- Ubuntu 24.04
- Orange Pi 5 Plus
- ISP router in bridge mode
- Ethernet from ISP router -> Orange Pi 5 Plus WAN port
- Ethernet from Orange Pi 5 Plus LAN port to switch
Install packages
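# Refresh the package index first; on a fresh install it is often empty or stale and
# the install step then fails with "Unable to locate package".
# firewalld, fail2ban and unattended-upgrades are the hardening pieces; the rest are
# editor, monitoring and network-diagnostic tools.
sudo apt update && sudo apt install neovim firewalld fail2ban atop htop python3-dev nmap tcpdump rsync rsyslog iptraf-ng iftop sysstat conntrack logwatch unattended-upgrades byobu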
# Pipe-to-shell executes a remote script without review; download it to a file, read it, then run it.
curl -fsSL https://tailscale.com/install.sh | sh

Register router as Tailnet node.
# Start tailscaled now and on every boot.
sudo systemctl enable --now tailscaled.service
sudo tailscale up

Netplan with DHCP WAN
/etc/netplan/01-netcfg.yaml:
# Router with a DHCP-assigned WAN address: eth0 faces the ISP, eth1 serves the LAN.
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: true
      dhcp6: false
      # NOTE(review): with dhcp4 on, the ISP-supplied resolvers are applied alongside
      # these unless `dhcp4-overrides: {use-dns: false}` is set — confirm which is wanted.
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
    eth1: # LAN interface (connected to local network)
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.0.2.1/24
      # Resolvers used by the router itself for lookups on this interface.
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112

Bridged LAN+WiFi AP
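# Bridged LAN: eth1 and wlan0 are enslaved to br0, which carries the LAN address.
# This file contains the Wi-Fi PSK in cleartext — keep it root-only (chmod 600 /etc/netplan/*.yaml).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: true
      dhcp6: false
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
    eth1: # LAN port, bridge member — carries no address of its own (br0 owns 10.0.2.1/24)
      dhcp4: false
      dhcp6: false
  wifis:
    wlan0: # bridge member, same as eth1
      # NOTE(review): as written this is a client (infrastructure) profile; an access
      # point needs `mode: ap` under the SSID entry — confirm against the netplan version in use.
      access-points:
        coffeenet:
          auth:
            key-management: psk
            password: "password" # placeholder — use a long random passphrase
  bridges:
    br0:
      interfaces:
        - eth1
        - wlan0
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9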
          - 149.112.112.112

Netplan with static IP
# Router with a static WAN address. Replace the two placeholders before applying.
network:
  version: 2
  renderer: networkd
  ethernets:
    # No dhcp4/dhcp6 keys here: netplan's default is off, matching the explicit
    # `dhcp4: false` used in the other variants.
    eth0: # WAN interface (connected to internet)
      addresses:
        - WAN public IP/prefix # placeholder: the ISP-assigned address in CIDR form (address/prefix-length)
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
      routes:
        - to: default
          via: WAN default gateway # placeholder: the ISP-assigned gateway address
          metric: 100
    eth1: # LAN interface (connected to local network)
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112

Bridged LAN+WiFi AP
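# Bridged LAN with a static WAN address. Replace the two placeholders before applying.
# This file contains the Wi-Fi PSK in cleartext — keep it root-only (chmod 600 /etc/netplan/*.yaml).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0: # WAN interface (connected to internet)
      dhcp4: false
      dhcp6: false
      addresses:
        - WAN public IP/prefix # placeholder: the ISP-assigned address in CIDR form (address/prefix-length)
      nameservers:
        addresses:
          - 9.9.9.9
          - 149.112.112.112
      routes:
        - to: default
          via: WAN default gateway # placeholder: the ISP-assigned gateway address
          metric: 100
    eth1: # LAN port, bridge member — carries no address of its own (br0 owns 10.0.2.1/24)
      dhcp4: false
      dhcp6: false
  wifis:
    wlan0: # bridge member, same as eth1
      # NOTE(review): as written this is a client (infrastructure) profile; an access
      # point needs `mode: ap` under the SSID entry — confirm against the netplan version in use.
      access-points:
        coffeenet:
          auth:
            key-management: psk
            password: "password" # placeholder — use a long random passphrase
  bridges:
    br0:
      interfaces:
        - eth1
        - wlan0
      addresses:
        - 10.0.2.1/24
      nameservers:
        addresses:
          - 9.9.9.9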
          - 149.112.112.112

Apply the netplan settings.
sudo netplan apply

IP forwarding
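# Append the forwarding sysctl only if it is not already present, so re-running this
# step does not duplicate the line in /etc/sysctl.conf.
grep -qxF "net.ipv4.ip_forward=1" /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf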
sudo sysctl -p

Firewalld
# LAN side: br0 is the bridge from the bridged netplan variants; for the un-bridged
# variants the LAN interface is eth1 instead.
sudo firewall-cmd --permanent --zone=home --add-interface=br0
# Services reachable from the LAN (shell brace expansion turns this into one --add-service per name).
sudo firewall-cmd --permanent --zone=home --add-service={ssh,dns,http,https,dhcp}
# Allow forwarding between interfaces that are members of the home zone.
sudo firewall-cmd --permanent --zone=home --add-forward
# WAN side. NOTE(review): firewalld's stock external zone ships with ssh allowed; check
# `sudo firewall-cmd --zone=external --list-all` after the reload and drop it with
# `--permanent --zone=external --remove-service=ssh` unless WAN-side SSH is intended.
sudo firewall-cmd --permanent --zone=external --add-interface=eth0
sudo firewall-cmd --permanent --zone=external --add-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=external --add-forward

Create /etc/firewalld/policies/masquerade.xml to allow traffic to flow from LAN to WAN.
<?xml version="1.0" encoding="utf-8"?>
<!-- LAN -> WAN policy: accept forwarded packets entering from the home zone and leaving
     via the external zone, and masquerade them behind the WAN address. It applies only to
     the home->external direction; target="ACCEPT" means no per-service filtering is done
     for that direction. -->
<policy target="ACCEPT">
<masquerade/>
<ingress-zone name="home"/>
<egress-zone name="external"/>
</policy>

Reload the firewalld configuration.
# Zone and policy changes above were made with --permanent; the reload activates them in the running firewall.
sudo firewall-cmd --reload