doughadfield
Posts: 41
Joined: Fri Dec 21, 2012 5:27 pm

Pi as home router (with FTTP)

Sat Sep 17, 2016 5:06 pm

Hi All, I'm embarking on a project to replace my BT home hub with a Pi! This is a dangerous undertaking for the obvious reason of security. Home routers are designed with firewalling (if that's even a word!!) built in and turned on by default. They are set to outgoing connections only, with (in most cases) the ability to punch pinholes in the firewall for specific gaming or other incoming applications. To see the problem, just open port 22 to a pi (lock it down first!), and see how many attack attempts per day you get!!

So, even though I'm a fairly old hand at Linux admin, I want to administer the firewall (iptables) using some sort of GUI or other overlay, as iptables is notoriously complex and easy to get wrong.

I want a web-based tool, as I'm not running a desktop on the router pi and don't want to have to run remote xservers to access it. So the common x-based tools are out. I'm playing with webmin at the moment and it looks like it may do the job, but I was wondering if anyone else had done this and can suggest easy admin tools and other advice (like how to set up PPPoE to interface with the BT fibre modem).

cheers all

Doug

CarlRJ
Posts: 598
Joined: Thu Feb 20, 2014 4:00 am
Location: San Diego, California

Re: Pi as home router (with FTTP)

Sat Sep 17, 2016 5:56 pm

As with other security-related code (cryptography especially), rolling your own is not a good place to start, too many opportunities to make mistakes that open security holes. There are a lot of interesting projects out there that have already taken up the task of building router/firewall devices out of low-end hardware. Wikipedia has a list of some of them here, List of router and firewall distributions, though I'm sure I've heard of others in the past that aren't on that list. Two that are there that look interesting on cursory inspection are IPFire and OpenWrt (disclaimer, not a recommendation, I know nothing of these specific projects besides skimming their Wikipedia pages). Both will run on ARM processors, though neither mentions Raspberry Pi directly. If you dig around their related forums, likely someone else has already looked into that (just because Pi hardware is so popular), so there may already be a path to follow. For all I know, one of the existing Pi-oriented distributions may already fancy itself to have special router/firewall abilities.

Note that all the interesting (for this project) high-speed data I/O in the Pi (the ethernet port and the four USB2 ports) all emanate from one USB port in the Pi's SoC, that, though it is USB2 in terms of the protocol it follows, is not exceptionally fast. As a firewall, you'll need at least two network interfaces - if you plug an ethernet-to-USB or a WiFi-to-USB adapter into one of the Pi's USB ports, and use that and the existing ethernet port, the capacity of the SoC's one USB port will be split across both of your network interfaces. Depending on your needs, this may not be enough.

A number of the existing open-source router projects out there are designed to run on hardware optimized to the task - DD-WRT comes to mind, it was specifically designed to run on Linksys routers that were found to be... nicely specialized computer hardware (low power CPUs combined with multiple highly capable network interfaces) already running Unix/Linux derivatives. I love the Raspberry Pi and find it capable of quite a bit, but in the spirit of using the best tool for the job, you may want to look into one of those routers, or similar hardware.

asavah
Posts: 373
Joined: Thu Aug 14, 2014 12:49 am

Re: Pi as home router (with FTTP)

Sat Sep 17, 2016 6:04 pm

Pi is great for many things, but not for routing.
Don't get me wrong - I love my pi's, all of them, but I wouldn't use a pi as my home router.
It could be a very nice project for learning about networking, routing, iptables etc., but not for everyday usage.

Why?
First - hardware limitations, NIC on the pi is quite poor and it's on USB ...
Considering you'd have to add another USB NIC - what kind of forwarding performance would you get?
I think pi3 could handle 100mbit internet link, but I don't think it would be any better than your current router.
You probably will want wifi too, pi3 wifi is quite weak, you'd need to mod it to use an external antenna,
but still you should consider that onchip wifi is 1T1R and it does not support 40MHz, so the max speed you'd get from it is 75Mbit "link", which would be around 35-40 real Mbits.
Of course you could use some beefed up USB wireless dongle, but wait ... you would have 3 NICs on our poor USB bus ...

Now for the software:
Avoid any GUIs or web interfaces at all costs, learn to use pure iptables and iproute2 features,
it's very powerful and actually easy to use once you understand how it works.
Same goes for PPPoE, it's handled perfectly by pppd with the rp-pppoe plugin (it should be in raspbian by default),
no need for GUIs, once configured properly it will work for ages and handle reconnections itself.

Don't hurry and try to put the pi as your main router,
setup a lab environment where the pi would get internet from your main router (DHCP) and act as a gateway for another test LAN behind the other NIC.
You'll need a few other services on the LAN side of the pi - DHCP and DNS server, I could suggest dnsmasq for that - it's easy to configure and works flawlessly.

There are plenty of guides and blogs about making linux gateway, most guides for debian/ubuntu will work on the pi with almost no tweaks.

doughadfield
Posts: 41
Joined: Fri Dec 21, 2012 5:27 pm

Re: Pi as home router (with FTTP)

Sat Sep 17, 2016 7:27 pm

Thanks both, for your quick and full replies. Let me address your points below:

Performance: I take your point about the I/O bottleneck in the Pi - I have a Pi acting as a NAS and am intimately aware of the I/O limitations :-) - however my internet connection is 40Mbits/sec down and 10Mbits/sec up, so routing both ways should still not saturate the USB channel (I have a 1Gbit ethernet dongle as well as the built-in ethernet on the pi) - it's a Mod 3 so has plenty of cpu/mem available.

GUI: I'm grateful for your insights regarding GUIs - I'll make the effort to learn iptables syntax in the first instance, to see if that does the job - I must admit I was puzzled by the lack of GUI options for iptables, given the proliferation of GUIs in other linux areas. Perhaps this is why...

Reason to do this in the first place: I started looking into this whilst building a pi cluster, where I have a group of zeros behind a controller pi. I'm bridging the network right now, so that the zeros appear on the house network and can access the internet for apt-get etc. I'd like to put them behind the controller, acting as a router. However to do that I need to add a static route to the internet router (the default router for all network machines, including the cluster controller) pointing back at the private cluster network. Of course there's no ability to add static routes to a bt home hub, so I had the idea of using a pi. This will also afford opportunity for learning, which after all is what the pis are all about.

Why pi, rather than more specialist hardware: I have pis and I know pis - I don't want to buy anything specialist, otherwise I'd just buy a router :-) - and of course the learning opportunity...

Other network services: - I already have dns and dhcp on pis - the BT home hub only does routing; nothing else.

So following your advice, I'll proceed with more caution, setting up a sandbox first, and look at administering purely via native command line tools. Thanks both for your advice.

Doug

i486
Posts: 178
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: Pi as home router (with FTTP)

Sun Sep 18, 2016 7:15 am

Buy a Broadcom-based router (Asus, etc.), install TomatoUsb or OpenWrt, etc. You will have easy-to-use web administration and it is Linux.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Pi as home router (with FTTP)

Sun Sep 18, 2016 8:53 am

doughadfield wrote: GUI: I'm grateful for your insights regarding GUIs - I'll make the effort to learn iptables syntax in the first instance, to see if that does the job - I must admit I was puzzled by the lack of GUI options for iptables, given the proliferation of GUIs in other linux areas. Perhaps this is why...

There are tools and desktop GUIs for iptables but they tend to be distribution specific (ufw, firewalld and the various related tools). My experience is that they also tend to abstract things out in a way that's good for a desktop machine and sometimes also for a server. They're not so good when you want to start working with routers and NAT.

As a starting point this is a cut down sample of what I use for iptables in the form that can be loaded with iptables-restore (I use the iptables-persistent package on debian based OSes to do this which puts the config in /etc/iptables/rules.v4)

Code:

*filter
# Default policies: drop inbound and routed traffic, allow outbound
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host already has open
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# New inbound connections to the services this host offers
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 5001 -j ACCEPT
# Log whatever is left before the DROP policy discards it
-A INPUT -j LOG --log-prefix "ipt-in: "
COMMIT

Routed traffic goes in the FORWARD chain, then you also need the NAT table for NAT functions.
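
An added example, not part of mfa298's post: the same iptables-restore format extended with the FORWARD chain and nat table for the lab gateway described earlier in the thread. The interface names (eth0 upstream, eth1 LAN), the 192.168.50.0/24 LAN subnet and the "ipt-fwd: " log prefix are assumptions; SSH is reachable from the LAN side only.

```iptables
# Constructed example. Assumptions: eth0 = upstream (WAN) side,
# eth1 = LAN side, 192.168.50.0/24 = LAN subnet.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- Traffic addressed to the router itself ---
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SSH only from the LAN interface, never from upstream
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# DNS and DHCP for LAN clients (e.g. served by dnsmasq)
-A INPUT -i eth1 -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
# Rate-limited log of whatever the DROP policy is about to discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-in: "

# --- Traffic routed through the router ---
# Replies to connections that LAN hosts opened
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New connections are allowed only from LAN to upstream
-A FORWARD -i eth1 -o eth0 -s 192.168.50.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ipt-fwd: "
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite LAN source addresses to the router's upstream address
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
```

Routing also needs net.ipv4.ip_forward=1 set via sysctl, and the file can be parsed without being applied using iptables-restore --test.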

doughadfield
Posts: 41
Joined: Fri Dec 21, 2012 5:27 pm

Re: Pi as home router (with FTTP)

Sun Sep 18, 2016 6:29 pm

All, after reading all your wise and helpful posts, I've had a brief attack of sanity and decided to use a purpose-built router - in fact, I remembered I had an old Netgear WNR3500 knocking about, so I dug it out and lo and behold, it fired up first time on the BT fibre line and has all the features I needed from the planned pi project, including the ability to configure static routes! So, I've got a Pi3 back and a router that works, with GigE ports and everything!

Thanks again for the responses.

Doug
