How to Set Up and Configure a Debian Router on a Debian 12 Bookworm System

In this guide, we will walk you through setting up and configuring a Debian router on a Debian 12 system.

Introduction

Setting up a Debian-based router is an excellent choice for users who need a custom, efficient, and secure network gateway. Debian 12 “Bookworm” provides a stable and reliable platform for routing and network management.

Prerequisites

Before proceeding, ensure you have the following:

  • A computer with Debian 12 installed
  • At least two network interfaces (one for the WAN and one for the LAN)
  • Root or sudo privileges
  • Basic understanding of networking concepts

Step 1: Update the System

Before configuring the router, update the system to ensure you have the latest packages:

sudo apt update && sudo apt upgrade -y

Step 2: Configure Network Interfaces

Edit the network configuration file to define your network interfaces. Open the configuration file:

sudo nano /etc/network/interfaces

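Configure the WAN (external network) and LAN (internal network) interfaces. The names eth0 and eth1 are used throughout this guide; substitute the names your system actually assigns (Debian 12 normally uses predictable names such as enp1s0). For example: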

# WAN interface (eth0)
auto eth0
iface eth0 inet dhcp

# LAN interface (eth1)
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0

Save the file and restart networking:

sudo systemctl restart networking

Step 3: Enable IP Forwarding

To enable packet forwarding, modify the sysctl configuration file:

sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

Step 4: Configure NAT with iptables

Set up NAT (Network Address Translation) to allow internal clients to access the internet through the router:

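sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop everything else that would be forwarded; without this the chain's default ACCEPT policy lets all traffic through
sudo iptables -P FORWARD DROP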

To make the rules persistent across reboots, install the iptables-persistent package:

sudo apt install iptables-persistent

Save the iptables rules:

sudo netfilter-persistent save
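
Built-in chains default to an ACCEPT policy, and the RELATED,ESTABLISHED rule only restricts inbound traffic when the FORWARD policy is DROP. The following added example (not part of the original guide) checks an iptables-save dump for that policy and for the rules this step relies on; the function names and the trimmed sample dump are constructed for illustration, with eth0/eth1 as in the guide.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump (read from stdin) against this guide's layout.
# On a live router: sudo iptables-save | audit_router_rules eth0 eth1
audit_router_rules() {
    awk -v wan="${1:-eth0}" -v lan="${2:-eth1}" '
        /^\*/ { table = substr($1, 2) }                  # table header, e.g. *filter
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ {
            if (index($0, "-o " wan " ")) masq = 1
        }
        table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ {
            from_wan = index($0, "-i " wan " ")
            if (from_wan && /ESTABLISHED/) est = 1
            if (from_wan && !/ESTABLISHED/) open_in = 1  # new WAN-side flows accepted
            if (index($0, "-i " lan " ") && index($0, "-o " wan " ")) out = 1
        }
        END {
            bad = 0
            if (policy != "DROP") {
                print "FAIL FORWARD policy is " (policy == "" ? "missing" : policy) ", not DROP"
                bad = 1
            }
            if (open_in) { print "FAIL stateless ACCEPT for traffic entering " wan; bad = 1 }
            if (!masq)   { print "FAIL no MASQUERADE rule leaving " wan; bad = 1 }
            if (!out)    { print "FAIL no " lan " -> " wan " ACCEPT rule"; bad = 1 }
            if (!est)    { print "FAIL no RELATED,ESTABLISHED return rule"; bad = 1 }
            if (!bad) print "OK ruleset matches the intended router policy"
            exit bad
        }'
}

# Constructed sample: a trimmed iptables-save dump; $1 is the FORWARD chain policy.
sample_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD $1 [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_rules ACCEPT | audit_router_rules || true   # built-in default policy: flagged
sample_rules DROP | audit_router_rules             # policy set to DROP: passes
```

The function exits non-zero when any check fails, so it can gate a deployment script or run after each netfilter-persistent save.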

Step 5: Set Up a DHCP Server

Install the ISC DHCP server:

sudo apt install isc-dhcp-server -y

Edit the DHCP configuration file:

sudo nano /etc/dhcp/dhcpd.conf

Add the following configuration:

default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Specify the LAN interface for the DHCP server by editing:

sudo nano /etc/default/isc-dhcp-server

Set the interface:

INTERFACESv4="eth1"

Restart the DHCP service:

sudo systemctl restart isc-dhcp-server
sudo systemctl enable isc-dhcp-server

Step 6: Configure DNS Resolution

If you want to set up a local DNS caching server, install Unbound:

sudo apt install unbound -y

Configure Unbound to forward DNS queries by editing:

sudo nano /etc/unbound/unbound.conf.d/custom.conf

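Add the following. Unbound must listen on the LAN address (192.168.1.1) as well as on localhost, otherwise the access-control rule for the LAN has no effect. LAN clients only use this resolver if the domain-name-servers option from Step 5 points to 192.168.1.1.

server:
    # Listen on localhost and on the router's LAN address
    interface: 127.0.0.1
    interface: 192.168.1.1
    # Answer queries from the LAN subnet only (localhost is allowed by default)
    access-control: 192.168.1.0/24 allow

# forward-zone is its own top-level clause, not an option of server:
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4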

Restart Unbound:

sudo systemctl restart unbound
sudo systemctl enable unbound

Step 7: Testing the Router

Check IP Forwarding

Run the following command:

cat /proc/sys/net/ipv4/ip_forward

It should return 1. If not, recheck your sysctl configuration.

Test Internet Access

On a client machine connected to the LAN, set the default gateway to 192.168.1.1 and test connectivity:

ping 8.8.8.8

You should receive replies. Also, test DNS resolution:

ping google.com

Step 8: Enhance Security

Consider using ufw (Uncomplicated Firewall) to manage access rules:

sudo apt install ufw -y

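Allow necessary traffic. ufw drops routed (forwarded) traffic by default, so LAN-to-WAN forwarding needs its own route rule in addition to the interface rules:

sudo ufw allow in on eth1
sudo ufw allow out on eth0
# Permit forwarding from the LAN interface out through the WAN interface
sudo ufw route allow in on eth1 out on eth0
sudo ufw enable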

Conclusion

You have now successfully configured a Debian 12 “Bookworm” system as a router. This setup allows internal network clients to access the internet securely through NAT while providing essential network services like DHCP and DNS. You can extend this setup further by adding VPN support or traffic shaping policies to optimize network performance.