Do you have an interest in tech and enjoy the odd DIY project?
Make your own router.
It’s not as hard as it sounds. Grab an old PC, add a 2nd NIC, install pfSense (a Router distribution of FreeBSD) and you’re done. You’ll have a router sitting there using 50-100W of power 24/7 with a very simple setup process and a nice web GUI.
So why would anyone want to use a Raspberry Pi as a router if it’s only going to be slower and more complicated?
- It’ll only pull 2-3W of power
- It’s tiny, smaller than most consumer routers
- Buying it probably won’t make you broke
- You’ll learn more about how a router, Linux and basic networking works by setting it up from scratch
The only caveat is that it's limited to 100 Mbps full duplex, so if you'll be routing more than ~80 Mbps of traffic you should look at something faster.
In this guide I'll take you through every step of making a working router that does NAT, firewalling, DNS and DHCP. I will also be setting up and using VLANs so we can use the single Ethernet port for both WAN and LAN securely. This means you'll need a managed/smart switch that supports VLAN tagging. Alternatively, you can use a USB Ethernet adapter and leave out the VLAN-related instructions (I'll tell you what to do instead).
Setup Raspbian
Download and install the lite version of Raspbian from the Raspberry Pi website. If you need help writing the image to the microSD card, they have guides on how to image it on common OSs. Put the microSD card in the Raspberry Pi, power up and let it sort itself out. Once it's ready it'll display the IP address it has obtained and you can SSH in. The default username is pi and the password is raspberry. You'll want to change them to something secure.
pi@raspberrypi:~ $ passwd pi
Changing password for pi.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@raspberrypi:~ $
Install Software Packages
To make things easier, run everything as root by typing ‘sudo bash‘ each time you reboot and log in as the pi user. This saves typing sudo before every command. ‘apt-get update‘ refreshes the package lists, so apt-get install will pull up-to-date versions of applications.
pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# apt-get update
I’ll be using Vim for editing files but you can use nano (comes pre-installed) or any editor of your choice. Also if you’re not going to be using VLANs you can leave out the ‘vlan‘ package. DNSmasq will be handling DNS/DHCP and we’ll be using iptables for the NAT/Firewall.
root@raspberrypi:/home/pi# apt-get install vim vlan dnsmasq iptables-persistent
Network and VLAN Setup
Before it will do any routing we need to enable IP forwarding in ‘/etc/sysctl.conf‘
root@raspberrypi:/home/pi# vim /etc/sysctl.conf
Edit the line that says ‘#net.ipv4.ip_forward=1’ and remove the ‘#’.
net.ipv4.ip_forward=1
VLAN Method:
Append the ‘8021q‘ kernel module name to ‘/etc/modules‘, then reboot.
root@raspberrypi:/home/pi# echo 8021q >> /etc/modules
root@raspberrypi:/home/pi# reboot
After the reboot your Pi will be able to create VLAN interfaces. It’s time to edit ‘/etc/network/interfaces’ and add the VLAN interface. The number on the end of the VLAN name indicates what VLAN it will be on. Here I’m using VLAN 8 on eth0 so I call it eth0.8, however if you want it on another VLAN you can just change it (example: eth2.76 would be VLAN 76 on eth2).
root@raspberrypi:/home/pi# vim /etc/network/interfaces
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
    post-up ifup eth0.8

iface eth0.8 inet static
    address 192.168.8.1
    netmask 255.255.255.0
    network 192.168.8.0
    broadcast 192.168.8.255
Reboot or type ‘/etc/init.d/networking restart’.
Non VLAN Method:
Edit ‘/etc/network/interfaces’ to setup the interfaces. If you don’t have the same interface names type ‘ip a‘ to see what they’re called.
root@raspberrypi:/home/pi# vim /etc/network/interfaces
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 192.168.8.1
    netmask 255.255.255.0
    network 192.168.8.0
    broadcast 192.168.8.255
Reboot or type ‘/etc/init.d/networking restart’.
DNS/DHCP
Using DNSmasq makes it very simple to do DNS and DHCP. The config comes filled with stuff you don’t need so delete it first. You’ll just need 4 lines in DNSmasq’s config and it will do the job.
root@raspberrypi:/home/pi# rm /etc/dnsmasq.conf
root@raspberrypi:/home/pi# vim /etc/dnsmasq.conf

interface=eth0.8
listen-address=127.0.0.1
domain=yourdomain.com
dhcp-range=192.168.8.1,192.168.8.254,12h
Note that where I type “eth0.8” you’ll need to type the name of your LAN connection.
IPTABLES
It's really worth trying to learn how to make your own iptables rules for port forwarding etc. In the future I'll make posts explaining in a lot more detail how to use iptables and eventually PF on OpenBSD.
Here are basic rules that work like a normal router and allow you to SSH in from the WAN side (so you won’t lock yourself out).
root@raspberrypi:/home/pi# vim /etc/iptables/rules.v4

*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT

Apply these rules with the command:
root@raspberrypi:/home/pi# iptables-restore < /etc/iptables/rules.v4
You may need to reboot again before it works but hopefully now you’ll have a working Raspberry Pi Router. If you need PPPoE or some other way of getting internet on your WAN then that is a whole other project in itself but this setup is great for making a DMZ or just isolating your network from other people in the house.
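The ruleset above only has INPUT rules, so the FORWARD chain is left at whatever policy the kernel already has, and SSH is accepted on the WAN interface from any address. The script below is an added example, not part of the original guide: it checks an iptables-restore file for those two points, assuming eth0 is the WAN interface. The second ruleset is a constructed comparison that uses the guide's eth0.8 LAN interface and a placeholder admin address.

```shell
# Added example: audit an iptables-restore ruleset read from stdin.
# Assumption: the WAN interface is eth0 (pass another name as $1).
audit_rules() {
    awk -v wan="${1:-eth0}" '
        /^\*/ { table = substr($0, 2); next }    # "*filter" -> "filter"
        table != "filter" { next }
        { line = $0 " " }                         # pad so literal matches can end on a space
        /^:FORWARD / { fwd_policy = $2 }          # e.g. ":FORWARD DROP [0:0]"
        /^-A INPUT / && index(line, " -i " wan " ") && index(line, "--dport 22 ") &&
            index(line, " -j ACCEPT ") && !index(line, " -s ") { ssh_any = 1 }
        END {
            if (fwd_policy != "DROP")
                print "FORWARD policy is not set to DROP in this file"
            if (ssh_any)
                print "SSH is accepted on " wan " from any source address"
        }'
}
# The ruleset from the guide, copied from the page.
guide_rules() { cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
EOF
}
# Constructed filter table for comparison (the *nat section stays as in the guide).
# 203.0.113.10 is a placeholder for a trusted admin host, not a value from the page.
tight_rules() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0.8 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0.8 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
guide_rules | audit_rules    # reports both findings
tight_rules | audit_rules    # reports nothing
```

On the router itself, the same function can read the live rules with `iptables-save | audit_rules`.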
I hope you’ve learnt something reading this. I’d love feedback on how I can improve this guide so please comment!
This Post Has 5 Comments
Greetings, John:
Reading your Guide and thinking, also, that you are quite knowledgeable with respect to networking, I’m wondering whether you may be willing to help me out with the following:
(Preface: I am a complete ‘noob’ with respect to both, networking and programming a Raspberry Pi. Having written that, I am a keen learner!)
I have the following network in my home: internet comes into house to an ISP modem/Wi-Fi router (I have the Wi-Fi component turned off). Via ethernet, modem is connected to a wireless mesh router system (Netgear Orbi).
Goal: I want to set up a VPN (using Raspberry Pi) in order to ‘route’ all home based internet traffic through the VPN. I have done a lot of reading about setting up a Raspberry Pi as both a VPN client and a VPN server.
Challenge: Since all devices in the home access the internet via the Orbi Wi-Fi router, I’m thinking that I have to place the Raspberry Pi in between the modem and the Orbi Router. I think that I need to connect the modem to the Pi’s ethernet port via ethernet cable and then output/input internet from the Raspberry Pi to/from the wireless router by using a USB ethernet adapter and ethernet cable to connect to the ethernet port on the wireless router (since that is the only way that the internet may be connected to the Orbi wireless router).
Would the above be the correct physical/wiring connections for my purpose? Unsure of the networking terminology, would the Pi be a router or a bridge or… in this setup? I essentially want the Pi to relay the internet connection to the wireless router and to process, as a VPN, all outgoing and incoming internet traffic. If this is do-able, what would I need to learn about in order to program the Pi in order to manage this setup?
Your assistance with this query would be most appreciated!
Michael
I don’t know the exact steps required to achieve what you want to do. My personal solution for simplicity/management would be using pfSense or Untangle; however, these require x86 systems.
Upon doing some research online I found this guide that allows you to achieve what you want to do. The only thing I would do after following it is change the default gateway your DHCP server hands out to be the Raspberry Pi itself.
https://www.tomshardware.com/reviews/raspberry-pi-vpn-gateway,6103.html
I believe this achieves exactly what you want. Let me know how it goes and good luck!
Hi, you made a written mistake above in the IPTABLES configuration section, it’s not “vim /etc/dnsmasq.conf” but “vim /etc/iptables/rules.v4” 🙂
Ah! I thought that was out of place!
Thank you for the guide and the correction. I am trying to set up a Raspberry Pi 4 on my home network between my Google Wifi and the internet. Love that you showed how to do VLANs as well, since I’m hoping to just use the Pi’s gigabit LAN.
Thanks again!
Just so as not to leave anything to chance: inside the rules.v4 file you have to remove everything or, if you prefer, comment out all the text with #; after that you will have to copy and paste everything John wrote above in his directions 🙂