# Gentoo as home router

## weiypan_us

Does anyone use Gentoo as a home router?

I am going to build a Linux home router to replace the commercial one from the market.

My home router should have VPN and wifi.

----------

## NeddySeagoon

weiypan_us,

I run Gentoo in a KVM as a router.

It manages 4 zones Internet, DMZ, WiFi and Wired.

Wifi is not permitted to connect to wired.

A VPN is on my todo list but I may spin up another KVM for that.

----------

## weiypan_us

Hi NeddySeagoon, 

Does the Gentoo community have a "How-to Guide" on it?

VPN is the main motivation for me to build my own router, as the VPN routers on the market really suck.

----------

## NeddySeagoon

weiypan_us,

There is a home router guide.

I use shorewall and shorewall6 as I have both IPv4 and IPv6.

VPN is not covered there.

----------

## weiypan_us

NeddySeagoon 

Thank you for the rich information.

What is Shorewall? Is it a router including an OS, or just a tool running on any Linux OS to make router configuration easier?

----------

## Ant P.

I have a Gentoo router providing wifi, wireguard VPN to my phone/laptop, and a manual nftables setup doing NAT to the outside. It's stuck behind a dumb ISP/modem so it only gets IPv4 service, but everything on the LAN is IPv6.

I didn't use the wiki guide for mine, but it looks like a good starting point.

----------

## NeddySeagoon

weiypan_us,

Shorewall is a tool for writing IPv4 firewall rules so you don't have to learn iptables.

Shorewall6 is the same for IPv6.

IPv4 and IPv6 are totally separate. If you have both, you need to control both.

All IPv6 addresses beginning with a 2 are public.

```
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.20  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::2e0:4cff:fe69:1509  prefixlen 64  scopeid 0x20<link>
        inet6 2 ...  prefixlen 64  scopeid 0x0<global>
```

so my system is directly accessible from the internet on IPv6, or would be if my router did not prevent it.

If you don't have IPv6, it's not a problem.

----------

## weiypan_us

Hi Neddy, 

Is shorewall6 included in the portage tree? I can only find net-firewall/shorewall.

 *NeddySeagoon wrote:*   

> weiypan_us,
> 
> Shorewall is a tool for writing IPv4 firewall rules so you don't have to learn iptables.
> 
> Shorewall6 is the same for IPv6.
> ...

 

----------

## NeddySeagoon

weiypan_us,

It's still there.

```
$ eix shorewall
* net-firewall/shorewall
     Available versions:  4.5.21.9[1] (~)4.5.21.10-r1[1] 4.6.10.1[1] (~)4.6.13[1] (~)4.6.13.1[1] (~)5.0.1[1] 5.2.0.4 {doc +init +ipv4 ipv6 lite4 lite6 selinux KERNEL="linux"}
     Homepage:            http://www.shorewall.net/
     Description:         A high-level tool for configuring Netfilter

* net-firewall/shorewall-core [1]
     Available versions:  4.5.21.9 (~)4.5.21.10-r1 {selinux}
     Homepage:            http://www.shorewall.net/
     Description:         Core libraries of shorewall / shorewall(6)-lite

* net-firewall/shorewall6 [1]
     Available versions:  4.5.21.9 (~)4.5.21.10-r1 {doc}
     Homepage:            http://www.shorewall.net/
     Description:         The Shoreline Firewall, commonly known as Shorewall, IPv6 component
```

----------

## weiypan_us

Hi Neddy, 

Looks like it has been combined into one. Here is my search for 6. It comes out the same as 4.

 *Quote:*   

> blk161@asus ~ $ sudo emerge --search net-firewall/shorewall6
> 
> [ Results for search key : net-firewall/shorewall6 ]
> 
> Searching...
> ...

 

 *NeddySeagoon wrote:*   

> weiypan_us,
> 
> Its still there.
> 
> ```
> ...

 

----------

## NeddySeagoon

weiypan_us,

Looks like you are correct.

```
router ~ # emerge shorewall -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-firewall/shorewall-5.2.0.4::gentoo  USE="init ipv4 ipv6 -doc -lite4 -lite6 (-selinux)" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

 * IMPORTANT: 38 news items need reading for repository 'gentoo'.
 * Use eselect news read to view new items.

router ~ # emerge shorewall6 -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!

emerge: there are no ebuilds to satisfy "shorewall6".
```

That's from my KVM router. 

I missed the [1] in my previous post, which means it's an ebuild from my local overlay. I did that a long time ago to delay updating to shorewall-5 because I thought it might be a mess.

The rest of the household use the router. The update is done, so I can remove those ebuilds from my overlay.

Sorry for misleading you.

----------

## weiypan_us

Hi Neddy, thank you for the help.

 *NeddySeagoon wrote:*   

> weiypan_us,
> 
> Looks like you are correct.
> 
> ```
> ...

 

----------

## weiypan_us

Hi Ant, 

I used L2TP and have heard of OpenVPN; it is my first time knowing there is a WireGuard VPN.

Is WireGuard easy to set up?

 *Ant P. wrote:*   

> I have a Gentoo router providing wifi, wireguard VPN to my phone/laptop, and a manual nftables setup doing NAT to the outside. It's stuck behind a dumb ISP/modem so it only gets IPv4 service, but everything on the LAN is IPv6.
> 
> I didn't use the wiki guide for mine, but it looks like a good starting point.

 

----------

## axl

 *weiypan_us wrote:*   

> Hi Ant,
> 
> I used L2TP and have heard of OpenVPN; it is my first time knowing there is a WireGuard VPN.
> 
> Is WireGuard easy to set up?

 

I bet if you were to describe in great detail what you are trying to accomplish, in your own words, it would go much faster. 

A router in Linux is essentially a Linux system that has 1 in /proc/sys/net/ipv4/ip_forward.

Everything else you build on top of that is services. Neddy mentioned zones (that is a DNS server) and DHCP; Ant mentioned wifi (I think), which may be just a simple network interface or something more complex like an AP. Either way, it's services.

One of which you have been preoccupied with since post one. I don't exactly know how router and VPN go together, but ok. What exactly are you trying to accomplish? First tell us what you want, then each of us will probably suggest their own VPN software and how to do it.

----------

## P.Kosunen

https://firehol.org/

I used to use FireHOL to set up firewall and routing; it's a bit easier than dealing with iptables directly.

----------

## bunder

I've written my own iptables script twice over, but I've also had a look at net-firewall/fwbuilder, which is a GUI frontend for iptables and a few other *nix firewalls. It reminds me a fair bit of the Checkpoint firewall console we use at work (except that iptables doesn't cost me a few grand).

----------

## NeddySeagoon

axl,

I used to run Smoothwall on its own hardware. When I couldn't make it install into a KVM I did my own thing with Gentoo and shorewall, mimicking Smoothwall but without the GUI.

The zones I was referring to are trust zones rather than DNS zones.

The Internet is untrusted.

The DMZ is shielded from the ravages of the internet, but some incoming connections are permitted.

WiFi is like the DMZ, but incoming connections are not permitted. As wifi is not secure, it's not trusted much more than the Internet.

Wired is the trusted zone.

Well it started out like that. Untrusted devices like DVD Players, TVs etc are in the WiFi zone regardless of how they are connected. 

The router also runs a dhcp server for those zones that are on three separate wired networks.

I'm tempted to add a VPN server, so I can use public wifi when I'm out and about but that really belongs on another system.
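Pulling the thread's three technical points together (axl's "a router is a box with forwarding enabled", NeddySeagoon's "IPv4 and IPv6 are separate, control both, every 2xxx:: address is public", and the four trust zones described in this post), here is an added example of what that baseline looks like as a plain nftables ruleset rather than Shorewall. This is not code from the thread or from any of its participants; the interface names (eth0/eth1/wlan0/eth2), the DMZ host address 10.0.2.10 and the ports 80/443 are assumptions to make it concrete.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal four-zone Linux router
# baseline (Internet, DMZ, WiFi, Wired) written as an nftables ruleset.
# Interface names, the DMZ host address and the exposed ports are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"      # Internet: untrusted
DMZ_IF="${DMZ_IF:-eth1}"      # DMZ: some inbound permitted
WIFI_IF="${WIFI_IF:-wlan0}"   # WiFi: Internet only, never wired
LAN_IF="${LAN_IF:-eth2}"      # Wired: trusted
DMZ_HOST4="${DMZ_HOST4:-10.0.2.10}"   # assumed IPv4 address of the DMZ web host

# Forwarding is what makes the box a router, and it is a separate switch per
# address family: ip_forward=1 on its own forwards IPv4 only.
router_sysctl_conf() {
  cat <<EOF
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# a forwarding host ignores router advertisements unless accept_ra=2
net.ipv6.conf.$WAN_IF.accept_ra = 2
EOF
}

# One "inet" table filters IPv4 and IPv6 with the same rules. A v4-only
# ruleset (iptables without ip6tables, or an "ip" family table) leaves every
# LAN host with a global 2xxx:: address reachable from the Internet.
router_nft_ruleset() {
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # ICMPv6 is mandatory for IPv6 (neighbour discovery, RAs, path MTU)
    meta l4proto { icmp, ipv6-icmp } accept
    # services the router itself offers to the internal zones: DHCP and DNS
    iifname { "$LAN_IF", "$WIFI_IF", "$DMZ_IF" } udp dport { 53, 67 } accept
    iifname { "$LAN_IF", "$WIFI_IF", "$DMZ_IF" } tcp dport 53 accept
    # administer the router from the trusted wired zone only
    iifname "$LAN_IF" tcp dport 22 accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
    # wired is trusted: may initiate to any other zone
    iifname "$LAN_IF" accept
    # wifi: Internet only, never wired or DMZ
    iifname "$WIFI_IF" oifname "$WAN_IF" accept
    # DMZ: Internet out, plus a short list of services reachable from the Internet
    iifname "$DMZ_IF" oifname "$WAN_IF" accept
    iifname "$WAN_IF" oifname "$DMZ_IF" tcp dport { 80, 443 } accept
    # everything else (wifi->wired, unsolicited wan->wired/wifi, ...) hits the
    # drop policy, for IPv6 exactly as for IPv4
  }
}

# NAT is an IPv4-only concern. IPv6 hosts keep their global addresses and are
# protected by the forward chain above, not by address translation.
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN_IF" tcp dport { 80, 443 } dnat to $DMZ_HOST4
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Apply on the router as root: write the sysctl drop-in, reload it, load the ruleset.
router_apply() {
  router_sysctl_conf > /etc/sysctl.d/10-router.conf
  sysctl --system > /dev/null
  router_nft_ruleset | nft -f -
}

# usage: WAN_IF=eth0 LAN_IF=eth2 sh router.sh apply
if [ "${1:-}" = "apply" ]; then
  router_apply
fi
```

The two generator functions print the configuration, so the ruleset can be reviewed (or checked with `nft -c -f -`) before it touches a live router; only `apply` changes anything. The WiFi zone gets exactly one forward rule, towards the WAN, so the "wifi must not reach wired" policy is enforced by the chain's drop default rather than by a deny rule that could be bypassed by a later accept.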

----------

