We needed a router and wifi access point in the office, and simultaneously both I and my co-worker Ivan needed such a thing at our respective homes. After some discussion, and after reading articles in Ars Technica about building PCs to act as routers, we decided to do just that.
The PC solution seem to offer better performance, but this is actually not a major reason for us.
We want to have systems we understand and can hack. A standard x86 PC running Debian sounds ideal to use.
Why not a cheap commercial router? They tend to be opaque and mysterious, and can't be managed with standard tooling such as Ansible. They may or may not have good security support. Also, they may or may not have sufficient functionality to be nice things, such as DNS for local machines, or the full power if iptables for firewalling.
Why not OpenWRT? Some models of commercial routers are supported by OpenWRT. Finding good hardware that is also supported by OpenWRT is a task in itself, and not the kind of task especially I like to do. Even if one goes this route, the environment isn't quite a standard Linux system, because of various hardware limitations. (OpenWRT is a worthy project, just not our preference.)
We got some hardware:
|Barebone||Qotom Q190G4, VGA, 2x USB 2.0, 134x126x36mm, fanless||130€|
|CPU||Intel J1900, 2-2.4GHz quad-core||-|
|NIC||Intel WG82583, 4x 10/100/1000||-|
|Memory||Crucial CT102464BF160B, 8GB DDR3L-1600 SODIMM 1.35V CL11||40€|
|SSD||Kingston SSDNow mS200, 60GB mSATA||42€|
|WLAN||AzureWave AW-NU706H, Ralink RT3070L, 300M 802.11b/g/n, half mPCIe||17€|
|mPCIe adapter||Half to full mPCIe adapter||3€|
|Antennas||2x 2.4/5GHz 6dBi, RP-SMA, U.FL Cables||7€|
These were bought at various online shops, including AliExpress and verkkokauppa.com.
After assembling the hardware, we installed Debian on them:
Connect the PC to a monitor (VGA) and keyboard (USB), as well as power.
I built a "factory image" to be put on the SSD, and a USB stick installer image, which includes the factory one. Write the installer image on a USB stick, boot off that, then copy the factory image to the SSD and reboot off the SSD.
The router now runs a very bare-bones, stripped-down Debian system, which runs a DHCP server on eth3 (marked LAN4 on the box). You can log as root on the console (no password), or via ssh, but for ssh you need to replace the
/home/ansible/.ssh/authorized_keysfile with one that contains only your public ssh key.
Connect a laptop to the Ethernet port marked LAN4, and get an IP address with DHCP.
Log in with ssh to
firstname.lastname@example.org, and verify that
sudo idworks without password. Except you can't do this, unless you put in your ssh key in the authorized keys file above.
Git clone the ansible playbooks, adjust their parameters in
minipc-router.ymlas wanted, and run the playbook. Then reboot the router again.
You should now have wifi, routing (with NAT), and be generally speaking able to do networking.
There's a lot of limitations and problems:
There's no web UI for managing anything. If you're not comfortable doing sysadmin via ssh (with or without ansible), this isn't for you.
No IPv6. We didn't want to enable it yet, until we understand it better. You can, if you want to.
No real firewalling, but adjust
roles/router/files/ferm.confas you wish.
The router factory image is 4 GB in size, and our SSD is 60 GB. That's a lot of wasted space.
The router factory image embeds our public keys in the
ansibleuser's authorized keys file for ssh. This is because we built this for ourselves first. If there's interest by others in using the images, we'll solve this.
Probably a lot of stupid things. Feel free to tell us what it is (email@example.com would be a good address for that).
If you'd like to use the images and Ansible playbooks, please do. We'd be happy to get feedback, bug reports, and patches. Send them to me (firstname.lastname@example.org) or my ticketing system (email@example.com).