Raspberry Pi Router Guide


Do you have an interest in tech and enjoy the odd DIY project?

Make your own router.

It’s not as hard as it sounds. Grab an old PC, add a 2nd NIC, install pfSense (a Router distribution of FreeBSD) and you’re done. You’ll have a router sitting there using 50-100W of power 24/7 with a very simple setup process and a nice web GUI.

So why would anyone want to use a Raspberry Pi as a router if it’s only going to be slower and more complicated?

  1. It’ll only pull 2-3W of power
  2. It’s tiny, smaller than most consumer routers
  3. Buying it probably won’t make you broke
  4. You’ll learn more about how a router, Linux and basic networking works by setting it up from scratch

The only caveat is that it’s limited to 100Mbps full duplex, so if you’ll be routing more than ~80Mbps of traffic you should look at something faster.

In this guide I’ll take you through every step of making a working router that does NAT, firewalling, DNS and DHCP. I will also be setting up and using VLANs so we can use the single Ethernet port for both WAN and LAN securely. This means you’ll need a managed/smart switch that supports VLAN tagging, or you can use a USB Ethernet adapter and leave out the VLAN-related instructions (I’ll tell you what to do instead).

Setup Raspbian


Download and install the Lite version of Raspbian from the Raspberry Pi website. If you need help writing the image to the microSD card, they have guides on how to image it on common OSs. Put the microSD card in the Raspberry Pi, power up and let it sort itself out. Once it’s ready it’ll display the IP address it has obtained and you can SSH in. The default username is pi and the password is raspberry. You’ll want to change them to something secure.

pi@raspberrypi:~ $ passwd pi
Changing password for pi.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@raspberrypi:~ $

Install Software Packages


To make things easier, run everything as root by typing ‘sudo bash’ each time you reboot and log in as the pi user. This saves typing sudo before every command. ‘apt-get update’ refreshes the package lists so that apt-get install pulls up-to-date versions of applications.

pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# apt-get update

I’ll be using Vim for editing files but you can use nano (comes pre-installed) or any editor of your choice. Also if you’re not going to be using VLANs you can leave out the ‘vlan‘ package. DNSmasq will be handling DNS/DHCP and we’ll be using iptables for the NAT/Firewall.

root@raspberrypi:/home/pi# apt-get install vim vlan dnsmasq iptables-persistent

Network and VLAN Setup


Before it will do any routing we need to enable IP forwarding in ‘/etc/sysctl.conf’.

root@raspberrypi:/home/pi# vim /etc/sysctl.conf

Edit the line that says ‘#net.ipv4.ip_forward=1’ and remove the ‘#’.

net.ipv4.ip_forward=1

VLAN Method:

Echo in the ‘8021q‘ kernel module to ‘/etc/modules‘ then reboot.

root@raspberrypi:/home/pi# echo 8021q >> /etc/modules
root@raspberrypi:/home/pi# reboot

After the reboot your Pi will be able to create VLAN interfaces. It’s time to edit ‘/etc/network/interfaces’ and add the VLAN interface. The number on the end of the VLAN name indicates what VLAN it will be on. Here I’m using VLAN 8 on eth0 so I call it eth0.8, however if you want it on another VLAN you can just change it (example: eth2.76 would be VLAN 76 on eth2).

root@raspberrypi:/home/pi# vim /etc/network/interfaces
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
post-up ifup eth0.8

iface eth0.8 inet static
address 192.168.8.1
netmask 255.255.255.0
network 192.168.8.0
broadcast 192.168.8.255

Reboot or type ‘/etc/init.d/networking restart’.

Non VLAN Method:

Edit ‘/etc/network/interfaces’ to setup the interfaces. If you don’t have the same interface names type ‘ip a‘ to see what they’re called.

root@raspberrypi:/home/pi# vim /etc/network/interfaces
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.8.1
netmask 255.255.255.0
network 192.168.8.0
broadcast 192.168.8.255

Reboot or type ‘/etc/init.d/networking restart’.

DNS/DHCP


Using DNSmasq makes it very simple to do DNS and DHCP. The config comes filled with stuff you don’t need so delete it first. You’ll just need 4 lines in DNSmasq’s config and it will do the job.

root@raspberrypi:/home/pi# rm /etc/dnsmasq.conf
root@raspberrypi:/home/pi# vim /etc/dnsmasq.conf
interface=eth0.8
listen-address=127.0.0.1
domain=yourdomain.com
dhcp-range=192.168.8.1,192.168.8.254,12h

Note that where I type “eth0.8” you’ll need to type the name of your LAN connection.

IPTABLES


It’s really worth trying to learn how to make your own iptables rules for port forwarding etc. In the future I’ll make posts explaining in a lot more detail how to use iptables and eventually PF on OpenBSD.

Here are basic rules that work like a normal router and allow you to SSH in from the WAN side (so you won’t lock yourself out).

root@raspberrypi:/home/pi# vim /etc/iptables/rules.v4
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT

Apply these rules with the command:

root@raspberrypi:/home/pi# iptables-restore < /etc/iptables/rules.v4

You may need to reboot again before it works but hopefully now you’ll have a working Raspberry Pi Router. If you need PPPoE or some other way of getting internet on your WAN then that is a whole other project in itself but this setup is great for making a DMZ or just isolating your network from other people in the house.
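The ruleset above sets no chain policies and has no FORWARD rules, so with net.ipv4.ip_forward=1 the FORWARD chain stays at its default ACCEPT and packets arriving on eth0 addressed to the LAN are routed through. The script below is an added example, not part of the original guide: it statically checks an iptables-restore file for that gap and for SSH exposed on the WAN interface, and compares the guide's rules with a constructed variant that closes FORWARD. The function names and finding labels are hypothetical; eth0 and eth0.8 are the interface names used in the guide.

```shell
# Added example, not from the original guide: static audit of an
# iptables-restore file. Interface names (eth0, eth0.8) follow the guide.
# The guide's ruleset, reproduced as sample input.
page_rules() { cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
EOF
}

# Constructed variant: same INPUT rules, FORWARD policy DROP, and only
# LAN-initiated traffic (plus its replies) allowed through the router.
hardened_rules() { cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0.8 -o eth0 -j ACCEPT
COMMIT
EOF
}

# audit_rules WAN_IF < rules-file : prints one finding label per line.
audit_rules() {
  awk -v wan="$1" '
    /^\*/ { table = substr($0, 2); next }
    table != "filter" { next }
    # FORWARD counts as closed with a DROP policy or a WAN-side DROP/REJECT rule.
    $1 == ":FORWARD" && $2 == "DROP" { closed = 1 }
    $2 == "FORWARD" && index($0, "-i " wan " ") && /-j (DROP|REJECT)/ { closed = 1 }
    $2 == "INPUT" && index($0, "-i " wan " ") && /--dport 22 / && /-j ACCEPT/ { ssh = 1 }
    END {
      if (!closed) print "FORWARD_OPEN"
      if (ssh) print "SSH_ON_WAN"
    }'
}
page_rules | audit_rules eth0
hardened_rules | audit_rules eth0
```

On the Pi itself the same check can be run as ‘audit_rules eth0 < /etc/iptables/rules.v4’. If you use the non-VLAN method, replace eth0.8 in the constructed variant with the name of your LAN interface.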

 

 

I hope you’ve learnt something reading this. I’d love feedback on how I can improve this guide so please comment!
