Home Server planning

Planning my home network server.

HW is ordered should arrive soon and I’d like to start with the planning of setting it up.
Quad Core Mini PC Core i7 7820HK/HQ, Mini Computer,16G DDR4/,1T SSD,HDMI+DP Support 2 Monitors,Dual LAN NUC PC
I plan to attach 2 external USB SSD disks of 1 TB each for backup and maybe RAID1.

I plan to configure the server in 2 phases: (1) set up the server as modem/router, and (2) set up services like media server, web server, etc…

HW has two Ethernet network devices. One will be used as internal (LAN) and the other as external (WAN)

  ----------------          -----------------------------
  | ISP/internet | -------- | ISP modem, in bridge mode |
  ----------------          -----------------------------
                                          |
                               ----------------------
                               |    Home Server     |
                               | ppp0/eth0: WAN     |
                               | eth1: LAN          |
                               ----------------------
                                          |
                                          |  Internal private network
                                          |  Subnet: 192.168.0/24
                                          |
  -------------------   ---------------------   ------
  | Network Printer |   | Workstation 1 .. x |   | TV |
  -------------------   ---------------------   ------

1. Configuration: Rocky Linux 8 or 9. Not sure which is more suitable?

2. Disable NetworkManager and use network-scripts to setup static server connection

3. Network devices:
    1. install rp-pppoe 
    2. Configure eth0 (WAN), eth1 (LAN, static), ppp0
    3. run rp-pppoe

4. Configure package forwarding to allow data packets from one network to another by setting “net.ipv4.ip_forward = 1” in “/etc/sysctl.conf”

5. Firewall

I still prefer to use iptables. For one, I have an old script I can use; the firewall is fairly simple for a small network, and the other reason is that I feel firewalld is not as transparent.
Is there any security risk using iptables?

6. Install dnsmasq to provide DNS caching and a Dynamic DHCP server to my home network

I went through RAID manuals and understand that RAID1 is probably the most suitable for my configuration. Is RAID 1 feasible/doable with external SSD hard disks?

Which server monitoring tool (e.g. webmin) do you recommend?

Am I missing something?

Thanks for your insights.

Wolfgang

You seem to have decided on a somewhat out-of-date way of doing networking, might even be unsupported.

Insight taken, I am happy to learn. Though two questions:

  • Is there any security risk to the config I propose?
  • What would constitute a more up-to-date config? Can you propose alternatives or suggest some readings to understand what is more up to date?

Thanks, Wolfgang

Using network-scripts that were under /etc/sysconfig/network-scripts are deprecated, still in theory possible at least in Rocky 8. Therefore, best to do everything in Network Manager as that is the main way for doing things since at least RHEL7 was released.

It would be best for you to get used to using firewalld instead of iptables, it just depends on the complexity of your rules. If they are port-based mostly rather than source or destination based, then it makes sense. Source based are also easy enough with firewalld. Destination based can start getting complicated and require writing rich rules in firewalld, though still possible, I find that part a little more complicated than doing it with iptables. You can still use it however if you want, will just require you disabling firewalld first. You can also use nftables instead of firewalld as well. Firewalld uses nftables. You can also configure firewalld to utilise iptables but it is deprecated and will be removed in future releases.

With Rocky 9 only being released within the last year, it will run for a few more years than Rocky 8. Rocky 8 goes EOL around 2029. Rocky 9 in 2032.

The kernel (in EL8 and EL9) has nftables. The tool ‘iptables’ is a wrapper to tool ‘nft’ that communicates with nftables (just like firewalld does).
The wrapper translates iptables-syntax into nftables rules, but is not 100% complete. I don’t know what it cannot translate.

The nftables.service loads ruleset from file(s), just like iptables.service did load ruleset from file.
There is a helper script that can read iptables rules and show the corresponding nftables ruleset.

Red Hat’s RHEL-documentation describes both firewalld.service and nftables.service and implies that the latter is for “real work”. (They might have retconned it now that FirewallD finally supports router setup.)

NetworkManager can do “static config”. You probably want to install package ‘NetworkManager-config-server’ as it makes NM behave even more like “old school”.

We have a couple of documents regarding the use of firewalld and even one that takes into account your former use of iptables:

Let us know if you have further questions.

Thanks for the information.
I got a lot of reading to do it seems :).

Best regards,

I had a lot of reading to do. This is what I came up with. I’d like to get in front of my home server this weekend and start with configuration. The first step is only to configure the server to act as modem. In phase two the fun starts with setting up chrony, SSH, LAMP stack, etc…
I’d like also to create a cookbook with all the different chapters that could get uploaded here if there is interest.
Anyway, thanks for helping

Phase 1

Network configuration

Host configuration

Command

vi /etc/hosts, and add
127.0.0.1 <hostname> localhost.localdomain localhost

Gateway configuration

Command:

vi /etc/sysconfig/network, add
NETWORKING=yes
HOSTNAME=<hostname>
GATEWAY=192.168.1.1

NIC configuration

Still not certain what is better; using nmcli or edit directly files in /etc/sysconfig/network-scripts
I cannot find ipv4.method (=BOOTPROTO?) dialup anymore. What is the right value for the pppoe interface?

LAN NIC file /etc/sysconfig/network-scripts/ifcfg-enp3s0

DEVICE=enp3s0
TYPE=Ethernet
NAME=LAN
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
USERCTL=no
BOOTPROTO=static
PEERDNS=no
HWADDR=aa:bb:cc:dd:ee:ff
IPV6INIT=no

Command:

nmcli con add type ethernet ifname enp3s0 con-name LAN ipv4.method manual ipv4.addresses 192.168.1.1/24 \
  ipv4.ignore-auto-dns yes connection.autoconnect yes

WAN NIC configuration file /etc/sysconfig/network-scripts/ifcfg-enp5s0

DEVICE=enp5s0
TYPE=Ethernet
NAME=WAN
IPADDR=
NETMASK=
ONBOOT=yes
USERCTL=no
BOOTPROTO=none
PEERDNS=no
HWADDR=aa:bb:cc:dd:ee:ff
IPV6INIT=no

Command:

nmcli con add type ethernet ifname enp5s0 con-name WAN ipv4.method disabled ipv6.method disabled \
  connection.autoconnect yes

PPPOE configuration

Command:

dnf install ppp NetworkManager-ppp

Check that plugin rp-pppoe.so is set in /etc/ppp/options

PPPOE configuration file /etc/sysconfig/network-scripts/ifcfg-ppp0

DEVICE=ppp0
USER=ISP username
TYPE=pppoe
NAME=pppoe
DEMAND=no
USERCTL=no
PEERDNS=no
DEFROUTE=yes
PARENT=enp5s0
BOOTPROTO=dialup (value still exist?)
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=80
LCP_INTERVAL=20
LCP_FAILURE=3
CONNECT_TIMEOUT=60
CONNECT_POLL=6
CLAMPMSS=1412
SYNCHRONOUS=no
IPV6INIT=no

Command:

nmcli con add type pppoe ifname ppp0 con-name ppp0 autoconnect yes save yes \
  username <username> password <password> pppoe.parent enp5s0 mtu 1492

nmcli connection reload

Set authentication details for the ISP account

Command:

vi /etc/ppp/pap-secrets, add
"adslppp@telefonicapa.com" "ppp0" "adslppp"

chmod 600 /etc/ppp/pap-secrets

vi /etc/ppp/pppoe-server-options, add
require-pap
login
lcp-echo-interval 10
lcp-echo-failure 2

Dynamic DNS

My ISP uses dynamic addresses that change every time my server reconnects to the internet. A DDNS service updates my home server’s IP address and communicates it through the DNS world. As a result, the fully qualified domain name points to my home server.

Setup DDNS service provider

TBD

ISP modem

Set modem in bridge mode > virtual tunnel to ISP. Home server dials ppp over that virtual link

Firewall

Packet forwarding

Allow data packets to pass from LAN to WAN and vice versa

Command:

sysctl -w net.ipv4.ip_forward=1

Define firewall

Users on LAN need to access internet.

Network Address Translation (NAT) changes a packet’s destination or source IP address. The packets look as if they came from a different address than the original. Packets from LAN get routed to the internet and vice versa, and this keeps the LAN “hidden” from the internet (security details, workstations etc…)

Postrouting is a technique for changing packets as they leave the LAN to the internet

Commands:

Do I need to set a default zone?

firewall-cmd --zone=internal --change-interface=enp3s0 --permanent
firewall-cmd --zone=external --change-interface=enp5s0 --permanent
firewall-cmd --zone=external --change-interface=ppp0 --permanent
firewall-cmd --permanent --zone=internal --add-source=192.168.1.0/24
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --zone=internal --add-service=dns --permanent   (required?)
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ppp0 -j MASQUERADE -s 192.168.1.0/24
firewall-cmd --zone=external --add-service=ssh --permanent
firewall-cmd --zone=external --add-service=https --permanent
firewall-cmd --reload

Wolfgang

@Smoky Please use the post editors tools to format your posts properly it makes it easier reading for everyone else - and also means I don’t have to keep editing them and formatting them for you :slight_smile:

Thanks :slight_smile:

Hello @iwalker.
First of all thanks for doing the editing this time.
Going forward I will use the tools in the forum here.

Thanks, Wolfgang


No problem. For the bit you mentioned about putting a cookbook together. You could in theory put all of your configuration into ansible playbooks. That way, whenever you need to configure a system, including the network config, ppp config etc, you can use the playbook to reproduce it at ease. Ideal case when you need to rebuild the server again from zero, the playbook would get you back up and running again pretty quickly by installing all the packages you need, setting the /etc/hosts stuff, network config, etc, etc.

If you haven’t used ansible yet, I recommend it.


See man nm-settings.

For example, the ipv4.method is typically one of {auto, manual, disabled} and the equivalent ipv6.method are {auto, manual, ignore} . (There is no “static”, even though it might map to some option.)

Package rhel-system-roles has Ansible role rhel-system-roles.network. Alas, its documentation (or code) does not mention “pppoe”. It is not difficult to write Ansible tasks to do what the role does not.

(Ansible play has “facts” in some format. Ansible converts them into nmcli-calls. The nmcli converts given parameters into NetworkManager settings.)


Ok, so I started the journey. Rocky Linux is installed.
LAN NIC is set.
I am trying now to define the broadband connection.
ppp and NetworkManager-ppp are installed

  • I created a new connection called pppoe
    nmcli connection add type pppoe ifname ppp0 con-name pppoe pppoe.parent enp3s0 \
      pppoe.user adslppp@telefonicapa pppoe.password adslppp \
      ppp.mtu 1492 ppp.lcp-echo-interval 10 ppp.lcp-echo-failure 2

  • /etc/ppp/pap-secrets is set

  • Defined /etc/ppp/options the following way:
    #lock
    require-pap
    login

  • Questions I have are the following

  1. Which ipv4.method do I need to set for pppoe.parent NIC enp3s0?

  2. In the config file from my old server I had additional parameters defined and I am not sure how to set them with nmcli. I checked in the nmcli editor under pppoe and ppp and can’t find them anywhere. These are:
    PING=.
    PPPOE_TIMEOUT=80
    LCP_INTERVAL=20
    LCP_FAILURE=3
    CONNECT_TIMEOUT=60
    CONNECT_POLL=6
    CLAMPMSS=1412
    SYNCHRONOUS=no

Thanks in advance for your help.

Wolfgang

I guess I might be coming close.
I set up /etc/hosts and /etc/sysconfig/network, and set packet forwarding with net.ipv4.ip_forward=1

  • I set up a LAN NIC (enp2s0) with a static IP
  • set up the pppoe.parent (enp3s0) with status disabled
    I know this is odd, but I tried other ipv4.method values too with the same result.
  • Next I created a new connection pppoe

All three connections are active. I also defined the firewall as described above.
Result is that I do get an IP from my ISP, but I have no access to internet.



I booted the machine between the screenshots. ISP IP addresses are therefore different.

Where do I need to look? What am I missing?

Thanks for your insight.
Wolfgang

Ok, so I started the journey. Rocky Linux is installed.
I defined the LAN NIC with the ipv4.method manual and an IP address and it is up and running. I can ping it
I am trying now to define the broadband connection.

  • ppp and NetworkManager-ppp are installed

  • I created a new connection called pppoe
    nmcli connection add type pppoe ifname ppp0 con-name pppoe pppoe.parent enp3s0 \
      pppoe.user adslppp@telefonicapa pppoe.password adslppp \
      ppp.mtu 1492 ppp.lcp-echo-interval 10 ppp.lcp-echo-failure 2

  • /etc/ppp/pap-secrets is set

  • Defined /etc/ppp/options the following way:
    #lock
    require-pap
    login

  • Question I have is the following; in the config file from my old server I had many more parameters set and I am not sure how to set them with nmcli. I checked in the nmcli editor under pppoe and ppp and can’t find them anywhere. These are:

    PING=.
    PPPOE_TIMEOUT=80
    LCP_INTERVAL=20
    LCP_FAILURE=3
    CONNECT_TIMEOUT=60
    CONNECT_POLL=6
    CLAMPMSS=1412
    SYNCHRONOUS=no

  • Which ipv4.method do I need to set for pppoe.parent NIC enp3s0?

Thanks in advance
Wolfgang

I would presume (although I’ve seen pppoe) that if the pppoe connection has the IP address of the “link”, then the physical device has none. Therefore, “disabled”.

I finally had some time to try to get the server for my home network off the ground. Not with success.
Here again a summary:
Setup: Server with two NICs: enp3s0 (external) and enp2s0 (internal).

  • net.ipv4.ip_forward set to 1 in /etc/sysctl.conf

  • firewalld: created two zones, internal and external; internal and external set to forward=yes and external additionally masquerading set to yes

  • zones in ifcfg-enp2s0 and ifcfg-enp3s0 set

  • enp2s0 set with static IP

  • enp3s0 set with ipv4.method=disabled (I tried also auto)

  • pppoe set as
    nmcli con add type pppoe ifname ppp0 con-name pppoe pppoe.parent enp3s0 pppoe.user ISP_user \
      pppoe.password ISP_pswd ppp.mru 1492 ppp.mtu 1492 ppp.lcp-echo-interval 10 ppp.lcp-echo-failure 2

  • firewalld. I followed iwalker’s script

firewall-cmd --zone=external --add-interface=enp3s0 --permanent
firewall-cmd --zone=internal --add-interface=enp2s0 --permanent
firewall-cmd --set-default-zone=external --permanent
firewall-cmd --reload
firewall-cmd --get-default-zone
firewall-cmd --new-policy internal-external --permanent
firewall-cmd --reload
firewall-cmd --policy internal-external --add-ingress-zone=internal --permanent
firewall-cmd --policy internal-external --add-egress-zone=external --permanent
firewall-cmd --policy internal-external --set-target=ACCEPT --permanent
firewall-cmd --reload
firewall-cmd --info-policy internal-external

Result:

  • I can ssh to my server
  • I can start pppoe connection and get an IP from my ISP
  • I can ping the ISP’s IP address

For reference I add picture of the interfaces as well as the route information

Thanks in advance for some tips and insights how I can best go from here.

Wolfgang

Well it won’t work if PPP is the internet connection, and you set external to be a network card that doesn’t have an IP address. You could try putting ppp0 as the external interface and remove the other one that you added. Remember my script was an idea of how to get two zones running, internal being my internal network, external being the one for my internet connection. So you cannot use it word-for-word, if you are not using the exact same setup as me. I don’t use PPP, so mine are all over PPPoE meaning I use the ethernet cards for my internet connection. Since yours uses PPP, then you need the external zone to have the ppp0 interface.

Also, your LAN interfaces don’t need a default gateway, since if this is your firewall/router to the internet, then it only needs one gateway which would be your PPP connection. So I would also delete the default gateway 10.5.2.1 which was added to one of the ethernet cards.
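As an added example (not from the thread or its participants), a small POSIX shell check that reads the text of `ip -4 route` and `firewall-cmd --list-all-zones` and flags the two faults pointed out above: a default gateway sitting on the LAN card instead of the PPP link, and ppp0 absent from the external zone (plus masquerade being off there). Interface names enp2s0 and ppp0 are taken from the thread; the sample outputs are constructed and use documentation-range ISP addresses.

```shell
# Added sanity check (not from the thread): parses text captured from `ip -4 route`
# and `firewall-cmd --list-all-zones`. Names are the thread's; override via WAN_IF/LAN_IF.
set -u
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-enp2s0}"
# check_routes ROUTE_TEXT: prints "ok" or one problem per line. The single
# default route must leave through the PPP link, never the LAN card.
check_routes() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        $1 == "default" { n++; dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != wan) { bad++; printf "default route via %s, expected %s\n", dev, wan }
        }
        END {
            if (n == 0) { bad++; print "no default route" }
            if (n > 1)  { bad++; printf "%d default routes, expected 1\n", n }
            if (bad == 0) print "ok"
        }'
}
# check_zones ZONE_TEXT: prints "ok" or one problem per line. ppp0 must sit
# in "external" with masquerade on, the LAN card in "internal".
check_zones() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" -v lan="$LAN_IF" '
        /^[^ ]/ { zone = $1; next }   # zone header, e.g. "external (active)"
        zone == "external" && $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == wan) wan_ok = 1 }
        zone == "external" && $1 == "masquerade:" { masq = $2 }
        zone == "internal" && $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == lan) lan_ok = 1 }
        END {
            if (!wan_ok)       { bad++; printf "%s not in external zone\n", wan }
            if (masq != "yes") { bad++; print "masquerade not enabled on external zone" }
            if (!lan_ok)       { bad++; printf "%s not in internal zone\n", lan }
            if (bad == 0) print "ok"
        }'
}
# Constructed samples: BAD_* mirror the failing setup in the thread (gateway 10.5.2.1
# on the LAN card, enp3s0 instead of ppp0 in "external"); GOOD_* is the intended state.
BAD_ROUTES='default via 10.5.2.1 dev enp2s0 proto static metric 100
10.5.2.0/24 dev enp2s0 proto kernel scope link src 10.5.2.1'
BAD_ZONES='external (active)
  interfaces: enp3s0
  masquerade: yes
internal (active)
  interfaces: enp2s0'
GOOD_ROUTES='default dev ppp0 scope link
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.1'
GOOD_ZONES='external (active)
  interfaces: ppp0
  masquerade: yes
internal (active)
  interfaces: enp2s0'
# Run with --live on the router to check the real state; otherwise demo the bad sample.
if [ "${1:-}" = "--live" ]; then set -- "$(ip -4 route)" "$(firewall-cmd --list-all-zones)"
else set -- "$BAD_ROUTES" "$BAD_ZONES"; fi
check_routes "$1"; check_zones "$2"
```

Run as root on the router with `--live`; every line other than `ok` names a setting to correct before expecting LAN clients to reach the internet.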

Thank you for your response.
When it comes to the interface definition, I need enp3s0 as it is a physical card. Connection pppoe is only a virtual one, for which I set pppoe.parent enp3s0.
This is exactly the same logic as under the good old network-scripts. Bootproto would be set to none and IP address set as blank.
In the ifcfg-pppoe one would reference enp3s0.

NM reference manual is not really clear to me: “If given, specifies the parent interface name on which this PPPoE connection should be created. If this property is not specified, the connection is activated on the interface specified in “interface-name” of NMSettingConnection.”

What I can try is to replace in the firewall definitions enp3s0 by pppoe. It’s that what you mean?

Wolfgang

You can try and see if that helps. As I said never configured it, and haven’t a way to test such a connection.