this post was submitted on 15 Feb 2024
12 points (92.9% liked)

Selfhosted

40809 readers
1321 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hello All!

I just purchased a Intel Celeron box from AliExpress to replace (and hopefully improve) the functions of my raspberry pi running wg-easy and pihole. I'd like this new box to handle DHCP, firewalling/ad blocking, and act as my wireguard server.

Currently I'm connecting my Internet modem (thankfully not a router, so no NAT) to my TPlink Archer AX21's WAN port and then using the LAN ports to connect to my devices. I see that I can turn off NAT on the TPLink, but I assume I wouldn't be able to use the new device as a DHCP server if I do, right? I could put the TPLink in AP mode but I'm not sure if that shuts off the WAN or LAN ports.

Is the best move to leave the TPLink in router mode (I'm not sure this matters) and plug the firewall into one of the LAN ports? I can do this but it'll require some re-running of cables so I wanted to check first.

top 21 comments
sorted by: hot top controversial new old
[–] TheLordlessBard 11 points 10 months ago (1 children)

If you're comfortable running your own router, my suggestion would be to install Opnsense on the new celeron box (as long as it has multiple ports and all the drivers exist in FreeBSD) and keep the TPLink in AP mode so it only handles the wifi side of things Opnsense is incredibly powerful and should have no problem running as your DHCP/firewall/wg box. I don't run pihole anymore since it has an Adguard Home plugin you can set up, but I did find it a bit more challenging to configure than pihole was

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago) (1 children)

I have thought about that, the issue is I'd need to re-run all but 1 of my Ethernet cables to a place where I can put the Celeron box. Once I start messing around with VLANs this is probably what I'll do, but it's going to be a big project.

I'm definitely going to give Adguard Home a shot.

Any thoughts on the best solution for now, basically putting the firewall in between the router and modem? If I plug it into a LAN port on the router and set up DHCP so it is the new gateway, that should work, right? I really wish I could plug it into the WAN port but I don't think DHCP will traverse the WAN to LAN ports on the router.

[–] TheLordlessBard 3 points 10 months ago (1 children)

Just to confirm, you don't have space next to your modem and/or router for the new Celeron box, correct?

I'm not sure how good of performance you would have if you run the firewall on the Celeron box connected to the LAN portion of your current router, but you could always give it a shot and if it doesn't work the way you'd like it to then you could try a different solution. From my understanding this setup would cause all traffic to go through your router at least 2x (even if it's only on layer 2 via the built-in switch.) it may not be that much of a drain though, I've never run a setup like that before

The best layout would be modem -> opnsense router -> Tplink device running in AP mode. From what you've said that doesn't sound feasible at this time. You might be able to utilize a bridge mode somehow, but at that point I'd be guessing since I don't remember much about the tplink consumer router capabilities

[–] doctorzeromd 1 points 10 months ago (1 children)

Sopuli seems to be down, so responding from a different account.

Yeah, it's actually that there isn't power for the Celeron box where all the other Ethernet currently is.

Just so I'm understanding, why would all traffic need to go to my router (do you mean the opnsense one or the tplink one) twice? Wouldn't it go Device -> Switch -> opnsense -> modem > internet? Or for my intranet communications, Device1 -> switch -> opnsense -> switch -> device2

[–] [email protected] 2 points 10 months ago

OPNsense is a gateway/firewall/DHCP/router my network looks like this

optical to Ethernet conversion (the isp's things) -> opnsense box -> network switch -> all other device (including wifi APs)

all traffic gets routed thru the opnsense box as it is the gateway to my network, runs the ipv4 nat and DHCP server

router in their comment refers to the the one that actually touches the Internet

[–] [email protected] 3 points 10 months ago (1 children)

Why don't you just plug your firewall directly in? Take your Internet and plug it into your Wan port.

[–] doctorzeromd 1 points 10 months ago (1 children)

Could you please explain in more detail? The goal is to plug my firewall directly in, as I understand it.

[–] [email protected] 3 points 10 months ago (1 children)

Take the cable coming out of the ISP modem and plug it straight into the firewall. Nothing inbetween

[–] doctorzeromd 1 points 10 months ago (1 children)

That is what I have been planning per my other comments.

[–] [email protected] 1 points 10 months ago

Yeah I just misunderstood

[–] [email protected] 2 points 10 months ago (1 children)

If I'm picturing the gear right, putting the TP into AP mode would just make it a client of the network that would then serve as your WiFi and the new box could be set up as the router/gateway for both the TP and the other clients formerly plugged into the TP.

Usually, changing the mode from router to AP would keep the LAN side active as an unmanaged switch, and may even add the wan port to it. So if all above holds true go modem, Celeron (opnsense), TP (LAN to LAN) and then plug the remaining Ethernet either into the TP or the other LAN ports on the Celeron box, both should be the same local network.

[–] doctorzeromd 1 points 10 months ago (1 children)

That would be great, and if the WAN port becomes a LAN port, even better. I don't see anything about that in the manual, but I'll cross my fingers

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago) (1 children)

You could try OpenWRT

Edit: its not supported. You would need to go buy a device with support.

[–] doctorzeromd 1 points 10 months ago* (last edited 10 months ago) (1 children)

Worst case I'll just use the 4 LAN ports on the TPLink and leave the WAN on the TPLink unused

[–] [email protected] 1 points 10 months ago (2 children)

How will you get internet?

[–] doctorzeromd 1 points 10 months ago (1 children)

Modem to WAN port of firewall, LAN port of firewall to wireless router in AP mode, other lan ports to other devices?

[–] [email protected] 1 points 10 months ago (1 children)

It works so long as you're not trying to create separate networks. When/if you decide to start with some vlan madness and such the AP likely won't work for that, unless it's fancy and can do multiple SSID on separate clans, but most WiFi/router combos don't go that far.

Basically the new firewall/router box becomes the boss of everything done ng DHCP, likely DNS relaying, and all the monitoring. Simple and efficient, just wouldn't go hosting public services with the setup since there's no 'DMZ' to keep it separate from you personal devices.

[–] doctorzeromd 1 points 10 months ago

Cool, that's exactly what my plan is currently. I will eventually run all the cables but I want to drop in this firewall and start learning it in the meantime.

I may even go the route of some managed switches and WANs that do support multiple SSIDs on different VLANs, but first I want to get comfortable with my new single network.

[–] [email protected] 1 points 10 months ago

another roart of the thread suggested using the Celeron box as an OPNsense router

[–] doctorzeromd 1 points 10 months ago

Just wanted to update everyone that the wireless router does turn into a 5 port unmanaged switch when changed to AP mode, and that the topology of Modem -> AP's WAN (this is now a Lan port because it's a switch) -> devices is working great!

[–] [email protected] -1 points 10 months ago

New Lemmy Post: Installing a hardware firewall/DHCP/Wireguard Server (https://lemmy.world/post/11992597)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md