Raspberry Pi Router


This is a different type of router, designed to attach to a WiFi internet source such as a mobile phone hotspot and provides a wired ethernet DHCP and DNS service.
It's really a variation of the Wifi Hotspot turned around the other way

Address ranges

This sets up a 192.168.0.* network where the router sits at 192.168.0.10 and the attached devices get allocated addressed in the range of 192.168.0.100 to 192.168.0.200 with long DHCP lease times (great for a household). Internet cafes should probably use smaller lease times.


1. Naming your router

First you'll need to setup your /etc/hosts and /etc/hostname file.

/etc/hostname
router.home

/etc/hosts
127.0.0.1   localhost
::1     localhost ip6-localhost ip6-loopback
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters

192.168.0.10    router.home router


2. Connecting to the internet via Wifi

Then setup your Wifi to connect to the source of your internet:

/etc/wpa_supplicant/wpa_supplicant.conf
country=GB
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="PhoneHotSpotName"
    psk="ThePassword"
    scan_ssid=1
    key_mgmt=WPA-PSK
}


3. Install and configure the DNS software

First we need to install the software components and disable them so they don't run on their own at startup

sudo apt-get   install dnsmasq
sudo systemctl disable dnsmasq


3.2 Configure DNSMASQ

This does both the DHCP and DNS lookup stuff for the hotspot.
If it doesn't run the result is a type of zombie Wifi with limited functionality, and /etc/resolv.conf will not have a working nameserver so you may want to edit in the temporary line 8.8.8.8 there until you get DNSMASQ working.

Then it needs to be configured:
Create/edit /etc/dnsmasq.conf
sudo vi /etc/dnsmasq.conf
and make it look like this:

/etc/dnsmasq.conf (2.0kB)
#
# Cutestudio's Raspberry Pi Hotspot/Seedeclip4 dnsmasq config file:
# For option help type 'man dnsmasq', the command line option are the same as these:
#

# Listen only on this (i.e. only connected devices use dnsmasq)
interface=wlan0

# Allow DHCP serving
bind-interfaces
# DHCP assigns IP addresses with a lease time
dhcp-range=192.168.1.2,192.168.1.20,255.255.255.0,24h

# Never ask upstream about short names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# Really make sure we're using this (should be used by default)
addn-hosts=/etc/hosts

# Optionally filter out adware and malware,
#  E.g to filter out facebook
   # wget -O facebook.ban https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all
   # sudo cp facebook.ban /etc
addn-hosts=/etc/facebook.ban

# Other adware to filter
 # https://github.com/StevenBlack/hosts
 # https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

  # wget -O final_blocklist.txt "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
  # sudo cp final_blocklist.txt /etc/final_blocklist.txt
addn-hosts=/etc/final_blocklist.txt

# Stop various silliness
filterwin2k
stop-dns-rebind

# To prevent the eth0 from giving us some dodgy domain via /etc/resolv.conf we ignore it via no-resolv.
#  This has the side effect of stopping us seeing the nameserver entry in there that we needed for 
#  the internet to work. So we specify some google nameservers which are just as good here.
# To keep the Pi still using the original DNS assigned via eth0's dhcpd we also edit resolvconf.conf
#  comment out the dnsmasq line there as we are using dnsmasq ONLY for the Wifi devices.
no-resolv

# Because we are using no-resolv...
server=8.8.4.4                  # Forward DNS requests to Google
server=8.8.8.8                  # Forward DNS requests to Google

# synth-domain=,[,]
synth-domain=home,192.168.1.0/24
# auth-zone=home,192.168.1.0/24

# auth-server=,|

Note

This has two 'adblock' host file references inside, please read the comments in the file about how to set them up.


Automating the router setup in a handy script

Now we need a script to get it all up and running.

/usr/local/bin/routerstart (1.5kB)
#!/bin/bash

function daemon_stop()
{
    echo "Stopping all wlan services (if running)..."
    systemctl daemon-reload
    systemctl stop hostapd
    systemctl stop dnsmasq
}

function daemon_start()
{
    echo "Waiting for eth0 to be setup before trying to run DNSMasq"
    sleep 10
    echo "Start DNSMasq"
    systemctl start dnsmasq
}

function forwarding()
{
    echo "Enable IPV4 forwarding"
    sysctl net.ipv4.ip_forward=1
}

function iptables_clear()
{
    echo "Clear iptables (in case we play with this script from the command line)"
    iptables -F
    iptables -t nat -F
}

function iptables_router()
{
    # Allow just your own LAN
    iptables -P FORWARD DROP
    iptables -A FORWARD -i wlan0 -j ACCEPT

    # Cut off your own LAN from the wifi.
    iptables -A FORWARD -i wlan0 -d 192.168.0.0/16 -j REJECT
    iptables -A FORWARD -i wlan0 -d 10.0.0.0/24    -j REJECT

    # Route as required
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    echo "Add NAT routing as we'll need this for routing between our subnets and the internet"
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
}

function iptables_list()
{
    # List the iptables
    echo "Filter"
    iptables -L -v
    echo "NAT"
    iptables -t nat -L -v
}

function iptables_config()
{
    iptables_clear
    iptables_router
    iptables_list
}

# Tidy up in case we are playing with this script
daemon_stop

# Setup the hotspot
forwarding
daemon_start
iptables_config

# Clean exit
exit 0


4. Make it all happen on startup

Once you are happy it works add the hotspot startup lines it to rc.local so it's there on every startup:

sudo vi /etc/rc.local

Add these lines to your rc.local

/etc/rc.local
printf "Starting Wifi/Ethernet router "
/bin/bash /usr/local/bin/routerstart &


Reboot safely by typing:

sync
sudo reboot


5. Switch out after hours (optional!)

It's also possible to save bandwidth by having the router block the internet between certain hours. This is done between 2 and 8am in the following example below. To achieve this you need to edit the crontab. Do this by typing

sudo crontab -e

To make sure the bottom looks like this:
# For more information see the manual pages of crontab(5) and cron(8)

# m h  dom mon dow   command
0 2 * * * iptables -A INPUT -i wlan0 -j DROP
0 8 * * * iptables -D INPUT -i wlan0 -j DROP


This will block the wifi during 2am and 8am, unless there is a powercut ahen it will be reconnected. This stops all those chattering webpages etc from using 6 hours of bandwidth, and of course stops anyone from outside looking around!


Copyright © 2007-2023, CuteStudio
Page generated in 0.095s, Powered by Silk V1.3-0 from Cutestudio