HN: 566 points, 204 comments

[The Ultimate Hack] How to turn any device into the ultimate router

yabones
1 day ago

Discussion (11 comments)

0
yabones (OP) 🔥 566
1 day ago

Why not rebuild an old PC or a spare single-board computer you have lying around into your own high-performance router? This article summarises the basic ideas and approaches for repurposing any device into the command center of your network (a router) by making full use of networking features such as those in Linux. Essential reading for customization-loving engineers who aren't satisfied with off-the-shelf routers!

1
LatticeAnimal
1 day ago

I've been running OPNsense/pfSense [0] for years and really recommend it. Automatic updates are excellent, and advanced features like configuration backups, WireGuard tunnels and packet filtering with Suricata are built in. When I'm doing network admin on a weekend, being able to set up the router quickly in the WebUI, instead of holing up in a Linux terminal studying the internals, is a real help.

2
smashed
1 day ago

Lots of "just use X" comments but the article is about showing the bare minimum/how easy the core part of routing actually is.

Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.

If you have ever enabled the wifi hotspot on an android phone also, you've done pretty much what the article describes on your phone.

All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.
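The "bare minimum" the comment refers to, as an added example that is not code from the article or from any commenter: IPv4 forwarding plus an nftables ruleset that masquerades the LAN behind the WAN address and drops everything else by default. The interface names and the LAN prefix are assumptions; `gen_ruleset` only prints the configuration so it can be reviewed before `apply` is run as root.

```shell
#!/bin/sh
# Minimal Linux NAT router: IPv4 forwarding plus an nftables ruleset.
# Interface names and the LAN prefix are assumptions for this example.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

# Print the ruleset so it can be reviewed (or saved to /etc/nftables.conf)
# before anything is applied.
gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
flush ruleset
table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # The LAN may talk to the router (DHCP, DNS, SSH); the WAN may not.
        iifname "$lan" accept
        # Still answer a limited number of pings for basic diagnostics.
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only packets that really carry a LAN source address may leave.
        iifname "$lan" oifname "$wan" ip saddr $lan_net accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" ip saddr $lan_net masquerade
    }
}
EOF
}

enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    # Drop packets whose source address is not routable back via the
    # interface they arrived on (reverse-path filtering).
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Only apply when explicitly asked and running as root.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    enable_forwarding
    gen_ruleset "$WAN" "$LAN" "$LAN_NET" | nft -f -
fi
```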

3
lucasay
1 day ago

“Just use OPNsense” is great advice for production, but terrible advice for learning.
This article is valuable precisely because it shows how little magic is actually involved in routing.

4
bluedino
1 day ago

This really takes me back. My first actual 'use' for Linux was making routers out of leftover computers.

The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.

Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.

Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.

After that I started piling other services on, like a spam filter, Squid cache, it was amazing to get so much use out of hardware that was going to just get thrown out.

5
hmaxwell
1 day ago

I'm curious about the policy rationale behind banning router imports. If a government were considering legislation like that, what would the primary concern usually be? Given that so much internet traffic is now protected by TLS/SSL and other encryption, why would it still matter if citizens were using routers that might be backdoored?

Is the concern mainly things like botnets and DDoS activity, weak default credentials on network equipment, or compromised business networks where poorly secured routers or attached NAS devices could expose sensitive or proprietary data? In other words, is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?

6
StillBored
1 day ago

I've got one of those N100+10Gbit router devices with a handful of ports. It seems a pretty reasonable device with one of the router distros running on it, but it doesn't seem nearly as efficient as my ucg-fiber/route10 devices, and that wouldn't bother me except that I suspect the packet latency is significantly higher too. Those devices AFAIK have hardware programmable router chips, which means the forwarding is done 100% without the interaction of the main CPU, so there isn't any interrupt/polling/etc delays when a packet arrives, the header gets rewritten, the checksum verified and off it goes.

Anyone actually measured this? I see a lot of bandwidth/etc style tests but few that can show the actual impact of enabling/disabling deep packet inspection and a few of the other metrics that I actually care about. Serve the home seems to have gotten some fancy test HW but they don't seem to be running these kinds of tests yet.

7
dlenski
about 24 hours ago

This is a great writeup! Perhaps I can put in a plug for the create_ap script which I have been maintaining for many years (http://github.com/dlenski/create_ap).

It's a shell script that allows you to turn any ol' Linux computer into a WiFi router in one quick command-line:

By default, it will setup your WiFi card as an access point (allows WPA2/3, MAC filtering, etc), setup packet forwarding and routing, and run a DHCP and DNS server. It will generally pick sensible defaults, but it's also highly customizable. If your WiFi card supports simultaneous AP and client mode, it will allow that.

Its requirements are extremely minimal: basically just Linux, a compatible wireless card, and a few common configuration packages (hostapd, iw, iproute2, iptables, dnsmasq). No NetworkManager needed.

I used it as my own home Internet gateway for many years, running on an ancient fanless Atom mini-PC.

Because it can quickly setup and teardown WiFi networks on-the-fly, it's also a valuable tool for setting up test networks when reverse-engineering IoT devices. I use it frequently for this purpose (see https://snowpatch.org/posts/i-can-completely-control-your-smart-thermostat/#fn:3).

8
Bender
about 24 hours ago

Something I did not see in the article are router specific tuning such as

    # Early demux looks up a local socket for each packet as soon as it is
    # received; on a box that mostly forwards, that lookup is wasted work.
    net.ipv4.ip_early_demux = 0
    net.ipv4.tcp_early_demux = 0
    net.ipv4.udp_early_demux = 0

in /etc/sysctl.d/10_router.conf to slightly reduce overhead when being used primarily as a router. There are many other router related knobs but those I would always set especially if trying to reduce overhead for VoIP/Gaming setups. There are many other knobs I tune such as gro_flush_timeout and napi_defer_hard_irqs, sch_cake tuning, lowat and output limits and hundreds more but those rabbit holes would require a large write-up. My overall goal is to give family members latency, jitter and throughput numbers that improve their quality of life and gaming scores of course.

Such things do not preclude additional tuning on the client and server sides as well but those are even bigger topics.

9
Fwirt
about 23 hours ago

You actually don't even need two interfaces on the box if you have a managed switch. It's not too difficult to configure your only interface as an 802.11q trunk port, and then you can use the managed switch as a sort of "interface expander". This is referred to as a "router on a stick" configuration, and it's how my home network is configured. Plus, if it's a PoE managed switch, you can install some cheap enterprise surplus Aruba IAPs around the house for Wi-Fi which is a lot higher quality than a consumer router or a mesh setup.

My home router was an old Thinkpad for a while, but then I switched over to a slightly newer Dell Optiplex that my work was throwing out. The plus side of that is that the i7 is total overkill for routing so I can also have my "router" run some VMs for network services and cut down on the number of boxen in my homelab rack.

Alpine is a great distro for this.
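The "router on a stick" layout described above, as an added example that is not code from the article or from the commenter: one physical trunk port carries several tagged VLANs, each becoming its own routed sub-interface, and an nftables forward chain keeps the IoT and guest segments away from the main LAN and from each other. The trunk name, VLAN ids, interface names and addresses are assumptions; the functions only print commands and rules, and nothing is applied unless run as root with `apply`.

```shell
#!/bin/sh
# Router on a stick: one trunk carries several 802.1Q VLANs; each VLAN
# becomes a routed sub-interface on the Linux box. All names and
# addresses here are assumptions for this example.
TRUNK="${TRUNK:-eth0}"
# One "id:name:router-address/prefix" entry per VLAN.
VLANS='10:lan:192.168.10.1/24
20:iot:192.168.20.1/24
30:guest:192.168.30.1/24'

# Emit the iproute2 commands that create one tagged sub-interface.
vlan_if_commands() {
    trunk="$1"; id="$2"; name="$3"; addr="$4"
    printf 'ip link add link %s name %s type vlan id %s\n' "$trunk" "$name" "$id"
    printf 'ip addr add %s dev %s\n' "$addr" "$name"
    printf 'ip link set dev %s up\n' "$name"
}

# Emit the commands for the trunk and for every VLAN listed in $VLANS.
all_vlan_commands() {
    printf 'ip link set dev %s up\n' "$TRUNK"
    printf '%s\n' "$VLANS" | while IFS=: read -r id name addr; do
        vlan_if_commands "$TRUNK" "$id" "$name" "$addr"
    done
}

# Inter-VLAN policy: "lan" may initiate to anything; "iot" and "guest"
# may only leave towards a non-VLAN interface (the uplink), never to each
# other or to "lan". Replies flow back through the conntrack rule.
vlan_forward_rules() {
    cat <<'EOF'
table inet vlans {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan" accept
        iifname { "iot", "guest" } oifname != { "lan", "iot", "guest" } accept
    }
}
EOF
}

if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    all_vlan_commands | sh -e
    vlan_forward_rules | nft -f -
fi
```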

10
nostrademons
about 17 hours ago

I'm more worried about how to turn anything into a fiber modem, as I'm pretty sure the gateway that AT&T gave me is a piece of crap (has to be rebooted every 2-3 weeks otherwise it gets really slow, hard to configure, probably has all sorts of malware and security holes on it). Any guides on that?