This is an old revision of the document!


Use Raspberry Pi 4 as router

Why?

Why not use the router provided by the ISP?

The trigger was a QoS problem: the need to give priority to some services, such as SIP for the Asterisk PABX.

How?

Use the tutorial to install your Pi 4. As the Pi 4 is fully dedicated to the router function, we work as root, disable password authentication in sshd and connect with SSH keys only.

Stop DHCPCd

DHCPCD is standard on Raspbian, but for this use it is not clear that it has any advantage over the good old networking service, so it is disabled (source here). This is better done from the console, or with the static configuration below already written, since stopping dhcpcd can drop the leased address and with it your SSH session.

systemctl stop dhcpcd
systemctl disable dhcpcd
apt remove dhcpcd5

The basic /etc/network/interfaces is set to:

auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
        address 192.168.163.252
        netmask 255.255.255.0
        gateway 192.168.163.254
        network 192.168.163.0
        broadcast 192.168.163.255
        dns-nameservers 192.168.163.30 8.8.8.8
        dns-search couderc.eu

After:

ifup eth0

both the old and the new IP addresses should answer to ping…

Connect to the internet

You need to configure your ISP box to pass all traffic to the Pi (its DMZ setting, where available). This is done through an additional physical USB3-to-RJ45 adapter (USB2 would probably do, but why skimp?). Here the box and the Pi share a subnetwork; with a plain modem, PPPoE could be used instead.

So we add a second interface :

auto eth1
iface eth1 inet static
        address 192.168.153.2
        netmask 255.255.255.0
        gateway 192.168.153.254
        network 192.168.153.0
        broadcast 192.168.153.255
        dns-nameservers 192.168.153.1 212.27.40 8.8.8.8
        dns-search couderc.eu
        up /usr/local/bin/wondershaper eth1 14000 1000

The last line will be explained later.

Routing

NAT and filtering are done with iptables; iptables-persistent reloads the saved rules at boot. Forwarding itself must also be enabled in the kernel (net.ipv4.ip_forward=1, set in /etc/sysctl.conf so that it survives a reboot), otherwise nothing passes between eth0 and eth1 whatever the rules say.

Here is an example for /etc/iptables/rules.v4

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# eth1 is WAN interface, #eth0 is LAN interface
-A POSTROUTING -o eth1 -j MASQUERADE

#******************* PREROUTING from WAN to LAN : see too below
# bin
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
# www
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.163.32:80
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 192.168.163.32:443
# mail
-A PREROUTING -p tcp -m tcp -i eth1 --dport 25 -j DNAT --to-destination 192.168.163.36:25
-A PREROUTING -p tcp -m tcp -i eth1 --dport 66 -j DNAT --to-destination 192.168.163.36:66
-A PREROUTING -p tcp -m tcp -i eth1 --dport 143  -j DNAT --to-destination 192.168.163.36:143
-A PREROUTING -p tcp -m tcp -i eth1 --dport 587 -j DNAT --to-destination 192.168.163.36:587
-A PREROUTING -p tcp -m tcp -i eth1 --dport 993 -j DNAT --to-destination 192.168.163.36:993
# psql
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5432 -j DNAT --to-destination 192.168.163.35:5432
#sip
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5060  -j DNAT --to-destination 192.168.163.33:5060

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

### Service rules: what piIVrouter itself accepts

# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable


# SSH - accept from LAN
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# SSH - accept from WAN
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT



# drop all other inbound traffic
-A INPUT -j DROP

### Forwarding rules: what goes through

# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# forward from LAN (eth0) to WAN (eth1)
-A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow traffic from our NAT pinhole
#******************* FORWARD from WAN to LAN
# bin
-A FORWARD -p udp -d 192.168.163.30 --dport 53 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.30 --dport 53 -j ACCEPT
# www
-A FORWARD -p tcp -d 192.168.163.32 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.32 --dport 443 -j ACCEPT
# mail
-A FORWARD -p tcp -d 192.168.163.36 --dport 25 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 66 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 143 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 587 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 993 -j ACCEPT
# psql
-A FORWARD -p tcp -d 192.168.163.35 --dport  5432 -j ACCEPT
#sip
-A FORWARD -p tcp -d 192.168.163.33 --dport 5060 -j ACCEPT

# drop all other forwarded traffic
-A FORWARD -j DROP

COMMIT

Note that for incoming traffic each port appears twice: once in the nat PREROUTING chain, where DNAT rewrites the destination, and once in the filter FORWARD chain, which sees the packet after the rewrite and must ACCEPT it for the new destination. A few things to check before loading this file:

  • iptables-restore --test < /etc/iptables/rules.v4 parses the file without loading it, which catches a syntax error before a reboot locks you out.
  • This file covers IPv4 only; iptables-persistent loads /etc/iptables/rules.v6 separately, so if the ISP provides IPv6 the router accepts every IPv6 packet on INPUT until a rules.v6 exists (or IPv6 is disabled).
  • SSH is accepted from the WAN (eth1) and we work as root, so password authentication really must stay off (PasswordAuthentication no and PermitRootLogin prohibit-password in /etc/ssh/sshd_config); restricting that rule with -s to known source addresses is safer still.
  • The DNS pinhole exposes 192.168.163.30 to the whole Internet: it must answer only for its own zones, or limit recursion to the LAN, or it becomes an open resolver usable for amplification attacks.
  • The PostgreSQL pinhole (5432) exposes the database server to the Internet; unless remote clients really need it, drop it or restrict it with -s.
  • Only TCP 5060 is forwarded for SIP. Asterisk listens on UDP 5060 by default and carries RTP on UDP 10000-20000 (the rtp.conf defaults), so external SIP peers also need those forwarded, again in both chains.
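The pairing can be checked mechanically. The script below is an added example, not part of this page: it reads a rules.v4 file, lists the DNAT pinholes from the nat table and the host/port ACCEPT rules from the FORWARD chain, and reports any entry present in one but not the other. The sample ruleset it writes is constructed for the demonstration, in the layout of the file above.

```shell
#!/bin/sh
# Added example, not part of the original page: cross-check an iptables-persistent
# rules.v4 file so that every WAN->LAN DNAT pinhole in the nat table has its ACCEPT
# in the filter FORWARD chain, and every such FORWARD ACCEPT still has a DNAT.
# File names and the sample ruleset below are constructed for illustration.

# Emit "proto dest port" for each PREROUTING DNAT rule in the file $1.
dnat_pinholes() {
    awk '/^-A PREROUTING/ && /-j DNAT/ {
            proto = ""; dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            n = split(dst, a, ":")
            port = (n >= 2) ? a[2] : dport   # DNAT without :port keeps the original port
            if (proto != "" && a[1] != "" && port != "") print proto, a[1], port
        }' "$1" | LC_ALL=C sort -u
}

# Emit "proto dest port" for each FORWARD ACCEPT rule that names a host and a port.
forward_pinholes() {
    awk '/^-A FORWARD/ && /-j ACCEPT/ {
            proto = ""; dst = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && dst != "" && port != "") print proto, dst, port
        }' "$1" | LC_ALL=C sort -u
}

# Print the asymmetries between the two lists; succeed only when there are none.
check_pinholes() {
    nat_list=$(mktemp); fwd_list=$(mktemp)
    dnat_pinholes "$1" > "$nat_list"
    forward_pinholes "$1" > "$fwd_list"
    only_nat=$(LC_ALL=C comm -23 "$nat_list" "$fwd_list")
    only_fwd=$(LC_ALL=C comm -13 "$nat_list" "$fwd_list")
    rm -f "$nat_list" "$fwd_list"
    status=0
    if [ -n "$only_nat" ]; then
        printf 'DNAT without FORWARD ACCEPT (rewritten, then dropped):\n%s\n' "$only_nat"
        status=1
    fi
    if [ -n "$only_fwd" ]; then
        printf 'FORWARD ACCEPT without DNAT (dead pinhole, tighten or remove):\n%s\n' "$only_fwd"
        status=1
    fi
    return $status
}

# Constructed sample in the page's layout, written to the file $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 192.168.163.32:443
-A PREROUTING -p tcp -m tcp -i eth1 --dport 993 -j DNAT --to-destination 192.168.163.36:993
-A PREROUTING -p udp -i eth1 --dport 5060 -j DNAT --to-destination 192.168.163.33
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -p udp -d 192.168.163.30 --dport 53 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.32 --dport 443 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 993 -j ACCEPT
-A FORWARD -p udp -d 192.168.163.33 --dport 5060 -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Usage: sh check_pinholes.sh /etc/iptables/rules.v4
if [ "$#" -eq 1 ]; then check_pinholes "$1"; fi
```

Run it against the real file before iptables-restore: a non-zero exit means either a DNAT whose packets are rewritten and then hit the final FORWARD DROP, or a FORWARD ACCEPT that no DNAT ever feeds.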

QoS

Flow categories

(from here)

  • 1 interactive (DNS…)
  • 2 TCP ACKs
  • 3 SSH
  • 4 SIP/RTP
  • 5 HTTP
  • 6 Miscellaneous, including backups to the standby server.
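As an added example (not the page's configuration, and not what wondershaper installs), here is one way to turn those six categories into an HTB tree on the WAN interface with tc. The class shares, the SSH and HTTP ports, and the use of the PABX address 192.168.163.33 (the SIP DNAT target above) to catch its RTP streams are assumptions; the 1000 kbit/s uplink is the value passed to wondershaper above.

```shell
#!/bin/sh
# Added example, not from the original page: an HTB tree on the WAN interface with
# one class per flow category listed above. The split percentages, the SSH/HTTP
# ports and the use of the PABX address 192.168.163.33 (the page's SIP DNAT target)
# to catch its RTP are assumptions; the uplink rate comes from the page's
# wondershaper call (1000 kbit/s). Must run as root; it replaces the root qdisc.

PABX=192.168.163.33

# Print the tc commands for device $1 with an uplink rate of $2 kbit/s.
qos_commands() {
    dev=$1; rate=$2
    echo "tc qdisc del dev $dev root 2>/dev/null || true"
    # tc parses classids and 'default' as hex; both are written the same way here
    echo "tc qdisc add dev $dev root handle 1: htb default 16"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit"
    # classid:prio:guaranteed share (%) for the six categories, in the page's order;
    # every class may borrow up to the full rate (ceil) when the others are idle
    for spec in 11:1:10 12:2:10 13:3:10 14:4:30 15:5:20 16:6:20; do
        id=${spec%%:*}; rest=${spec#*:}; prio=${rest%%:*}; pct=${rest#*:}
        echo "tc class add dev $dev parent 1:1 classid 1:$id htb rate $((rate * pct / 100))kbit ceil ${rate}kbit prio $prio"
        echo "tc qdisc add dev $dev parent 1:$id handle $id: sfq perturb 10"
    done
    f="tc filter add dev $dev parent 1: protocol ip"
    # 1 interactive: DNS queries going out and answers from the LAN DNS server
    echo "$f prio 1 u32 match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:11"
    echo "$f prio 1 u32 match ip protocol 17 0xff match ip sport 53 0xffff flowid 1:11"
    # 2 pure TCP ACKs: no IP options, total length < 64, TCP flags byte == ACK
    echo "$f prio 2 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:12"
    # 3 SSH
    echo "$f prio 3 u32 match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:13"
    echo "$f prio 3 u32 match ip protocol 6 0xff match ip sport 22 0xffff flowid 1:13"
    # 4 SIP signalling, plus everything the PABX sends (its RTP streams)
    echo "$f prio 4 u32 match ip protocol 17 0xff match ip dport 5060 0xffff flowid 1:14"
    echo "$f prio 4 u32 match ip protocol 17 0xff match ip sport 5060 0xffff flowid 1:14"
    echo "$f prio 4 u32 match ip src $PABX/32 flowid 1:14"
    # 5 HTTP(S): requests from the LAN and answers from the hosted web server
    for p in 80 443; do
        echo "$f prio 5 u32 match ip protocol 6 0xff match ip dport $p 0xffff flowid 1:15"
        echo "$f prio 5 u32 match ip protocol 6 0xff match ip sport $p 0xffff flowid 1:15"
    done
    # 6 everything else lands in the default class 1:16
}

# Apply the tree (root required), e.g. from the 'up' line of eth1 in /etc/network/interfaces.
apply_qos() { qos_commands "$1" "$2" | sh -e; }

# Usage: sh qos.sh eth1 1000   (prints the commands; pipe into sh as root to apply)
if [ "$#" -eq 2 ]; then qos_commands "$1" "$2"; fi
```

Shaping only acts on egress, so this governs uploads through eth1, which is what the SIP traffic of the PABX needs; downloads can only be policed, or shaped on eth0 towards the LAN. The ACK filter deliberately sits before the SSH and HTTP ones so that bare acknowledgements of any flow get out quickly.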

Fallback procedure via smartphone

In case of DSLAM failure

Short of some very expensive contracts, if the DSLAM fails you are stranded for several days. It can be worthwhile to fall back on the Wi-Fi hotspot built into a smartphone.

If needed (and it often will be), check that the Wi-Fi is not blocked with

rfkill

and if it is:

rfkill unblock 0 (or 1...)

Find the name of your Wi-Fi interface (normally wlan0) and add

auto wlan0
iface wlan0 inet dhcp

to /etc/network/interfaces

Prepare /etc/wpa_supplicant/wpa_supplicant-wlan0.conf (psk here holds the hotspot passphrase in clear text; wpa_passphrase can generate the hashed PSK to store instead):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="momwifi"
    psk="monpassw"
}

And enable the per-interface service (this creates the wants symlink under /etc/systemd/system for you):

systemctl enable wpa_supplicant@wlan0.service

Reboot to initialise everything.

Pinging the interface, and then the hotspot's gateway, should work. Now we need to route.

The routing table should look like:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.153.254 0.0.0.0         UG    0      0        0 eth1
192.168.43.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.153.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.163.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

Change the default route (gateway 192.168.43.1 with a free.fr phone):

route del default
route add default gw 192.168.43.1 wlan0
route -n

This routing must be made permanent. To be tested in /etc/network/interfaces:

up ip route add...

Note too that the MASQUERADE and FORWARD rules above are tied to eth1: LAN clients will only get out through wlan0 once equivalent rules exist for that interface.
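To avoid doing the switch by hand each time, here is an added example (not from this page) of a small failover script: it probes a public address through the DSL gateway via a host route, and moves the default route to the hotspot or back to eth1 accordingly. The interfaces and gateways are the ones used on this page; the probe address 8.8.8.8 and the script path in the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: switch the default route to the
# smartphone hotspot when the DSL path stops working, and back when it recovers.
# Interface and gateway addresses are the ones used on this page; PROBE is an
# assumed public address reached only through the DSL gateway to test that path.

WAN_IF=eth1;     WAN_GW=192.168.153.254
BACKUP_IF=wlan0; BACKUP_GW=192.168.43.1
PROBE=8.8.8.8

# Force PROBE through the DSL gateway with a host route, so the check stays
# meaningful even while the default route already points at the hotspot.
wan_is_up() {
    ip route replace "$PROBE/32" via "$WAN_GW" dev "$WAN_IF" 2>/dev/null || return 1
    ping -c 2 -W 2 "$PROBE" >/dev/null 2>&1
}

# Print "GATEWAY INTERFACE" that the default route should use right now.
choose_default() {
    if wan_is_up; then
        echo "$WAN_GW $WAN_IF"
    else
        echo "$BACKUP_GW $BACKUP_IF"
    fi
}

# Print "GATEWAY INTERFACE" of the current default route (nothing if there is none).
current_default() {
    ip route show default 2>/dev/null | awk 'NR == 1 { print $3, $5 }'
}

# Change the default route only when it differs from the wanted one.
failover() {
    wanted=$(choose_default)
    if [ "$wanted" != "$(current_default)" ]; then
        set -- $wanted   # split "GATEWAY INTERFACE" into $1 and $2
        logger -t failover "default route -> via $1 dev $2"
        ip route replace default via "$1" dev "$2"
    fi
}

# Run from cron every minute as root:  * * * * * /usr/local/sbin/failover.sh run
case "${1:-}" in run) failover ;; esac
```

The probe goes through eth1 whatever the current default route is, so the script also notices when the DSL comes back and returns to it on its own; the route change is logged through syslog so that flapping is visible.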
public/use_raspberry_4_as_router.1628371376.txt.gz · Last modified: 2021/08/07 21:22 by pcouderc
