Convert your Raspberry Pi into a Router


Today we are going to convert our Raspberry Pi into an effective router to create a new local subnet where we can safely host our servers and their services.

The device we are going to use is a Raspberry Pi 3B with the latest Raspbian installed, but any *nix device with an Ethernet adapter, one free USB port (either 2.0, 3.0, USB-C or micro USB) and USB-to-Ethernet support compiled in should work (most systems have this compiled by default, so it should not be a problem).


THINGS YOU WILL NEED:

A small device (in this case a Pi), a USB-to-Ethernet cable (to create a new physical address), a switch (in case you want to extend your connections), and Ethernet cables (the lengths depend on your setup).

THINGS YOU COULD NEED:

A USB hub, in case your device has only one USB port.


Let's get things started!

  1. Connect your small device to a working router (any router with internet access will do) using the onboard Ethernet adapter. In this case the gateway interface will be eth0.
  2. Connect your USB-to-Ethernet dongle to any free USB port on your device.
  3. You should see a new interface (`ip addr`); our subnet will be on eth1. If you don't see the new interface, make sure your system supports USB-to-Ethernet.
  4. Connect a small Ethernet cable from the USB-to-Ethernet dongle to a switch (to provide networking to other devices).

I highly recommend you do these operations on a physical screen connected to your device, with a USB keyboard. Some operations over SSH could make you lose access.

I also recommend removing network-manager, netplan, or any other networking auto-configuration software, as our server will be configured statically in a way that is supported by most *nix systems.


Start by installing the `isc-dhcp-server` package, a DHCP server that automatically assigns IPs to our local subnet on eth1.

```sh
apt-get install isc-dhcp-server
```


Modify /etc/default/isc-dhcp-server to tell isc-dhcp-server to use your eth1 interface. You can uncomment the ipv6 line if you need ipv6 on your local network (which usually is not required).

```sh
vim /etc/default/isc-dhcp-server
```

```
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="eth1"
#INTERFACESv6="eth1"
```

We will be using the 192.168.2.0/24 network for our new subnet, but you can use any range you want!
Modify the dhcpd configuration in /etc/dhcp/dhcpd.conf:

```sh
vim /etc/dhcp/dhcpd.conf
```

```
# time in seconds, setup to your needs
default-lease-time 600;
max-lease-time 7200;

# 192.168.2.0/24
subnet 192.168.2.0 netmask 255.255.255.0 {
  authoritative;

  # the range of ips to give to clients
  # set at your own needs
  range 192.168.2.2 192.168.2.254;

  # i guess this can be omitted
  option subnet-mask 255.255.255.0;

  # this is important i guess
  option broadcast-address 192.168.2.255;

  # we are going to be 192.168.2.1, the router
  option routers 192.168.2.1;

  # you will be the dns server too
  option domain-name-servers 192.168.2.1;
  # otherwise, you can simply not configure a dns server and use any other
  #option domain-name-servers 1.1.1.1;
}

# an example of dhcp reservation by mac address
host adevicename {
  hardware ethernet 01:23:45:6a:bc:de;
  fixed-address 192.168.2.130; # .130 is just an example
}
```

Set yourself (the router) a static ip address:

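```sh
# bring the interface up and give it the router address
# (neither command persists across a reboot)
ip link set eth1 up
ip addr add 192.168.2.1/24 dev eth1
```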

Configure iptables to route traffic from eth1 to eth0 and vice versa:

```sh
# postrouting to our gateway interface eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# from eth0 to eth1, accept only packets of connections that were established first
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# the rules above only accept traffic; the default FORWARD policy is ACCEPT,
# so drop everything else to actually block unsolicited incoming packets
iptables -P FORWARD DROP

# enable ip forwarding if you haven't done so yet
echo 1 > /proc/sys/net/ipv4/ip_forward
```
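
The FORWARD rules above only add ACCEPT entries, so whether unsolicited traffic from eth0 reaches the subnet depends on the chain's policy. The following check is an added example, not part of the original guide: the hypothetical function `forward_verdict` reads `iptables -S FORWARD` output and reports the verdict for a new eth0-to-eth1 packet, run here on two constructed listings.

```sh
#!/bin/sh
# Added example (not from the original post): report what happens to an
# unsolicited NEW packet forwarded from the WAN side to the LAN side.
# Input: `iptables -S FORWARD` output on stdin. Limitation: only -i, -o,
# state matches and -j are read; negation and other matches are ignored.
forward_verdict() {
    wan=$1; lan=$2
    policy=ACCEPT        # kernel default when no -P line is present
    verdict=
    while IFS= read -r rule; do
        set -f; set -- $rule; set +f          # split the rule into words
        [ "$2" = FORWARD ] || continue
        if [ "$1" = -P ]; then policy=$3; continue; fi
        [ "$1" = -A ] || continue
        iif=; oif=; states=; target=
        while [ $# -gt 1 ]; do
            case $1 in
                -i) iif=$2 ;;
                -o) oif=$2 ;;
                --state|--ctstate) states=$2 ;;
                -j) target=$2 ;;
            esac
            shift
        done
        # Skip rules that cannot match a NEW packet going wan -> lan.
        [ -z "$iif" ] || [ "$iif" = "$wan" ] || continue
        [ -z "$oif" ] || [ "$oif" = "$lan" ] || continue
        case ",$states," in
            ",,"|*,NEW,*) ;;                  # no state match, or NEW listed
            *) continue ;;
        esac
        case $target in
            ACCEPT|DROP|REJECT) verdict=$target; break ;;
        esac
    done
    echo "${verdict:-$policy}"                # first terminal rule, else policy
}

# Constructed sample: the two FORWARD rules from this guide, default policy.
rules_default() {
    printf '%s\n' '-P FORWARD ACCEPT' \
        '-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i eth1 -o eth0 -j ACCEPT'
}
# Constructed sample: same rules after `iptables -P FORWARD DROP`.
rules_drop() { rules_default | sed 's/^-P FORWARD ACCEPT$/-P FORWARD DROP/'; }

rules_default | forward_verdict eth0 eth1     # ACCEPT
rules_drop    | forward_verdict eth0 eth1     # DROP
```

On the router itself, run `iptables -S FORWARD | forward_verdict eth0 eth1`; any result other than DROP or REJECT means the subnet is not filtered from the upstream network.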

To finish the setup, restart the isc-dhcp-server:

```sh
systemctl restart isc-dhcp-server
```


We will be using dnsmasq as our DNS server, because it is very easy to install and configure.

```sh
apt-get install dnsmasq
```

Configure the DNS server:

```sh
vim /etc/dnsmasq.conf
```

```
# bind on custom interface or ip
# (uncomment bind-interfaces and listen-address to answer only on the eth1 address)
#except-interface=lo
#bind-interfaces
#listen-address=192.168.2.1

# log dns queries and dhcp requests
#log-queries
#log-dhcp

# add the local domain to simple names from /etc/hosts
expand-hosts

# forward dns request to this ip
# when you can't resolve an address
server=1.1.1.1
# if omitted, dnsmasq will use resolvconf to return
# the dns configuration inherited by the dhcp server
```

Restart the dnsmasq server:

```sh
systemctl restart dnsmasq
```


Connect your server or laptop to the switch you've configured earlier, and voilà!

Enjoy!