If you're curious about how this rather unique project came about, I've written at length about it here: https://develmonk.com/2024/07/18/running-an-arch-linux-router-for-about-a-year/

This is a collection of the most important config files to set up a barebones router on Arch Linux. I add the laptop part because I set it up on an old Thinkpad T520 I'd repurposed as an Active Directory domain server several years prior. Actually, the configs are essentially distro-agnostic, but I like Arch, so I went with it. I put it together because throughput was garbage using pfSense no matter what hardware I used for it. Arch pushes 940 Mbps (1 Gbps line speed) without even breaking a sweat. NICs are a Broadcom NetXtreme BCM57762 PCMCIA card and the built-in Intel 82574L.
- Thin-LVM snapshot taken at boot. Limit 5 + 1 (current). Boots `ro`.
- initrd set is `kernel-install` + `sd-vconsole` + `mkinitcpio` (KISS).
- Uses `systemd-networkd` for routing. Includes a Linux bridge, `br0`, and a `VLAN 201` tag for the phone/fiber WAN our provider CenturyLink here in Seattle uses (not `ppp`). `firewalld` + `networkd` are leveraged for basic filtering and NAT (`masquerade`). `hostapd` for the `Intel AX201` wireless access point.
- Forgot to mention `dnsmasq` - I've added my `dnsmasq.conf` as an example:
  - DHCP reservations to assign clients to certain addresses via MAC.
  - `/etc/hosts` is the repository that defines all local hostnames.
  - The `expand-hosts` option appends the domain name to local DNS resolution.
  - The `dnssec` option causes `dnsmasq.service` to fail. Not sure exactly why, but guessing the Arch package was built without `dnssec` support. Workaround: set `systemd-resolved` as forwarder.
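The WAN-on-VLAN-201 plus `br0` layout described above, as an added example that is not part of this repo's config files: it writes the `systemd-networkd` units for the tagged WAN and the LAN bridge, then binds them to `firewalld` zones so that masquerading and LAN-to-WAN forwarding are explicit. The NIC names (`enp0s25` for WAN, `enp2s0` for LAN) and the LAN subnet are assumptions.

```shell
#!/bin/sh
# Added example, not the repo's own files: networkd units for a VLAN-tagged WAN
# and a bridged LAN, plus the firewalld zone/policy wiring for NAT.
# Interface names and the LAN subnet below are assumptions; adjust to your box.
set -eu

WAN_IF=enp0s25; LAN_IF=enp2s0; WAN_VLAN=201; LAN_CIDR=192.168.10.1/24

# $1 = target directory (normally /etc/systemd/network)
write_networkd() {
    d=$1; mkdir -p "$d"
    # WAN: 802.1Q tag 201 on the raw NIC; the untagged parent carries no address.
    printf '[NetDev]\nName=wan.%s\nKind=vlan\n\n[VLAN]\nId=%s\n' "$WAN_VLAN" "$WAN_VLAN" > "$d/10-wan.netdev"
    printf '[Match]\nName=%s\n\n[Network]\nVLAN=wan.%s\nLinkLocalAddressing=no\n' "$WAN_IF" "$WAN_VLAN" > "$d/20-wan-parent.network"
    # DHCP from the ISP on the tagged link. IPv4Forwarding= needs systemd >= 256;
    # older releases spell it IPForward=yes.
    printf '[Match]\nName=wan.%s\n\n[Network]\nDHCP=ipv4\nIPv4Forwarding=yes\n' "$WAN_VLAN" > "$d/30-wan.network"
    # LAN: bridge br0 with the wired NIC as a port; dnsmasq serves DHCP/DNS on it,
    # so networkd's own DHCP server stays off (the default).
    printf '[NetDev]\nName=br0\nKind=bridge\n' > "$d/40-br0.netdev"
    printf '[Match]\nName=%s\n\n[Network]\nBridge=br0\n' "$LAN_IF" > "$d/45-lan-port.network"
    printf '[Match]\nName=br0\n\n[Network]\nAddress=%s\nConfigureWithoutCarrier=yes\nIPv4Forwarding=yes\n' "$LAN_CIDR" > "$d/50-br0.network"
}

# firewalld: the built-in "external" zone already has masquerade=yes. Since
# firewalld 1.0 zones do not forward to each other, so LAN -> WAN needs a policy.
apply_firewalld() {
    firewall-cmd --permanent --zone=external --change-interface="wan.$WAN_VLAN"
    firewall-cmd --permanent --zone=internal --change-interface=br0
    firewall-cmd --permanent --zone=internal --add-service=dns --add-service=dhcp
    firewall-cmd --permanent --new-policy=lan-to-wan
    firewall-cmd --permanent --policy=lan-to-wan --add-ingress-zone=internal \
        --add-egress-zone=external --set-target=ACCEPT
    firewall-cmd --reload
}

# Sanity check: six unit files written and the VLAN tag landed in the WAN netdev.
check_units() {
    d=$1
    set -- "$d"/*.netdev "$d"/*.network
    [ $# -eq 6 ] && grep -q '^Id=201$' "$d/10-wan.netdev"
}

if [ "${1:-}" = apply ]; then write_networkd /etc/systemd/network; apply_firewalld; fi
```

Run it with `apply` as root, then `networkctl status wan.201 br0` and `firewall-cmd --list-all-policies` to confirm the tagged link got a lease and the forwarding policy is active.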
Was really easy to set up and has been surprisingly more reliable than I ever imagined, working without issue since June of 2023. Not bad for a rolling distro.
I wanted to keep the number of snapshots to a minimum to avoid affecting performance, while still providing decent resiliency + rollback options.
```
[root@router ~]# snapper get-config
Key                      │ Value
─────────────────────────┼──────────
ALLOW_GROUPS             │
ALLOW_USERS              │
BACKGROUND_COMPARISON    │ yes
EMPTY_PRE_POST_CLEANUP   │ yes
EMPTY_PRE_POST_MIN_AGE   │ 3600
FREE_LIMIT               │ 0.2
FSTYPE                   │ lvm(ext4)
NUMBER_CLEANUP           │ yes
NUMBER_LIMIT             │ 6
NUMBER_LIMIT_IMPORTANT   │ 3
NUMBER_MIN_AGE           │ 3600
QGROUP                   │
SPACE_LIMIT              │ 0.5
SUBVOLUME                │ /
SYNC_ACL                 │ no
TIMELINE_CLEANUP         │ no
TIMELINE_CREATE          │ no
TIMELINE_LIMIT_DAILY     │ 2
TIMELINE_LIMIT_HOURLY    │ 1
TIMELINE_LIMIT_MONTHLY   │ 5
TIMELINE_LIMIT_QUARTERLY │ 5
TIMELINE_LIMIT_WEEKLY    │ 3
TIMELINE_LIMIT_YEARLY    │ 5
TIMELINE_MIN_AGE         │ 3600
```
Update - 20240730: I've gotten this setup working on Ubuntu with some minor changes in the way the network is configured through `netplan` and some inconsistencies in the way `firewalld` is configured compared to Arch (spoiler: I found Arch to be much more user-friendly). However, running a system where `maas` is supported as a router means we can use `maas` instead of `dnsmasq` to hand out DHCP leases, combined with all its fun, extra features for device discovery, initialization, and definition, not to mention all the `kvm` and `lxd` integration, right on our LAN. Stay tuned, I'll do a write-up within the next few months.
- Short-range plans include either forking the work they've been doing at openSUSE on rollback with `systemd-boot`, or forking `grub-btrfs`, as a solution like either of those would certainly be helpful for disaster recovery.
- Medium-term would be adapting the network config for `NetworkManager` (replacing `systemd-networkd` and likely `hostapd` through its "internet sharing" feature) for many reasons, but one would be configuring through cockpit and the ease of transitioning to another OS eventually.
- Long-term, I imagine I'll run one of those cool new immutable OSes like openSUSE Leap Micro etc. to ensure a more resilient and hardened system. I've definitely got my eye on adapting it to this immutability OS-meta project already, mostly because then I wouldn't have to leave Arch (I love Arch).

I'm definitely trying all of these eventually, but the router's been working great, so not in any hurry.