Raspberry Pi Internet Gateway & Firewall


Raspberry Pi Gateway

Preamble

This article describes how to create an internet gateway using the Raspberry Pi. The terms gateway/router/firewall are similar and the RasPi will perform all of these duties.

It will function as a gateway by sitting between all devices on the network and the internet connection box, in this case an NBN router. The Raspi system will function as a router in its own right by sharing the internet connection with all devices on the network. As all internet traffic has to pass through this gateway, it can be configured as a firewall by controlling what is allowed in and out.

You could simply attach the network switch directly to the NBN router without a separate gateway, or even plug devices directly into the NBN router and/or also connect to it wirelessly. This is the method most commonly used, especially by non-tech types and is completely fine. However, NBN routers come configured with their own interface with limited options. Lobbing a gateway system between the network and the NBN router means you have unlimited configuration options through the awesome Linux operating system. This is definitely for tech types only..

The procedure will be based upon my experiences with setting up gateway and firewall systems using Unix and Linux on regular PC hardware. The links to these are listed at the end of the page and may be useful for some background reading, which is beyond the scope of this article.

Prerequisites

You will need a working knowledge of using the Linux command line interface (CLI), a solid theory of ethernet networking (thank-you, Xerox) and a Masters degree in TCP/IP. A Diploma in Network Engineering from TAFE Tasmania will do just nicely..

Preparing the RasPi

For my sins I am using an earlier RasPi 1B model which includes 2 USB ports and one ethernet port. I will not be using wireless as I need maximal data speed through the gateway. The second interface will comprise a USB-ethernet adapter, plugged into one of the Pi's USB ports.

I am using the peculiarly-named Raspbian Stretch on a 16GB SDCard (find instructions here). The graphical interface isn't strictly necessary for a gateway and will inevitably sap some of the limited system resources, but I plan to plug in a monitor to run Conky to keep an eye on things and keep it pretty. Most of the configuration however will use SSH so don't forget to enable ssh before plugging the SDCard into the RasPi.

To start off I booted the RasPi with the ethernet cable connected to my existing network. You will need a DHCP Server to allocate an IP Address to the Pi. Usually this will be the NBN router or similar. Consult the router's logs to see which IP to use to connect using SSH (default user/password is pi/raspberry). Alternatively connect a keyboard, mouse and monitor to the RasPi and run the ifconfig command in a terminal window.

Configuring Updates

With a virginal copy of Raspbian booted up, I usually run a few basic configuration steps..

sudo raspi-config opens a menu where the default SSH password can be changed - highly recommended - and also change the hostname to something more original.

Run sudo apt-get update and sudo apt-get upgrade to get the latest versions of everything on the system. Grab a coffee as this can take some time..

Configuring Networking

Firstly log-in to the web interface of your NBN router and navigate to its networking section. Take note of the IP address as this will be needed later..

To configure the network interface on the RasPi gateway, run the ifconfig command and take note of the ethernet interface. This is usually called eth0 and should already have an IP Address. This now needs to be a static IP as the Gateway can't rely on another (DHCP) Server to connect it to the network. That would be plain silly.

Using the editor of your choice, edit the file /etc/dhcpcd.conf and enter the information from the ifconfig command into the relevant section. Examples are shown in the file itself. Here you can change the static IP address (usually class C - 192.168.0.1-192.168.0.254) if required. Make sure the subnet mask ('Mask') remains compatible with the IP (usually class C - 255.255.255.0) and that the default gateway is the IP of your NBN router. Save and close. This will be your internal-facing network interface (i.e. will sit on your LAN).

Run the command sudo ip link set eth0 down && sudo ip link set eth0 up where eth0 represents the network interface (modify this if necessary). This should reload the network without a reboot. Time is money after all.

After reloading the network system, make sure there is still internet connectivity. I use ping google.com. Do not proceed until this works. Things are about to become a bit more complicated.

Before continuing, if you are configuring the RasPi gateway from another workstation, make sure it has a static IP address. Internet (and wireless) routers function as DHCP servers, but will not be available after the next few steps..

Shut down the RasPi system, disconnect the internally-facing ethernet cable and plug this into a network switch (see diagram at top of page). This will be your internal network connection for all devices on the LAN. Make sure all wired devices, including any separate wireless access points, now connect to this switch. This includes the workstation you are using to ssh into the pi gateway.

Next attach the second network interface - usually a USB to ethernet adapter - to the RasPi gateway and connect it to your NBN router with a network cable. When the RasPi boots it should detect the second network interface and the LEDs should light up on the adapter. Lovely. Running ifconfig again should identify the second adapter as eth1. This is now your outward facing network adapter.

Again edit /etc/dhcpcd.conf and add the IP details of the outward facing (USB-Ethernet) interface - usually eth1. This IP must be compatible with the IP of your NBN router, typically a Class A IP like 10.0.0.1. You checked it earlier..

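To get the packet forwarding thing happening, run this command with gusto: echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward (piping into sudo tee is needed because with sudo echo 1 > /proc/sys/net/ipv4/ip_forward the redirect is performed by your own unprivileged shell, not by sudo, and fails with "Permission denied").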

Then edit the file /etc/sysctl.conf and uncomment the line to enable packet forwarding for IPv4: net.ipv4.ip_forward=1.

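Run the command sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE to make the address translation (NAT) happen. The -o interface must be the outward-facing one (eth1 here), so that traffic from the LAN leaves towards the NBN router carrying the gateway's own address.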

If it's all working, save the iptables rules to a file so it all happens automatically on reboot: sudo sh -c 'iptables-save > /etc/iptables.up.rules' (the sh -c wrapper makes the redirect run as root too).

Next create a script in /etc/network/if-pre-up.d/ with the following contents..

sudo vi /etc/network/if-pre-up.d/iptables

==========================================
#!/bin/sh
#This script restores iptables upon reboot

iptables-restore < /etc/iptables.up.rules

exit 0
==========================================

Change ownership and permissions of the script so it will run at boot..

sudo chown root:root /etc/network/if-pre-up.d/iptables && sudo chmod +x /etc/network/if-pre-up.d/iptables && sudo chmod 755 /etc/network/if-pre-up.d/iptables
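
Because /etc/iptables.up.rules is restored on every boot, it is worth checking the saved file before relying on it. The script below is an added example, not part of the original article: it assumes eth0 is the LAN side and eth1 the outward side as described above, the function names are hypothetical, and the default-drop FORWARD policy it checks for is this example's own firewall baseline rather than something the steps above configure.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes eth0 = LAN and eth1 = WAN as in
# the article; audit_rules and sample_rules are hypothetical helper names.

# Constructed sample in iptables-save format (trimmed, not from a real system).
sample_rules() {   # $1 = interface to masquerade on, $2 = FORWARD policy
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
*filter
:FORWARD $2 [0:0]
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
}

# Print a space-separated list of findings; empty output means the file passed.
audit_rules() {    # $1 = rules file, $2 = WAN interface, $3 = LAN interface
    rules=$1; wan=$2; lan=$3; problems=""

    # NAT must rewrite traffic leaving via the WAN side, never the LAN side.
    grep -Eq -e "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" "$rules" \
        || problems="$problems no-masquerade-on-$wan"
    grep -Eq -e "^-A POSTROUTING .*-o $lan .*-j MASQUERADE" "$rules" \
        && problems="$problems masquerade-on-$lan"

    # Baseline chosen for this example: forwarded packets are dropped by default
    grep -q -e "^:FORWARD DROP" "$rules" \
        || problems="$problems forward-policy-not-drop"
    # and replies to connections opened from the LAN are allowed back in.
    grep -Eq -e "^-A FORWARD .*(--ctstate|--state) [A-Z,]*ESTABLISHED.*-j ACCEPT" "$rules" \
        || problems="$problems no-established-rule"

    echo "${problems# }"
}

# Demo on a constructed file that masquerades on the LAN side and forwards all.
# On the gateway itself: audit_rules /etc/iptables.up.rules eth1 eth0
tmp=$(mktemp)
sample_rules eth0 ACCEPT > "$tmp"
echo "findings: $(audit_rules "$tmp" eth1 eth0)"
rm -f "$tmp"
```

A ruleset containing only the MASQUERADE rule will report forward-policy-not-drop and no-established-rule: it routes and translates, but filters nothing.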

Conclusion

Done! Speed testing showed that this RasPi 1B-based gateway ran consistently at a totally shithouse 3mbps on my 12mbps NBN connection. I've been getting the full 12 monkeys through my ageing Compaq Celeron 600 slimline, running Linux Mint 8 gateway with 496mb RAM for fuck's sake.

So why bother, you ask? I agree. Maybe a later RasPi will fare better.. Feel free to use these instructions to create a PC-based Linux network gateway. Time to revisit some of those old AMD Athlon motherboards. Pass the wine will you..?

AndyM | Updated July 2019