====== Networking - Router - Build a Router ======

A router is defined as a system that performs the following duties:

  * Network Address Translation (NAT).
  * Handing out IP addresses to clients via DHCP.
  * Allowing incoming connections to a local web server.
  * Doing DNS caching for the LAN.
  * Providing wireless connectivity (requires a supported card).

The following interfaces are needed:

  * WAN
  * LAN
  * WiFi (Optional)

----

===== Networking =====

==== Enable IP Forwarding ====

<code bash>
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
</code>

----

==== Configure IP Address ====

Set an IP Address for the device.

Either DHCP or a Static IP.

----

Configure the WiFi Network.

----

===== DHCP =====

The DHCP resolver should be started at boot time to provide client machines with local IP addresses.

Example for DHCP servers include:

  * dhcpd.

----

===== Configure Primary IP Addresses =====

<WRAP info>
**NOTE:**  Any RFC 1918 address space may be specified here.

Usually there is an option to point to the local DNS server.  

  * This will be configured later.
  * For now, enter an IP for this if known.

</WRAP>

----

===== Firewall =====

Configure Firewall with:

  * Default policy:  **drop**.
  * Block any connections in on the WAN to unroutable addresses.  Only incoming and outgoing connections which have been explicitly put in the firewall rules will be allowed.
  * Block any return connections to unroutable addresses.
  * Allow outgoing IPv4 traffic from both the gateway itself and the LAN clients.
  * Allow internal LAN traffic.

<WRAP info>
**NOTE:**  Unroutable addresses include:

<code>
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
<code>

</WRAP>

----

===== DNS =====

==== Use Unbound ====

A DNS cache is recommended.

An example configuration would include:

<file bash unbound.conf>
server:
  interface: 192.168.1.1
  interface: 192.168.2.1
  interface: 127.0.0.1
  access-control: 192.168.1.0/24 allow
  access-control: 192.168.2.0/24 allow
  do-not-query-localhost: no
  hide-identity: yes
  hide-version: yes

forward-zone:
  name: "."
  forward-addr: 1.2.3.4  # IP of the upstream resolver.
</file>

<WRAP info>
**NOTE:**  The above configuration assumes that the 192.168.1.0/24 subnet is used for the wired clients and 192.168.2.0/24 for the wireless.
</WRAP>

----

===== Configure /etc/resolv.conf =====

<file bash /etc/resolv.conf>
nameserver 127.0.0.1
nameserver 1.2.3.4
search localdomain
</file>

<WRAP info>
**NOTE:** 

  * **nameserver 127.0.0.1**:  Needed as the router is using the caching resolver.
  * **nameserver 1.2.3.4**:  The IP of the DNS Resolver.

</WRAP>

----

Reboot the system.