disadvantages are starting to show: a specific architecture and limited resources. Besides, for me personally, a router is a sensitive place, and I do not want to put just any software on it without a closer look. In my case the situation is aggravated by the fact that all configuration is done remotely, through this very router, so a failed attempt means real trouble.

Like many others, I have a small PC-based NAS next to my router, which, with the help of a second network card, could easily be turned into a router. But how can this be done remotely? And how can I turn the server into a router without physically touching either the server or the router? Easy!

It is assumed that the reader has basic network and Linux administration skills. The instructions look step-by-step, but in fact they are a concept written from memory; at the moment I have nowhere to test them word for word.

Configuration

We use OpenWRT + a server on Debian + LXC.

Experienced comrades have already understood everything at this point and don't need to read any further.

We agreed not to touch the cables. Therefore, traffic to the server will enter and exit through one network card connected to a LAN port of the router. We will not mix everything together; we use 802.1Q VLANs for separation.

Traffic will flow as follows:
client – router – container_on_server – router – internet.

Adding a VLAN for clients (I describe the actions in the web interface):
Network – Switch – Add VLAN
VLAN ID: specify the first free number (for example "3")
The CPU port and the LAN port to which the server is connected are set to "tagged", the rest to "off"
From here on, after each change we press "Save & Apply".

Adding a new Wi-Fi network
Network – Wireless – Add
Mode: Access Point; we are not assigning a network yet
SSID, password, etc. are specified to taste; this will be the Wi-Fi network for clients whose traffic is processed.

Adding a bridge
Network – Interfaces – Devices – Add device
Bridge Device – brLAN3 – eth0.3
Bridge ports are selected from the list. eth0 is the CPU interface; yours may be different. 3 is the VLAN ID you specified above.

Adding an interface without an IP
Network – Interfaces – Add interface ("LAN3" – "Unmanaged" – "brLAN3")
LAN3 is the network name; I add the VLAN number for convenience.

Let's go back and attach the Wi-Fi network to this interface
Network – Wireless – SSID_Name – Edit
Network: LAN3

The network should appear, but when you try to connect, no IP address will be issued yet.

If you need to connect a client to this network with a cable, for example to port #4, go to
Network – Switch
and in the column for the required port:
For VLAN ID 1: change "untagged" to "off"
For VLAN ID 3: change "off" to "untagged"

That's all for the router.

Let's go to the server.

Install LXC according to the instructions (in the simplest case: sudo apt install lxc).

I considered KVM/QEMU redundant, although there will potentially be fewer problems with it and installation and configuration will be even easier. But it will also eat up more resources.

Among the LXC distributions, OpenWRT is available, but I wanted a full-fledged Debian.

I will leave the choice between privileged and unprivileged containers behind the scenes; everything is perfectly described at the link.

Create a container (I use the same Debian):
lxc-create -n containerouter -t download -- --dist debian --release bullseye --arch amd64

Next (I did this in the graphical shell a long time ago when installing the system, and now I don't have a machine at hand to check the nmcli commands):
1. Remove the existing wired connection.
2. Create a bridge br0, specifying the network card (something like "enpXsY") as its bridged connection.
3. Specify the IP settings in the br0 parameters.

br0 will be our virtual switch, similar to the physical one in the router.

We leave lxcbr0 and the standard container networking system alone; they are not used in this example.

Open /var/lib/lxc/containerouter/config and set the network section:


# Network configuration
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 192.168.1.103/24
lxc.net.0.ipv4.gateway = 192.168.1.1
lxc.net.1.type = vlan
lxc.net.1.name = eth1
lxc.net.1.vlan.id = 3
lxc.net.1.link = enpXsY
lxc.net.1.flags = up
lxc.net.1.ipv4.address = 192.168.3.1/24

192.168.1.103 is the container's address on the router's LAN. Reserve it in your DHCP settings just in case. 192.168.1.1 is the router's address.

192.168.3.1/24 is the subnet from which the clients of the container router will receive addresses.

enpXsY is our physical network interface that we added to the bridge on the host above.

Pay attention to the vlan.id number: we configured the same number in the router.

The IP address 192.168.1.103 in this config is only decorative here, because I do not recommend using the default DHCP client in the container: it behaves poorly. We will return to this below. If you know a cleaner way, write it in the comments.

If the router will carry tunnels based on the tun interface, for example OpenVPN, add the line below:

lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

We launch the container.

lxc-start --name=containerouter

If there are no errors, we connect to it:

lxc-attach -n containerouter

Here we have an almost regular Debian.

First of all, let's set a real IP in /etc/systemd/network/eth0.network:

[Match]
Name=eth0

[Network]
Address=192.168.1.100/24
Gateway=192.168.1.1
DNS=192.168.1.1

Exit, reboot the container, enter again.

Install updates right away; I usually install Midnight Commander at the same time (apt install mc).

Install dnsmasq:

apt install dnsmasq

Create /etc/dnsmasq.d/dhcp.conf:

# DNS is disabled; this instance only serves DHCP
port=0

interface=eth1

# the range must lie inside the eth1 subnet 192.168.3.0/24 configured above
dhcp-range=192.168.3.100,192.168.3.150,255.255.255.0,12h
# option 3: default gateway, the container's eth1 address
dhcp-option=3,192.168.3.1
# option 6: DNS servers, edit if necessary
dhcp-option=6,8.8.8.8,8.8.4.4
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
dhcp-authoritative

log-dhcp
log-queries
log-facility=/var/log/dnsmasq.log
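A pre-flight check for the config above, added here as an example (it is not part of the original post): dnsmasq --test only validates syntax, while a dhcp-range that lies outside the subnet of eth1 is accepted and then simply never answers clients. The script assumes eth1 is 192.168.3.1/24 as in the container config and uses a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every dhcp-range in a
# dnsmasq config falls inside the subnet of the interface it serves (eth1,
# assumed 192.168.3.1/24 here).
set -eu

# Dotted quad -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP A.B.C.D/N -> true if IP lies in that network.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_dhcp_range IFACE_CIDR 'dhcp-range=lo,hi,mask,lease'
# -> true if both ends of the range are inside IFACE_CIDR.
check_dhcp_range() {
    range=${2#dhcp-range=}
    lo=${range%%,*}
    hi=${range#*,}
    hi=${hi%%,*}
    in_cidr "$lo" "$1" && in_cidr "$hi" "$1"
}

# check_config IFACE_CIDR FILE -> 0 if all dhcp-range lines fit, 1 otherwise.
check_config() {
    status=0
    while IFS= read -r line; do
        case $line in
            dhcp-range=*) check_dhcp_range "$1" "$line" ||
                { echo "outside $1: $line"; status=1; } ;;
        esac
    done < "$2"
    return $status
}

# Constructed sample: the first range matches eth1, the second is the classic
# mistake of a range copied from a different subnet.
SAMPLE=$(mktemp)
printf '%s\n' 'interface=eth1' \
    'dhcp-range=192.168.3.100,192.168.3.150,255.255.255.0,12h' \
    'dhcp-range=192.168.14.100,192.168.14.150,255.255.255.0,12h' > "$SAMPLE"
check_config 192.168.3.1/24 "$SAMPLE" || echo "fix the config before restarting dnsmasq"
rm -f "$SAMPLE"
```

Run it against the real file with check_config 192.168.3.1/24 /etc/dnsmasq.d/dhcp.conf before restarting the container.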

Exit, restart the container, reconnect. Between stopping and starting the container you may need to wait a minute until the container network service removes the tagged VLAN from the host network interface; otherwise the container will not start.

In the simplest case, you can add something like

iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE

and check that forwarding is enabled:

root@containerouter# cat /proc/sys/net/ipv4/ip_forward
1

After that, clients of the new network should receive addresses and Internet access.

We configure the firewall, ssh, etc. to taste. Do not forget to set a password for root. The system has two network interfaces: eth0 is the external one, facing the router's local network; eth1 is the internal one, which hands out addresses to clients.

Write comments; if there are no difficulties with the interface, I will supplement and correct.
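A worked version of the forwarding and NAT step, added here as an example (it is not the post's own configuration): instead of a single MASQUERADE line, a complete filter + nat ruleset in iptables-restore format with a default-deny FORWARD policy, applied atomically, plus a persistent ip_forward setting. It assumes eth0 = uplink to the OpenWRT LAN (192.168.1.0/24), eth1 = the VLAN 3 client side, and clients in 192.168.3.0/24; dropping forwarded traffic into the home LAN is a design choice, remove that rule if the clients need it.

```shell
#!/bin/sh
# Added example, not from the original post: minimal forwarding policy and NAT
# for the container router.  Interface and subnet values are assumptions that
# match the post; override them via environment variables if yours differ.
set -eu

EXT_IF=${EXT_IF:-eth0}                 # towards the OpenWRT router
INT_IF=${INT_IF:-eth1}                 # VLAN 3, the processed clients
CLIENT_NET=${CLIENT_NET:-192.168.3.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}     # the router's own LAN

# Emit the whole filter + nat ruleset.  Clients may only go out through eth0,
# only replies to their own connections come back, and nothing is forwarded
# into the home LAN, so the processed VLAN stays separated from it.
gen_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $INT_IF -d $LAN_NET -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $CLIENT_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s $CLIENT_NET -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# Apply atomically (this replaces the filter and nat tables) and make
# ip_forward survive a container restart through sysctl.d.
apply_rules() {
    gen_rules | iptables-restore
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-forward.conf
    sysctl -w net.ipv4.ip_forward=1
}

case ${1:-print} in
    apply) apply_rules ;;
    *)     gen_rules ;;        # default: just show the ruleset
esac
```

Run it with the argument apply inside the container; to reload the rules at every start, save them with iptables-persistent or call the script from a systemd unit.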
