Damn fast Linux-based IPoE NAS/BRAS/BNG implementation
- DHCP helper
- Radius Client
- Walled garden
- Firewall Management
- Subscriber Management
- Unauthorized client detection
- Per-IP Bandwidth Limiting
- VLAN Support
- NAT Support
- IP and DNS access restrictions
- NetFlow sensor
- sFlow sensor
- SNMP server
- rscriptd integration
- HTTP REST API
su -
apt install -y ethtool net-tools conntrack tcpdump htop mtr-tiny sudo irqbalance curl
apt install -y git expat libexpat1-dev build-essential softflowd snmpd snmp
apt install -y php8.4-cli php8.4-mysqli php8.4-mbstring php8.4-bcmath php8.4-curl
apt install -y build-essential libncurses-dev libssl-dev bc flex bison dwarves rsync libelf-dev
apt install -y autoconf libtool pkg-config libpcap-dev libnfnetlink-dev libbpf-dev libdbus-1-dev
apt install -y libvirt-dev libxml2-dev uuid-dev clang linux-cpupower elinks
sudo bash
apt install -y ethtool net-tools conntrack tcpdump htop mtr-tiny curl
apt install -y git expat libexpat1-dev build-essential softflowd snmpd snmp
apt install -y php8.4-cli php8.4-mysqli php8.4-mbstring php8.4-bcmath php8.4-curl
apt install -y autoconf libtool pkg-config libpcap-dev libnfnetlink-dev libbpf-dev libdbus-1-dev libvirt-dev libxml2-dev uuid-dev
apt install -y build-essential libncurses-dev libssl-dev bc flex bison dwarves rsync libelf-dev clang
git clone https://github.com/nightflyza/PureNAS.git /etc/PureNAS
-
Configure your network settings in
/etc/PureNAS/purenas.conf:- Set your LAN/WAN interfaces
- Configure user network range and gateway
- Adjust firewall and shaper settings
-
Initialize the system:
/etc/PureNAS/init
-
Manage subscribers:
# Add subscriber to allowed list /etc/PureNAS/actions/subscriber_allow <IP_ADDRESS> # Remove subscriber from allowed list /etc/PureNAS/actions/subscriber_disallow <IP_ADDRESS> # Shape subscriber bandwidth (download/upload in kbit/s) /etc/PureNAS/actions/subscriber_shape <IP_ADDRESS> <DOWNLOAD_KBIT> [UPLOAD_KBIT] # Remove bandwidth shaping /etc/PureNAS/actions/subscriber_unshape <IP_ADDRESS> # Create permanent IP-MAC record for subscriber /etc/PureNAS/actions/subscriber_mac <IP_ADDRESS> <MAC_ADDRESS> # Remove permanent IP-MAC record for subscriber /etc/PureNAS/actions/subscriber_unmac <IP_ADDRESS> # View all active subscribers /etc/PureNAS/actions/subscribers_show [summary|terse|extensive|top|help] # List unknown subscribers waiting for authorization (IP and MAC from ARP when available) /etc/PureNAS/actions/subscriber_getwaitauth # Check some subscriber access info /etc/PureNAS/actions/uc [IP_ADDRESS]
-
Manage firewall rules:
# Block/unblock IP addresses /etc/PureNAS/actions/ban_ip <IP_ADDRESS|CIDR> /etc/PureNAS/actions/unban_ip <IP_ADDRESS|CIDR> # Block/unblock ICMP to/from IP or CIDR /etc/PureNAS/actions/ban_icmp <IP_ADDRESS|CIDR> /etc/PureNAS/actions/unban_icmp <IP_ADDRESS|CIDR> # Allow/disallow DNS servers /etc/PureNAS/actions/dns_allow <DNS_IP_ADDRESS> /etc/PureNAS/actions/dns_disallow <DNS_IP_ADDRESS> # Block/unblock incoming ports to users network /etc/PureNAS/actions/portinc_block <PORT> /etc/PureNAS/actions/portinc_unblock <PORT> # Block/unblock outgoing ports from users network /etc/PureNAS/actions/portout_block <PORT> /etc/PureNAS/actions/portout_unblock <PORT>
cp -R /etc/PureNAS/dist/purenas.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable purenas.service
check startup status
journalctl -xeu purenas.service
cp -R /etc/PureNAS/dist/99-nat-tuning.conf /etc/sysctl.d/
sysctl -p /etc/sysctl.d/99-nat-tuning.conf
wget http://ubilling.net.ua/stg/stg-2.409.tar.gz
tar zxvf stg-2.409.tar.gz
cd stg-2.409/projects/rscriptd/
./build
/usr/bin/gmake install
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
export CXXFLAGS=-std=c++11
wget http://ubilling.net.ua/stg/stg-2.409.tar.gz
tar zxvf stg-2.409.tar.gz
cd stg-2.409/projects/rscriptd/
./build
/usr/bin/gmake install
cp -R /etc/PureNAS/dist/rscriptd/* /etc/rscriptd/
after that set Ubilling database connect parameters in /etc/rscriptd/dbconfig.conf and rscriptd secret key in /etc/rscriptd/rscriptd.conf
git clone https://github.com/sflow/host-sflow.git
cd host-sflow
make clean
make FEATURES="HOST"
make install
KVER="$(uname -r | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')"
cd /usr/src
wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${KVER}.tar.xz
tar xf linux-${KVER}.tar.xz
cd linux-${KVER}
cp -v /boot/config-$(uname -r) .config
make olddefconfig
scripts/config --disable CONFIG_HZ_250
scripts/config --disable CONFIG_HZ_300
scripts/config --disable CONFIG_HZ_100
scripts/config --enable CONFIG_HZ_1000
scripts/config --set-val CONFIG_HZ 1000
make olddefconfig
make -j$(nproc)
make modules_install
make install
rm -f /boot/vmlinuz-${KVER}+deb13-amd64
rm -f /boot/initrd.img-${KVER}+deb13-amd64
rm -f /boot/System.map-${KVER}+deb13-amd64
rm -f /boot/config-${KVER}+deb13-amd64
update-grub
reboot
check:
grep CONFIG_HZ /boot/config-$(uname -r)
Optional HTTP API may be installed following way:
apt install -y apache2 libapache2-mod-php8.4
cp -R /etc/PureNAS/dist/apache/000-default.conf /etc/apache2/sites-enabled/
cp -R /etc/PureNAS/dist/sudoers/masters /etc/sudoers.d/
ln -fs /etc/PureNAS/dist/api /var/www/html/api
cp -R /etc/PureNAS/dist/webstub/* /var/www/html/
a2enmod rewrite
systemctl reload apache2
And must be configured using specific REST_API_* options in /etc/PureNAS/purenas.conf
Just run action
/etc/PureNAS/actions/core_update
it upgrades and removes everything except your purenas.conf main config file.
/etc/PureNAS/
├── init # Main initialization script
├── purenas.conf # Main configuration file
├── dist # Some configs and presets to configure services
├── actions/ # Command scripts
├── subscriber_allow # allow subscriber access to internet
├── subscriber_disallow # disallow subscriber access to internet
├── subscriber_shape # Apply bandwidth limits to subscriber
├── subscriber_unshape # Remove bandwidth limits from subscriber
├── subscriber_mac # Add subscriber IP+MAC binding (ARP and/or FW_MACFIX)
├── subscriber_unmac # Remove subscriber IP+MAC binding
├── subscribers_show # List all active subscribers
├── subscriber_getwaitauth # List IPs waiting for auth (with MAC from ARP when available)
├── ban_ip # Add IP or CIDR to block list
├── unban_ip # Remove IP or CIDR from block list
├── ban_icmp # Block ICMP to/from IP or CIDR
├── unban_icmp # Unblock ICMP for IP or CIDR
├── dns_allow # Allow DNS server
├── dns_disallow # Disallow DNS server
├── portinc_block # Block incoming port to users network
├── portinc_unblock # Unblock incoming port to users network
├── portout_block # Block outgoing port from users network
├── portout_unblock # Unblock outgoing port from users network
├── uc # Subscribers Tree Debugger
[Packet] --> [PREROUTING] --> MAC? --> DNS spoof? --> [routing]
│
├--> [INPUT] --> Est/Rel? --> Banned? --> Banned ICMP? --> Protected? --> Safe? --> [Accept/Drop]
│
└--> [FORWARD] --> Banned? --> Banned ICMP? --> Est/Rel? --> DNS? --> Allowed? --> Isolation? --> Ports? --> Active? --> [Accept/Drop]
│
v
[POSTROUTING] --> SNAT
[Subscriber IP]
|
v
[Hash bucket] ---> [HTB class] ---> [Rate / Ceil] ---> [qdisc]
1:0 (root)
│
├─ pref 1 ht 800::
│ match 172.16.0.0/16, hashkey = 3rd octet
│ └──────────────► 999: (256 buckets: 00..ff)
│ │
│ for i=0..255: ├─ 999:00 ── match 172.16.0.0/24 ──► 01: (256 buckets)
│ pref 2 ├─ 999:01 ── match 172.16.1.0/24 ──► 02:
│ ht 999:HEX: ├─ ...
│ match 172.16.i.0/24 ├─ 999:0a ── match 172.16.10.0/24 ──► 0b: (256 buckets)
│ hashkey = 4th octet │ │
│ link TABLE_ID │ └─ 0b:00 .. 0b:32 .. 0b:ff
│ │ │
│ │ └─ subscriber_shape: 172.16.10.50 → 0b:32:xxx
│ └─ ...
│
└─ default (no match) ──► 1:ffff
[Interface] --> [PCI Device] --> [NUMA Node] --> [NUMA CPUs/All CPUs] --> [CPU Mask] --> [IRQs] --> [CPUs]
- See CONFIG.md for detailed configuration options.
- See RESTAPI.md for detailed HTTP API description.
- Integration with Ubilling and rscriptd
- Based on original UBRsciptdDebianNAS project