# NUC (1nic) as gateway/router

## dalu

Hello,

semi-unique scenario,

I'm on cable. My ISP believes that it owns the router and restricts most configuration options and an alternative router is "not possible" since their DOCSIS 3.0 impl authenticates via the MAC of the cable modem and no DOCSIS 3.0 pci/pcie/usb modems are available for purchase. The modem/router is provisioned via TR-069/CWMP and port 5060 is filtered to force their SIP accounts and addition of new accounts is limited by the configuration but can be circumvented with hacks (and they need to be re-applied every time the router receives a new cfg or firmware). Since the ISP controls the firmware and has turned off any means to telnet or ssh into the box there is no known way to flash a custom firmware. As a result I don't trust it, there's a piece of hard- and software in my living room someone else controls with a firmware that is built to their own liking. They also rewrite DNS responses to point to their own servers. Pretty evil stuff in my book.

So, I'd like to isolate my home LAN's traffic from the router's.

Since I'm pretty inexperienced when it comes to bridges, vlans and the like I'm asking here.

I have an Intel NUC, which only has 1 NIC, an 8-port switch ( http://www.dlink.com/-/media/Business_Products/DGS/DGS%20108/Datasheet/DGS_108_Datasheet_DE.pdf , supports IEEE 802.1Q) and the router.

The ISP hands out an IPv4 address and a /56 IPv6 prefix.

I connect my 4+ boxes to the switch, also the router.

I want:

My network on 192.168.100.0

192.168.100.1 to be the gateway address

192.168.100.1 being a DNS and DHCP4/6 server

DNS queries forwarded to my outside server, but answering local domains (done already)

The NUC should assign its own IPv6 prefix and do NAT for v6 (3.18 kernel supports this iirc)

Only the NUC should have an IPv6 address assigned by the router, it should be dynamic and refresh once/day.

Anything from my LAN to the outside (starting with router) should go via 192.168.178.1

Anything on 192.168.100.0 should remain inside and nothing from 192.168.178.0 should make it to 192.168.100.0, except responses of outbound requests. Basically allow 192.168.178.1 to reach 192.168.100.1 and filter on 192.168.100.1.

So

(192.168.100.0)

my network, my clients, none of their business

(192.168.178.0)

their network

Maybe I'm overcomplicating it, but where to start?

What is appropriate? Bridge, VLAN, TUN/TAP, VPN, other?

----------

## dalu

Ok I have created a VLAN on the nuc.

```
ip link add link eno1 name eno1.100 type vlan id 100
```

and added an IPv4 address

```
ip addr add 192.168.100.1/24 brd 192.168.100.255 dev eno1.100
```

and it's up

on a client:

added 192.168.100.2

```
ip addr add 192.168.100.2/24 brd 192.168.100.255 dev mydev
ip route add 192.168.100.2 via 192.168.100.1
```

but I'm getting weird results

```
ping 192.160.100.1
PING 192.160.100.1 (192.160.100.1) 56(84) bytes of data.
64 bytes from 192.160.100.1: icmp_seq=1 ttl=233 time=156 ms
64 bytes from 192.160.100.1: icmp_seq=2 ttl=233 time=156 ms
64 bytes from 192.160.100.1: icmp_seq=3 ttl=233 time=156 ms
^C
```

and

```
ssh root@192.168.100.1
ssh: connect to host 192.168.100.1 port 22: No route to host
```

and

```
nmap 192.168.100.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-05 02:46 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
```

and

```
ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
From 192.168.100.2 icmp_seq=1 Destination Host Unreachable
From 192.168.100.2 icmp_seq=2 Destination Host Unreachable
From 192.168.100.2 icmp_seq=3 Destination Host Unreachable
From 192.168.100.2 icmp_seq=4 Destination Host Unreachable
From 192.168.100.2 icmp_seq=5 Destination Host Unreachable
From 192.168.100.2 icmp_seq=6 Destination Host Unreachable
From 192.168.100.2 icmp_seq=7 Destination Host Unreachable
^C
--- 192.168.100.1 ping statistics ---
8 packets transmitted, 0 received, +7 errors, 100% packet loss, time 7009ms
pipe 4
```

edit:

The first step needs to be done on every node of the network.

I'm still missing the info about how to make the NUC become the gateway computer.

Last edited by dalu on Tue Jan 06, 2015 10:06 am; edited 1 time in total

----------

## szatox

*Quote:*

> an alternative router is "not possible" since their DOCSIS 3.0 impl authenticates via the MAC of the cable modem and no DOCSIS 3.0 pci/pcie/usb modems are available for purchase.

Routers typically allow you to clone the MAC address from another device. Or specify one manually. Perhaps it's not as big a problem as it sounds at first?

Also, doesn't reset switch clear all settings when you hold it for 10 seconds?  :Smile: 

----------

## dalu

Something like that, you can do a factory reset and have access to all settings.

However those default settings get overwritten the very instant it establishes a connection with the CMTS (= the other end of the modem's line).

You can do an export of the settings but passwords are AES encrypted and multiple segments of the file are (iirc) CRC32 hashed, but this has been broken and is one way to append custom voip (SIP account data) configuration.

Yes you can clone or spoof a MAC but what's the use if you don't have a modem? And why would you want to change the modem/router's MAC? You would not be authenticated.

----------

## szatox

You mentioned alternative routers. So, can't you use alternative router and clone the original's one MAC?

You say that the router from the ISP is being configured by the peer on the internet? That sounds like a reason to change ISP...

Anyway, perhaps in that case you could unplug external network, set a firewall to filter incoming traffic and then connect again? Or maybe you had to install some shit on your PC that feeds router with "accepted" config?

----------

## dataking

*szatox wrote:*

> That sounds like a reason to change ISP...

What ISP is it? I'd say find a new one, if they are really as tyrannical as you imply.

----------

## dataking

Also, IIRC, those NUCs have at least 1 USB port. Check into a USB->eth NAD.

----------

## dalu

*szatox wrote:*

> You mentioned alternative routers. So, can't you use alternative router and clone the original's one MAC?
> 
> You say that routr from ISP is being configured by the peer on the internet? That sounds like a reason to change ISP...
> 
> Anyway, perhaps in that case you could unplug external network, set a firewall to filter incoming traffic and then connect again? Or maybe you had to install some shit on your PC that feeds router with "accepted" config?

 

Every factory router/modem, no matter if DSL or cable listens to TR-069/CWMP requests.

http://www.broadband-forum.org/cwmp.php

https://www.youtube.com/watch?v=gFP5YcvQsKM

That's old news.

The router is a Fritz!Box 6340. Fritz implies German so the ISP is KabelBW/Unitymedia/Liberty Global.

Traditional DSL routers like the 7series Fritz!Boxes are customizable and also listen to CWMP requests. Since they belong to you when you sign a 2 year bound contract you can do whatever with them. The cable sector is more proprietary.

There is no alternative ISP for me if I want 100+mbit/s down:5+mbit/s up. DSL in my area is 16mbits/1mbits at most, VDSL and what's the upgrade to it called... vectoring are only available in the center of the town. So there is no affordable alternative if I want high bandwidth internet access. Fiber costs some 2k € / month and it's not my house but a rented apartment, so I'm not paying that some company gets their infrastructure fibered on my costs. If it was my house I'd consider it.

On the pro side, I get to keep my public IPv4 address for like 1-3 months and there is no forced daily reconnection. On the other hand the router sucks, download a torrent and you'll have to reboot the router because well weak hardware.

Another pro point: really good response times compared to DSL (10-15ms pings).

Buying my own modem I don't know the voip configuration data, aka no free nationwide landline calls.

So knowing they modify DNS responses if you use their DNS I bought a NUC (also for other reasons) set up a dhcp4 server, and configured bind to forward DNS requests to my outside server.

And now I'd like to have the NUC as a gateway/router/firewall.

```
client ---- switch ---- router
client ----
client ----
client ----
client ----
nuc   ----
```

I believe this can be done with VLAN tagging, since the switch supports that.

In order to have my internal network invisible to the router I configure the dhcp server to hand out 192.168.100.* addresses.

If I'm not mistaken 192.168.100.* destination packets won't reach 192.168.178.* .

Now all that's left to do is firewall 192.168.178.*<>192.168.100.*

and let packets intended for public IPs be forwarded to 192.168.178.1

and a solution for IPv6.

The USB/Eth adapter is an option, but let's see if it can be done without. I have one here that's used for my chromebook.

Actually now that I've looked it up, why not have a pure USB 3.0 (or 3.1) network (7.2Gbps effective) but that's a different topic.
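Putting the VLAN commands from the earlier post together with the filtering/forwarding plan above, here is an added example (not from the thread or from any of its posters) of a router-on-a-stick setup on the NUC's single NIC. It assumes the untagged side of eno1 faces the ISP router at 192.168.178.1, that eno1.100 (VLAN 100) is the private 192.168.100.0/24 LAN, and that the 802.1Q switch places the client ports untagged into VLAN 100 while carrying VLAN 100 tagged only on the NUC's port; the interface and chain names, and the DRY_RUN switch, are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Router-on-a-stick on the NUC's single NIC.
# Assumptions: untagged eno1 faces the ISP router 192.168.178.1 (the NUC's
# default route already points there); eno1.100 (VLAN 100) is the private LAN
# 192.168.100.0/24; the 802.1Q switch puts the client ports untagged into
# VLAN 100 and carries VLAN 100 tagged only on the NUC's port, so the clients
# need no VLAN configuration of their own and the router port never sees it.
# DRY_RUN=1 prints the commands instead of executing them.
WAN_IF=eno1
LAN_IF=eno1.100
LAN_VID=100
LAN_NET=192.168.100.0/24
LAN_GW=192.168.100.1/24

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_lan_vlan() {
    run ip link add link "$WAN_IF" name "$LAN_IF" type vlan id "$LAN_VID"
    run ip addr add "$LAN_GW" dev "$LAN_IF"
    run ip link set "$LAN_IF" up
    run sysctl -w net.ipv4.ip_forward=1
}

setup_firewall() {
    # Default-deny forwarding: only LAN -> router and the replies back,
    # so nothing new from 192.168.178.0/24 can reach 192.168.100.0/24.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The ISP router only ever sees the NUC's own 192.168.178.x address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # The NUC's own DNS/DHCP services answer on the LAN side only.
    run iptables -A INPUT -i "$WAN_IF" -p udp -m multiport --dports 53,67 -j DROP
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 53 -j DROP
}

# Run with "apply" to configure the box; no argument does nothing.
case "${1:-}" in
    apply) setup_lan_vlan && setup_firewall ;;
esac
```

The IPv6 side (taking the delegated prefix on eno1 and NAT66 on the 3.18 kernel) is not covered here; `ip6tables` needs an equivalent default-deny FORWARD policy before IPv6 forwarding is enabled.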

----------

