VladyslavVolskyi
Posts: 5
Joined: Sun Jan 07, 2018 10:07 pm

House network guarding with Rpi3(firewall)

Sun Jan 07, 2018 10:30 pm

Hello Everyone!

I am a new user of the Rpi3, and I am interested in building my own firewall (by my rules I mean filtering: blocking YouTube, as an example) using the Rpi.
But the problem is that I don't know which utilities I need for port forwarding, creating rules, etc., or whether to do everything without using other programs.
I want to do something like: internet -> Rpi3 (working as a firewall, connected to a port on the switch,
which will take all the traffic from the computers) <-> switch (connected computers).

I have:
Rpi3 (with input interface eth0).
TP-LINK switch x48 ports (for my home network).
Network interface adapter (USB-RJ45, for output interface eth1).
IP address to the Internet.
3x computers

Could you help me with:

1) Which OS will be the best for this? (I have already started taking my first steps with 2017-11-29-raspbian-stretch.)
2) What should I use to make a firewall on the Rpi, to create rules?
3) How to route traffic from eth0<->eth1.
4) Could you advise me how you usually route traffic (which program/utility) on the switch, as I do it manually.

Thanks everyone for your attention and help :) :D ;)

epoch1970
Posts: 5131
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: House network guarding with Rpi3(firewall)

Mon Jan 08, 2018 11:31 am

The Rpi is not a great networking platform in general. It is OK if your Internet connection is DSL; if you have a faster connection like fiber, the Pi will probably slow down Internet access.

For a firewall application I would recommend using a dedicated distribution; however, many of these are built upon BSD, and hardware support for Pi 3 is incomplete in BSD AFAIK.
I think dd-wrt runs on Pi, perhaps that is a solution. Otherwise for a local firewall my own recipe is to install Raspbian Lite and shorewall packages (ipv4 and ipv6). I find shorewall concepts simple and effective, and it is well documented.
I also usually install webmin as it provides a good web GUI for Shorewall configuration, but that is certainly a matter of personal taste.
I use Jessie, I expect this would work ok on Stretch.
There are many other firewall applications available on Linux, or you can do without any and directly configure iptables if you prefer.

If your switch has a management interface, you could set up the RPi as a "router on a stick" and add a VLAN to eth0. That would give you 2 interfaces to filter/route between. Something like this:

+-------------------------+  +---------------------------------+
|        Dialup interface |  |        Manageable Switch        |
|        ppp0             |  |                                 |
|ISP box                  |  |Port 1     Port 2     Ports 3..48|
|        Private interface|  |PVID 1234  PVID 1     PVID 1     |
|        eth0             |  |           VLAN 1234             |
+---------^---------------+  +---^--------^----------^---------+
          |                      |        |          |
          +----------------------+        |          |
                                          |          |
+-------------------------+               |          |
|       DMZ or public net |               |          |
|       eth0:1234         |               |          |
|Pi 3                     <---------------+          |
|       LAN               |                          |
|       eth0              |                          |
+-------------------------+                          |
                                                     |
+-------------------------+                          |
|Computers  LAN interface |                          |
|#1..3      eth0          <--------------------------+
+-------------------------+

Alternatively, an extra USB gigabit ethernet interface for the LAN side should be a little faster and set you back by no more than 10 to 15€. Make sure you're using a PSU powerful enough if using a giga USB adapter; these devices do like some power. (The official PSU is fine in this application.)
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
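
Added example (not part of the thread, and not any poster's own configuration): a shell function that prints an iptables-restore ruleset for the router-on-a-stick layout in the diagram above, following the "directly configure iptables" option. It assumes the VLAN subinterface is named eth0.1234, that the Pi masquerades LAN traffic towards the ISP box, and that SSH to the Pi is wanted from the LAN only; none of these choices come from the thread.

```shell
#!/bin/sh
# Added example: default-deny forwarding between LAN and a VLAN uplink.
# Interface names, masquerading and the SSH rule are assumptions.
#
# Typical use on the Pi, as root:
#   ip link add link eth0 name eth0.1234 type vlan id 1234
#   sysctl -w net.ipv4.ip_forward=1
#   sh this_script eth0 eth0.1234 | iptables-restore --test   # parse only
#   sh this_script eth0 eth0.1234 | iptables-restore          # load rules

# valid_if NAME: accept only plausible interface names (max 15 characters)
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) [ "${#1}" -le 15 ] ;;
    esac
}

# gen_ruleset LAN_IF WAN_IF: print the ruleset, or return 1 on bad input
gen_ruleset() {
    lan=$1 wan=$2
    valid_if "$lan" && valid_if "$wan" || return 1
    [ "$lan" != "$wan" ] || return 1   # filtering needs two distinct sides
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset when called with two interface names.
if [ $# -eq 2 ]; then gen_ruleset "$1" "$2"; fi
```

Because the FORWARD policy is DROP, nothing initiated from the uplink side reaches the LAN unless a rule is added for it; only replies to connections opened from the LAN pass.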

VladyslavVolskyi
Posts: 5
Joined: Sun Jan 07, 2018 10:07 pm

Re: House network guarding with Rpi3(firewall)

Mon Jan 08, 2018 10:40 pm

Thank you very much for your reply :)

Could I ask you to give me some links to the things you describe? You said that you find Shorewall concepts simple and effective, and that it is well documented; I have been looking for an hour and can't find anything special. Maybe you have it in your favourites ;)

Tell me please, all these utilities (BSD AFAIK, dd-wrt, webmin) are programs which I can install on my Raspbian Lite, or am I mistaken?

epoch1970
Posts: 5131
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: House network guarding with Rpi3(firewall)

Tue Jan 09, 2018 12:30 am

For Shorewall I would recommend you have a look at this page: http://shorewall.org/Introduction.html
On Raspbian there are different packages to install: you will certainly want shorewall-core, shorewall (for ipv4) and shorewall6 (for ipv6). On Raspbian Jessie I found I also needed package shorewall-init, which is a system utility.

About dd-wrt I don't know much, especially under Pi 3. I know so little in fact that I confused it with OpenWrt, which unbeknownst to me has recently morphed into the LEDE project :) I don't know anything about it really, but it looks like there is a system image for Pi 3 and a web GUI application called LuCI. They have a forum: https://forum.lede-project.org

Coming back to Raspbian and Shorewall, you can find instructions for installing webmin here: http://www.webmin.com/deb.html
(For some reason many years ago Debian stopped distributing Webmin, so you have to get the package directly from webmin.com. It is a fairly large beast; install is slow on a Pi.)

About BSD-based firewall distributions: As Far As I Know, hardware support for Pi 3 is incomplete (wifi is missing, for one). A system image doesn't look too far away, but I wouldn't bet on its availability yet.

Have fun ;)
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
