As I mentioned in my previous post, I bought an OrangePi R1+ to use as a router for my work laptop. Well, I received it the other day and it’s great! It does run hot, even with the CPU/RAM heatsinks I added it hovers around 65c, that’s partially due to the case it seems, which maybe could have some more air holes. The thing is tiny - about half the length of a RPi. It manages 800mbps+ according to iperf3, so easily forwards my ~310mbps FTTP.
I set it up as a router using nftables and dhcpd:
apt install isc-dhcp-server tcpdump wondershaper nftables dnsutils whois iperf3 speedtest-cli
You can control a few options by running armbian-config but I found most things were easier/better done the regular Debian way, I feel the same with
For some weird reason Armbian has it configured with eth0 and lan0, which made no sense (why not wan and lan if anything?) so I fixed that by modifying
/etc/udev/rules.d/70-rename-lan.rules to rename the usb ethernet back to eth1:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="r8152", NAME="eth1"
So now I have the “lan” (connects to the laptop) on eth0 and “wan” (connects to the router) on eth1. It’s a little confusing as the router is on my usual LAN, but to the OrangePi/laptop that’s the WAN.
I disabled root login and switched to sudo:
passwd -d root
passwd -l root
As it uses u-boot instead of grub, I had to disable IPv6 using sysctl instead, and enabled IP forwarding in
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness=100
net.ipv4.ip_forward = 1
/etc/default/chrony to only listen on IPv4:
DAEMON_OPTS="-F -1 -4"
As it’s still based on Debian Buster, you can’t just drop files in
/etc/ssh/sshd_config.d/, so I changed a few things in the main sshd_config:
ListenAddress <eth1 ip>
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
I also noticed wondershaper seems different to Bullseye, it doesn’t have the off by 10x bug but also doesn’t seem as accurate, so
wondershaper eth0 512 1024 seems to give you around 1.5mbps both ways!
The red/green LEDs on the board are annoying, as the green one, which I assume is a status/disk LED, rarely comes on, and the red (power?) one seems to be confused with the ethernet activity LED - maybe the Armbian install is really just the NanoPi R2S build and they haven’t fixed the DTB, as the max/min brightness of 0-255 seem to do nothing and it’s just 0/1 = on/off. So I wrote a couple of scripts - one to turn them off after it’s finished booting, and another to turn them on just before shutdown (as otherwise you can’t tell when it’s shut down as the LEDs are already off!) and some systemd units:

#!/bin/sh
# /usr/local/bin/ledsoff.sh: turn all three LEDs off once boot has finished
echo 0 > /sys/devices/platform/gpio-leds/leds/status_led/brightness
echo 0 > /sys/devices/platform/gpio-leds/leds/wan_led/brightness
echo 0 > /sys/devices/platform/gpio-leds/leds/lan_led/brightness

#!/bin/sh
# /usr/local/bin/ledson.sh: turn all three LEDs back on just before shutdown
echo 1 > /sys/devices/platform/gpio-leds/leds/status_led/brightness
echo 1 > /sys/devices/platform/gpio-leds/leds/wan_led/brightness
echo 1 > /sys/devices/platform/gpio-leds/leds/lan_led/brightness

# run-at-startup.service
[Unit]
Description=Run script at startup after all systemd services are loaded
After=getty.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/usr/local/bin/ledsoff.sh
TimeoutStartSec=0

[Install]
WantedBy=default.target

# run-before-shutdown.service
[Unit]
Description=Run my custom task at shutdown
DefaultDependencies=no
After=shutdown.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/ledson.sh
TimeoutStartSec=0

[Install]
WantedBy=shutdown.target
To expand the root filesystem to make use of the entire 32gb microSD card, and enable the new services, I ran:
systemctl daemon-reload
systemctl enable --now run-at-startup.service
systemctl enable --now run-before-shutdown.service
systemctl enable armbian-resize-filesystem
systemctl enable --now nftables
systemctl enable --now isc-dhcp-server
systemctl disable --now unattended-upgrades.service
systemctl disable --now apt-daily-upgrade.timer
systemctl disable --now wpa_supplicant.service
systemctl disable --now smartd
And that’s about it, it’s now sitting in the loft with WAN going to the switch and LAN going to the patchpanel, so when I plug the laptop into the wallport in my office, it gets a DHCP address, DNS servers, gateway etc; and can use my FTTP without being able to connect to anything on my home LAN (one of my PCs can ssh using keys into it for control/backup).
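The post does not include the nftables rules, so here is an added example (not the author's ruleset) of one way to get the behaviour described above: the laptop on eth0 is NATed out through eth1 but cannot reach the home LAN, and only one PC may SSH in. The 192.168.1.0/24 home subnet and the 192.168.1.10 admin PC address are assumed values, and it assumes the DNS servers handed out by DHCP sit outside the home subnet.

```nftables
#!/usr/sbin/nft -f
# Added example, not the author's ruleset. Assumed (constructed) values:
#   eth0 = laptop side, eth1 = home-LAN side (the OrangePi's "wan")
#   192.168.1.0/24 = home LAN, 192.168.1.10 = the PC allowed to SSH in
flush ruleset

define LAPTOP_IF = "eth0"
define HOME_IF   = "eth1"
define HOME_NET  = 192.168.1.0/24
define ADMIN_PC  = 192.168.1.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # SSH to the OrangePi only from the single admin PC on the home LAN
        iifname $HOME_IF ip saddr $ADMIN_PC tcp dport 22 accept
        # DHCP requests and ping from the laptop side
        iifname $LAPTOP_IF udp sport 68 udp dport 67 accept
        iifname $LAPTOP_IF ip protocol icmp icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Isolation: the laptop may not open connections into the home LAN
        iifname $LAPTOP_IF oifname $HOME_IF ip daddr $HOME_NET drop
        # Anything else from the laptop is forwarded out towards the internet
        iifname $LAPTOP_IF oifname $HOME_IF accept
        # No rule accepts new connections from eth1 to eth0, so the home LAN
        # cannot reach the laptop either (policy drop)
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the laptop subnet behind the OrangePi's eth1 address
        oifname $HOME_IF masquerade
    }
}
```

Running nft -c -f on the file checks the syntax without loading it, which avoids locking yourself out of SSH with a typo.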
Update: Just upgraded it to Bullseye (Armbian 21.08.1) using the same method as regular Debian and it’s running fine. I also disabled a few more processes/services which were pointless like wpa_supplicant on a board with no wifi and smartd on a board that only has an sdcard for storage! After a week or so it’s still hovering around 60-65c. I also measured the current use with a couple of different USB-C power supplies and it never got above 0.71A @ 5.03v (averaged less than half an amp) so I’ve no idea why they say a 2A+ power supply is needed.