Building a router based on Fedora IoT
I had enough of my old WiFi router, which hangs randomly and hijacks my traffic with its diagnostics page whenever it thinks the network is down. So I decided to build a router myself. Compared to the Fedora Magazine article, I decided to do something new: use Fedora IoT instead of Fedora Server.
This guide is based on the latest Fedora IoT edition, and my setup is a small computer with multiple Ethernet ports. Installing Fedora IoT is no different from a normal Fedora installation, so I will not explain the installation process here, only the router configuration.
Why Fedora IoT?
As described on this page, Fedora IoT is a new edition of Fedora based on OSTree and designed for IoT devices, providing an immutable operating system with atomic updates. The shipped image is tested as a whole, so it should be safe to update regularly, follow upstream and pick up security fixes quickly.
Set up the lan bridge and assign firewall zones
In my device I have enp1s0 as the wan port and enp[2-4]s0 as lan ports. Those lan ports should be bridged to
Theoretically, if your ISP provides IPv6 prefix delegation (ipv6-PD), you can just set shared and remove the ipv6.addresses part; NetworkManager will then do prefix delegation on the lan network. If you also set ipv4.method shared, you can even skip the steps for setting up DHCP and router advertisement, since NetworkManager will do that for you.
Enable masquerading on wan
This allows masquerading for both ipv4 and ipv6.
Allow some services on lan
If you need more services, just list them here.
Allow traffic to be forwarded from lan to wan
Disable SSH from wan (optional)
Run firewall-cmd --reload to apply the changes.
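The zone assignment and firewalld steps above, collected into one script. This is an added example, not the commands from the original post: the NetworkManager profile names wan and lan and the policy name lan2wan are assumptions, and FWCMD/NMCLI default to the real tools but can be set to echo to preview the commands.

```shell
#!/bin/sh
# Added example: firewalld zoning for the Fedora IoT router described above.
# Assumptions (not from the post): NetworkManager profiles named "wan" (enp1s0)
# and "lan" (the bridge over enp[2-4]s0); the policy name "lan2wan" is made up.
# FWCMD / NMCLI default to the real tools; export FWCMD=echo NMCLI=echo to
# preview the commands without touching the system.
set -eu

FWCMD=${FWCMD:-firewall-cmd}
NMCLI=${NMCLI:-nmcli}

configure_router_firewall() {
    # Zone assignment: wan gets "external" (masquerade-capable, minimal services),
    # lan gets "internal" (the trusted side where router services are offered).
    "$NMCLI" connection modify wan connection.zone external
    "$NMCLI" connection modify lan connection.zone internal

    # Masquerade on the wan zone so lan clients can reach the internet.
    "$FWCMD" --permanent --zone=external --add-masquerade

    # Services the router offers to lan: DHCP, DNS, and the AdGuard Home UI
    # on tcp/3000 (the port used in the post). List more services here if needed.
    "$FWCMD" --permanent --zone=internal --add-service=dhcp
    "$FWCMD" --permanent --zone=internal --add-service=dns
    "$FWCMD" --permanent --zone=internal --add-port=3000/tcp

    # firewalld 1.0+ does not forward between zones implicitly: an explicit
    # policy with ingress=internal, egress=external and target ACCEPT is needed.
    # --info-policy fails while the policy does not exist, so create it only then.
    "$FWCMD" --permanent --info-policy=lan2wan >/dev/null 2>&1 ||
        "$FWCMD" --permanent --new-policy=lan2wan
    "$FWCMD" --permanent --policy=lan2wan --add-ingress-zone=internal
    "$FWCMD" --permanent --policy=lan2wan --add-egress-zone=external
    "$FWCMD" --permanent --policy=lan2wan --set-target=ACCEPT

    # Administration only from lan: drop ssh from the wan-facing zone
    # (the external zone allows it by default) and keep it on internal.
    "$FWCMD" --permanent --zone=external --remove-service=ssh
    "$FWCMD" --permanent --zone=internal --add-service=ssh

    # Make the permanent configuration live.
    "$FWCMD" --reload
}

# Apply only when explicitly requested, e.g. ROUTER_APPLY=1 sh router-firewall.sh
if [ "${ROUTER_APPLY:-0}" = 1 ]; then
    configure_router_firewall
fi
```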
Create the file /etc/dnsmasq.d/router.conf and add the following lines:
I disabled the DNS server on the lan ports since I will be using AdGuard Home instead. If you want to enable it, just remove port=0 and add server=... entries pointing to your upstream DNS servers to the file. Alternatively, you can specify dhcp-option=option:dns-server,... to hand your upstream servers directly to DHCP clients.
Create the file /etc/systemd/system/dnsmasq.service.d/override.conf and add the following lines:
Then run systemctl daemon-reload and systemctl enable --now dnsmasq to apply the changes and start dnsmasq.
AdGuard Home is free and open source DNS filtering software designed to block ads, malware and other unwanted content. It is available on Docker Hub, so we can use podman to run it. Create the file /etc/systemd/system/container-adguardhome.service and add the following lines:
Then create the directories with mkdir -p /var/lib/adg/confdir /var/lib/adg/work and run systemctl enable --now container-adguardhome.service to enable and start AdGuard Home. You should then go to http://192.168.100.1:3000 to configure AdGuard Home.
At this point, devices connected to the lan ports can access the network and the router is mostly done, but we can do some bonus work to enable automatic updates.
Auto-updating system image
rpm-ostree does not ship with an automatic update service that reboots for you, so we can make one on our own:
Run systemctl daemon-reload && systemctl enable --now os-update.timer. This will check for updates at 4:00 local time daily and reboot if there are any.
Auto update containers
Run systemctl enable --now podman-auto-update.timer to tell podman to check for updates to AdGuard Home periodically and apply them automatically.
Allow podman containers to access IPv6 via NAT
If you want to set an IPv6 DNS server as the upstream in AdGuard Home, it can fail, since podman does not provide IPv6 to containers by default, but you can enable it by changing