Notes

Notes Organized thoughts & experiments Zola 2026-04-07T00:00:00+00:00 https://blog.boers.email/atom.xml Building a Custom NixOS Router for Freedom Internet 2026-04-07T00:00:00+00:00 2026-04-07T00:00:00+00:00 Unknown https://blog.boers.email/posts/freedom-internet-nixos/ <p>Due to the persistent lack of IPv6 support at Odido, I finally made the switch to <strong><a rel="external" href="https://freedom.nl">Freedom Internet</a></strong>. My primary goal was to learn how IPv6 works, and frankly, I was done with Odido's lax attitude toward their customers.</p> <h2 id="from-pfsense-to-nixos">From pfSense to NixOS</h2> <p>My initial setup was running pfSense 2.7. The transition to Freedom was actually seamless at first; after configuring DHCPv6, I had an IPv6 connection immediately. However, things went south when I decided to update to version 2.8 to stay current. Suddenly <em>-bam-</em> my router hung indefinitely while loading <code>if_pppoe</code>.</p> <p>I had been wanting to try <strong>OPNsense</strong> for a while, so I took the opportunity to install it, but I simply couldn't get it online. I reinstalled pfSense 2.7, but strangely encountered the same issues. That’s when I had the "brilliant" idea to build my own router from scratch using <strong>NixOS</strong>. After 15 hours of debugging, scouring blog posts, and plenty of "vibecoding," I finally achieved a working dual-stack connection!</p> <p>This blog was written after a couple of months using this setup and adjusted with changes beyond my initial setup.</p> <h2 id="technical-notes">Technical Notes</h2> <p>For those looking to attempt a similar NixOS setup, here are the key takeaways from my configuration:</p> <ul> <li><strong>PPPD for IPv4:</strong> I use <code>pppd</code> to manage the entire IPv4 connection (IP, routing, and DNS).</li> <li><strong>systemd-networkd for IPv6:</strong> <code>systemd-networkd</code> handles the full IPv6 stack and all LAN interfaces.</li> <li><strong>VLAN Tagging:</strong> The PPPoE connection runs over a VLAN with <strong>ID 6</strong>.</li> <li><strong>MTU Settings:</strong> On the physical WAN port, I set <code>linkConfig.MTUBytes = "1508"</code> to accommodate the PPPoE overhead while maintaining 1500 byte packets.</li> <li><strong>PPPoE Config:</strong> I set both <code>mtu</code> and <code>mru</code> to 1500 in the <code>pppd</code> configuration.</li> <li><strong>IPv4 Gateway:</strong> I use <code>defaultroute</code> to let <code>pppd</code> set the IPv4 gateway automatically.</li> <li><strong>DNS:</strong> I run <strong>AdGuard Home</strong> as my local DNS resolver with Freedom's DNS-over-TLS (<code>dns.freedom.nl</code>) and Quad9 as upstreams. This provides encrypted DNS queries, local caching, and network-wide ad/tracker blocking without client-side configuration.</li> <li><strong>IPv6 Solicit:</strong> Setting <code>WithoutRA = "solicit"</code> is important because Freedom doesn't send Router Advertisements; you have to start with DHCPv6 immediately.</li> <li><strong>Manual IPv6 Route:</strong> I manually set the default IPv6 route using <code>routes = [{ Gateway = "::"; ... }];</code> because Freedom does not provide this via DHCPv6.</li> <li><strong>Race Conditions:</strong> I applied <code>linkConfig.RequiredForOnline = "yes";</code> to the <code>pppd</code> interface to resolve a race condition between <code>pppd</code> and <code>systemd-networkd</code>.</li> <li><strong>CAKE QoS:</strong> I use the CAKE queue discipline for traffic shaping at 950 Mbps. This includes NAT awareness, ACK filtering, and handling for the PPPoE overhead to keep bufferbloat low while maintaining high throughput.</li> </ul> <h2 id="ipv6-prefix-delegation">IPv6 Prefix Delegation</h2> <p>Freedom provides a <code>/48</code> IPv6 prefix via DHCPv6-PD. Configuring this with systemd-networkd is straightforward. On each LAN interface, I enable prefix delegation and router advertisements:</p> <pre class="giallo" style="color-scheme: light dark; color: light-dark(#24292E, #E1E4E8); background-color: light-dark(#FFFFFF, #24292E);"><code data-lang="nix"><span class="giallo-l"><span style="color: light-dark(#E36209, #FFAB70);">networkConfig</span><span style="color: light-dark(#B31D28, #FDAEB7);font-style: italic;"> =</span><span> {</span></span> <span class="giallo-l"><span style="color: light-dark(#6F42C1, #B392F0);"> IPv6SendRA</span><span style="color: light-dark(#D73A49, #F97583);"> =</span><span style="color: light-dark(#032F62, #9ECBFF);"> "</span><span style="color: light-dark(#032F62, #9ECBFF);">yes</span><span style="color: light-dark(#032F62, #9ECBFF);">"</span><span>;</span></span> <span class="giallo-l"><span style="color: light-dark(#6F42C1, #B392F0);"> DHCPPrefixDelegation</span><span style="color: light-dark(#D73A49, #F97583);"> =</span><span style="color: light-dark(#032F62, #9ECBFF);"> "</span><span style="color: light-dark(#032F62, #9ECBFF);">yes</span><span style="color: light-dark(#032F62, #9ECBFF);">"</span><span>;</span></span> <span class="giallo-l"><span>}</span><span style="color: light-dark(#B31D28, #FDAEB7);font-style: italic;">;</span></span></code></pre> <p>systemd-networkd then:</p> <ol> <li>Requests the prefix from the upstream WAN interface</li> <li>Automatically assigns a <code>/64</code> subnet to the LAN interface</li> <li>Sends Router Advertisements so devices can auto-configure addresses</li> <li>Handles renewals transparently</li> </ol> <p>This results in devices getting globally routable IPv6 addresses without any manual subnet management or NAT configuration.</p> <h2 id="nftables-learning-by-doing">nftables: Learning by Doing</h2> <p>I’ll be the first to admit I don’t know enough about nftables yet, but writing things neatly into my NixOS configuration give me extra motivation to have a deeper understanding of such things. For example setting time-based access control for my robot vacuum:</p> <pre class="giallo" style="color-scheme: light dark; color: light-dark(#24292E, #E1E4E8); background-color: light-dark(#FFFFFF, #24292E);"><code data-lang="plain"><span class="giallo-l"><span>iifname "wifi" ip saddr ${dreame} oifname "peepee" meta hour "10:00"-"19:00" accept comment "Dreame Internet Access Window";</span></span> <span class="giallo-l"><span>iifname "wifi" ip saddr ${dreame} oifname "peepee" drop comment "Block Dreame Internet outside schedule";</span></span></code></pre> <p>Now it can only phone home between 10 AM and 7 PM. I run <a rel="external" href="https://www.ntop.org/products/traffic-analysis/ntopng/">ntopng</a> on this same router and noticed it's phoning home to Chinese Alibaba cloud servers all day long. This rule gives it a strict time window for internet access while keeping it blocked the rest of the day.</p> <p>Other fun rules include:</p> <ul> <li><strong><a rel="external" href="https://git.boers.email/nodes/seed.boers.email/rad:z2Jkf9zxGPxEhCfGLpgRAcHRj8x2n/tree/5411bfe04757ea9688555fb3fdd5ae5657481f0f/hosts/dosukoi/modules/firewall.nix#L75">Inter-VLAN routing</a></strong> with granular controls—my management VLAN can reach everything, but IoT devices are restricted</li> <li><strong><a rel="external" href="https://git.boers.email/nodes/seed.boers.email/rad:z2Jkf9zxGPxEhCfGLpgRAcHRj8x2n/tree/5411bfe04757ea9688555fb3fdd5ae5657481f0f/hosts/dosukoi/modules/firewall.nix#L31">Dynamic blocklist</a></strong> integration that drops traffic from known malicious IPs and web scanning services like Shodan.</li> </ul> <h2 id="hardware-and-performance">Hardware and Performance</h2> <p>The router runs on a <strong><a rel="external" href="https://eu.protectli.com/products/v1410/">Protectli V1410</a></strong>, a fanless mini PC with four 2.5GbE ports and an Intel N100 CPU. It's silent, low-power, and more than capable of handling gigabit fiber with all the services I run on it.</p> <p>Performance-wise, the setup is pretty solid: I’m currently hitting <strong>910 Mbps down and ~830 Mbps up</strong>. Good, but I've had pretty consistent 1Gbps up/down on my Odido line using their ONT and router.</p> <h2 id="configuration-files">Configuration Files</h2> <p>If you want to see the code behind this setup, you can find my NixOS modules here:</p> <ul> <li><a rel="external" href="https://git.boers.email/nodes/seed.boers.email/rad:z2Jkf9zxGPxEhCfGLpgRAcHRj8x2n/tree/5411bfe04757ea9688555fb3fdd5ae5657481f0f/hosts/dosukoi/modules/interfaces.nix">Network Interfaces Configuration</a></li> <li><a rel="external" href="https://git.boers.email/nodes/seed.boers.email/rad:z2Jkf9zxGPxEhCfGLpgRAcHRj8x2n/tree/5411bfe04757ea9688555fb3fdd5ae5657481f0f/hosts/dosukoi/modules/firewall.nix">Firewall Configuration</a></li> </ul> <p><em>Note: These files will likely evolve. If you're reading this in the future, be sure to check the master branch for the latest updates.</em></p> <h3 id="resources">Resources</h3> <p>I've leaned on multiple online blogs and resources, in no particular order:</p> <ul> <li><a rel="external" href="https://www.sput.nl/internet/freedom/config.html">sput.nl</a></li> <li><a rel="external" href="https://s-n.me/building-a-nixos-router-for-a-uk-fttp-isp-the-basics">s-n.me</a></li> <li><a rel="external" href="https://www.jjpdev.com/posts/home-router-nixos/">jjpdev</a></li> </ul> Is this thing on? 2026-04-06T00:00:00+00:00 2026-04-06T00:00:00+00:00 Unknown https://blog.boers.email/posts/let-there-be-posts/ <h2 id="are-we-live">Are we live?</h2> <p>I think so? Happy blogging</p> <img alt="Test image" title="Test image" src="https://blog.boers.email/processed_images/1.c176694bc50d8f20.png" srcset="https://blog.boers.email/processed_images/1.d84c65bbbb101c54.png 512w" class="" /> <pre class="giallo" style="color-scheme: light dark; color: light-dark(#24292E, #E1E4E8); background-color: light-dark(#FFFFFF, #24292E);"><code data-lang="shellscript"><span class="giallo-l"><span style="color: light-dark(#005CC5, #79B8FF);">print</span><span>(</span><span style="color: light-dark(#6F42C1, #B392F0);">"</span><span style="color: light-dark(#6F42C1, #B392F0);">pythonenv</span><span style="color: light-dark(#6F42C1, #B392F0);">"</span><span>)</span></span></code></pre>