I don’t like to cover “current events” very much, but the American government just revealed a truly bewildering policy effectively banning import of new consumer router models. This is ridiculous for many reasons, but if this does indeed come to pass it may be beneficial to learn how to “homebrew” a router.
Fortunately, you can make a router out of basically anything resembling a computer.
↫ Noah Bailey
I genuinely can’t believe making your own router with Linux or BSD might become a much more widespread thing in the US. I’m not saying it’s a bad thing – it’ll teach some people something new – but it just feels so absurd.

This sudden happening almost certainly means they’ve found another Chinese kill switch in something China makes. China accidentally flipped on the kill switch for power inverters on American solar power farms a while ago, and the U.S. government has not revealed how much damage was done, just that it happened.
I’m not saying you’re wrong, but I think it’s more insidious than that. I feel like it’s a way for the US government to force American technology companies to build in kill switches of their own, with the keys shared with the government, so they can remotely disable any router they want to if the person behind it is exercising their free speech on the Internet in a way the government doesn’t like.
Now, I’m not normally one for conspiracy theories, but this one has roots in reality given the current administration’s efforts to prevent non-MAGAts from voting by mail, ICE goons attacking and even killing peaceful protesters, and so on.
Yeah, but we’ve already seen this same scenario play out with 5G network infrastructure, so I guess see if every other western country follows suit after they share the intelligence with them like they did with 5G.
No clue on the possible connection you give. I did read a report from a guy who did research on political connections (money ‘donations’, PAC activity, congressional meetings, etc…) and he pointed to NETGEAR as a potential instigator working against the market dominance of TP-Link (and its obvious Chinese connections). Plenty of links to source material. /pwnhub sub if that tells you enough about where to look 🙂 I’m not sure about posting links here, so I’m avoiding that. Like many, I’m just waiting to see what comes out about it in the future, and potential lawsuits.
For those who would prefer an OpenBSD based setup rather than Linux: https://btxx.org/posts/diy-home-network/
Thanks for the article, but for those who just want a high level solution, try one of these:
* OpenWRT (modern DD-WRT alternative running on basically anything, including hacked TPLink):
https://openwrt.org/
* pfSense / opnSense (FreeBSD)
https://www.pfsense.org/, https://opnsense.org/
Extremely solid firewall choices loaded with features. Snort, network UPS, various VPNs, VLAN, … basically everything is supported. For “beefier” machines. Maybe prefer this if you have at least 8/16GB RAM. Also runs entirely from ramdisk for security.
* IPFire / VyOS
https://www.ipfire.org/, https://vyos.io/
Higher end Linux routers (if you prefer that over FreeBSD). VyOS is command line only, but similar to Unifi as a methodology.
* FreshTomato
https://freshtomato.org/
Low end, similar to openWRT, smaller, but might be more for your tastes
There are many more, but I’ll keep the list short.
My personal recommendation
For low end devices, or repurposing existing routers: OpenWRT
For high end “old server” hardware: OPNSense
Half a year ago I made a router out of an old Fujitsu Futro that I bought for about 15 USD, and a USB Realtek network card as the LAN connection, also ca. 15 USD (this cheapest Futro doesn’t have an expansion slot). With OPNSense it was reasonably easy to set up and works amazingly well and is super stable.
I’ve done the same with an HP T620 thin client, it has a mini-PCIe slot and you can remove the serial port and replace it with a Gigabit NIC, here’s pics of when I did that to mine:
https://imgur.com/a/hp-t620-dual-nic-6oXH9nb
With OpenBSD installed it makes for a great router and/or firewall. It also has two internal USB 2.0 sockets, full sockets not headers, that can be used to add Wi-Fi if needed.
Yeah, I also planned to go the OpenBSD route (it works on this Futro, I checked) and follow some openbsd-router tutorial out there, but in the end life happened and “old router dead need new one asap”. I went with the easy option and I am happy with opnsense, and its web interface is cool!
The year of Linux router has come 🙂
This is very interesting as most ISPs here in the US provide wireless routers and extenders. For myself, I have Verizon and the Internet-facing router cannot be replaced with a third party router.
In my case my Verizon router is just used as a firewall and bridge and I have TPLink wireless APs because Verizon’s extenders are too pricy. Most people just buy the Verizon ones though. (Same with Comcast)
The big push behind this came from companies like Netgear and the US government. Netgear makes stuff for twice the price of TPLink and with less functionality. (Like the TPLink switches I have are easy smart switches that have a web interface and cost less than 100 USD, where my old Netgear switches were dumb but cost 150 USD each.)
I hope people fight back and build their own BSD or Linux based routers! I’m all for it!
If I understand the tale correctly, nothing much will change for you in the US. As far as I understand, the measure affects only domestic routers. But then if Verizon or Comcast buy gazillions of routers and distribute them to their customers, it is still a corporate purchase, so it is not affected, right? (maybe I am wrong)
At the end of the day, most will use what their providers hand over.
Here in Europe, I’ve never used a carrier-provided router. For DSL, I buy my own modem, and for the provider that gives me access via an antenna on the roof, well, I just have a cable and set a fixed IP. I have been on pfsense for years. I know that the providers here give you/lease you routers, but I don’t think they force anything down your throat. (And I get reverse-DNS and fixed IPs on both carriers on a domestic line and domestic price.)
Old guides like this that treat IPv6 as optional or don’t cover it at all are very bad for the user, and very bad for the Internet as a whole.
Here IPv6 traffic routes directly out, while legacy traffic goes through a CGNAT gateway. If you only configure legacy IP you’ll have much worse performance, as well as putting more load on the gateway to the detriment of other users.
Nothing happening in the US surprises me anymore.
Product idea:
– Sell a WiFi router with completely normal router hardware and call it a “bastion server” or even just a computer.
– Have it come with either Linux or FreeBSD installed
– Pre-configure a web server to offer an administration web page (behind authentication)
– Pre-configure it to offer a WiFi hotspot served on a known IP address (eg. 192.168.5.1)
– Connecting to the WiFi and authenticating will show some basic config including IP address of the WAN port
– Enable an SSH server out of the box (now it is a bastion server)
From there, you could go a few directions:
One
– Connecting through SSH, you could install a package from the CLI that converts the system into a router
– Router settings would appear in the web configuration pages (with defaults)
– This package(s) would be downloaded off the Internet and not part of what was shipped with the hardware
– You could have other packages too. Create a community project around the package repository.
Two
– Create a setting to be selected in the web UI that does the above when selected
– Perhaps “Enable Internet gateway” or something similar
– Better for non-technical users – more likely to run afoul of the law
Three
– Offer a firmware upgrade off your website that turns the device into a router
– May still attract political attention
In the above, you are not shipping a router. The hardware has a totally legitimate alternate purpose as shipped. It is also totally turn-key to turn it into a router without it having to be a hobby project for regular non-technical people.
Obviously SSH and install packages is the safest legally. There is no difference between that and doing the same thing with any Linux laptop or FreeBSD box. But the other two options would be more convenient for regular users.
I’m using HPE ProLiant MicroServer Gen10 Plus as router
The washing machine is on its way out, I might convert it to a mainframe
I run OpenWrt (amd64) in a VM with PCIe devices passed through. Don’t pass through USB devices, that’ll kill performance.
That leaves the rest of the machine available for other uses.
Ideally you have 2 USB buses so you pass one to openwrt, and the LAN ethernet device supports VFIO, so that a backup connection to the host machine is possible.