Butterworth (Part 1) : Raspberry Pi 3 Home Gateway

Note : This forms part of a multi-part tutorial that will ultimately describe how I make my home smart.

The working test setup — before making it all neat.

So I recently bought a house in what we call an “Estate” or “Complex” here in South Africa. It is basically a few walled off blocks of suburbia with controlled access and a secured perimeter. Levies are paid monthly for access to shared use of a pool, gym, playground, and (more importantly) Internet.

However, the network connecting us to the Internet is basically just a DHCP allocated Ethernet network with a gateway going out over a 500mbps link. For most people this is fine — and they are not bothered if someone else on the network can see and interact with their devices. They usually just have an access point plugged into the CAT-5 cable coming out the wall in their house. Thus all their iPads, phones, TVs, etc. are visible to others as one big LAN party.

This is obviously not ideal for a techie, so I proceeded to build a firewall / gateway of my own in order to isolate my home network from everyone else. Sure, I could just go out and buy a home gateway / router, but where is the fun in that?

Step 1 : Materials

  • Raspberry PI 3
  • USB-to-Ethernet Adapter (I used an Ultralink UL-USB02-EN)
  • RPi Power Supply
  • 16Gb MicroSD Card
  • Peripherals to do setup (display, mouse, keyboard)

Step 2 : Preparation

So the basic idea is to endow the Raspberry Pi with two Ethernet ports. One is on board, and the Ultralink adapter provides the other. Thus the CAT-5 cable coming out of the wall and connected to the Estate network will plug into one port, and a CAT-5 cable going to my internal network will go into the other.

In between will be a properly configured Linux (Raspbian Jessie) doing the heavy lifting.

Step 3: Installing Jessie onto the SD card

This is basic drive imaging stuff and best described by https://www.raspberrypi.org/documentation/installation/installing-images/

Be sure to download the Raspbian Jessie Lite image (Not NOOBS).

Step 4: Start it up

Once you have a micro SD card with a clean Raspbian Jessie install, it’s time to connect everything up and boot up the Pi.

Once presented with the login prompt you can use the default Jessie credentials :

username: pi
password: raspberry

Step 5: Basic Configuration

Let’s first go root :

pi@raspberry:~ $ sudo su

And then make sure everything is up to date — This may take a while so go grab a coffee :

root@raspberry:~ $ apt-get update; apt-get -y upgrade

Next configure a hostname — I ultimately want a voice assistant like Amazon’s Alexa — called Butterworth — that can switch things on and off around the home, play music, etc. So my personal TLD for the various devices to be added on my network will be butterworth.

root@raspberry:~ $ echo "gateway.butterworth" > /etc/hostname; hostname -F /etc/hostname; bash;
root@gateway:/home/pi#

And then finally, you may create yourself a user other than pi, although I prefer using an ssh key and disabling all password authentication. It’s up to you.

Step 6: Configure Interfaces

Before we can do any networking, we need to ensure both ethernet interfaces are configured correctly. So running ifconfig reveals the interfaces :

pi@gateway:~ $ ifconfig | grep eth
eth0      Link encap:Ethernet  HWaddr b8:27:eb:9a:a1:62
eth1      Link encap:Ethernet  HWaddr 00:e0:4c:53:44:58

As you can see I have an eth0 and eth1

eth0 is the port connected to the Estate’s network, henceforth referred to as the WAN.

eth1 is the Ultralink USB-to-Ethernet adapter, and will be connected to a WiFi access point — Later I will plug in a switch to take my home network throughout the home.

Let’s configure these in /etc/dhcpcd.conf — Note that many guides suggest using /etc/network/interfaces but this will not work on the Pi.

I have decided to use the 10.0.0.0/24 network (simply because the WAN serves 192.168.0.0/24 addresses) but you could make it any other subnet:

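nano /etc/dhcpcd.conf
#Add the following lines
interface eth1
# the /24 prefix matches the 255.255.255.0 netmask used for the DHCP server later
static ip_address=10.0.0.1/24
static routers=10.0.0.1
# dhcpcd expects name servers separated by spaces
static domain_name_servers=10.0.0.1 8.8.8.8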

Notice how the interface uses itself as the gateway and DNS with Google’s DNS ( 8.8.8.8 ) as secondary.

Right. So it seems a /etc/init.d/networking restart does not configure the interface properly. So reboot :

sudo reboot

Once done, you should see eth0 now has its assigned address :

Step 7: DHCP Server

On the home side of the network (eth1), I would like devices to get an IP address just as they would on any other WiFi network. I would also like the ability to assign static IP addresses to certain devices, such as printers and media servers.

To do this I use the well known isc-dhcp-server package (formerly called dhcp3)

apt-get install -y isc-dhcp-server

Depending on the interface it tries to use (default is eth0) it may fail to start up. To be clear you can run the following to give you a verbose error :

systemctl status isc-dhcp-server.service

Now let’s configure it —

nano /etc/dhcp/dhcpd.conf
#add the following to the end
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.10 10.0.0.50;
    option domain-name-servers 10.0.0.1, 8.8.8.8;
    option domain-name "butterworth";
    option routers 10.0.0.1;
    option broadcast-address 10.0.0.255;
    default-lease-time 600;
    max-lease-time 7200;
}

And then a restart

/etc/init.d/isc-dhcp-server restart

So now with the Access Point plugged into eth1 I should get an IP address :

Indeed I have received 10.0.0.13

Step 8: Routing

So now I have a laptop connected to the Pi via eth1 and I have internet access via eth0

In order to tie it together and actually route between the two, we use iptables :

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
mkdir /etc/iptables; iptables-save > /etc/iptables/rules.v4

The first three lines clear any rules that may have been present, although with a default Raspbian Jessie install there will be none.

The next two lines do the NATting and route traffic between the two interfaces.

The last line saves the iptables configuration to /etc/iptables/rules.v4

But this will not persist across reboots. So we add a line to rc.local to restore like so :

nano /etc/rc.local

#add the following (BEFORE THE exit 0)
iptables-restore /etc/iptables/rules.v4
exit 0

This will run on startup and configure your iptables.
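
The rules above flush the tables but leave the default INPUT and FORWARD policies at ACCEPT, so nothing filters traffic arriving on eth0, either to the Pi itself or forwarded toward the home network. As an added example (not part of the original post), this generator emits a default-drop ruleset in the format iptables-restore reads; the function name gateway_rules and the UDP 67/68 rule for the WAN-side DHCP client are assumptions of the example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-port gateway.
# Interface names are arguments; the page uses eth0 (WAN) and eth1 (home LAN).
# Routing also needs kernel forwarding: sysctl -w net.ipv4.ip_forward=1
# (persist it with net.ipv4.ip_forward=1 in /etc/sysctl.conf).
gateway_rules() {
    wan=$1
    lan=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Same NAT rule as the page: hide the home subnet behind the WAN address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# Default-drop for traffic to the Pi and through it; the Pi's own output is allowed
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP replies for the WAN-side client (assumption: eth0 stays on DHCP)
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
# The home side may reach the Pi (DHCP, SSH, ntopng)
-A INPUT -i $lan -j ACCEPT
# Replies to connections the home side opened
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections only from home to WAN, never the reverse
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the page's interfaces (or the two names given as arguments).
# Check it as root with: gateway_rules eth0 eth1 | iptables-restore --test
gateway_rules "${1:-eth0}" "${2:-eth1}"
```

Redirecting the output to /etc/iptables/rules.v4 lets the rc.local line above load it at boot.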

Step 9: Testing

Success! I can ping Google.

Step 10: Optional Extras

Now that we have a basic gateway going, it can be modified depending on your requirements. For example :

A network traffic GUI — ntopng — ( http://www.ntop.org ) :

apt-get install -y ntopng

Results in a nice realtime analysis of traffic flowing over the gateway :

So now my house has secure Internet. The first step of many towards a smart home.

Thanks for reading.