
Install packages

# Base tooling for the router, grouped by purpose (same package set, one
# apt transaction): editor; firewall, brute-force blocking and automatic
# security updates; resource monitors; packet/connection inspection; file
# sync, logging and a terminal multiplexer.
sudo apt install \
  neovim python3-dev \
  firewalld fail2ban unattended-upgrades \
  atop htop iftop iptraf-ng sysstat \
  nmap tcpdump conntrack \
  rsync rsyslog logwatch byobu

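# Fetch the Tailscale installer to a file before running it rather than piping
# curl straight into sh: a truncated or failed download then runs nothing
# instead of a partial script, and the file can be read before it executes.
tailscale_installer=$(mktemp) || exit 1
curl -fsSL -o "$tailscale_installer" https://tailscale.com/install.sh \
  && sh "$tailscale_installer"
rm -f -- "$tailscale_installer"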

Register the router as a Tailnet node.

# Start the Tailscale daemon now and on every boot (the .service suffix is
# implied), then join the tailnet; `tailscale up` is interactive and asks you
# to authenticate.
sudo systemctl enable --now tailscaled
sudo tailscale up

Netplan with DHCP WAN

/etc/netplan/01-netcfg.yaml:

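# WAN via DHCP, LAN with a fixed address. The original had "version" indented
# one level shallower than "renderer"/"ethernets", which is not valid YAML;
# every key of the "network" mapping must sit at the same column.
# Keep this file readable by root only (chmod 600): later variants of it carry
# a WiFi PSK, and recent netplan releases warn when the file is readable by others.
network:
    version: 2
    renderer: networkd
    ethernets:
        eth0:   # WAN interface (connected to internet)
            dhcp4: true
            dhcp6: false
            nameservers:
                addresses:
                    - 9.9.9.9
                    - 149.112.112.112
        eth1:   # LAN interface (connected to local network)
            dhcp4: false
            dhcp6: false
            addresses:
                - 10.0.2.1/24
            nameservers:
                addresses:
                    - 9.9.9.9
                    - 149.112.112.112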

Bridged LAN + WiFi access point (variant of the above)

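# WAN via DHCP; eth1 and wlan0 are bridged into br0, which is the LAN.
# Two fixes against the earlier version: the bridge ports no longer carry
# 10.0.2.1/24 themselves (the address belongs to br0 only; having it on both
# eth1 and br0 is a duplicate address on one host), and wlan0 is explicitly
# put into access-point mode — without `mode: ap` netplan configures the
# radio as a client that tries to *join* "coffeenet" instead of hosting it.
network:
    version: 2
    renderer: networkd
    ethernets:
        eth0:   # WAN (DHCP)
            dhcp4: true
            dhcp6: false
            nameservers:
                addresses:
                    - 9.9.9.9
                    - 149.112.112.112
        eth1:   # wired LAN port, enslaved to br0 below — no address of its own
            dhcp4: false
            dhcp6: false
    wifis:
        wlan0:  # WiFi side of the LAN, also enslaved to br0
            access-points:
                coffeenet:
                    mode: ap    # NOTE(review): confirm your netplan version supports ap mode with the networkd renderer
                    auth:
                        key-management: psk
                        password: "password"   # placeholder — replace; stored in plaintext, so chmod 600 this file
    bridges:
        br0:    # the LAN segment: eth1 + wlan0; the router's LAN address lives here
            interfaces:
                - eth1
                - wlan0
            addresses:
                - 10.0.2.1/24
            nameservers:
                addresses:
                    - 9.9.9.9
                    - 149.112.112.112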

Netplan with static IP

# WAN with a fixed public address and an explicit default route; the LAN
# side is identical to the DHCP variant. Replace the two placeholders with
# the address/prefix and gateway your provider assigned.
network:
    version: 2
    renderer: networkd
    ethernets:
        eth0: # WAN interface (connected to internet)
            addresses:
                - WAN public IP/prefix
            nameservers:
                addresses: [9.9.9.9, 149.112.112.112]
            routes:
                - {to: default, via: WAN default gateway, metric: 100}
        eth1: # LAN interface
            dhcp4: false
            dhcp6: false
            addresses: [10.0.2.1/24]
            nameservers:
                addresses: [9.9.9.9, 149.112.112.112]

Bridged LAN + WiFi access point (variant of the above)

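# Static WAN address; eth1 and wlan0 are bridged into br0, which is the LAN.
# Fixes against the earlier version: the WAN address carries its prefix length
# (netplan needs "address/prefix", as in the non-bridged static example), the
# bridge ports no longer duplicate br0's 10.0.2.1/24, and wlan0 is put into
# access-point mode — without `mode: ap` it would act as a client trying to
# join "coffeenet".
network:
    version: 2
    renderer: networkd
    ethernets:
        eth0:   # WAN (static)
            dhcp4: false
            dhcp6: false
            addresses:
                - WAN public IP/prefix
            nameservers:
                addresses:
                    - 9.9.9.9
                    - 149.112.112.112
            routes:
                - to: default
                  via: WAN default gateway
                  metric: 100
        eth1:   # wired LAN port, enslaved to br0 below — no address of its own
            dhcp4: false
            dhcp6: false
    wifis:
        wlan0:  # WiFi side of the LAN, also enslaved to br0
            access-points:
                coffeenet:
                    mode: ap    # NOTE(review): confirm your netplan version supports ap mode with the networkd renderer
                    auth:
                        key-management: psk
                        password: "password"   # placeholder — replace; stored in plaintext, so chmod 600 this file
    bridges:
        br0:    # the LAN segment: eth1 + wlan0; the router's LAN address lives here
            interfaces:
                - eth1
                - wlan0
            addresses:
                - 10.0.2.1/24
            nameservers:
                addresses:
                    - 9.9.9.9
                    - 149.112.112.112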

Apply the netplan settings.

# Render the files under /etc/netplan and bring the new configuration up.
# Run this from a console or out-of-band session: a mistake in the WAN/LAN
# definitions drops an SSH session on the interface being reconfigured.
# `sudo netplan try` is the safer first step — it reverts automatically
# unless you confirm within the timeout.
sudo netplan apply

IP forwarding

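# Enable IPv4 forwarding so packets can cross between the LAN and WAN sides.
# Written as a sysctl.d drop-in instead of `tee -a /etc/sysctl.conf`: the
# drop-in is idempotent, whereas appending adds another duplicate line every
# time this step is repeated. `sysctl --system` loads all sysctl config files.
printf 'net.ipv4.ip_forward=1\n' | sudo tee /etc/sysctl.d/99-ip-forward.conf
sudo sysctl --system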

Firewalld

# LAN side: the "home" zone holds the bridged LAN interface from the Netplan
# config. With the non-bridged Netplan variants the LAN interface is eth1, not br0.
sudo firewall-cmd --permanent --zone=home --add-interface=br0
# Services the router itself offers to LAN clients (the brace expansion in the
# original produces exactly these five options). dns and dhcp presume a DNS and
# DHCP server running on this host, which the package list above does not
# install — confirm what is meant to serve LAN clients.
sudo firewall-cmd --permanent --zone=home \
  --add-service=ssh --add-service=dns --add-service=http --add-service=https --add-service=dhcp
# Allow forwarding between interfaces of the same zone (eth1 <-> wlan0 clients).
sudo firewall-cmd --permanent --zone=home --add-forward
# WAN side: the "external" zone. dhcpv6-client is added on top of the zone's
# stock defaults; check `firewall-cmd --zone=external --list-all`, since the
# default external zone also allows ssh inbound from the WAN.
sudo firewall-cmd --permanent --zone=external --add-interface=eth0
sudo firewall-cmd --permanent --zone=external --add-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=external --add-forward

Create /etc/firewalld/policies/masquerade.xml to allow traffic to be forwarded from the LAN (home zone) to the WAN (external zone).

<?xml version="1.0" encoding="utf-8"?>
<!-- Forwarding policy: packets entering from the LAN ("home" zone) may leave
     through the WAN ("external" zone), with their source address rewritten to
     the WAN address (masquerade). Only this direction is listed; WAN-to-LAN
     forwarding falls back to firewalld's default of dropping traffic between
     zones, so unsolicited inbound connections stay blocked. -->
<policy target="ACCEPT">
<masquerade/>
<ingress-zone name="home"/>
<egress-zone name="external"/>
</policy>

Reload the firewalld configuration.

# Activate the --permanent zone changes and the new policy file in the
# running firewall.
sudo firewall-cmd --reload
