
All-in-one home server - success story

Once upon a time I had a router from a good company whose name starts with the letter “D”, as in “Dead”. Well, that is what eventually happened to it.
I looked at the prices of new ones, at the pile of computer junk in the corner, at the list of connections on my home computer... And I realized that I didn’t need a router. I'll build my own, with normal routing, DNS, WINS, i2p, blackjack and so on.

How it was?


After a short excavation in iron deposits, they brought to light:
• Processor Intel Core 2 Duo E8400 @ 3GHz
• An Asus P5Q motherboard to go with it
• 2 × 2 GB DDR2 sticks
• PCI-e network card TP-Link TG-3468
• Unidentified WiFi network card (b/g/n) based on Ralink RT3060
• Seagate 250Gb hard drive
The output of lshw can be viewed here.
All this was cleaned of dust, mounted in a case with a power supply, launched and tested in memtest and mhdd. Having found no defects, I began installing everything I needed.

Basics


As a basis I took the Debian Testing distribution, installed with debootstrap. On top of it, openssh-server, firmware-ralink and pppoe/pppoeconf were installed right away.
Having rebooted into the freshly installed system, I immediately bound SSH to 192.168.1.1 and disabled password authentication (having installed my own key first).

Let there be a network!


To begin with, pppoeconf was run. The network card eth1 is connected to the DOCSIS modem; the result was the following config, /etc/ppp/peers/rt:
noipdefault
defaultroute
replacedefaultroute
hide-password
noauth
persist
plugin rp-pppoe.so eth1
user "ptn"
usepeerdns

But that's not all - you also need to configure /etc/network/interfaces as follows:
auto rt
iface rt inet ppp
        pre-up /sbin/ifconfig eth1 up
        provider rt


Turning the router into WiFi-AP


The original idea was to have 2 WiFi networks: one for our own computers and laptops, with a strong password and access to all the necessary resources, and a second one for guests who want Internet access but have no business knowing what goes on inside my network.
As a result, hostapd was installed on the server with the following config (all network names and passwords have been changed):
interface=wlan0
driver=nl80211
country_code=RU
ieee80211d=1
hw_mode=g
channel=9

ssid=Private
bridge=br0
preamble=1
ignore_broadcast_ssid=0
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=MyVeryStrongPassword
wmm_enabled=1
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
internet=1

bss=wlan0_0
ssid=Guest
preamble=1
ignore_broadcast_ssid=0
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=passw0rd
wmm_enabled=1
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
internet=1

Here we also set up a bridge between eth0 and wlan0, so that wireless clients see the whole network and not just the wireless segment. Modifying /etc/network/interfaces:
auto eth0 wlan0 wlan0_0 br0

iface eth0 inet manual

allow-hotplug wlan0
allow-hotplug wlan0_0

iface wlan0 inet manual
        pre-up ifconfig wlan0 hw ether f2:7d:68:6d:51:30

iface br0 inet static
        bridge_ports eth0 wlan0
        address 192.168.1.1
        netmask 24

iface wlan0_0 inet static
        address 192.168.254.1
        netmask 24

A word about the magic in the pre-up for wlan0: to run several APs we need more than one MAC address. hostapd assigns MACs to the virtual interfaces (wlan0_0 in our case) automatically, but for that to work the address of the first access point must have several “free” (zero) bits at the end. I didn’t bother with trifles and freed four of them at once. Homework: work out the maximum number of APs that can now run on one card.

Fly in - IP for everyone, free of charge!


Like it or not, every computer on the network has to be given an IP address. Yes, yes, that is what we will do now.
Without thinking twice, an ISC DHCP server was started on the box with the following configuration:
update-static-leases on;
authoritative;
allow unknown-clients;
use-host-decl-names on;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
        interface br0;
        authoritative;
        range 192.168.1.2 192.168.1.254;
        option subnet-mask 255.255.255.0;
        option ntp-servers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
        option netbios-name-servers 192.168.1.1;
        option routers 192.168.1.1;
        option domain-name "local";
}

subnet 192.168.254.0 netmask 255.255.255.0 {
        interface wlan0_0;
        authoritative;
        range 192.168.254.2 192.168.254.254;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        option routers 192.168.254.1;
}

local-address 192.168.1.1;

It can be seen that for 192.168.1.1/24 DNS, WINS, NTP and gateway 192.168.1.1 are also issued - it’s time to configure them.
Everything is simple with the gateway, I think only the lazy don’t know these commands:
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Of course, we set iptables-persistent to save our settings, and we also write the corresponding parameters in /etc/sysctl.conf.
Now our server is a full-fledged Chinese router for $10. What? Does it seem a little weak to you? Me too. Let's move on.

How do I get to the library?


I don’t think anyone has forgotten that we need DNS? Plain forwarding is ridiculously easy to set up, but we are building a full-fledged server with its own zones, reverse zones included... We install bind9 and configure:
options {
        directory "/var/cache/bind";
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        dnssec-validation auto;
        auth-nxdomain no;
        listen-on { 127.0.0.1; 192.168.1.1; };
        allow-transfer { none; };
        version none;
};
zone "local" IN {
        type master;
        file "/var/lib/bind/db.localnet";
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "/var/lib/bind/db.localnet-rev";
};

Now we need forward and reverse zone files:
/var/lib/bind/db.localnet
$ORIGIN .
$TTL 86400      ; 1 day
local                   IN SOA  ns.local. router.local. (
                                200216990  ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns.local.
$ORIGIN local.
$TTL 86400      ; 1 day
ns                      A       192.168.1.1
server          A       192.168.1.1
router                  A       192.168.1.1

/var/lib/bind/db.localnet-rev
$ORIGIN .
$TTL 86400      ; 1 day
1.168.192.in-addr.arpa  IN SOA  ns.local. router.local. (
                                2001105214 ; serial
                                28800      ; refresh (8 hours)
                                14400      ; retry (4 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
                        NS      ns.local.
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 3600       ; 1 hour
1                       PTR     router.local.
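
Keeping the forward and reverse zones in step by hand is where most PTR mistakes come from, so as an added example (not from the article) here is a small POSIX shell script that derives the in-addr.arpa names and a db.localnet-rev-style zone file from a list of forward records. The host list is constructed for this example; ptr_name, rev_zone_name, rev_zone_records and rev_zone_file are names I chose, and the SOA timers copy the article’s values.

```shell
#!/bin/sh
# Added example: generate the reverse (in-addr.arpa) records for a /24 from a
# list of forward A records, so db.localnet and db.localnet-rev never drift.

# Fully qualified PTR owner name: 192.168.1.1 -> 1.1.168.192.in-addr.arpa.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Name of the reverse zone for a /24 given its first three octets: 192.168.1 -> 1.168.192.in-addr.arpa.
rev_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# Read "hostname address" lines on stdin and print PTR records relative to the
# reverse zone of $1 (e.g. 192.168.1) for domain $2 (e.g. local). Hosts outside
# that /24 are skipped, which is what you want when several subnets sit behind
# the same DHCP server (the guest network must not leak into the LAN zone).
rev_zone_records() {
    awk -v p="$1" -v d="$2" '
        $1 !~ /^#/ && split($2, o, ".") == 4 && (o[1] "." o[2] "." o[3]) == p {
            printf "%-8s PTR %s.%s.\n", o[4], $1, d
        }'
}

# Complete zone file (SOA + NS + PTRs), same shape as the article's db.localnet-rev.
rev_zone_file() {
    prefix=$1; domain=$2; serial=$3
    zone=$(rev_zone_name "$prefix")
    printf '$ORIGIN .\n$TTL 86400\n'
    printf '%s IN SOA ns.%s. router.%s. ( %s 28800 14400 3600000 86400 )\n' \
        "${zone%.}" "$domain" "$domain" "$serial"
    printf '%s NS ns.%s.\n' "${zone%.}" "$domain"
    printf '$ORIGIN %s\n$TTL 3600\n' "$zone"
    rev_zone_records "$prefix" "$domain"
}

# Constructed sample: hostname and address, one per line. The guest-network
# host is there to show it being filtered out of the 192.168.1.0/24 zone.
HOSTS='router 192.168.1.1
nas 192.168.1.10
laptop 192.168.1.23
guest-phone 192.168.254.7'

printf '%s\n' "$HOSTS" | rev_zone_file 192.168.1 local 2024010101
```

Run it, write the output to /var/lib/bind/db.localnet-rev, bump the serial whenever the host list changes, and reload bind; with DDNS in place (next section) the dynamically registered hosts are added on top of these static ones.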

Simple? Now let’s make sure that every computer on the network can be found by DNS name, not only by IP.
For that we need DDNS: dynamic updates that let the DHCP server, which hands out the addresses, register them in the DNS server.
First, let’s create a key for our DDNS:
dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -n USER DDNS_UPDATE

This command will create 2 files with a DDNS key. We need the contents of the key:
cat Kddns_update.+157+36693.key
DDNS_UPDATE. IN KEY 0 3 157 HEyb0FU9+aOXnYFQiXfiVA==

“HEyb0FU9+aOXnYFQiXfiVA==” is our key.
Let’s edit our DHCP config a little by adding the following options to it:
ddns-updates on;
ddns-update-style interim;
key rndc-key { algorithm HMAC-MD5; secret HEyb0FU9+aOXnYFQiXfiVA==; }
zone local. { primary 192.168.1.1; key rndc-key; }
zone 1.168.192.in-addr.arpa. { primary 192.168.1.1; key rndc-key; }
subnet 192.168.1.0 netmask 255.255.255.0 {
        …
        ddns-domainname "local.";
        ddns-rev-domainname "in-addr.arpa.";
}

We do the same on the DNS side:
key "rndc-key" {
        algorithm hmac-md5;
        secret "HEyb0FU9+aOXnYFQiXfiVA==";
};

zone "local" IN {
        …
        allow-update { key rndc-key; };
};
zone "1.168.192.in-addr.arpa" IN {
        …
        allow-update { key rndc-key; };
};

Voila - and this killer feature works.

The future is here after all. Sixth version


It so happened historically © that my provider (a contemptuous look towards Rostelecom) does not issue IPv6 (although promised).
“Currently, throughout the entire length of its network, Rostelecom has provided the ability to work using the IPv6 protocol,” the operator’s press service counters.

Well, let's fix this misunderstanding. As a broker I chose sixxs.net – they have tunnel servers in Russia and their tunnel is easy to configure for dynamic IP cases.
I will omit the process of registering and obtaining tunnel/subnet settings - everything is quite simple there. I'll focus on the settings.
Configuring IPv6 on the server itself is done in 2 stages. First, install the aiccu package - this is the tunnelling program. During installation it asks for the SixXS login and password and some other data. After launch we have a new interface:
sixxs     Link encap:IPv6-in-IPv4
          inet6 addr: 2a02:578:5002:xxx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
…

The server now has access to the v6 network - why not share it with others?
First, let's enable IPv6-forwarding (don't forget to write it in /etc/sysctl.conf):
sysctl net.ipv6.conf.all.forwarding=1

No iptables NAT rules are needed here - hello, 21st century!
Next, on the sixxs website we get the subnet. Its address will be very similar to the address of our tunnel - be careful, they are different!
After receiving an address like 2a02:578:5002:xxxx::/64, let's start setting it up. First, let's set the address 2a02:578:5002:xxxx::1 to our server by adding the following lines to interfaces:
iface br0 inet6 static
        address 2a02:578:5002:xxxx::1
        netmask 64

Secondly, we will allow IPv6 to be issued to computers on the network. Let's install the radvd package and configure it as follows:
interface br0
{
        AdvSendAdvert on;
        prefix 2a02:578:5002:xxxx::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2a02:578:5002:xxxx::1 { };
};

Let's add IPv6 DNS to the settings of our bind - for complete feng shui:
options {
        forwarders {
                …
                2001:4860:4860::8888;
                2001:4860:4860::8844;
        };
        listen-on-v6 { ::1/128; 2a02:578:5002:xxxx::/64; };
        …
};

That's all - now we have access to, for example, ipv6.google.com, or, what is much more valuable - to ipv6.nnm-club.me ;)

Penguin looking out the window


I love it when everything on my network is tidy, and that is only possible with complete harmony, for example when all computers see each other. For Windows workstations it’s worth remembering WINS (recall that we even hand out this setting via DHCP).
Setting it up is extremely simple: install the samba package. The default config needs to be changed a little:
workgroup = WORKGROUP
wins support = yes
dns proxy = yes
interfaces = lo br0
bind interfaces only = yes
server role = standalone server

Checking the results... Oh, everything is fine here!

By the way, since we have samba, we can immediately set up a file share too. But this topic is so well worn that I leave it to Google. In fact, everything should work out of the box anyway, except that read only = no has to be set for [homes], and users have to be added with smbpasswd -a user.

What time is it now?


Let's set up time distribution on the server: install ntp. With configs everything is ridiculously simple:
server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org
…
broadcast 192.168.1.1

And here is the result:

We are already very close to Mikrotik-level routers for $150-$200. But is that all? Of course not.

Killer feature #1: I2P


Why not have access to this network without any client-side settings, proxy servers and so on? That’s what I thought too: why not. First, let’s install a sane version of Java:
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main" >> /etc/apt/sources.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java7-installer

And we’ll install the router itself:
echo "deb http://deb.i2p2.no/ unstable main" >> /etc/apt/sources.list
wget "http://www.i2p2.de/_static/debian-repo.pub" -O- -q | apt-key add -
apt-get update
apt-get install i2p i2p-keyring

Now let's create a zone that directs all requests to *.i2p to our server. In the bind config:
zone "i2p" IN {
        type master;
        file "/etc/bind/db.i2p";
};

The zone itself:
$ORIGIN i2p.
$TTL 7200
i2p.    IN      SOA     ns.i2p. hostmaster.i2p. (
                        2010020701      ; serial
                        7200            ; refresh
                        1800            ; retry
                        7200            ; expire
                        7200            ; minimum
                        )
i2p.    IN      NS      ns.i2p.
ns.i2p. IN      A       192.168.1.1

*.i2p.  IN      A       192.168.1.1
*.i2p.  IN      AAAA    2a02:578:5002:xxxx::1

Great, but how do we handle this now? Simply redirecting all the traffic to the router’s proxy port didn’t work - the proxy complained that it can’t work like that. I had to set up nginx+php5-fpm and write a small script. For the first part you don’t need to search for long, there are plenty of manuals on the Internet. The second part:
/etc/nginx/sites-enabled/i2p
server {
        listen [2a02:578:5002:xxxx::1]:80;
        listen 192.168.1.1:80;
        # the router's web console will be reachable at this address
        server_name localhost.i2p;
        location / {
                proxy_pass http://127.0.0.1:7657;
        }
}
server {
        listen [2a02:578:5002:xxxx::1]:80;
        listen 192.168.1.1:80;
        server_name *.i2p;
        location / {
                fastcgi_pass unix:/var/run/php5-fpm;
                include fastcgi_params;
                # force the script path
                fastcgi_param SCRIPT_FILENAME /etc/nginx/proxy.php;
                # pass the script a parameter with the address of i2p's HTTP proxy
                fastcgi_param PROXY_PASS 127.0.0.1:4444;
        }
}

The script itself can be seen here.
This is all! Now we have access to i2p even from our phone - no problems.

Killer-feature #2: turning the workplace into a work network


It so happened historically © that I am a remote system administrator for several companies at once, and it is very convenient to reach them from any computer on the network. We configure OpenVPN (or any other VPN) on the server just as on any other client. Say that after this we have a tap0 interface with IP 10.0.0.7/24. But if we access 10.0.0.1 from the local network, the traffic goes out to the provider’s default gateway. Let’s fix this shortcoming:
iptables -t nat -A POSTROUTING -d 10.0.0.0/24 -o tap0 -j MASQUERADE
iptables-save > /etc/iptables/rules.v4

We do the same for all networks on the server.

Instead of a conclusion


We have a full-fledged server that we can use at our discretion. DNS, nginx, IPv6, i2p... You can also set up a zone for local development, for example, *.dev, and test your sites from any device on the local network. Since each computer on the network has its own permanent IPv6 address, you can access it from anywhere in the world (Security warning! Configure firewalls correctly!).
And this is all just the tip of the iceberg. What will be its underwater part is up to you to decide.

I will be glad to hear comments, suggestions, sound criticism, etc. Thank you.
Comments 87

Thank you very much for the good howto. I’ve been wanting to do something similar for a long time, but imagining how many manuals I would have to dig through (I’m not an admin by profession), I always left it for later and was content with a SOHO router, which efficiently performs only its main function, distributing the IPv4 Internet, while in its other capabilities and the breadth of available software it is lacking. Admit it: did you really do this in one day, or is this the fruit of many days (many months?) of work on improving your home server? :)

On topic: could you shed more light on “Security warning! Configure firewalls correctly!”? How? Is it possible to provide at least basic protection from the router, for example allowing only connections initiated by the computer behind it, but not incoming ones? As I understand it, this requires conntrack? Will it work without NAT? What else should be done on the router itself to protect IPv6?
Of course, this is not a one-day job. All this was built up gradually - at first there was only a router, then I installed IPv6, added RDNS/DDNS, and so on as needed. I will say more - this is not all that is spinning on the server, but all the other tinsel (such as the same .dev zone or a local bug tracker) is either not worthy of attention at all or is worthy of a separate article. Perhaps I’ll continue someday if I see some interesting and unique material in this.

Regarding firewalls, opinions may differ. I limited myself to leaving everything by default for installing “sparkle” (for Windows). For users of “beasts” and other imperfections where everything is turned off, I can only say what is necessary:
1. ENABLE firewall!!!
2. For everything that is OUTSIDE the local network - block ANY incoming traffic (default rule).
3. For local networks - add services of the “workstation” type to the exceptions (default exception).

For Linux, in fact, the rules are the same: the local network under the “loyal” filter, the rest - cut the hell out. “Pretend to be a rag and don’t reflect (don’t answer pings)”.
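
To put the policy from this reply into rules, here is an added example (not from the article or its comments): a stateful IPv6 filter in ip6tables-restore format for the router described in the article. The interface names are the article’s (sixxs for the tunnel to the provider, br0 for the own LAN); the function names are mine. It answers the conntrack question above: connection tracking works on plain routed IPv6 without any NAT. One deliberate deviation from “don’t answer pings”: ICMPv6 is left open, because neighbour discovery, router advertisements and path-MTU discovery are ICMPv6, and IPv6 stops working without them. The IPv4 side (ppp0) takes the same shape with iptables.

```shell
#!/bin/sh
# Added example: stateful IPv6 filtering for the home router, ip6tables-restore
# format. Assumed interface names from the article: sixxs (WAN tunnel), br0 (LAN).

WAN=${WAN:-sixxs}
LAN=${LAN:-br0}

ip6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the router or a LAN host initiated (no NAT needed:
# conntrack works on routed IPv6 exactly as it does on IPv4).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback and ICMPv6 (neighbour discovery, RA/RS, packet-too-big).
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# The local network may talk to the router (DNS, NTP, SSH, ...) and go out.
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# Anything else arriving from the tunnel hits the DROP policies above;
# log a sample of it so a misconfiguration stays visible in syslog.
-A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix "ip6-drop-in: "
-A FORWARD -i $WAN -m limit --limit 5/min -j LOG --log-prefix "ip6-drop-fwd: "
COMMIT
EOF
}

# Number of rules that accept traffic arriving on the WAN interface; must be 0,
# otherwise something other than conntrack is letting the outside in.
wan_inbound_rules() {
    ip6_ruleset | grep -c -- "-i $WAN .*-j ACCEPT" || true
}

# Print the ruleset by default; with APPLY=1 load it and persist it in the
# file iptables-persistent reads at boot (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    ip6_ruleset | ip6tables-restore && ip6_ruleset > /etc/iptables/rules.v6
else
    ip6_ruleset
fi
```

Review the printed rules first, then run it with APPLY=1. A host that should be reachable from the Internet (say an SSH server on a LAN machine) gets an explicit `-A FORWARD -i sixxs -d <its address> -p tcp --dport 22 -j ACCEPT` line before COMMIT, and wan_inbound_rules will then report exactly those exceptions.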
My laptop is weaker than the router in the article. :(
PS Tags are still read.
Me too. It’s already been 7 years. And I won’t change it until it finally dies 8)
Almost 1:1 with my home computer in terms of specs (
Thank you! Class! I've been wanting to update my home server for a long time. I'll know how :) Thanks again for your work!
Or they could use dnsmasq instead of separate dnsd, dhcpd and radvd. But, as I understand it, you didn’t use it only because of ddns?
I already answered in a personal message, but I’ll duplicate it for the Community:
It all came about gradually - I did what I knew best :)

The task initially was to “make it work” - at first it all consisted of bicycles with crutches instead of wheels, but, in parallel with writing the article, I put everything in order :)
Thank you for the great job of writing this article.
But still, how does your instruction differ from most others on this topic?
And a small IMHO: virtualization is very popular and well developed now, and you have a fairly powerful work computer. Try using it as a router and as a workstation at the same time. One less noisy box.
Small addition: I am writing from a virtual machine on bare-metal XenServer. I can recommend it as a completely reproducible solution if you are interested ;)
My instructions... Well, in defense of the fact that I published it after all (I had thoughts similar to yours), I can say that this is the only manual that describes a real case of setting up a delicate ecosystem, where all the parts are closely intertwined into a single mechanism, not launched once for the sake of writing an article, but actually working flawlessly 24/7 for an Nth amount of time.
Regarding virtualization... My home machine (as I, again, wrote a little higher) is a very power-hungry piece of crap, so it doesn’t work around the clock. And all sorts of laptops, phones, parents’ computers, and other equipment want to see the network even when I’m not within a radius of two meters from my computer. Well, as I wrote at the end of the article and in one of the previous comments, the router is not the only function of this server :)
Mmm, c2d e8400?
Eats at least three hundred watts)
Parents pay for electricity?)
Because its functionality is not enough for me, obviously :)
> After digging into the iron deposits, they brought to light:

I know that I should write in a personal message, but such a frequent slip... Please, never write such phrases, it is very jarring to read such “turns of phrase”. Compare: “Having dug into the iron deposits, I brought to light:”
On the topic of the article: why do you need it on such and such hardware? Are you using it at... hmm... 0.0.1%? Isn’t it a bit expensive (in all respects, including cost of ownership)? Network matters on the same Mikrotik would be solved on much lower watts and with a much more useful experience in life: it’s not so often that this kind of thing in production is transferred to general-purpose servers. You also didn’t say a word about reliability, by the way - but household components - they are household ones…

I don’t want to offend, but really, try to approach it from a critical point of view. Everything has its price and its benefits: the benefit of making unnecessary hardware work is a blessing. The harm from consuming 150-200 watts every hour is already evil. The harm comes from the fact that, God forbid, you forgot something somewhere, you were hacked, and your server (with its power) began sending spam - maybe a small probability, but also possible.

Try installing Proxmox (or something similar) on your machine, and cut it into virtual machines for all your tasks. You will improve your experience, apply the “divide and conquer” principle, again, you can configure the network as you want. As a router, take the good old Vyatta, everything is closer to cli-control, “almost like cisco” - such an experience will not be superfluous. Maybe your screw is small, but you can easily attach a small SSD to it in the flashcache, and the system will be much more fun to work with.
I use it, say, 40 percent for memory and 10-15 (at peak times - 35%) for the processor. As I wrote above (don’t read the comments @ reply immediately), the router is not the only function of this server.

Mikrotik was dropped because of the price - in the end I assembled this server from what I had, having received everything that is in it now absolutely free. Besides, launching an IPv6 tunnel with i2p on it would be problematic at the very least. I have experience with Mikrotiks without it :)

Uptime will tell you about reliability: 3 weeks without reboots, except for service restarts due to updating configs. In addition, all equipment status (temperature sensors, coolers, SMART data) is monitored by zabbix.

I repeat, there is no waste. Honestly, my refrigerator eats more than this server. An overpayment of 100 rubles per month is not a problem for me - I pay more for mobile communications per week, never mind transport. For this money I have, I repeat, a full-fledged server, with functionality that no Cisco will give me for an amount 4-5 times more expensive than all the hardware.

Security is thought out - 0.0.0.0 is listened only by those who should, and those who cannot be configured otherwise - the latter are cut by iptables.

I already answered about virtualization.
Well, maybe I’m being a little categorical... :) But you are a bit powerful for the routing task... And as for virtualization and so on, the point is that it’s better to distribute network and server matters to different machines.

Not to mention that backing up a virtual machine (using the virtualization system) is much easier than saving all the configs of what you have running on one box. And Zabbix won’t save you if the disk happens to die - I’m talking about this in terms of reliability. I’ve seen servers with uptimes of 3-4 years which, due to stupidity during the initial configuration, crashed because of that same disk, because of a cable, because of thermal paste... Backups solve the problem! ))
Backups are our everything, fact :)
To be fair, it’s also very easy to set up Mikrotik crookedly. I'm not a network guy at all, so I spent a couple of days as a DNS amplifier before I figured out what was going on.
Well, this is where the difference between “home routers” and more or less full-fledged network hardware comes to light.

In principle, no matter what you mess around with, you can get some entertainment for yourself, only the degree of control will be different: with Mikrotik you could study the traffic, and write the rules, and even draw up scripts, but on some SOHO-segment router you could live for years with a hole and not even have the option of closing it. True, you wouldn’t even know about it, so what’s the problem? :)

But, setting up the same thing for yourself on the basis of some Ubuntu (oh, well, this is pop, I agree, well, let you have a specially assembled Gentoo “special as firewall edition” based on recommendations from the Internet) - do you think this fact alone would eliminate the need to critically examine the installation and ask yourself, “how would I break something like that if necessary?”?

Therefore... if you, as a “non-networker”, are installing a piece of hardware “just to have it”, then the choice is probably best left to backdoored SOHO solutions; your nerves will be intact. If you also want to “drive the bus you’re riding in,” then there are no options, you have to try to figure it out. Mikrotik and others like it are not really to blame for this :)
Well, I was chasing power, and basically I’m happy. All home routers seem like toys after this monster, which solved all my problems with DLNA, stability and connection speed. And most importantly, software. An end was put to dancing with a tambourine around the router in some scenarios, when only a reboot helped an expensive home Asus, after which amnesia could also happen. And no DD-WRT and other miracles made it better.

And here - complete control. Yes, you have to answer for your mistakes yourself (oh, how fun it was for me to accidentally miss and turn off the bridge), but that’s okay. I did something stupid, but at least I learned something. Without the tools built into the router, by the way, I would never really get to the bottom of the truth.
This is not the first time I have heard Mikrotiks mentioned. What kind of models are these? I walked around the site and found either serious hardware or bare boards.
This is exactly what “serious hardware” means. From the RouterBOARD series. When I remember my first contact with the 2011UAS-2HnD-IN, I still cringe.

Simpler models should be enough for your home - for example 951Ui-2HnD. Although the description says “soho”, RouterOS Level 4 is still more than decent.

But, again, this is not a full-fledged server, but a router. Although the class is above average - not “Delinks” with “Zukhels”.
Why didn’t you like this beast (I’m talking about 2011UAS-2HnD-IN)?
No, no, no, you misunderstood me :) It’s just that this was my first contact with Mikrotik and RouterOS. When I saw this mission control center... I have absolutely nothing against the devices themselves - on the contrary, I recommend them where their appearance is appropriate :)
Because in Soho, this model’s most magical action occurs when one of the strangers sees a touch screen with graphs.

Then comes the question about the price, and, having learned that such a monster (and it has quite the parameters) costs less than 5 thousand rubles, many people think very hard... Moreover, as for business tasks, at this price it’s easier to take a second one as a spare parts kit.

Another way to surprise is to show a completely working BGP on a device for 1900 rubles. Of course, you have to cut routes, not without it, but not everyone really needs to live with Full View, unless you are an operator.

PS And I was stuck on the word “distorts”. I thought, wow, people have a reaction to glands :))
Oh, this is the thing I have.

RouterOS left the same first impression, and then it turned out that everything was laid out quite logically on the shelves. Perhaps my only complaint is the inability to put protective caps on the buttons to shoot yourself in the foot. Because missing the mark and cutting off the branch on which you are sitting in the list of interfaces is a bad thing to do. It’s good that there are backup telnets through all sorts of comports or connecting to a Mac address from Winbox.
Config backups are our everything)) I, too, while learning to work with it, turned it into a working and closed box that is not controlled from the outside in any way))
Safe Mode returns everything as it was when it was turned on if the connection is lost.
Sorry for the necroposting, in case someone finds it useful.
Thank you)
Excellent hardware for the advanced home and small business level. For about $100 you get full control over your network. Up to perversions such as load balancing between providers. Cons - out of habit, the control panel looks like the control panel of the starship Enterprise after the “home” models. And what’s typical is that you don’t want to go back to your wretched, uncustomizable household boxes. RouterOS is updated regularly for all models. Configs are transferred from one piece of hardware to another without problems. Power supply via twisted pair is possible. Extremely reliable compared to the “home” segment. Very productive. They pull a bunch of VPN channels, torrents and still have some left. Of course I’m talking about home and small business use.
It’s a myth that it eats so much.
I measured a similar machine (nforce 610i + e7200 + 2Gb ram + HDD 2.5") and was amazed at the energy consumption.

28 watts in idle mode, which is even less than a similar machine on the D945GCLF2 (it ate 30 watts)
Well, under load it naturally jumped to ~70, unlike the atom (which only up to 35).
I once had a couple of routers running on ancient hardware running Win Server 2003 (yup)... It became really sad to maintain them, and no one would give money to update the hardware and software (and there are two machines, one is a Pentium 2, the other is Pentium 3).
This is exactly the way I did everything, except, of course, i2p (thanks for the recipe, I’ll do it on my home router), and ipv6. And another tunnel between the two grids. True, I had to read the mana myself :-).
Practice has shown that Pentium 2-3 level machines are more than enough for these purposes.

I have a desire to buy a MicroServer (or a semi-professional NAS), but I don’t have the opportunity. I have the opportunity to build a server from old hardware, but I have no such desire.
So let's drink to ensure that our desires coincide with our capabilities!

I mean, this is all cool, of course, but such a “machine” is redundant for home tasks (at least for me), and not very elegant/compact in light of devices such as NAS and platforms such as Raspberry Pi / NUC / etc.
Thanks for the article!
Hmm, right now I’m sitting at a computer with a Core 2 Duo E7200 processor )
I once had a similar router/fileserver based on the Athlon XP 2500, but I found it too power-hungry and replaced it with a regular D-Link. And I built the file storage on the basis of Mini-ITX platforms on Atom. As a result, the amount in electricity bills decreased by 150 rubles per month.
Also, good routers can be made from old Atom netbooks, provided there is an ExpressCard slot for a gigabit network card :-). Power-saving, and, if the battery is alive, also with backup power :-)

As a bonus, in case of incorrect firewall settings and loss of connection with the router, there is a console :-)
As an unpleasant bonus, they quickly overheat and subsequently die. I have one of these lying around, with a dead motherboard, after working as a web server for a week without turning it off. The service center said that it would be cheaper to buy a new one - I see no reason not to believe them.
I’m just reading a thread about myself.
Athlon XP was a router
There was also an E7200 (and it now works as a router), and as I wrote above, it eats no more than an Atom when idle.
The netbook (albeit still an ancient one - on Celeron) died within a day
Offtopic of course, but I vote for server solutions in the house!
1 low-power/low-eating server for running infrastructure
1 powerful server for game streaming, virtualization, heavy application applications

If, when you say “server solutions,” you mean hardware (such as Supermicro platforms with xeons and ECC memory) - then, I’m sorry, I don’t share your opinion. This is an enterprise class for large and medium-sized companies. For home and small offices this is overkill - regular “household” hardware is enough, maximum RAID support.

If you are talking about software, then yes, I agree. Routers are good, of course, but where an admin or at least a geek lives, they can’t do without a server under any circumstances :)

The only question is - what is a “powerful server” for... I somehow manage without everything that you attributed to it :)
And the IPsec tunnel with BINAT, in theory, is also easy to build on this, yes? :)
I had no experience in such tasks, but I think setting it up will be no more difficult than usual. Then just fix the routing.
For naked ipsec in Linux, there is no need to edit routing, because xfrm policies already set what is sent to where and through what. And this, by the way, is quite inconvenient sometimes.
The article is good, it will be useful, no doubt about it.
I didn’t ask anyone, but how do you monitor channel load (if you do), check active connections, block unwanted government IPs? Is it all just through the console, or is there some kind of interface more or less similar to Mikrotik, as an option?
How much does your router consume? I have long wanted to build a machine based on the GA-C1037UN or something similar precisely because of its low consumption. Does it make sense to bother with reducing power consumption?
Just as a router (at first) it consumed... it’s hard to say how much. The processor is idle, the hard drive is spun down, only 3 network adapters are working - I think in this state it can drop to 50-80 watts, if not lower.
Now it works much more actively, and is a server, not a router. Therefore it consumes a decent amount - again, it’s difficult to say how much. But it’s not ruinous.
Hmm, a home server (with a mini server room in the closet) is nice and solid. People at home look at it (the server room) with reverence, and non-IT guests are delighted. I lived with a 486 (IBM PC AT, yeah) router for a long time. The fan was removed from it as unnecessary, and some mini-Linux was installed. After booting, the disk is not accessed. Silence.
I got the i2p connection from here. :)
> I used the Debian Testing distribution as a basis.

For what reason was testing chosen and not stable+backports?
I just have a more pleasant relationship with testing. stable+backports are, after all, two branches, which gives rise to some conflicts. More than once I had to rack my brain when I saw how two packages depend on different versions of a third. In testing it’s still easier with this.
I once had squid interception set up like this:
iptables -t nat -A PREROUTING -i eth0 -d 0.0.0.0/0 -p tcp -m multiport --dports 80,8080 -j DNAT --to-destination 192.168.105.10:3128
iptables -t nat -A PREROUTING ! -d 192.168.105.0/24 -i eth0 -p tcp -m multiport --dports 80,8080 -j DNAT --to-destination 192.168.105.10:3128
iptables -t nat -A PREROUTING -s 192.168.2.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

All traffic was transparently intercepted, and then in the config (alas, I lost it a long time ago) it passed through adzapper and was sent on to TOR/I2P, depending on the domain. But this config is not very secure.
And nginx is now used for one purpose: mirroring Ubuntu on my computer and serving it to the laptop.
This approach has pitfalls. Since port 80 traffic is redirected to a proxy, everything that goes through port 80 but is not HTTP will break and not work. In particular, in one of the companies I joined this was done - WebMoney Keeper, for example, and some other programs did not work. I turned off redirection of all traffic to the proxy - everything started working.
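The pitfall described in this comment can be caught in a firewall dump before it bites. The following Python script is an added example, not code from the thread or from the article's router: it parses iptables-save output with a small ad-hoc parser (the sample dumps and the 203.0.113.10 address are constructed for illustration) and reports nat PREROUTING rules that send every host's tcp/80 and tcp/8080 to a proxy with no RETURN/ACCEPT bypass rule in front of them.

```python
"""Audit an iptables-save dump for catch-all transparent-proxy interception.

Added example (not from the thread). CATCH_ALL_DUMP and SCOPED_DUMP are
constructed; 203.0.113.10 is a documentation address standing in for a host
that speaks a non-HTTP protocol on port 80 and must not be proxied.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

INTERCEPT_PORTS = {"80", "8080"}


@dataclass
class Rule:
    table: Optional[str]
    chain: str
    proto: Optional[str] = None
    src: Optional[str] = None
    src_negated: bool = False
    dports: Set[str] = field(default_factory=set)
    target: Optional[str] = None


def parse_iptables_save(dump: str) -> List[Rule]:
    """Parse just the subset of iptables-save syntax the audit needs."""
    rules: List[Rule] = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = Rule(table=table, chain=toks[1])
        negate, i = False, 2
        while i < len(toks):
            t = toks[i]
            if t == "!":                    # negation applies to the next option
                negate, i = True, i + 1
                continue
            if t == "-p":
                rule.proto, i = toks[i + 1], i + 2
            elif t == "-s":
                rule.src, rule.src_negated, i = toks[i + 1], negate, i + 2
            elif t in ("--dport", "--dports", "--destination-port", "--destination-ports"):
                rule.dports, i = set(toks[i + 1].split(",")), i + 2
            elif t == "-j":
                rule.target, i = toks[i + 1], i + 2
            else:                           # -i, -d, -m, --to-ports ...: not needed here
                i += 1
            negate = False
        rules.append(rule)
    return rules


def audit_transparent_proxy(dump: str) -> List[str]:
    """One finding per REDIRECT/DNAT rule in nat/PREROUTING that hits tcp/80 or 8080."""
    findings: List[str] = []
    bypass_seen = False
    for r in parse_iptables_save(dump):
        if r.table != "nat" or r.chain != "PREROUTING":
            continue
        if r.target in ("RETURN", "ACCEPT"):
            bypass_seen = True              # some traffic can skip the intercept below
            continue
        hit = r.dports & INTERCEPT_PORTS
        if r.target in ("REDIRECT", "DNAT") and hit:
            scope = "any source" if r.src is None or r.src_negated else "source " + r.src
            msg = "%s intercepts tcp/%s from %s" % (r.target, ",".join(sorted(hit)), scope)
            if not bypass_seen:
                msg += "; no RETURN/ACCEPT bypass precedes it, so non-HTTP traffic on these ports will break"
            findings.append(msg)
    return findings


# Constructed sample: everything on 80/8080 from everyone goes to squid.
CATCH_ALL_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3128
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

# Constructed sample: a bypass for one non-HTTP host, intercept limited to one LAN.
SCOPED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 80 -j RETURN
-A PREROUTING -s 192.168.2.0/24 -i eth0 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3128
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("catch-all", CATCH_ALL_DUMP), ("scoped", SCOPED_DUMP)):
        print(name + ":")
        for finding in audit_transparent_proxy(dump):
            print("  " + finding)
```

Run it against `iptables-save -t nat` output from the router; a finding that ends with "no RETURN/ACCEPT bypass precedes it" is the configuration the comment warns about.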
I agree, there is such a thing.
But either I didn’t run into it myself, or the squid config was successfully copied and the problem did not manifest itself in any way.
> After a short excavation in iron deposits, they brought to light:
> • Processor Intel Core 2 Duo E8400 @ 3GHz
> • He also has an Asus P5Q motherboard with him.
> • 2 DDR2 2Gb strips
> • PCI-e network card TP-Link TG-3468
> • Unidentified WiFi network card (b/g/n) based on Ralink RT3060
> • Seagate 250Gb hard drive
By the way, what about fire safety? I somehow got used to being wary of “large” system units in this regard.
At the same time, I am quite relaxed about “small” 24/7 operating devices, such as routers and media players.

I have no doubt about the validity of the danger from large computers - I’ve seen them burn before my eyes. But how justified is my careless attitude towards small devices? Maybe they should also be wary of when leaving their apartments, switch off the light?

Another question: is it possible to build some kind of home automatic fire protection for devices running 24/7?
Yes, it will work 24/7 from the mains. In case of spontaneous combustion, who will extinguish it?
How about passive protection in the style of a black box?
And the drive of the fire extinguishing system is a cable from the box to a household fire extinguisher?
Then yes, it’s true that you can’t completely hide the power cord in armor.
I’ll have to get my home dual-CPU Pentium III box running OS/2 into proper shape. Otherwise, the constant reboots of the buggy router are tiresome. In general, everything is already in place, I just need to set up the firewall and routing, but some of the things from your article are applicable in my case, thanks!
Reminded me in spirit of the ZVER CD
100-IN-1
I have always admired such all-in-ones

Respect, of course.
By the way, look: only a few years have passed, and all the ZVER all-in-ones are hated by the majority of IT specialists. While tinkering with another new home server on a virtual machine, I am constantly afraid of the same thing - one day this machine will simply not be needed and I will throw it away in disgust, switching to a regular router that can handle the web face of a home site and a torrent out of the box.
Wrapping *.i2p in I2P is a very, very bad idea. It’s extremely easy to deanonymize you - put a picture or script from the regular Internet on an i2p site and voila, your IP (and, if you’re lucky, cookies) is in full view.
For I2P you need to use only a separate browser, which in principle should not be able to access the regular Internet.
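The leak described in this comment (a clearnet image or script embedded in an eepsite) can be checked for before a page is trusted. The following Python script is an added example and not part of the thread: it walks the HTML of a page fetched through I2P and lists every image, script, stylesheet or frame reference whose host is not an .i2p name, treating relative references as belonging to the page host, which is assumed to be an .i2p name; SAMPLE_HTML and the host names in it are constructed.

```python
"""List page resources that a browser would fetch outside I2P.

Added example (not from the thread). Given the HTML of an eepsite page, it
returns every image/script/stylesheet/frame reference whose host is not an
.i2p name; a browser that can also reach the regular Internet would fetch
those directly and expose its real IP (and any cookies it holds for that
host). SAMPLE_HTML and the host names in it are constructed.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# tag -> attributes whose value triggers a network fetch
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}
NO_FETCH_SCHEMES = ("data", "blob", "about", "javascript")


class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs for every fetchable resource attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            if name == "srcset":            # "url1 1x, url2 2x": take each candidate's URL
                for cand in value.split(","):
                    parts = cand.split()
                    if parts:
                        self.refs.append((tag, parts[0]))
            else:
                self.refs.append((tag, value.strip()))


def is_clearnet(url: str, page_host: str) -> bool:
    """True if fetching url from a page at page_host (an .i2p name) leaves I2P."""
    parts = urlsplit(url.strip())
    if parts.scheme in NO_FETCH_SCHEMES:    # inline data, no network access
        return False
    host = parts.hostname or page_host      # relative URL: same host as the page
    return not host.lower().rstrip(".").endswith(".i2p")


def find_clearnet_leaks(html: str, page_host: str) -> List[Tuple[str, str]]:
    collector = _RefCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs if is_clearnet(url, page_host)]


# Constructed sample page: three of its references leave I2P.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<img src="//images.example.org/logo.png">
<img src="http://mirror.b32.i2p/banner.png">
<img srcset="pic-1x.png 1x, http://tracker.example.com/pic-2x.png 2x">
<img src="data:image/png;base64,AAAA">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_clearnet_leaks(SAMPLE_HTML, "nnm-club.i2p"):
        print("clearnet fetch via <%s>: %s" % (tag, url))
```

This only inspects static markup; script-generated requests are exactly why the comment recommends a browser that physically cannot reach the regular Internet rather than relying on inspection.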
If the purpose of going to i2p is precisely anonymous access to some “not too white” information, then, of course, everything is correct. If the goal is simply to gain access to resources that are not on the “general” Internet, then everything is fine.
What are these white resources that are available in i2p but not on the regular Internet?
Apparently, warez trackers are not very good. There is no particular punishment for end users, but trackers are being shut down little by little…
nnm-club.i2p/ (I prefer to access from there, although ipv6 is available. the main mirror is available every other time...)
freezone.i2p/
progromore.i2p/
flibusta.i2p/
lib.i2p/
Well, and many, many others.
I wouldn't say they're crystal white, but they're definitely not Silk Road. :)
1. The trouble is that the ubiquitous posts of funny pictures in i2p are not even funny anymore: some customs officer will look into your browser cache and “hello ass New Year!”
2. The Lord protects those who are careful; the convoy protects those who are not careful. Who would suffer from the de-anonymization of i2p users out of idle interest... And from “elusive Joe” you automatically turn into an object of surveillance, and you don't need that, even if you are an absolutely law-abiding pretzel.
3. Well, above, people wrote about virtualization for a reason; you can afford it and that’s cool. Effective protection begins with awareness of the fact that it is impossible to foresee all possible attack vectors. Virtualization is never a panacea here, but it’s a relatively easy way to add hemorrhoids to “researchers”, and the ability to brazenly use all sorts of murky software is again useful for gaining access to non-public repositories of all kinds…
A router humming with all its fans like a full-fledged PC is some kind of bad dream…
All of them - which ones? I came across a power supply with a slow-turning fan; apart from a slight rustling, nothing comes from it. On the processor, the cooler turns on once every 5 minutes for about 20 seconds. At peak loads, of course, it hums at full speed, but at night I usually don’t leave it working :)
There is another option for making a home router + server: use a hypervisor and virtualization.
In the latest hypervisors, PCI Express devices can be passed through entirely to virtual machines, i.e. the virtual machine can have full control over the network interfaces.
We install the hypervisor, hand all the network cards to one virtual machine, and there we configure the router as described.
Further, so that the hardware does not stand idle, you can add servers as separate virtual machines; this is safer than, for example, installing servers on the router itself.
On my home computer I have several Linux systems, a router (serves a home LAN, a separate LAN for servers, two external IPs through which traffic is routed depending on the internal LAN), plus a gaming Windows 8 (with graphics turned up). Everything is under Xen.
The bonus of this approach is that backup and recovery are simplified, you can make rollbacks and mirrors of all virtual machines, plus the hardware does more than just one task (a home computer is usually quite powerful).

You are already the fourth, if not the fifth, who advises me to virtualize everything and everyone… :)
… maybe it's not in vain? :)))
… and the second “there is no need to check if it works: if it buzzes, then everything is in order!»

And the “why” has already been written - backups, controllability, replicability of machines (however, your disk is not large, you won’t be replicable).

Personally, it’s easier for me to allocate one machine per service, the overhead costs even under KVM/Xen are small, and under OpenVZ you don’t have to remember at all.
Well, I don’t like to remember which IP address I run which service. There is .1.1 - this is the server. All.
I already have backups - all the configs are packed and merged into a dropbox and onto an external hard drive, and I have a “file dump” on it just for the sake of access to /home/ /web/ .dev - nothing critical is ever lying around there.
....1.x - you are in vain :)

Do not take the zero and first subnets, almost certainly one day you will accidentally plug something new into the network, and this new one will by default have some address from these subnets, or it will even give out addresses in it, and you will catch difficult-to-catch glitches.
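One way to check a LAN plan against the defaults new devices arrive with, as an added example that is not from the thread: the list of default ranges below is an illustrative, constructed set, not an authoritative survey of vendor defaults, and the planned subnets are made up. Besides reporting overlaps, it proposes the first /24 inside 192.168.0.0/16 that collides with neither the plan nor any listed default.

```python
"""Check planned home subnets against ranges new devices use out of the box.

Added example (not from the thread). COMMON_DEFAULTS is an illustrative,
constructed list, not an authoritative survey of vendor defaults.
"""
import ipaddress
import itertools
from typing import Iterable, List, Optional, Tuple

# Constructed list of ranges consumer routers, modems and IoT gear often
# bring up by default (illustrative only).
COMMON_DEFAULTS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.8.0/24", "192.168.100.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
]


def find_conflicts(planned: Iterable[str],
                   defaults: Iterable[str] = COMMON_DEFAULTS) -> List[Tuple[str, str]]:
    """(planned, default) pairs that overlap, followed by planned/planned overlaps."""
    nets = [ipaddress.ip_network(p, strict=False) for p in planned]
    defs = [ipaddress.ip_network(d) for d in defaults]
    out: List[Tuple[str, str]] = []
    for n in nets:
        out.extend((str(n), str(d)) for d in defs if n.overlaps(d))
    for a, b in itertools.combinations(nets, 2):
        if a.overlaps(b):
            out.append((str(a), str(b)))
    return out


def suggest_free_subnet(planned: Iterable[str], prefix: int = 24,
                        defaults: Iterable[str] = COMMON_DEFAULTS) -> Optional[str]:
    """First /prefix inside 192.168.0.0/16 overlapping neither the plan nor a default."""
    taken = [ipaddress.ip_network(x, strict=False) for x in list(planned) + list(defaults)]
    for cand in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=prefix):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None


if __name__ == "__main__":
    plan = ["192.168.1.0/24", "192.168.50.0/24"]     # constructed plan with one bad choice
    for planned, other in find_conflicts(plan):
        print("conflict: %s overlaps %s" % (planned, other))
    print("free choice:", suggest_free_subnet(plan))
```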
I have a habit of not plugging anything new into the network in the “default” configuration. First, move “where it needs to be” from the laptop, then connect.
By the way, everything listed in the article runs perfectly on OpenWRT installed on a more or less powerful piece of hardware like the TP-Link 3600.

Even if you buy this piece of hardware while already having a server, it will pay for itself in energy savings in a year and a half.
You will also raise I2P on this piece of hardware?
And in this situation, the server will still have to be left (for me personally) as a server.
> You will also raise I2P on this piece of hardware?

Why not? 128 MB of memory and a 500 MHz processor should cope.
They won't cope. With a normal channel it eats up a lot. It’s even noticeable on my Core i5. I created a separate virtual machine.
This means I’m not alone: I got tired of D-Link’s reboots and built a router with almost the same functionality as the author’s on a spare Atom N2800. True, it doesn’t make any noise at all - this processor doesn’t require fans - the temperature on it doesn’t rise above 56, and instead of a hard drive I installed an mSATA SSD. And it consumes little electricity - the 750 W UPS shows about 1-3% load.