J. Rogers, SE Ohio, 19 July 2025, 2302
📜 1. Legacy Setup: How It All Began
In the early days of personal networking, savvy users would:
- Recycle 386 or 486 PCs to act as dedicated Linux firewalls
- Use modems and PPP dial-on-demand to connect to the internet
- Configure ipchains (later iptables) by hand
- Gradually move to SmoothWall, IPCop, or m0n0wall for UI-driven management
These setups routed all traffic through a trusted box that:
- Filtered incoming/outgoing packets
- Provided NAT
- Sometimes served as a DNS proxy, DHCP server, or web cache (via Squid)
- Gave users complete control over their own network perimeter
🚀 2. Modern Setup: The Raspberry Pi as a Smart Edge Firewall
Why the Pi?
- Low power (~3W)
- Small form factor—hide it behind the router
- Cheap—$10–$50 depending on model
- Runs full Linux—Debian-based (Raspberry Pi OS, DietPi, etc.)
- Silent—no moving parts, perfect for 24/7 use
What This Setup Does:
A single Raspberry Pi can now:
✅ Replace the router's firewall
✅ Serve as a DNS sinkhole (Pi-hole)
✅ Act as a Squid caching proxy
✅ Route all traffic through a VPN tunnel (OpenVPN or WireGuard)
✅ Block ads and telemetry across every device on the network
✅ Expose no open services to the outside world
✅ Provide metrics, monitoring, and logs if desired
🔧 3. Network Architecture
🖧 Diagram
[LAN Devices]
      │
      ▼
[ Raspberry Pi Firewall ]   (WireGuard/OpenVPN, Pi-hole, Squid)
      │  encrypted tunnel
      ▼
[ISP Router/Modem]
      │
      ▼
[Internet]  → VPN server → destination
The Raspberry Pi sits between your LAN and the internet: its LAN-facing NIC carries a subnet of its own, separate from the ISP router's, and its WAN-facing NIC is just another client of that router. You configure your internal devices to:
- Use it as the gateway
- Use it as the DNS server
The easiest way is to turn off DHCP on the ISP router and let Pi-hole's built-in DHCP server hand out the Pi's address for both roles. All external traffic then passes through the Pi first, which wraps it in the VPN tunnel, so the router and the ISP see nothing but encrypted UDP to the VPN server.
🧰 4. Core Components
1. Pi-hole (DNS-based Ad Blocker)
- Filters domains using community-maintained blocklists
- Removes ads at the DNS level, before the HTTP(S) request is ever made
- Easy web UI
- Works on all devices, no plugins required, as long as they use the Pi as their resolver (a device that hard-codes another resolver, or uses DNS-over-HTTPS, walks around it unless the firewall redirects port 53)
Install (fetch the installer first rather than piping it straight into bash, so you can read what is about to run as root):
curl -sSL https://install.pi-hole.net -o basic-install.sh   # read it, then run it
sudo bash basic-install.sh
2. Squid Proxy (Optional HTTP Cache)
- Caches static content (images, scripts) for faster browsing
- Saves bandwidth
- Supports transparent proxying (with an iptables/nftables REDIRECT rule for port 80)
- Caveat: transparent mode only sees plain HTTP. Caching HTTPS would need Squid's SSL Bump, i.e. a private CA on every device and a deliberate MITM of your own traffic, which cuts against the rest of this design. With most sites on HTTPS today, treat Squid as optional.
Install:
sudo apt install squid
3. OpenVPN / WireGuard (VPN Tunneling)
- Routes all traffic through an encrypted tunnel
- Hides destinations and contents from the ISP and from a compromised ISP router, and defeats on-path tampering between the Pi and the VPN server. It does not make traffic invisible: the VPN provider now sees what the ISP used to, so choose and configure it with that in mind
- Easy to auto-start at boot (wg-quick@wg0 as a systemd unit)
- WireGuard is newer, faster, simpler: one fixed cipher suite with no negotiation, a config file of a dozen lines, and it is in the mainline Linux kernel that Raspberry Pi OS ships
WireGuard Install:
sudo apt install wireguard
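The configuration that goes with the install above, as an added example (not from the original post). It writes /etc/wireguard/wg0.conf for the Pi as a VPN client and enables it at boot. The tunnel address 10.8.0.2/32, the placeholder server public key and the endpoint 203.0.113.10:51820 (an RFC 5737 documentation address) are assumptions; a real provider supplies all three. Run it on the Pi as `wg-setup.sh install`.

```shell
#!/bin/sh
# Write the Pi's upstream WireGuard tunnel config and enable it at boot.
# Added example, not from the original post. Key material and the endpoint are
# placeholders/assumptions; a real client gets them from the VPN server operator.
set -eu

# write_wg_conf PATH PRIVATE_KEY TUNNEL_ADDR PEER_PUBLIC_KEY ENDPOINT
write_wg_conf() {
  conf="$1"; privkey="$2"; address="$3"; peer_pub="$4"; endpoint="$5"
  # The file holds a private key: create it owner-readable only.
  ( umask 077; cat > "$conf" <<EOF
[Interface]
PrivateKey = $privkey
Address = $address
# No DNS = line on purpose: the Pi resolves through its own Pi-hole (and Unbound
# if installed), not the VPN provider's resolver.

[Peer]
PublicKey = $peer_pub
# An IP literal, not a hostname, so the tunnel can come up before DNS works.
Endpoint = $endpoint
# 0.0.0.0/0 makes wg-quick send everything through wg0, the Pi's own traffic and
# the LAN traffic it forwards, via a policy-routing rule; only packets to the
# Endpoint itself still use the WAN NIC.
AllowedIPs = 0.0.0.0/0
# Keeps the UDP mapping alive through the ISP router's NAT and gives a
# handshake watchdog something steady to observe.
PersistentKeepalive = 25
EOF
  )
}

if [ "${1:-}" = "install" ]; then
  # Generate this Pi's key pair; hand the public half to the VPN server.
  priv=$(wg genkey)
  printf '%s\n' "$priv" | wg pubkey > /etc/wireguard/wg0.pub
  # Hypothetical tunnel address, server key and endpoint (assumed values).
  write_wg_conf /etc/wireguard/wg0.conf "$priv" 10.8.0.2/32 \
    "SERVER_PUBLIC_KEY_GOES_HERE" 203.0.113.10:51820
  systemctl enable --now wg-quick@wg0
  wg show wg0
fi
```

After `wg show wg0` reports a recent handshake, check from the Pi that its public address is now the VPN server's and not the ISP's; if the LAN still sees the ISP address, the forwarding rules are the next thing to look at.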
4. iptables / nftables (Packet Filtering)
- Controls all routing and access
- NAT, port forwarding, filtering, logging
- On current Raspberry Pi OS the iptables command is a compatibility front end to nftables, so either syntax ends up in the same kernel tables
Example: only allow forwarded traffic from the LAN (eth0) out through the VPN interface (wg0). The default DROP policy on FORWARD is the important line: without it, a tunnel that is down lets LAN traffic leak straight out the WAN side.
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
🧩 5. Optional Enhancements
| Feature | Tool / Suggestion |
|---|---|
| Upstream DNS privacy (local recursive resolver, or DNS-over-TLS forwarding) | Unbound |
| Intrusion Detection | Suricata, Snort |
| Log Aggregation | Promtail + Loki + Grafana |
| Traffic Visualization | ntopng, bandwhich |
| SSH brute-force protection | Fail2Ban |
| VPN for Remote Access | WireGuard (phone/laptop tunnel home) |
| Custom Blocklists | StevenBlack, NoTracking, Energized |
| Host-based Monitoring | Monit, Cockpit |
Remote-access WireGuard is the one exception to the "no open ports" rule below: the Pi then listens on a single UDP port. WireGuard stays silent to anything that is not a valid handshake, so a port scan still sees nothing, but the port-forward on the ISP router is a piece of exposure to keep in mind.
🧱 6. Security Principles
- No open ports: nothing listens on the WAN side, so external scans hit a wall
- Minimal attack surface: the Pi's only contact with the WAN is one outbound WireGuard/OpenVPN session
- Encrypted upstream: no plaintext DNS or HTTP leaves the Pi. Inside the LAN, clients still speak plain DNS to Pi-hole, which is why the LAN itself has to be trusted
- Local-only admin access: the firewall is headless and SSH is reachable only from the LAN
- Physical segmentation: two NICs (onboard Ethernet plus a USB Ethernet adapter) so LAN and WAN never share a link and the routing stays clean
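The packet-filter rules from section 4 and the principles above come together in one ruleset. The following is an added example, not configuration from the original post, written in nftables (which is what iptables on current Raspberry Pi OS translates into anyway). It assumes names the post does not give: eth0 is the LAN NIC, eth1 the USB Ethernet adapter facing the ISP router, wg0 the tunnel, the LAN is 192.168.10.0/24 with the Pi at 192.168.10.1, and the VPN server is 203.0.113.10 on UDP 51820 (an RFC 5737 documentation address). The script prints the ruleset so it can be reviewed first; `edge-fw.sh apply` turns on forwarding and loads it.

```shell
#!/bin/sh
# Generate the Pi's nftables ruleset. Added example, not from the original post.
# Assumed names (not in the original): eth0 = LAN NIC, eth1 = USB Ethernet toward
# the ISP router, wg0 = WireGuard tunnel; LAN 192.168.10.0/24 with the Pi at
# 192.168.10.1; VPN server 203.0.113.10 (RFC 5737 documentation address), UDP 51820.
set -eu

# gen_ruleset LAN_IF WAN_IF WG_IF LAN_NET PI_IP VPN_IP VPN_PORT -> ruleset on stdout
gen_ruleset() {
  lan_if="$1"; wan_if="$2"; wg_if="$3"
  lan_net="$4"; pi_ip="$5"; vpn_ip="$6"; vpn_port="$7"
  cat <<EOF
flush ruleset

table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # Only the LAN may reach services on the Pi: SSH, DNS (Pi-hole), its web UI,
    # Squid, DHCP. Nothing from the WAN side is ever accepted, so the ISP router
    # (and anything scanning through it) sees a closed host.
    iifname "$lan_if" ip saddr $lan_net tcp dport { 22, 53, 80, 3128 } accept
    iifname "$lan_if" udp dport { 53, 67 } accept
    iifname "$lan_if" icmp type echo-request accept
    # DHCP lease for the WAN NIC from the ISP router (remove if $wan_if is static)
    iifname "$wan_if" udp sport 67 dport 68 accept
    # IPv6 is not handled here and is dropped by policy; disable it on the Pi
    # (net.ipv6.conf.all.disable_ipv6=1) unless you add the ICMPv6 rules it needs.
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Kill switch: LAN traffic may leave only through the tunnel. There is no
    # rule from $lan_if to $wan_if, so with $wg_if down traffic is dropped, not leaked.
    iifname "$lan_if" oifname "$wg_if" accept
  }

  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oifname "$lan_if" accept
    # The Pi itself may touch the WAN only to keep the tunnel up (and get a lease)
    oifname "$wan_if" ip daddr $vpn_ip udp dport $vpn_port accept
    oifname "$wan_if" udp sport 68 dport 67 accept
    # Everything else the Pi originates (apt, blocklist updates, Squid fetches,
    # upstream DNS) goes through the tunnel
    oifname "$wg_if" accept
  }

  chain prerouting {
    type nat hook prerouting priority -100;
    # Devices with a hard-coded resolver (8.8.8.8 and friends) still land on Pi-hole
    iifname "$lan_if" udp dport 53 ip daddr != $pi_ip dnat ip to $pi_ip
    iifname "$lan_if" tcp dport 53 ip daddr != $pi_ip dnat ip to $pi_ip
  }

  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$wg_if" masquerade
  }
}
EOF
}

if [ "${1:-}" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  gen_ruleset eth0 eth1 wg0 192.168.10.0/24 192.168.10.1 203.0.113.10 51820 | nft -f -
fi
```

To make it survive a reboot, save the generated text to /etc/nftables.conf and enable the nftables service. The port-53 redirect catches clients that ignore the DHCP-assigned resolver, but not clients that speak DNS-over-HTTPS, which looks like any other HTTPS flow on 443.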
⚙️ 7. Maintenance Checklist
- ✅ Auto-update blocklists (cron or Pi-hole GUI; the installer already adds a weekly pihole updateGravity cron job)
- ✅ Auto-restart VPN on failure (watch the last-handshake time, not just whether the interface exists: a dead tunnel still has a wg0 interface)
- ✅ Monitor Squid cache health (clean regularly)
- ✅ Secure local SSH (key-only auth with password logins disabled, listening on the LAN address only; a nonstandard port cuts log noise but is not a security control)
- ✅ Back up config files weekly (/etc/nftables.conf, /etc/wireguard, /etc/pihole)
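The tunnel check from the list above, as an added example that is not from the original post. It parses `wg show wg0 latest-handshakes` (one line per peer: public key, a tab, and the Unix time of the last handshake, 0 if there has never been one) and restarts wg-quick@wg0 when the newest handshake is older than a threshold. The 300-second threshold is an assumption: with PersistentKeepalive set, WireGuard rekeys about every two minutes, so five minutes without a handshake means the session is dead. Run it every minute from cron or a systemd timer as `wg-watchdog.sh check`.

```shell
#!/bin/sh
# Watchdog for the upstream WireGuard tunnel: restart wg-quick@wg0 when the
# last handshake is older than a threshold. Added example, not from the original post.
set -eu

# handshake_age SHOW_OUTPUT NOW
# SHOW_OUTPUT is the text of `wg show wg0 latest-handshakes` ("<pubkey>\t<unix-time>" per peer).
# Prints the age in seconds of the newest handshake, or 999999 when no peer has
# ever completed one (wg reports a timestamp of 0 in that case).
handshake_age() {
  show="$1"; now="$2"
  latest=$(printf '%s\n' "$show" | awk '{ if ($2 > m) m = $2 } END { print m + 0 }')
  if [ "$latest" -eq 0 ]; then
    echo 999999
  else
    echo $((now - latest))
  fi
}

# tunnel_stale SHOW_OUTPUT NOW THRESHOLD -> succeeds when the tunnel needs a restart
tunnel_stale() {
  [ "$(handshake_age "$1" "$2")" -gt "$3" ]
}

# Only act when invoked as the watchdog; the functions above stay callable on their own.
if [ "${1:-}" = "check" ]; then
  # 300 s is an assumed threshold: rekeys happen about every 120 s while
  # PersistentKeepalive traffic flows, so five minutes of silence is a dead session.
  if tunnel_stale "$(wg show wg0 latest-handshakes)" "$(date +%s)" 300; then
    logger -t wg-watchdog "wg0 handshake stale, restarting tunnel"
    systemctl restart wg-quick@wg0
  fi
fi
```

Because the firewall's kill switch drops LAN traffic while the tunnel is down, a stale tunnel shows up as "the internet is broken" rather than as a silent leak; the watchdog's job is to make that window short, and the logger line gives you a timestamp to correlate with the Pi-hole and ISP router logs afterwards.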
🧠 8. Philosophy
"The router is not the perimeter—the Pi is."
This setup represents a shift in control: from blind trust in commercial routers and cloud DNS, to full visibility and autonomy over your network boundary. It’s minimal, elegant, and robust.
🔚 9. Final Thoughts
If you’ve ever wished your home network could work more like a hardened corporate firewall—but with zero telemetry and full transparency—this is it.
You don't need cloud subscriptions.
You don't need an expensive appliance.
You just need a Pi and some willpower.