====== Use Raspberry Pi 4 as router ======
==== Why? ====
Why not use the router provided by the ISP?
The motivation was a QoS problem: the need to give priority to some services, such as SIP for the Asterisk PABX.
==== How? ====
Use the usual tutorial to install your Pi 4. For this use, since the Pi 4 is fully dedicated to the router function, we work as root, disable password authentication and connect with SSH keys.
=== Stop dhcpcd ===
dhcpcd is standard on Raspbian, but for this use it is not clear that it has any advantage over the good old networking service, so it is disabled (source [[https://raspberrypi.stackexchange.com/questions/78510/disable-dhcpcd-service-for-static-ip|here]]).
<code bash>
systemctl stop dhcpcd
systemctl disable dhcpcd
apt remove dhcpcd5
</code>
A basic /etc/network/interfaces is set up:
<code>
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.163.252
netmask 255.255.255.0
# only one default route is wanted on a router: once eth1 (WAN) is configured, this gateway line goes away
gateway 192.168.163.254
network 192.168.163.0
broadcast 192.168.163.255
dns-nameservers 192.168.163.30 8.8.8.8
dns-search couderc.eu
</code>
After:
<code bash>
ifup eth0
</code>
both the old and the new IP addresses should answer to ping...
=== Connect to the Internet ===
The ISP box has to be connected and configured to pass all traffic to the Pi. This is done with an additional physical USB3-to-RJ45 adapter (USB2 might do, but why skimp?). Here we use a subnetwork, but PPPoE could be used with a simple modem.
So we add a second interface:
<code>
auto eth1
iface eth1 inet static
address 192.168.153.2
netmask 255.255.255.0
gateway 192.168.153.254
network 192.168.153.0
broadcast 192.168.153.255
dns-nameservers 192.168.153.1 212.27.40 8.8.8.8
dns-search couderc.eu
up /usr/local/bin/wondershaper eth1 14000 1000
</code>
The last line (wondershaper, limiting eth1 to 14000 kbit/s down and 1000 kbit/s up) will be explained later.
=== Routing ===
First, forwarding must be enabled by uncommenting in /etc/sysctl.conf the line:
<code>
net.ipv4.ip_forward=1
</code>
Routing is done with iptables and iptables-persistent.
Here is an example for /etc/iptables/rules.v4:
<code>
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# eth1 is the WAN interface, eth0 is the LAN interface
-A POSTROUTING -o eth1 -j MASQUERADE
#******************* PREROUTING from WAN to LAN: see also the FORWARD rules below
# bin (DNS)
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
# www
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.163.32:80
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 192.168.163.32:443
# mail
-A PREROUTING -p tcp -m tcp -i eth1 --dport 25 -j DNAT --to-destination 192.168.163.36:25
-A PREROUTING -p tcp -m tcp -i eth1 --dport 66 -j DNAT --to-destination 192.168.163.36:66
-A PREROUTING -p tcp -m tcp -i eth1 --dport 143 -j DNAT --to-destination 192.168.163.36:143
-A PREROUTING -p tcp -m tcp -i eth1 --dport 587 -j DNAT --to-destination 192.168.163.36:587
-A PREROUTING -p tcp -m tcp -i eth1 --dport 993 -j DNAT --to-destination 192.168.163.36:993
# psql
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5432 -j DNAT --to-destination 192.168.163.35:5432
# sip
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5060 -j DNAT --to-destination 192.168.163.33:5060
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
### Service rules: what is accepted on piIVrouter itself
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# SSH - accept from LAN
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# SSH - accept from WAN (exposed to the Internet: the key-only authentication set up above is what protects it)
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
### Forwarding rules: what goes through
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (eth0) to WAN (eth1)
-A FORWARD -i eth0 -o eth1 -j ACCEPT
# allow traffic from our NAT pinholes
#******************* FORWARD from WAN to LAN
# bin (DNS)
-A FORWARD -p udp -d 192.168.163.30 --dport 53 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.30 --dport 53 -j ACCEPT
# www
-A FORWARD -p tcp -d 192.168.163.32 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.32 --dport 443 -j ACCEPT
# mail
-A FORWARD -p tcp -d 192.168.163.36 --dport 25 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 66 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 143 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 587 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 993 -j ACCEPT
# psql
-A FORWARD -p tcp -d 192.168.163.35 --dport 5432 -j ACCEPT
# sip
-A FORWARD -p tcp -d 192.168.163.33 --dport 5060 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
</code>
Note that for incoming traffic, each port appears twice: once as a DNAT in the PREROUTING chain of the nat table, and once as an ACCEPT in the FORWARD chain of the filter table. Both are needed: a DNAT without its FORWARD rule ends in the final FORWARD DROP.
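As an added example (not part of the original page), a small shell audit of a rules.v4 file: it checks the "each port appears twice" invariant above and lists which ports the router itself accepts on the WAN interface. The sample file it runs on is constructed from a subset of the rules above, with one FORWARD rule deliberately left out.

```shell
# Added example, not from the page: audit a rules.v4 for the invariant stated
# above (every DNAT pinhole in *nat needs a FORWARD ACCEPT in *filter) and
# list the ports the router itself accepts from the WAN side.

# Print "proto dest port" for each PREROUTING DNAT lacking a FORWARD ACCEPT.
missing_forwards() {
    awk '
    /^-A PREROUTING/ && /-j DNAT/ {
        p = dst = ""
        for (i = 1; i <= NF; i++) { if ($i == "-p") p = $(i+1); if ($i == "--to-destination") dst = $(i+1) }
        split(dst, a, ":"); dnat[p " " a[1] " " a[2]] = 1
    }
    /^-A FORWARD/ && /-j ACCEPT/ && /-p / {
        p = d = port = ""
        for (i = 1; i <= NF; i++) { if ($i == "-p") p = $(i+1); if ($i == "-d") d = $(i+1); if ($i == "--dport") port = $(i+1) }
        fwd[p " " d " " port] = 1
    }
    END { for (k in dnat) if (!(k in fwd)) print k }' "$1"
}

# Print the ports accepted in INPUT on the given WAN interface (Internet-exposed services).
wan_input_ports() {
    awk -v wan="$2" '
    /^-A INPUT/ && /-j ACCEPT/ {
        iface = port = ""
        for (i = 1; i <= NF; i++) { if ($i == "-i") iface = $(i+1); if ($i == "--dport") port = $(i+1) }
        if (iface == wan && port != "") print port
    }' "$1"
}

# Constructed sample: a subset of the rules above, with the FORWARD rule for
# the SIP pinhole deliberately missing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 192.168.163.32:443
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5060 -j DNAT --to-destination 192.168.163.33:5060
COMMIT
*filter
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A FORWARD -p udp -d 192.168.163.30 --dport 53 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.32 --dport 443 -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
echo "pinholes without FORWARD rule: $(missing_forwards "$SAMPLE")"
echo "router ports open on WAN: $(wan_input_ports "$SAMPLE" eth1)"
```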
===== QoS =====
==== Traffic categories ====
(work in progress)
Line speed tests (with apt install speedtest-cli): 14.5 / 1.25 Mbit/s
(after [[https://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-127/QoS-et-gestion-du-trafic-avec-Traffic-Control|this article]])
  * 1 interactive (DNS udp, DNS tcp, other)
  * 2 TCP ACKs
  * 3 SSH
  * 4 SIP/RTP
  * 5 HTTP
  * 6 mail
  * 7 backup (in fact all traffic from 192.168.163.1)
  * 8 miscellaneous
First tests: implemented as in the reference (without SIP, but with the rates and eth1 updated):
<code bash>
#- cleanup (fails harmlessly if no root qdisc is installed yet)
tc qdisc del dev eth1 root
#- root
tc qdisc add dev eth1 root handle 1: htb default 99 r2q 5
#-------- Internet uplink
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1250kbit ceil 1250kbit
#-------- local gigabit
tc class add dev eth1 parent 1:0 classid 1:1000 htb rate 1gbit ceil 1gbit
# == LAN filter
tc filter add dev eth1 parent 1:0 protocol ip prio 1000 handle 1000 fw flowid 1:1000
#---------------- interactive
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 128kbit ceil 200kbit burst 5k prio 1 linklayer atm
#---------------------------- sub interactive: pfifo
tc qdisc add dev eth1 parent 1:10 handle 110: pfifo limit 1000
# == interactive filter
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 10 fw flowid 1:10
#---------------- tcp acks
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 64kbit ceil 1250kbit burst 300 prio 2 linklayer atm
#---------------------------- sub tcp acks: pfifo
tc qdisc add dev eth1 parent 1:20 handle 120: pfifo limit 1000
# == tcp acks filter
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 20 fw flowid 1:20
#---------------- ssh
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 64kbit ceil 300kbit burst 2k prio 3 linklayer atm
#---------------------------- sub ssh: sfq
tc qdisc add dev eth1 parent 1:30 handle 130: sfq perturb 10
# == ssh filter
tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 30 fw flowid 1:30
#---------------- http/s
tc class add dev eth1 parent 1:1 classid 1:40 htb rate 256kbit ceil 1250kbit burst 2k prio 4
#####################
#---------------------------- http/s sub 1
tc class add dev eth1 parent 1:40 classid 1:41 htb rate 100kbit ceil 1250kbit burst 2k prio 4 linklayer atm
#--------------------------------------------- sub http1: sfq
tc qdisc add dev eth1 parent 1:41 handle 141: sfq perturb 10
# == http/s sub 1 filter
tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 41 fw flowid 1:41
#####################
#---------------------------- http/s sub 2
tc class add dev eth1 parent 1:40 classid 1:42 htb rate 100kbit ceil 1250kbit burst 2k prio 4 linklayer atm
#--------------------------------------------- sub http2: sfq
tc qdisc add dev eth1 parent 1:42 handle 142: sfq perturb 10
# == http/s sub 2 filter
tc filter add dev eth1 parent 1:0 protocol ip prio 5 handle 42 fw flowid 1:42
#####################
#---------------------------- http/s sub 9
tc class add dev eth1 parent 1:40 classid 1:49 htb rate 56kbit ceil 1250kbit burst 2k prio 4 linklayer atm
#--------------------------------------------- sub http9: sfq
tc qdisc add dev eth1 parent 1:49 handle 149: sfq perturb 10
# == http/s sub 9 filter
tc filter add dev eth1 parent 1:0 protocol ip prio 6 handle 49 fw flowid 1:49
#####################
#---------------- torrent
tc class add dev eth1 parent 1:1 classid 1:50 htb rate 128kbit ceil 1250kbit burst 2k prio 5 linklayer atm
#---------------------------- sub torrent: sfq
tc qdisc add dev eth1 parent 1:50 handle 150: sfq perturb 10
# == bittorrent filter
tc filter add dev eth1 parent 1:0 protocol ip prio 7 handle 50 fw flowid 1:50
#---------------- default
tc class add dev eth1 parent 1:1 classid 1:99 htb rate 128kbit ceil 1250kbit burst 2k prio 5 linklayer atm
#---------------------------- sub default: sfq
tc qdisc add dev eth1 parent 1:99 handle 199: sfq perturb 10
# == default filter
tc filter add dev eth1 parent 1:0 protocol ip prio 99 handle 99 fw flowid 1:99
</code>
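The tc filters above are of type fw, so they classify on the packet's firewall mark, and nothing on this page sets those marks. As an added example (not the author's setup), here is a generator for a mangle-table fragment that marks WAN-bound traffic with the handle values of those filters; the port-to-class mapping is an assumption drawn from the category list, and the torrent class 1:50 is left out because the page gives no ports for it.

```shell
# Added example, not from the page: print mangle rules that set the marks the
# tc "fw" filters above select on (10, 20, 30, 41, 1000; class 99 is htb's
# default and needs no mark). Apply with: mark_rules eth1 | iptables-restore -n
mark_rules() {
    wan=${1:-eth1}
    # MARK does not stop rule traversal, so "-m mark --mark 0" makes the first match win.
    cat <<EOF
*mangle
:POSTROUTING ACCEPT [0:0]
# 1:1000 local gigabit class: traffic that stays on the $wan subnet
-A POSTROUTING -o $wan -d 192.168.153.0/24 -m mark --mark 0 -j MARK --set-mark 1000
# 1:20 small pure ACKs first, so downloads keep flowing on the 1.25 Mbit/s uplink
-A POSTROUTING -o $wan -p tcp --tcp-flags ALL ACK -m length --length :64 -m mark --mark 0 -j MARK --set-mark 20
# 1:10 interactive: DNS
-A POSTROUTING -o $wan -p udp --dport 53 -m mark --mark 0 -j MARK --set-mark 10
-A POSTROUTING -o $wan -p tcp --dport 53 -m mark --mark 0 -j MARK --set-mark 10
# 1:30 ssh, both directions (the router accepts ssh from the WAN)
-A POSTROUTING -o $wan -p tcp --dport 22 -m mark --mark 0 -j MARK --set-mark 30
-A POSTROUTING -o $wan -p tcp --sport 22 -m mark --mark 0 -j MARK --set-mark 30
# 1:41 http/s: LAN browsing and replies from the DNATed web server
-A POSTROUTING -o $wan -p tcp -m multiport --dports 80,443 -m mark --mark 0 -j MARK --set-mark 41
-A POSTROUTING -o $wan -p tcp -m multiport --sports 80,443 -m mark --mark 0 -j MARK --set-mark 41
COMMIT
EOF
}

mark_rules eth1
```

Everything left unmarked falls into class 1:99, the htb default.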
===== Fallback procedure via smartphone =====
DSLAM failure case
Apart perhaps from some overpriced contracts, if the DSLAM fails you are stranded for several days. It can be worthwhile to use, as a stopgap, the Wi-Fi hotspot built into a smartphone.
If needed (and it often will be), check and enable Wi-Fi with
<code bash>
rfkill
</code>
and, if necessary:
<code bash>
rfkill unblock 0   # or 1...
</code>
Find the name of your Wi-Fi interface (normally wlan0) and add
<code>
auto wlan0
iface wlan0 inet dhcp
</code>
to /etc/network/interfaces.
Prepare an /etc/wpa_supplicant/wpa_supplicant-wlan0.conf:
<code>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="momwifi"
    psk="monpassw"
}
</code>
And a link (what systemctl enable wpa_supplicant@wlan0.service would create):
<code bash>
ln -s /lib/systemd/system/wpa_supplicant@.service /etc/systemd/system/multi-user.target.wants/wpa_supplicant@wlan0.service
</code>
Reboot to initialise everything.
Pinging the interface, as well as the upstream router, should now work. Now routing has to be changed.
The routing table should look like:
<code>
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.153.254 0.0.0.0         UG    0      0        0 eth1
192.168.43.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.153.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.163.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
</code>
Let's change the default route (gateway 192.168.41.1 with free.fr):
<code bash>
route del default
route add default gw 192.168.43.1 wlan0
route -n
</code>
This routing will have to be made permanent. To be tested in /etc/network/interfaces:
<code>
up ip route add...
</code>