As I mentioned in my previous post, I bought an OrangePi R1+ to use as a router for my work laptop. Well, I received it the other day and it’s great! It does run hot: even with the CPU/RAM heatsinks I added it hovers around 65°C. That’s partially due to the case, it seems, which maybe could have some more air holes. The thing is tiny - about half the length of a RPi. It manages 800Mbps+ according to iperf3, so it easily forwards my ~310Mbps FTTP.

I set it up as a router using nftables and dhcpd:

apt install isc-dhcp-server tcpdump wondershaper nftables dnsutils whois iperf3 speedtest-cli

You can control a few options by running armbian-config, but I found most things were easier/better done the regular Debian way; I feel the same about raspi-config.

For some weird reason Armbian has it configured with eth0 and lan0, which made no sense (why not wan and lan if anything?), so I fixed that by modifying /etc/udev/rules.d/70-rename-lan.rules to rename the USB Ethernet back to eth1:

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="r8152", NAME="eth1"

So now I have the “lan” (connects to the laptop) on eth0 and “wan” (connects to the router) on eth1. It’s a little confusing as the router is on my usual LAN, but to the OrangePi/laptop that’s the WAN.

I disabled root login and switched to sudo:

passwd -d root
passwd -l root

As it uses u-boot instead of grub, I had to disable IPv6 using sysctl instead, and enabled IP forwarding in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness=100
net.ipv4.ip_forward = 1

I changed /etc/default/chrony to only listen on IPv4:

DAEMON_OPTS="-F -1 -4"

As it’s still based on Debian Buster, you can’t just drop files in /etc/ssh/sshd_config.d/, so I changed a few things in the main sshd_config:

ListenAddress <eth1 ip>
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no

I also noticed wondershaper seems different to Bullseye: it doesn’t have the off-by-10x bug but also doesn’t seem as accurate, so wondershaper eth0 512 1024 seems to give you around 1.5Mbps both ways!

The red/green LEDs on the board are annoying, as the green one (which I assume is a status/disk LED) rarely comes on, and the red (power?) one seems to be confused with the Ethernet activity LED - maybe the Armbian install is really just the NanoPi R2S build and they haven’t fixed the DTB, as the max/min brightness of 0-255 seems to do nothing and it’s just 0/1 = on/off. So I wrote a couple of scripts - one to turn them off after it’s finished booting, and another to turn them on just before shutdown (as otherwise you can’t tell when it’s shut down as the LEDs are already off!) - and some systemd units:

/usr/local/bin/ledsoff.sh:

#!/bin/sh
# Turn the status, WAN and LAN LEDs off (systemd needs the shebang to exec this file)
echo 0 > /sys/devices/platform/gpio-leds/leds/status_led/brightness
echo 0 > /sys/devices/platform/gpio-leds/leds/wan_led/brightness
echo 0 > /sys/devices/platform/gpio-leds/leds/lan_led/brightness

/usr/local/bin/ledson.sh:

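#!/bin/sh
# Turn the status, WAN and LAN LEDs back on (systemd needs the shebang to exec this file)
echo 1 > /sys/devices/platform/gpio-leds/leds/status_led/brightness
echo 1 > /sys/devices/platform/gpio-leds/leds/wan_led/brightness
echo 1 > /sys/devices/platform/gpio-leds/leds/lan_led/brightness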

/etc/systemd/system/run-at-startup.service:

[Unit]
Description=Run script at startup after all systemd services are loaded
After=getty.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/usr/local/bin/ledsoff.sh
TimeoutStartSec=0

[Install]
WantedBy=default.target

/etc/systemd/system/run-before-shutdown.service:

[Unit]
Description=Run my custom task at shutdown
DefaultDependencies=no
After=shutdown.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/ledson.sh
TimeoutStartSec=0

[Install]
WantedBy=shutdown.target

To expand the root filesystem to make use of the entire 32GB microSD card, and enable the new services, I ran:

systemctl daemon-reload
systemctl enable --now run-at-startup.service
systemctl enable --now run-before-shutdown.service
systemctl enable armbian-resize-filesystem
systemctl enable --now nftables
systemctl enable --now isc-dhcp-server
systemctl disable --now unattended-upgrades.service
systemctl disable --now apt-daily-upgrade.timer
systemctl disable --now wpa_supplicant.service
systemctl disable --now smartd

And that’s about it. It’s now sitting in the loft with WAN going to the switch and LAN going to the patch panel, so when I plug the laptop into the wall port in my office, it gets a DHCP address, DNS servers, gateway etc., and can use my FTTP without being able to connect to anything on my home LAN (one of my PCs can ssh using keys into it for control/backup).
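The post does not show the nftables ruleset, so here is one way to get the isolation described above, as an added example rather than the author's own configuration. It assumes eth0 is the laptop side and eth1 the home-LAN side (as on the page); the home subnet 192.168.1.0/24 and admin PC 192.168.1.10 are placeholders, and it assumes DHCP hands the laptop resolvers that are outside the home subnet.

```nftables
#!/usr/sbin/nft -f
# Added example, not the author's ruleset. Addresses below are placeholders.
flush ruleset

define LAN_IF   = "eth0"            # laptop side (page: "lan")
define WAN_IF   = "eth1"            # home-LAN side (page: "wan")
define HOME_NET = 192.168.1.0/24    # placeholder: the home LAN to keep the laptop out of
define ADMIN_PC = 192.168.1.10      # placeholder: the one PC allowed to ssh in

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The laptop may only ask this box for a DHCP lease and ping it.
        iifname $LAN_IF udp dport 67 accept
        iifname $LAN_IF icmp type echo-request accept
        # SSH is reachable only from the admin PC, only on the home-LAN side.
        iifname $WAN_IF ip saddr $ADMIN_PC tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Order matters: refuse laptop -> home LAN before allowing laptop -> anywhere.
        # If the laptop's DNS server were inside HOME_NET, it would need an
        # explicit "udp/tcp dport 53 accept" for that one address above this line.
        iifname $LAN_IF oifname $WAN_IF ip daddr $HOME_NET drop
        iifname $LAN_IF oifname $WAN_IF accept
        # Nothing is allowed from the home LAN towards the laptop (policy drop).
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the laptop subnet behind the eth1 address.
        oifname $WAN_IF masquerade
    }
}
```

On Debian, nftables.service loads /etc/nftables.conf; running nft -c -f on the file checks its syntax without applying it.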

Update: Just upgraded it to Bullseye (Armbian 21.08.1) using the same method as regular Debian and it’s running fine. I also disabled a few more processes/services which were pointless, like wpa_supplicant on a board with no Wi-Fi and smartd on a board that only has an SD card for storage! After a week or so it’s still hovering around 60-65°C. I also measured the current use with a couple of different USB-C power supplies and it never got above 0.71A @ 5.03V (averaged less than half an amp), so I’ve no idea why they say a 2A+ power supply is needed.