
Building a DIY UTM Gateway from an Old Laptop

My dad has been under constant duress lately from seemingly unending spam calls. While he isn’t tech-illiterate, he could definitely use a boost in web security. Rather than buying an off-the-shelf consumer router, I decided to build a custom Unified Threat Management (UTM) system using an old laptop I had lying around.


This project was the perfect opportunity to sharpen my networking and sysadmin skills while solving a real-world problem. My goal was to turn a retired laptop into a powerful router and firewall, placing it between his ISP gateway and new access points. Because of the size of his house and the nature of his work, I knew that I would have to have at least two APs to spread the coverage.


Phase 1: The Hardware Scavenger Hunt


The first step was determining the bill of materials. I needed a machine that wasn't necessarily powerful, but had at least one functional Ethernet port. I settled on the Lenovo ThinkPad T450 I had retired a few years ago.


Since the laptop would live between the Xfinity Gateway (WAN) and the internal network (LAN), I needed two physical interfaces. Since the laptop only had one built-in Ethernet port, the hardware list grew to include:


  • Server: Lenovo ThinkPad T450

  • Interfaces: Built-in Ethernet (LAN) + USB-A to Ethernet Adapter (WAN)

  • Wi-Fi: Two Enterprise Access Points (hopefully found from E-Waste)

  • Switching: A cheap Gigabit Switch (determined to be a need after only having a 100Mbps switch at my house)

  • Power: POE+ Injectors for the APs


I ran into my first hardware speed bump immediately: the only Ethernet adapter I had on hand was USB-C, and daisy-chaining it through a USB-A adapter caused driver recognition issues. A quick online order for a dedicated USB-A Ethernet adapter solved the issue, and the laptop recognized it immediately. Besides the gigabit switch ($15 for non-POE), I was able to get all the other equipment from local E-Waste.


Phase 2: OS Installation & The BIOS Trap


I chose Ubuntu Server for its stability and massive community support. The installation process seemed straightforward—download the ISO, flash it to a USB drive with Rufus, and boot.


However, I hit a snag: the installer looped endlessly at the GRUB welcome screen. After some troubleshooting, I realized I had formatted the USB as MBR (bad mistake) instead of GPT.


  • The Fix: Re-imaged the drive with GPT partition scheme.

  • BIOS Settings: Disabled Legacy Boot and CSM to force a pure UEFI environment.


Once the OS was installed, I set up SSH and prepared for the real work.


Phase 3: Network Configuration (Netplan & Interfaces)


This was the core of the project: teaching a general-purpose laptop to act like a router.


I configured the network using Netplan.


  • WAN Interface: Set to DHCP (to receive an IP from the ISP).

  • LAN Interface: Assigned a static IP in a Class C subnet with DHCP disabled (since I'd handle that later).


Lesson Learned: YAML is extremely picky about indentation. I wasted time debugging an error caused by using a tab character instead of spaces.


To enable routing, I had to tell the Linux kernel to allow traffic to pass between interfaces.

  1. Enable IP Forwarding: Ran sysctl -w net.ipv4.ip_forward=1 and edited sysctl.conf to make it permanent.

  2. IP Masquerading (NAT): This "hides" all the devices on the private LAN behind the laptop's single public IP. I initially tried iptables, but switched to UFW (Uncomplicated Firewall).


Phase 4: DHCP and Wi-Fi


With the routing logic in place, I needed a way to hand out IP addresses to clients. I installed isc-dhcp-server.


  • Config: I pointed it to the LAN interface, defined the subnet range, mask, and router IP.

  • Troubleshooting: I used tail -f /var/log/syslog to watch the DHCP handshake in real time. Seeing the Access Point request and receive an IP let me know that everything was working properly.
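Added example (not from the post): a parser for the dhcpd lines that tail -f /var/log/syslog shows, reconstructing the DISCOVER/OFFER/REQUEST/ACK handshake per client MAC so that a client stuck before ACK stands out. The log lines, hostnames, MACs and interface name are constructed samples in the isc-dhcp-server log format.

```python
import re
from collections import defaultdict

# Constructed sample of what tail -f /var/log/syslog shows while isc-dhcp-server
# serves one client fully (AP1) and a second client that never gets past the offer.
SAMPLE_SYSLOG = """\
Mar  3 18:02:11 gateway dhcpd[1201]: DHCPDISCOVER from 00:11:22:33:44:55 via enp0s25
Mar  3 18:02:12 gateway dhcpd[1201]: DHCPOFFER on 192.168.10.50 to 00:11:22:33:44:55 (AP1) via enp0s25
Mar  3 18:02:12 gateway dhcpd[1201]: DHCPREQUEST for 192.168.10.50 (192.168.10.1) from 00:11:22:33:44:55 (AP1) via enp0s25
Mar  3 18:02:12 gateway dhcpd[1201]: DHCPACK on 192.168.10.50 to 00:11:22:33:44:55 (AP1) via enp0s25
Mar  3 18:02:40 gateway dhcpd[1201]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via enp0s25
Mar  3 18:02:41 gateway dhcpd[1201]: DHCPOFFER on 192.168.10.51 to aa:bb:cc:dd:ee:ff via enp0s25
"""

# One pattern for all four handshake messages (plus NAK): the IP, the server id in
# parentheses and the hostname are each optional because DISCOVER/REQUEST omit them.
LINE_RE = re.compile(
    r"dhcpd\[\d+\]: (?P<msg>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))"
    r"(?: (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+))?"
    r"(?: \(\d+\.\d+\.\d+\.\d+\))?"
    r" (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
    r" via (?P<iface>\S+)"
)

def summarize_handshakes(log_text):
    """Track the latest DORA step per client MAC: {mac: {state, ip, host, iface}}."""
    clients = defaultdict(lambda: {"state": None, "ip": None, "host": None, "iface": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog noise
        c = clients[m["mac"]]
        c["state"], c["iface"] = m["msg"], m["iface"]
        if m["ip"]:
            c["ip"] = m["ip"]
        if m["host"]:
            c["host"] = m["host"]
    return dict(clients)

def incomplete_handshakes(log_text):
    """MACs that never reached DHCPACK: the first thing to check when a client gets no IP."""
    return sorted(mac for mac, c in summarize_handshakes(log_text).items()
                  if c["state"] != "DHCPACK")
```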


Once the first AP had an IP, I SSH’d into it to configure the SSID and security objects. My phone connected immediately, which was the point at which I became confident the project would be a success.


Phase 5: Security & Services (The "UTM" Part)


To turn this from a simple router into a security device, I added a few critical layers:


1. The Firewall (UFW): I adopted a "deny all, allow necessary" policy.


  • Default: Deny Incoming / Allow Outgoing.

  • Allow: SSH, DHCP, and DNS.

  • NAT Rules: I had to carefully re-apply the masquerade rules within UFW's before.rules file to ensure traffic could still flow out to the internet.


2. DNS Filtering (Pi-hole): I installed Pi-hole to act as a network-wide ad blocker. This required tweaking the Ubuntu system resolver to stop the built-in DNS stub listener and pointing Pi-hole to the LAN IP. Now, ads and trackers are blocked before they even reach the devices.


3. Remote Access (Tailscale): I installed Tailscale to link the server to my personal mesh. This allows me to remote into my dad's router from my house to troubleshoot issues without needing port forwarding or complex VPN setups.


Phase 6: Deployment & Mesh Setup


Back at my dad’s house, deployment was surprisingly smooth.


  1. Bridge Mode: I used the ISP app to switch his Xfinity Gateway into Bridge Mode, turning it into a dumb modem.

    a. This couldn't be done from the browser for some reason, and the easiest way was from Xfinity's app.

  2. The Mesh: I connected the second AP and configured it as a mesh node. I set the radio channels and verified the "Hive" settings.

    a. Recreated the same security object, SSID, and interface settings.

    b. Attached the SSID to the Wi-Fi interface and the Hive settings to the management interface.

    c. Did all this with AP2 connected to the switch with the other devices, then tested it on the other side of the house.



Conclusion


What started as a pile of old hardware is now a high-performance network gateway. I successfully repurposed a ThinkPad T450 into a router that delivers gigabit speeds, network-wide ad blocking, and total traffic control. At this point, I could technically remove the Xfinity gateway completely and save him a bit of money each month, but I like having the emergency fallback option of resetting the gateway and swapping back to the old SSID on a dime. The "stress test" exceeded my expectations, and most importantly, the network is robust and will be good practice to manage as my network engineering journey continues.


Thanks for stopping by the Macon World blog


© 2024 by Macon Moyer
