efx
January 17, 2024, 3:33pm
I’m contemplating creating a NixOS router. I plan on leaving the fair country of pfsense.
I’m continuing the conversation from:
I’m thinking about using NixOS for a home router. (or vanlife)
Or use non declarative OPNsense?
Has anyone done this successfully before? or am I in uncharted waters?
What hardware did you use?
The things I’m thinking about
possibilities:
multiple rj45 1G
dual wifi 2.4 & 5
sims: 1 or 2 (1 or 2 modems)
x86 or aarch
low power
ecc memory (zfs)
open source
more advanced/future proof:
rj45 10G
sfp
software:
auto boot after power failure / unencrypted disk
firewall
forward some traffic to…
With a GNU/Linux system I need to decide what subsystem to use for packet filtering.
In OpenBSD, one simply uses pf.
I’m curious and researched GNU/Linux packet filtering as of 2024.
I’ve learned:
iptables historical, standard
nftables - successor to iptables
eBPF - paradigm shift for kernel interfacing. I read Cloudflare built a firewall service with it.
What subsystem do recent versions of NixOS use?
The manual doesn’t mention which. The wiki firewall page says it uses iptables, but I don’t trust the wiki.
Which subsystem do you use and why?
iptables and nftables are offered. eBPF can be used with both of the previous ones.
There are other options like writing your own XDP program, DPDK, using something like P4 and compiling to eBPF bytecode, etc.
The latter ones are more obscure and require expertise; the former are trivial and are offered off the shelf.
I just use nftables except if I have a good reason to use something more complicated.
ookhoi
January 22, 2024, 7:11am
Packet filtering can mean multiple things. For blocking IP addresses or network ranges entirely I use ip route add blackhole <ip address>
I used nftables before but with a few thousand rules on my router my internet connection slowed down considerably.
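As an added example (not code from this thread), the script below takes a constructed blocklist and emits one nftables ruleset that matches against a single named interval set rather than one rule per address, which is the usual way to keep a blocklist of thousands of entries from costing a linear walk through the chain; it also prints the equivalent ip route add blackhole lines from the post above. The table, set and chain names and the sample addresses are my own choices.

```python
import ipaddress

# Constructed sample blocklist: hosts and ranges, with deliberate
# overlaps and an adjacent pair so the collapse step has work to do.
SAMPLE_BLOCKLIST = [
    "192.0.2.10",
    "192.0.2.0/24",       # already contains the host above
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent: merges into 198.51.100.0/24
    "203.0.113.77",
]


def collapse(entries):
    """Parse IPv4 addresses/CIDRs and merge overlapping or adjacent ranges.
    Raises ValueError on anything that is not valid IPv4."""
    nets = [ipaddress.IPv4Network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def nft_ruleset(entries, table="blocklist", setname="badhosts"):
    """Emit an nftables ruleset: one set lookup per packet, not one rule
    per blocked address.  'flags interval' lets the set hold prefixes."""
    elems = ", ".join(collapse(entries))
    return f"""table inet {table} {{
  set {setname} {{
    type ipv4_addr
    flags interval
    elements = {{ {elems} }}
  }}
  chain input {{
    type filter hook input priority filter - 10; policy accept;
    ip saddr @{setname} drop
  }}
  chain forward {{
    type filter hook forward priority filter - 10; policy accept;
    ip saddr @{setname} drop
    ip daddr @{setname} drop
  }}
}}
"""


def blackhole_commands(entries):
    """Equivalent 'ip route add blackhole' lines (outbound-only effect)."""
    return [f"ip route add blackhole {n}" for n in collapse(entries)]


if __name__ == "__main__":
    print(nft_ruleset(SAMPLE_BLOCKLIST))
    print("\n".join(blackhole_commands(SAMPLE_BLOCKLIST)))
```

The generated text can be saved to a file and loaded with nft -f, or pasted into networking.nftables.ruleset on NixOS; note that a blackhole route only stops traffic leaving the router, whereas the nftables set also drops inbound and forwarded packets.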
misuzu
January 22, 2024, 11:22am
iptables and nftables are the same under the hood on NixOS; the difference is mainly in the CLI frontend.
efx
January 22, 2024, 12:44pm
Neat idea! I’m curious and unfamiliar with ip. Do you know what subsystem ip uses? Or any beginner documentation for a noob like me?
ookhoi
January 22, 2024, 1:14pm
ip is in the iproute2 package and is the default network tool for Linux. A good read is https://wiki.linuxfoundation.org/networking/iproute2 and the iproute2 cheat sheet.
Some basic commands:
ip address show
ip address show dev eno1
ip route show
ip -6 route show
ip route get 1.1.1.1
ip route get 127.0.0.1
Which can be shortened to:
ip a s
ip r s
ip -6 r s
ip r g 1.1.1.1
ip r g 127.0.0.1