Search Results
72 total results found
Physical Hardware
Basic Components This is a Mini PC purchased from AliExpress to act as a router/firewall. It only provides expansion through USB and focuses more on power efficiency than raw performance. This allows it to run without any fan for cooling. Compute Processo...
Base Install
Operating System Proxmox Virtual Environment 6.x Configuration Proxmox configuration has been transitioned to being automated by an Ansible Role
LXC / ember
Description LXC container acting as a router/firewall. You can read more about how it is setup at Project Router. Configuration Resources Hostname CPU Memory ember 4 vCPU 2048MB Storage Mount Point Source Mount Path Si...
Logging in LXC
Logging One problem I ran into is that access to kernel logging is limited or unavailable from inside of a LXC container. For some use cases (like netfilter's LOG action) any logging that happens in a LXC container will be blackholed and not recorded anywhere ...
Wireguard
I had two goals I wanted to accomplish with VPNs. I need to redirect all outbound traffic from a specific subnet through a VPN so any client on that subnet would have its privacy protected by the VPN. Allow me to VPN into my home network from somehwe...
Bridge Zero Copy Transmit
Zero copy transmit mode is effective on large packet sizes. It typically reduces the host CPU overhead by up to 15% when transmitting large packets between a guest network and an external network, without affecting throughput. Source: Red Hat - Network Tu...
QEMU Device Properties
Example: Rename Device Example: Move MSI-X The QEMU vfio-pci device option is x-msix-relocation= which allows specifying the bar to use for the MSI-X tables, ex. bar0...bar5. Since this device uses a 64bit bar0, we can either extend that BAR or choose...
Introduction: Novice to Network Admin
Introduction If you're just looking to get started reading about how I setup everything you can skip down to the Goals section or go straight to Guest Setup to get started. Background From when I first started using computers as a kid I treated all things r...
LXC Guest Setup
As I discussed in Introduction: Novice to Network Admin the goal is to run a router/firewall inside a LXC guest so there is little to no overhead when routing packets. So I created an unprivileged LXC guest with a Debian 10 template. Resources The mini PC t...
Initial Network Setup
Configure Interfaces I need Internet access to download all the packages necessary so I setup DHCP on the WAN connection eth0. Setting all the local network interfaces to `manual` and not providing any addresses prevents any accidental routing before everyth...
DNS: Recursive DNS
Option 1: Unbound $ apt install unbound Recursive DNS can sometimes sacrifice speed for security so the unbound server is going to be limited to only serve DNS requests from loopback addresses. Everyone else will have to go through a DNS caching server (dn...
Firewall Setup
Install Shorewall To manage nftables/iptables I decided to go with Shorewall since it is easy to configure and very mature. At some point I may look into switching to FireHol since it looks even simpler to configure but I wanted something I knew I'd be able t...
DHCP and DNS Cache
Install dnsmasq I decided to use dnsmasq since it can fulfill multiple roles as both a DHCP and DNS cache. I'll first configure it for IPv4 and then later add in the few extra IPv6 lines needed. Setup DHCP The following can look complicated but that is just...
Firewall Setup
Install Shorewall6 Configuring Shorewall for IPv6 is nearly identical to how I did it for IPv4. The biggest difference is I can skip most things related to masquerading since that is less often necessary in the world of IPv6. The only changes that need to be ...
DHCP and SLAAC
I already setup dnsmasq for IPv4 and so there is very little that needs to be done to add IPv6 support. I just needed to add dhcp-range lines for each subnet. I am tagging them the same as before and using the ::,constructor:<interface> syntax to tell dnsmasq...
Prefix Delegation
I'd recommend reading about Prefix Delegation to get a better understanding of it but the gist is that using DHCPv6 it is possible to request a "prefix" where any IPv6 address starting with that will be routed to the router. Then the router can use that to con...
IPv6 Intro
Refresher For a quick crash course into IPv6 check out my IPv6 Quick Explainer guide. Why Did I Setup IPv6? Beyond just being good to know because it'll be what we're all using sooner than later there are a few practical advantages of IPv6 over IPv4. Most im...
Route Subnet Through Wireguard Interface
Funneling all traffic from an Ethernet interface through a Wireguard interface is relatively easy once I became familiar with how packets flow through Linux. I mostly just needed to modify my Wireguard *.conf file to add the Table, PostUp, and PreDown parameter...
Remote Access
Allowing remote access is just a matter of setting up a new Wireguard interface, allowing incoming traffic to that interface, and making sure the firewall allows that traffic to connect to the rest of the network. Create Interface # cd /etc/wireguard # umas...