Thursday, August 4, 2016

Using Arch Linux as router/firewall on the Raspberry Pi3


In the last post I explained how I got a Raspberry Pi3 to work as a wifi router/firewall using Gentoo Linux. In this post I will explain how to configure Arch Linux on the RPI3 for the same job.

OS Install

There are no downloadable images for the RPI at the official Arch Linux site. The ARM port for Arch is maintained independently at the Arch Linux ARM site. The instructions for setting up the SD card for the RPI3 are pretty simple and straightforward. The only addition needed is to add the following lines to the /boot/config.txt file if you want to use a serial console.

core_freq=250
dtoverlay=pi3-miniuart-bt

The RPI3 should boot normally and if you are using a serial console there should be no issues. Once Arch boots, update your system by entering pacman -Syu. It should not take long; then proceed to setting up the interfaces.

Interface Configuration

The documentation to set up the network interfaces can be found here. These are the steps.

First cd to the /etc/systemd/network directory. There you will see a file called eth0.network. This file controls how the interface is set up. Remember that the RPI3 changes its MAC address after every reboot, so this section needs to be added to the file to pin it.

[Link]
MACAddress=current mac address

The current MAC address can be found with the command ip link. Then to set up the wlan0 interface, make a copy of the eth0.network file and call it wlan0.network with cp eth0.network wlan0.network. Next make the following changes.

[Match]
Name=wlan0

[Network]
Address=192.168.0.1/24 or whatever ip scheme you choose

[Link]
MACAddress=current mac address

Finally restart the systemd-networkd service with the command systemctl restart systemd-networkd and the wlan0 interface will come up.

Networking, DHCP, and DNS Configuration

In order to enable routing between the interfaces, copy the /usr/lib/sysctl.d/50-default.conf file to the /etc/sysctl.d/ directory. Then add these lines at the end.

# Enable routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Apply the settings with sysctl -p /etc/sysctl.d/50-default.conf and routing is enabled.

I used dnsmasq for both DHCP and as a local DNS resolver. Install the package by entering pacman -S dnsmasq. Then take the default /etc/dnsmasq.conf file and back it up with mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak. Create a new /etc/dnsmasq.conf file and add the following.

dhcp-range=wlan0,192.168.0.10,192.168.0.250,72h
interface=wlan0

If you try to start the service now it will fail. This is because systemd has its own resolver (systemd-resolved) that will conflict with dnsmasq on port 53. This needs to be disabled before you proceed by doing this.

systemctl stop systemd-resolved
systemctl disable systemd-resolved

Afterwards add these lines or similar to /etc/resolv.conf so the router itself has upstream resolvers.

nameserver 208.67.220.220
nameserver 208.67.222.222

Finally you can enable dnsmasq.

systemctl enable dnsmasq
systemctl start dnsmasq

Hostapd Configuration

Install hostapd with pacman -S hostapd. Then, as with dnsmasq, make a backup of the default config file, create a blank one and add the following.

interface=wlan0
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
country_code=US
ssid=ssid
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=password

Then enable the service.

systemctl enable hostapd
systemctl start hostapd

iptables Configuration

The setup of iptables is pretty similar to what was done on the Gentoo post with some differences. Here are my rules.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -i wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

These rules need to be added to the /etc/iptables/iptables.rules file or systemd will not start the service. This is done with the command iptables-save > /etc/iptables/iptables.rules. Then enable the service.

systemctl enable iptables
systemctl start iptables
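As an added example (not part of the original post), here is a small POSIX shell audit that reads an iptables-save dump such as /etc/iptables/iptables.rules and checks that the saved ruleset still matches the policy above: default DROP on INPUT and FORWARD, only ssh accepted from eth0, forwarding limited to the LAN subnet, and NAT on eth0 in place. The two rulesets it runs against are constructed inline so it works anywhere; the function names are my own.

```shell
# audit_ruleset FILE: check an iptables-save dump (on the router, /etc/iptables/iptables.rules)
# against the policy described above; prints FAIL lines and returns the number of findings.
audit_ruleset() {
    awk '
    function fail(msg) { n++; print "FAIL: " msg }
    /^\*/ { table = substr($0, 2); next }   # *filter / *nat table header
    table == "filter" && /^:INPUT /   && $2 != "DROP" { fail("INPUT policy is " $2 ", expected DROP") }
    table == "filter" && /^:FORWARD / && $2 != "DROP" { fail("FORWARD policy is " $2 ", expected DROP") }
    # Unsolicited traffic arriving on the WAN side (eth0) may only reach ssh.
    table == "filter" && /^-A INPUT / && /-i eth0/ && /-j ACCEPT/ && !/--dport 22( |$)/ {
        fail("INPUT accepts more than ssh from eth0: " $0) }
    # Forwarding from the LAN side must be limited to the LAN subnet.
    table == "filter" && /^-A FORWARD / && /-i wlan0/ && /-j ACCEPT/ && !/-s 192\.168\.0\.0\/24/ {
        fail("FORWARD from wlan0 not limited to 192.168.0.0/24: " $0) }
    table == "nat" && /^-A POSTROUTING / && /-o eth0/ && /-j MASQUERADE/ { masq = 1 }
    END { if (!masq) fail("no MASQUERADE on eth0 in nat POSTROUTING"); exit n }
    ' "$1"
}
# Constructed sample: the rules from this post as iptables-save writes them.
good_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i wlan0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
# Constructed sample: the same ruleset weakened in three places (open INPUT policy,
# WAN side wide open, unrestricted forwarding); the audit should report three findings.
bad_rules() {
    good_rules | sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' \
                     -e 's/^-A INPUT -i eth0 .*/-A INPUT -i eth0 -j ACCEPT/' \
                     -e 's/^-A FORWARD -s 192.168.0.0\/24 -i wlan0/-A FORWARD -i wlan0/'
}
# Demo run on the constructed sample; on the router pass /etc/iptables/iptables.rules instead.
tmp=$(mktemp) && good_rules > "$tmp"
audit_ruleset "$tmp" && echo "ruleset matches the intended policy"
rm -f "$tmp"
```

Running it after every change to iptables.rules (or from a timer) catches a rule that was typed at the shell but never saved, which is exactly the case where systemd brings the service up with something other than what you meant.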

This should be all you need to get the RPI3 working as a wifi router with Arch Linux.

Final thoughts on systemd

Arch Linux uses systemd as its init system. It is a significant change from the init systems found in other Unix operating systems (i.e. the BSDs) as well as OpenRC, which Gentoo Linux uses. A lot has been written over the change to systemd and the benefit or hurt it has brought to Linux. If you want to read more on it a simple Google search will suffice. Here are some of my thoughts.

I have set up routers/firewalls, both physical and virtual, using Gentoo, FreeBSD, NetBSD, and OpenBSD. In every one of these OSs the init system did not get in my way. Setting up the services was straightforward; the documentation was easy to find and digest. I did not have that experience with systemd. As a Linux user, when the distros I used moved to systemd, I really did not see what all the fuss was about. I heard how some sysadmins were just not happy at how systemd was, in their words, 'taking over everything'. It wasn't until I tried to set up networking on a distro that used systemd that I began to see their point. Systemd really does reach into a lot. It has its own local resolver that you need to disable if you want to set up dnsmasq. The Arch Linux Router page on the wiki does not tell you this, or at least let you know how to check beforehand. Setting up the interfaces was not straightforward. Should I use netctl or systemd-networkd?

I want to be fair. Once I sifted through the docs I was able to get everything working. Now if I need to do this again I can go through the steps fairly quickly. However, with other init systems there was very little sifting needed (if any) and I did not run into the gotchas that I did with systemd. I am not trying to be a systemd hater; what I am saying is that it is very different. As systemd grows in adoption, makers and administrators of Linux based network appliances will probably need to relearn how to set up their systems.

2 comments:

  1. Thanks for your work ...
    And good dilemma ...
    My point of view is super KISS.
    Whatever is simple.
    But it must be up to date
    So if you do not choose systemd
    Why not use Gentoo (or Sabayon) instead of arch, and where I put Gentoo (Sabayon) any other distro that would use and update whatever you like more than systemd.

    I hope this can help you to solve your dilemma.

    Reply:
    I am trying out different distros as networking devices. In my last post I walked through how to set up Gentoo.