Linux Router with VPN on a Raspberry Pi

From Alpine Linux

[[Category:Networking]]
{{TOC right}}

= Rationale =

This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains an ASIX AX88772 which has good Linux support.

You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates, OpenVPN will refuse to start, which may mean you cannot do DNS lookups over the VPN.

For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains an Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].

I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.

If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard] with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].

If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly from this tutorial.

The network in this tutorial looks like this:
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found in [[Configuring a Cisco 877 in full bridge mode]].

= Network =

== /etc/hostname ==
Set this to your hostname, e.g.:

<pre><HOST_NAME></pre>

== /etc/hosts ==
Set your host and hostname:
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME>

::1 <HOST_NAME> ipv6-gateway ipv6-loopback
ff00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts</pre>

== /etc/network/interfaces ==
Configure your network interfaces. Change "yourISP" to the name of your peer file in /etc/ppp/peers/yourISP.

<pre>#
# Network Interfaces
#

# Loopback interfaces
auto lo
iface lo inet loopback
  address 127.0.0.1
  netmask 255.0.0.0

# Internal Interface - facing LAN
auto eth0
iface eth0 inet static
  address 192.168.1.1
  netmask 255.255.255.0
  broadcast 192.168.1.255</pre>

=== PPP ===
Next up we need to configure our router to be able to dial a PPP connection with our modem.

If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].

Make sure you set your WAN interface; in this example we used eth1.

<pre># External Interface - facing Modem
allow-hotplug eth1
auto eth1
iface eth1 inet static
  address 192.168.0.2
  netmask 255.255.255.252
  broadcast 192.168.0.3
  pre-up /sbin/ip link set eth1 up
  up ifup ppp0=yourISP
  down ifdown ppp0=yourISP
  post-down /sbin/ip link set eth1 up

# Link to ISP
iface yourISP inet ppp
  provider yourISP</pre>

=== IPoE ===
Alternatively, it is quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:

<pre># External interface to ISP
allow-hotplug eth1
auto eth1
iface eth1 inet dhcp

iface eth1 inet static
    address 192.168.0.2
    netmask 255.255.255.252
    broadcast 192.168.0.3

iface eth1 inet6 manual</pre>

==== DHCP from ISP ====

Above we configured both DHCP and a static IP on the external interface. The static address is there so we can still forward packets to the modem and reach its web interface or SSH.

We do still need DHCP to get an IP address from our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.

My /etc/dhcpcd.conf looks like this:

<pre># Enable extra debugging
# debug
# logfile /var/log/dhcpcd.log

# Allow users of this group to interact with dhcpcd via the control
# socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname gateway

# Use the hardware address of the interface for the Client ID.
# clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with
# this set. In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option
# set on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes

# Most distributions have NTP support.
option ntp_servers

# Respect the network MTU.
# Some interface drivers reset when changing the MTU so disabled by
# default.
#option interface_mtu 1586

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based
# ones
slaac private

# A hook script is provided to lookup the hostname if not set by the
# DHCP server, but it should not be run by default.
nohook lookup-hostname

# Disable solicitations on all interfaces
noipv6rs

# Wait for IP before forking to background
waitip 6

# Don't touch DNS
nohook resolv.conf

allowinterfaces eth1 eth0.2
# Use the interface connected to WAN
interface eth1
    waitip 4
    noipv4ll
    ipv6rs # enable router solicitation to get the default IPv6 route
    iaid 1
    ia_pd 1/::/56 eth0.2/2/64
    timeout 30

interface eth0.2
    ipv6only</pre>

== Basic IPtables firewall with routing ==
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.

First install iptables:

{{cmd|apk add iptables ip6tables}}
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]

== /etc/sysctl.d/local.conf ==
<pre># Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article
net.ipv4.conf.all.rp_filter = 2

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1</pre>

Note that IPv6 is disabled here; if you want IPv6, see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.

= DHCP =
{{cmd|apk add dhcp}}

== /etc/conf.d/dhcpd ==
Specify the configuration file location, the interface to run on, and that you want dhcpd to run in IPv4 mode.

<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd

# If you require more than one instance of dhcpd you can create symbolic
# links to dhcpd service like so
#   cd /etc/init.d
#   ln -s dhcpd dhcpd.foo
#   cd ../conf.d
#   cp dhcpd dhcpd.foo
# Now you can edit dhcpd.foo and specify a different configuration file.
# You'll also need to specify a pidfile in that dhcpd.conf file.
# See the pid-file-name option in the dhcpd.conf man page for details.

# If you wish to run dhcpd in a chroot, uncomment the following line
# DHCPD_CHROOT="/var/lib/dhcp/chroot"

# All file paths below are relative to the chroot.
# You can specify a different chroot directory but MAKE SURE it's empty.

# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf
DHCPD_CONF="/etc/dhcp/dhcpd.conf"

# Configure which interface or interfaces for dhcpd to listen on.
# List all interfaces space separated. If this is not specified then
# we listen on all interfaces.
DHCPD_IFACE="eth0"

# Insert any other dhcpd options - see the man page for a full list.
DHCPD_OPTS="-4"</pre>

== /etc/dhcp/dhcpd.conf ==
Configure your DHCP server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However, in this case we are not.

<pre>authoritative;
ddns-update-style interim;

shared-network home {
  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.240;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option ntp-servers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    allow unknown-clients;
  }

  subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.10 192.168.2.240;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option ntp-servers 192.168.2.1;
    option domain-name-servers 192.168.1.1;
    ignore unknown-clients;
  }

  subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.10 192.168.3.240;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.3.255;
    option routers 192.168.3.1;
    option ntp-servers 192.168.3.1;
    option domain-name-servers 192.168.1.1;
    ignore unknown-clients;
  }
}

host Gaming_Computer {
  hardware ethernet 00:53:00:FF:FF:11;
  fixed-address 192.168.1.20;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.1;
  option host-name "gaming_computer";
}

host Linux_Workstation {
  hardware ethernet 00:53:00:FF:FF:22;
  fixed-address 192.168.2.21;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.2.255;
  option routers 192.168.2.1;
  option host-name "linux_workstation";
}

host printer {
  hardware ethernet 00:53:00:FF:FF:33;
  fixed-address 192.168.3.9;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.3.255;
  option routers 192.168.3.1;
}</pre>

Make sure to add this to the default run level once configured:
{{cmd|rc-update add dhcpd default}}
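
As an added check that is not part of the original tutorial, the following Python script parses the subset of dhcpd.conf syntax used above and reports two things worth knowing before the server goes live: which subnets hand out leases to any MAC address (`allow unknown-clients`, which is also dhcpd's default when nothing is stated), and which fixed-address hosts fall inside a dynamic range, since dhcpd does not exclude fixed addresses from a pool and the same address can then also be leased to another client. `SAMPLE_DHCPD_CONF`, `parse_dhcpd` and `audit_dhcpd` are my own names; the sample is a constructed, trimmed copy of the configuration above.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the tutorial's dhcpd.conf, keeping only
# the statements the audit below inspects.
SAMPLE_DHCPD_CONF = """
authoritative;
ddns-update-style interim;

shared-network home {
  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.240;
    option routers 192.168.1.1;
    allow unknown-clients;
  }
  subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.10 192.168.2.240;
    option routers 192.168.2.1;
    ignore unknown-clients;
  }
  subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.10 192.168.3.240;
    option routers 192.168.3.1;
    ignore unknown-clients;
  }
}

host Gaming_Computer {
  hardware ethernet 00:53:00:FF:FF:11;
  fixed-address 192.168.1.20;
}
host Linux_Workstation {
  hardware ethernet 00:53:00:FF:FF:22;
  fixed-address 192.168.2.21;
}
host printer {
  hardware ethernet 00:53:00:FF:FF:33;
  fixed-address 192.168.3.9;
}
"""


def parse_dhcpd(text):
    """Parse dhcpd.conf text into nested blocks.

    Each block is a dict with 'header' (the words before '{'), 'statements'
    (each a list of words, ';' removed) and 'children' (nested blocks).
    Comments are stripped first; this subset of the grammar needs no quoting.
    """
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))
    root = {"header": [], "statements": [], "children": []}
    stack, words = [root], []
    for tok in tokens:
        if tok == ";":
            stack[-1]["statements"].append(words)
            words = []
        elif tok == "{":
            block = {"header": words, "statements": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in dhcpd.conf")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{' in dhcpd.conf")
    return root


def _collect(block, subnets, hosts):
    """Walk the block tree, gathering subnet pools/policies and host fixed addresses."""
    head = block["header"]
    if head[:1] == ["subnet"] and len(head) >= 4:
        # 'subnet A netmask M {' ; unknown clients are allowed unless stated otherwise
        entry = {"network": ipaddress.ip_network(f"{head[1]}/{head[3]}", strict=False),
                 "range": None, "unknown_clients": "allow"}
        for st in block["statements"]:
            if st[:1] == ["range"]:
                addrs = [ipaddress.ip_address(a) for a in st[1:] if a != "dynamic-bootp"]
                entry["range"] = (addrs[0], addrs[-1])
            elif len(st) == 2 and st[1] == "unknown-clients":
                entry["unknown_clients"] = st[0]  # allow / deny / ignore
        subnets.append(entry)
    elif head[:1] == ["host"] and len(head) >= 2:
        entry = {"name": head[1], "fixed": None}
        for st in block["statements"]:
            if st[:1] == ["fixed-address"]:
                entry["fixed"] = ipaddress.ip_address(st[1])
        hosts.append(entry)
    for child in block["children"]:
        _collect(child, subnets, hosts)


def audit_dhcpd(text):
    """Report subnets that lease to any MAC and fixed addresses that sit inside a pool."""
    subnets, hosts = [], []
    _collect(parse_dhcpd(text), subnets, hosts)
    report = {"open_subnets": [str(s["network"]) for s in subnets
                               if s["unknown_clients"] == "allow"],
              "pool_overlaps": [], "outside_any_subnet": []}
    for h in hosts:
        if h["fixed"] is None:
            continue
        home = next((s for s in subnets if h["fixed"] in s["network"]), None)
        if home is None:
            report["outside_any_subnet"].append(h["name"])
        elif home["range"] and home["range"][0] <= h["fixed"] <= home["range"][1]:
            report["pool_overlaps"].append(h["name"])
    return report


if __name__ == "__main__":
    for key, value in audit_dhcpd(SAMPLE_DHCPD_CONF).items():
        print(f"{key}: {value}")
```

Run against the tutorial's layout, only the first subnet is open to unknown MACs, and the two workstations have fixed addresses inside their subnet's dynamic range while the printer sits safely below it.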


= Synchronizing the clock =

You can choose to use BusyBox's ntpd, or a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony].

== Busybox /etc/conf.d/ntpd ==
Allow clients to synchronize their clocks with the router.

<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre>

Make sure to add this to the default run level once configured:
{{cmd|rc-update add ntpd default}}

Or if you prefer to synchronize with multiple servers...

== Chrony /etc/chrony.conf ==
{{cmd|apk add chrony}}

<pre>logdir /var/log/chrony
log measurements statistics tracking

allow 192.168.0.0/30
allow 192.168.1.0/24
allow 192.168.2.0/24
allow 192.168.3.0/24
allow 192.168.4.0/24
broadcast 30 192.168.0.3
broadcast 30 192.168.1.255
broadcast 30 192.168.2.255
broadcast 30 192.168.3.255
broadcast 30 192.168.4.255

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

initstepslew 10 pool.ntp.org
driftfile /var/lib/chrony/chrony.drift
hwclockfile /etc/adjtime
rtcdevice /dev/rtc0
rtcsync</pre>

== OpenNTPD /etc/ntpd.conf ==

Install OpenNTPD:
{{cmd|apk add openntpd}}

Add it to the default run level:
{{cmd|rc-update add openntpd default}}

=== /etc/ntpd.conf ===
<pre># sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1
listen on 192.168.2.1

# sync to a single server
#server ntp.example.org

# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org</pre>

== tlsdate ==
The time can also be extracted from an HTTPS handshake. If the certificate is self-signed you will need to use skip-verification:

{{cmd|apk add tlsdate}}
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}

== timezone ==
You might also want to set a timezone, see [[Setting the timezone]].

= Saving Time =
There are two ways to do this. If you didn't buy an RTC clock, see [[Saving time with Software Clock]]. If you did, like the PiFace Real Time Clock, see [[Saving time with Hardware Clock]].

= Unbound DNS forwarder with dnscrypt =
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use its [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].

The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].

== Unbound ==
First install {{cmd|apk add unbound}}

=== /etc/unbound/unbound.conf ===
<pre>server:
    # Use this to include other text into the file.
    include: "/etc/unbound/filter.conf"

    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 1

    # specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # specify every interface[@port] on a new 'interface:' labelled line.
    # The listen interfaces are not changed on reload, only on restart.
    interface: 192.168.2.1
    interface: 192.168.3.1

    # Enable IPv4, "yes" or "no".
    do-ip4: yes

    # Enable IPv6, "yes" or "no".
    do-ip6: yes

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no".
    do-tcp: yes

    # control which clients are allowed to make (recursive) queries
    # to this server. Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    # Choose deny (drop message), refuse (polite error reply),
    # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
    # allow_snoop (recursive and nonrecursive ok)
    # deny_non_local (drop queries unless can be answered from local-data)
    # refuse_non_local (like deny_non_local but polite error reply).
    # access-control: 0.0.0.0/0 refuse
    # access-control: 127.0.0.0/8 allow
    # access-control: ::0/0 refuse
    # access-control: ::1 allow
    # access-control: ::ffff:127.0.0.1 allow
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 allow
    access-control: 192.168.3.0/24 allow

    # the log file, "" means log to stderr.
    # Use of this option sets use-syslog to "no".
    logfile: "/var/log/unbound/unbound.log"

    # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
    # log to. If yes, it overrides the logfile.
    use-syslog: no

    # print one line with time, IP, name, type, class for every query.
    # log-queries: no

    # print one line per reply, with time, IP, name, type, class, rcode,
    # timetoresolve, fromcache and responsesize.
    # log-replies: no

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    # hide-version: yes

    # enable to not answer trustanchor.unbound queries.
    hide-trustanchor: yes

    # Harden against very small EDNS buffer sizes.
    harden-short-bufsize: yes

    # Harden against unseemly large queries.
    harden-large-queries: yes

    # Harden against out of zone rrsets, to avoid spoofing attempts.
    harden-glue: yes

    # Harden against receiving dnssec-stripped data. If you turn it
    # off, failing to validate dnskey data for a trustanchor will
    # trigger insecure mode for that zone (like without a trustanchor).
    # Default on, which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Harden against queries that fall under dnssec-signed nxdomain names.
    harden-below-nxdomain: yes

    # Harden the referral path by performing additional queries for
    # infrastructure data.  Validates the replies (if possible).
    # Default off, because the lookups burden the server. Experimental
    # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
    # harden-referral-path: no

    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record. If no, allows the weakest algorithm
    # to validate the zone.
    harden-algo-downgrade: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This feature is an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    private-domain: "<HOSTNAME>"

    # if yes, the above default do-not-query-address entries are present.
    # if no, localhost can be queried (for testing and debugging).
    do-not-query-localhost: no

    # File with trusted keys, kept uptodate using RFC5011 probes,
    # initial file like trust-anchor-file, then it stores metadata.
    # Use several entries, one per domain name, to track multiple zones.
    #
    # If you want to perform DNSSEC validation, run unbound-anchor before
    # you start unbound (i.e. in the system boot scripts).  And enable:
    # Please note usage of unbound-anchor root anchor is at your own risk
    # and under the terms of our LICENSE (see that file in the source).
    # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
    auto-trust-anchor-file: "/etc/unbound/root.key"

    # If unbound is running service for the local host then it is useful
    # to perform lan-wide lookups to the upstream, and unblock the
    # long list of local-zones above. If this unbound is a dns server
    # for a network of computers, disabled is better and stops information
    # leakage of local lan information.
    unblock-lan-zones: no

    # If you configure local-data without specifying local-zone, by
    # default a transparent local-zone is created for the data.
    #
    # You can add locally served data with
    # local-zone: "local." static
    # local-data: "mycomputer.local. IN A 192.0.2.51"
    # local-data: 'mytext.local TXT "content of text record"'


# use a random selection of NTP Pool Time Servers
    # request upstream over TLS (with plain DNS inside the TLS stream).
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
    # Default is no. Can be turned on and off with unbound-control.
server 0.pool.ntp.org
    # tls-upstream: no
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org</pre>


== tlsdate ==
    # Forward zones
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:
    # Create entries like below, to make all queries for 'example.com' and
    # 'example.org' go to the given list of servers. These servers have to handle
    # recursion to other nameservers. List zero or more nameservers by hostname
    # or by ipaddress. Use an entry with name "." to forward all queries.
    # If you enable forward-first, it attempts without the forward if it fails.
    # forward-zone:
    #    name: "example.com"
    #    forward-addr: 192.0.2.68
    #    forward-addr: 192.0.2.73@5355  # forward to port 5355.
    #    forward-first: no
    #    forward-tls-upstream: no
    #    forward-no-cache: no
    # forward-zone:
    #    name: "example.org"
    #    forward-host: fwd.example.com


{{cmd|apk add tlsdate}}
forward-zone:
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}
    name: "."
    forward-addr: 172.16.32.1@53
    forward-addr: ::1@53000
    forward-addr: 127.0.0.1@53000</pre>


== timezone ==
== Blocking Microsoft Telemetry on the network by domain ==
You might also want to set a timezone, see [[Setting the timezone]].
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].


= Saving Time =
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]


= Unbound DNS forwarder with dnscrypt =
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].
We want to be able to do our lookups using [http://dnscrypt.org dnscrypt] without installing dnscrypt on every client on the network. Therefore the router will also run a DNS forwarder and request unknown domains over dnscrypt for our clients.


== Unbound ==
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.
First install {{cmd|apk add unbound}}


=== /etc/unbound/unbound.conf ===
=== /etc/unbound/unbound.conf ===
<pre># unbound.conf(5) man page.
In your main unbound configuration add
#
<pre>include: /etc/unbound/filter.conf</pre>
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.


server:
=== Script to prepare/sort domains for Unbound  ===
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"
server:
verbosity: 1
num-threads: 4                                                       
interface: 192.168.1.1
do-ip4: yes
do-udp: yes
do-tcp: yes
access-control: 192.168.1.0/24 allow  # Specify the subnets you want to listen on
access-control: 192.168.2.0/24 allow
do-not-query-localhost: no
chroot: ""     
logfile: "/var/log/unbound.log"           
use-syslog: no
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: yes     
private-domain: "<HOSTNAME>"     
#local-zone: "localhost." static
#local-data: "freebox.localhost. IN A 192.168.0.254"                                             
#local-data-ptr: "192.168.0.254 freebox.localhost"
python:
remote-control:
forward-zone:
  name: "."
  forward-addr: 127.0.0.2@53</pre>
 
=== /etc/network/interfaces ===
You'll need a second loopback device, put it under the already existing one. Remember to add auto lo:1 to the top to bring it up on boot.
 
<pre>#
# Network Interfaces
#
 
auto lo
auto eth0
auto eth1
auto lo:1
 
# Loopback interfaces
iface lo inet loopback
  address 127.0.0.1
  netmask 255.0.0.0
 
iface lo:1 inet static
  address 127.0.0.2
  netmask 255.0.0.0</pre>
 
== Blocking nasties on the network by domain ==
It seems Microsoft has added a whole bunch of telemetry (spyware) analytics to Windows itself, whereby the OS now calls home with various information regarding it's usage. Back porting to previous versions of Windows is not an option, because the telemetry patches have also been back ported to 7/8.1.
 
Changing the knobs in Windows to stop this activity doesn't silence it completely, and they can always be reset with another update from Microsoft. It is however unlikely they will change the domains that are looked up. More information about that can be found [https://www.privacytools.io/#win10 here]. You should also consider ditching Windows entirely and using a proper operating system that does not contain intrusive malware [https://www.privacytools.io/#os here are a few choices to consider].
 
As this is a network router, it might be prudent to block those domains.
 
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as [https://www.reddit.com/r/privacy/comments/3htei2/stop_windows_10_from_phoning_home_by_blocking/cuafuvg here] and in this [https://github.com/10se1ucgo/DisableWinTracking/blob/master/run.py#L188 script].
 
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/UBlock UBlock/UBlock Origin].
 
=== /etc/unbound/unbound.conf ===
In your main unbound configuration add
<pre>include: /etc/unbound/filter.conf</pre>
 
=== Script to prepare/sort domains for Unbound  ===
<pre>#!/bin/sh
<pre>#!/bin/sh


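The body of the wiki's script is not reproduced in this revision view. As an added example (not the wiki's own script), the POSIX sh function below does the job described above: it reads one domain per line, drops comments and blank lines, lower-cases, strips trailing dots, de-duplicates, rejects anything that is not a syntactically valid hostname (a malformed line would stop unbound from starting), and emits sorted local-zone/local-data pairs pointing at 0.0.0.1. The domain list fed to it is constructed for the example; it assumes only POSIX sed, tr, grep -E and sort.

```shell
#!/bin/sh
# Added example, not the wiki's script: build an unbound filter.conf
# from a plain list of domains, in the page's format:
#   local-zone: "<domain>" redirect
#   local-data: "<domain> A 0.0.0.1"
export LC_ALL=C   # byte-order sort so the output is stable across runs

# Exit 0 if $1 is a syntactically valid hostname of at least two labels
# (letters, digits, hyphens; no label starts or ends with a hyphen).
is_hostname() {
    printf '%s\n' "$1" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Read a domain list on stdin, write unbound directives on stdout.
# Invalid lines are reported on stderr and left out of the filter.
make_filter() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' \
        | tr 'A-Z' 'a-z' \
        | grep -v '^$' \
        | sort -u \
        | while IFS= read -r domain; do
            if is_hostname "$domain"; then
                printf 'local-zone: "%s" redirect\n' "$domain"
                printf 'local-data: "%s A 0.0.0.1"\n' "$domain"
            else
                printf 'skipping invalid domain: %s\n' "$domain" >&2
            fi
        done
}

# Usage: make_filter < domains.txt > /etc/unbound/filter.conf
# then run unbound-checkconf before restarting unbound.
```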
<pre>local-zone: "a-0001.a-msedge.net" redirect
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110816.wns.windows.com" redirect
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110821.wns.windows.com" redirect
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110822.wns.windows.com" redirect
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110825.wns.windows.com" redirect
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110828.wns.windows.com" redirect
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110835.wns.windows.com" redirect
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110919.wns.windows.com" redirect
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110921.wns.windows.com" redirect
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110923.wns.windows.com" redirect
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"
local-zone: "db5sch101110929.wns.windows.com" redirect
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103081814.wns.windows.com" redirect
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082011.wns.windows.com" redirect
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082111.wns.windows.com" redirect
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082308.wns.windows.com" redirect
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082406.wns.windows.com" redirect
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082409.wns.windows.com" redirect
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082609.wns.windows.com" redirect
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082611.wns.windows.com" redirect
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082709.wns.windows.com" redirect
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082712.wns.windows.com" redirect
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103082806.wns.windows.com" redirect
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090115.wns.windows.com" redirect
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090415.wns.windows.com" redirect
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090513.wns.windows.com" redirect
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090515.wns.windows.com" redirect
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090608.wns.windows.com" redirect
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090806.wns.windows.com" redirect
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090814.wns.windows.com" redirect
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103090906.wns.windows.com" redirect
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091011.wns.windows.com" redirect
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091012.wns.windows.com" redirect
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091106.wns.windows.com" redirect
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091108.wns.windows.com" redirect
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091212.wns.windows.com" redirect
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091311.wns.windows.com" redirect
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091414.wns.windows.com" redirect
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091511.wns.windows.com" redirect
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091617.wns.windows.com" redirect
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091715.wns.windows.com" redirect
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091817.wns.windows.com" redirect
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091908.wns.windows.com" redirect
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103091911.wns.windows.com" redirect
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103092010.wns.windows.com" redirect
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103092108.wns.windows.com" redirect
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103092109.wns.windows.com" redirect
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103092209.wns.windows.com" redirect
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103092210.wns.windows.com" redirect
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103092509.wns.windows.com" redirect
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100117.wns.windows.com" redirect
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100121.wns.windows.com" redirect
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100221.wns.windows.com" redirect
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100313.wns.windows.com" redirect
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100314.wns.windows.com" redirect
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100510.wns.windows.com" redirect
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100511.wns.windows.com" redirect
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100611.wns.windows.com" redirect
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103100712.wns.windows.com" redirect
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101105.wns.windows.com" redirect
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101208.wns.windows.com" redirect
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101212.wns.windows.com" redirect
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101314.wns.windows.com" redirect
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101411.wns.windows.com" redirect
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101413.wns.windows.com" redirect
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101513.wns.windows.com" redirect
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101610.wns.windows.com" redirect
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101611.wns.windows.com" redirect
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101705.wns.windows.com" redirect
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101711.wns.windows.com" redirect
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101909.wns.windows.com" redirect
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103101914.wns.windows.com" redirect
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102009.wns.windows.com" redirect
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102112.wns.windows.com" redirect
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102203.wns.windows.com" redirect
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102209.wns.windows.com" redirect
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102310.wns.windows.com" redirect
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102404.wns.windows.com" redirect
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102609.wns.windows.com" redirect
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102610.wns.windows.com" redirect
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"
local-zone: "db5sch103102805.wns.windows.com" redirect
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"
local-zone: "db5wns1d.wns.windows.com" redirect
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"
local-zone: "db5.wns.windows.com" redirect
local-data: "db5.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090104.wns.windows.com" redirect
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090112.wns.windows.com" redirect
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090116.wns.windows.com" redirect
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090122.wns.windows.com" redirect
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090203.wns.windows.com" redirect
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090206.wns.windows.com" redirect
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090208.wns.windows.com" redirect
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090209.wns.windows.com" redirect
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090211.wns.windows.com" redirect
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090305.wns.windows.com" redirect
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090306.wns.windows.com" redirect
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090308.wns.windows.com" redirect
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090311.wns.windows.com" redirect
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090313.wns.windows.com" redirect
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090410.wns.windows.com" redirect
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090412.wns.windows.com" redirect
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090504.wns.windows.com" redirect
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090510.wns.windows.com" redirect
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090512.wns.windows.com" redirect
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090513.wns.windows.com" redirect
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090514.wns.windows.com" redirect
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090519.wns.windows.com" redirect
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090613.wns.windows.com" redirect
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090619.wns.windows.com" redirect
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090810.wns.windows.com" redirect
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090811.wns.windows.com" redirect
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090902.wns.windows.com" redirect
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090905.wns.windows.com" redirect
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090907.wns.windows.com" redirect
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090908.wns.windows.com" redirect
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090910.wns.windows.com" redirect
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102090911.wns.windows.com" redirect
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091003.wns.windows.com" redirect
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091007.wns.windows.com" redirect
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091008.wns.windows.com" redirect
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091009.wns.windows.com" redirect
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091011.wns.windows.com" redirect
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091103.wns.windows.com" redirect
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091105.wns.windows.com" redirect
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091204.wns.windows.com" redirect
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091209.wns.windows.com" redirect
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091305.wns.windows.com" redirect
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091307.wns.windows.com" redirect
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091308.wns.windows.com" redirect
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091309.wns.windows.com" redirect
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091314.wns.windows.com" redirect
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091412.wns.windows.com" redirect
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091503.wns.windows.com" redirect
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091507.wns.windows.com" redirect
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091602.wns.windows.com" redirect
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091603.wns.windows.com" redirect
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091606.wns.windows.com" redirect
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091607.wns.windows.com" redirect
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"
local-zone: "deploy.static.akamaitechnologies.com" redirect
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"
local-zone: "device.auth.xboxlive.com" redirect
local-data: "device.auth.xboxlive.com A 0.0.0.1"
local-zone: "dev.virtualearth.net" redirect
local-data: "dev.virtualearth.net A 0.0.0.1"
local-zone: "df.telemetry.microsoft.com" redirect
local-zone: "df.telemetry.microsoft.com" redirect
local-data: "df.telemetry.microsoft.com A 0.0.0.1"
local-data: "df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "diagnostics.support.microsoft.com" redirect
local-zone: "diagnostics.support.microsoft.com" redirect
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "dmd.metaservices.microsoft.com" redirect
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"
local-zone: "dns.msftncsi.com" redirect
local-data: "dns.msftncsi.com A 0.0.0.1"
local-zone: "ec.atdmt.com" redirect
local-zone: "ec.atdmt.com" redirect
local-data: "ec.atdmt.com A 0.0.0.1"
local-data: "ec.atdmt.com A 0.0.0.1"
local-zone: "fe2.update.microsoft.com.akadns.net" redirect
local-zone: "ecn.dev.virtualearth.net" redirect
local-data: "fe2.update.microsoft.com.akadns.net A 0.0.0.1"
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"
local-zone: "eu.vortex.data.microsoft.com" redirect
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"
local-zone: "feedback.microsoft-hohm.com" redirect
local-zone: "feedback.microsoft-hohm.com" redirect
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"
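Review bot: `fe2.update.microsoft.com.akadns.net` (the entry interleaved with `ecn.dev.virtualearth.net` near the end of this hunk) is a Windows Update front-end, not a telemetry collector; whichever revision it belongs to, a redirect for it stops update downloads for every client behind the router, which costs more security than the telemetry it suppresses, so drop it or state the trade-off in the text above the list. More generally, every entry here pairs a `redirect` zone with `local-data "... A 0.0.0.1"`, so clients receive a resolvable but unreachable address and sit through connect timeouts; if the goal is only to make these names fail to resolve, `local-zone: "<name>" static` with no `local-data` line answers negatively (nodata/nxdomain) and halves the list.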
Line 823: Line 1,481:
local-zone: "flex.msn.com" redirect
local-zone: "flex.msn.com" redirect
local-data: "flex.msn.com A 0.0.0.1"
local-data: "flex.msn.com A 0.0.0.1"
local-zone: "fs.microsoft.com" redirect
local-data: "fs.microsoft.com A 0.0.0.1"
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "g.msn.com" redirect
local-zone: "g.msn.com" redirect
local-data: "g.msn.com A 0.0.0.1"
local-data: "g.msn.com A 0.0.0.1"
Line 833: Line 1,497:
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"
local-zone: "img-s-msn-com.akamaized.net" redirect
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"
local-zone: "inference.location.live.net" redirect
local-data: "inference.location.live.net A 0.0.0.1"
local-zone: "insiderppe.cloudapp.net" redirect
local-data: "insiderppe.cloudapp.net A 0.0.0.1"
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "lb1.www.ms.akadns.net" redirect
local-zone: "lb1.www.ms.akadns.net" redirect
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"
local-zone: "licensing.mp.microsoft.com" redirect
local-data: "licensing.mp.microsoft.com A 0.0.0.1"
local-zone: "live.rads.msn.com" redirect
local-zone: "live.rads.msn.com" redirect
local-data: "live.rads.msn.com A 0.0.0.1"
local-data: "live.rads.msn.com A 0.0.0.1"
local-zone: "ls2web.redmond.corp.microsoft.com" redirect
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"
local-zone: "m.adnxs.com" redirect
local-zone: "m.adnxs.com" redirect
local-data: "m.adnxs.com A 0.0.0.1"
local-data: "m.adnxs.com A 0.0.0.1"
local-zone: "m.hotmail.com" redirect
local-zone: "mediaredirect.microsoft.com" redirect
local-data: "m.hotmail.com A 0.0.0.1"
local-data: "mediaredirect.microsoft.com A 0.0.0.1"
local-zone: "mobile.pipe.aria.microsoft.com" redirect
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"
local-zone: "msedge.net" redirect
local-zone: "msedge.net" redirect
local-data: "msedge.net A 0.0.0.1"
local-data: "msedge.net A 0.0.0.1"
local-zone: "msftncsi.com" redirect
local-zone: "msftncsi.com" redirect
local-data: "msftncsi.com A 0.0.0.1"
local-data: "msftncsi.com A 0.0.0.1"
local-zone: "msnbot-65-55-108-23.search.msn.com" redirect
local-data: "msnbot-65-55-108-23.search.msn.com A 0.0.0.1"
local-zone: "msntest.serving-sys.com" redirect
local-zone: "msntest.serving-sys.com" redirect
local-data: "msntest.serving-sys.com A 0.0.0.1"
local-data: "msntest.serving-sys.com A 0.0.0.1"
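Review bot: `msftncsi.com` as a `redirect` zone also answers for every name beneath it, including `www.msftncsi.com` and `dns.msftncsi.com`, which the Windows Network Connectivity Status Indicator probes (it expects a specific answer for `dns.msftncsi.com`) to decide whether the machine has internet access; answering both with 0.0.0.1 makes every Windows client on the LAN report limited or no connectivity, so that side effect belongs next to the list, and the separate `dns.msftncsi.com` entry earlier in the list is redundant once the apex zone exists. The apex `msedge.net` zone is likewise far broader than a telemetry host: it is a Microsoft edge/CDN domain used by unrelated services, and `win10-trt.msedge.net` later in the list is already covered by it.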
Line 853: Line 1,547:
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "officeclient.microsoft.com" redirect
local-data: "officeclient.microsoft.com A 0.0.0.1"
local-zone: "oneclient.sfx.ms" redirect
local-data: "oneclient.sfx.ms A 0.0.0.1"
local-zone: "pre.footprintpredict.com" redirect
local-zone: "pre.footprintpredict.com" redirect
local-data: "pre.footprintpredict.com A 0.0.0.1"
local-data: "pre.footprintpredict.com A 0.0.0.1"
local-zone: "preview.msn.com" redirect
local-zone: "preview.msn.com" redirect
local-data: "preview.msn.com A 0.0.0.1"
local-data: "preview.msn.com A 0.0.0.1"
local-zone: "pricelist.skype.com" redirect
local-zone: "pti.store.microsoft.com" redirect
local-data: "pricelist.skype.com A 0.0.0.1"
local-data: "pti.store.microsoft.com A 0.0.0.1"
local-zone: "rad.live.com" redirect
local-zone: "query.prod.cms.rt.microsoft.com" redirect
local-data: "rad.live.com A 0.0.0.1"
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"
local-zone: "rad.msn.com" redirect
local-zone: "rad.msn.com" redirect
local-data: "rad.msn.com A 0.0.0.1"
local-data: "rad.msn.com A 0.0.0.1"
local-zone: "redir.metaservices.microsoft.com" redirect
local-zone: "redir.metaservices.microsoft.com" redirect
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"
local-zone: "register.cdpcs.microsoft.com" redirect
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "s.gateway.messenger.live.com" redirect
local-data: "s.gateway.messenger.live.com A 0.0.0.1"
local-zone: "s0.2mdn.net" redirect
local-zone: "s0.2mdn.net" redirect
local-data: "s0.2mdn.net A 0.0.0.1"
local-data: "s0.2mdn.net A 0.0.0.1"
local-zone: "schemas.microsoft.akadns.net" redirect
local-zone: "schemas.microsoft.akadns.net" redirect
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"
local-zone: "search.msn.com" redirect
local-data: "search.msn.com A 0.0.0.1"
local-zone: "secure.adnxs.com" redirect
local-zone: "secure.adnxs.com" redirect
local-data: "secure.adnxs.com A 0.0.0.1"
local-data: "secure.adnxs.com A 0.0.0.1"
Line 879: Line 1,579:
local-zone: "services.wes.df.telemetry.microsoft.com" redirect
local-zone: "services.wes.df.telemetry.microsoft.com" redirect
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "settings.data.glbdns2.microsoft.com" redirect
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"
local-zone: "settings.data.microsoft.com" redirect
local-data: "settings.data.microsoft.com A 0.0.0.1"
local-zone: "settings-sandbox.data.microsoft.com" redirect
local-zone: "settings-sandbox.data.microsoft.com" redirect
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"
local-zone: "settings-ssl.xboxlive.com" redirect
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"
local-zone: "settings-win.data.microsoft.com" redirect
local-zone: "settings-win.data.microsoft.com" redirect
local-data: "settings-win.data.microsoft.com A 0.0.0.1"
local-data: "settings-win.data.microsoft.com A 0.0.0.1"
local-zone: "sls.update.microsoft.com.akadns.net" redirect
local-zone: "settings-win-ppe.data.microsoft.com" redirect
local-data: "sls.update.microsoft.com.akadns.net A 0.0.0.1"
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"
local-zone: "sn3301-c.1drv.com" redirect
local-data: "sn3301-c.1drv.com A 0.0.0.1"
local-zone: "sn3301-e.1drv.com" redirect
local-data: "sn3301-e.1drv.com A 0.0.0.1"
local-zone: "sn3301-g.1drv.com" redirect
local-data: "sn3301-g.1drv.com A 0.0.0.1"
local-zone: "so.2mdn.net" redirect
local-zone: "so.2mdn.net" redirect
local-data: "so.2mdn.net A 0.0.0.1"
local-data: "so.2mdn.net A 0.0.0.1"
local-zone: "spynet2.microsoft.com" redirect
local-data: "spynet2.microsoft.com A 0.0.0.1"
local-zone: "spynetalt.microsoft.com" redirect
local-data: "spynetalt.microsoft.com A 0.0.0.1"
local-zone: "spyneteurope.microsoft.akadns.net" redirect
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"
local-zone: "sqm.df.telemetry.microsoft.com" redirect
local-zone: "sqm.df.telemetry.microsoft.com" redirect
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"
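Review bot: `spynet2.microsoft.com`, `spynetalt.microsoft.com` and `spyneteurope.microsoft.akadns.net` are the Microsoft Active Protection Service endpoints Windows Defender uses for cloud-delivered protection (the same applies to `wdcp.microsoft.com` and `wdcpalt.microsoft.com` further down the list); redirecting them quietly removes cloud verdicts and block-at-first-sight from every client behind the router. That is a security trade-off rather than a privacy one and deserves either a sentence above the list or removal of those entries. `sls.update.microsoft.com.akadns.net` in the same hunk is a Windows Update service locator and carries the same concern as the other update hosts.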
Line 895: Line 1,613:
local-zone: "static.2mdn.net" redirect
local-zone: "static.2mdn.net" redirect
local-data: "static.2mdn.net A 0.0.0.1"
local-data: "static.2mdn.net A 0.0.0.1"
local-zone: "statsfe1.ws.microsoft.com" redirect
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect
local-data: "statsfe1.ws.microsoft.com A 0.0.0.1"
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"
local-zone: "statsfe2.update.microsoft.com.akadns.net" redirect
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect
local-data: "statsfe2.update.microsoft.com.akadns.net A 0.0.0.1"
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"
local-zone: "statsfe2.ws.microsoft.com" redirect
local-zone: "store-images.s-microsoft.com" redirect
local-data: "statsfe2.ws.microsoft.com A 0.0.0.1"
local-data: "store-images.s-microsoft.com A 0.0.0.1"
local-zone: "support.microsoft.com" redirect
local-data: "support.microsoft.com A 0.0.0.1"
local-zone: "survey.watson.microsoft.com" redirect
local-zone: "survey.watson.microsoft.com" redirect
local-data: "survey.watson.microsoft.com A 0.0.0.1"
local-data: "survey.watson.microsoft.com A 0.0.0.1"
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"
local-zone: "telecommand.telemetry.microsoft.com" redirect
local-zone: "telecommand.telemetry.microsoft.com" redirect
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"
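Review bot: `support.microsoft.com` is the apex of Microsoft's support site (KB articles and update download pages), not a telemetry collector; redirecting the whole zone stops users on the LAN from reading advisories or fetching fixes and should be removed or narrowed to a specific host. `statsfe1.ws.microsoft.com`, `statsfe2.ws.microsoft.com` and `statsfe2.update.microsoft.com.akadns.net` (the entries interleaved with the `storecatalogrevocation`/`storeedgefd`/`store-images` lines) are Windows Update reporting hosts, so whichever revision carries them should be weighed against the update-host trade-off raised above.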
Line 909: Line 1,633:
local-zone: "telemetry.appex.bing.net" redirect
local-zone: "telemetry.appex.bing.net" redirect
local-data: "telemetry.appex.bing.net A 0.0.0.1"
local-data: "telemetry.appex.bing.net A 0.0.0.1"
local-zone: "telemetry.appex.bing.net:443" redirect
local-data: "telemetry.appex.bing.net:443 A 0.0.0.1"
local-zone: "telemetry.microsoft.com" redirect
local-zone: "telemetry.microsoft.com" redirect
local-data: "telemetry.microsoft.com A 0.0.0.1"
local-data: "telemetry.microsoft.com A 0.0.0.1"
local-zone: "telemetry.urs.microsoft.com" redirect
local-zone: "telemetry.urs.microsoft.com" redirect
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"
local-zone: "ui.skype.com" redirect
local-zone: "test.activity.windows.com" redirect
local-data: "ui.skype.com A 0.0.0.1"
local-data: "test.activity.windows.com A 0.0.0.1"
local-zone: "tile-service.weather.microsoft.com" redirect
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"
local-zone: "time.windows.com" redirect
local-data: "time.windows.com A 0.0.0.1"
local-zone: "tk2.plt.msn.com" redirect
local-data: "tk2.plt.msn.com A 0.0.0.1"
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "urs.smartscreen.microsoft.com" redirect
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "v10.vortex-win.data.microsoft.com" redirect
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"
local-zone: "version.hybrid.api.here.com" redirect
local-data: "version.hybrid.api.here.com A 0.0.0.1"
local-zone: "view.atdmt.com" redirect
local-zone: "view.atdmt.com" redirect
local-data: "view.atdmt.com A 0.0.0.1"
local-data: "view.atdmt.com A 0.0.0.1"
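Review bot: the `telemetry.appex.bing.net:443` pair is malformed: a port is not part of a DNS name, so at best unbound stores a literal last label `net:443` that no client will ever query, and the plain `telemetry.appex.bing.net` entry just above it already covers the host; delete both lines. `time.windows.com` in the same hunk is the default NTP source for Windows clients; redirecting it stops their clock sync, and given the guide's own warning that a wrong clock breaks certificate checks for OpenVPN, the resulting drift will eventually break TLS validation on those clients, so either drop the entry or give the clients another time source.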
Line 923: Line 1,661:
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex.data.glbdns2.microsoft.com" redirect
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex.data.microsoft.com" redirect
local-data: "vortex.data.microsoft.com A 0.0.0.1"
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-sandbox.data.microsoft.com" redirect
local-zone: "vortex-sandbox.data.microsoft.com" redirect
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-win.data.microsoft.com" redirect
local-zone: "vortex-win.data.microsoft.com" redirect
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"
local-zone: "vortex.data.microsoft.com" redirect
local-data: "vortex.data.microsoft.com A 0.0.0.1"
local-zone: "watson.live.com" redirect
local-data: "watson.live.com A 0.0.0.1"
local-zone: "watson.microsoft.com" redirect
local-zone: "watson.microsoft.com" redirect
local-data: "watson.microsoft.com A 0.0.0.1"
local-data: "watson.microsoft.com A 0.0.0.1"
Line 939: Line 1,685:
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "wdcpalt.microsoft.com" redirect
local-data: "wdcpalt.microsoft.com A 0.0.0.1"
local-zone: "wdcp.microsoft.com" redirect
local-data: "wdcp.microsoft.com A 0.0.0.1"
local-zone: "web.vortex.data.microsoft.com" redirect
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"
local-zone: "wes.df.telemetry.microsoft.com" redirect
local-zone: "wes.df.telemetry.microsoft.com" redirect
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "win10.ipv6.microsoft.com" redirect
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"
local-zone: "win10-trt.msedge.net" redirect
local-data: "win10-trt.msedge.net A 0.0.0.1"
local-zone: "win1710.ipv6.microsoft.com" redirect
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"
local-zone: "wscont.apps.microsoft.com" redirect
local-data: "wscont.apps.microsoft.com A 0.0.0.1"
local-zone: "www.msedge.net" redirect
local-data: "www.msedge.net A 0.0.0.1"
local-zone: "www.msftconnecttest.com" redirect
local-data: "www.msftconnecttest.com A 0.0.0.1"
local-zone: "www.msftncsi.com" redirect
local-zone: "www.msftncsi.com" redirect
local-data: "www.msftncsi.com A 0.0.0.1"</pre>
local-data: "www.msftncsi.com A 0.0.0.1"</pre>


== DNSCrypt ==
Configuring DNSCrypt to send its lookups through the VPN, and not directly out your ppp interface, is done with a SOCKS proxy.

You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleaktest.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast], so the server you reach should be one located near where your VPN exits.

=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===
Using the sample dnscrypt config is fine, but you will need to make these changes:

<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
proxy = "socks5://127.0.0.1:1080"</pre>

== Dante ==
First install dante. You'll need to pin the testing repository, see: [[Alpine Linux package management#Repository pinning]].

{{cmd|apk add dante-server@testing}}

Configure it like so:

=== /etc/sockd.conf ===
<pre>logoutput: stderr
internal: 127.0.0.1 port = 1080
external: tun0
clientmethod: none
socksmethod: none
user.unprivileged: sockd

# Allow connections from localhost to any host
client pass {
        from: 127.0.0.1/8 to: 0.0.0.0/0
        log: error # connect/disconnect
}

# Generic pass statement - bind/outgoing traffic
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
}

# Generic pass statement for incoming connections/packets
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bindreply udpreply
        log: error # connect disconnect iooperation
}</pre>

Finally add the services to the default run level:
{{cmd|rc-update add sockd default}}
{{cmd|rc-update add unbound default}}
{{cmd|rc-update add dnscrypt-proxy default}}
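The whole point of the chain above (unbound, dnscrypt-proxy, sockd, tun0) is that a lookup can only leave through the tunnel, and a single wrong value in either file silently defeats it. The following is an added example, not part of the wiki page, that checks the two files against each other; the sample configuration texts inside it are constructed, and only the double-quoted <code>proxy = "socks5://..."</code> form shown on this page is recognised.

```shell
#!/bin/sh
# Added example, not part of the wiki page: verify that the resolver chain
# unbound -> dnscrypt-proxy -> sockd -> tun0 is wired so that dnscrypt-proxy's
# lookups can only leave through the VPN interface. The functions take the
# text of dnscrypt-proxy.toml and sockd.conf as strings; the samples at the
# bottom are constructed, not taken from a live system.

# proxy_target TOML -> host:port from the line  proxy = "socks5://host:port"
proxy_target() {
    printf '%s\n' "$1" | sed -n 's/^proxy *= *"socks5:\/\/\([^"]*\)".*/\1/p' | head -n 1
}

# sockd_internal SOCKD -> host:port from the line  internal: host port = N
sockd_internal() {
    printf '%s\n' "$1" | sed -n 's/^internal: *\([^ ]*\) *port *= *\([0-9]*\).*/\1:\2/p' | head -n 1
}

# sockd_external SOCKD -> interface (or address) named on the external: line
sockd_external() {
    printf '%s\n' "$1" | sed -n 's/^external: *\([^ ]*\).*/\1/p' | head -n 1
}

# check_dns_chain TOML SOCKD VPN_IFACE -> "ok", "leak: ..." or "broken: ..."
#   leak   = lookups would reach the internet without going through the tunnel
#   broken = lookups would fail outright (proxy target and sockd do not line up)
check_dns_chain() {
    target=$(proxy_target "$1")
    internal=$(sockd_internal "$2")
    external=$(sockd_external "$2")
    if [ -z "$target" ]; then
        echo "leak: dnscrypt-proxy has no socks5 proxy, lookups go straight out the default route"
    elif [ "$target" != "$internal" ]; then
        echo "broken: dnscrypt-proxy proxies to $target but sockd listens on ${internal:-nothing}"
    elif [ "$external" != "$3" ]; then
        echo "leak: sockd sends traffic out ${external:-an unset interface}, not the VPN interface $3"
    else
        echo ok
    fi
}

# Constructed sample configurations mirroring the settings shown on this page.
GOOD_TOML=$(cat <<'EOF'
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
proxy = "socks5://127.0.0.1:1080"
EOF
)
GOOD_SOCKD=$(cat <<'EOF'
logoutput: stderr
internal: 127.0.0.1 port = 1080
external: tun0
EOF
)
# The same file with the one-word mistake that defeats the whole setup:
# sockd would egress via the ISP link and every lookup bypasses the VPN.
LEAKY_SOCKD=$(cat <<'EOF'
logoutput: stderr
internal: 127.0.0.1 port = 1080
external: ppp0
EOF
)

check_dns_chain "$GOOD_TOML" "$GOOD_SOCKD" tun0
check_dns_chain "$GOOD_TOML" "$LEAKY_SOCKD" tun0
```

On the router itself, run it against the real files with <code>check_dns_chain "$(cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml)" "$(cat /etc/sockd.conf)" tun0</code>.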


= Random number generation =
There are two ways to assist with random number generation (see [[Entropy and randomness]]). This can be particularly useful if you're generating your own Diffie-Hellman parameters file, used in the [[FreeRadius EAP-TLS configuration]] section, or for that matter any process which needs lots of random numbers, such as generating certificates or public/private key pairs.

== Haveged ==
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses an unpredictable random number generator based on an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.

Install haveged:
{{cmd|apk add haveged}}

Start the haveged service:
{{cmd|service haveged start}}

Add the service to boot:
{{cmd|rc-update add haveged default}}

== rng-tools with bcm2708-rng ==

=== Pre Alpine Linux 3.8 (which includes rngd 5) ===
All Raspberry Pis come with the bcm2708-rng hardware random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this as well.

Add the kernel module to /etc/modules (appending, so the tun entry added earlier is kept):
{{cmd|echo "bcm2708-rng" >> /etc/modules}}

Insert the module:
{{cmd|modprobe bcm2708-rng}}

Install rng-tools:
{{cmd|apk add rng-tools}}

Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd:
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}

=== Post Alpine Linux 3.8 (which includes rngd 6) ===

With Alpine Linux 3.8 you don't have to insert the module, as it is already built into the kernel.

Additionally, the option syntax for rngd has changed, so /etc/conf.d/rngd needs:

{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}

Start the rngd service:
{{cmd|service rngd start}}

Add the service to boot:
{{cmd|rc-update add rngd default}}

You can test it with:
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}

You should see something like:

<pre>rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s
rngtest: Program run time: 25178079 microseconds</pre>

It's possible you might have some failures. That's okay; two runs I did previously had a failure each.
= WiFi 802.1x EAP and FreeRadius =
A more secure alternative to pre-shared keys (WPA2-PSK) is [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] with a separate certificate for each device. See [[FreeRadius EAP-TLS configuration]].

= VPN Tunnel on specific subnet =
As mentioned earlier in this article, it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections that bypass the tunnel. For this exercise we use fwmark.

We expand the network to look like this:

[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]

Install the necessary packages:
{{cmd|apk add openvpn iproute2 iputils}}

== /etc/modules ==
You'll want to add the tun module:
<pre>tun</pre>

== /etc/iproute2/rt_tables ==
Add the two routing tables to the bottom of rt_tables. It should look something like this:
<pre>#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 ISP
2 VPN</pre>

== /etc/network/interfaces ==
Next, add the virtual interface eth0:2 (really just a second IP address on eth0); placing it just under the eth0 stanza will do.

<pre># Route to VPN subnet
auto eth0:2
iface eth0:2 inet static
  address 192.168.2.1
  netmask 255.255.255.0
  broadcast 192.168.2.255
  post-up /etc/network/fwmark_rules</pre>

== /etc/sysctl.d/local.conf ==
If you want to use fwmark rules you need to change this setting. With the value 2 (loose mode) the router still performs reverse-path source validation, but it accepts a packet as long as its source is reachable through any interface rather than only the one it arrived on.

<pre># Needed to use fwmark
net.ipv4.conf.all.rp_filter = 2
</pre>

fwmark routing won't work if you have this set to 1 (strict mode).

== /etc/network/fwmark_rules ==
In this file we put the fwmark rules and set the correct priorities.

<pre>#!/bin/sh

# Normal packets go direct out the WAN
/sbin/ip rule add fwmark 1 table ISP prio 100

# Put packets destined for the VPN into the VPN table when the VPN is up
/sbin/ip rule add fwmark 2 table VPN prio 200

# Prevent packets from being routed out when the VPN is down.
# This stops them falling back to the main table,
# which has a priority of 32766
/sbin/ip rule add prohibit fwmark 2 prio 300</pre>
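The three rules above only make sense together with the MARK/CONNMARK rules in the Advanced IPtables section later on this page, so the following is an added example, not part of the wiki page, that models the combined per-packet decision in POSIX sh and lets the fail-closed case (VPN down) be checked offline. It assumes plain /24 prefix matching for the two subnets, an off-LAN destination (so only each table's default route matters), and leaves out the commented-out excepted-server rules.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a shell model of the decision the
# router makes for one packet, combining the MARK/CONNMARK rules of the mangle
# table (Advanced IPtables rules section) with the ip rule priorities set in
# /etc/network/fwmark_rules. It shows the fail-closed property: with the VPN
# down, 0x2 traffic hits the prio 300 prohibit rule instead of falling through
# to the main table and leaving via the ISP.
# Assumptions: subnet tests are /24 prefix matches (all this page needs), the
# destination is off-LAN so only each table's default route matters, and the
# commented-out "excepted server" rules on the page are not modelled.

MODEM_IP=192.168.0.1      # the page's modem address, deliberately marked 0x0

# in_net24 IP PREFIX   e.g. in_net24 192.168.2.20 192.168.2
in_net24() {
    case $1 in "$2".*) return 0 ;; esac
    return 1
}

# mark_for_packet SRC DST CONNMARK -> mark left on the packet by mangle PREROUTING
# CONNMARK is the mark already saved on the connection (0 for a new flow).
mark_for_packet() {
    src=$1; dst=$2
    mark=$3                                    # -j CONNMARK --restore-mark
    if in_net24 "$src" 192.168.2; then
        if [ "$mark" = 2 ]; then               # -m mark --mark 0x2 -j ACCEPT
            echo 2; return                     # chain ends here, nothing is re-saved
        fi
        mark=2                                 # -j MARK --set-xmark 0x2
    fi
    if in_net24 "$src" 192.168.1; then
        if [ "$mark" = 1 ]; then               # -m mark --mark 0x1 -j ACCEPT
            echo 1; return
        fi
        mark=1                                 # -j MARK --set-xmark 0x1
    fi
    if [ "$dst" = "$MODEM_IP" ]; then
        mark=0                                 # -j MARK --set-xmark 0x0 (stays in main table)
    fi
    echo "$mark"                               # -j CONNMARK --save-mark
}

# route_for_mark MARK ISP_UP VPN_UP -> ISP | VPN | prohibit | main
# ip rule lookup in priority order. A table whose link is down has no default
# route (ip-up / route-up has not run, or the table was flushed), so that rule
# yields no route and lookup continues with the next priority.
route_for_mark() {
    mark=$1; isp_up=$2; vpn_up=$3
    if [ "$mark" = 1 ] && [ "$isp_up" = 1 ]; then echo ISP; return; fi   # prio 100: fwmark 1 table ISP
    if [ "$mark" = 2 ] && [ "$vpn_up" = 1 ]; then echo VPN; return; fi   # prio 200: fwmark 2 table VPN
    if [ "$mark" = 2 ]; then echo prohibit; return; fi                  # prio 300: prohibit fwmark 2
    echo main                                                           # prio 32766: main table
}

# decide SRC DST CONNMARK ISP_UP VPN_UP -> where a forwarded packet ends up
decide() {
    route_for_mark "$(mark_for_packet "$1" "$2" "$3")" "$4" "$5"
}

# Walk through the cases the page describes (constructed sample packets).
for vpn_up in 1 0; do
    echo "VPN up=$vpn_up:"
    echo "  192.168.1.10 -> 1.1.1.1     : $(decide 192.168.1.10 1.1.1.1 0 1 "$vpn_up")"
    echo "  192.168.2.20 -> 1.1.1.1     : $(decide 192.168.2.20 1.1.1.1 0 1 "$vpn_up")"
    echo "  192.168.2.20 -> $MODEM_IP : $(decide 192.168.2.20 "$MODEM_IP" 0 1 "$vpn_up")"
done
```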


== /etc/ppp/ip-up ==
Next up we want to create the routes that should be set up when PPP comes online. pppd exports the connection details (such as the local and remote IP address) as environment variables that ip-up and ip-down can use; see the [https://ppp.samba.org/pppd.html#sect13 Scripts section of the pppd man page]. You can also read about them in your local man page if you have ppp-doc installed.

<pre>#!/bin/sh
#
# This script is run by pppd when there's a successful ppp connection.
#

# Flush out any old routes that might be there
/sbin/ip route flush table ISP

# Add routes to the table for the subnets on the LAN
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP

# Add a rule so traffic sourced from the IP given by the ISP
# (IPLOCAL, our end of the link) uses this table
/sbin/ip rule add from ${IPLOCAL} table ISP prio 100

# Add a default route
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre>

== /etc/ppp/ip-down ==
<pre>#!/bin/sh
#
# This script is run by pppd after the connection has ended.
#

# Delete the rule when we take the interface down
/sbin/ip rule del from ${IPLOCAL} table ISP prio 100</pre>

== /etc/openvpn/route-up-fwmark.sh ==
OpenVPN needs similar routing scripts, and it also exports its own environment variables that carry the connection's values. A full list is in the [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man page - Environmental Variables].

<pre>#!/bin/sh
#
# This script is run by OpenVPN when there's a successful VPN connection.
#

# Flush out any old routes that might be there
/sbin/ip route flush table VPN

# Add route to table for the 192.168.2.0/24 subnet on the LAN
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN

# Add a rule so traffic sourced from the VPN interface IP uses the VPN table
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200

# Add a default route
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre>

== /etc/openvpn/route-pre-down-fwmark.sh ==
<pre>#!/bin/sh
#
# This script is run by OpenVPN after the connection has ended
#

# Delete the rule when we take the interface down
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre>

What I did find was, when starting and stopping the OpenVPN service, if you used:

{{cmd|service openvpn stop}}

the rules in route-pre-down-fwmark.sh were not executed. However:

{{cmd|/etc/init.d/openvpn stop}}

seemed to work correctly.

== Advanced IPtables rules that allow us to route into our two routing tables ==
This is an expansion of the previous set of rules. It sets up NAT masquerading for 192.168.2.0/24 to go through the VPN using marked packets.

I used these guides to complete this:

* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2]
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]

<pre>#########################################################################
# Advanced routing rule set
# Uses 192.168.1.0 via ISP
#      192.168.2.0 via VPN
#
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN
#
#########################################################################

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]

# Create a log drop chain
:LOG_DROP - [0:0]

# Create a reject chain
:LOG_REJECT - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Forward traffic to ISP
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT

# Forward traffic to VPN
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT

# Allow excepted server to be FORWARD to ppp0
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port to workstation
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router on both subnets
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow excepted server to be INPUT to eth0 from LAN
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_PPP0 -j LOG_DROP

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on TUN0
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_TUN0 -j LOG_DROP
COMMIT

#
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# If packet MARK is 2, then it means there is already a connection mark and the
# original packet came in on VPN
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT

# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) is 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT

# Mark packets coming from 192.168.2.0/24 as 0x2
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff

# If packet MARK is 1, then it means there is already a connection mark and the
# original packet came in on ISP
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT

# Mark packets from 192.168.1.0/24 as 0x1
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff

# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff

# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff

# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT</pre>

You may want to delete certain rules here that do not apply to you, e.g. the FreeRadius rules. That is covered later in this article.

== OpenVPN Routing ==
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this, as we still want to be able to access the internet without the VPN, and we have also created our own routes earlier in this guide that we want to use instead.

You'll need to add this to the bottom of your OpenVPN configuration file:
<pre># Prevents default gateway from being set on the default routing table
route-noexec

# Allows route-up script to be executed
script-security 2

# Calls custom shell script after connection to add necessary routes
route-up /etc/openvpn/route-up-fwmark.sh
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre>

My VPNs are arranged like this in /etc/openvpn:

OpenVPN configuration file for that server:
<pre>countrycode.serverNumber.openvpn.conf</pre>

OpenVPN certs for that server:
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key
countrycode.serverNumber.openvpn/myKey.crt
countrycode.serverNumber.openvpn/myKey.key</pre>

So I use this helpful script to automate the process of changing between servers:

<pre>#!/bin/sh

vpn_server_filename=$1

rm -f /etc/openvpn/openvpn.conf
ln -s "$vpn_server_filename" /etc/openvpn/openvpn.conf
chown -R openvpn:openvpn /etc/openvpn
chmod -R a=-rwx,u=+rX /etc/openvpn
chmod u=x /etc/openvpn/*.sh*

if grep -Fxq "#CustomStuffHere" openvpn.conf
then
    echo "Not adding custom routes, this server has been used previously"
else
    echo "Adding custom route rules"
   
    echo -e "#CustomStuffHere\
\n# Prevents default gateway from being set on the default routing table\
\nroute-noexec\
\n# Allows route-up script to be executed\
\nscript-security 2 \
\n# Calls custom shell script after connection to add necessary routes\
\nroute-up /etc/openvpn/route-up-fwmark.sh\
\nroute-pre-down /etc/openvpn/route-pre-down-fwmark.sh\
\n# Logging of OpenVPN to file\
\n#log /etc/openvpn/openvpn.log"\
>> /etc/openvpn/openvpn.conf
fi


echo "Remember to set BitTorrent port forward in vcp.ovpn.to control panel"</pre>
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff


That way I can simply change between servers by running:
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT</pre>


and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.


{{cmd|service openvpn restart}}
== OpenVPN Routing ==
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.


Finally add openvpn to the default run level
You'll need to add this to the bottom of your OpenVPN configuration file:
{{cmd|rc-update add openvpn default}}
<pre># Prevents default gateway from being set on the default routing table
route-noexec


= Creating a LAN only Subnet =
# Allows route-up script to be executed
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.
script-security 2


At the end of this section we will have something like:
# Calls custom shell script after connection to add necessary routes
route-up /etc/openvpn/route-up-fwmark.sh
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre>


[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]
My VPNs are arranged like this in /etc/openvpn:


== /etc/iproute2/rt_tables ==
OpenVPN configuration file for that server:
First up we'll add a third routing table:
<pre>countrycode.serverNumber.openvpn.conf</pre>


<pre>3 LAN</pre>
OpenVPN certs for that server:
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key
countrycode.serverNumber.openvpn/myKey.crt
countrycode.serverNumber.openvpn/myKey.key</pre>


== /etc/network/interfaces ==
So I use this helpful script to automate the process of changing between servers:
Add a an extra interface.


<pre>auto eth0
<pre>#!/bin/sh
auto eth0:2
auto eth0:3
auto eth1
auto lo
auto ppp0


# LAN Only
vpn_server_filename=$1
iface eth0:3 inet static
  address 192.168.3.1
  netmask 255.255.255.0
  broadcast 192.168.3.255
  post-up /etc/network/route_LAN</pre>


== /etc/network/route_LAN ==
rm /etc/openvpn/openvpn.conf
This file will have our route added to it
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf
chown -R openvpn:openvpn /etc/openvpn
chmod -R a=-rwx,u=+rX /etc/openvpn
chmod u=x /etc/openvpn/*.sh*


<pre>#!/bin/sh
if grep -Fxq "#CustomStuffHere" openvpn.conf
then
    echo "Not adding custom routes, this server has been used previously"
else
    echo "Adding custom route rules"
cat <<EOF >> /etc/openvpn/openvpn.conf


# Add routes from ISP to LAN
#CustomStuffHere
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN
# Prevents default gateway from being set on the default routing table
route-noexec


# Add route from VPN to LAN
# Allows route-up script to be executed
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN
script-security 2


# Add route from LAN to it's own table
# Calls custom shell script after connection to add necessary routes
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre>
route-up /etc/openvpn/route-up-fwmark.sh
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh


== /etc/ppp/ip-up ==
# Logging of OpenVPN to file
Append a route from the LAN subnet to the ISP table
#log /etc/openvpn/openvpn.log
EOF


<pre># Add route to LAN subnet
fi
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre>
echo "Remember to set BitTorrent port forward in VPN control panel"</pre>


== /etc/openvpn/route-up-fwmark.sh ==
That way I can simply change between servers by running:
Append a route from the LAN subnet to the VPN table
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}


<pre># Add route to LAN only subnet
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre>


== /etc/ntpd.conf ==
{{cmd|service openvpn restart}}
Add a listen address for ntp (OpenNTPD).


You should now have:
Finally add openvpn to the default run level
{{cmd|rc-update add openvpn default}}


<pre># Addresses to listen on (ntpd does not listen by default)
= Creating a LAN only Subnet =
In this section, we'll be creating a LAN only subnet, 192.168.3.0/24. Nodes in this subnet cannot have their packets forwarded to the Internet, but they can still be reached from the other LAN subnets, 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs, although that would be recommended if you had a managed switch. This subnet is intended for things like WiFi access points, IP phones that contact a local Asterisk server and, of course, printers.

At the end of this section we will have something like:

[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]

== /etc/iproute2/rt_tables ==
First up we'll add a third routing table:

<pre>3 LAN</pre>

== /etc/network/interfaces ==
Add an extra virtual interface (really just an additional IP address on eth0).

<pre># LAN Only
auto eth0:3
iface eth0:3 inet static
  address 192.168.3.1
  netmask 255.255.255.0
  broadcast 192.168.3.255
  post-up /etc/network/route_LAN</pre>

== /etc/network/route_LAN ==
This file will have our routes added to it:

<pre>#!/bin/sh

# Add routes from ISP to LAN
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN

# Add route from VPN to LAN
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN

# Add route from LAN to its own table
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre>

== /etc/ppp/ip-up ==
Append a route from the LAN subnet to the ISP table:

<pre># Add route to LAN subnet
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre>

== /etc/openvpn/route-up-fwmark.sh ==
Append a route from the LAN subnet to the VPN table:

<pre># Add route to LAN only subnet
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre>

== /etc/ntpd.conf ==
Add a listen address for ntp (OpenNTPD).

You should now have:

<pre># Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1
listen on 192.168.2.1
listen on 192.168.3.1</pre>

Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.

== Blocking bogons ==
Our LAN now has 4 subnets, plus the VPN provider's network:

* 192.168.0.0/30 (connection between modem and router)
* 192.168.1.0/24 (ISP table, directly routed out WAN)
* 192.168.2.0/24 (VPN table, routed out VPN)
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).

Everything else should be rejected. No packets should ever be forwarded from 192.168.5.2 or 10.0.0.5, for example.

=== Installing ipset ===
Install ipset:

{{cmd|apk add ipset}}

Add it to start up:
{{cmd|rc-update add ipset default}}

Now we need to load the lists of addresses into ipset. [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. It could be run from a cron job if you wanted to update the list regularly; for the full bogon list you should, because it changes as address space is allocated.

For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list.

<pre>0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4</pre>

This is unlikely to change as it's the IPv4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script:

<pre>#! /bin/bash

# /usr/local/sbin/fullbogons-ipv4
# BoneKracker
# Rev. 11 October 2012
# Tested with ipset 6.13

# Purpose: Periodically update an ipset used in a running firewall to block
# bogons. Bogons are addresses that nobody should be using on the public
# Internet because they are either private, not to be assigned, or have
# not yet been assigned.
#
# Notes: Call this from crontab. Feed updated every 4 hours.

# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
# Use alternative URL from pfSense, due to 404 error with URL above
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"
ipset_params="hash:net"

filename=$(basename ${target})
firewall_ipset=${filename%.*}          # ipset will be filename minus ext
data_dir="/var/tmp/${firewall_ipset}"  # data directory will be same
data_file="${data_dir}/${filename}"    # local copy of the downloaded feed

# if data directory does not exist, create it
mkdir -pm 0750 ${data_dir}

# function to get modification time of the file in log-friendly format
get_timestamp() {
    date -r $1 +%m/%d' '%R
}

# file modification time on server is preserved during wget download
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})

# fetch file only if newer than the version we already have
wget -qNP ${data_dir} ${target}

if [ "$?" -ne "0" ]; then
    logger -p cron.err "IPSet: ${firewall_ipset} wget failed."
    exit 1
fi

timestamp=$(get_timestamp ${data_file})

# compare timestamps because wget returns success even if no newer file
if [ "${timestamp}" != "${old_timestamp}" ]; then

    temp_ipset="${firewall_ipset}_temp"
    ipset create ${temp_ipset} ${ipset_params}

    # strip comments, blank lines and stray markup (occasionally the file has
    # been xhtml). Filter on the fly instead of editing the file in place, so
    # its modification time still reflects the server copy for the next run.
    sed -r '/^[#< \t]|^$/d' ${data_file} | while read network; do
        ipset add ${temp_ipset} ${network}
    done

    # if ipset does not exist, create it
    ipset create -exist ${firewall_ipset} ${ipset_params}

    # swap the temp ipset for the live one
    ipset swap ${temp_ipset} ${firewall_ipset}
    ipset destroy ${temp_ipset}

    # log the file modification time for use in minimizing lag in cron schedule
    logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."

fi</pre>

Now you should see the list loaded into memory when you do:

{{cmd|ipset list}}

We want to save it so our router can reload it next time it starts up:

{{cmd|/etc/init.d/ipset save}}

=== Adding our allowed networks ===

==== IPv4 ====
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}

Then you can add each of your allowed networks:

<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0
ipset add allowed-nets-ipv4 127.0.0.0/8,lo
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre>

==== IPv6 ====
For IPv6, if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:

{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}

<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre>

Finally save the sets with this command so they can be loaded next boot:

{{cmd|/etc/init.d/ipset save}}
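The following is an added example, not code from this page or from the linked gist. It does offline what the update script above delegates to sed and ipset: it strips comments, blank lines and stray HTML from a feed, validates each remaining entry as an IPv4 CIDR so that a single malformed line is skipped rather than aborting the whole load, and then checks constructed sample packets against the list with the same longest-prefix semantics a hash:net set gives, in the order the raw table in the next section applies its source checks (provider network on tun0, bogon sources on ppp0 and tun0, then the allowed-nets set; the destination-based rule is not modelled). The feed, the allowed-nets pairs and the sample packets are built from the values on this page; all function names are this example's own.

```shell
#!/bin/sh
# Added example: sanitise a bogon feed as the update script does, validate every
# entry, and replay the raw-table PREROUTING source checks on sample packets.
# Function names are this example's own; all data below is constructed.

# Constructed feed: the bogon-bn-nonagg entries from the page mixed with the
# junk the script's sed line guards against, plus one malformed entry.
SAMPLE_FEED='# bogon-bn-nonagg.txt (constructed sample)
0.0.0.0/8
10.0.0.0/8

<html><body>maintenance page</body></html>
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
300.1.2.3/24'

# The allowed-nets-ipv4 entries from the page as net,iface pairs (constructed)
ALLOWED_NETS='192.168.0.0/30,eth1
192.168.1.0/24,eth0
192.168.2.0/24,eth0
192.168.3.0/24,eth0
127.0.0.0/8,lo
172.16.32.0/20,tun0'

# Dotted quad -> unsigned 32-bit integer; fails unless exactly four octets 0-255
ip4_to_int() {
    case $1 in *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) return 1 ;; esac
    case $1 in *.*.*.*) ;; *) return 1 ;; esac
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    for o in "$a" "$b" "$c" "$d"; do [ "$o" -le 255 ] || return 1; done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Accept only ADDRESS/PREFIX with a valid address and a prefix length 0-32
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip4_to_int "${1%/*}" >/dev/null || return 1
    case ${1#*/} in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -le 32 ]
}

# cidr_contains NET/PREFIX ADDR: true when ADDR lies inside the network
cidr_contains() {
    valid_cidr "$1" || return 2
    n=$(ip4_to_int "${1%/*}")
    a=$(ip4_to_int "$2") || return 2
    plen=${1#*/}
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# Read a feed on stdin; drop comments, blanks and HTML (what the script's sed
# does), then keep only well-formed CIDRs and report the rest on stderr
sanitise_feed() {
    while IFS= read -r entry; do
        case $entry in ''|'#'*|'<'*|' '*|"$(printf '\t')"*) continue ;; esac
        if valid_cidr "$entry"; then printf '%s\n' "$entry"
        else printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# is_bogon ADDR: true when ADDR falls in any net of the sanitised feed
is_bogon() {
    printf '%s\n' "$SAMPLE_FEED" | sanitise_feed 2>/dev/null | (
        while IFS= read -r net; do cidr_contains "$net" "$1" && exit 0; done
        exit 1
    )
}

# in_allowed_nets IFACE ADDR: the src,src match against allowed-nets-ipv4
in_allowed_nets() {
    printf '%s\n' "$ALLOWED_NETS" | (
        while IFS=, read -r net ifc; do
            [ "$ifc" = "$1" ] && cidr_contains "$net" "$2" && exit 0
        done
        exit 1
    )
}

# raw_prerouting_verdict IFACE SRC: the raw table's source-based rules, in
# order. FALLTHROUGH means raw's ACCEPT policy passes the packet on and the
# filter table (FORWARD policy DROP) decides.
raw_prerouting_verdict() {
    if [ "$1" = tun0 ] && cidr_contains 172.16.32.0/20 "$2"; then echo ACCEPT
    elif { [ "$1" = ppp0 ] || [ "$1" = tun0 ]; } && is_bogon "$2"; then echo LOG_DROP_BOGON
    elif in_allowed_nets "$1" "$2"; then echo ACCEPT
    else echo FALLTHROUGH
    fi
}

# Constructed sample packets as iface,source (8.8.8.8 stands in for any public address)
for pkt in eth0,192.168.1.20 ppp0,10.0.0.5 eth0,192.168.5.2 tun0,172.16.33.7 tun0,192.168.1.1 ppp0,8.8.8.8; do
    printf '%-5s %-15s -> %s\n' "${pkt%,*}" "${pkt#*,}" "$(raw_prerouting_verdict "${pkt%,*}" "${pkt#*,}")"
done
```

Two outcomes are worth noting. A LAN address such as 192.168.1.1 arriving on tun0 is dropped as a bogon even though the same address is allowed on eth0, because the bogon rules are bound to the uplink interfaces while allowed-nets pairs each network with its interface. A packet from 192.168.5.2 on eth0 is not accepted by the raw table at all; it falls through to the filter table, whose FORWARD policy is DROP, which is how the page's "everything else should be rejected" is actually enforced.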

== Restricting our LAN subnet with iptables, and blocking the bogons ==
Finally we can apply our iptables rules, both to restrict 192.168.3.0/24 and to make sure that subnets like 192.168.5.0/24 are neither forwarded nor able to reach the router itself. You will need to review these rules and remove the ones that do not apply to you.

Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf.

I used a new table here called "raw". This table is more primitive than the filter table: it has no FORWARD or INPUT chains. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.

The only kinds of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules only filter traffic originating from the router's own processes, such as when we run the ping command against a bogon range from the router's command prompt.

Traffic passes over the raw table before connection marking, as shown in this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph]. This means we don't have to strip the mark off the bogon range in the mangle table anymore.
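Before loading a pruned ruleset it is worth checking it offline, because both the mangle table earlier and the ruleset below invite you to delete rules you do not need. The block below is an added example, not code from this page or from Alpine: a small POSIX shell and awk lint that reads an iptables-restore file and reports jumps to chains whose ":NAME - [0:0]" declaration has gone, rules appended to undeclared chains, and tables not terminated by COMMIT. Any of these makes iptables-restore abort and leaves the router without the rules you meant to load. The function names and the two sample rulesets (a handful of rules in the style of this page with the LOG_REJECT_LANONLY declaration and the filter COMMIT removed, and the same text repaired) are constructed for this example.

```shell
#!/bin/sh
# Added example: lint an iptables-restore ruleset offline before loading it.
# Function names and sample rulesets are this example's own.

# Read a ruleset on stdin, print one line per problem found, and return the
# number of problems as the exit status (0 means nothing was found).
lint_iptables_rules() {
    awk '
    function is_builtin(t) {
        return (t == "ACCEPT" || t == "DROP" || t == "REJECT" || t == "RETURN" ||
                t == "LOG" || t == "MARK" || t == "CONNMARK" || t == "MASQUERADE" ||
                t == "DNAT" || t == "SNAT" || t == "REDIRECT" || t == "NOTRACK" ||
                t == "CT" || t == "TCPMSS" || t == "NFLOG" || t == "SET")
    }
    # At the end of each table, compare every chain used against those declared
    function finish_table(    c) {
        if (table == "") return
        if (!committed) { print "table " table ": missing COMMIT"; problems++ }
        for (c in jumps)
            if (!(c in chains)) { print "table " table ": jump to undeclared chain " c " (line " jumps[c] ")"; problems++ }
        for (c in appends)
            if (!(c in chains)) { print "table " table ": rule appended to undeclared chain " c " (line " appends[c] ")"; problems++ }
        split("", chains); split("", jumps); split("", appends)
    }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/      { finish_table(); table = substr($1, 2); committed = 0; next }
    /^:/       { chains[substr($1, 2)] = 1; next }
    /^COMMIT$/ { committed = 1; next }
    /^-A /     { appends[$2] = NR
                 for (i = 3; i < NF; i++)
                     if (($i == "-j" || $i == "-g") && !is_builtin($(i+1))) jumps[$(i+1)] = NR
                 next }
    END        { finish_table(); exit problems }
    '
}

# Constructed ruleset: the operator removed the LOG_REJECT_LANONLY declaration
# but kept the rules using it, and lost the COMMIT that ends the filter table.
BROKEN_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP_BOGON - [0:0]
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6
-A LOG_DROP_BOGON -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FWD_ETH0 - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j FWD_ETH0
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-net-prohibited'

# The same ruleset with the declaration restored and the COMMIT added
FIXED_RULES="$(printf '%s\n' "$BROKEN_RULES" | sed '/^:FWD_ETH0 /a\
:LOG_REJECT_LANONLY - [0:0]')
COMMIT"

# Count the problems in a ruleset passed as a string (0 means safe to restore)
count_rule_problems() {
    rc=0
    printf '%s\n' "$1" | lint_iptables_rules >/dev/null || rc=$?
    echo "$rc"
}

echo "Broken ruleset:"
printf '%s\n' "$BROKEN_RULES" | lint_iptables_rules || echo "-> $? problem(s), do not restore"
echo "Fixed ruleset:"
printf '%s\n' "$FIXED_RULES" | lint_iptables_rules && echo "-> no problems found"
```

Run it as `iptables-save > /tmp/rules && sh lint.sh < /tmp/rules` style against your own file (the block reads the ruleset from stdin in lint_iptables_rules). It checks references only; iptables-restore still validates match and target options, so use `iptables-restore --test` as the final step when your iptables version supports it.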
<pre>#########################################################################
# Advanced routing rule set
# Uses 192.168.1.0 via ISP
#      192.168.2.0 via VPN
#      192.168.3.0 via LAN
#
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto
#                                    the internet
#
#########################################################################

#
# Raw Table
# This table is the place where we drop all illegal packets from networks that
# do not exist
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Create a log drop chain
:LOG_DROP_BOGON - [0:0]

# Create an output chain
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Allows traffic from VPN tunnel
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT

# Allows traffic to VPN tunnel
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT

# Block specified bogons coming in from ISP and VPN
# (unlikely to happen as they filter them on their router)
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON

# Allows my excepted ranges.
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Log drop chain
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6
-A LOG_DROP_BOGON -j DROP

# Block packets originating from the router destined to bogon ranges
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Blocks packets originating from the router destined to bogon ranges
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON
COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]

# Create a drop chain
:LOG_DROP - [0:0]

# Create a log drop chain
:LOG_DROP_BOGON - [0:0]

# Create a reject chain
:LOG_REJECT_LANONLY - [0:0]

# Create an output chain
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Forward traffic to Modem
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT

# Allow routing to remote address on VPN
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT

# Allow forwarding from LAN hosts to LAN ONLY subnet
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT

# Allow LAN ONLY subnet to contact other LAN hosts
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT

# Refuse to forward bogons to the internet!
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Forward traffic to ISP
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT

# Forward traffic to VPN
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT

# Prevent 192.168.3.0/24 from accessing internet
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY

# Allow excepted server to be FORWARD to ppp0
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port to workstation
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# Accept traffic to router on both subnets
# Allow excepted server to be FORWARD to ppp0
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# Allow excepted server to be INPUT to eth0 from LAN
# Forward SSH packets from network to modem
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# SSH To Modem from Router
# Forward HTTP packets from network to mode
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# HTTP To Modem from Router
# Forward Bittorrent Port to workstation
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# Accept incoming tracked PPP0 connection
# SSH to Router
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# Log dropped packets coming in on PPP0
# DNS to Router
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_PPP0 -j LOG_DROP
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT


# Accept incoming tracked TUN0 connection
# FreeRadius Client (eg a UniFi AP)
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# Log dropped packets coming in on TUN0
# Ubiquiti UAP Device Discovery Broadcast
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_TUN0 -j LOG_DROP


# Log dropped bogons that never got forwarded
# NTP to Router
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A LOG_DROP_BOGON -j DROP
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# Log rejected packets
# Accept traffic to router on both subnets
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT


#
# Allow excepted server to be INPUT to eth0 from LAN
# Mangle Table
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle


# Set default policies for table
# SSH To Modem from Router
:PREROUTING ACCEPT [0:0]
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]


# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
# HTTP To Modem from Router
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


# If packet MARK is 2, then it means there is already a connection mark and the
# Accept incoming tracked PPP0 connection
# original packet came in on VPN
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT


# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1
# Log dropped packets coming in on PPP0
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_PPP0 -j LOG_DROP


# Mark packets coming from 192.168.2.0/24 are 0x2
# Accept incoming tracked TUN0 connection
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


# If packet MARK is 1, then it means there is already a connection mark and the
# Log dropped packets coming in on TUN0
# original packet came in on ISP
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT
-A IN_TUN0 -j LOG_DROP


# Mark packets 192.168.1.0/24 are 0x1
# Log dropped bogons that never got forwarded
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6
-A LOG_DROP_BOGON -j DROP


# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1
# Log rejected packets
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable
COMMIT


# Strip mark if packet is destined for modem
#
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle


# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
# Set default policies for table
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
:PREROUTING ACCEPT [0:0]
COMMIT</pre>
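
The LOG targets in the rule set above write into the kernel log, which on Alpine ends up in /var/log/messages. The Python script below is an added example, not part of this wiki page, that parses those lines (the standard LOG target fields IN= OUT= SRC= DST= PROTO= SPT= DPT= behind the --log-prefix strings used above), summarises what is being dropped, flags WAN sources that probe several ports, and lists hosts on the LAN-only subnet that are trying to reach the Internet. The lines in SAMPLE_LOG are constructed for this example and use documentation address ranges.

```python
"""Summarise the netfilter LOG lines written by the router's iptables rules.

Added example, not code from this wiki page. The log prefixes are the ones set
with --log-prefix in the rule sets on this page; the field layout
(IN= OUT= SRC= DST= PROTO= SPT= DPT= ...) is the standard output of the LOG
target. SAMPLE_LOG is constructed for this example (documentation address
ranges) and stands in for /var/log/messages.
"""
import re
from collections import Counter, defaultdict

LOG_PREFIXES = (
    "DROP:INPUT (ipv4) ",
    "DROP:INPUT (ipv6) ",
    "Dropped Bogon forward (ipv4) ",
    "Rejected packet from LAN only range : ",
)

# "kernel:" followed by an optional "[uptime]" stamp, then the prefix and the fields.
_KERNEL_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<rest>.*)$")
_FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the fields of one netfilter LOG line as a dict, or None for other lines."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    prefix = next((p for p in LOG_PREFIXES if rest.startswith(p)), None)
    if prefix is None:
        return None
    fields = dict(_FIELD_RE.findall(rest[len(prefix):]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "prefix": prefix.strip(),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", ""),
        # ICMP lines carry no ports; keep them as None rather than guessing.
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize(lines):
    """Parse all lines; count drops per log prefix and per (in-interface, source)."""
    records = [r for r in map(parse_log_line, lines) if r]
    return {
        "records": records,
        "by_prefix": Counter(r["prefix"] for r in records),
        "by_source": Counter((r["in"], r["src"]) for r in records),
    }


def find_scanners(records, wan_ifaces=("ppp0",), min_ports=3):
    """WAN sources whose dropped packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["in"] in wan_ifaces and r["dpt"] is not None:
            ports[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def lan_only_violators(records):
    """Hosts in the LAN-only range that tried to reach the Internet and were REJECTed."""
    return sorted({r["src"] for r in records
                   if r["prefix"].startswith("Rejected packet from LAN only")})


# Constructed sample of /var/log/messages; the last line is not a firewall line.
SAMPLE_LOG = """\
Jan  1 00:00:01 gateway kernel: [  120.001] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=45321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:02 gateway kernel: [  121.002] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=45321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:03 gateway kernel: [  122.003] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=45321 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:04 gateway kernel: [  123.004] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan  1 00:00:05 gateway kernel: [  124.005] Dropped Bogon forward (ipv4) IN=eth0 OUT=ppp0 MAC=00:53:00:ff:ff:22:00:53:00:ff:ff:01:08:00 SRC=192.168.1.20 DST=10.9.9.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 00:00:06 gateway kernel: [  125.006] Rejected packet from LAN only range : IN=eth0 OUT=ppp0 MAC=00:53:00:ff:ff:33:00:53:00:ff:ff:01:08:00 SRC=192.168.3.10 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=123 DPT=123 LEN=40
Jan  1 00:00:07 gateway kernel: [  126.007] DROP:INPUT (ipv6) IN=ppp0 OUT= MAC= SRC=2001:0db8:ffff::5 DST=2001:0db8:1234:0001::1 LEN=60 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 00:00:08 gateway kernel: [  127.008] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=TCP SPT=45321 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:09 gateway sshd[1234]: Accepted publickey for root from 192.168.1.20 port 51234 ssh2
""".splitlines()


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for prefix, n in summary["by_prefix"].most_common():
        print(f"{n:5d}  {prefix}")
    print("possible port scans:", find_scanners(summary["records"]))
    print("LAN-only hosts trying to reach the Internet:", lan_only_violators(summary["records"]))
```

To use it on the router, pass the lines of /var/log/messages to summarize() instead of SAMPLE_LOG. ICMP entries carry no ports, so the scanner heuristic only counts TCP and UDP destination ports, and the "Rejected packet from LAN only range" entries are the quickest way to spot a device on 192.168.3.0/24 that is still trying to phone home.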

= IPv6 =
IPv6 introduces a number of new complexities into our network. To begin with we're going to build a basic IPv6 network without the VPN tunnel, i.e. without the 192.168.2.0/24 subnet or the tun0 interface. If you've completed the previous parts of this guide, you can leave that part as is.

If your VPN provider only offers you a single-stack connection (no IPv6) then there is no IPv6 to configure on the tun0 side, but read the note under radvd below about hosts on the VPN subnet leaking via IPv6.

In this section we will implement IPv6 dual stack. At this point the guide covers only native dual stack with a prefix delegated by your ISP over DHCPv6-PD. If you know nothing about IPv6, then you should have a look at these helpful pages:

* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO Linux IPv6 HOWTO (en)] - in particular the "basics" and "address types".
* [https://en.wikipedia.org/wiki/IPv6 IPv6]
* [https://en.wikipedia.org/wiki/IPv6_address IPv6 Address]
* [https://en.wikipedia.org/wiki/Prefix_delegation Prefix delegation] we use dhcpcd to request a delegated prefix from our ISP via DHCPv6-PD and assign it to our LAN.
* [https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol Neighbor Discovery Protocol] radvd uses its Router Advertisements to announce the prefix and the default route to our LAN hosts.
* [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_version_6 Internet Control Message Protocol version 6] ICMPv6 differs from ICMPv4 and is used for many critical parts of IPv6 infrastructure, so it must not be blocked wholesale.
* [http://ipv6-test.com IPv6-test.com] Useful for diagnosing if IPv6 is working.

[[File:Network diagram ipv6 basic.svg|900px|center|Network Diagram Single IPv6]]

== Enabling IPv6 support ==

Assuming you're using the Alpine Linux kernel, IPv6 support is available separately as a module.

{{cmd|modprobe ipv6}}
To add the module to our startup configuration:
{{cmd|echo "ipv6" >> /etc/modules}}

=== /etc/sysctl.conf ===
Modify the sysctl section to include IPv6 support:

<pre>########################################
###              IPv6                ###
########################################

# Controls IPv6 packet forwarding (0 = host, 1 = router)
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# http://vk5tu.livejournal.com/37206.html
# What's this special value "2"? With the usual value "1" the kernel stops
# accepting Router Advertisements as soon as forwarding is enabled, because
# a router is not supposed to take its default route from a neighbour. That
# is, you couldn't appear to be a router on some interfaces and a host on
# others. But that's exactly the mental model of an ADSL router: a router
# towards the LAN, a host towards the ISP on ppp0. "2" accepts RAs even
# with forwarding on.
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2

# There is no rp_filter sysctl for IPv6 (net.ipv6.conf.*.rp_filter does not
# exist and sysctl will complain about it). Reverse-path validation for IPv6
# is done with the ip6tables "rpfilter" match instead.

# Do not accept ICMPv6 redirects: a router's routes should not be changed
# by its neighbours
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0</pre>

=== /etc/ppp/peers/yourISP ===
Add this to your ppp peer file. <code>+ipv6</code> enables IPv6CP, which only negotiates link-local interface identifiers for the two ends of the link (the global prefix comes later from DHCPv6-PD); <code>ipv6cp-use-ipaddr</code> derives our identifier from the IPv4 address. The <code>ipv6 ,</code> line leaves both the local and the remote identifier to be negotiated. Note the comma is needed.

<pre># Enable IPV6
+ipv6 ipv6cp-use-ipaddr
ipv6 ,</pre>

=== Check system log ===
Restart ppp.

{{cmd|poff yourISP}}
{{cmd|pon yourISP}}

In /var/log/messages you should see something like

<pre>pppd[]: Plugin rp-pppoe.so loaded.
pppd[]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
pppd[]: pppd 2.4.7 started by root, uid 0
pppd[]: PPP session is 49969
pppd[]: Connected to 00:53:00:ff:ff:f0 via interface eth1
pppd[]: Using interface ppp0
pppd[]: Connect: ppp0 <--> eth1
pppd[]: CHAP authentication succeeded
pppd[]: CHAP authentication succeeded
pppd[]: peer from calling number 00:53:00:FF:FF:F0 authorized
pppd[]: local  LL address fe80::0db8:ffff:ffff:fff1
pppd[]: remote LL address fe80::0db8:ffff:ffff:fff0
pppd[]: local  IP address 192.0.2.1
pppd[]: remote IP address 192.0.2.0
pppd[]: primary  DNS address 192.0.2.10
pppd[]: secondary DNS address 192.0.2.20</pre>

You should now be able to ping things such as

{{cmd|ping6 ipv6.google.com}}

from your router.

== Prefix Delegation ==

The next step will be to configure DHCPv6 Prefix Delegation with your ISP. Install dhcpcd. While many guides use wide-dhcpv6-client, [http://bugs.alpinelinux.org/issues/564 it should be noted this is unmaintained] and not included in Alpine Linux.

Don't use ISC's dhclient either, as [https://bugs.gentoo.org/show_bug.cgi?id=432652 it does not support Prefix Delegation on PPP links] without a patch.

{{cmd|apk add dhcpcd}}

You can check out the manual for [http://roy.marples.name/man/html5/dhcpcd.conf.html dhcpcd.conf]. Installing dhcpcd-doc will let you read the man page locally:

{{cmd|apk add dhcpcd-doc}}

=== /etc/dhcpcd.conf ===

<pre># Enable extra debugging
# debug

# Allow users of this group to interact with dhcpcd via the control
# socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname gateway

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with
# this set. In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option
# set on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes

# Most distributions have NTP support.
option ntp_servers
# Respect the network MTU.
# Some interface drivers reset when changing the MTU so disabled by
# default.
#option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based
# ones
slaac private

# A hook script is provided to lookup the hostname if not set by the
# DHCP server, but it should not be run by default.
nohook lookup-hostname

# IPv6 Only
ipv6only

# Don't send router solicitations on any interface by default
# (enabled per interface below for ppp0)
noipv6rs

# Wait for IP before forking to background
waitip 6

# Don't install any default routes.
# PPP has already set a default route
nogateway

# Don't touch DNS
nohook resolv.conf

# Use the interface connected to WAN
interface ppp0
    ipv6rs # send router solicitations on ppp0 to learn the default IPv6 route
    iaid 1
    ia_pd 1/::/64 eth0/1/64 # request a delegated prefix (IAID 1) and assign a /64 from it to eth0</pre>
 
Add dhcpcd to the default run level:
 
{{cmd|rc-update add dhcpcd default}}
 
== Configure ip6tables with a basic ruleset ==
 
A basic rule set for ip6tables. It is commented, so read through it before loading it. You'll need to change the 2001:0db8:1234:0001::/64 prefix in the FWD_ETH0 and IN_ETH0 rules to your delegated prefix. Remember there is no NAT here: every LAN host gets a globally routable address, so the FORWARD policy of DROP plus the conntrack rule is all that stands between the Internet and your hosts.

Two things to be aware of on ppp0. First, dhcpcd sends its DHCPv6 Solicit to the multicast address ff02::1:2, and the ISP's unicast Reply from its link-local address does not match that conntrack entry, so it arrives as NEW; if dhcpcd never receives a Reply, add a rule to IN_PPP0 that accepts UDP to port 546 from fe80::/10 ahead of the LOG and LOG_DROP lines. Second, LOG_DROP is declared but has no rules in this set, so IN_PPP0 only logs: unmatched packets fall through to the ICMPv6 rules in INPUT (which is how Router Advertisements from the ISP get in) and then to the DROP policy. The cost is that every ICMPv6 packet from the WAN is logged as "DROP:INPUT (ipv6)" even when it is accepted a few rules later.
 
<pre>#########################################################################
# Basic iptables IPv6 routing rule set
#
# 2001:0db8:1234:0001::/64 hosts  routed directly to ppp0
#
#########################################################################
 
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
 
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
 
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
 
#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
 
# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]
 
# Create ICMPFLOOD chain
:ICMPFLOOD - [0:0]
 
# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
 
# Create a drop chain
:LOG_DROP - [0:0]
 
# Accept all from localhost
-A INPUT -i lo -j ACCEPT
 
# Create rule chain per input interface for input packets (for host itself)
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
 
# Block remote packets claiming to be from a loopback address
-A INPUT -s ::1/128 ! -i lo -j DROP
 
# Permit needed ICMP packet types for IPv6 per RFC 4890
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
 
# Permit ICMP echo requests (ping) and use ICMPFLOOD chain for preventing ping flooding.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
 
# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
 
# Permit needed ICMP packet types for IPv6 per RFC 4890
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A FORWARD -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
 
# Permit ICMP echo requests (ping) and use ICMPFLOOD chain for preventing ping flooding.
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
 
# Forward LAN subnet
-A FWD_ETH0 -s 2001:0db8:1234:0001::/64 -j ACCEPT
 
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting.
-A ICMPFLOOD -m hashlimit --hashlimit-name ICMP --hashlimit-above 6/second --hashlimit-mode srcip -j DROP
-A ICMPFLOOD -j ACCEPT
 
# DHCPv6 to Router
-A IN_ETH0 -p udp -m udp --dport 547 -m conntrack --ctstate NEW -j ACCEPT
 
# LAN traffic out
-A IN_ETH0 -s 2001:0db8:1234:0001::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 
# Accept tracked connections from outside
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# Drop and log everything else
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv6) " --log-level 6
-A IN_PPP0 -j LOG_DROP
COMMIT</pre>
 
Add ip6tables to the default run level:
 
{{cmd|rc-update add ip6tables default}}
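
Both the IPv4 rule set earlier on this page and the ip6tables rule set above are written in iptables-save format, so the same parser can audit either. The Python script below is an added example, not code from this wiki page or from Alpine Linux: it parses the save format and checks the things that most often go wrong in a router firewall like these, namely the filter INPUT/FORWARD default policies, a rule on the input path that matches on -o (which never matches there, and which iptables-restore rejects outright in a builtin chain, so the commented-out exception rule in IN_ETH0 above cannot simply be uncommented), a MARK mask that does not cover all 32 bits, and, for ip6tables, an ICMPv6 type a router must accept that is missing from INPUT. The RFC 4890 minimum set is an assumption of this example (the error types 1 to 4 plus NDP 133 to 136); RULES_V4 and RULES_V6 are constructed excerpts, and 192.0.2.50 stands in for the page's <IP_OF_EXCEPTED_SERVER> placeholder.

```python
"""Audit an iptables-save / ip6tables-save rule set for common router mistakes.

Added example, not code from this wiki page or from Alpine Linux. It parses the
save format used by both rule sets on this page and checks that filter INPUT and
FORWARD default to DROP, that no rule on the input path (INPUT, PREROUTING or a
chain only they reach) matches on -o, that MARK --set-xmark masks cover all 32
bits and, for IPv6, that the ICMPv6 types a router must accept (assumed here:
RFC 4890 errors 1-4 plus NDP 133-136) are allowed in INPUT. RULES_V4/RULES_V6
are constructed excerpts; 192.0.2.50 stands in for <IP_OF_EXCEPTED_SERVER>.
"""
import shlex
from collections import defaultdict

RFC4890_REQUIRED_ICMPV6 = {1, 2, 3, 4, 133, 134, 135, 136}


def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, [args...])]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or commented-out rule
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["policy"][name] = policy
        elif line.startswith("-A "):
            args = shlex.split(line)[1:]        # shlex keeps a quoted --log-prefix together
            tables[table]["rules"].append((args[0], args[1:]))
        elif line == "COMMIT":
            table = None
    return tables


def _opt(args, flag):
    """Value following a flag in a rule's argument list, or None if absent."""
    i = args.index(flag) if flag in args else -1
    return args[i + 1] if 0 <= i < len(args) - 1 else None


def reachable_from(rules, roots):
    """Chain names reachable from the given builtin chains by following -j targets."""
    edges = defaultdict(set)
    for chain, args in rules:
        if _opt(args, "-j"):
            edges[chain].add(_opt(args, "-j"))
    seen, todo = set(), list(roots)
    while todo:
        chain = todo.pop()
        if chain not in seen:
            seen.add(chain)
            todo.extend(edges[chain])
    return seen


def audit(text, ipv6=False):
    """Return a list of findings; an empty list means every check passed."""
    findings, tables = [], parse_save(text)
    flt = tables.get("filter", {"policy": {}, "rules": []})
    for chain in ("INPUT", "FORWARD"):
        if flt["policy"].get(chain) != "DROP":
            findings.append(f"filter {chain} policy is {flt['policy'].get(chain)}, expected DROP")
    for tname, tbl in tables.items():
        input_side = reachable_from(tbl["rules"], ("INPUT", "PREROUTING"))
        for chain, args in tbl["rules"]:
            out_if = _opt(args, "-o")
            if chain in input_side and out_if:
                findings.append(f"{tname}/{chain}: -o {out_if} can never match on the input path")
            value = _opt(args, "--set-xmark") if _opt(args, "-j") == "MARK" else None
            if value and "/" in value and int(value.split("/")[1], 16) != 0xFFFFFFFF:
                findings.append(f"{tname}/{chain}: --set-xmark {value} mask does not cover all 32 bits")
    if ipv6:
        allowed = {int(_opt(a, "--icmpv6-type")) for c, a in flt["rules"]
                   if c == "INPUT" and _opt(a, "-p") == "ipv6-icmp" and _opt(a, "-j") == "ACCEPT"
                   and (_opt(a, "--icmpv6-type") or "").isdigit()}
        missing = sorted(RFC4890_REQUIRED_ICMPV6 - allowed)
        if missing:
            findings.append(f"filter INPUT does not accept required ICMPv6 types {missing}")
    return findings


# Constructed excerpt of the IPv4 rule set, with its commented-out exception rules enabled.
RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:IN_ETH0 - [0:0]
:FWD_ETH0 - [0:0]
-A INPUT -i eth0 -j IN_ETH0
-A FORWARD -i eth0 -j FWD_ETH0
-A IN_ETH0 -s 192.168.2.0/24 -d 192.0.2.50/32 -o ppp0 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.0.2.50/32 -o ppp0 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -s 192.168.2.0/24 -d 192.0.2.50/32 -j MARK --set-xmark 0x1/0xffffff
COMMIT
"""

# Constructed IPv6 excerpt: type 2 (Packet Too Big) is deliberately missing, which breaks path MTU discovery.
RULES_V6 = "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n" + "".join(
    f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT\n"
    for t in (1, 3, 4, 133, 134, 135, 136)) + "COMMIT\n"

if __name__ == "__main__":
    print("IPv4:", audit(RULES_V4) or ["ok"])
    print("IPv6:", audit(RULES_V6, ipv6=True) or ["ok"])
```

On the router, feed audit() the contents of the files the iptables and ip6tables init scripts restore from (on Alpine, /etc/iptables/rules-save and /etc/iptables/rules6-save) with ipv6=True for the latter; run it after every rule change, since a missing Packet Too Big rule shows up as mysteriously stalling IPv6 downloads rather than as an error.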
 
== Router Advertisements ==
 
{{cmd|apk add radvd}}
 
Once radvd is installed, you may configure it:
 
=== /etc/radvd.conf ===
Note this will cause every host on eth0 to receive a globally routable IPv6 address and a default route via this router. If the VPN-only subnet 192.168.2.0/24 shares the same physical segment through an aliased interface (eth0:2), those '''systems will now leak via IPv6 to the Internet''': their IPv6 traffic goes straight out of ppp0 and bypasses the tun0 policy routing entirely.

To mitigate this we would use VLANs, which behave as separate network interfaces. For that you need to replace the unmanaged switch with a managed one and turn each aliased interface, e.g. eth0:2, into a VLAN sub-interface, e.g. eth0.2, so that radvd only advertises on the VLAN that is meant to have IPv6.
 
<pre>interface eth0 {
 
  # We are sending advertisements (route)
  AdvSendAdvert on;
 
  # Suggested Maximum Transmission setting for using the
  # Hurricane Electric Tunnel Broker.
  # AdvLinkMTU 1480;
 
  # We have native Dual Stack IPv6 so we can use the regular MTU
  # http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues
  AdvLinkMTU 1500;
 
  prefix 2001:0db8:1234:0001::/64 {
    AdvOnLink on;
    AdvAutonomous on; # SLAAC based on EUI
    AdvRouterAddr on;
  };
 
  RDNSS 2001:0db8:1234:0001::1 {
  };
  # DNSSL example.id.au {
  # };
};</pre>
 
Add radvd to the default run level:
 
{{cmd|rc-update add radvd default}}
 
== Enable Privacy extensions in /etc/sysctl.conf ==

When a client acquires an address through SLAAC, its IPv6 address is by default derived from the advertised prefix and the MAC address of its network interface (the modified EUI-64 format), so the MAC address can be read straight out of the IPv6 address and the host can be tracked across networks. To tackle this the ''IPv6 Privacy Extensions'' standard ([https://tools.ietf.org/html/rfc4941 RFC 4941]) was developed: the kernel additionally generates ''temporary'' addresses with randomly generated interface identifiers, and prefers them for outgoing connections so that the EUI-64 address stays hidden. These sysctls act on the host that sets them, so to protect your clients they must be set on each client; on the router they only affect the router's own outgoing traffic. To enable Privacy Extensions add the following, one line per interface:
 
<pre># Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.nic0.use_tempaddr = 2
...
net.ipv6.conf.nicN.use_tempaddr = 2</pre>
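
To see concretely what is being leaked, the following Python snippet is an added example (not from this wiki page): it recovers the MAC address from a modified-EUI-64 SLAAC address, and shows that a temporary (RFC 4941) or stable-private (RFC 7217, the <code>slaac private</code> option given to dhcpcd above) interface identifier yields nothing. The MAC address and the IPv6 addresses are constructed test values in documentation ranges.

```python
"""Recover the MAC address hidden in a modified-EUI-64 SLAAC address.

Added example, not from the wiki page. mac_from_eui64() returns the MAC
when the low 64 bits of an IPv6 address are a modified EUI-64 (the format
SLAAC uses by default), and None for a temporary or stable-private
identifier. eui64_from_mac() builds the default SLAAC address for a MAC
so the two can be compared. Test values are constructed.
"""
import ipaddress


def mac_from_eui64(addr):
    """Return 'xx:xx:xx:xx:xx:xx' if the interface identifier is a modified EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]     # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":                       # EUI-64 splices ff:fe into the middle of the MAC
        return None                                   # (a random IID matches this 1 time in 65536)
    first = iid[0] ^ 0x02                             # undo the universal/local bit flip
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def eui64_from_mac(mac, prefix):
    """The address SLAAC derives from this MAC in the given /64, without privacy extensions."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    # Constructed: the Gaming_Computer MAC from the dhcpd example, in the page's documentation prefix.
    slaac = eui64_from_mac("00:53:00:ff:ff:11", "2001:db8:1234:1::/64")
    print(slaac, "->", mac_from_eui64(slaac))                       # the MAC falls straight out
    print("2001:db8:1234:1:9c5b:7a3e:11d0:42af ->",
          mac_from_eui64("2001:db8:1234:1:9c5b:7a3e:11d0:42af"))     # temporary/private IID: None
```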
 
== Using DHCPv6 ==
You may decide you want more control over your network address assignment. For this you'll need to use DHCPv6. DHCPv4 and DHCPv6 need to run on separate instances of DHCPD.
 
Make a symlink for the init script:
{{cmd|ln -s /etc/init.d/dhcpd /etc/init.d/dhcpdv6}}
 
Include it in the router provision file:
{{cmd|lbu include /etc/init.d/dhcpdv6}}
 
Copy the DHCP Daemon configuration file:
{{cmd|cp /etc/conf.d/dhcpd /etc/conf.d/dhcpdv6}}
 
Make this instance serve IPv6. dhcpd serves only one IP protocol per instance and defaults to IPv4.
{{cmd|<nowiki>sed -i 's/# DHCPD_OPTS=""/DHCPD_OPTS="-6"/g' /etc/conf.d/dhcpdv6</nowiki>}}
 
Copy the DHCP configuration file:
{{cmd|cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpdv6.conf}}
 
Change the owner of the configurations to the dhcp user and group
{{cmd|chown -R dhcp:dhcp /etc/dhcp}}
 
=== /etc/dhcp/dhcpdv6.conf ===
You will want to put your clients' MAC addresses and DUIDs into the host declarations. In DHCPv6 a client is identified by its DUID; on a client running dhcpcd it is stored in /etc/dhcpcd.duid.

You can also see it in /var/log/messages on your router when a client requests an address, e.g.:
 
<pre>dhcpd: Advertise NA: address 2001:0db8:1234:0001::240 to client with duid <DEVICE DUID> iaid = <DEVICE IAID> valid for 43200 seconds</pre>
 
Currently [https://code.google.com/p/android/issues/detail?id=32621 Android does not have DHCPv6 support] and Google seem unwilling to add it.
 
If you're using a version of dhcpcd below 6.9.3 you may need to set "ipv6ra_accept_nopublic" in your /etc/dhcpcd.conf.
 
<pre>authoritative;
ddns-update-style interim;
 
shared-network home {
  subnet6 2001:0db8:1234:0001::/64 {
    range6 2001:0db8:1234:0001::10 2001:0db8:1234:0001::240;
    range6 2001:0db8:1234:0001:: temporary;
    option dhcp6.name-servers 2001:0db8:1234:0001::1;
    option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
    allow unknown-clients;
  }
 
  subnet6 fde4:8dba:82e1:ffff::/64 {
    range6 fde4:8dba:82e1:ffff::10 fde4:8dba:82e1:ffff::240;
    range6 fde4:8dba:82e1:ffff:: temporary;
    option dhcp6.name-servers 2001:0db8:1234:0001::1;
    option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
    ignore unknown-clients;
  }
}
 
host Gaming_Computer {
  hardware ethernet 00:53:00:FF:FF:11;
  host-identifier option dhcp6.client-id <YOUR_DUID>;
  fixed-address6 2001:0db8:1234:0001::20;
  fixed-prefix6 2001:0db8:1234:0001::/64;
  option dhcp6.name-servers 2001:0db8:1234:0001::1;
  option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
}

# dhcpd host names may not contain spaces
host Linux_Workstation {
  hardware ethernet 00:53:00:FF:FF:22;
  host-identifier option dhcp6.client-id <YOUR_DUID>;
  fixed-address6 fde4:8dba:82e1:ffff::21;
  fixed-prefix6 2001:0db8:1234:0001::/64;
  option dhcp6.name-servers 2001:0db8:1234:0001::1;
  option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
}</pre>
 
=== /etc/radvd.conf ===
Finally, add "AdvManagedFlag" and "AdvOtherConfigFlag" so that hosts know to obtain addresses and other configuration from DHCPv6. Turn "AdvAutonomous" off if you do not want hosts to additionally generate SLAAC addresses from their EUI-64.
 
<pre>interface eth0 {
 
  # We are sending advertisements (route)
  AdvSendAdvert on;
 
  # When set, hosts use the administered (stateful) protocol
  # (DHCPv6) for address autoconfiguration. The use of this flag is
  # described in RFC 4862
  AdvManagedFlag on;

  # When set, hosts use the administered (stateful) protocol
  # for other (non-address) information such as DNS servers.
  # The use of this flag is described in RFC 4862
  AdvOtherConfigFlag on;
 
  # Suggested Maximum Transmission setting for using the
  # Hurricane Electric Tunnel Broker.
  # AdvLinkMTU 1480;
 
  # We have native Dual Stack IPv6 so we can use the regular MTU
  # http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues
  AdvLinkMTU 1500;
 
  prefix 2001:0db8:1234:0001::/64 {
    AdvOnLink on;
    AdvAutonomous off;
    AdvRouterAddr on;
  };
 
  # RDNSS 2001:0db8:1234:0001::1 {
  # };
  # DNSSL example.id {
  # };
};</pre>
 
= Other Tips =
 
== Diagnosing firewall problems ==
 
=== netcat, netcat6 ===
Netcat can be useful for testing whether a port is open, closed or filtered.
 
{{cmd|apk add netcat-openbsd}}
 
After installing netcat we can use it like this. Say we wanted to test IPv6, UDP, port 547; we would run this on the router:
 
{{cmd|nc -6 -u -l 547}}
 
and then this on the client to connect to it:
 
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}
 
=== tcpdump ===
 
tcpdump can also be useful for dumping the contents of packets coming in on an interface:
 
{{cmd|apk add tcpdump}}
 
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.
 
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}
 
You can write the capture to a file with the -w option and open it in Wireshark on your own computer. The -v option increases verbosity; -vv and -vvv increase it further still.
 
== lbu cache ==
Configure the lbu cache so that you don't need to download packages again when you restart your router, see [[Local APK cache]].
 
This is particularly important as some of the images do not contain ppp-pppoe, which might mean you're unable to get an internet connection to download the other packages on boot.
 
== lbu encryption /etc/lbu/lbu.conf ==
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.
 
<pre># what cipher to use with -e option
DEFAULT_CIPHER=aes-256-cbc
 
# Uncomment the row below to encrypt config by default
ENCRYPTION=$DEFAULT_CIPHER
 
# Uncomment below to avoid <media> option to 'lbu commit'
# Can also be set to 'floppy'
LBU_MEDIA=mmcblk0p1
 
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls
# in a normal directory instead of mounting an external media.
# LBU_BACKUPDIR=/root/config-backups
 
# Uncomment below to let lbu make up to 3 backups
# BACKUP_LIMIT=3</pre>
 
Remember to set a root password; by default Alpine Linux's root account is passwordless.
{{cmd|passwd root}}
 
== Backup apkovl ==
It's a good idea to back up your apk overlay (apkovl) file. You can pull it off your router to your local workstation with:
 
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}
 
And decrypt it with:
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}
 
It can be encrypted with:
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}
 
== Harden SSH ==
 
=== Generate a SSH key ===
{{cmd|ssh-keygen -t rsa -b 4096}}
 
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys
 
You can put multiple public keys on multiple lines if more than one person has access to the router.
 
=== /etc/ssh/sshd_config ===
A couple of good options to set in here can be:
 
<pre>ListenAddress 192.168.1.1
ListenAddress 192.168.2.1</pre>
 
While this isn't usually a good idea, a router doesn't need more than one user; with PasswordAuthentication set to no below, root can only log in with a key.
<pre>PermitRootLogin yes</pre>
 
The most important options:
<pre>RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  /etc/ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no</pre>
 
=== /etc/conf.d/sshd ===
You will want to add <pre>rc_need="net"</pre>
 
This instructs OpenRC to make sure the network is up before starting sshd.
 
Finally add sshd to the default run level:
{{cmd|rc-update add sshd default}}
 
= References =
* https://wiki.gentoo.org/wiki/Home_Router
* https://help.ubuntu.com/community/ADSLPPPoE
* https://wiki.archlinux.org/index.php/Router
* https://wiki.gentoo.org/wiki/IPv6_router_guide
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]
[[category: VPN]]
[[category: Raspberry]]

Revision as of 10:03, 25 February 2020

Rationale

This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this Apple USB Ethernet Adapter as it contains an ASIX AX88772 which has good Linux support.

You may choose to also buy an RTC clock. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.

For wireless, a separate access point was purchased (Ubiquiti UniFi AP) because it contains an Atheros AR9287 which is supported by ath9k.

I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS (Packets Per Second). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from Soekris such as the net6501 as it would have a much lower power consumption than a generic x86_64 desktop processor.

If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like AES-NI. The Soekris offerings have the option of an additional hardware encryption module (vpn1411). Another option is to use a Mini ITX motherboard, with a managed switch. I chose the Ubiquiti ES-16-150W.

If you wish to use IPv6 you should consider looking at Linux Router with VPN on a Raspberry Pi (IPv6) as the implementation does differ slightly to this tutorial.

The network in this tutorial looks like this:

[Figure: Network Diagram Single IPv4]

Installation

This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use Alpine local backup. The Raspberry Pi article contains information on how to install Alpine Linux on a Raspberry Pi.

Modem in full bridge mode

This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you.

In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.

The modem I am using is a Cisco 877 Integrated Services Router. It has no web interface and is controlled over SSH. More information can be found in Configuring a Cisco 877 in full bridge mode.

Network

/etc/hostname

Set this to your hostname eg:

<HOST_NAME>

/etc/hosts

Set your host and hostname

127.0.0.1	<HOST_NAME> <HOST_NAME>.<DOMAIN_NAME>

::1		<HOST_NAME> ipv6-gateway ipv6-loopback
ff00::0		ipv6-localnet
ff00::0		ipv6-mcastprefix
ff02::1		ipv6-allnodes
ff02::2		ipv6-allrouters
ff02::3		ipv6-allhosts

/etc/network/interfaces

Configure your network interfaces. Change "yourISP" to the name of your peer file in /etc/ppp/peers/ (i.e. /etc/ppp/peers/yourISP).

#
# Network Interfaces
#

# Loopback interfaces
auto lo
iface lo inet loopback
  address 127.0.0.1
  netmask 255.0.0.0

# Internal Interface - facing LAN
auto eth0
iface eth0 inet static
  address 192.168.1.1
  netmask 255.255.255.0
  broadcast 192.168.1.255

PPP

Next up we need to configure our router to be able to dial a PPP connection with our modem.

If your ISP uses PPP you may need to configure it. See PPP.

You will want to make sure you set your WAN interface; in this example we used eth1.

# External Interface - facing Modem
allow-hotplug eth1
auto eth1
iface eth1 inet static
  address 192.168.0.2
  netmask 255.255.255.252
  broadcast 192.168.0.3
  pre-up /sbin/ip link set eth1 up
  up ifup ppp0=yourISP
  down ifdown ppp0=yourISP
  post-down /sbin/ip link set eth1 up

# Link to ISP
iface yourISP inet ppp
  provider yourISP

IPoE

Alternatively it's quite common for ISPs to use IPoE. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:

# External interface to ISP
allow-hotplug eth1
auto eth1
iface eth1 inet dhcp

iface eth1 inet static
    address 192.168.0.2
    netmask 255.255.255.252
    broadcast 192.168.0.3

iface eth1 inet6 manual

DHCP from ISP

Above we configured both DHCP and a static IP on eth1. The static address is there so we can still forward packets to the modem and reach its web interface or SSH.

We do still need DHCP to get an IP address from our ISP though. I like to use dhcpcd instead of udhcpc (the default in Alpine Linux), because it allows for Prefix Delegation, which is used in IPv6 networks.

My /etc/dhcpcd.conf looks like this:

# Enable extra debugging
# debug
# logfile /var/log/dhcpcd.log

# Allow users of this group to interact with dhcpcd via the control
# socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname gateway

# Use the hardware address of the interface for the Client ID.
# clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with
# this set. In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option
# set on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes

# Most distributions have NTP support.
option ntp_servers

# Respect the network MTU.
# Some interface drivers reset when changing the MTU so disabled by
# default.
#option interface_mtu 1586

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based
# ones
slaac private

# A hook script is provided to lookup the hostname if not set by the
# DHCP server, but it should not be run by default.
nohook lookup-hostname

# Disable solicitations on all interfaces
noipv6rs

# Wait for IP before forking to background
waitip 6

# Don't touch DNS
nohook resolv.conf

allowinterfaces eth1 eth0.2
# Use the interface connected to WAN
interface eth1
    waitip 4
    noipv4ll
    ipv6rs # enable router solicitation to get the default IPv6 route
    iaid 1
    ia_pd 1/::/56 eth0.2/2/64
    timeout 30

interface eth0.2
    ipv6only

Basic IPtables firewall with routing

This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.

First install iptables:

apk add iptables ip6tables

#########################################################################
# Basic iptables IPv4 routing rule set
#
# 192.168.1.0/24 routed directly to PPP0 via NAT
# 
#########################################################################

#
# Mangle Table
# We leave this empty for the moment.
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]

# Create a log drop chain
:LOG_DROP - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0

# Forward LAN traffic out
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward SSH replies from the modem back to the LAN (outbound side is NATed below)
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP replies from the modem's webserver back to the LAN
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward traffic to ISP
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router (TCP and UDP)
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP to modem
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20

# Allows routing to our modem subnet so we can access the web interface or SSH
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
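As an added example (not part of the page), a small Python linter for iptables-restore files catches the defects a hand-edited rule set like this one is prone to: a table opened a second time without a COMMIT, a jump to a chain that was never declared with a `:CHAIN` line, and a table that is never committed. iptables-restore rejects all three, and a rejected file at boot leaves the router running with no rules at all. SAMPLE is a constructed excerpt containing each defect.

```python
"""Static checks for an iptables-restore file such as the rule set above.
Added example, not part of the page; SAMPLE and GOOD are constructed."""
import shlex

# Built-in chains per table; every other chain must be declared with a ':' line.
BUILTIN = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}
# Targets that are not user chains (extend if you use other target modules).
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
           "DNAT", "SNAT", "MARK", "REDIRECT"}
CHAIN_OPTS = {"-A", "-I", "-D", "--append", "--insert", "--delete"}
JUMP_OPTS = {"-j", "-g", "--jump", "--goto"}


def lint_iptables(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    table = None        # table currently open, None between COMMIT and '*'
    declared = set()    # chains known in the open table
    pending = []        # (line, what, chain) verified when the table closes

    def close_table():
        for lno, what, chain in pending:
            if chain not in declared:
                findings.append(f"line {lno}: {what} undeclared chain "
                                f"{chain!r} in *{table}")
        pending.clear()

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                findings.append(f"line {no}: *{table} reopened as {line} "
                                "without COMMIT")
                close_table()
            table = line[1:]
            declared = set(BUILTIN.get(table, ()))
        elif line == "COMMIT":
            if table is None:
                findings.append(f"line {no}: COMMIT outside any table")
            else:
                close_table()
            table = None
        elif table is None:
            findings.append(f"line {no}: rule outside any table: {line}")
        elif line.startswith(":"):
            declared.add(line[1:].split()[0])        # ':CHAIN policy [p:b]'
        else:
            argv = shlex.split(line)
            for i, tok in enumerate(argv[:-1]):
                if tok in CHAIN_OPTS:
                    pending.append((no, "rule added to", argv[i + 1]))
                elif tok in JUMP_OPTS and argv[i + 1] not in TARGETS:
                    pending.append((no, "jump to", argv[i + 1]))
    if table is not None:
        findings.append(f"end of file: *{table} never committed")
        close_table()
    return findings


# Constructed excerpt: '*filter' repeated, IN_PPP0 never declared, *nat not committed.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
*filter
:FWD_ETH0 - [0:0]
:IN_ETH0 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i ppp0 -j IN_PPP0
-A FORWARD -i eth0 -j FWD_ETH0
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
"""

GOOD = """\
*filter
:INPUT DROP [0:0]
:IN_ETH0 - [0:0]
-A INPUT -i eth0 -j IN_ETH0
-A IN_ETH0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in lint_iptables(SAMPLE):
        print(finding)
```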

I'd also highly suggest reading these resources if you are new to iptables:

/etc/sysctl.d/local.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article
net.ipv4.conf.all.rp_filter = 2

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Note that IPv6 is disabled here; if you want it, see the other tutorial Linux Router with VPN on a Raspberry Pi (IPv6). You may also wish to look at ip-sysctl.txt to read about the other keys.

DHCP

apk add dhcp

/etc/conf.d/dhcpd

Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.

# /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd

# If you require more than one instance of dhcpd you can create symbolic
# links to dhcpd service like so
#   cd /etc/init.d
#   ln -s dhcpd dhcpd.foo
#   cd ../conf.d
#   cp dhcpd dhcpd.foo
# Now you can edit dhcpd.foo and specify a different configuration file.
# You'll also need to specify a pidfile in that dhcpd.conf file.
# See the pid-file-name option in the dhcpd.conf man page for details.

# If you wish to run dhcpd in a chroot, uncomment the following line
# DHCPD_CHROOT="/var/lib/dhcp/chroot"

# All file paths below are relative to the chroot.
# You can specify a different chroot directory but MAKE SURE it's empty.

# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf
DHCPD_CONF="/etc/dhcp/dhcpd.conf"

# Configure which interface or interfaces dhcpd should listen on.
# List all interfaces space separated. If this is not specified then
# we listen on all interfaces.
DHCPD_IFACE="eth0"

# Insert any other dhcpd options - see the man page for a full list.
DHCPD_OPTS="-4"

/etc/dhcp/dhcpd.conf

Configure your DHCP server. For my DHCP server I'm going to have three subnets, each with a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would differ if you used VLANs; in this case we are not.

authoritative;
ddns-update-style interim;

shared-network home {
  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.240;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option ntp-servers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    allow unknown-clients;
  }

  subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.10 192.168.2.240;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option ntp-servers 192.168.2.1;
    option domain-name-servers 192.168.1.1;
    ignore unknown-clients;
  }

  subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.10 192.168.3.240;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.3.255;
    option routers 192.168.3.1;
    option ntp-servers 192.168.3.1;
    option domain-name-servers 192.168.1.1;
    ignore unknown-clients;
  }
}

host Gaming_Computer {
  hardware ethernet 00:53:00:FF:FF:11;
  fixed-address 192.168.1.20;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.1;
  option host-name "gaming_computer";
}

host Linux_Workstation {
  hardware ethernet 00:53:00:FF:FF:22;
  fixed-address 192.168.2.21;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.2.255;
  option routers 192.168.2.1;
  option host-name "linux_workstation";
}

host printer {
  hardware ethernet 00:53:00:FF:FF:33;
  fixed-address 192.168.3.9;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.3.255;
  option routers 192.168.3.1;
}

Make sure to add this to the default run level once configured:

rc-update add dhcpd default

Synchronizing the clock

You can choose to use BusyBox's ntpd, or a more fully-fledged option like OpenNTPD or Chrony.

Busybox /etc/conf.d/ntpd

Allow clients to synchronize their clocks with the router.

# By default ntpd runs as a client. Add -l to run as a server on port 123.
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"

Make sure to add this to the default run level once configured:

rc-update add ntpd default

Or if you prefer to synchronize with multiple servers...

Chrony /etc/chrony.conf

apk add chrony

logdir /var/log/chrony
log measurements statistics tracking

allow 192.168.0.0/30
allow 192.168.1.0/24
allow 192.168.2.0/24
allow 192.168.3.0/24
allow 192.168.4.0/24
broadcast 30 192.168.0.3
broadcast 30 192.168.1.255
broadcast 30 192.168.2.255
broadcast 30 192.168.3.255
broadcast 30 192.168.4.255

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

initstepslew 10 pool.ntp.org
driftfile /var/lib/chrony/chrony.drift
hwclockfile /etc/adjtime
rtcdevice /dev/rtc0
rtcsync

OpenNTPD /etc/ntpd.conf

Install OpenNTPD

apk add openntpd

Add to default run level.

rc-update add openntpd default

/etc/ntpd.conf

# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1
listen on 192.168.2.1

# sync to a single server
#server ntp.example.org

# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

tlsdate

The time can also be extracted from an HTTPS handshake. If the certificate is self-signed you will need to use --skip-verification:

apk add tlsdate

tlsdate -V --skip-verification -p 80 -H example.com

timezone

You might also want to set a timezone, see Setting the timezone.

Saving Time

There are two ways to do this. If you didn't buy an RTC clock, see Saving time with Software Clock. If you did (for example the PiFace Real Time Clock), see Saving time with Hardware Clock.

Unbound DNS forwarder with dnscrypt

We want to be able to do our lookups using dnscrypt without installing DNSCrypt on every client on the network. DNSCrypt can use its own protocol or DNS over HTTPS.

The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on dnscrypt-proxy.

Unbound

First install

apk add unbound

/etc/unbound/unbound.conf

server:
    # Use this to include other text into the file.
    include: "/etc/unbound/filter.conf"

    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 1

    # specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # specify every interface[@port] on a new 'interface:' labelled line.
    # The listen interfaces are not changed on reload, only on restart.
    interface: 192.168.2.1
    interface: 192.168.3.1

    # Enable IPv4, "yes" or "no".
    do-ip4: yes

    # Enable IPv6, "yes" or "no".
    do-ip6: yes

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no".
    do-tcp: yes

    # control which clients are allowed to make (recursive) queries
    # to this server. Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    # Choose deny (drop message), refuse (polite error reply),
    # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
    # allow_snoop (recursive and nonrecursive ok)
    # deny_non_local (drop queries unless can be answered from local-data)
    # refuse_non_local (like deny_non_local but polite error reply).
    # access-control: 0.0.0.0/0 refuse
    # access-control: 127.0.0.0/8 allow
    # access-control: ::0/0 refuse
    # access-control: ::1 allow
    # access-control: ::ffff:127.0.0.1 allow
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 allow
    access-control: 192.168.3.0/24 allow

    # the log file, "" means log to stderr.
    # Use of this option sets use-syslog to "no".
    logfile: "/var/log/unbound/unbound.log"

    # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
    # log to. If yes, it overrides the logfile.
    use-syslog: no

    # print one line with time, IP, name, type, class for every query.
    # log-queries: no

    # print one line per reply, with time, IP, name, type, class, rcode,
    # timetoresolve, fromcache and responsesize.
    # log-replies: no

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    # hide-version: yes

    # enable to not answer trustanchor.unbound queries.
    hide-trustanchor: yes

    # Harden against very small EDNS buffer sizes.
    harden-short-bufsize: yes

    # Harden against unseemly large queries.
    harden-large-queries: yes

    # Harden against out of zone rrsets, to avoid spoofing attempts.
    harden-glue: yes

    # Harden against receiving dnssec-stripped data. If you turn it
    # off, failing to validate dnskey data for a trustanchor will
    # trigger insecure mode for that zone (like without a trustanchor).
    # Default on, which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Harden against queries that fall under dnssec-signed nxdomain names.
    harden-below-nxdomain: yes

    # Harden the referral path by performing additional queries for
    # infrastructure data.  Validates the replies (if possible).
    # Default off, because the lookups burden the server.  Experimental
    # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
    # harden-referral-path: no

    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.  If no, allows the weakest algorithm
    # to validate the zone.
    harden-algo-downgrade: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This feature is an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    private-domain: "<HOSTNAME>"

    # if yes, the above default do-not-query-address entries are present.
    # if no, localhost can be queried (for testing and debugging).
    do-not-query-localhost: no

    # File with trusted keys, kept uptodate using RFC5011 probes,
    # initial file like trust-anchor-file, then it stores metadata.
    # Use several entries, one per domain name, to track multiple zones.
    #
    # If you want to perform DNSSEC validation, run unbound-anchor before
    # you start unbound (i.e. in the system boot scripts).  And enable:
    # Please note usage of unbound-anchor root anchor is at your own risk
    # and under the terms of our LICENSE (see that file in the source).
    # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
    auto-trust-anchor-file: "/etc/unbound/root.key"

    # If unbound is running service for the local host then it is useful
    # to perform lan-wide lookups to the upstream, and unblock the
    # long list of local-zones above.  If this unbound is a dns server
    # for a network of computers, disabled is better and stops information
    # leakage of local lan information.
    unblock-lan-zones: no

    # If you configure local-data without specifying local-zone, by
    # default a transparent local-zone is created for the data.
    #
    # You can add locally served data with
    # local-zone: "local." static
    # local-data: "mycomputer.local. IN A 192.0.2.51"
    # local-data: 'mytext.local TXT "content of text record"'

    # request upstream over TLS (with plain DNS inside the TLS stream).
    # Default is no.  Can be turned on and off with unbound-control.
    # tls-upstream: no

    # Forward zones
    # Create entries like below, to make all queries for 'example.com' and
    # 'example.org' go to the given list of servers. These servers have to handle
    # recursion to other nameservers. List zero or more nameservers by hostname
    # or by ipaddress. Use an entry with name "." to forward all queries.
    # If you enable forward-first, it attempts without the forward if it fails.
    # forward-zone:
    #    name: "example.com"
    #    forward-addr: 192.0.2.68
    #    forward-addr: 192.0.2.73@5355  # forward to port 5355.
    #    forward-first: no
    #    forward-tls-upstream: no
    #    forward-no-cache: no
    # forward-zone:
    #    name: "example.org"
    #    forward-host: fwd.example.com

forward-zone:
    name: "."
    forward-addr: 172.16.32.1@53
    forward-addr: ::1@53000
    forward-addr: 127.0.0.1@53000

Blocking Microsoft Telemetry on the network by domain

Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found here.

This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1", which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places, such as the tools people use to do this locally on Windows (Destroy-Windows-10-Spying, DisableWinTracking, Debloat-Windows-10 and Dominator.Windows10). I have prepared the list further down: Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf.

You could also use this to block advertising, but that's probably easier to do in a web browser with something like uBlock Origin.

Another way is to disable this stuff with a group policy see Manage connections from Windows operating system components to Microsoft services only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.

/etc/unbound/unbound.conf

In your main unbound configuration add

include: /etc/unbound/filter.conf

Script to prepare/sort domains for Unbound

#!/bin/sh

##################################################
# Script taken from http://npr.me.uk/unbound.html
# Note you need GNU sed (for \x09 and \L)
# Usage: ./script.sh [hosts.txt]
##################################################

set -e
input="${1:-hosts.txt}"

# Remove "#" comments
# Remove trailing space and tab
# Remove blank lines
# Remove localhost and broadcasthost lines (any line containing "local")
# Keep just the host (the last field of each line)
# Remove leading and trailing space and tab (again)
# Make everything lower case

sed -e "s/#.*//" \
    -e "s/[ \x09]*$//" \
    -e "/^$/ d" \
    -e "/^.*local.*/ d" \
    -e "/^.*broadcasthost.*/ d" \
    -e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \
    -e "s/^[ \x09]*//;s/[ \x09]*$//" \
    -e "s/\(.*\)/\L\1/" "$input" > temp1.txt

# Remove any duplicate hosts

sort temp1.txt | uniq > temp2.txt

# Remove any hosts starting with "."
# Create the two required lines for each host.

sed -e "/^\..*/ d" \
    -e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \
       temp2.txt > filter.conf

# Clean up
rm temp1.txt
rm temp2.txt
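As an added example (not the page's own script), the same transformation in Python, applying the rules the sed script applies (drop comments, blank lines, localhost/broadcasthost entries and names starting with "."; lower-case and de-duplicate) plus one check the script lacks: a name that is not a valid DNS hostname is skipped and reported, since a single malformed local-data line stops unbound from starting and takes DNS down for the whole LAN. It also keeps every name on a hosts line rather than only the last one. The input lines are constructed.

```python
"""hosts-file block list -> unbound local-zone/local-data filter.
Added example, not part of the page; HOSTS is constructed sample input."""
import re

REDIRECT_TO = "0.0.0.1"            # the invalid address the page redirects to
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")   # one DNS label (RFC 1123)


def valid_hostname(name):
    """True for a syntactically valid, fully qualified hostname."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False               # all-digit TLD rejects bare IPv4 addresses
    return all(LABEL.fullmatch(label) for label in labels)


def extract_hosts(lines):
    """Yield candidate names from hosts-file lines ('0.0.0.0 name ...' or bare 'name')."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if len(fields) > 1 else fields   # skip the address column
        for name in names:
            name = name.lower().rstrip(".")
            if name.startswith(".") or name in LOCAL_NAMES:
                continue
            yield name


def unbound_filter(lines, skipped=None):
    """Return the filter.conf text; invalid names are appended to `skipped`."""
    out = []
    for name in sorted(set(extract_hosts(lines))):   # de-duplicate and sort
        if not valid_hostname(name):
            if skipped is not None:
                skipped.append(name)
            continue
        out.append(f'local-zone: "{name}" redirect')
        out.append(f'local-data: "{name} A {REDIRECT_TO}"')
    return "\n".join(out) + "\n" if out else ""


# Constructed sample in hosts-file format; the names come from the page's list
# plus deliberately bad entries, it is not a real block list.
HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0 Activity.Windows.com     # inline comment, mixed case
0.0.0.0 activity.windows.com
0.0.0.0\ta-0001.a-msedge.net a.ads1.msn.com
0.0.0.0 .leading-dot.example.com
0.0.0.0 bad_underscore.example.com
0.0.0.0
"""

if __name__ == "__main__":
    rejected = []
    print(unbound_filter(HOSTS.splitlines(), rejected), end="")
    print("# skipped:", rejected)
```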

/etc/unbound/filter.conf

local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091209.wns.windows.com" redirect
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091305.wns.windows.com" redirect
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091307.wns.windows.com" redirect
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091308.wns.windows.com" redirect
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091309.wns.windows.com" redirect
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091314.wns.windows.com" redirect
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091412.wns.windows.com" redirect
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091503.wns.windows.com" redirect
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091507.wns.windows.com" redirect
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091602.wns.windows.com" redirect
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091603.wns.windows.com" redirect
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091606.wns.windows.com" redirect
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"
local-zone: "db6sch102091607.wns.windows.com" redirect
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"
local-zone: "deploy.static.akamaitechnologies.com" redirect
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"
local-zone: "device.auth.xboxlive.com" redirect
local-data: "device.auth.xboxlive.com A 0.0.0.1"
local-zone: "dev.virtualearth.net" redirect
local-data: "dev.virtualearth.net A 0.0.0.1"
local-zone: "df.telemetry.microsoft.com" redirect
local-data: "df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "diagnostics.support.microsoft.com" redirect
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "dmd.metaservices.microsoft.com" redirect
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"
local-zone: "dns.msftncsi.com" redirect
local-data: "dns.msftncsi.com A 0.0.0.1"
local-zone: "ec.atdmt.com" redirect
local-data: "ec.atdmt.com A 0.0.0.1"
local-zone: "ecn.dev.virtualearth.net" redirect
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"
local-zone: "eu.vortex.data.microsoft.com" redirect
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"
local-zone: "feedback.microsoft-hohm.com" redirect
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"
local-zone: "feedback.search.microsoft.com" redirect
local-data: "feedback.search.microsoft.com A 0.0.0.1"
local-zone: "feedback.windows.com" redirect
local-data: "feedback.windows.com A 0.0.0.1"
local-zone: "flex.msn.com" redirect
local-data: "flex.msn.com A 0.0.0.1"
local-zone: "fs.microsoft.com" redirect
local-data: "fs.microsoft.com A 0.0.0.1"
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "g.msn.com" redirect
local-data: "g.msn.com A 0.0.0.1"
local-zone: "h1.msn.com" redirect
local-data: "h1.msn.com A 0.0.0.1"
local-zone: "h2.msn.com" redirect
local-data: "h2.msn.com A 0.0.0.1"
local-zone: "i1.services.social.microsoft.com" redirect
local-data: "i1.services.social.microsoft.com A 0.0.0.1"
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"
local-zone: "img-s-msn-com.akamaized.net" redirect
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"
local-zone: "inference.location.live.net" redirect
local-data: "inference.location.live.net A 0.0.0.1"
local-zone: "insiderppe.cloudapp.net" redirect
local-data: "insiderppe.cloudapp.net A 0.0.0.1"
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "lb1.www.ms.akadns.net" redirect
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"
local-zone: "licensing.mp.microsoft.com" redirect
local-data: "licensing.mp.microsoft.com A 0.0.0.1"
local-zone: "live.rads.msn.com" redirect
local-data: "live.rads.msn.com A 0.0.0.1"
local-zone: "ls2web.redmond.corp.microsoft.com" redirect
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"
local-zone: "m.adnxs.com" redirect
local-data: "m.adnxs.com A 0.0.0.1"
local-zone: "mediaredirect.microsoft.com" redirect
local-data: "mediaredirect.microsoft.com A 0.0.0.1"
local-zone: "mobile.pipe.aria.microsoft.com" redirect
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"
local-zone: "msedge.net" redirect
local-data: "msedge.net A 0.0.0.1"
local-zone: "msftncsi.com" redirect
local-data: "msftncsi.com A 0.0.0.1"
local-zone: "msntest.serving-sys.com" redirect
local-data: "msntest.serving-sys.com A 0.0.0.1"
local-zone: "oca.telemetry.microsoft.com" redirect
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "officeclient.microsoft.com" redirect
local-data: "officeclient.microsoft.com A 0.0.0.1"
local-zone: "oneclient.sfx.ms" redirect
local-data: "oneclient.sfx.ms A 0.0.0.1"
local-zone: "pre.footprintpredict.com" redirect
local-data: "pre.footprintpredict.com A 0.0.0.1"
local-zone: "preview.msn.com" redirect
local-data: "preview.msn.com A 0.0.0.1"
local-zone: "pti.store.microsoft.com" redirect
local-data: "pti.store.microsoft.com A 0.0.0.1"
local-zone: "query.prod.cms.rt.microsoft.com" redirect
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"
local-zone: "rad.msn.com" redirect
local-data: "rad.msn.com A 0.0.0.1"
local-zone: "redir.metaservices.microsoft.com" redirect
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"
local-zone: "register.cdpcs.microsoft.com" redirect
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "s0.2mdn.net" redirect
local-data: "s0.2mdn.net A 0.0.0.1"
local-zone: "schemas.microsoft.akadns.net" redirect
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"
local-zone: "search.msn.com" redirect
local-data: "search.msn.com A 0.0.0.1"
local-zone: "secure.adnxs.com" redirect
local-data: "secure.adnxs.com A 0.0.0.1"
local-zone: "secure.flashtalking.com" redirect
local-data: "secure.flashtalking.com A 0.0.0.1"
local-zone: "services.wes.df.telemetry.microsoft.com" redirect
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "settings.data.glbdns2.microsoft.com" redirect
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"
local-zone: "settings.data.microsoft.com" redirect
local-data: "settings.data.microsoft.com A 0.0.0.1"
local-zone: "settings-sandbox.data.microsoft.com" redirect
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"
local-zone: "settings-ssl.xboxlive.com" redirect
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"
local-zone: "settings-win.data.microsoft.com" redirect
local-data: "settings-win.data.microsoft.com A 0.0.0.1"
local-zone: "settings-win-ppe.data.microsoft.com" redirect
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"
local-zone: "sn3301-c.1drv.com" redirect
local-data: "sn3301-c.1drv.com A 0.0.0.1"
local-zone: "sn3301-e.1drv.com" redirect
local-data: "sn3301-e.1drv.com A 0.0.0.1"
local-zone: "sn3301-g.1drv.com" redirect
local-data: "sn3301-g.1drv.com A 0.0.0.1"
local-zone: "so.2mdn.net" redirect
local-data: "so.2mdn.net A 0.0.0.1"
local-zone: "spynet2.microsoft.com" redirect
local-data: "spynet2.microsoft.com A 0.0.0.1"
local-zone: "spynetalt.microsoft.com" redirect
local-data: "spynetalt.microsoft.com A 0.0.0.1"
local-zone: "spyneteurope.microsoft.akadns.net" redirect
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"
local-zone: "sqm.df.telemetry.microsoft.com" redirect
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "sqm.telemetry.microsoft.com" redirect
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "static.2mdn.net" redirect
local-data: "static.2mdn.net A 0.0.0.1"
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"
local-zone: "store-images.s-microsoft.com" redirect
local-data: "store-images.s-microsoft.com A 0.0.0.1"
local-zone: "support.microsoft.com" redirect
local-data: "support.microsoft.com A 0.0.0.1"
local-zone: "survey.watson.microsoft.com" redirect
local-data: "survey.watson.microsoft.com A 0.0.0.1"
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"
local-zone: "telecommand.telemetry.microsoft.com" redirect
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "telemetry.appex.bing.net" redirect
local-data: "telemetry.appex.bing.net A 0.0.0.1"
local-zone: "telemetry.microsoft.com" redirect
local-data: "telemetry.microsoft.com A 0.0.0.1"
local-zone: "telemetry.urs.microsoft.com" redirect
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"
local-zone: "test.activity.windows.com" redirect
local-data: "test.activity.windows.com A 0.0.0.1"
local-zone: "tile-service.weather.microsoft.com" redirect
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"
local-zone: "time.windows.com" redirect
local-data: "time.windows.com A 0.0.0.1"
local-zone: "tk2.plt.msn.com" redirect
local-data: "tk2.plt.msn.com A 0.0.0.1"
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"
local-zone: "urs.smartscreen.microsoft.com" redirect
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "v10.vortex-win.data.microsoft.com" redirect
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"
local-zone: "version.hybrid.api.here.com" redirect
local-data: "version.hybrid.api.here.com A 0.0.0.1"
local-zone: "view.atdmt.com" redirect
local-data: "view.atdmt.com A 0.0.0.1"
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex.data.glbdns2.microsoft.com" redirect
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex.data.microsoft.com" redirect
local-data: "vortex.data.microsoft.com A 0.0.0.1"
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-sandbox.data.microsoft.com" redirect
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-win.data.microsoft.com" redirect
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"
local-zone: "watson.microsoft.com" redirect
local-data: "watson.microsoft.com A 0.0.0.1"
local-zone: "watson.ppe.telemetry.microsoft.com" redirect
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"
local-zone: "watson.telemetry.microsoft.com" redirect
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "wdcpalt.microsoft.com" redirect
local-data: "wdcpalt.microsoft.com A 0.0.0.1"
local-zone: "wdcp.microsoft.com" redirect
local-data: "wdcp.microsoft.com A 0.0.0.1"
local-zone: "web.vortex.data.microsoft.com" redirect
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"
local-zone: "wes.df.telemetry.microsoft.com" redirect
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "win10.ipv6.microsoft.com" redirect
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"
local-zone: "win10-trt.msedge.net" redirect
local-data: "win10-trt.msedge.net A 0.0.0.1"
local-zone: "win1710.ipv6.microsoft.com" redirect
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"
local-zone: "wscont.apps.microsoft.com" redirect
local-data: "wscont.apps.microsoft.com A 0.0.0.1"
local-zone: "www.msedge.net" redirect
local-data: "www.msedge.net A 0.0.0.1"
local-zone: "www.msftconnecttest.com" redirect
local-data: "www.msftconnecttest.com A 0.0.0.1"
local-zone: "www.msftncsi.com" redirect
local-data: "www.msftncsi.com A 0.0.0.1"

DNSCrypt

Configuring dnscrypt-proxy to send its lookups through the VPN rather than directly out your ppp interface is done with a SOCKS proxy bound to tun0 (Dante, below). This is needed because the iptables marks set later in this article only apply to traffic that is being forwarded; queries that originate on the router itself are unmarked and would otherwise follow the main routing table out ppp0.

You can test that you're not getting DNS leaks by using dnsleak.com or the DNS test from GRC. Providers like Cloudflare and Google (1.1.1.1, 8.8.8.8) use anycast, so the resolver that answers should be one near where your VPN exits; if the test shows a resolver near your real location instead, your queries are still going out the ppp interface.

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

Using the sample dnscrypt-proxy config is fine; you will need to make these changes:

listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
proxy = "socks5://127.0.0.1:1080"

Dante

First install Dante. It lives in the testing repository, so you'll need to pin that repository. See: Alpine Linux package management#Repository pinning.

apk add dante-server@testing

Configure it like so:

/etc/sockd.conf

logoutput: stderr
# Listen on loopback only: dnscrypt-proxy is the only intended client
internal: 127.0.0.1 port = 1080
# Outgoing connections are bound to tun0's address, so proxied lookups
# leave via the VPN and never via ppp0
external: tun0
clientmethod: none
socksmethod: none
user.unprivileged: sockd

# Allow connections from localhost to any host
client pass {
        from: 127.0.0.0/8 to: 0.0.0.0/0
        log: error # connect/disconnect
}

# Generic pass statement - bind/outgoing traffic
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
}

# Generic pass statement for incoming connections/packets
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bindreply udpreply
        log: error # connect disconnect iooperation
}

Finally, add the services to the default run level:

rc-update add sockd default

rc-update add unbound default

rc-update add dnscrypt-proxy default

Random number generation

There are two ways to feed extra entropy into the kernel's random number pool, covered below. This is particularly useful on a headless board like the Raspberry Pi, which has little to harvest entropy from, for example when you're generating your own Diffie-Hellman parameters file, used in the FreeRadius EAP-TLS configuration section, or for that matter any process which consumes a lot of randomness, such as generating certificates or public/private keys.

Haveged

Haveged is a great way to improve random number generation speed. It feeds the kernel pool from an unpredictable random number generator based on an adaptation of the HAVEGE algorithm, which harvests timing jitter from the processor.

Install haveged:

apk add haveged

Start haveged service:

service haveged start

Add service to boot

rc-update add haveged default

rng-tools with bcm2708-rng

Pre Alpine Linux 3.8 (which includes rngd 5)

All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.

Add the kernel module to /etc/modules. Use >> to append; a single > would overwrite the file and drop the tun module (added later in this article) and anything else listed there:

echo "bcm2708-rng" >> /etc/modules

Insert module:

modprobe bcm2708-rng

Install rng-tools:

apk add rng-tools

Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd

RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"

Post Alpine Linux 3.8 (which includes rngd 6)

With Alpine Linux 3.8 you don't have to load the module, as it is already built into the kernel.

Additionally, the option syntax for rngd 6 has changed, so in /etc/conf.d/rngd you'll need:

RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"

Start rngd service:

service rngd start

Add service to boot:

rc-update add rngd default

You can test it with:

cat /dev/hwrng | rngtest -c 1000

You should see something like:

rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s
rngtest: Program run time: 25178079 microseconds

It's possible you might have some failures. A few failures in 1000 blocks is expected even from a good source, since the FIPS 140-2 tests reject a small fraction of genuinely random blocks; what indicates a problem is a failure rate that stays high across runs. Two runs I did previously had a failure each.
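As an added example (not part of the original page), here is a small shell script that turns an rngtest report into a pass/fail verdict, so the check can be run from cron or a boot script instead of being eyeballed. The limit of 10 failures per 1000 blocks is an assumption chosen for the example, not a figure from rng-tools or FIPS 140-2; the sample reports are constructed (the first copies the run shown above, the second is an invented bad run).

```shell
#!/bin/sh
# Added example, not from the original page: judge an rngtest report.
# rngtest writes its report to stderr, so on the router capture it with:
#   rng_verdict "$(rngtest -c 1000 < /dev/hwrng 2>&1)"
# The failure limit (10 per 1000 blocks) is an assumption for this example.

# rng_field REPORT LABEL -> prints the integer after "rngtest: LABEL: "
rng_field() {
    printf '%s\n' "$1" | sed -n "s/^rngtest: $2: \([0-9][0-9]*\).*/\1/p" | head -n 1
}

# rng_verdict REPORT [MAX_PER_1000] -> 0 if the failure rate is within the
# limit, 1 if it is too high, 2 if the report could not be parsed.
rng_verdict() {
    ok=$(rng_field "$1" 'FIPS 140-2 successes')
    bad=$(rng_field "$1" 'FIPS 140-2 failures')
    limit=${2:-10}
    [ -n "$ok" ] && [ -n "$bad" ] || return 2
    total=$((ok + bad))
    [ "$total" -gt 0 ] || return 2
    per_1000=$((bad * 1000 / total))
    echo "blocks=$total failures=$bad rate=${per_1000}/1000 limit=${limit}/1000"
    [ "$per_1000" -le "$limit" ]
}

# Constructed sample reports: GOOD_REPORT copies the run shown above,
# BAD_REPORT is invented and is not real hardware output.
GOOD_REPORT='rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0'

BAD_REPORT='rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 940
rngtest: FIPS 140-2 failures: 60
rngtest: FIPS 140-2(2001-10-10) Monobit: 41'

echo "good run:"
rng_verdict "$GOOD_REPORT"
echo "bad run:"
rng_verdict "$BAD_REPORT" || echo "verdict: hardware RNG output is suspect, do not rely on it"
```

The verdict is an integer rate so the script stays within POSIX sh arithmetic and runs under BusyBox ash on Alpine without bc or awk.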

WiFi 802.1x EAP and FreeRadius

A more secure alternative to a shared passphrase (WPA2-PSK) is WPA2-Enterprise with EAP-TLS, using a separate certificate for each device, so a lost or compromised device can be revoked without rekeying every other client. See FreeRadius EAP-TLS configuration

VPN Tunnel on specific subnet

As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark: iptables marks each packet according to its source subnet, and ip rules send each mark to its own routing table.

We expand the network to look like this:

[Figure: Network Diagram with IPv4 tunnel]

Install the necessary packages:

apk add openvpn iproute2 iputils

/etc/modules

You'll want to add the tun module

tun

/etc/iproute2/rt_tables

Add the two routing tables to the bottom of rt_tables. It should look something like this:

#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
1 ISP
2 VPN

/etc/network/interfaces

Next, add the alias interface eth0:2 (really just a second IP address on eth0) just under the eth0 stanza.

# Route to VPN subnet
auto eth0:2
iface eth0:2 inet static
  address 192.168.2.1
  netmask 255.255.255.0
  broadcast 192.168.2.255
  post-up /etc/network/fwmark_rules

/etc/sysctl.d/local.conf

If you want to use fwmark rules you need to relax reverse-path filtering. The value 2 is loose mode: the router still validates that a packet's source address is reachable, but via any interface rather than only the one the packet arrived on.

# Needed to use fwmark
net.ipv4.conf.all.rp_filter = 2

fwmark routing won't work with the strict setting (1): the reverse-path check consults the main table, which routes the internet via ppp0, so replies arriving on tun0 for the 192.168.2.0/24 subnet would be dropped as spoofed.

/etc/network/fwmark_rules

In this file we want to put the fwmark rules and set the correct priorities.

#!/bin/sh

# Normal packets to go direct out WAN
/sbin/ip rule add fwmark 1 table ISP prio 100

# Put packets destined into VPN when VPN is up
/sbin/ip rule add fwmark 2 table VPN prio 200

# Prevent packets from being routed out when VPN is down.
# This prevents packets from falling back to the main table
# that has a priority of 32766
/sbin/ip rule add prohibit fwmark 2 prio 300

/etc/ppp/ip-up

Next we want to create the routes that should be installed when PPP comes up. pppd runs /etc/ppp/ip-up and /etc/ppp/ip-down and exports the connection details to them as environment variables (IFNAME, IPLOCAL, IPREMOTE and so on); see the Scripts section of the pppd man page, which you can read locally if you have ppp-doc installed.

#!/bin/sh
#
# This script is run by pppd when there's a successful ppp connection.
# pppd exports IFNAME (the ppp interface), IPLOCAL (the address the ISP
# assigned to us) and IPREMOTE (the ISP's end of the link).
#

# Flush out any old routes that might be there
/sbin/ip route flush table ISP

# Add routes to the LAN subnets to the table
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP

# Packets sourced from the address given to us by the ISP use the ISP table
# (IPLOCAL is our own address; IPREMOTE is the peer and only serves as gateway)
/sbin/ip rule add from ${IPLOCAL} table ISP prio 100

# Add a default route via the ISP's end of the link
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}

/etc/ppp/ip-down

#!/bin/sh
#
# This script is run by pppd after the connection has ended.
#

# Delete the rule added in ip-up (it must match the same source address)
/sbin/ip rule del from ${IPLOCAL} table ISP prio 100

/etc/openvpn/route-up-fwmark.sh

OpenVPN needs similar routing scripts, and it also exports its own environment variables to them (dev, ifconfig_local, route_vpn_gateway and others). A full list is in the Environmental Variables section of the OpenVPN man page.

#!/bin/sh
#
# This script is run by OpenVPN when there's a successful VPN connection.
# OpenVPN exports dev (the tun interface), ifconfig_local (our VPN address)
# and route_vpn_gateway (the gateway it would have used for its own routes).
#

# Flush out any old routes that might be there
/sbin/ip route flush table VPN

# Add route to table from 192.168.2.0/24 subnet on LAN
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN

# Packets sourced from the VPN interface's own address use the VPN table
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200

# Add a default route through the tunnel
/sbin/ip route add default via ${route_vpn_gateway} dev ${dev} table VPN

/etc/openvpn/route-pre-down-fwmark.sh

#!/bin/sh
#
# This script is run by OpenVPN after the connection has ended
#

# Delete the rules when we take the interface down
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200

What I found was that when stopping the OpenVPN service, if you used:

service openvpn stop

the rules in route-pre-down-fwmark.sh were not executed.

However:

/etc/init.d/openvpn stop

seemed to work correctly.
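As an added example (not part of the original page), the following shell script audits the state the scripts above are meant to produce: the fwmark 0x2 rules ordered VPN lookup, then prohibit, then main; a default route via tun0 in table VPN; and a non-strict rp_filter. It parses the text output of ip rule show and ip route show table VPN, so it can run on the router or against captured output. The sample outputs are constructed to match this page's rules; the VPN gateway address 10.8.0.5 is assumed.

```shell
#!/bin/sh
# Added example, not a script from the original page: audit the policy
# routing that keeps 192.168.2.0/24 inside the VPN. Table names (ISP/VPN),
# marks (0x1/0x2) and interfaces (tun0/ppp0) are the ones used on this page.

# prio_of RULES PATTERN -> priority of the first rule line matching PATTERN
prio_of() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { sub(":", "", $1); print $1; exit }'
}

# check_rules RULES -> 0 when the order is: VPN lookup < prohibit < main.
# While tun0 is down table VPN has no default route; without the prohibit
# rule a 0x2 packet would fall through to main and leave via ppp0.
check_rules() {
    vpn=$(prio_of "$1" 'fwmark 0x2 lookup VPN')
    prohibit=$(prio_of "$1" 'fwmark 0x2 prohibit')
    main=$(prio_of "$1" 'from all lookup main')
    [ -n "$vpn" ] && [ -n "$prohibit" ] && [ -n "$main" ] || return 1
    [ "$vpn" -lt "$prohibit" ] && [ "$prohibit" -lt "$main" ]
}

# check_vpn_table ROUTES -> 0 when table VPN's default route uses tun0
check_vpn_table() {
    printf '%s\n' "$1" | grep -q '^default .*dev tun0'
}

# check_rp_filter VALUE -> 0 unless strict reverse-path filtering (1) is set
check_rp_filter() {
    [ "$1" != "1" ]
}

# audit RULES ROUTES RPF -> prints one line per check; returns 0 only if all pass
audit() {
    rc=0
    if check_rules "$1"; then echo "ok   : fwmark 0x2 rules ordered VPN < prohibit < main"
    else echo "FAIL : fwmark 0x2 rule order (0x2 traffic can leak via ppp0)"; rc=1; fi
    if check_vpn_table "$2"; then echo "ok   : table VPN default route via tun0"
    else echo "FAIL : table VPN has no default route via tun0"; rc=1; fi
    if check_rp_filter "$3"; then echo "ok   : rp_filter=$3 (not strict)"
    else echo "FAIL : rp_filter=1 breaks fwmark routing"; rc=1; fi
    return $rc
}

# Constructed samples in `ip rule show` / `ip route show` format (not captured
# from a real router; 10.8.0.5 is an assumed VPN gateway address).
GOOD_RULES='0:      from all lookup local
100:    from all fwmark 0x1 lookup ISP
200:    from all fwmark 0x2 lookup VPN
300:    from all fwmark 0x2 prohibit
32766:  from all lookup main
32767:  from all lookup default'

# The same router with the prohibit rule missing.
LEAKY_RULES='0:      from all lookup local
100:    from all fwmark 0x1 lookup ISP
200:    from all fwmark 0x2 lookup VPN
32766:  from all lookup main
32767:  from all lookup default'

VPN_ROUTES='default via 10.8.0.5 dev tun0
192.168.2.0/24 dev eth0 scope link'

# On the router itself, run:
#   audit "$(ip rule show)" "$(ip route show table VPN)" "$(sysctl -n net.ipv4.conf.all.rp_filter)"
echo "== complete rule set =="
audit "$GOOD_RULES" "$VPN_ROUTES" 2
echo "== prohibit rule missing =="
audit "$LEAKY_RULES" "$VPN_ROUTES" 2 || echo "(audit failed, as it should)"
```

Run it after both ip-up and route-up have fired, and again after stopping OpenVPN: in the second case the table VPN check is expected to fail, but the rule-order check must still pass, since that prohibit rule is the only thing stopping the VPN subnet from falling back to ppp0.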

Advanced IPtables rules that allow us to route into our two routing tables

This is an expansion of the previous set of rules. It sets up NAT masquerading so that 192.168.2.0/24 goes through the VPN using marked packets, while 192.168.1.0/24 continues out the ISP link.

I used these guides to complete this:

#########################################################################
# Advanced routing rule set
# Uses 192.168.1.0 via ISP
#      192.168.2.0 via VPN
#
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN
#
#########################################################################

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]

# Create a log drop chain
:LOG_DROP - [0:0]

# Create a reject chain
:LOG_REJECT - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Forward traffic to ISP
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT

# Forward traffic to VPN
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT

# Allow excepted server to be FORWARD to ppp0
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port to workstation
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router on both subnets
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow excepted server to be INPUT to eth0 from LAN (-o cannot be used in the INPUT chain)
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_PPP0 -j LOG_DROP

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on TUN0
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_TUN0 -j LOG_DROP
COMMIT

#
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# If packet MARK is 2, then it means there is already a connection mark and the
# original packet came in on VPN
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT

# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT

# Mark packets coming from 192.168.2.0/24 are 0x2
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff

# If packet MARK is 1, then it means there is already a connection mark and the
# original packet came in on ISP
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT

# Mark packets 192.168.1.0/24 are 0x1
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff

# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff

# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff

# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT

You may want to delete certain rules here that do not apply to you, e.g. the FreeRADIUS rules. That is covered later in this article.

OpenVPN Routing

Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this, as we still want to be able to reach the Internet without the VPN, and earlier in this guide we created our own routes that we want to use instead.

You'll need to add this to the bottom of your OpenVPN configuration file:

# Prevents default gateway from being set on the default routing table
route-noexec

# Allows route-up script to be executed
script-security 2

# Calls custom shell script after connection to add necessary routes
route-up /etc/openvpn/route-up-fwmark.sh
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh

My VPNs are arranged like this in /etc/openvpn:

OpenVPN configuration file for that server:

countrycode.serverNumber.openvpn.conf

OpenVPN certs for that server:

countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key
countrycode.serverNumber.openvpn/myKey.crt
countrycode.serverNumber.openvpn/myKey.key

So I use this helper script to automate switching between servers (the usage line below passes the server name without the .conf suffix; the script accepts it with or without):

#!/bin/sh
# Usage: changevpn.sh countrycode.serverNumber.openvpn
# Points /etc/openvpn/openvpn.conf at the named server configuration.

vpn_server_filename=$1

if [ -z "$vpn_server_filename" ]; then
    echo "Usage: $0 countrycode.serverNumber.openvpn" >&2
    exit 1
fi

# Accept the name with or without the .conf suffix
conf="/etc/openvpn/${vpn_server_filename%.conf}.conf"

if [ ! -f "$conf" ]; then
    echo "No such configuration: $conf" >&2
    exit 1
fi

# Replace the symlink with an absolute target so it resolves from any directory
rm -f /etc/openvpn/openvpn.conf
ln -s "$conf" /etc/openvpn/openvpn.conf

# Lock down the directory: only the openvpn user may read keys and configs
chown -R openvpn:openvpn /etc/openvpn
chmod -R a=-rwx,u=+rX /etc/openvpn
# Scripts need read as well as execute permission to be run by an interpreter
chmod u=rx /etc/openvpn/*.sh*

if grep -Fxq "#CustomStuffHere" "$conf"
then
    echo "Not adding custom routes, this server has been used previously"
else
    echo "Adding custom route rules"
cat <<EOF >> "$conf"

#CustomStuffHere
# Prevents default gateway from being set on the default routing table
route-noexec

# Allows route-up script to be executed
script-security 2

# Calls custom shell script after connection to add necessary routes
route-up /etc/openvpn/route-up-fwmark.sh
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh

# Logging of OpenVPN to file
#log /etc/openvpn/openvpn.log
EOF

fi
echo "Remember to set BitTorrent port forward in VPN control panel"

That way I can simply change between servers by running:

changevpn.sh countrycode.serverNumber.openvpn

and then restart OpenVPN. The script also reminds me to put the port forward through on the VPN control panel so that my BitTorrent client stays connectable:

service openvpn restart

Finally, add openvpn to the default run level:

rc-update add openvpn default

Creating a LAN only Subnet

In this section we'll create a LAN-only subnet, 192.168.3.0/24. Nodes in it cannot have their packets forwarded to the Internet, but they can still be reached from the other LAN subnets, 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs, although that would be recommended if you have a managed switch. The subnet is intended for things like WiFi access points, IP phones that talk to a local Asterisk server and, of course, printers.

At the end of this section we will have something like:

Network Diagram LAN ONLY Route with IPv4

/etc/iproute2/rt_tables

First up we'll add a third routing table:

3 LAN

/etc/network/interfaces

Add an extra virtual interface (really just an additional IP address on eth0):

# LAN Only
auto eth0:3
iface eth0:3 inet static
  address 192.168.3.1
  netmask 255.255.255.0
  broadcast 192.168.3.255
  post-up /etc/network/route_LAN

/etc/network/route_LAN

This file adds our routes to the LAN table:

#!/bin/sh

# Add routes from ISP to LAN
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN

# Add route from VPN to LAN
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN

# Add route from LAN to its own table
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN

/etc/ppp/ip-up

Append a route from the LAN subnet to the ISP table:

# Add route to LAN subnet
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP

/etc/openvpn/route-up-fwmark.sh

Append a route from the LAN subnet to the VPN table:

# Add route to LAN only subnet
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN

/etc/ntpd.conf

Add a listen address for ntp (OpenNTPD).

You should now have:

# Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1
listen on 192.168.2.1
listen on 192.168.3.1

Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.

Blocking bogons

Our LAN now has 4 possible subnets in total, plus the VPN provider's network:

  • 192.168.0.0/30 (connection between modem and router)
  • 192.168.1.0/24 (ISP table, directly routed out WAN)
  • 192.168.2.0/24 (VPN table, routed out VPN)
  • 192.168.3.0/24 (Null routed subnet for LAN only hosts)
  • 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).

Everything else should be rejected. No packets from or to 192.168.5.2 or 10.0.0.5, for example, should ever be forwarded.

Installing ipset

Install ipset:

apk add ipset

Add it to start up:

rc-update add ipset default

Now we need to load the lists of addresses into ipset. The article Securing Your Server using IPset and Dynamic Blocklists mentions a script which was particularly useful. This script could be run from a cron job if you want to update the list regularly; for the full bogon list you should, as it changes whenever address space is allocated.

For the purpose of this we will be using just the bogon-bn-nonagg.txt list.

0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4

This is unlikely to change as it is the IPv4 reserved address space. The script:

#! /bin/bash

# /usr/local/sbin/fullbogons-ipv4
# BoneKracker
# Rev. 11 October 2012
# Tested with ipset 6.13
#
# On Alpine this needs "apk add bash wget": busybox wget does not support
# the -N (timestamping) option used below.

# Purpose: Periodically update an ipset used in a running firewall to block
# bogons. Bogons are addresses that nobody should be using on the public
# Internet because they are either private, not to be assigned, or have
# not yet been assigned.
#
# Notes: Call this from crontab. Feed updated every 4 hours.

# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
# Use alternative URL from pfSense, due to 404 error with URL above
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"
ipset_params="hash:net"

filename=$(basename "${target}")
firewall_ipset=${filename%.*}           # ipset will be filename minus ext
data_dir="/var/tmp/${firewall_ipset}"   # data directory will be same
data_file="${data_dir}/${filename}"

# if data directory does not exist, create it
mkdir -pm 0750 "${data_dir}"

# function to get modification time of the file in log-friendly format
get_timestamp() {
    date -r "$1" +%m/%d' '%R
}

# file modification time on server is preserved during wget download
[ -f "${data_file}" ] && old_timestamp=$(get_timestamp "${data_file}")

# fetch file only if newer than the version we already have
wget -qNP "${data_dir}" "${target}"

if [ "$?" -ne "0" ]; then
    logger -p cron.err "IPSet: ${firewall_ipset} wget failed."
    exit 1
fi

timestamp=$(get_timestamp "${data_file}")

# compare timestamps because wget returns success even if no newer file
if [ "${timestamp}" != "${old_timestamp}" ]; then

    # create the temporary set (reuse and empty it if a previous run left one behind)
    temp_ipset="${firewall_ipset}_temp"
    ipset create -exist "${temp_ipset}" ${ipset_params}
    ipset flush "${temp_ipset}"

    #sed -i '/^#/d' ${data_file}            # strip comments
    sed -ri '/^[#< \t]|^$/d' "${data_file}" # occasionally the file has been xhtml

    while read -r network; do
        ipset add "${temp_ipset}" "${network}"
    done < "${data_file}"

    # if ipset does not exist, create it
    ipset create -exist "${firewall_ipset}" ${ipset_params}

    # swap the temp ipset for the live one (atomic: the firewall never sees an empty set)
    ipset swap "${temp_ipset}" "${firewall_ipset}"
    ipset destroy "${temp_ipset}"

    # log the file modification time for use in minimizing lag in cron schedule
    logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."

fi

Now you should see the list loaded into memory when you do:

ipset list

We want to save it so our router can refer to it next time it starts up so for that:

/etc/init.d/ipset save

Adding our allowed networks

IPv4

ipset create allowed-nets-ipv4 hash:net,iface family inet

Then you can add each of your allowed networks:

ipset add allowed-nets-ipv4 192.168.0.0/30,eth1
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0
ipset add allowed-nets-ipv4 127.0.0.0/8,lo
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0

IPv6

For IPv6, if you have any unique local address (ULA) ranges you may choose to add them:

ipset create allowed-nets-ipv6 hash:net,iface family inet6

ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0


Finally save the sets with this command so they can be loaded next boot:

/etc/init.d/ipset save

Restricting our LAN subnet with iptables, and blocking the bogons

Finally we can apply our iptables rules, both to filter 192.168.3.0/24 and to make sure that subnets like 192.168.5.0/24 are neither forwarded by nor able to reach our router. You will need to review these rules and remove the ones that do not apply to you.

Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf.

I used a new table here called "raw". This table is more primitive than the filter table: it cannot have FORWARD or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.

The only chains available here are PREROUTING and OUTPUT. The OUTPUT rules only filter traffic originating from the router's own processes, for example if we ran the ping command against a bogon range from the router's command prompt.

Traffic passes through the raw table before connection marking happens, as shown in the Netfilter packet flow graph; this means we no longer have to strip the mark off the bogon ranges in the mangle table.

#########################################################################
# Advanced routing rule set
# Uses 192.168.1.0 via ISP
#      192.168.2.0 via VPN
#      192.168.3.0 via LAN
#
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto
#                                    the internet
#
#########################################################################

#
# Raw Table
# This table is the place where we drop all illegal packets from networks that
# do not exist
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Create a log drop chain
:LOG_DROP_BOGON - [0:0]

# Create an output chain
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Allows traffic from VPN tunnel
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT

# Allows traffic to VPN tunnel
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT

# Block specified bogons coming in from ISP and VPN
# (unlikely to happen as they filter them on their router)
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON

# Allows my excepted ranges.
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Log drop chain
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6
-A LOG_DROP_BOGON -j DROP

# Block packets originating from the router destined to bogon ranges
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Allow the VPN provider's network (172.16.0.0/12 is in the bogon list), then
# block packets originating from the router destined to bogon ranges
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON
COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]

# Create a drop chain
:LOG_DROP - [0:0]

# Create a log drop chain
:LOG_DROP_BOGON - [0:0]

# Create a reject chain
:LOG_REJECT_LANONLY - [0:0]

# Create an output chain
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Forward traffic to Modem
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT

# Allow routing to remote address on VPN
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT

# Allow forwarding from LAN hosts to LAN ONLY subnet
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT

# Allow LAN ONLY subnet to contact other LAN hosts
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT

# Refuse to forward bogons to the internet!
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Forward traffic to ISP
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT

# Forward traffic to VPN
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT

# Prevent 192.168.3.0/24 from accessing internet
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY

# Allow excepted server to be FORWARD to ppp0
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port to workstation
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router on both subnets
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow excepted server to be INPUT to eth0 from LAN
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_PPP0 -j LOG_DROP

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on TUN0
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_TUN0 -j LOG_DROP

# Log dropped bogons that never got forwarded
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6
-A LOG_DROP_BOGON -j DROP

# Log rejected packets
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable
COMMIT

#
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# If packet MARK is 2, then it means there is already a connection mark and the
# original packet came in on VPN
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT

# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT

# Mark packets coming from 192.168.2.0/24 are 0x2
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff

# If packet MARK is 1, then it means there is already a connection mark and the
# original packet came in on ISP
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT

# Mark packets 192.168.1.0/24 are 0x1
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff

# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff

# Strip mark if packet is destined for modem
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff

# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
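To see how the raw PREROUTING chain and the FWD_ETH0 chain above combine for a new packet, here is an added Python model of those two chains (example code written for this page, not part of the original article or of Alpine): it encodes the page's bogon list and allowed-nets-ipv4 entries as constructed data, reproduces ipset's hash:net and hash:net,iface matching, and walks constructed sample flows through the rules in order, so the effect of rule order (LAN-to-LAN accepted before the 192.168.0.0/16 bogon entry, unknown subnets falling through to the FORWARD policy) can be checked offline. It assumes new connections only and models eth0 forwarding plus ppp0 and tun0 ingress; ESTABLISHED traffic, INPUT and the other FWD_* chains are not modelled.

```python
import ipaddress

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed from the page's bogon-bn-nonagg list and allowed-nets-ipv4 entries.
BOGONS = [Net(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
ALLOWED = [(Net(n), i) for n, i in (
    ("192.168.0.0/30", "eth1"), ("192.168.1.0/24", "eth0"), ("192.168.2.0/24", "eth0"),
    ("192.168.3.0/24", "eth0"), ("127.0.0.0/8", "lo"), ("172.16.32.0/20", "tun0"))]
VPN_NET = Net("172.16.32.0/20")
ISP_LAN, VPN_LAN, LAN_ONLY = Net("192.168.1.0/24"), Net("192.168.2.0/24"), Net("192.168.3.0/24")
MODEM, VPN_GW = Addr("192.168.0.1"), Addr("172.16.32.1")


def in_set(addr, nets):
    """ipset hash:net semantics: the address matches if any entry contains it."""
    return any(addr in n for n in nets)


def in_set_iface(addr, iface, entries):
    """ipset hash:net,iface semantics (src,src): network and interface must both match."""
    return any(addr in n and iface == i for n, i in entries)


def raw_prerouting(src, dst, iif):
    """Verdict of the page's raw PREROUTING chain for a new packet."""
    if src in VPN_NET and iif == "tun0":          # traffic from the VPN provider's network
        return "ACCEPT"
    if dst in VPN_NET:                            # traffic towards it (172.16/12 is a bogon)
        return "ACCEPT"
    if iif in ("ppp0", "tun0") and in_set(src, BOGONS):
        return "LOG_DROP_BOGON"                   # spoofed source arriving from outside
    if in_set_iface(src, iif, ALLOWED):
        return "ACCEPT"
    return "ACCEPT"                               # chain policy: later tables still filter it


def fwd_eth0(src, dst, oif):
    """Verdict of the FWD_ETH0 chain (new connections only; ESTABLISHED is accepted earlier)."""
    lan = src in ISP_LAN or src in VPN_LAN
    if dst == MODEM:
        return "ACCEPT"
    if lan and dst == VPN_GW and oif == "tun0":
        return "ACCEPT"
    if lan and dst in LAN_ONLY:
        return "ACCEPT"
    if src in LAN_ONLY and (dst in ISP_LAN or dst in VPN_LAN):
        return "ACCEPT"
    if in_set(dst, BOGONS):                       # after the LAN-to-LAN rules, so 192.168.x still works
        return "LOG_DROP_BOGON"
    if lan:
        return "ACCEPT"                           # policy routing then decides ISP or VPN
    if src in LAN_ONLY:
        return "LOG_REJECT_LANONLY"
    return "DROP"                                 # FORWARD policy: unknown subnets such as 192.168.5.0/24


def verdict(src, dst, iif, oif="ppp0"):
    """Walk a new packet through raw PREROUTING and, for eth0 ingress, FWD_ETH0."""
    src, dst = Addr(src), Addr(dst)
    raw = raw_prerouting(src, dst, iif)
    if raw != "ACCEPT" or iif != "eth0":
        return ("raw", raw)
    return ("filter", fwd_eth0(src, dst, oif))


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, ingress interface[, egress interface])
    for pkt in (("192.168.1.50", "8.8.8.8", "eth0"), ("192.168.3.10", "8.8.8.8", "eth0"),
                ("192.168.3.10", "192.168.2.20", "eth0"), ("192.168.1.50", "10.0.0.5", "eth0"),
                ("192.168.5.2", "8.8.8.8", "eth0"), ("10.0.0.5", "192.168.2.20", "tun0"),
                ("192.168.2.20", "172.16.32.1", "eth0", "tun0")):
        print(pkt, "->", verdict(*pkt))
```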

Other Tips

Diagnosing firewall problems

netcat, netcat6

Netcat can be useful for testing if a port is open or closed or filtered.

apk add netcat-openbsd

After installing netcat we can use it like this:

Say we wanted to test IPv6 UDP port 547. We would run this on the router:

nc -6 -u -l 547

and then this on the client to connect to it:

nc -u -v -6 2001:0db8:1234:0001::1 547

tcpdump

tcpdump can also be useful for dumping the contents of packets coming in on an interface:

apk add tcpdump

Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.

tcpdump -i eth0 udp and src 192.168.2.20 and port 53

You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.

lbu cache

Configure the lbu cache so that you don't need to download packages when you restart your router; see Local APK cache.

This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.

lbu encryption /etc/lbu/lbu.conf

In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.

# what cipher to use with -e option
DEFAULT_CIPHER=aes-256-cbc

# Uncomment the row below to encrypt config by default
ENCRYPTION=$DEFAULT_CIPHER

# Uncomment below to avoid <media> option to 'lbu commit'
# Can also be set to 'floppy'
LBU_MEDIA=mmcblk0p1

# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls
# in a normal directory instead of mounting an external media.
# LBU_BACKUPDIR=/root/config-backups

# Uncomment below to let lbu make up to 3 backups
# BACKUP_LIMIT=3

Remember to set a root password; by default Alpine Linux's root account is passwordless.

passwd root

Backup apkprov

It's a good idea to back up your apk provision file (the apkovl). You can pull it off your router to your local workstation with:

scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./

And decrypt it with:

openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz

It can be encrypted with:

openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc

Harden SSH

Generate a SSH key

ssh-keygen -t rsa -b 4096

You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys.

You can put multiple public keys on multiple lines if more than one person has access to the router.

/etc/ssh/sshd_config

A couple of good options to set in here can be:

ListenAddress 192.168.1.1
ListenAddress 192.168.2.1

While this isn't usually a good idea, a router doesn't need more than one user.

PermitRootLogin yes

The most important options:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  /etc/ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no

/etc/conf.d/sshd

You will want to add

rc_need="net"

This instructs OpenRC to make sure the network is up before starting ssh.

Finally add sshd to the default run level

rc-update add sshd default


Additionally you may want to look at Secure Secure Shell and tighten OpenSSH's cryptography options.

References