Friday 4 February 2011

HOWTO: Configure A Router

Now we get to turn our Debian or Ubuntu server into a router. Read on!

Prerequisites;
1) A server as per this guide.

2) A working PPPoE or PPPoA based Internet connection. Most consumer ADSL and Cable Internet is provided using one of these protocols, support for which is built into the consumer "router" I am assuming you are currently using.

3) The ISP provided username and password combo for your Internet connection. If you have a "router" that was provided by your ISP they sometimes print these on a label attached to the device, otherwise it will be written on the documentation you received when you signed up (and promptly lost I'm sure). You will have to call your ISP on the actual telephone to retrieve this information if you have lost it.

4) An Ethernet switch and sufficient cables to connect at least two devices. Your current Internet Gateway may currently have the Ethernet switch built in to it. Alternately, you may use a separate switch if you prefer.

5) If you are intending to use a discrete modem (cable or ADSL) and a separate switch then two LAN cards are required. Unless you are one of the incredibly lucky few who have access to FttH you will most likely have some form of ADSL or Cable service with speeds measured in single-figure megabits. This means that it is perfectly OK to reuse a discarded old 100baseT adapter (or indeed even a 10baseT if you still have one of those in the antiques cupboard) for your WAN interface. Even the slowest LAN card will be considerably faster than most current Internet connections. If you intend to go down the Router-in-bridged-mode road then a single Ethernet adapter will suffice.

OK, now that you have all the prerequisites in order, and a basic server up and running we can get on with bidness proper.

The first thing we need to do is install a few packages we will need before we disconnect ourselves from the Internet.

apt-get install pppoeconf ppp

Next we configure the LAN side of the network.

Note: I will assume that your LAN adapter is eth0 from this point onwards. If you are using two Ethernet adapters this would make your WAN interface eth1.

Because we are configuring a router, we must use a static IP address for our LAN adapter. If you followed my server guide then you have already done that, otherwise you should backtrack and configure a static IP address as per that guide.
Pro Tip: For testing purposes, I recommend that you configure some other PC on your LAN with a static IP in the 10.1.1.x subnet with a default gateway of 10.1.1.1. We will be using this PC from time to time for testing. This can be either a Linux or Windows PC.

Plug both the server and client hosts into your LAN and check that you can ping the server at 10.1.1.1 from the client.

OK. Once you can ping your server from the test PC we can continue.
The next step varies depending on whether you are using a single adapter and a router in "bridged mode" or a separate modem and 2 Ethernet adapters.

Separate modem and two adapters: You must configure eth1 as per the above instructions for eth0 using any old IP address you like. I suggest you use 192.168.254.254/24. The address will not be used for anything on your network but is required so that the pppoeconf utility in the next section can locate your modem. Make sure you plug your modem into this interface.

Consumer router in "bridged" mode: You will need to configure the router in "bridged" mode[1] according to the instructions provided by the manufacturer of the device. On my DG834G it is a simple matter of browsing to http://192.168.0.254/setup.cgi?next_file=mode.htm (where 192.168.0.254 is the address of my gateway) and setting the drop-down box to "Modem Only". I found that info via a Google search here. You should do a Google search for something like my-gw-model-number +"bridged mode" or similar to find instructions on how to configure your particular router.

Once you have your router in bridge mode, we can use the pppoeconf utility to configure a PPP connection to our ISP;

sudo pppoeconf

Go through each screen choosing the default option until you get to the "ENTER USERNAME" screen. Enter the username for your ISP account here.

The next screen asks for your password, enter that too.

In the "USE PEER DNS" screen select "No"

Select the default option on all the remaining screens.

You should now have Internet connectivity on this host. You can check this with the ifconfig command;

ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:123.4.56.789 P-t-P:123.4.8.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:59687317 errors:0 dropped:0 overruns:0 frame:0
TX packets:50606162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2967668270 (2.9 GB) TX bytes:2950135549 (2.9 GB)
You should (hopefully) see a ppp0 adapter in the output similar to this. If you do, we should do a few more tests. First, let's check we can ping our DNS server. To find your DNS server type;

cat /etc/resolv.conf

There should be an entry "nameserver" with an IP address in the output.

Let's ping that IP address and see if it works;

ping -c 4 208.67.222.222
PING 208.67.222.222 (208.67.222.222) 56(84) bytes of data.
64 bytes from 208.67.222.222: icmp_seq=1 ttl=55 time=322 ms
64 bytes from 208.67.222.222: icmp_seq=2 ttl=55 time=196 ms
64 bytes from 208.67.222.222: icmp_seq=3 ttl=55 time=281 ms
64 bytes from 208.67.222.222: icmp_seq=4 ttl=55 time=547 ms

--- 208.67.222.222 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 196.763/337.020/547.292/129.589 ms
(The IP above is for OpenDNS)

We can test that DNS is working by pinging by name;

ping -c 4 www.google.com
PING www.l.google.com (74.125.237.18) 56(84) bytes of data.
64 bytes from 74.125.237.18: icmp_seq=1 ttl=57 time=261 ms
64 bytes from 74.125.237.18: icmp_seq=2 ttl=57 time=285 ms
64 bytes from 74.125.237.18: icmp_seq=3 ttl=57 time=24.2 ms
64 bytes from 74.125.237.18: icmp_seq=4 ttl=57 time=122 ms
If you got this far then that is great, but please be aware that although our Internet connection is now up and working, we have not done enough to get our LAN clients up and on the 'net. For that we need to configure routing, NAT and a firewall.

We can enable routing (IP forwarding) by editing the following file;

sudo vi /etc/sysctl.conf

Find the following line and change it from 0 to 1;

net.ipv4.ip_forward=1

To configure an extremely basic firewall, create a file in a suitable location such as /usr/sbin/ with the following contents;

sudo vi /usr/sbin/firewall
8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#!/bin/bash
# Basic router firewall. It is started from /etc/rc.local, which runs as root,
# so the iptables calls need no sudo; run it as root (or via sudo) by hand.

WAN=ppp0
LAN=eth0

# Flush both the filter and nat tables. A bare --flush only empties the
# filter table, so re-running the script would stack duplicate MASQUERADE rules.
/sbin/iptables --flush
/sbin/iptables -t nat --flush

# Accept ALL packets inbound from our local networks
/sbin/iptables -A INPUT -i $LAN -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Do NAT for LAN clients
/sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow ping packets
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# Allow returning packets for established sessions
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all traffic out from this host and our LAN clients
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN -j ACCEPT

# Drop all other traffic inbound from the Internet
/sbin/iptables -A INPUT -i $WAN -j DROP
/sbin/iptables -A FORWARD -i $WAN -j DROP

8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Note: This is not a particularly secure firewall. It allows any host on your LAN to send anything out, and it only drops unwanted packets arriving on the WAN interface (ppp0).
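A hardened variant of the script above, added here as an example and not the post's own script: it keeps the same ppp0/eth0 interfaces and assumes the test-PC subnet from earlier is 10.1.1.0/24 (the /24 is an assumption). It switches INPUT and FORWARD to default-deny, refuses packets that arrive on the WAN claiming a LAN source address, drops untracked packets, and loads the whole ruleset atomically with iptables-restore so a re-run never stacks duplicate NAT rules.

```shell
#!/bin/bash
# Hardened router firewall (added example, not the post's script). Assumes the
# post's ppp0 WAN / eth0 LAN and a 10.1.1.0/24 LAN (the /24 is an assumption).
# The ruleset is written in iptables-save format and loaded atomically with
# iptables-restore, so a re-run replaces everything instead of appending rules.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-10.1.1.0/24}

generate_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only masquerade traffic that genuinely originates in our LAN subnet
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
# Default deny for INPUT and FORWARD; anything allowed is listed explicitly
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to sessions we (or LAN clients) opened; drop untracked junk
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: nothing arriving on the WAN may carry a LAN source address
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
# LAN hosts may reach the router and the Internet, but only from LAN addresses
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
# Rate-limited echo requests so the link can still be diagnosed from outside
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}
# Atomic load: a syntax error leaves the previous ruleset in place
apply_rules() {
    generate_rules | /sbin/iptables-restore
}
# --show prints the ruleset; --apply loads it (run as root, e.g. from rc.local)
case "${1:-}" in
    --show) generate_rules ;;
    --apply) apply_rules ;;
esac
```

Call it with --apply from rc.local in place of the basic script, and check what would be loaded first with --show.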

Make the firewall script executable;

sudo chmod +x /usr/sbin/firewall

To make the firewall start at boot simply edit your rc.local file.

sudo vi /etc/rc.local

Add this line to the end (but before the "exit 0" line)

/usr/sbin/firewall

You should reboot your router/server now and redo the ping tests as shown above.

Now that the router has been rebooted and assuming the ping tests have worked OK, you should be able to use your LAN client with the static IP address and ping/browse to the Internet.

That's great, but we don't want to be configuring all our clients with static addresses, so we probably should configure our router as a DHCP server as well.

And while we are at it, why don't you take the next step and turn your router into a funky caching DNS server too.

Or even better, connect your sites together with encrypted VPNs using this super easy Five Minute VPN Guide.

[1] AKA "modem" or "modem only" mode.
