My Router and Access Point

EdgeRouter X

EdgeRouter X is the main router for my home network.

WAN

I have a symmetric 100Mbps optical fiber link to the Internet that provides both IPv4 and IPv6 through a Huawei HG8040H ONT/modem. This Huawei device has four RJ-45 ports and can function as a router. My ISP deploys it in bridge mode. I hook EdgeRouter X to one of the RJ-45 ports. If I hook one more router to another RJ-45 port, I could get a second public IPv4 - a little-known secret about my ISP!

Firewall

Consider EdgeRouter X a Linux-based edge router. I have a firewall for IPv4/IPv6 and NAT for IPv4. Under the hood, it's all netfilter. I also use ipset to add a blacklist of IPv4 addresses to the firewall. I want the blacklist mainly for blocking possible outbound connections. Such connections are rare and I see fewer than a hundred every day. With the blacklist, I also need a whitelist, as inevitably some IPv4 addresses are wrongly included. The firewall is configured using the Vyatta CLI. I then populate the ipset objects with IP addresses by a script on boot and with a daily refresh.
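The blacklist-minus-whitelist refresh described above, as an added example that is not the post's own script: it builds the ipset from the two files, swaps the new set in atomically and drops forwarded (outbound) traffic to listed destinations. The set name "blocklist", the file format (one IPv4 address or CIDR per line, '#' comments) and the use of the FORWARD chain are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: set name "blocklist",
# one IPv4 address/CIDR per line with '#' comments, rule in the FORWARD chain.
set -eu

# normalise <file>: drop comments, whitespace and blank lines; sort uniquely
normalise() {
    sed 's/#.*//; s/[[:space:]]//g; /^$/d' "$1" | sort -u
}

# build_restore <blacklist> <whitelist>: print `ipset restore` input on stdout,
# containing only blacklist entries that are not whitelisted
build_restore() {
    bl=$(mktemp); wl=$(mktemp)
    normalise "$1" > "$bl"
    normalise "$2" > "$wl"
    printf 'create blocklist_new hash:net family inet -exist\n'
    comm -23 "$bl" "$wl" | sed 's/^/add blocklist_new /'   # lines only in blacklist
    rm -f "$bl" "$wl"
}

# count_entries <blacklist> <whitelist>: how many addresses would be blocked
count_entries() {
    build_restore "$1" "$2" | grep -c '^add ' || true
}

# load_blocklist <blacklist> <whitelist>: apply on the router (root, ipset, iptables)
load_blocklist() {
    ipset create blocklist hash:net family inet -exist
    ipset destroy blocklist_new 2>/dev/null || true     # leftovers from an aborted run
    build_restore "$1" "$2" | ipset restore
    ipset swap blocklist_new blocklist                  # atomic replace, no empty window
    ipset destroy blocklist_new
    # add the DROP rule once; -C only checks whether it already exists
    iptables -C FORWARD -m set --match-set blocklist dst -j DROP 2>/dev/null ||
        iptables -I FORWARD -m set --match-set blocklist dst -j DROP
}

# constructed sample input for a dry run (RFC 5737 documentation addresses)
SAMPLE_BL=$(mktemp); SAMPLE_WL=$(mktemp)
cat > "$SAMPLE_BL" <<'EOF'
# constructed blacklist
198.51.100.7
203.0.113.0/24
192.0.2.99
203.0.113.0/24
EOF
printf '192.0.2.99   # false positive, keep reachable\n' > "$SAMPLE_WL"
build_restore "$SAMPLE_BL" "$SAMPLE_WL"   # prints the create line plus 2 add lines
```

On the router, `load_blocklist /path/to/blacklist /path/to/whitelist` is what the boot script and the daily cron job would call.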

IPv4

EdgeRouter X gets public IPv4 addresses using ISC's DHCP client. I set it up to get two from my ISP. LAN clients get their private IPv4 addresses from Dnsmasq. Dnsmasq acts as both DHCP server and DNS resolver for local devices. As a DHCP server, Dnsmasq is way more resource efficient than ISC's DHCP server (a hundred KiB vs. a few MiB of memory usage).

IPv6

My ISP distributes IPv6 /56 prefixes through DHCPv6-PD. To negotiate and get a prefix, EdgeRouter X uses the WIDE-DHCPv6 daemon. It then uses radvd to advertise a /64 prefix to LAN clients. radvd is a router advertisement daemon running on the switch0 interface of EdgeRouter X. In addition, I also have a Hurricane Electric 6in4 tunnel as a live-live backup to the native IPv6 link.

VPN

EdgeRouter X is also my IPsec VPN server when I'm out and about. IPsec is mainly a job of the Linux kernel, assisted by a user-space daemon (strongSwan) to create and maintain connections on demand. I have it running in IKEv2 mode, which is still not officially supported on EdgeRouters, so I have to edit strongSwan's configuration file directly. One benefit of running IKEv2 is Mobility and Multihoming (MOBIKE), which allows hopping between cellular and WiFi hotspots without interruption to my VPN connection back home. This feature is one of the highlights of WireGuard, but IKEv2 users have had it for many years. Personally, I started using IKEv2 IPsec VPN on my custom-built firmware on the Asus 56U. Later I simply transplanted the configuration to EdgeRouter X - the easiest way to have IKEv2 running on EdgeRouters.

DDNS

I have a few services exposed to the Internet, so reliable DDNS updates are essential. EdgeRouter X uses ddclient for this task. I have one domain in NO-IP and one in Cloudflare. ddclient can also update Hurricane Electric 6in4 tunnel endpoints! The domain in Cloudflare also supports IPv6, which I have to update through a script.

Other functionalities

The SSH daemon and strongSwan use lots of cryptography. It's essential to maintain a healthy level of 'entropy' in the kernel to guarantee randomness in cryptographic operations. This task is performed by haveged - a package not included in EdgeOS, but people can easily get it from Debian.

My EdgeRouter X also runs an NTP daemon, pixelserv-tls, NET-SNMP's SNMP daemon and miniupnpd for UPnP. I run the newer PCP & NAT-PMP only. EdgeRouters come with other cool features that I rarely use. For example, DPI-based traffic analysis and ZebOS's routing stack that network guys might have to deal with every day.

Current status

My EdgeRouter X has been up for day hour. Historical uptime is available for the [past year](/mrtg/mrtg.fcgi/erx/erx-up-year.png). You could also check out its current CPU load.

Asus RT-AC56U

My 56U performs two roles. As a WiFi access point, it runs a stripped-down and custom-built firmware derived from AsusWRT-Merlin. As an always-on home server, it runs Entware, which is amazingly useful!

WAP

I have 5GHz enabled and 2.4GHz disabled. That reduces the 56U's CPU temperature by a few degrees C. In case you're interested in its wireless capability: it's Broadcom BCM4352 and BCM43217.

Always-on server

  • DNS resolver (Unbound)
  • DNS adblock using stripped down Dnsmasq - two instances
  • Haproxy for layer-7 routing to remote machines in other continents
  • shadowsocks server
  • Traffic and system monitor (MRTG)
  • Network latency monitor (SmokePing)
  • Webserver with FastCGI (lighttpd)
  • Linux entropy enhancement (haveged)
  • Better syslog with syslog-ng
  • incron, mini_snmpd, Vixie-cron, ZiProxy, OpenVPN, Privoxy
  • Samba server for a 64GB USB stick
  • Transmission but rarely used
  • NTP daemon (get my slim build; use only 900KB RAM)

The original write-up about my build of the RT-AC56U firmware has been moved here.

Initially published on Nov 1, 2016
