My Arch Router Setup
Just a memo for me, but a reference for you.
Prerequisites
- Arch Linux Box
- At least 2 NICs; I’ll refer to them as the WAN and LAN interfaces
- WAN interface connects to the local ISP
- LAN interface connects to the switches and APs which provide service to clients
Target
- Full access to Internet (both domestic and international)
- Full speed TCP
- Support UDP, ICMP with best effort
- Support Full Cone NAT (for UDP)
- Switch international route in a command
Hierarchy
Built with several LXC containers without any ip rule or ipset
- Container A (only 1)
  - The only container that connects to both WAN and LAN
  - Connects to WAN as default gateway
  - Provides NAT to clients in LAN (with FULLCONENAT)
  - Provides port forwarding on LAN so each Container C can reach its corresponding remote endpoint
- Container B (only 1)
  - Connects to LAN only
  - It’s the default gateway of all clients in LAN
  - Runs a DHCP & RADVD server to assign IPs to clients in LAN
  - Diverts traffic to the corresponding exit container (Container A and the Container C’s)
    - Based on ip route only, with chnroute or something
  - Runs a DNS server
    - Based on
- Container C (many)
  - Connects to LAN only
  - Acts as a gateway to the Internet via the specified exit
  - Connects to WireGuard/OpenVPN forwarded by Container A
    - As default gateway to provide Internet access (non-TCP)
    - Provides NAT to clients in LAN (with FULLCONENAT)
      iptables -t nat -A POSTROUTING -s *LAN*/24 -o *TUNIF* -j FULLCONENAT
  - Connects to Shadowsocks/VMess forwarded by Container A
    - Runs in TPROXY (REDIRECT) mode, which assures TCP performance
      iptables -t nat -A PREROUTING -s *LAN*/24 ! -d *LAN*/24 -p tcp -m ttl --ttl-gt 40 -j REDIRECT --to-ports *TPROXYPORT*
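Container B's ip-route-only diversion and the "switch international route in a command" target, as an added shell example that is not part of this memo: domestic (chnroute) prefixes are pinned via Container A, and switching the exit only replaces the default route. The container addresses, the DRY_RUN switch and the tiny chnroute stand-in are constructed assumptions.

```shell
#!/bin/sh
# Hypothetical exit switcher for Container B (added example, not from the memo).
# Assumed (constructed) addresses: Container A = 10.0.0.2, Container C's = 10.0.0.11, 10.0.0.12.
# Domestic (chnroute) prefixes stay pinned via Container A; only the default route
# changes when the international exit is switched.
CONTAINER_A=${CONTAINER_A:-10.0.0.2}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ip(8) commands only; 0 = execute them

# Constructed stand-in for chnroute.txt (the real list has thousands of prefixes).
# It includes a comment, a blank line and a malformed entry to exercise the checks.
CHNROUTE_LIST='1.0.1.0/24
1.0.2.0/23
# comment lines are ignored

not-a-prefix
14.0.0.0/21'

# Print one "ip route replace" per valid domestic prefix. The list is usually
# downloaded, so never feed it to a shell unvalidated: anything that is not
# digits, dots and a slash is skipped with a warning instead of being executed.
domestic_route_cmds() {
    printf '%s\n' "$CHNROUTE_LIST" | while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;
            *[!0-9./]*) printf 'skipping malformed prefix: %s\n' "$cidr" >&2; continue ;;
        esac
        printf 'ip route replace %s via %s\n' "$cidr" "$CONTAINER_A"
    done
}

# Print the single command that moves all non-domestic traffic to the given exit.
international_route_cmd() {
    printf 'ip route replace default via %s\n' "$1"
}

# Number of domestic prefixes that will be pinned (sanity check before applying).
domestic_prefix_count() {
    domestic_route_cmds 2>/dev/null | wc -l | tr -d ' '
}

# Switch the international exit: switch_exit <container-C-ip>
# "replace" keeps the routes idempotent, so re-running just updates them.
switch_exit() {
    { domestic_route_cmds; international_route_cmd "$1"; } |
        if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

switch_exit "${1:-10.0.0.11}"
```

Run with DRY_RUN=0 inside Container B to apply; the default dry run lets you review the generated routes first.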