
[NAS Series Third Edition] Configuring a Transparent Proxy for Local Area Network Devices

As I mentioned in my last article:

This article does not address network issues, assuming that Docker images and others can connect to the internet. If not, please manually configure HTTP_PROXY and HTTPS_PROXY for the images.

Today's article shares my network configuration. Once it is in place, any device that joins the local network, wired or wireless, can reach the internet without any per-device configuration, and DNS and traffic diversion rules are written in a very simple syntax.

The overall idea is to use the NAS as a bypass gateway: the default gateway handed out by DHCP points at the NAS, and the proxy tooling runs on the NAS. As usual, a few remarks before we begin:

  1. The proxy tool dae mentioned in this article requires a kernel version >= 5.8; if not, please use other proxy tools;
  2. My NAS network is configured using Network Manager; please find alternative methods for other tools;
  3. Every household's network layout is different, so the steps may not be copied verbatim, but the basic principles are the same;
  4. ALL IN ONE, ALL IN BOOM!

Network Structure#

The network structure at home is shown in the figure below (forgive my poor drawing skills):

image

As you can see, I do not have a separate router; dial-up, NAT, and the wireless AP are all handled by the router built into the optical modem. Every device only needs to be connected to the optical modem to access the internet.

Since all devices sit in the same subnet, implementing the proxy is straightforward. Overall it breaks down into the following steps (the first is optional):

  1. Bridge all network ports of the NAS (can be skipped; mainly to add more wired ports)
  2. Fix the IP addresses of the optical modem and NAS
  3. Configure the proxy and IP forwarding on the NAS
  4. Modify the DHCP server to point the default gateway to the NAS

Let's elaborate on this.

Bridge All Network Ports of the NAS (Can Be Skipped)#

My NAS comes with a built-in network port, and since I was worried that the optical modem's ports might not be enough, I purchased a four-port PCIe network card for bridging:

IMG_20230804_205220

After plugging it in, I ran ifconfig and found that my five network ports are named enp3s0, enp4s0, enp5s0, enp6s0, and enp7s0. With Network Manager, bridging the ports is very convenient:

# Create a new bridge
sudo nmcli connection add type bridge ifname br0 stp no
# Add all physical ports to the bridge
sudo nmcli connection add type bridge-slave ifname enp3s0 master br0
sudo nmcli connection add type bridge-slave ifname enp4s0 master br0
sudo nmcli connection add type bridge-slave ifname enp5s0 master br0
sudo nmcli connection add type bridge-slave ifname enp6s0 master br0
sudo nmcli connection add type bridge-slave ifname enp7s0 master br0

Fix the IP Addresses of the Optical Modem and NAS#

The optical modem is not discussed here, as its IP is generally fixed (such as 192.168.0.1, 192.168.1.1). Here, we need to fix the IP address of the NAS.

Using sudo nmcli connection show, you can see all connections, with the active connection highlighted at the front:

image

As shown in the figure above, the first connection listed can generally be used.

Note: If you have just bridged the network ports, the newly created bridge connection (bridge-xx) is not enabled by default. In that case, use bridge-xx instead of the first connection.

Taking bridge-br0 as an example, the command to fix the IP address is as follows:

# Fix your IP and gateway (needs to be in the same subnet as the optical modem)
sudo nmcli connection modify bridge-br0 ipv4.addresses 192.168.1.250/24 ipv4.gateway 192.168.1.1
# Use your desired DNS
sudo nmcli connection modify bridge-br0 ipv4.dns 119.29.29.29
# Change the IPv4 address allocation method to manual
sudo nmcli connection modify bridge-br0 ipv4.method manual
# Reload
sudo nmcli connection reload

Note: Similarly, for the case of just bridging, you also need to enable all bridged network ports, disable the existing connection, and enable the bridge:

# Enable all bridged network ports
sudo nmcli connection up bridge-slave-enp3s0
sudo nmcli connection up bridge-slave-enp4s0
sudo nmcli connection up bridge-slave-enp5s0
sudo nmcli connection up bridge-slave-enp6s0
sudo nmcli connection up bridge-slave-enp7s0
# Disable the currently used connection (here "Wired connection 6"; use the name shown by nmcli connection show)
sudo nmcli connection down Wired\ connection\ 6
# Enable the newly configured bridge
sudo nmcli connection up bridge-br0

Configure Proxy and IP Forwarding on the NAS#

We have arrived at the most critical step, configuring the proxy and IP forwarding.

IP Forwarding#

First, enable IP forwarding, which will allow this device to act as a gateway to forward traffic from other devices:

sudo vim /etc/sysctl.d/30-ipforward.conf

# Write the following content and save
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

# Reload
sudo sysctl --system

Proxy#

The proxy tool used in this article is dae. In practice, for ease of operation, it is usually paired with a web UI called daed.

Installing it on Arch Linux is very simple; use the following commands to install and enable it to start automatically:

sudo pacman -S daed
sudo systemctl enable --now daed.service

Open port 2023 of the NAS in a browser, log in with the initial username and password, and you will see the main page:

image

The overall operation logic is very simple; add subscriptions in the lower right corner and drag the subscriptions or nodes into the group in the lower left corner. Click the edit button in the DNS and routing module to expand the configuration and write diversion rules.

The diversion rules of dae inherit from v2raya, with simple and clear syntax. Below are my DNS and routing rule examples:

# DNS rules

upstream {
  googledns: 'tcp+udp://dns.google.com:53'
  alidns: 'udp://dns.alidns.com:53'
}
routing {
  request {
    # Block ad DNS resolution
    qname(geosite:category-ads) -> reject
    qname(geosite:category-ads-all) -> reject
    # Default to using alidns for queries
    fallback: alidns
  }
  response {
    # Responses that came from googledns are accepted as-is to avoid re-query loops
    upstream(googledns) -> accept
    # If non-domestic websites resolve to local IP, consider it DNS pollution, and re-query googledns
    !qname(geosite:cn) && ip(geoip:private) -> googledns
    # In other cases, directly accept
    fallback: accept
  }
}
# Routing rules

# Added direct connection for qbittorrent based on default rules
pname(NetworkManager, systemd-resolved, qbittorrent-nox) -> direct
# Block ad connections
domain(geosite:category-ads, geosite:category-ads-all) -> block
# Most proxy nodes do not support IPv6, so go direct
ipversion(6) -> direct
# For chatgpt, go through fixed node group
domain(geosite:openai, regex: ".+\.openai$") -> chatgpt
# Multicast addresses, private addresses, and domestic IPs go direct
dip(224.0.0.0/3, 'ff00::/8', geoip:private, geoip:cn) -> direct
# Steam and domestic domains go direct
domain(geosite:steam@cn, geosite:cn, geosite:geolocation-cn) -> direct
# If not matched, go through the proxy
fallback: proxy

After setting the diversion rules, you need to set the interfaces to bind in the configuration. In the scenario of using a bypass gateway, both LAN and WAN should add the currently active interface (for me, it is br0). Additionally, the LAN port can also add other interfaces that need proxying (such as docker0):

image

Other options generally do not need to be modified; click submit at the bottom, and then click start in the upper right corner of the homepage.

image

At this point, the traffic generated by the NAS and all devices pointing to the NAS as the gateway will be managed and diverted by dae, achieving transparent proxying.

Modify the DHCP Server to Point the Default Gateway to the NAS#

Although the NAS can now act as a gateway for transparent proxying, the gateway returned by DHCP is still 192.168.1.1 (the address of the optical modem router), so devices joining the network would have to change their gateway manually before their traffic is proxied. To change this, the DHCP server needs to be adjusted.

The DHCP server provided by the optical modem router cannot modify the returned gateway address, so a DHCP server needs to be started on the NAS to replace the DHCP server on the optical modem router.

Deploy DHCP Server on the NAS#

There are many DHCP servers available on Linux; I personally chose kea, the successor to dhcpd, and dnsmasq can also serve the same purpose.

Install it on Arch Linux:

sudo pacman -S kea

Here we only need to replace the DHCPv4 service (dhcp4). Following the official documentation, the DHCP configuration is written as follows:

{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": [ "br0" ]
    },

    "lease-database": {
      "type": "memfile",
      "lfc-interval": 3600
    },

    "valid-lifetime": 4000,

    "subnet4": [
      {
        // The pool stops at .249 so the NAS's own static address 192.168.1.250 is never leased to a client
        "pools": [ { "pool": "192.168.1.2 - 192.168.1.249" } ],
        "subnet": "192.168.1.0/24",
        "interface": "br0",
        "option-data": [
          {
            "name": "domain-name-servers",
            "data": "119.29.29.29"
          },
          {
            "name": "routers",
            "data": "192.168.1.250"
          }
        ]
      }
    ],

    "loggers": [
      {
        "name": "kea-dhcp4",
        "output_options": [
          {
            "output": "stdout"
          }
        ],
        "severity": "INFO"
      }
    ]
  }
}

Write the above configuration into /etc/kea/kea-dhcp4.conf and start the kea-dhcp4 service:

sudo systemctl enable --now kea-dhcp4.service
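Before handing DHCP over to the NAS it is worth checking the kea-dhcp4 configuration against the assumptions of the bypass-gateway setup: the routers option must be the NAS, the subnet's interface must be one kea listens on, the pool must lie inside the subnet, and the NAS's static address must not be inside the pool (otherwise kea may lease it to a client). This is an added example, not part of the original post or of kea; it assumes the NAS address 192.168.1.250 from this article and uses a constructed copy of the configuration whose pool still contains that address, so the check fires.

```python
import ipaddress
import json

# Constructed copy of the page's kea-dhcp4 config; the pool deliberately
# still includes the NAS address 192.168.1.250 so the validator reports it.
SAMPLE_CONF = """
{ "Dhcp4": {
  "interfaces-config": { "interfaces": [ "br0" ] },
  "valid-lifetime": 4000,
  "subnet4": [ {
    "pools": [ { "pool": "192.168.1.2 - 192.168.1.254" } ],
    "subnet": "192.168.1.0/24",
    "interface": "br0",
    "option-data": [
      { "name": "domain-name-servers", "data": "119.29.29.29" },
      { "name": "routers", "data": "192.168.1.250" }
    ]
  } ]
} }
"""

def pool_range(pool):
    """Turn a kea pool string ("a - b" or "prefix/len") into (first, last) addresses."""
    if "/" in pool:
        net = ipaddress.ip_network(pool.strip(), strict=False)
        return net[0], net[-1]
    lo, hi = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    return lo, hi

def check_dhcp4(conf_text, nas_ip):
    """Return a list of problems found in a kea-dhcp4 config for the bypass-gateway setup."""
    conf = json.loads(conf_text)["Dhcp4"]
    nas = ipaddress.ip_address(nas_ip)
    listen = set(conf.get("interfaces-config", {}).get("interfaces", []))
    problems = []
    for sub in conf.get("subnet4", []):
        net = ipaddress.ip_network(sub["subnet"], strict=False)
        opts = {o["name"]: o["data"] for o in sub.get("option-data", [])}
        # The routers option may list several gateways separated by commas.
        routers = [ipaddress.ip_address(r.strip()) for r in opts.get("routers", "").split(",") if r.strip()]
        if nas not in routers:
            problems.append(f"{net}: routers option does not point at the NAS {nas}")
        if sub.get("interface") and sub["interface"] not in listen:
            problems.append(f"{net}: interface {sub['interface']} is not in interfaces-config")
        for p in sub.get("pools", []):
            lo, hi = pool_range(p["pool"])
            if lo not in net or hi not in net:
                problems.append(f"{net}: pool {p['pool']} is outside the subnet")
            for addr in routers:
                if lo <= addr <= hi:
                    problems.append(f"{net}: gateway {addr} lies inside pool {p['pool']}; exclude it or add a reservation")
    return problems
```

Run it against your real /etc/kea/kea-dhcp4.conf by reading the file into `check_dhcp4`; an empty list means the config matches the setup described here.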

Then log into the optical modem router's admin interface and turn off its built-in DHCP server:

image

Now, connect any wired or wireless device to the network and check if DHCP is working properly:

image

If the router shown is the address we set, 192.168.1.250, the DHCP server deployed on the NAS is working properly.

With this, the configuration is complete, and the task is accomplished.
