Intel NUC router with nftables

Intel NUC

This post is mainly documentation for myself, but is left public in case someone else finds it helpful. I’m using Archlinux, but the configuration should be similar for other distros using systemd. An overview over all configuration files referenced in the text can be found here.

Altibox internet

Altibox FMG router

My ISP is Altibox and I have their FMG router. The first thing we have to do is to set the router in bridge mode which can be done via their administration site. This will allow us to connect to the lan3 port and get a WAN address via DHCP.

Switch VLAN configuration

Cisco SLM2008 switch

The NUC only has one network port so I’m using a VLAN to get two separate networks over one physical cable. I create a VLAN for WAN traffic with the tag 102 (the tag can be any number) and assign it to port 1 and 2 on the switch (left image below). Port 1 on the switch is where I connect lan3 from the altibox router. I set PVID to 102 on this port so that the traffic from altibox is tagged with 102 (this will also remove the 102 tag on traffic that goes back to altibox from the switch). The NUC is connected to port 2 on the switch which has access to both the WAN and LAN networks.

SLM2008 VLAN configuration

Linux VLAN configuration

On the linux side we need to add a virtual interface to handle the VLAN traffic. eno1 is my LAN interface, and I named the WAN interface eno1.102. To add the the vlan interface I followed the archwiki guide and ended up with the following configuration files:

To activate the network configuration just start the systemd-networkd service (and enable it so that it starts on reboot):

  • systemctl start systemd-networkd.service
  • systemctl enable systemd-networkd.service

Routing and basic firewall with nftables

Now we are ready to set up routing. First we need to enable ip forwarding in the kernel. The following file will enable forwarding for both ipv4 and ipv6. The file is loaded on boot, but can be loaded manually with sysctl -p /etc/sysctl.d/30-ipforward.conf.

NAT and firewall rules are handled by nftables and the following configuration:

The table ip nat section handles NAT and the table inet filter section has the firewall rules. There are comments in the file, but as a short summary:

  • Everything is allowed on the local interface
  • Only port 22 is open on the external interface for inbound connections
  • Everything is open for outbound connections
  • Rules apply to both ipv4 and ipv6 (NAT is ipv4 only)

Start and enable the nftables service to activate the rules:

  • systemctl start nftables.service
  • systemctl enable nftables.service

DNS configuration

Add dns servers to resolv.conf

DHCP server with dnsmasq

I use dnsmasq to give out ipv4 addresses for LAN clients with the following configuration:

Start and enable the dnsmasq service to begin giving out addresses:

  • systemctl start dnsmasq.service
  • systemctl enable dnsmasq.service

All done, you should now have a working linux router.