Setting up a DIY router using Fedora 41 and an old PC

Hey all! I am currently using a spare PC I had lying around as a homeserver that was working phenomenally for me so far. Recently, I came up with an idea: if I’m already using a PC as a server, why not use the PC as a router as well? I’m living alone, so I don’t think I would overload the computer at all, and I think it’d make a fun experiment. So far, I’ve been trying to do it using this guide, but it’s outdated and doesn’t work anymore (I have issues with the DNS). Also, I believe it’s a bit opinionated. The ones that are up-to-date are not targeting Fedora, but Ubuntu, Debian, or other options. So far I believe these are the steps I’d have to follow:

  1. Create a PPPoE interface (not sure what for).
  2. Set up the firewall.
  3. Set up the DHCP server.
  4. Set up the DNS server.
  5. Set up the Wifi AP.

Given that Fedora ships with a Firewall already, I believe I can skip step 2. For the rest of the steps, though, I’m having trouble finding a proper guide. Is there any material for this?

Edit: I’d prefer it to be targeting Fedora Server.

Hi. I like the idea of Linux-based router+firewall. I just wonder if an atomic Fedora variant might be better for an appliance type of device, e.g., Core OS or IoT.

The magazine article you have linked refers to F28, though of course it is still very possible - but I would find some more recent guides.

The downsides (quoted from the magazine article)

The downside is related to time and knowledge.
You have to manage your own security
You need to have the knowledge to troubleshoot if an issue happens or find it through the web (no support calls)

So it is a cool idea but take the time to work it out and get it right.
Also consider the power use of the device. My TP-Link business class 4 port router uses 6 or 7 watts.

I have done what you are planning using Fedora Server as the base.

I use systemd-networkd not networkmanager for my router.
This gives me simpler and more explicit config.

Setting up PPPoE is a little bit tricky but can be done.
I wrote a systemd service that runs /usr/sbin/pppd with lots of options that depend on my ISP.

Will your ISP give you the PPPoE credentials or do they force you to use their modem/router?

The other tricky config is setting up the IPv6 routing and prefix delegation.
(I ended up asking for help on the systemd devel list to get this right).
If your ISP only supports IPv4 you have a simpler situation to configure.

I run bind9 for my DNS and integrate it with dhcpd. This means that the devices in the house can add themselves to the house DNS. I use the RFC compliant .internal domain.


Yes! I have the PPPoE credentials. As far as I know, my ISP supports IPv6.

Ok great, you have enough to get started. Did your ISP allocate you an IPv6 /48?
You need a /48 or /56 to be able to do prefix delegation.

for the fun of it, you could give it a try. the downside is that as soon as that server has issues (hardware failure, reboot, …) your entire LAN is down and disconnected from the internet. If your server is running 24/7 the extra electricity for routing isn’t an issue, but in general it’s a bit of waste running an x86 server as a router in home environment.

You can buy very cheap Wifi routers (TP-Link, Netgear, Unifi, …) and install Openwrt for all the tasks you are asking for including Wifi-AP. Typical power consumption is 3-9W.

Don’t get me wrong, your experiment is absolutely worth a try and for sure a great learning experience.


Several years ago I had CentOS set up as a router on an older computer and used a program called Webmin. It was a pretty simple program to use and is still available. I had it running from the cable modem to an 8 port switch. With Webmin I set up the firewall, DHCP, DNS, Samba and a Squid proxy server.

In my case I have the ISP’s router to fall back on.

I have been running Fedora as my router for 10+ years.
I always buy new hardware specifically to run the router so I have
a reliable and low power solution.

I have not had a hardware failure with any of my routers (maybe lucky?).


It’s IPv6 /128 🙁

I agree, it’s a waste of energy if you don’t have a server running

But I do! So I wanted to unify everything and save electricity (and, to be fair, also for the fun of it 🙂). And as said by @barryascott, I already have the ISP’s router to fall back on in case of emergencies.

That is, to use the technical term, useless!

You should have a /64 as a minimum for a single host.
The RFC recommend that each client gets at least a /48.
Without that you cannot run the algorithms of IPv6.

My ISP set up a /64 by default, but had allocated me a /48.
I used their management portal to turn on the /48 and turn off the /64.

It is worth checking with your ISP if they can route a /48 to you.

I would like to learn more. Why is /128 useless? What are the advantages of /48 or /64 over /128?

Fedora is amazing to run as a router because no routers out there run SELinux! So it could potentially be the most hardened router that can exist.

Having said that, some things are a lot more tested and durable for network servers of any kind. FreeBSD and OpenBSD are industrial-level security proven and tested for decades.

I personally run a FreeBSD server for my WiFi hotspot, and it literally is the most stable, powerful/configurable thing for network-related things. It literally runs like clockwork for months. And it allows you to do very nifty things with the network interfaces.

There should be lots of documentation for FreeBSD setups, which might differ from Linux in technicalities but will give you an idea of what to do conceptually.

ChatGPT is nowadays a pretty good resource to get you going on projects like that.

There are IPv6 protocols that require a /48 to implement security features.
With a /128 you are limited to only one host on your network, the router itself.
That will force you to use NAT with IPv6. NAT causes all sorts of issues that we have to work with in the IPv4 world that are supposed to be solved by IPv6.

I wonder if you do have a public IPv6 address.
Can you share the start of the IPv6 address?
No need to share the whole thing. Just the first two blocks.
For example my public address starts 2001:8b0:.
If yours starts with fe80: then it is not a public address, it’s a so-called link-local address.
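The address-scope check described in this post (does the prefix start with fe80:, i.e. link-local, or is it global unicast) and the /128 versus /64 versus /48 question from earlier in the thread, as an added Python example that is not code from any post here. It uses only the standard ipaddress module. The sample prefixes are constructed from the 2001:db8::/32 documentation range and are not a real allocation; the code classifies by address range alone (2000::/3 counts as global unicast), so reserved blocks inside that range are not special-cased. The 2**(64 - n) count is the arithmetic behind "a /56 gives 256 /64 subnets".

```python
"""Classify an IPv6 prefix the way the thread discusses it.

Added example (not from any post in the thread). Given the prefix an ISP
hands out, report its scope and what its length permits: a /128 is one
address (the router itself), a /64 is the smallest prefix on which SLAAC
can run, and anything shorter than /64 can be split into /64 subnets for
prefix delegation to LANs, VLANs and VMs. Classification is by address
range only; reserved blocks inside 2000::/3 (such as the documentation
range used in the samples) are not special-cased.
"""
import ipaddress
from itertools import islice

# Well-known IPv6 ranges, checked in order. fe80::/10 is the link-local
# range the "starts with fe80:" test in the thread refers to.
SCOPES = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def scope(addr: str) -> str:
    """Return the scope name of one IPv6 address, or 'other'."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"


def usable_64_subnets(prefixlen: int) -> int:
    """How many /64 LAN segments fit in a prefix of this length
    (0 when the prefix is longer than /64, since SLAAC needs a /64)."""
    return 2 ** (64 - prefixlen) if prefixlen <= 64 else 0


def prefix_report(prefix: str) -> dict:
    """Summarise what an assigned or delegated prefix is good for."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    n = net.prefixlen
    segments = usable_64_subnets(n)
    if n == 128:
        verdict = "single address: only the router itself; NAT66 needed for any LAN host"
    elif n > 64:
        verdict = "longer than /64: SLAAC cannot run on it"
    elif n == 64:
        verdict = "one /64: SLAAC works on one LAN, nothing left to delegate to other segments"
    else:
        verdict = f"{segments} /64 subnets available for LANs, VLANs and VMs"
    return {
        "prefix": str(net),
        "scope": scope(str(net.network_address)),
        "slaac_capable": n <= 64,
        "usable_64_subnets": segments,
        "verdict": verdict,
    }


def first_subnets(prefix: str, count: int, new_prefix: int = 64) -> list:
    """Carve the first `count` subnets of `new_prefix` length out of
    `prefix`, the way a /56 delegation is split across interfaces.
    Returns [] when the prefix is already longer than `new_prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if new_prefix < net.prefixlen:
        return []
    return [str(s) for s in islice(net.subnets(new_prefix=new_prefix), count)]


if __name__ == "__main__":
    # Constructed samples from the documentation range 2001:db8::/32.
    for p in ("2001:db8::1/128", "2001:db8:1::/64", "2001:db8:1::/56", "2001:db8::/48"):
        r = prefix_report(p)
        print(f"{r['prefix']:<20} {r['scope']:<15} {r['verdict']}")
    print(scope("fe80::1"), scope("fd12:3456::1"), scope("2001:db8::1"))
    print(first_subnets("2001:db8:1::/56", 3))
```

Run it with the first two blocks of your own WAN address substituted for the documentation prefix; a result of "link-local" for the address `ip -6 addr` shows on the PPPoE interface means the ISP has not handed you a routable prefix at all.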

I used to use OpenBSD for my routers but there were too many problems that I could not work around and that’s when I moved to using Fedora. Now I would hope that the problems have been addressed, but I’m very happy with using Fedora for my routers and see no advantage with going to FreeBSD or OpenBSD at this point.

OpenBSD is not as full-featured as FreeBSD at the expense of being super-hardcore security protected. OpenBSD’s network stack is not as developed as FreeBSD’s, for example. OpenBSD is good for some very, very basic network server things.

FreeBSD can do anything you dream of for server- and network- related things, but it sure lacks Fedora’s pretty solid SELinux and Linux’ crypto capabilities.

So it’s, like, you can’t have everything in one place, you gotta juggle OSs to get what you need. Or write your own.

I’ve been using Fedora as a router and Wi-Fi hotspot for years.

Both systemd-networkd and NetworkManager work great, but I recommend starting with NetworkManager as its CLI is more convenient and functional, which makes it easier to edit and switch connection profiles and minimizes human error.

In addition, NetworkManager is integrated with dnsmasq, so the basic DHCP/DNS functionality is provided out of the box.

Note that asymmetric IPv6 connectivity can also be useful, so NAT66 is natural and it’s sometimes the only option, e.g. Cloudflare WARP, Tor gateway, etc.

Based on the OP, assuming the following setup:

  • The Ethernet interface used for WAN, configured for PPPoE.
  • The Wi-Fi interface used for WLAN, configured for WPA2/3.
  • Providing basic DHCP/DNS functionality on the WLAN.
  • Forwarding IPv4/IPv6 traffic from WLAN to WAN with NAT/NAT66.

The instructions look more or less like this:

# WAN: PPPoE over the Ethernet interface. The credentials below are
# placeholders; replace them with the ones your ISP gave you. The
# connection is put into firewalld's "external" zone.
PPPOE_USER="test"
PPPOE_PASS="12345678"
sudo nmcli connection add \
    type pppoe \
    con-name wan \
    username "${PPPOE_USER}" \
    password "${PPPOE_PASS}" \
    connection.zone external
sudo nmcli connection up wan

# WLAN: the Wi-Fi interface as a WPA2-PSK (RSN/CCMP) access point.
# "shared" on both address families makes NetworkManager start dnsmasq
# for DHCP/DNS on this interface; the connection goes into the
# "internal" zone. The SSID and PSK are placeholders.
WIFI_SSID="test"
WIFI_PSK="12345678"
sudo nmcli connection add \
    type wifi \
    con-name wlan \
    wifi.mode ap \
    wifi.ssid "${WIFI_SSID}" \
    wifi-sec.group ccmp \
    wifi-sec.pairwise ccmp \
    wifi-sec.proto rsn \
    wifi-sec.key-mgmt wpa-psk \
    wifi-sec.psk "${WIFI_PSK}" \
    ipv4.method shared \
    ipv4.addresses 192.168.1.1/24 \
    ipv6.method shared \
    ipv6.addresses 2001:db8:1::1/64 \
    connection.zone internal
sudo nmcli connection up wlan

# Firewall: stop NetworkManager from installing its own shared-mode
# NAT rules so firewalld is the only owner of forwarding and NAT, open
# DHCP/DNS towards the LAN, and create a single policy for
# internal -> external traffic with MSS clamping (PPPoE has a smaller
# MTU) and masquerading for both IPv4 and IPv6.
sudo tee /etc/NetworkManager/conf.d/99-local.conf << EOF > /dev/null
[main]
firewall-backend=none
EOF
sudo systemctl restart NetworkManager.service
sudo firewall-cmd --permanent --zone=internal --add-service=dhcp
sudo firewall-cmd --permanent --zone=internal --add-service=dns
sudo firewall-cmd --permanent --new-policy=internal-external
sudo firewall-cmd --permanent --policy=internal-external --set-target=ACCEPT
sudo firewall-cmd --permanent --policy=internal-external --add-ingress-zone=internal
sudo firewall-cmd --permanent --policy=internal-external --add-egress-zone=external
sudo firewall-cmd --permanent --policy=internal-external --add-rich-rule="rule tcp-mss-clamp value=pmtu"
sudo firewall-cmd --permanent --policy=internal-external --add-rich-rule="rule family=ipv4 masquerade"
sudo firewall-cmd --permanent --policy=internal-external --add-rich-rule="rule family=ipv6 masquerade"
sudo firewall-cmd --reload


Unfortunately, there are serious limitations to using Fedora as a Wifi Hotspot. You cannot have multiple SSIDs on one access point wireless card. Stuff like that.

Very interesting project.

Concerning the IPv6: A /128 is one address, corresponding with the WAN address in IPv4, so you need all IPv4 tricks to do something with it. Rather useless.

The recommended host part of IPv6 is a /64. This is the prefix length that SLAAC automatic address configuration, temporary addresses and so on operate on.
All 2**64 addresses are globally accessible. Temporary addresses prevent tracking as long as this is not done by cookies and co.

But you get stuck with one /64 if you set up a kind of router. Not only a router, but also e.g. a libvirt based virtual machine. To which /64 should the system route if there are multiple interfaces with the same /64? Then a /56 comes in with prefix delegation: the DHCPv6 server gives 256 additional /64 subnets routed to the system asking for delegation, which can be distributed over NICs and VLANs.
A /48 extends this over an amount far beyond needs for home use.

What I’ve seen, both NetworkManager and systemd-networkd are possible options. With NetworkManager, do not set an IPv6 address on the “shared” interface. It will perform prefix delegation and set a /64 subnet automatically based on the v6 address on the WAN interface.

Firewalld will be a bit of a challenge, because it’s normally used to protect the host itself and not the forwarding, which is controlled by policies. So I think for IPv6 you would need a block-all policy with rules for only the address/port combination you want to allow. For IPv4 you have to implement port forwarding in addition.
Be aware of nftables tables created by NetworkManager or systemd-networkd in addition to firewalld generated ones, which might block things allowed by firewalld.

Wireless: check “iw phy phy0 info” for

valid interface combinations:
* #{ AP, mesh point } <= 8,
total <= 8, #channels <= 1

This old USB Wifi adapter allows up to 8 SSIDs as access point. Not tested in detail, but multiple SSIDs on multiple interfaces on one stick worked, so in principle main and guest WiFi should be possible with this device.
Depends on adapter/firmware, my laptop gives “interface combinations are not supported”, so only one SSID possible.
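A small parser for the "valid interface combinations" block of `iw phy <phyN> info` discussed above, as an added Python example that is not code from this post or from the iw project. It extracts the largest number of AP-mode interfaces (and therefore SSIDs) any listed combination permits, so a main-plus-guest Wi-Fi plan can be checked before configuring. The three sample outputs are constructed after the two cases quoted above (an adapter allowing `#{ AP, mesh point } <= 8`, and a laptop driver reporting "interface combinations are not supported") plus a typical client card; they are not captured from real hardware. Treating "not supported" as one interface follows the post's reading that only one SSID is then possible.

```python
"""Read the 'valid interface combinations' section of `iw phy <phy> info`.

Added example (not from any post in the thread, not from iw). The limit on
how many AP-mode interfaces a card can run at once is printed by the driver
in this block; these helpers extract it. The sample outputs below are
constructed, not captured from real hardware.
"""
import re

# Constructed sample, after the USB adapter quoted in the thread.
SAMPLE_USB = """\
Wiphy phy0
    valid interface combinations:
         * #{ AP, mesh point } <= 8,
           total <= 8, #channels <= 1
"""

# Constructed sample: a driver that advertises no combinations at all.
SAMPLE_LAPTOP = """\
Wiphy phy0
    interface combinations are not supported
"""

# Constructed sample: a typical client card, one AP at most, two channels.
SAMPLE_CLIENT = """\
Wiphy phy0
    valid interface combinations:
         * #{ managed } <= 1, #{ AP, P2P-client, P2P-GO } <= 1, #{ P2P-device } <= 1,
           total <= 3, #channels <= 2
"""

# "#{ AP, mesh point } <= 8" -> ("AP, mesh point", "8")
COMBO_RE = re.compile(r"#\{\s*([^}]*?)\s*\}\s*<=\s*(\d+)")
# "total <= 8" -> "8"
TOTAL_RE = re.compile(r"\btotal\s*<=\s*(\d+)")


def combinations(iw_output: str) -> list:
    """Split the output into one string per '*' combination bullet;
    continuation lines (indented, no bullet) stay with their bullet."""
    _head, _, rest = iw_output.partition("valid interface combinations:")
    if not rest:
        return []
    return [c for c in re.split(r"\n\s*\*\s", rest) if "#{" in c]


def max_ap_interfaces(iw_output: str) -> int:
    """Largest number of AP interfaces any single combination permits.

    Returns 1 when the driver reports no combinations (one interface is
    always possible, hence one SSID) and 0 when no combination lists AP.
    """
    if "interface combinations are not supported" in iw_output:
        return 1
    best = 0
    for combo in combinations(iw_output):
        ap_limit = 0
        for types, limit in COMBO_RE.findall(combo):
            if "AP" in (t.strip() for t in types.split(",")):
                ap_limit = max(ap_limit, int(limit))
        total = TOTAL_RE.search(combo)
        if total:  # a per-type limit cannot exceed the total interface cap
            ap_limit = min(ap_limit, int(total.group(1)))
        best = max(best, ap_limit)
    return best


def supports_guest_ssid(iw_output: str) -> bool:
    """True when at least two simultaneous AP interfaces are allowed."""
    return max_ap_interfaces(iw_output) >= 2


if __name__ == "__main__":
    for name, sample in (("usb", SAMPLE_USB), ("laptop", SAMPLE_LAPTOP), ("client", SAMPLE_CLIENT)):
        print(f"{name}: up to {max_ap_interfaces(sample)} AP interface(s), "
              f"guest SSID possible: {supports_guest_ssid(sample)}")
```

On a real system feed it the live output, e.g. `max_ap_interfaces(subprocess.run(["iw", "phy", "phy0", "info"], capture_output=True, text=True).stdout)`; note that `#channels <= 1` in the first sample means all those SSIDs must share one channel, which this helper does not report.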