blog/_posts/2016-11-19-set-up-a-router-with-archlinux-arm.md

---
title: "Set up a router with ArchLinux ARM"
date: 2016-11-19
url: set-up-a-router-with-archlinux-arm
layout: post
category: Hacking
---

[![A missing blog post image](/img/blog/set-up-a-router-with-archlinux-arm.png)](/img/blog/set-up-a-router-with-archlinux-arm.png)

The goal of this article is to set up completely a router with a Raspberry Pi running on ArchLinux. The procedure may be easily adapted to the Raspbian OS.  

Let's assume that you have an interface **wlan0** connected to Internet, and on another interface **eth0** some computers ready to reach it !  
If your configuration is not exactly this, don't hesitate to modify the interfaces names with your case.

For the beginning, we have to enable the IP forwarding on the Pi. Edit this file :

`# nano /etc/sysctl.d/30-ipforward.conf`

... add in there the following content :

> net.ipv4.ip_forward=1  
> net.ipv6.conf.default.forwarding=1  
> net.ipv6.conf.all.forwarding=1

Since this step, let's assume that your router will create a subnetwork **192.168.42.0/24**. Change this information in the future as the one you need.

We've to set up the "devices" interface, and assign an IP address to your router, on this subnetwork :

`# ip link set up dev eth0`  
`# ip addr add 192.168.42.1/24 dev eth0`

In order to load this interface at boot, with a static IP, you'll need to edit this file :

`# nano /etc/netctl/eth0-router`

... and paste this (apply some changes on it if you have to) :

> Description='A basic static configuration for the subnetwork interface'  
> Interface=eth0  
> Connection=ethernet  
> IP=static  
> Address=('192.168.42.1/24')

**:warning: You may experience some issues if `systemd-networkd` service (managed with `networkctl`) tries to mess with your network interfaces (particularly `eth0` in this case). You'd want to remove the corresponding profile from `/etc/systemd/network/` folder to avoid that ! :warning:**

We've to make this configuration loaded on boot :

`# netctl enable eth0-router`

Now, let's configure the firewall to secure the router, and enable the connection forwarding for the devices, and in order to allow DHCP and DNS requests :

`# iptables -X`  
`# iptables -F`  
`# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE`  
`# iptables -P FORWARD DROP`  
`# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`  
`# iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT`  
`# iptables -I INPUT -p udp --dport 67 -i eth0 -j ACCEPT`  
`# iptables -I INPUT -p udp --dport 53 -s 192.168.42.0/24 -j ACCEPT`  
`# iptables -I INPUT -p tcp --dport 53 -s 192.168.42.0/24 -j ACCEPT`

Let's here save the rules within the backup file :

`# iptables-save  > /etc/iptables/iptables.rules`

Now let's make `iptables` starting on boot automatically :

`# systemctl enable --now iptables`

---

At this point, your router is supposed to _route_, but your devices won't have an IP automatically, let's install and set up a DHCP server on your router :

`# pacman -S dhcp`

Now let's configure this server (you may wanna change the DNS server IPs by yours or some others) :

`# nano /etc/dhcpd.conf`

... add the following (don't forget to change the addresses if you have to) :

> option domain-name-servers 9.9.9.9, 208.67.222.222;  
> option subnet-mask 255.255.255.0;  
> option routers 192.168.42.1;  
> subnet 192.168.42.0 netmask 255.255.255.0 {  
>   range 192.168.42.2 192.168.42.253;  
> }  
>  
> \# Don't listen to the other interface !  
> subnet 192.168.1.0 netmask 255.255.255.0 {  
> }

With these lines, the DHCP server won't listen to the other subnetwork (**192.168.1.0** in this example), and should give addresses between **192.168.42.2** and **192.168.42.253**.

Identically as above, let's make DHCPD running on boot :

`# systemctl enable --now dhcpd4`

---

That's all ! Your devices should have access to Internet through your little router **after a reboot**. You are now able to build your own firewall rules, and do some others things easily :wink: