Blocking porn at home using a Raspberry Pi
Background
I recently attended Lascon, a security conference held annually in Austin, Texas. While there, I was inspired by one of its speakers, John Bambenek, a security expert with ThreatSTOP who secured his home network with two Raspberry Pis running a mixture of open source and proprietary software.
As a father of three, I’d been meaning to tighten up our home network for some time, and having a Raspberry Pi 3 kicking around I thought it about time I did something about it.

Wireless Access Points 101
A wireless access point is what advertises the network name you see when you try to connect to WiFi from your device. If you connected to the WiFi at home right now, you are probably connecting to your home router's WiFi network.
Your Raspberry Pi can provide that same service without any additional hardware, and it’s this access point you’ll be asking your kids to connect to.
At the time of writing, a Raspberry Pi will cost you around $40, and the software I describe is all open source (free to use).
You need to be reasonably tech savvy to complete this tutorial, but I’ve tried to keep the steps as simple and well documented as possible.
When you complete it successfully, you’ll be asking your kids to connect to your new WiFi network and they will be transparently filtered from the sites you choose to block.
How To Build a Filtered Wireless Access Point
In this guide, I will show you how to configure a wireless access point for your home that helps prevent your family stumbling on known porn sites (around 1.7 million of them), lets you create custom blacklists, and blocks a significant amount of internet advertising during their regular browsing.
Best of all, this runs as a new wireless network alongside your existing setup, so you can connect your kids' devices to it while the rest of the household carries on unfiltered.
To get started, you will need a Raspberry Pi 3 or later, with both WiFi and Ethernet enabled. Feel free to customize this (e.g. a wireless bridge) if you understand the underlying Linux networking options of a split network.
Installing Raspbian
First, let's start with a clean install of Raspbian, the official Raspberry Pi operating system. This article is based on Debian Buster running kernel 4.19. Rather than repeat the well documented steps on the Raspberry Pi website, I suggest you head there first and come back once the Pi boots.
With a fresh install, follow the onscreen instructions and configure your network settings to connect to your existing home network. You’ll need this so you can download the packages I reference below.
All good? I now recommend reading this Medium article on the Raspberry Pi Desktop itself so you can cut and paste the examples (Control-Shift-V pastes into the Terminal).
Now, let's also jump into a terminal session. If you are using the GUI desktop, you'll find the Terminal icon in the top-left navigation bar.
Set up Your Wireless Access Point
First, let's download and install the core software needed for the wireless access point:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install iptables iptables-persistent hostapd
If prompted to save your current iptables rules, say 'Yes' and continue. Once that's installed, we are going to turn the WiFi on the Raspberry Pi into a wireless access point. (On Raspbian Buster the hostapd package installs its systemd service masked; that is fine here, because hostapd will be started from the network interface configuration below rather than as a standalone service.)
First, let's edit the hostapd configuration:
sudo nano /etc/hostapd/hostapd.conf
Add the following to the file. Make sure you customize the first two options for your network, and keep in mind that this file holds your WiFi passphrase in clear text: it should be readable by root only (hostapd runs as root and does not need it to be world-readable).
# This is the name of your Wireless Access Point your devices will connect to
ssid=HomePiFilter
# The passphrase to connect to the network (WPA2-PSK requires 8 to 63 characters)
wpa_passphrase=MyS3curP@ssPhR@$E
# The following can be left as is
interface=wlan0
# WPA2 only, pre-shared key, AES-CCMP encryption (no WPA1/TKIP fallback)
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# 2.4 GHz (802.11g) on channel 1; change the channel if a neighbour is already on it
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
own_ip_addr=127.0.0.1
eapol_key_index_workaround=0
eap_server=0

Set Up Your Interfaces
To let clients on the new wireless network reach the internet through your existing network, the Pi needs to route between the two networks and NAT (masquerade) the new network behind its own home-network address.
We'll start by adding interface configurations for your existing network and your new access point.
You are going to need to pick an IP address on your home network that you are happy to reserve permanently for your Raspberry Pi, outside your router's DHCP pool. Check your current router configuration for your private network range and gateway (router) IP. My example below uses 10.0.1.1 as the gateway and 10.0.1.200 for the Pi, but yours is very likely to be different.
I'm assuming you have two network interfaces on your Raspberry Pi, wlan0 (your wireless interface) and eth0 (your physical Ethernet). Don't forget to plug your Ethernet cable in! Adjust these interface identifiers throughout this guide if yours differ.
First, open the following file:
sudo nano /etc/network/interfaces
And then add:
# This will connect to your home network via an ethernet cable
# MAKE SURE YOU CHANGE 10.0.1.200 TO AN UNUSED ADDRESS ON YOUR HOME NETWORK
# AND ENTER THE CORRECT GATEWAY ADDRESS
allow-hotplug eth0
iface eth0 inet static
address 10.0.1.200
netmask 255.255.255.0
gateway 10.0.1.1

# This is your wireless access point. The hostapd line starts hostapd with this
# config whenever wlan0 comes up (via the ifupdown hook the hostapd package installs)
allow-hotplug wlan0
iface wlan0 inet static
hostapd /etc/hostapd/hostapd.conf
address 192.168.4.1
netmask 255.255.255.0
Two things to check on a stock Raspbian Buster image: dhcpcd manages interfaces by default, so if it also takes over eth0 or wlan0 you will see a second, dynamic address next to the static one (tell it to ignore both interfaces with a denyinterfaces line in /etc/dhcpcd.conf); and wpa_supplicant must not be using wlan0 as a WiFi client at the same time as hostapd, so don't configure a home WiFi network for the Pi itself.
Set Up Traffic Forwarding
Now, let's enable IP forwarding so the Pi will route packets between the two networks:
sudo nano /etc/sysctl.conf
Find the line below and uncomment it (remove the leading #). It takes effect at the reboot below:
net.ipv4.ip_forward=1
Now, let's set up the NAT rule so traffic from the new network leaves via the Pi's home-network address, and save the rules so iptables-persistent restores them at boot:
sudo iptables -t nat -A POSTROUTING -s 192.168.4.0/24 ! -d 192.168.4.0/24 -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4
All good? Time to reboot the Raspberry Pi and log back in to the console.
Installing Pi-hole
Pi-hole is an excellent, free (though it will happily take your donations) DNS sinkhole: a DNS server that answers queries for advertising domains with a dead-end address. We are going to take advantage of that, and add our own lists to block the unwanted porn sites as well.
curl -sSL https://install.pi-hole.net | bash
(No sudo is needed in front of curl; the installer elevates itself when it needs to. You are piping a script straight from the internet into a shell, so if you would rather inspect it first, save it to a file, read it, and then run it.) This will kick off the Pi-hole installation menu. Let's walk through it:
Accept the first few pages using ‘OK’. When asked to choose the Interface, pick wlan0 (the wireless access point):

Select your preferred upstream DNS provider. Google is selected by default:

Next, choose your preferred ad-blocking provider lists (or none if you don't want to block advertisements):

Next, select the preferred protocols. If unsure, leaving both IPv4 and IPv6 checked is fine:

When asked “Do you want to use your current network settings as a static address”, answer “No”:

For your IPv4 address, enter the wlan0 network which is 192.168.4.1/24:

For the IPv4 gateway, enter 192.168.4.1:

When asked if you want to install the web admin interface, choose “On”:

When asked about installing lighttpd web server, again select “On”:

When asked about logging queries, again select “On”:

Finally, if you want to see which devices are doing what (i.e. which kids are accessing which sites), choose “0 — Show everything”

On the final page, make a note of your generated password. You’ll need this later!
Enable showing the “Website Blocked” page
By default Pi-hole answers a blocked query with an unspecified address, so the page simply fails to load. If you would rather everyone see a “blocked” page, switch Pi-hole to answering blocked A queries with its own IP address (and NODATA for AAAA), so the browser lands on the block page served by lighttpd. Edit the following file:
sudo nano /etc/pihole/pihole-FTL.conf
Add the following line at the end:
BLOCKINGMODE=IP-NODATA-AAAA
Then tell pihole-FTL to reload (if the block page still doesn't appear, restart the pihole-FTL service instead):
sudo killall -SIGHUP pihole-FTL
Expect this to work for plain http:// sites only; for https:// sites the browser shows a certificate error instead, because the Pi cannot present a valid certificate for the blocked domain.

Enabling the DHCP Server
Now you have Pi-hole installed, we need to enable its DHCP server. This will hand clients connecting to the new network an IP address on 192.168.4.0/24, separate from your existing home network, and tell them to use Pi-hole as their DNS server, which is what blocks those unwanted websites.
From the Raspbian Desktop, open the web browser and visit:
http://localhost/admin
Click 'Login' and enter the password you noted earlier, then click 'Settings' in the left-hand menu.
Click the DHCP tab and tick 'DHCP server enabled'. The defaults supplied should be sufficient for most home networks; check that the router (gateway) address is 192.168.4.1 and that the range sits inside 192.168.4.0/24:

At the bottom of the page, click ‘Save’.
Important: IGNORE the flashing red warning telling you to disable the DHCP server on your router. We aren't replacing the DHCP server on your home network; this DHCP service only answers clients that connect to the new WiFi network, because DHCP discovery is a broadcast that never leaves wlan0. (If you don't believe me, try reaching 192.168.4.1 from a device on your home network: there is no route to that host, so your home network is unaware of it.)
Installing Porn Filter Lists
Using DNS filtering we can easily block known porn sites. I'm very grateful to Chad Mayfield for publishing his block list ready to use online. If you want to see how he built it, check out his article here.
If you want to make use of the porn filtering list, edit the following file:
sudo nano /etc/pihole/adlists.list
And add this line to the end:
https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
Then, from the command line, rebuild Pi-hole's gravity database so the new list is downloaded and merged:
pihole -g
If you return to the Pi-hole dashboard you should now see the number of domains blocked around the 2 million mark. (adlists.list is how Pi-hole 4 manages lists; Pi-hole 5 moved adlists into the web interface under Group Management, where you add the same URL.)
Preventing DNS Bypassing
Now, tech-savvy kids may eventually work out that this is DNS-based filtering, and that all they need to do is change the DNS servers on their device to bypass it. We can fix that. Because the Pi is the gateway for the new network, every packet from it passes through the Pi, so we can have the NAT table redirect any DNS query on port 53, whichever server it was addressed to, to our Pi-hole:
sudo iptables -A PREROUTING -t nat -p udp --destination-port 53 -j REDIRECT --to-ports 53
sudo iptables -A PREROUTING -t nat -p tcp --destination-port 53 -j REDIRECT --to-ports 53
sudo iptables-save | sudo tee /etc/iptables/rules.v4
This catches plain DNS only. DNS-over-TLS (port 853) and DNS-over-HTTPS (which looks like ordinary HTTPS on port 443) pass straight through. You can refuse port 853 outright with a FORWARD rule, but DoH cannot be blocked by port alone, so also turn off "secure DNS" in the browsers and devices you hand out.
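The NAT rule from "Set Up Traffic Forwarding" and the DNS redirect above are the two pieces of firewall state the filtered network depends on. As an added example that is not part of the original article, here is the whole ruleset written once as an iptables-restore file, the format iptables-persistent loads from /etc/iptables/rules.v4, so that what runs at boot is exactly what you reviewed. It assumes wlan0 is the access point, eth0 faces the home LAN, the filtered network is 192.168.4.0/24 with Pi-hole at 192.168.4.1, and the home LAN is 10.0.1.0/24 (the article's example addresses; adjust via the environment variables at the top). It goes beyond the article in three ways: the FORWARD chain is default deny, DNS-over-TLS on port 853 is refused so clients fall back to plain DNS, and the filtered network is kept away from devices on the home LAN.

```shell
#!/bin/sh
# Added example, not from the original article: the whole firewall for the
# filtered access point as one iptables-restore file, instead of a few rules
# typed by hand and saved with iptables-save. Covers the NAT rule from
# "Set Up Traffic Forwarding" and the port-53 redirect from "Preventing DNS
# Bypassing", plus a default-deny FORWARD chain, a refusal of DNS-over-TLS
# (853) and isolation of the filtered network from the home LAN.
#
# Assumptions (override with environment variables): wlan0 is the access
# point, eth0 faces the home LAN, 192.168.4.0/24 is the filtered network with
# Pi-hole on 192.168.4.1, and 10.0.1.0/24 is the home LAN.
set -eu

AP_IF="${AP_IF:-wlan0}"
LAN_IF="${LAN_IF:-eth0}"
AP_NET="${AP_NET:-192.168.4.0/24}"
HOME_NET="${HOME_NET:-10.0.1.0/24}"
PIHOLE_IP="${PIHOLE_IP:-192.168.4.1}"

# Emit the ruleset in iptables-restore format on stdout
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Every DNS query arriving from the filtered network, whichever server it names,
# is rewritten to Pi-hole (same effect as the article's REDIRECT, but explicit)
-A PREROUTING -i $AP_IF -p udp --dport 53 -j DNAT --to-destination $PIHOLE_IP:53
-A PREROUTING -i $AP_IF -p tcp --dport 53 -j DNAT --to-destination $PIHOLE_IP:53
# Hide the filtered network behind the Pi's home-LAN address on the way out
-A POSTROUTING -s $AP_NET ! -d $AP_NET -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the filtered clients opened
-A FORWARD -i $LAN_IF -o $AP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# DNS-over-TLS would sidestep the port-53 rewrite; refuse it so clients fall back
-A FORWARD -i $AP_IF -p tcp --dport 853 -j REJECT --reject-with tcp-reset
-A FORWARD -i $AP_IF -p udp --dport 853 -j REJECT
# Keep the kids' network off the home LAN (printers, NAS, the router's admin page)
-A FORWARD -i $AP_IF -d $HOME_NET -j REJECT
# Everything else from the filtered network may go out to the internet
-A FORWARD -i $AP_IF -o $LAN_IF -j ACCEPT
COMMIT
EOF
}

# Write the ruleset where iptables-persistent loads it from at boot, and apply it now
install_rules() {
  gen_rules | sudo tee /etc/iptables/rules.v4 >/dev/null
  sudo iptables-restore < /etc/iptables/rules.v4
}

# Print the ruleset by default; only install it when asked to explicitly
case "${1:-}" in
  --install) install_rules ;;
  *) gen_rules ;;
esac
```

Run it with no arguments to review the rules it would install, then with --install to write rules.v4 and apply them. If you want the kids' devices to reach a printer or media server on the home LAN, add an ACCEPT for that host above the HOME_NET reject rather than removing the reject; most clients fall back to plain DNS when port 853 is refused, but a device set to strict DNS-over-TLS will simply lose name resolution, which is also a useful signal that someone is trying to go around the filter.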
Testing It All Out
We are now ready to test everything we have just set up.
Preferably from a new device, look for a new WiFi hotspot with the name you configured above. Connect to it, and enter the passphrase you also configured.
All being well, that device should now be able to connect to the internet as normal.
Now, try connecting to one of those better known porn sites. What you should see is something like the following:

Keeping An Eye On Things
If you want to see what Pi-hole is blocking for you, return to the web interface. There are three ways to get to it. The easiest is from the Raspbian Desktop, by opening the web browser and visiting http://localhost/admin. Otherwise, from your home network use the Raspberry Pi's Ethernet address (http://10.0.1.200/admin in my example), or connect to the new WiFi network and visit the gateway address at http://192.168.4.1/admin. That last option means the admin page is reachable from the filtered network too, so keep the password strong (you can change it with pihole -a -p) and don't hand it out.
Visiting the Query Log page will show you which devices have been trying to connect to where:
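The Query Log page is the convenient view, but the same information is in /var/log/pihole.log and is quicker to summarise from a shell when you want to know which device is tripping the lists most. The following is an added example, not code from the article or from the Pi-hole project: it parses the dnsmasq-format lines pihole-FTL writes, assumes the default log path, and runs on constructed sample lines by default, since the exact wording of a blocked answer varies between Pi-hole versions (the script matches several).

```shell
#!/bin/sh
# Added example, not part of the original article: a command-line version of
# the Query Log page, built from the dnsmasq-format lines pihole-FTL writes to
# /var/log/pihole.log. For each client it prints how many queries it made, how
# many answers were blocked, and which domains were blocked.
#
# Assumptions: the default log path, and that blocked answers are logged with
# one of the wordings matched below (it differs between Pi-hole versions, so
# the match is deliberately loose). The sample log lines are constructed.
set -eu

PIHOLE_LOG="${PIHOLE_LOG:-/var/log/pihole.log}"

# Constructed sample: two clients, three blocked answers
SAMPLE_LOG='Nov 10 20:15:01 dnsmasq[812]: query[A] www.example.com from 192.168.4.23
Nov 10 20:15:01 dnsmasq[812]: forwarded www.example.com to 8.8.8.8
Nov 10 20:15:01 dnsmasq[812]: reply www.example.com is 203.0.113.10
Nov 10 20:15:07 dnsmasq[812]: query[A] ads.tracker.example from 192.168.4.23
Nov 10 20:15:07 dnsmasq[812]: /etc/pihole/gravity.list ads.tracker.example is 192.168.4.1
Nov 10 20:16:30 dnsmasq[812]: query[A] www.example.org from 192.168.4.41
Nov 10 20:16:30 dnsmasq[812]: forwarded www.example.org to 8.8.8.8
Nov 10 20:16:45 dnsmasq[812]: query[A] bad.example from 192.168.4.41
Nov 10 20:16:45 dnsmasq[812]: gravity blocked bad.example is 0.0.0.0
Nov 10 20:16:50 dnsmasq[812]: query[A] bad.example from 192.168.4.41
Nov 10 20:16:50 dnsmasq[812]: gravity blocked bad.example is 0.0.0.0'

# Read log lines on stdin; print "client queries blocked domain[,domain...]" per client
summarise_log() {
  awk '
    # "query[A] domain from client": count it and remember who last asked for the domain
    substr($5, 1, 6) == "query[" { queries[$8]++; asker[$6] = $8; next }
    # A blocked answer: the domain is the word before "is"; charge it to the last asker
    /gravity\.list|black\.list|gravity blocked|blacklisted/ {
      d = ""
      for (i = 6; i <= NF; i++) if ($i == "is") { d = $(i - 1); break }
      c = (d == "") ? "" : asker[d]
      if (c == "") next
      blocked[c]++
      if (!((c, d) in seen)) { seen[c, d] = 1; doms[c] = (doms[c] == "" ? d : doms[c] "," d) }
    }
    END {
      for (c in queries)
        printf "%s %d %d %s\n", c, queries[c], blocked[c] + 0, (doms[c] == "" ? "-" : doms[c])
    }
  ' | sort
}

# With --live, summarise the real log; otherwise run on the constructed sample
case "${1:-}" in
  --live) summarise_log < "$PIHOLE_LOG" ;;
  *) printf '%s\n' "$SAMPLE_LOG" | summarise_log ;;
esac
```

Run it with --live on the Pi (with sudo if the log isn't readable by your user) to get one line per client, for example "192.168.4.41 3 2 bad.example"; a client whose blocked count keeps climbing against a small set of domains is usually an app retrying in the background, while many distinct blocked domains from one client is the pattern to go and talk about.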

Manual Blacklisting and Whitelisting
If there are additional sites you'd like to block on the network, you can add them by hand on the 'Blacklist' tab. Both exact and wildcard (regex) matching are available, which makes for a very flexible ruleset.
Equally, if Pi-hole has been overzealous with its blocking, you can allow sites again on the 'Whitelist' tab.
Limitations and Future Projects
If you haven't spotted it already, we are securing our new network through DNS filtering. It's a very effective setup: fast, flexible, and reasonably respectful of the privacy of the users on the network (for more privacy, simply turn off query logging in Pi-hole).
What it can't do is tell you that someone actually viewed a website (a DNS query only shows that a name was looked up), inspect page content, or enforce access controls such as permitted access times. It also won't stop a determined user who brings their own encrypted DNS, a VPN, or an IP address typed straight into the browser. There are tools and services to support this which I hope to follow up with at another time.
I hope you found this tutorial useful! Please share, and let me know if you want to see any follow up articles. Stay safe…
** All copyright and trademarks attributed to the original holders.
