home internet access over-engineering #1: replacing your router
As stated in the title of this post, I consider replacing your home router as “over-engineering”: more than 99% of the people out there don’t care what’s providing them Wi-Fi to scroll through their Instagram® or TikTok® feeds.
But since you are reading these lines, it probably means that you belong to the 1% that do care, or maybe want to have some “fun” by customizing your home setup.
There are many reasons of using your own hardware instead of the one provided by your ISP1:
- performance: some boxes provided by ISPs might not perform as well as you would like. Their Wi-Fi performance could be poor, or they can lack 1G ports while you want a 1G home network.
- cost: I have seen that some ISPs actually rent the router, hence costing you a few more bucks every month.
- custom (or tricky) setups: you might want to do some advanced (and/or weird) stuff at the router level, having our own set of hardware and software might be a requirement to do so
- fun: don’t worry, I won’t judge you if you just to it for fun and in the sake of learning new stuff, I am just like you 😅
Depending on what your priorities are, you will either chose the software first then the hardware, or the other way around. For example, you might have an old PC lying around and want to play with it by using it as a router, then you’ll chose the software depending on what you have. In my case, I chose the software first: I wanted to have a system that has native Wireguard support and some “advanced” routing features (static and dynamic routing, PBR…). For now I am using VyOS as it covers all those needs.
If you have low needs and not so powerful hardware, you should go with a small Linux distro. Some of the most famous network-oriented Linux distributions are OpenWrt, pfSense, Smoothwall and OPNSense. I would say that the last 3 of the list are a bit more security oriented and your device will more look like a firewall. Other distributions are a little bit more “routing” oriented, they will not necessarily have a GUI and will be a bit less “firewall-y”: Cumulus Linux and VyOS are good examples.
You should refer to Wikipedia and your favorite search engine to find the distribution that fits your needs the best.
Since you are going to replace an hardware device, you will need to choose some hardware. Depending on the type of connection you have (xDSL, optical fiber, coaxial cable…) and how your current ISP router is equipped with (for example, is there an equipment converting the optical signal to copper, or does it have an integrated SFP2).
Since there are a lot of possibilities - which will vary per country, provider, type of connection… - I won’t go much into details and will just quickly talk about my home setup later in this post and share some links with complete examples.
This is the quick and easy choice, it will work perfectly if you choose the right router depending on your setup. If you are using ADSL, then get an ADSL compatible router (makes sense, right?); if you have FTTH and your ISP router needs an SFP, then you must get a router with an SFP port and a compatible SFP (be careful, there are a lot of different SFP types).
When you don’t want (or need) something very custom and special, then it’s definitely a good alternative for you.
As I don’t know much about home router vendors and it is not the most interesting (at least to me) part of replacing the ISP router, I will just throw a few names of (more or less) cool vendors that would probably work for you:
- Ubiquity EdgeMAX® routers good hardware and software, will (obviously) integrate quite well with UnNiFi® access-points which are quite good for the price.
- MikroTik Ethernet routers maybe for a little more advanced users, they have a lot of features for a really good price.
Note that you can buy a vendor router/switch and use a compatible open-source firmware if that’s your thing!
This is the solution I went with, I did not know that some “specialized” boxes are sold on some famous Chinese website (name starts with Ali if that helps…) before a colleague told me about that kind of machines. Basically, they are rather small fanless machines with multiple RJ45 ports, a port to plug a screen, sometimes a console port and sometimes Wi-Fi with external antenna.
I chose to acquire a “fanless mini pc” (or “fanless router” if you want to look for them on this “Ali” website) because I wanted to install either Linux or any other network-oriented open source software, but also because I find it really fun and interesting to configure the whole stuff from scratch, rather than clicking a few buttons and fillings a few inputs and forms on a web UI.
Remember, my goal was to overengineer some parts of my home network infrastructure, for (more or less) good reasons - as you will see in the upcoming articles (stay tuned!!). Here are some specs about the machine I went with:
router-home:~$ cat /proc/cpuinfo model name : Intel(R) Core(TM) i5-4300Y CPU @ 1.60GHz stepping : 1 microcode : 0x24 cpu MHz : 742.977 cache size : 3072 KB
router-home:~$ sudo dmidecode --type 17 # dmidecode 3.2 Getting SMBIOS data from sysfs. SMBIOS 2.8 present. Handle 0x0044, DMI type 17, 34 bytes Memory Device Total Width: 64 bits Data Width: 64 bits Size: 8192 MB Form Factor: SODIMM Type: DDR3 Type Detail: Synchronous Speed: 1600 MT/s Configured Memory Speed: 1600 MT/s
router-home:~$ fdisk -l Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors Disk model: Hoodisk SSD
This is not the cheapest choice, and to be honest I did not care that much about electrical consumption so it is probably not great in that area either, but I got to say that it works really well for what I want to do (again, more on that later 🙃).
build your own
Top of the excitement, you can either use some old hardware or buy new and/or used parts to build your router from scratch! I did not go with this so I cannot really share my experience, but here are some nice links if you want to go full custom:
my setup (aka using Youfone FTTH with your own router)
as stated earlier, your setup will depend on your provider and the type of connection: this part will be very specific to my own case (and every Youfone FTTH subscriber looking to replace the default router)
We moved in January 2020 to the Netherlands in a brand new house and we were quite lucky that it was already fibered by KPN. We subscribed to Youfone (which uses KPN network) with an “Internet only” offer (we don’t need landline or Dutch TV). To be fair, it was a bit hard to find the definitive answer on what has to be done on the router to connect to my ISP (surprisingly, a lot of results were in Dutch). The answer was really simple after all: no authentication needed: just run DHCPv4 (no IPv6 yet, but that’s an other subject…) on the right VLAN (34) and you are good to go!
On VyOS, the configuration looks like this (I plugged the ONT3 to the first port of my machine, hence
set interfaces ethernet eth0 description 'WAN' set interfaces ethernet eth0 mtu '1512' set interfaces ethernet eth0 vif 34 address 'dhcp' set interfaces ethernet eth0 vif 34 mtu '1500'
and… that’s it! Easy, right? VyOS will make a DHCP request, get a lease (if the ONT is connected) and install a “static” route:
[email protected]:~$ show dhcp client leases interface : eth0.34 ip address : 82.169.x.y [Active] subnet mask: 255.255.255.128 router : 82.169.x.1 name server: 18.104.22.168 22.214.171.124 dhcp server: 82.169.x.1 lease time : 600 last update: Thu Sep 24 17:05:15 UTC 2020 expiry : Thu Sep 24 17:15:14 UTC 2020 reason : RENEW [email protected]:~$ show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR, f - OpenFabric, > - selected route, * - FIB route, q - queued route, r - rejected route S>* 0.0.0.0/0 [210/0] via 82.169.x.1, eth0.34, 03w3d04h C>* 82.169.x.0/25 is directly connected, eth0.34, 04w0d16h
Your WAN is all good and you should be able to ping something (just like search engines, everyone has its personal preferences here):
[email protected]:~$ ping 126.96.36.199 interface eth0.34 PING 188.8.131.52 (184.108.40.206) from 82.169.x.y eth0.34: 56(84) bytes of data. 64 bytes from 220.127.116.11: icmp_seq=1 ttl=61 time=5.13 ms 64 bytes from 18.104.22.168: icmp_seq=2 ttl=61 time=5.19 ms 64 bytes from 22.214.171.124: icmp_seq=3 ttl=61 time=5.15 ms 64 bytes from 126.96.36.199: icmp_seq=4 ttl=61 time=5.14 ms 64 bytes from 188.8.131.52: icmp_seq=5 ttl=61 time=5.15 ms
Once you successfully pinged something on the Internet from the router, some configuration has to be done on the LAN side so that your machines can access the Internet, I will only cover a very basic setup here (NAT, no DMZ).
There are 2 simple steps
- configure the LAN interface: choose a (private) subnet (192.168.1.0/24 in this example) and configure it on your LAN interface
- add a source NAT rule towards your WAN interface: all traffic from the LAN to Internet towards the WAN (thanks to the default route will be NATed)
set interfaces ethernet eth3 address '192.168.1.1/24' set nat source rule 100 outbound-interface 'eth0.34' set nat source rule 100 source address '192.168.1.0/24' set nat source rule 100 translation address 'masquerade'
Watchout: there is absolutely no security applied at this point, your router is probably reachable over the Internet! You should really consider configuring some firewalling. In my case, I went with the following configuration:
set firewall name FROM-INTERNET default-action 'reject' set firewall name FROM-INTERNET rule 10 action 'accept' set firewall name FROM-INTERNET rule 10 state established 'enable' set firewall name FROM-INTERNET rule 10 state related 'enable' set firewall name FROM-INTERNET rule 20 action 'accept' set firewall name FROM-INTERNET rule 20 icmp type-name 'echo-request' set firewall name FROM-INTERNET rule 20 protocol 'icmp' set firewall name FROM-INTERNET rule 30 action 'accept' set firewall name FROM-INTERNET rule 30 destination port '80,443' set firewall name FROM-INTERNET rule 30 protocol 'tcp_udp' set interfaces ethernet eth0 vif 34 firewall in name 'FROM-INTERNET'
At that point your machines should be able to reach the outside world, provided they have are properly configured with an IP address in the correct range and with your router as default gateway (note that we do not have any DHCP server running yet).
- In France, Orange is one of the biggest ISP. In his awesome blog, Vincent Bernat talks about replacing the Livebox. All French readers that want to know more about replacing home routers should definitely have a look at the 'Routeurs' section on lafibre.info forums.
ISP: Internet Service Provider ↩︎
SFP: A Small Form-factor Pluggable plugs into a router to convert an optical signal to an electrical one, see Wikipedia (or your favorite search engine) for an actual explanation. ↩︎
ONT: The Optical Network Terminal terminates the optical fiber connection on the subscriber’s side, it generally converts the optical signal (light) to electricity ↩︎