Here is a quick rundown on how to make a simple Debian box into a router.


Remove unneeded items

apt purge iptables


Install required items

apt install bridge-utils firewalld dnsmasq


Enable IP Forwarding

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf


Find NICs

Run ip a to list the NICs and note which one is plugged into the WAN uplink.


Now we create the bridge. This assumes your device has three NICs and you want two of them bridged together for the LAN and one for the WAN.

nano /etc/network/interfaces

allow-hotplug eth0
auto eth0
iface eth0 inet dhcp

auto eth1
allow-hotplug eth1
iface eth1 inet manual

auto eth2
allow-hotplug eth2
iface eth2 inet manual

auto br0
iface br0 inet static
        address 192.168.5.1
        netmask 255.255.255.0
        bridge_ports eth1 eth2
        bridge_fd 0
        bridge_stp off
It probably wouldn't hurt to reboot now. Hopefully all is working: the LAN IP will be 192.168.5.1 on br0 and the WAN IP will be picked up via DHCP on eth0.

Add firewalld rules. The LAN bridge goes in the home zone and the WAN NIC in the public zone, and masquerade is enabled on public so LAN traffic is NATed on its way out; the last command saves the runtime rules so they survive a reboot.

firewall-cmd --zone=home --add-interface=br0
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=home --add-service=ssh
firewall-cmd --runtime-to-permanent

Configure dnsmasq (this assumes you want to use it for both DHCP and DNS on the LAN)

sed -i 's/#interface=/interface=br0/g' /etc/dnsmasq.conf

Find dhcp-range and set it to what you'd like. I did the following:

sed -i 's/#dhcp-range=192.168.0.50,192.168.0.150,12h/dhcp-range=192.168.5.50,192.168.5.150,4h/g' /etc/dnsmasq.conf

Now we can allow dnsmasq through the firewall for DNS and DHCP on the LAN side (run firewall-cmd --runtime-to-permanent again afterwards, as above, or these two rules are lost on reboot):

firewall-cmd --zone=home --add-service=dns
firewall-cmd --zone=home --add-service=dhcp

Now we can enable the service so it starts at boot (Debian already enables firewalld when the package is installed):

systemctl enable dnsmasq


If you want SSH from the WAN you can do the following. Note that firewalld's stock public zone already allows the ssh service, so this is normally already in effect; if you do not want SSH reachable from the WAN, remove the service from the public zone instead (firewall-cmd --zone=public --remove-service=ssh) and save the change with --runtime-to-permanent.

firewall-cmd --zone=public --add-service=ssh


We can reboot again and hopefully it's going to be working:

reboot


YOU SHOULD NOW HAVE AN AWESOME WORKING ROUTER


If you want to do port forwarding you can use the following. The pieces of the rule are:

192.168.9.99: internal device IP (it must be reachable on the LAN, so in this walkthrough an address in 192.168.5.0/24)
8888: internal port
5555: external port
tcp: protocol (tcp/udp)

Because the rule is added with --permanent it only takes effect after a reload:

firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toaddr=192.168.9.99:toport=8888
firewall-cmd --reload
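As an added example (not part of the original post), here is a small POSIX sh script that renders the pieces of the walkthrough above from a few variables and checks the addresses before anything is applied: it confirms the DHCP pool sits inside the LAN subnet and does not include the router's own address, and refuses a port-forward target that is not on the LAN (a forward to an address the router cannot reach just drops traffic). The interface names, addresses, DHCP range and the example forward target 192.168.5.99 are assumptions that mirror the walkthrough; change them to match your box. It only prints the configuration, so review the output and copy it into the files yourself.

```shell
#!/bin/sh
# Added example, not from the original post: render the router configuration
# from a few variables and sanity-check the addresses before applying anything.
# Interface names, addresses and the DHCP range below are assumptions.
set -u

LAN_IF=br0
WAN_IF=eth0
BRIDGE_PORTS="eth1 eth2"
LAN_ADDR=192.168.5.1
LAN_PREFIX=24
DHCP_START=192.168.5.50
DHCP_END=192.168.5.150
DHCP_LEASE=4h

# ip4_to_int DOTTED: print the address as a 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP ADDR PREFIX: succeed when IP lies inside ADDR/PREFIX
in_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# prefix_to_netmask PREFIX: dotted netmask for /etc/network/interfaces
prefix_to_netmask() {
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( m >> 24 & 255 )).$(( m >> 16 & 255 )).$(( m >> 8 & 255 )).$(( m & 255 ))"
}

# check_dhcp_range: the pool must sit inside the LAN, be ordered, and must
# not hand out the router's own address
check_dhcp_range() {
    in_subnet "$DHCP_START" "$LAN_ADDR" "$LAN_PREFIX" || return 1
    in_subnet "$DHCP_END" "$LAN_ADDR" "$LAN_PREFIX" || return 1
    s=$(ip4_to_int "$DHCP_START"); e=$(ip4_to_int "$DHCP_END"); r=$(ip4_to_int "$LAN_ADDR")
    [ "$s" -lt "$e" ] || return 1
    [ "$r" -lt "$s" ] || [ "$r" -gt "$e" ]
}

# render_interfaces: /etc/network/interfaces fragment for the WAN NIC,
# the bridge member NICs and the bridge itself
render_interfaces() {
    printf 'allow-hotplug %s\nauto %s\niface %s inet dhcp\n\n' "$WAN_IF" "$WAN_IF" "$WAN_IF"
    for p in $BRIDGE_PORTS; do
        printf 'auto %s\nallow-hotplug %s\niface %s inet manual\n\n' "$p" "$p" "$p"
    done
    printf 'auto %s\niface %s inet static\n' "$LAN_IF" "$LAN_IF"
    printf '        address %s\n        netmask %s\n' "$LAN_ADDR" "$(prefix_to_netmask "$LAN_PREFIX")"
    printf '        bridge_ports %s\n        bridge_fd 0\n        bridge_stp off\n' "$BRIDGE_PORTS"
}

# render_dnsmasq: the two /etc/dnsmasq.conf lines the walkthrough edits with sed
render_dnsmasq() {
    check_dhcp_range || { echo "dhcp range $DHCP_START-$DHCP_END is not valid for $LAN_ADDR/$LAN_PREFIX" >&2; return 1; }
    printf 'interface=%s\n' "$LAN_IF"
    printf 'dhcp-range=%s,%s,%s\n' "$DHCP_START" "$DHCP_END" "$DHCP_LEASE"
}

# render_firewall: the firewalld zone setup from the walkthrough, as permanent
# rules followed by a reload
render_firewall() {
    cat <<EOF
firewall-cmd --permanent --zone=home --add-interface=$LAN_IF
firewall-cmd --permanent --zone=public --add-interface=$WAN_IF
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --zone=home --add-service=ssh
firewall-cmd --permanent --zone=home --add-service=dns
firewall-cmd --permanent --zone=home --add-service=dhcp
firewall-cmd --reload
EOF
}

# forward_port EXT PROTO INT_IP INT_PORT: print the port-forward command,
# refusing a target address that is not on the LAN
forward_port() {
    in_subnet "$3" "$LAN_ADDR" "$LAN_PREFIX" || { echo "$3 is not in $LAN_ADDR/$LAN_PREFIX" >&2; return 1; }
    printf 'firewall-cmd --permanent --zone=public --add-forward-port=port=%s:proto=%s:toaddr=%s:toport=%s\n' "$1" "$2" "$3" "$4"
}

echo "# --- /etc/network/interfaces ---"; render_interfaces
echo "# --- /etc/dnsmasq.conf ---"; render_dnsmasq
echo "# --- firewalld ---"; render_firewall
forward_port 5555 tcp 192.168.5.99 8888   # assumed LAN host, for illustration
```

Run it with sh and compare the output against what you typed by hand; the check in forward_port is the one that would have caught the 192.168.9.99 target above, which is not in the 192.168.5.0/24 LAN this walkthrough builds.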