How to turn anything into a router

DIY Routing Basics

  • Many commenters stress that “a router is just a computer doing IP forwarding + NAT,” and Linux already has everything needed (iptables/nftables, dnsmasq, hostapd).
  • Even very old x86 hardware can route gigabit in software for typical home use; routing itself is rarely the bottleneck.
  • Some appreciate the article for demystifying routing; others argue it’s mainly useful as a learning exercise, not the easiest production setup.

Hardware Choices & Performance

  • Common DIY platforms: old laptops/desktops, mini‑PCs (N100/N150, Atoms), fanless appliances, SBCs (Pi, Banana Pi, NanoPi), and x86 running OpenWRT.
  • Several report 1–2+ Gbps NAT, VPN, and complex firewall rules on modest CPUs (Atoms, low‑end desktop CPUs).
  • Concerns include power consumption (old Macs and generic PCs vs low‑power ARM/mini‑PCs) and reliability of cheap AliExpress boxes.
  • For 10G+, performance gets trickier; some claim modern desktop CPUs can saturate 25G, others say typical router CPUs struggle without offload.

Single NIC + VLANs vs Multiple NICs

  • Strong theme: you can build a “router on a stick” with one NIC and a managed VLAN‑capable switch.
  • Advantages: reuse old hardware; flexible network segmentation (IoT, guest, WAN/LAN separation) over one trunk.
  • Counterpoints: added configuration complexity, a potential single‑port bottleneck when pushing near‑symmetrical gigabit, and fear (often called unfounded) of VLAN hopping due to misconfiguration.
  • Extra NICs or USB NICs are proposed as a simpler mental model for many users.

Wi‑Fi, Mesh, and AP Strategy

  • Many prefer separating routing from Wi‑Fi: run a wired router and dedicated access points (Unifi, Mikrotik, Ruckus, etc.), often with VLAN‑per‑SSID.
  • Hostapd on commodity cards is seen as educational but often worse in performance and reliability than purpose‑built APs.
  • Mesh in homes is debated: some see it as common for larger houses; others call it a minority or overhyped. Mesh is described as mainly AP coordination and wireless backhaul, not magic.

Router OS vs General Linux

  • Split opinion:
    • Pro‑appliance: OpenWRT, OPNsense, pfSense, Sophos, ClearOS give web UIs, updates, backups, and less “weekend sysadmin” work.
    • Pro‑generic Linux/BSD: more flexible, easier to co‑host services, and avoids opaque GUIs that abstract/hide underlying networking.

Firewalling, nftables, and Security

  • Routing is considered “easy”; secure firewalling is hard, especially with modern encrypted traffic.
  • nftables is widely seen as superior to iptables (atomic updates, better debugging), though some stick with iptables out of familiarity.
  • Strong warnings against UPnP and against running many exposed services on the edge router; others argue careful container/VM isolation can be acceptable but increases complexity.
  • Docker’s automatic firewall rules are cited as a common foot‑gun on router hosts.

Tuning, Offload, and Latency

  • A few discuss sysctl and queueing tweaks (e.g., disabling early_demux, fq_codel/CAKE, NIC/stack tuning) to improve latency and jitter, especially for gaming/VoIP.
  • Hardware acceleration: certain NICs and SoCs can offload connection tracking and flow handling via netfilter flowtables; this is niche and hardware‑specific.
  • Dedicated router/switch ASICs (as in commercial routers) are generally acknowledged as lower‑latency and more power‑efficient than Linux bridging/routing on generic NICs.

Policy & “Banning Routers” Angle

  • Some speculate about policy motivations for restricting router imports:
    • Using compromised routers for surveillance, lateral movement, and DDoS.
    • Ability to remotely disable large numbers of devices and cause communication blackouts.
    • Access to metadata (DNS, IPs, volumes) even with TLS.
  • Others are skeptical, pointing out that similar risks exist with domestic brands and that better baseline security requirements (unique passwords, patching obligations) might address many problems.

Practical Recommendations & Gotchas

  • Many advocate: learn with DIY Linux, then consider moving to an appliance OS for day‑to‑day stability.
  • Recommended patterns: router in a closet with serial console for recovery; keep Wi‑Fi separate; avoid overloading the router with unrelated services; use VLANs or extra NICs based on comfort.
  • Several share long‑term success stories with old PCs and embedded boards running OpenBSD, OpenWRT, or OPNsense for years with minimal maintenance.