Home Lab

Building My Own Router

Home Grown Router, Introduction

Andrew Philips
Mar 5, 2024

Introduction to a three part series on building my bespoke network router.

A decade ago, during our home renovation, an IT subcontractor recommended commercial equipment for our network. He promised to help me set it up, and then promptly disappeared, leaving me to my own devices. One painful learning curve later and we had a solid home network backed by a 48 port PoE switch supporting virtual LANs and multiple WiFi access points. After a couple of years I built my own home automation system from scratch. Over time, I upgraded my cable modem to one that supports 1Gbps download speed and assigned most of our IoT equipment to internal-only VLANs. It’s a complex system and my end-of-life, no longer supported router has buckled under the weight of it all. The other day I checked download speed—it was 118Mbps, 1/8th of what I should have.

It’s time to upgrade. But, to what? More importantly, what do I need?

Requirements

  1. A router capable of at least 1Gbps with full security enabled.
  2. Easy security management for devices, VLANs, and people.
  3. Reliable upgrade and patching.
  4. Current router feature coverage: DHCP, DNS, NTP, VLANs, etc.

There are plenty of prosumer routers out there that meet this list of requirements and picking one would save me plenty of time and possibly money. However, buying one means I have to live with other people’s decisions. Invariably, no matter how good something is, its design is a compromise to meet a certain need. Most SMB networking equipment abstracts away complexity and simplifies operations. I don’t want that. I want the complexity. Learning new things sparks joy.

So, I have a fifth requirement:

5. Understand and have expert level control over router behavior.

Options

Packaged prosumer hardware routers are out. I’m not going to buy a five figure Cisco or Juniper firewall/router. Enter software on a box.

There are plenty of software-based router/firewalls available for purchase or through open source. I could even run one on an old machine sitting around my house. Choices for open source-ish solutions include: pfSense, OPNsense, OpenWRT. With these packages, however, I’m still buying into someone else’s design choices (violates Req 5). They do make things easier for system management through their GUIs and their well tested releases (meets Req 2 & 3).

Digging further, I found out two things. One, pfSense and OPNsense are based upon BSD’s pf library (Packet Filter). Two, they are packaged to run on “bare metal” just like an operating system. In fact, their release includes the operating system FreeBSD and they run on top of it. The name pfSense comes from “Making sense of pf”. Rather than commit to a packaged software router, I can install FreeBSD on any piece of equipment, run a handful of services and have my bespoke router. Why eat someone else’s dog food when I can make and eat my own?

One last twist: I want to run my bespoke software router as a Virtual Machine. Why? First, the early learning phase for this project means I’m going to be playing with a lot of knobs and levers (meets Req 5). Installing and re-installing software including an operating system takes time. Speeding up the reinstallation process means faster learning cycles, more freedom to fail, and ultimately a shorter time to stand up the final router. Second, an operational router requires patching and upgrading. With a VM I can snapshot or fully clone the current running configuration, apply the changes to the copy and test before I deploy once it all looks good. If I find a problem after I’ve deployed, two button clicks and I’ve rolled back to the previous working version (meets Req 3).
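The snapshot, patch, test, roll back cycle described above can be scripted on the Proxmox host instead of clicked through. This is an added example, not code from the original post: `qm snapshot` and `qm rollback` are Proxmox's own CLI commands, while the VM ID, the snapshot naming, and the caller-supplied upgrade and health-check commands are assumptions.

```shell
#!/bin/sh
# Snapshot-before-patch with automatic rollback for a Proxmox VM.
# Assumptions (not from the original post): the VM ID, the snapshot
# naming scheme, and the upgrade and health-check commands passed in.

QM="${QM:-qm}"   # Proxmox VM manager CLI; overridable for dry runs

# patch_with_rollback VMID UPGRADE_CMD HEALTH_CMD
# Returns 0 if the upgrade was kept, 1 if it was rolled back,
# 2 if no snapshot could be taken (nothing was changed),
# 3 if the rollback itself failed and needs manual attention.
patch_with_rollback() {
    vmid="$1"; upgrade_cmd="$2"; health_cmd="$3"
    snap="prepatch_$(date +%Y%m%d_%H%M%S)"

    # 1. Capture the known-good state before touching anything.
    if ! "$QM" snapshot "$vmid" "$snap" --description "before patching"; then
        echo "snapshot failed; refusing to patch VM $vmid" >&2
        return 2
    fi

    # 2. Apply the change, then 3. verify the router still does its job.
    if sh -c "$upgrade_cmd" && sh -c "$health_cmd"; then
        echo "VM $vmid patched; snapshot $snap kept as a fallback"
        return 0
    fi

    # 4. Upgrade or health check failed: return to the known-good state.
    echo "patch failed; rolling VM $vmid back to $snap" >&2
    "$QM" rollback "$vmid" "$snap" || return 3
    return 1
}
```

A snapshot taken without RAM state restores the disk only, so start the VM again after a rollback.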

Small Form Factor (SFF) computer with USB console cable attached. Photo by Author.

Final Configuration

If I must eat my own dog food, can it at least be gourmet?

Here’s my planned build:

  1. Fanless SFF computer with 1TB SSD & 6 NICs (room to expand)
  2. Proxmox Virtual Environment running VM(s)
  3. FreeBSD for the router’s operating system
  4. pf for the firewall and router
  5. dnsmasq for DHCP and DNS (we can talk about Pi-hole later)
  6. Other required services come with the OS (ntp, etc.)
  7. Tailscale VPN running in a FreeBSD Jail for remote management

The SFF will have enough processing power to handle the hypervisor, the VM(s), the software router and still run at 1Gbps (Req 1). As discussed earlier, this build meets all of the other requirements. Most importantly, it meets Requirement 5 allowing me to dig in deep, learn and have complete control over my system.

I’m excited to build this router. It’s a significant upgrade to the current one. It also provides a platform facilitating experiments with new software and hardware—a home lab, something I hadn’t appreciated the value of until now. That said, my primary goal is a drop-in replacement for my current router and that’s what I’m focused on. Expanding features comes later.

Next up—Part I: A Desktop Lab & setting up Protectli, Proxmox, and FreeBSD
