My Overly Engineered Router

Two years ago I decided that enough was enough. No more routers with hacked firmware. Instead I bought an x86 router with four LAN ports and added a very competent wifi card along with some antennas. That would be my new hardware for what was about to come.

The choice of firewall was simple. Even though I have no problem navigating a terminal and have tweaked settings in both iptables and ufw, I wanted something more hands-off and a full solution for anything that could come my way. That's why the choice fell on opnsense.

There is a problem with that choice though. opnsense is based on BSD, which in turn would mean elevated complexity in running stuff like Docker with containers. The best solution would be to encapsulate opnsense and run it as a module somehow. That's where the wonderful life of hypervisors enters the chat.

If I run Proxmox on the router instead, that would mean that I could run whatever I choose as virtual machines inside it. Also, a fantastic thing about kvm is that you can pass actual hardware down to a virtual machine. This would be an absolute necessity if I want to stay safe while running opnsense as a virtual machine, since that means that I can pass the LAN ports down and give opnsense complete control over them. One of them is reserved for Proxmox as a backdoor though, so that means that I can pass three of the ports down, and then virtually pass down a port that is connected to the fourth one, if needed.

Also, I noticed that it's easy to manage vlans in Proxmox, which allows for passing traffic down to the opnsense kvm without problems. This allows for quite a complex setup where I have opnsense exposed to the internet while keeping the other virtual machines, and Proxmox itself, safe behind the firewall. It means that I can have wireless and home automation in separate kvms, as well as anything else I want, like game servers et cetera.

For the wireless configuration I spun up an Arch kvm which I also passed the WIFI hardware down into. I then used hostapd as the software that communicates with the WIFI card. Most of the installation is straightforward, with the most difficult part being getting the frequency and country code correct. There is a multitude of laws and regulations surrounding what frequencies you are allowed to use in wireless radio, and even more when setting up a WIFI access point.

At first I got the default country, which is none. That configuration is heavily restricted, with most of the frequencies locked down, and none of the open ones allow for use as an access point. A lot of troubleshooting later I managed to get it to work and got my wireless up and running.

The next part was to get the wifi access point to communicate with opnsense. I set up a bridge between the wifi card and a virtual network port which had a vlan tag set up. I then configured a new vlan network in opnsense and added a DHCP server along with a bunch of other configuration.
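Here is an added example, not from the original post, that pulls the two steps above together: a hostapd configuration that sets an explicit regulatory domain (the "default country is none" problem), a small check that refuses a config still on the world-roaming domain, and the bridge/VLAN plumbing that hands the access point's traffic to a tagged virtual port toward opnsense. The interface names (wlan0, ens18), the VLAN id, the SSID, the passphrase and the country code SE are all assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example (not the post author's code). Generates a hostapd.conf with an
# explicit regulatory domain and bridges the AP onto a VLAN sub-interface.
# All names and ids below are assumptions for illustration.

WIFI_IF="${WIFI_IF:-wlan0}"      # WiFi card passed through to the VM (assumed name)
TRUNK_IF="${TRUNK_IF:-ens18}"    # virtio port toward Proxmox/opnsense (assumed name)
VLAN_ID="${VLAN_ID:-20}"         # VLAN id opnsense will see the AP on (assumed)
BRIDGE="${BRIDGE:-br-wifi}"      # bridge joining the AP and the VLAN port
COUNTRY="${COUNTRY:-SE}"         # ISO 3166-1 alpha-2 code; SE is an assumption

# Write a hostapd configuration to the path given as $1.
# country_code selects the regulatory domain so AP mode is actually permitted
# on the chosen channel; ieee80211d=1 advertises that country in beacons.
# bridge= makes hostapd add the WiFi interface to the bridge itself.
write_hostapd_conf() {
    cat > "$1" <<EOF
interface=$WIFI_IF
bridge=$BRIDGE
driver=nl80211
country_code=$COUNTRY
ieee80211d=1
hw_mode=g
channel=6
ssid=example-ssid
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=change-me-before-use
EOF
}

# Succeed only if the config names a real country. An empty value or the
# world-roaming domain "00" is what leaves most channels locked for AP use.
check_country_code() {
    code=$(sed -n 's/^country_code=//p' "$1")
    [ -n "$code" ] && [ "$code" != "00" ]
}

# Create the bridge and a VLAN-tagged sub-interface on the trunk port, so the
# opnsense side sees the AP's clients on VLAN $VLAN_ID. Requires root.
setup_bridge() {
    ip link add name "$BRIDGE" type bridge
    ip link add link "$TRUNK_IF" name "$TRUNK_IF.$VLAN_ID" type vlan id "$VLAN_ID"
    ip link set "$TRUNK_IF.$VLAN_ID" master "$BRIDGE"
    ip link set "$TRUNK_IF.$VLAN_ID" up
    ip link set "$BRIDGE" up
    # $WIFI_IF is joined to $BRIDGE by hostapd via the bridge= option above.
}
```

Usage: source the script, run `write_hostapd_conf /etc/hostapd/hostapd.conf`, confirm `check_country_code` passes, then run `setup_bridge` as root before starting hostapd. The VLAN id must match the VLAN interface you define in opnsense on the corresponding virtual port; the DHCP server is then attached to that VLAN interface on the opnsense side, as the post describes.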

I also had a separate kvm for home automation controlling all my lamps: a Zigbee USB adapter was passed down to the virtual machine, zigbee2mqtt provided some form of intermediate communication protocol, and Home Assistant controlled the lamps.

So that's about it. Since I live in a campervan for the time being, I don't use this router anymore, but I still wanted to jot down a few words about it. I learned a LOT while setting it up and tweaking stuff. I spent many hours hacking around with other stuff such as an ELK stack to get statistics out of opnsense. That made me realize that most of the brute force breach attempts I had on my network originated from Russia. Fun times.