Mainboard as Internet Router + Wireless AP + NAS Project

So I just got the email that my project proposal was accepted into the creator contest thing, and a mainboard for me to dev on is coming soon. Therefore, I wanted to start this thread to outline the project, its goals, list needed parts, solicit feedback and ideas, etc. And to reserve space for the final how-to writeup once it is done.

Thanks to Framework for helping to make this project happen years earlier than it would if I had to wait to upgrade my laptop’s mainboard first!

PROJECT RATIONALE: Commercially available consumer grade routers kind of suck. Much like traditional laptops, they are not easily upgradeable, repairable, etc. All in one board combos of SOC, wifi radios, and nvram flash memory means for most users that a failure in one part, or a significant wifi standards upgrade comes out, or a security issue in the firmware of an old abandoned model is discovered, then the whole unit needs replaced at significant cost. Whereas, many Framework users will have upgraded their mainboards in the coming years, and will need something useful to do with the older (but perfectly capable of this task) mainboard.

CREATOR CONTEXT: I have a Netgear R7000P main router (Wifi 5 only) + an R7000 as a secondary AP (both running the third party DD-WRT open source firmware) + a separate Raspberry Pi functioning as NAS. I have done long range wifi projects to cover an entire 40 acre site, as well as create a broadband link between two sites nearly a mile apart with custom and off the shelf hardware buildups. While it is great to have DD-WRT on the routers as an option, there are some features that just are not coming to my routers, due to chip level and proprietary firmware blob limitations. WPA3 is the most glaring example of tech that I cannot get without a hardware upgrade. Also, the pre-compiled packages available in opkg are often out of date, compiled with odd options and strange incompatibilities, or sometimes badly feature crippled in the ARM environment. I have used Raspberry Pis of various generations to create ad hoc hotspots and aviation ADS-B receivers, so I am somewhat familiar with the hardware and driver requirements for getting this working with modern Linux kernels. I have also done proof of concept USB wireless dongle APs connected to my current Framework laptop that passed packets to a wider LAN/WAN connection.

PROPOSED SOLUTION: Use a Framework mainboard and its associated well-supported CPU as the primary wired and wireless router for a small home or office network, complete with most of the necessary things from a commercially available consumer grade router. The goal will not be to make the highest performance router ever, but to develop recipes for maximal re-use of current gen (aka soon to be last gen) components that would likely be upgraded alongside a main board upgrade, with minimal new purchases.

The critical list of functions that the router and AP should handle elegantly include:

  • WAN static IP, DHCP client, etc
  • Firewall
  • OpenVPN and/or WireGuard server
  • OpenVPN and/or WireGuard client
  • USB ethernet ports (at least 1, demonstrated 2-8 working as a network bridge would be better)
  • USB connected wifi dongles with infrastructure AP mode (at least 1, 2+ working in network bridge would be better)
  • Bootable storage
  • External storage
  • SSH access for setup and control of the router
  • DNS server, with support for local domain / hostname list, upstream queries, support for LAN and VPN LAN, etc.
  • DHCP, with dynamic update of local DNS entries
  • NAS for external storage with important protocols, such as CIFS (aka samba) and SFTP, allowing for general file backup and easily connecting modern media players such as Kodi, VLC, etc.
  • 3d printable case design with sufficient room off of each side to host a reasonable amount of USB peripherals, optional cooling fans, etc

STRETCH GOALS:

  • AX210 6E card working in AP mode (as a use for old Framework supplied cards, may not be possible with proprietary blob firmwares)
  • Parameterized OpenSCAD model file for the case design
  • Federated network storage protocols such as DRBD, UnionFS, and/or similar
  • ~25m long powered USB extension cable sets to spread out AP dongles and/or antennas
  • QoS
  • DMZ
  • IP or MAC based device sandboxing (denial of WAN access) on a permanent or scheduled basis
  • Guest networks with access to WAN but not LAN
  • Minimizing total power consumption, no fan necessary for normal routing loading, etc.
  • Small touchscreen for display of system stats, “nice” reboots, etc.

METHOD: I plan to use arch linux, DE-less install, as the base for my recipe. Part of this is go with what you know, but I also firmly believe this is the best starting point for this use case. I will be implementing one feature at a time until I reach full functionality of the necessary features, then using it as my main home router after that.

PARTS USED IN THIS PROJECT:

OPTIONAL PARTS:

  • NVM.e 2230 AX210 card from Framework Marketplace, USD$19
  • Wifi antennas for AX210 from Framework Marketplace USD$14
  • USB power meter: https://m.aliexpress.com/item/32854809579.html , USD$12
  • USB Touchscreen
  • External USB hard drives or SSD enclosures

PITFALLS:

  • USB is not exactly the best connection method for devices that want to be low latency like network cards and wifi dongles, especially multiple devices on the same bus
  • USB wifi dongles sometimes consume unreasonable amounts of wattage vs the ERP they put out
  • Intel support for AX210 in general, proprietary blob firmware in Linux, but especially over-conservative interpretation of regulatory domains for AP mode. Research in progress on this.

GENERAL STEPS:

  • Purchase required items
  • Receive mainboard
  • Verify batteryless operation and USB-PD power supply operation, explore TDP and pass through power limits
  • Stand up USB to wired internet peripherals
  • Stand up USB to wireless AP internet peripherals
  • Install and configure equivalent NAS
  • Install and test firewall
  • Move this into primary position on my home network
  • Work on optional features one at a time
  • Party like it’s 1999.

I welcome all of your input, feature request additions, best practice idea documents, etc.!

24 Likes
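The firewall-related goals in the first post (SSH for router control, DNS/DHCP, NAS over CIFS, a WireGuard server, guest networks with WAN but not LAN, and MAC-based denial of WAN access) could be expressed as a default-drop nftables ruleset along these lines. This is an added example, not part of any post in the thread; the choice of nftables, the interface names, and the MAC address are assumptions.

```nftables
#!/usr/bin/nft -f
# Constructed example: interface names and the MAC address below are
# placeholders, not values taken from the thread.
flush ruleset

define WAN     = "wan0"      # uplink NIC (assumed name)
define LAN     = "br-lan"    # bridge of USB ethernet ports + main AP (assumed)
define GUEST   = "br-guest"  # guest AP interface (assumed)
define WG      = "wg0"       # WireGuard server interface (assumed)
define WG_PORT = 51820       # WireGuard's default listen port

table inet router {
    # Devices denied WAN access, matched by source MAC (placeholder entry).
    set wan_blocked {
        type ether_addr
        elements = { 02:00:00:00:00:01 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Router management (SSH/SFTP) only from LAN and VPN, never WAN or guest.
        iifname { $LAN, $WG } tcp dport 22 accept
        # DNS for every local segment, DHCP for the two wireless/wired segments.
        iifname { $LAN, $GUEST, $WG } meta l4proto { tcp, udp } th dport 53 accept
        iifname { $LAN, $GUEST } udp dport 67 accept
        # NAS (SMB/CIFS) for LAN and VPN clients only.
        iifname { $LAN, $WG } tcp dport 445 accept
        # WireGuard handshakes may arrive from any interface.
        udp dport $WG_PORT accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Sandboxed devices: no WAN, LAN still reachable.
        oifname $WAN ether saddr @wan_blocked drop
        # Guest: WAN only. Anything toward LAN or VPN falls through to policy drop.
        iifname $GUEST oifname $WAN accept
        # Trusted segments may reach the WAN and each other.
        iifname { $LAN, $WG } oifname { $WAN, $LAN, $WG } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Loading it with `nft -c -f <file>` checks the syntax without applying anything; MAC matching only identifies a device as well as its MAC can be trusted, so it suits scheduling and housekeeping rather than containing a hostile client.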

Nice!!

There are a few parts hanging around begging to be used:

  • there are M.2 2230 A+E gigabit cards and even a 2.5 GbE card (don’t know if these work using CNVi though)
  • for a NAS, there’s an M.2 to 5-port SATA adapter, although the reviews say the PCB is very thin

It might be better to have a single gigabit connection from the M.2 2230 to a cheap gigabit switch and from there to dedicated APs, running a controller on the mainboard like UniFi or Omada with these APs. Even better with a 2.5 G link, but 2.5 G switches still aren’t all that cheap.

In regards to the OS, you seem to really know what you’re doing here so I doubt I can contribute, but I did play around with pfSense and later IDS applications (first Sophos UTM then Untangle, though I see that’s now gone 100% enterprise). Two very useful and powerful packages available on pfSense were Snort and Suricata. The Framework mainboard certainly has the power to run these; most routers don’t.

Oooh, oooh, there’s also Pi-hole (though that’s for Raspbian/Debian).

You’re comfortable with Arch, but there’s also Vyatta for a from-the-ground-up router OS.

That’s kind of feature creep though, emphasizing more NAS and IDS parts. You’re probably aware of all this stuff, I just wanted to make sure.

Good luck on your project and I’ll be following closely! :grinning:

5 Likes

Thanks for chiming in with the ideas. Would be happy to collaborate with you or someone else on parallel development of this project using those ingredients in the recipe. I probably won’t include most of those elements you mentioned, only because they don’t quite fit my use case and areas of expertise as well.

Agreed that the single connection to a switch would probably be the easier route. However, I think I will do the multiple USB wired NICs directly attached to the F.w, because I have them on hand, and to demonstrate how and perf test different configurations. That and I don’t have and don’t want to buy a wired switch if I can avoid it.

As to Arch vs Vyatta, definitely an interesting suggestion. If I had more time to dig into their software ecosystem, I’d be a lot more likely to lean that way. As it is, again defaulting to what I know at the start, maybe branch out more after the skeleton functions are done and especially after wireless AP dongle drivers are proven working.

Pi-Hole has other equivalents out there in the arch ecosystem IIRC. I didn’t include ad blocking or DNS denial list in required or stretch goals as I haven’t had a lot of great experiences with them. Tends to break more sites and functions than it saves in bandwidth and CPU to not load ads, browsers do this better in many cases, etc, in my opinion. I can certainly see this being a required function for a school, office, church, library, etc though!

Please don’t take my not incorporating your suggestions as invalidating them on any level, other than my personal preferences. If you have any other ideas, I’m all ears / eyes / whatever.

2 Likes

Sure, no problem, we have different ideas and ultimately different end goals. To be honest I have more talk and ideas than skill. :wink:

1 Like

Haha yeah it takes both inspiration and perspiration to get a new idea implemented.

USB-PD charger, cable, USB power meter, cheap ram and SSD, and another AX210 non vPro card are on their way for this project.

You absolutely could do this, but I think it is HUGE overkill on the processing power of the setup, just in general. Depending on the throughput of your small network, I just don’t see the thing coming anywhere close to needing all that power.

Still, the beauty of the Framework design principle, is that it only needs to make sense to you. So all the best, and I’ll be keeping an eye out for it!

You’re 100% correct lol. I do plan to use the board for a few other functions simultaneously also, but those are beyond the scope of this project.

2 Likes

Have you considered networking your Framework laptop/router mainboard via Thunderbolt networking? Works really well. With a Framework laptop connected to an Intel NUC 8i5bek with a cable between the usb-c ports (both running arch) I get an excellent 10Gbe link - over a gigabyte a second. It is very nice for moving vm images/large files and would mean your router can make use of the i5’s horsepower…10Gbe routers are expensive and this setup is great for a homelab.

Most of the Linux doc on Thunderbolt networking implies link local networking but you can also add the thunderbolt interfaces to an ethernet bridge - the NUC forwards internet traffic on its ethernet to/from the Framework.

1 Like

I do not personally have a use case for TB networking, and I do not have a NUC to turn into a switch (if I am understanding what you are meaning in your description). Again, parallel dev with me if you want to on your variation!

Just a little more specific feedback request, as I am deciding what wireless NIC cards to focus on, and was curious what is more important to all of you. Please reply with as many from this list as you think should be the first NIC cards I acquire and try for this project:

  • Least cost
  • Reuse AX210 and make it the most functional possible considering Intel / driver limitations
  • State of the art tech like Wifi 6E
  • Older but better supported wifi ap mode chipsets in linux
  • Lowest power consumption
  • Something else (please specify)

I’d be more than happy with parallel development.

I was using the NUC to test the idea as I don’t have a Framework mainboard yet (I’m based in UK so not on sale from the marketplace yet…soon I hope). The Framework mainboard in a mini pc like case would replace the NUC acting as switch/router/firewall/AP as required. The Framework mainboard should be much better than the NUC with more TB ports, usb C PD and battery operation, better cooling and an open design. NUCs have lots of weird closed source or undocumented bits and Intel support is poor.

Since this will be a wired and wireless router, reliability and performance is paramount. With that in mind:

This is probably best. The AX210 is being field tested in almost every Framework laptop and despite some teething problems in drivers, appears to work well overall. Caveat: see below.

No - that’s one thing it appears the AX210 Linux drivers can’t handle at all right now. Since it’s just used to increase speed - if you want increased speed, go wired: gigabit, 2.5 GbE, 5 GbE, 10 GbE.

No need, if WiFi 6 (ignoring 6E) can be supported, WiFi 5, WiFi 4, etc. can all be supported too.

If this will be permanently line powered, who cares? This brings up an interesting point though, if the battery were included in the build, it could function as a UPS. Even so, the power consumption of the card is insignificant compared to the overall power consumption on line power. (Also if you need a UPS use an actual UPS that has proper battery conditioning and greatly expanded capacity but I digress).

It would be nice to use the built in AX210. Intel’s recent firmware seems buggy though. On my Framework (batch 8, bios 3.07, Arch linux 5.17.5-arch1-1 up to date) recent firmware versions in /lib/firmware/ don’t seem to always correctly initialise the card at boot time.

Using iwlwifi-ty-a0-gf-a0-62.ucode.xz seems to work for me, but you have to rm the subsequent versions: iwlwifi-ty-a0-gf-a0-63, 66, 67, 68 and 71 all seem to fail at boot sometimes.

I’d guess this will get fixed before too long.

Supporting a wireless adapter that had good open source drivers , AP modes and/or bridging to ethernet (and TB for my use case!) would also be nice.

Quick update: USB Power meter, AX210 and spare antenna, SSD, and RAM have arrived so far. Springtime is irrigation season here so pretty busy the next few days, but I’ll set aside some time to work on this once the mainboard arrives.

Just got an updated email from Framework saying that the Mainboard hasn’t shipped yet, but will soon.

2 Likes

Excited to hear your progress with this as you post updates. I’ve done homemade Linux and BSD routers before with OpenWRT and pfSense, definitely a good project idea for this board.

The hardware’s overkill just for a household’s routing and firewall, but it’s something that could be good for enterprise applications too. We build Linux firewalls from scratch at my employer with off the shelf hardware, this could be very much in the same vein for a lower powered solution.

Only commentary I have is Linux wifi routers do work, and you’d be able to use the Framework’s wifi card with it, but, depending on the size of area you’re looking to cover and what you’re looking to do with wireless versus hard wired connectivity, it might be better to put a dedicated WAP downstream from the Framework. I do this with my home network, OpenWRT router and a Ubiquiti WAP.

I’ll definitely be hitting you up to check my work on initial firewall config, when I get to that point. I know enough about iptables and such to make me dangerous, not enough to hit a home run on the first swing lol.

In my setup, this unit will be a wireless AP for core of the home coverage, and there will necessarily be a second wireless AP in the other corner of my house. Therefore I can document both use cases, and people can go whichever route makes sense for their physical and electronic topology…

2 Likes

This is exactly the kind of content I love to see from the community, and exactly the kind of use I would have for old mainboards. You have a rather ambitious list of goals, but it is definitely not hardware limited! :wink:

I do not mean to deter you from your goal, but I wonder if you have considered virtualization as an option to reach all of your needs on the software side? For example, it seems like there are a couple of different concerns which might best be handled separately:

  1. Routing/networking/firewall
  2. NAS for backup
  3. Potential media sharing possibilities (i.e. the mention of streaming with Kodi, I’d add Jellyfin/Plex)

Separating out these concerns, one possibility that arises is the use of a barebones, virtualization-focused OS like Proxmox to create separate VMs or containers for these functions. For example, it is not uncommon to virtualize an extremely feature-complete routing OS like Opn/pfSense to function as the router/firewall (pfSense on Proxmox, OpnSense on Proxmox + with HA, you could also use OpenWRT as well). Then you could use separate containers for NAS/filesharing functions as well as streaming. The VM focused on routing would come with advantages, since these battle-tested, routing-focused OSes have many features baked-in. I’m not as familiar with the OpnSense side of things, but all of these are available on my openWRT router:

  • QoS
  • DMZ
  • Guest networks
  • Fail2ban
  • Various VPN server/client protocols
  • A pretty web portal for configuration, as well as SSH access with command line

If you’re using 11th gen, you likely don’t have the CPU cores to create separate VMs for all of these functions. You’d probably want a VM for the most security-related function (firewall) but the NAS/streaming-related functions could probably work well using the LXC containers supported by Proxmox.

Of course, you’re probably looking to make this more “appliance-like” than this, but I thought this could be an interesting option with some advantages. Best of luck on your project!

In my current setup, the two items quoted above are handled with one subsystem, i.e. samba / smbd . Samba is not the most awesomest thing ever, but it is a very well known road and widely compatible with linux, Android apps, etc.

Interesting thought about containerization, different VMs for different functions. I can see security boons from this setup, but I can also see resource and especially user hassle banes from such a thing as well. I will consider that as a stretch goal.

On a different subject, I have been experimenting with the USB power meter and my existing Framework laptop. I am seeing a very stable 19v at 2.85a from a ~100w class USB-PD power supply under 100% CPU stress test + battery charging demand. Minimum CPU and charging load conditions are more like 19.7v at .5 to .9 amps and highly variable in this range. Will be interesting to compare this to a battery-less mainboard setup.

Gotcha. Yeah, that is certainly a rather flexible and attainable approach. An LXC container running a Nextcloud instance would be somewhat interesting, although way more involved.

An additional pro is that a VM for the router/firewall subsystem means that you can easily snapshot the whole router OS, making rollbacks to known working configuration a piece of cake. The user hassle is absolutely a con, although I don’t know how much worse of a hassle it is compared with the pain of configuring router software in general. Anyone doing this will need to “get in to the weeds” a bit :smile: . Though the VM is certainly an abstraction that can add a bit of complexity.

Yeah, 11th gen has 4 cores… I’d think that using 1 or 2 cores for a router VM and sharing the remainder using LXC would not be too problematic. LXC containers (and my personal preference, LXD containers) are very nice because I can have several running concurrently with very little resource penalty, and you can set resource limits, etc. For more general server usage of these mainboards, the more plentiful E cores in the 12th gen might be sort of interesting, but that’s way out of scope of your project :laughing:

You can’t readily (if at all) use an Intel wifi card because they don’t support AP mode, they’re client only cards.