Using a Raspberry as a Linux Router with Pi-Hole

Hi,

This morning I re-installed a pi-hole and I'm trying to set up my raspberry as a Linux router.

Here's my home network:

                             WAN                                    LAN
[InternetRouter] <--------------------------> [PiHole] <--------------------------> [Wifi-Router]
[192.168.1.1/24]        [wan: 192.168.1.2/24] -------- [lan: 192.168.2.1/24]        [192.168.2.2]

The Pi has 3 network interfaces, eth0, wlan0 and the USB ethernet adapter eth1.

I disabled the wlan0 interface, because I don't need it. In order to do so, edit the /boot/config.txt and add a line: dtoverlay=disable-wifi. You may also disable bluetooth radio by adding: dtoverlay=disable-bt

Then, to help identify those NICs, I created this file: /etc/udev/rules.d/10-network.rules

  • SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="xx:xx:xx:xx:xx:xx", NAME="wan"
  • SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="xx:xx:xx:xx:xx:xx", NAME="lan"

You'll find the proper mac addresses using ifconfig.

  • lan is the interface connected to the LAN network 192.168.2.0
  • wan is the interface connected to the WAN network 192.168.1.0

Both interfaces are configured with static IP addresses in the following files:

  • /etc/network/interfaces.d/lan
    auto lan
    iface lan inet static
      address 192.168.2.1
      netmask 255.255.255.0
      network 192.168.2.0
      broadcast 192.168.2.255
    
  • /etc/network/interfaces.d/wan
    auto wan
    allow-hotplug wan
    iface wan inet static
      address 192.168.1.2
      netmask 255.255.255.0
      gateway 192.168.1.1
    

I also disabled IPv6 and enabled IP forwarding in /etc/sysctl.conf by adding:

  • net.ipv4.ip_forward=1
  • net.ipv6.conf.all.disable_ipv6=1

Then run those iptables rules:

  • iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
  • iptables -A INPUT -i lan -j ACCEPT
  • iptables -A INPUT -i wan -m state --state ESTABLISHED,RELATED -j ACCEPT
  • iptables -A OUTPUT -j ACCEPT
  • iptables -t nat -A PREROUTING -i lan -p udp ! --source 192.168.2.1 ! --destination 192.168.2.1 --dport 53 -j DNAT --to 192.168.2.1
  • iptables -t nat -A PREROUTING -i lan -p tcp ! --source 192.168.2.1 ! --destination 192.168.2.1 --dport 53 -j DNAT --to 192.168.2.1

Then, to restore those iptables rules at each reboot:

  • sudo apt install iptables-persistent

Save those rules in a file:

  • iptables-save > /etc/iptables/rules.v4

Reload the service:

  • service iptables-persistent reload

Disable dhcpcd service:

  • sudo systemctl disable dhcpcd.service

To disable the Wi-Fi interface on a Raspberry Pi, edit /boot/config.txt and add the line
dtoverlay=disable-wifi

Similarly, you can disable the Bluetooth radio by adding
dtoverlay=disable-bt


I got something working by flushing out the iptables rules! Apparently there is something wrong in them.

Also, I had to disable dhcpcd:

  • sudo systemctl disable dhcpcd.service

Things left to do:

  • If a client sets a custom DNS server, it bypasses the Pi-hole. How can I prevent that?

Solution:

  • iptables -t nat -A PREROUTING -i <local-nic> -p tcp ! --source <local-ip-of-pihole> ! --destination <local-ip-of-pihole> --dport 53 -j DNAT --to <local-ip-of-pihole>
  • iptables -t nat -A PREROUTING -i <local-nic> -p udp ! --source <local-ip-of-pihole> ! --destination <local-ip-of-pihole> --dport 53 -j DNAT --to <local-ip-of-pihole>

In my case, I had to do:

  • iptables -t nat -A PREROUTING -i eth0 -p udp ! --source 192.168.2.1 ! --destination 192.168.2.1 --dport 53 -j DNAT --to 192.168.2.1
  • iptables -t nat -A PREROUTING -i eth0 -p tcp ! --source 192.168.2.1 ! --destination 192.168.2.1 --dport 53 -j DNAT --to 192.168.2.1

Proof:

 ~  nslookup thepiratebay.org 1.1.1.1 
Server:         1.1.1.1
Address:        1.1.1.1:53

Name:   thepiratebay.org
Address: 0.0.0.0

Name:   thepiratebay.org
Address: ::
 ~  nslookup thepiratebay.org 192.168.2.1
Server:         192.168.2.1
Address:        192.168.2.1:53

Name:   thepiratebay.org
Address: 0.0.0.0

Name:   thepiratebay.org
Address: ::

When disabling pi-hole:

 ~  nslookup thepiratebay.org 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1:53

Non-authoritative answer:
Name:   thepiratebay.org
Address: 2606:4700:7::a29f:8906
Name:   thepiratebay.org
Address: 2606:4700:7::a29f:8806

Non-authoritative answer:
Name:   thepiratebay.org
Address: 162.159.136.6
Name:   thepiratebay.org
Address: 162.159.137.6
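The rules from the first post and the DNS redirect from the "Solution" above, collected into one iptables-restore file that can be written to /etc/iptables/rules.v4. This is an added example, not the original poster's ruleset: it assumes the interface names wan/lan and the Pi-hole address 192.168.2.1 from the diagram, and it adds what the thread's list leaves implicit (explicit default policies, a loopback rule, and FORWARD rules for LAN to WAN traffic). It only generates and checks the file; loading it is left to iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and the
# Pi-hole address are assumptions taken from the network diagram; override
# them in the environment if your udev names differ.
LAN_IF="${LAN_IF:-lan}"
WAN_IF="${WAN_IF:-wan}"
PIHOLE_IP="${PIHOLE_IP:-192.168.2.1}"

# Print a complete ruleset in iptables-restore format (the format that
# iptables-save produces and iptables-persistent reloads at boot).
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect every LAN client's plain DNS (port 53, UDP and TCP) to the Pi-hole,
# even if the client configured another resolver. Queries from or to the
# Pi-hole itself are excluded so its own upstream lookups are not looped back.
-A PREROUTING -i $LAN_IF -p udp ! -s $PIHOLE_IP ! -d $PIHOLE_IP --dport 53 -j DNAT --to-destination $PIHOLE_IP
-A PREROUTING -i $LAN_IF -p tcp ! -s $PIHOLE_IP ! -d $PIHOLE_IP --dport 53 -j DNAT --to-destination $PIHOLE_IP
# Hide the 192.168.2.0/24 network behind the Pi's WAN address.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Routing: LAN may initiate towards WAN; WAN only gets replies back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Offline check: number of generated rules containing a pattern, e.g. to
# confirm the DNS redirect covers both UDP and TCP before loading the file.
count_rules() { gen_rules | grep -c -- "$1"; }

# Write the file when run directly: gen_rules > rules.v4
```

Redirecting port 53 only catches plain DNS; clients that use DNS over HTTPS or DNS over TLS are not affected by these rules.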

Is your Wifi router in AP mode?

No, it's actually in Bridge mode. I haven't found a way to assign an ip to it yet.

I had that kind of issue with a Netgear Nighthawk.

I found out I should try AP mode, and everything fell into place.

I assume it is wired, because you said you disabled WiFi on the Pi.

In layman's terms:
How did you get one Ethernet port on your lan side to accept two IP addresses? One for the router and one for the Pi-Hole.

My Pi has 2 Ethernet ports: 1 on the motherboard, 1 on USB (Amazon.com: Raspberry Pi 2 Ethernet To USB).

What I meant is:

How is the router part and the pi-hole part sharing the same address on the LAN side?

The router is not in the lan side, it's the wan side.

The wan side is on the network 192.168.1.0/24 while the lan side is on 192.168.2.0/24.

Okay,

Thanks!

I thought you had your Pi listening and routing on the same port and address.

So what you did was lie to the Pi and tell it the LAN side of your ISP gateway/router was WAN then told your pi-Router to treat that traffic as WAN?

I'm fairly sure that if you switch the wireless router to AP mode, it will allow you to assign an IP address, especially since the device in front of it is essentially the gateway as it sees the network.

No no.

Yeah I guess this is something like that. Have you seen the network diagram on the first post? It should be enough to explain what's going on.

I guess I should try indeed, haven't had the time to do it yet.

Yeah, but you labeled it as wan, and I noticed it was a local IP address. I assumed eth1 was just for the Wi-Fi router and did not understand you had isolated the two; I thought you had somehow gotten the Pi to see all that with one connection, because I was caught up with another thread that was trying to do the same thing on one port with their Wi-Fi on Starlink.
I still do not understand how DNS requests from 192.168.2.x are getting routed by 192.168.1.0, but after reading your posts a few times, I'm guessing you are using MASQUERADE and PREROUTING to make it happen.

I get the concept, but my Linux is not that good.

I linked to your post and just started asking questions.

Edit:

See if you can help this person:
