New Router Arrived
While busy with a few other things, I did take a little time to poke at the new router.
Scrolling back through the posts will reveal I've cobbled together my Internet connection by repurposing an old WiFi router as my edge router, after finding out the wired router I purchased for that purpose could really only offer NAT despite being provided with a public IP subnet.
I recently went through the better part of a few days playing with a Firewalla Gold Plus I bought to replace the WiFi. Through no fault of the Firewalla, I was unable to configure it as something was awry with my ISP configuration, and the router couldn't reach the Internet. I wasn't able to get past that shortcoming (really the time you need to configure a router the most is if the Internet has gone away, right?), some of their decisions to store configurations in the cloud (without detailing where, why, or what other things could access it), and because it turns out it doesn't support IPv6 6in4 tunnels (my ISP's workaround for not offering native IPv6 service, yet). That box was performant and full of features, but missed a few of my important check marks. They seemed understanding, and issued an RMA without any fuss. Now I gotta remember to send it back...
I thought I'd go a little more DIY, and nabbed an appliance from Amazon. Not exactly this one, but one like it. I chose it mostly for the 6x2.5GbE connectors, but also because the RAM and storage are expandable. None of them have fantastic processors, but we're talking about routing here, and I got one with more than sufficient compute power compared to the recommended settings for the firewall (and underlying) OSs.
I figured I could work through pfSense or OPNsense, or lean on my Ubuntu experience and configure an Ubuntu server installation as a router. I've done routing, multi-homing, and firewall management on Ubuntu in a number of situations, just not on an appliance-level machine. Having said that, this is a decent speed, quad-core, 64-bit Intel processor, supporting up to 32GB of RAM, and one or more SSDs of TB size or more. I've made fully-functional servers with less. The box I purchased came with pfSense installed, so I figured I'd start there.
I opened the box that arrived today and found a unit that's just a little bigger and a little heavier than the Firewalla. Also in the box are a couple of cables, a fan, a mounting bracket, and some screw sets. Oh, and its power supply. Giving the box a once-over, there is a clear spot to mount the fan, which I'm guessing isn't installed because the unit does have a SATA connector, and there doesn't seem like there would be room for both a drive and the fans (I could be wrong--I haven't opened it). It's also constructed so the whole case is a heat-sink, which should be fine sitting on the rack shelf in the cool basement "data center."
I connected the box to an HDMI monitor and USB keyboard and plugged in the power. A quick tap of the power button, and it fired into action. A seemingly normal BIOS splash screen barely splashed by, and a slew of boot messages started scrolling up, stopping at the first offering to configure the box. I've read through the setup documents a little bit, but they're not written entirely step-by-step. It asked me to configure the WAN, then choose a LAN interface, and offered a set of other configuration options, like a DHCP server.
Once I had the WAN and LAN addressed, I connected my portable PC and hit the web GUI. A few of the terms are different, and some of the UI choices are different enough that it took some documentation searching to finish the configuration.
I spent a little time learning how to configure a number of the Ethernet ports together as a switch, using their bridge configuration. I turned off NAT to the LAN as part of the bridge building, and stepped through double-checking the public IP routing configuration based on the documentation.
Although the network isn't connected, I also worked to configure the IPv6 tunnel. I've configured the servers to have static IPv6 addresses, so I didn't step through and configure DHCPv6 or RA for the moment. I do need to double-check the gateway configured, or change the address on the router to match.
Then I spent some time playing with the firewall rules. I'm not sure I need some of them, but until I'm certain, I figured I'd be explicit.
It isn't clear that the router itself doesn't accept connections from the Internet, and since it offers SSH and HTTP(S), I made a "source Internet, destination WAN" block. I need ping to work for the tunnel, so I made sure there's an "accept ICMP" rule before that block-everything rule.
I added a "source LAN, destination anywhere" allow rule, so the LAN devices aren't blocked to the Internet or each other.
I learned about the firewall aliases to do multi-port rules, so I made one for each of the servers, and made an "allow alias" rule for each server. I then added a "source anywhere, destination LAN" deny rule to block all the other things.
I didn't add any firewall rules for the WiFi router, as it shouldn't need anything more than the LAN rules, as it doesn't accept Internet input anyway.
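The ruleset described above, rendered as a pf.conf fragment (the format pfSense generates underneath its GUI). This is an added example, not the post's configuration: the interface names, server addresses and port lists are assumptions. pfSense evaluates rules first-match by adding `quick` to each one, so the explicit `quick` here reproduces the GUI ordering, which is why the ICMP rule has to sit above the WAN block. One rule the text does not mention is also included: a 6in4 tunnel carries IPv6 inside IP protocol 41, so that protocol must reach the WAN address from the tunnel endpoint or the tunnel will never pass traffic.

```pf
# Added example: pf.conf rendering of the rules described in the post.
# Interface names and addresses below are assumed, not taken from the router.
ext_if = "igc0"          # WAN port (assumed name)
lan_if = "bridge0"       # the switched LAN ports bridged together (assumed)
tun_endpoint = "198.51.100.1"   # constructed 6in4 tunnel broker address

# "firewall aliases" for multi-port rules, one per server (constructed values)
table <web_srv>  { 192.0.2.10 }
table <mail_srv> { 192.0.2.11 }
web_ports  = "{ 80, 443 }"
mail_ports = "{ 25, 465, 587 }"

set skip on lo0
block in log all         # default deny; everything below is first-match

# "accept ICMP" must come before the WAN block so the tunnel can be pinged
pass in quick on $ext_if inet proto icmp icmp-type echoreq to ($ext_if)
# 6in4 encapsulation (IP protocol 41) from the tunnel endpoint to the WAN address
pass in quick on $ext_if inet proto 41 from $tun_endpoint to ($ext_if)
# "source Internet, destination WAN": nothing else reaches the router itself
block in quick log on $ext_if to ($ext_if)

# "source LAN, destination anywhere"
pass in quick on $lan_if from $lan_if:network to any keep state

# one "allow alias" rule per server, limited to its published ports
pass in quick on $ext_if proto tcp to <web_srv>  port $web_ports  keep state
pass in quick on $ext_if proto tcp to <mail_srv> port $mail_ports keep state

# "source anywhere, destination LAN" deny catches all other inbound traffic
block in quick log on $ext_if to $lan_if:network
```

With NAT turned off and the public subnet routed to the LAN, the last block rule is what actually protects the non-server hosts, so it is worth confirming it is logged and ordered after the alias rules when checking the GUI.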
It isn't connected to anything else, but it does seem to work inasmuch as I can ping from the LAN node to the router LAN and (disconnected) WAN interfaces. I thought about configuring my mobile PC as the other node in the WAN, but I don't have any other convenient machines to act as LAN devices, so I'll test the rest later.
I wanted to poke at some of the plugins, to use Let's Encrypt to get HTTPS working on the Web GUI, for example. I had to do some documentation scouring, because the plugins seem to need the Internet to load. I believe the router is all the current versions, but it seems to be based on a February build, so there are probably some configuration if not OS updates by now.
I shut down the device, and then thought about trying to find the place to add SSH keys, but I can do that later, too. I didn't think to connect to it via SSH at all, but I certainly will in the future.
I plan to do some more testing and maybe additional configuration before I try to replace the current edge router. I'll be away from the keys a bit tomorrow, but should have the whole day as the only LAN user on Wednesday.
So far, I like it and am confident that this will finally suit my needs.