How to turn anything into a router (nbailey.ca)

by yabones 261 comments 777 points


[−] dlenski 46d ago
This is a great writeup! Perhaps I can put in a plug for the create_ap script which I have been maintaining for many years (http://github.com/dlenski/create_ap).

It's a shell script that allows you to turn any ol' Linux computer into a WiFi router in one quick command-line:

By default, it will set up your WiFi card as an access point (allows WPA2/3, MAC filtering, etc.), set up packet forwarding and routing, and run a DHCP and DNS server. It will generally pick sensible defaults, but it's also highly customizable. If your WiFi card supports simultaneous AP and client mode, it will allow that.

Its requirements are extremely minimal: basically just Linux, a compatible wireless card, and a few common configuration packages (hostapd, iw, iproute2, iptables, dnsmasq). No NetworkManager needed.

I used it as my own home Internet gateway for many years, running on an ancient fanless Atom mini-PC.

Because it can quickly set up and tear down WiFi networks on the fly, it's also a valuable tool for setting up test networks when reverse-engineering IoT devices. I use it frequently for this purpose (see https://snowpatch.org/posts/i-can-completely-control-your-sm...).

[−] eptcyka 46d ago
Any tips on good wifi chipsets that do not suck in AP mode?
[−] dlenski 46d ago
If you're okay with old, battle-tested, cheap (and about 2-3 generations back in terms of performance)…

Any ath10k card is great. They support up to 802.11ac, cost about $10 (e.g. amazon.com/dp/B07HDXP9R4), and can run AP in either the 2.4 GHz or 5 GHz bands.

The firmware and driver are very stable and, in terms of regulatory constraints, they defer entirely to the Linux kernel (which means you can use https://github.com/singe/wifi-frequency-hacker or similar for frequency hacking).

I don't have much personal experience with ath11k (802.11ax) or ath12k (802.11be), but I've heard good things about them generally.

For use in a real, practical access point, you want to avoid Intel cards. Intel's firmware completely locks down the ability to run a 5 GHz AP. For whatever reason, Intel takes a maddeningly conservative view of regulatory restrictions. They clearly don't want their cards to be used in APs. On the other hand, Intel's cards have a nice feature that they support dual-channel operation with a single radio (e.g. iw list shows channels <= 2), which is extremely handy for running a quick-and-dirty 2.4 GHz access point while staying connected to a WiFi network.

[−] baby_souffle 46d ago
Which bands and capabilities did you have in mind? For a basic 2.4 GHz, almost anything at this point. Intel and some iteris chipsets are well supported.

mt7996 is good for wifi 7. You can also check the suggested hardware list on the kismet project for good recommendations for older bands and protocol versions

[−] zokier 46d ago

> Intel and some iteris chipsets are well supported.

Intel chipsets categorically do not support AP mode

[−] dlenski 45d ago

> > Intel and some iteris chipsets are well supported.

> Intel chipsets categorically do not support AP mode

This is not true.

Intel chipsets do support AP mode; what they don't support is 5 GHz AP.

You wouldn't want to run a 2.4-GHz-only router for any kind of real-world long-term use, but if you just want to start a quick-and-dirty 2.4 GHz AP for testing/hacking/reverse-engineering, Intel chipsets are very good for this because they have out-of-the-box support for channel-hopping to support simultaneous client+AP operation.

More details in my previous comment: https://news.ycombinator.com/item?id=47581204

[−] baby_souffle 45d ago
Oops, I meant Atheros, not iteris.

I have had good luck with intel in the past but it was only a very specific version. Don’t recall the exact specifics as it was a little while ago now.

Mediatek is still the best bet, though.

[−] smashed 46d ago
Lots of "just use X" comments but the article is about showing the bare minimum/how easy the core part of routing actually is.

Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.

If you have ever enabled the wifi hotspot on an android phone also, you've done pretty much what the article describes on your phone.

All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.
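The "same Linux kernel features" the two comments above refer to are IP forwarding plus a NAT ruleset. This added example (not from the article, create_ap, or any commenter) renders those as a sysctl fragment and an nftables ruleset so they can be reviewed before being applied; interface names and the LAN prefix are assumptions. The point a practitioner should not skip is the forward chain: enabling ip_forward with only a masquerade rule forwards anything that reaches the box, so the chain here defaults to drop and admits only LAN-to-WAN flows and their replies.

```shell
#!/bin/sh
# Added example, not the article's or the thread's code: the minimum a Linux
# box needs to become a NAT router, rendered as text and applied only on
# request. WAN/LAN names and the LAN prefix are assumptions; override via env.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"

# Forwarding on, plus reverse-path filtering and no source routing or
# redirects, so the box does not forward spoofed or source-routed packets.
render_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# nftables ruleset: forward chain drops by default and only passes new flows
# from the LAN prefix out the WAN (plus their replies); the router itself only
# answers on the LAN side and to basic ICMP; masquerade is bound to the WAN.
render_nft() {
    cat <<EOF
flush ruleset
table inet router {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "$LAN" oifname "$WAN" ip saddr $LAN_NET accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif lo accept
        iifname "$LAN" accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Sanity check on the rendered ruleset: the forward chain must default to
# drop and the masquerade rule must be tied to the WAN interface and LAN prefix.
check_ruleset() {
    render_nft | grep -q 'hook forward.*policy drop' || return 1
    render_nft | grep -q "oifname \"$WAN\" ip saddr $LAN_NET masquerade" || return 1
    return 0
}

# Default is a dry run that prints both fragments; "apply" needs root.
main() {
    if [ "${1:-}" = "apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
        check_ruleset || { echo "ruleset check failed" >&2; return 1; }
        render_sysctl > /etc/sysctl.d/10-router.conf
        sysctl -q --system
        render_nft | nft -f -
    else
        echo "# --- /etc/sysctl.d/10-router.conf ---"; render_sysctl
        echo "# --- nftables ruleset ---"; render_nft
    fi
}
main "$@"
```

Run it with no arguments to see what would be applied, then `WAN=ppp0 LAN=wlan0 sh router.sh apply` as root on the real box. DHCP and DNS for the LAN side (dnsmasq in create_ap's case) are a separate service and are not rendered here.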

[−] abustamam 46d ago
Yeah I find it more interesting to see how it's built from scratch, then I can decide if it's worth doing myself or just using X. I think this is a good software principle in general.
[−] doubled112 46d ago
Basically any computer is a router if you're brave enough.

Windows PCs had (have?) that Internet connection sharing feature for a long time. It was really just a checkbox to enable NAT too.

Sometimes I think combining a firewall/router/switch/AP/file server/etc into a device called a "router" really confuses people. Even people who should know better.

[−] j45 46d ago
It is much, much easier than it used to be. The documentation and videos available alone make something like this a very welcoming learning experience that anyone can complete step by step by pausing a video and replaying it.
[−] doubled112 46d ago
Like most things, really. I used to build routers from old PCs, but eventually those tiny appliances caught up with the performance/functionality I need.

You can do a lot of routing on a $70 Mikrotik, although they might not be "easy".

[−] esseph 46d ago
I really want to end up with one of these for at least a few months: https://mikrotik.com/product/rds2216
[−] bombcar 46d ago
At $2k out the door that's way more reasonable than I thought it'd be.

Too bad I can't fill it with old spinning rust.

[−] j45 46d ago
For sure, it's a path and passage towards devices like that.

Everyone has a starting point; starting with what someone has lying around is one thing. The quicker they can get going, the more they can get to leveraging the real power in most devices.

[−] novachen 46d ago
the naming is part of the confusion. consumer "routers" are really NAT gateway + DHCP server + DNS cache + WiFi AP + maybe a firewall, all in one box. separating them makes each piece clearer.
[−] userbinator 46d ago
You don't even need more than one NIC: https://en.wikipedia.org/wiki/Router_on_a_stick
[−] HexPhantom 45d ago
Not super practical for everyone, but definitely valuable as a mental model shift
[−] bluedino 46d ago
This really takes me back. My first actual 'use' for Linux was making routers out of leftover computers.

The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.

Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.

Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.

After that I started piling other services on, like a spam filter and a Squid cache; it was amazing to get so much use out of hardware that was going to just get thrown out.

[−] LatticeAnimal 46d ago
I’ve been using OpnSense/pfsense [0] for years and would highly recommend it. It has a great automatic update experience, config backups, built-in wireguard tunnels and advanced features like packet filtering options via suricata.

When I am doing network management on my weekends, I’m so glad I’m not stuck in the Linux terminal learning about networking internals and can instead just go to a webui and configure my router.

0: https://opnsense.org/

[−] StillBored 46d ago
I've got one of those N100+10Gbit router devices with a handful of ports. It seems a pretty reasonable device with one of the router distros running on it, but it doesn't seem nearly as efficient as my ucg-fiber/route10 devices, and that wouldn't bother me except that I suspect the packet latency is significantly higher too. Those devices AFAIK have hardware programmable router chips, which means the forwarding is done 100% without the interaction of the main CPU, so there isn't any interrupt/polling/etc delays when a packet arrives, the header gets rewritten, the checksum verified and off it goes.

Anyone actually measured this? I see a lot of bandwidth/etc style tests but few that can show the actual impact of enabling disabling deep packet inspection and a few of the other metrics that I actually care about. Serve the home seems to have gotten some fancy test HW but they don't seem to be running these kinds of tests yet.

[−] Fwirt 46d ago
You actually don't even need two interfaces on the box if you have a managed switch. It's not too difficult to configure your only interface as an 802.11q trunk port, and then you can use the managed switch as a sort of "interface expander". This is referred to as a "router on a stick" configuration, and it's how my home network is configured. Plus, if it's a PoE managed switch, you can install some cheap enterprise surplus Aruba IAPs around the house for Wi-Fi which is a lot higher quality than a consumer router or a mesh setup.

My home router was an old Thinkpad for a while, but then I switched over to a slightly newer Dell Optiplex that my work was throwing out. The plus side of that is that the i7 is total overkill for routing so I can also have my "router" run some VMs for network services and cut down on the number of boxen in my homelab rack.

Alpine is a great distro for this.
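The single-NIC setup that the two comments above describe (userbinator's Wikipedia link and Fwirt's managed-switch trunk) is a router on a stick: the managed switch hands the box one 802.1Q trunk and the box creates a tagged subinterface per VLAN. This added example (not Fwirt's configuration) renders the iproute2 commands and the forward chain for that layout; trunk NIC, VLAN IDs, names, addresses and the trusted/isolated split are all assumptions. The security point it makes: because every VLAN arrives on the same cable, nothing but the forward chain keeps an IoT or guest VLAN away from the LAN, so that chain defaults to drop and isolated VLANs may only reach the upstream.

```shell
#!/bin/sh
# Added example, not the commenters' own configuration: one NIC carrying an
# 802.1Q trunk from a managed switch, split into per-VLAN routed interfaces.
# Trunk NIC, VLAN IDs, names, addresses and policies below are assumptions.
TRUNK="${TRUNK:-eth0}"
# Constructed VLAN table, "vid:name:ipv4addr/prefix:policy":
#   wan      - the upstream VLAN; its address comes from the ISP's DHCP
#   trusted  - may reach every other VLAN and the upstream
#   isolated - may only reach the upstream, never another VLAN
VLANS="${VLANS:-99:wan:dhcp:wan 10:lan:192.168.10.1/24:trusted 20:iot:192.168.20.1/24:isolated 30:guest:192.168.30.1/24:isolated}"

# Split one table entry into vid/name/addr/policy (IPv4 only: no ':' in addr).
parse_entry() {
    vid=${1%%:*}; r=${1#*:}
    name=${r%%:*}; r=${r#*:}
    addr=${r%%:*}; policy=${r#*:}
}

# iproute2 commands that create one tagged subinterface per VLAN. The bare
# trunk NIC gets no address, so untagged (native VLAN) frames are not routed.
render_vlan_links() {
    printf 'ip link set %s up\n' "$TRUNK"
    for entry in $VLANS; do
        parse_entry "$entry"
        printf 'ip link add link %s name %s type vlan id %s\n' "$TRUNK" "$name" "$vid"
        if [ "$addr" = dhcp ]; then
            printf '# %s: run the DHCP client on this interface\n' "$name"
        else
            printf 'ip addr add %s dev %s\n' "$addr" "$name"
        fi
        printf 'ip link set %s up\n' "$name"
    done
}

# Name of the VLAN interface marked as upstream; fails if there is none.
wan_iface() {
    for entry in $VLANS; do
        parse_entry "$entry"
        [ "$policy" = wan ] && { printf '%s\n' "$name"; return 0; }
    done
    return 1
}

# nftables forward chain: default drop, replies allowed, trusted VLANs may go
# anywhere, isolated VLANs only to the upstream. Pair it with a postrouting
# masquerade on the upstream interface, as for any NAT router.
render_vlan_forward() {
    wan=$(wan_iface) || return 1
    printf 'table inet vlans {\n    chain forward {\n'
    printf '        type filter hook forward priority filter; policy drop;\n'
    printf '        ct state established,related accept\n'
    for entry in $VLANS; do
        parse_entry "$entry"
        case $policy in
            trusted)  printf '        iifname "%s" accept\n' "$name" ;;
            isolated) printf '        iifname "%s" oifname "%s" accept\n' "$name" "$wan" ;;
        esac
    done
    printf '    }\n}\n'
}

render_vlan_links
render_vlan_forward
```

The switch port facing the box must be configured as a tagged trunk carrying exactly these VLAN IDs; any VLAN the switch passes untagged lands on the bare trunk NIC, which deliberately has no address here.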

[−] hmaxwell 46d ago
I'm curious about the policy rationale behind banning router imports. If a government were considering legislation like that, what would the primary concern usually be? Given that so much internet traffic is now protected by TLS/SSL and other encryption, why would it still matter if citizens were using routers that might be backdoored?

Is the concern mainly things like botnets and DDoS activity, weak default credentials on network equipment, or compromised business networks where poorly secured routers or attached NAS devices could expose sensitive or proprietary data? In other words, is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?

[−] lucasay 46d ago
“Just use OPNsense” is great advice for production, but terrible advice for learning. This article is valuable precisely because it shows how little magic is actually involved in routing.
[−] Bender 46d ago
Something I did not see in the article is router-specific tuning such as

    net.ipv4.ip_early_demux = 0
    net.ipv4.tcp_early_demux = 0
    net.ipv4.udp_early_demux = 0
in /etc/sysctl.d/10_router.conf to slightly reduce overhead when being used primarily as a router. There are many other router related knobs but those I would always set especially if trying to reduce overhead for VoIP/Gaming setups. There are many other knobs I tune such as gro_flush_timeout and napi_defer_hard_irqs, sch_cake tuning, lowat and output limits and hundreds more but those rabbit holes would require a large write-up. My overall goal is to give family members latency, jitter and throughput numbers that improve their quality of life and gaming scores of course.

Such things do not preclude additional tuning on the client and server sides as well but those are even bigger topics.

[−] mintplant 46d ago
This seems like it might be a good place to ask: does anyone know of a low-cost, readily-available SBC box with built-in dual Ethernet interfaces?

I've been very interested in some of Radxa's boards in the ~$30-70 range, like the E52C [0] and the E20C [1], but they don't have many distributors and seem to have stocking issues [2].

[0] https://radxa.com/products/network-computer/e52c/

[1] https://radxa.com/products/network-computer/e20c/

[2] https://shop.allnetchina.cn/products/radxa-e52c?variant=5034...

[−] zer00eyz 46d ago
I live in the SF Bay Area, and ended up with Sonic Internet, and a 10gbe connection. Routing this with anything off the shelf was going to be "very expensive".

I ended up with an Opnsense box. It's an m920q (i5-8500), with riser card and a dual SFP+ nic in it. All in, it was less than 200 bucks (now it would be closer to three). I ended up with a cheap, Chinese "media converter" (from aliexpress because the same thing on amazon is 3x the price) that just had two SFP+ ports on it. That let me go from an SFP+ copper ethernet module to a DAC and not dump a bunch of heat into the 1L pc.

I have to say that the functionality made it a worthwhile investment: traffic shaping, wireguard and the like have been mostly a joy. And the documentation for Opnsense made the setup and use (mostly) easy.

[−] nottorp 46d ago
Hmm I've always had a manually configured low power generic box as router.

But I've never even tried to set up my own access point, I just pay Unifi for that [1]. The software part is doable but I don't want to learn to handle the signal issues.

[1] Switched to Unifi in anger after my first consumer level 5 Ghz wifi needed reboots weekly because it was overheating. Do yourself a favour and get the semi pro stuff, Unifi or others.