I needed a very basic 'Internet sharing' router setup with one of my Raspberry Pis, and I thought I'd document the setup process here in case I need to do it again.
I should note that for more complex use cases, or where you really need to worry about security and performance, you should use something like OpenWRT, pfSense, or VyOS—or just buy a decent out-of-the-box router!
But I needed a super-simple router setup for some testing (seriously... look at the picture—the thing's about to fall off my desk!), and I had two network interfaces on a Raspberry Pi running the 64-bit build of Raspberry Pi OS. These instructions work on that OS, as well as Debian, Ubuntu, and derivative distros.
I'm going to assume you're okay with the first interface (eth0) using DHCP to get an IP address from a DHCP server, router, or modem it's plugged into. That will be the 'WAN' side of the router.
The 'LAN' side interface (which I'm assuming is eth1) will connect through to another computer or a switch so it can distribute connections to one or more computers.
Since the OS uses DHCPCD to manage network interfaces, edit /etc/dhcpcd.conf and add in a static IP address configuration for the 2nd ethernet interface:
interface eth1
static ip_address=192.168.1.1/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8
Reload dhcpcd with: sudo systemctl daemon-reload && sudo systemctl restart dhcpcd
Then save the following script (which comes from the Ubuntu wiki) as nat.sh, and make it executable with chmod +x nat.sh:
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, "
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, "
$MODPROBE nf_conntrack_ftp
echo -en "nf_conntrack_irc, "
$MODPROBE nf_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
echo -e "\nrc.firewall-iptables v$FWVER done.\n"
Run that script with sudo sh ./nat.sh, and at this point the Pi should be routing traffic for something simple like a bridge or Internet sharing.
Since it's not also operating as a DHCP server, you need to manually specify an IP address on the computer (or all the computers, if using a switch) connected to the eth1 / 'LAN' interface of the Pi, so set them to IP addresses greater than .1, e.g. 192.168.1.2, with the router set to 192.168.1.1.
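To confirm that the ruleset nat.sh loaded is the one intended, the following added example (not part of the original post or the Ubuntu wiki script) audits an iptables-save dump: FORWARD must default to DROP, eth0 must masquerade, and eth0-to-eth1 traffic may only be accepted for established or related connections. The sample dump is constructed and the function names are hypothetical.

```shell
#!/bin/sh
EXTIF="eth0"; INTIF="eth1"   # same interface names as nat.sh

# Constructed sample of `sudo iptables-save` output after nat.sh has run.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'

# chain_policy TABLE CHAIN DUMP: print the chain's default policy.
chain_policy() {
  printf '%s\n' "$3" | awk -v t="*$1" -v c=":$2" '
    /^\*/ { cur = $0 }
    cur == t && $1 == c { print $2; exit }'
}

# Print FORWARD rules that accept WAN->LAN traffic without limiting it to
# replies (ESTABLISHED,RELATED); nat.sh should produce none.
unsolicited_inbound() {
  printf '%s\n' "$1" | grep -E -- "^-A FORWARD .*-i $EXTIF .*-j ACCEPT" |
    grep -Ev -- '--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) '
}

# Returns 0 when the dump matches the nat.sh design, 1 otherwise.
audit_rules() {
  rules=$1; fail=0
  [ "$(chain_policy filter FORWARD "$rules")" = "DROP" ] ||
    { echo "FAIL: FORWARD policy is not DROP"; fail=1; }
  printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -o $EXTIF -j MASQUERADE" ||
    { echo "FAIL: no MASQUERADE rule on $EXTIF"; fail=1; }
  [ -z "$(unsolicited_inbound "$rules")" ] ||
    { echo "FAIL: unsolicited $EXTIF -> $INTIF traffic is accepted"; fail=1; }
  [ "$(chain_policy filter INPUT "$rules")" = "ACCEPT" ] &&
    echo "NOTE: INPUT policy is ACCEPT; services on the Pi are reachable from $EXTIF"
  return "$fail"
}

audit_rules "$SAMPLE_RULES"   # on the Pi: audit_rules "$(sudo iptables-save)"
```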
Like I said, this is not meant to be a full-featured router by any means—it's just bridging a connection through one Raspberry Pi between a 'WAN' and a 'LAN', and I didn't even configure it so it would be persistent after a reboot!
Check out Ubuntu's full Router setup guide for a more thorough setup, or just install OpenWRT ;)
Comments
You can also install FreeBSD directly on the RPi and use pf for your firewall+nat. When customized properly these home made routers are way better than most network appliances at the same hardware level.
True
which carrier board is that?
This one in particular is the Seeed Studio routerboard; check it out and the DFRobot routerboard on my Pi PCI Express Device website: https://pipci.jeffgeerling.com/boards_cm
How good is the throughput on the device? I want to move away from using my ISP's router to using my own, but want something small and energy efficient so I can keep my network up while mucking around with my home server. We do have 1Gbps here so ideally want something which can handle that speed.
I'd guess any of the Pi's ARM-based hardware will be CPU bound - especially with a burst of smaller packets.
Jeff was able to get 2.5 Gbps (by overclocking and with jumbo frames). https://www.youtube.com/watch?v=wCbQQ5-sjGM
Since much of the Internet is not built with jumbo frame support the jumbo frame throughput numbers are pointless for a router/firewall. (Cool and worth the testing for other LAN-to-LAN applications nonetheless!)
I too would be interested in detailed throughput testing routing packets through the Dual GigE Compute Board with a Pi4 Compute Module.
For the combined price of the two boards it is very quickly getting into the realm of other products' prices though.
Check out my review and the benchmarks here: Two Tiny Dual-Gigabit Raspberry Pi CM4 Routers.
Nice Project!
What kind of Raspberry Pi is that?
Haven't found one with 2 Network Interfaces.
By Jeff's earlier comment it's a Compute Module along with a Dual GigE Carrier Board (link below).
I'd guess he has an affiliate link so use that first to help him out. ;-)
https://pipci.jeffgeerling.com/boards_cm
Seeed Studio - SKU 110110090
Can you share the model of base board?
This is a nice showcase and guide to using two ethernet interfaces. I really do need to upgrade my setup to use a cat 5e connection for my WAN side connection.
I did a how-to guide on routing with a Raspberry Pi 3 using the built-in wifi interface as the 'WAN' side, bridging across to the ethernet LAN interface here: https://www.shogan.co.uk/kubernetes/building-a-raspberry-pi-kubernetes-…
The post covers setting up DHCP for the LAN side and shows a few iptables routing rules, which would be applicable to this setup too if anyone is curious as to taking this setup further with some routing logic. The downside to my specific configuration is of course the additional latency and potential signal issues with the incoming interface being wireless.
Hey!
Take a look at firehol.org for an easy substitute for that nat.sh script.
Is this even worth it over a commercial solution like a MikroTik cAP or something? I mean those devices are able to route WAN-LAN at gigabit speeds; is this board also able to do that? And as far as I have seen the cost of this solution is higher than, or equal to, a commercial solution but with fewer features it seems. I'd love to see a video on this with some speed testing and maybe some other software like OPNsense on this.
It's a myth that two or more NICs are necessary for a router.
One NIC suffices, as long as the internal network(s) make(s) systematic use of VLAN(s).
Packets cannot jump across VLANs and thus an internal VLAN-based network will stay completely isolated from the external (untagged) network even when just one physical NIC is used.
Not necessary, but highly desirable if you want full duplex gigabit throughput!
Hello Jeff!
And what about 3 NICs? Is there a solution for it? I would like to build a consistent solution to replace my pfSense PC