Lead Engineer @ Packetware

How to turn a Debian machine into a router

This guide is intended for home labs, as it's bottlenecked by the Linux networking stack. Performance should easily reach common 1 Gb/s networking capabilities, but not much further without kernel bypass/acceleration technologies. You can assist by attaching a distribution-layer switch to your LAN devices and access points. You will need modest Linux and networking skills to follow this guide and troubleshoot your unique setup conditions.

Verify Network Interfaces

Ensure that your Debian machine has multiple network interfaces available. You will need at least two network interfaces—one to connect to the internet (WAN interface) and another to connect to the local network (LAN interface). You can verify the available network interfaces using the ifconfig or ip command.

Update the System

Before proceeding, it's always a good practice to update your Debian system to ensure you have the latest packages and security updates. Run the following commands to update your system:

sudo apt update
sudo apt upgrade

Enable IP Forwarding

IP forwarding needs to be enabled on your Debian machine so that it can route network traffic between the LAN and WAN interfaces. Open the sysctl configuration file using a text editor:

sudo nano /etc/sysctl.conf

Uncomment or add the following line to enable IP forwarding:

net.ipv4.ip_forward=1

Save the file and exit the text editor. Apply the changes by running the following command:

sudo sysctl -p

Configure Network Interfaces

You need to configure the network interfaces on your Debian machine.

WAN Interface:

Edit the network configuration file for your WAN interface. Replace eth0 with the actual name of your WAN interface. For example:

sudo nano /etc/network/interfaces

Add the following lines to configure the WAN interface:

auto eth0
iface eth0 inet dhcp

Save the file and exit the text editor.

LAN Interface:

Edit the network configuration file for your LAN interface. Replace eth1 with the actual name of your LAN interface. For example:

sudo nano /etc/network/interfaces

Add the following lines to configure the LAN interface:

auto eth1
iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0

Set the appropriate IP address and netmask for your LAN interface. Save the file and exit the text editor.

Configure DHCP Server

If you want your Debian machine to provide DHCP (Dynamic Host Configuration Protocol) service to your LAN, you can install and configure the isc-dhcp-server package. Run the following commands:

sudo apt install isc-dhcp-server
sudo nano /etc/dhcp/dhcpd.conf

Edit the dhcpd.conf file and configure the DHCP settings according to your requirements. For example, you can set the IP range, default gateway, DNS servers, etc. Save the file and exit the text editor.

Start the DHCP server:

sudo systemctl start isc-dhcp-server
sudo systemctl enable isc-dhcp-server
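
For the dhcpd.conf step above, a starting configuration as an added example (not part of the original guide): the script prints a subnet block derived from the LAN interface's address and netmask, and rejects a pool that falls outside that network. The pool range 192.168.0.100 to 192.168.0.200 and the lease times are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print a dhcpd.conf subnet block for the LAN interface.
# Pool bounds and lease times are assumptions; adjust them to your LAN.

# ip_and A B -> print the bitwise AND of two dotted-quad addresses
ip_and() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both addresses into eight octets
    IFS=$old_ifs
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# dhcpd_subnet ROUTER NETMASK POOL_START POOL_END DNS
dhcpd_subnet() {
    router=$1; mask=$2; start=$3; end=$4; dns=$5
    net=$(ip_and "$router" "$mask")
    # dhcpd only serves an interface whose address falls inside a declared
    # subnet, and it rejects a range that is outside that subnet.
    for ip in "$start" "$end"; do
        if [ "$(ip_and "$ip" "$mask")" != "$net" ]; then
            echo "error: $ip is outside $net/$mask" >&2
            return 1
        fi
    done
    cat <<EOF
authoritative;
default-lease-time 3600;
max-lease-time 86400;

subnet $net netmask $mask {
    range $start $end;
    option routers $router;
    option subnet-mask $mask;
    option domain-name-servers $dns;
}
EOF
}

# Values from this guide: LAN address 192.168.0.1/255.255.255.0, DNS 1.1.1.1 and 1.0.0.1
dhcpd_subnet 192.168.0.1 255.255.255.0 192.168.0.100 192.168.0.200 "1.1.1.1, 1.0.0.1"
```

Redirect the output into /etc/dhcp/dhcpd.conf. On Debian, also set INTERFACESv4="eth1" in /etc/default/isc-dhcp-server so the server listens only on the LAN interface.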

Configure NAT (Network Address Translation)

To enable NAT on your Debian machine, you can use iptables. Run the following commands:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
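sudo mkdir -p /etc/iptables
sudo iptables-save | sudo tee /etc/iptables/rules.v4

These commands configure iptables to perform Network Address Translation for outbound traffic on the WAN interface and save the rules to /etc/iptables/rules.v4. The mkdir is needed because the /etc/iptables directory does not exist until the iptables-persistent package (covered below) is installed.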

Configure DNS

To configure DNS settings on your Debian machine, edit the /etc/resolv.conf file and set the appropriate DNS server addresses. For example:

sudo nano /etc/resolv.conf

Add the following lines:

nameserver 1.1.1.1
nameserver 1.0.0.1

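Save the file and exit the text editor. Because the WAN interface is configured by DHCP, the DHCP client may rewrite this file when it obtains a lease.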

Restart Networking Services

Restart the networking services to apply the changes:

sudo systemctl restart networking

Test Connectivity

At this point, your Debian machine should be functioning as a router. Test the connectivity from devices connected to your LAN interface to ensure they can access the internet.

Port Forwarding

Identify the WAN interface

First, identify the name of your WAN interface. You can use the ifconfig or ip command to list the available network interfaces. Typically, the WAN interface is the one connected to the internet.

Configure Port Forwarding

Assuming you want to forward incoming traffic from the WAN interface to a specific IP address and port on your LAN, follow these steps:

Enable IP forwarding:

Ensure that IP forwarding is still enabled. If you followed the steps earlier in this guide, it should already be enabled.

Configure the port forwarding rule:

Run the following command to add a port forwarding rule:

sudo iptables -t nat -A PREROUTING -i <WAN_INTERFACE> -p <PROTOCOL> --dport <WAN_PORT> -j DNAT --to <LAN_IP>:<LAN_PORT>

Replace the following placeholders with appropriate values:

  • <WAN_INTERFACE>: The name of your WAN interface.
  • <PROTOCOL>: The protocol of the traffic to be forwarded (e.g., "tcp" or "udp").
  • <WAN_PORT>: The port on the WAN interface that you want to forward.
  • <LAN_IP>: The IP address of the destination LAN machine where you want to forward the traffic.
  • <LAN_PORT>: The port on the LAN machine to which you want to forward the traffic.

For example, if you want to forward incoming TCP traffic from the WAN interface's port 80 to an internal server with IP 192.168.0.10 on port 8080, the command would be:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.10:8080

Enable IP masquerading:

To ensure that the LAN machine can send the response traffic back to the source, you need to enable IP masquerading. Run the following command:

sudo iptables -t nat -A POSTROUTING -o <WAN_INTERFACE> -j MASQUERADE

Replace <WAN_INTERFACE> with the name of your WAN interface.

Save the iptables rules:

Save the current iptables rules so they persist across reboots:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Test the Port Forwarding

After configuring the port forwarding rules, you can test them by attempting to access the specified WAN port from an external network. The traffic should be forwarded to the appropriate LAN machine and port.
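
The rules in this guide leave the FORWARD chain at its default ACCEPT policy, so the router forwards any packet it is able to route. As an added example (not from the original guide), this script prints an iptables-restore ruleset with the same NAT and port-forwarding rules plus a default-deny FORWARD chain. The function names and the PROTO:WAN_PORT:LAN_IP:LAN_PORT spec format are hypothetical, and the INPUT chain is left unchanged.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for this guide's router
# with a default-deny FORWARD chain. It only prints; nothing is applied.

# check_fwd SPEC -> split PROTO:WAN_PORT:LAN_IP:LAN_PORT into globals, validate
check_fwd() {
    proto=${1%%:*}; rest=${1#*:}
    wport=${rest%%:*}; rest=${rest#*:}
    lip=${rest%%:*}; lport=${rest#*:}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $lip in ''|*[!0-9.]*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    for p in "$wport" "$lport"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# router_rules WAN_IF LAN_IF [PROTO:WAN_PORT:LAN_IP:LAN_PORT ...]
router_rules() {
    wan=$1; lan=$2; shift 2
    for f in "$@"; do
        check_fwd "$f" || { echo "bad forward: $f" >&2; return 1; }
    done
    printf '%s\n' "*nat" ":PREROUTING ACCEPT [0:0]" ":POSTROUTING ACCEPT [0:0]"
    for f in "$@"; do
        check_fwd "$f"
        echo "-A PREROUTING -i $wan -p $proto --dport $wport -j DNAT --to-destination $lip:$lport"
    done
    echo "-A POSTROUTING -o $wan -j MASQUERADE"
    printf '%s\n' "COMMIT" "*filter" ":INPUT ACCEPT [0:0]" ":FORWARD DROP [0:0]" ":OUTPUT ACCEPT [0:0]"
    # Replies to connections that were already allowed
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # LAN clients may open connections to the internet
    echo "-A FORWARD -i $lan -o $wan -j ACCEPT"
    for f in "$@"; do
        check_fwd "$f"
        # FORWARD sees the packet after DNAT, so match the LAN address and port
        echo "-A FORWARD -i $wan -o $lan -p $proto -d $lip --dport $lport -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# The guide's example: WAN port 80/tcp forwarded to 192.168.0.10:8080
router_rules eth0 eth1 tcp:80:192.168.0.10:8080
```

Save the output to a file and check it with sudo iptables-restore --test < file before loading it. Loading it replaces the existing rules in the nat and filter tables.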

Preserve IPTables entries

To preserve the iptables rules in Debian across reboots, follow these steps:

Install the iptables-persistent package

Debian provides a package called iptables-persistent that saves and restores the iptables rules automatically. Install it by running the following command:

sudo apt install iptables-persistent

During the installation process, you may be prompted to save the current iptables rules. Choose "Yes" to save the existing rules.

Manually save the iptables rules

If the installation process didn't save the rules, or you have changed the rules since installation, you can save the iptables rules manually by running the following command:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

This command saves the current iptables rules to the /etc/iptables/rules.v4 file.

Restore the iptables rules at boot time

The iptables-persistent package automatically loads the iptables rules during system startup.

To ensure that the rules are loaded on every boot, you can enable the netfilter-persistent service by running the following command:

sudo systemctl enable netfilter-persistent

This command enables the service that loads the iptables rules during system startup.

From now on, your iptables rules will be automatically preserved and restored across reboots in Debian. Each time you change the rules, such as when adding new port forwarding rules, save them again with sudo sh -c "iptables-save > /etc/iptables/rules.v4".