Raspberry Pi Router

This is a different type of router, designed to attach to a WiFi internet source such as a mobile phone hotspot and provide a wired ethernet DHCP and DNS service.
It's really a variation of the Wifi Hotspot turned around the other way.

Address ranges

This sets up a 192.168.0.* network where the router sits at and the attached devices get allocated addresses in the range of to with long DHCP lease times (great for a household). Internet cafes should probably use shorter lease times.

1. Naming your router

First you'll need to set up your /etc/hosts and /etc/hostname files.


/etc/hosts   localhost
::1     localhost ip6-localhost ip6-loopback
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters    router.home router

2. Connecting to the internet via Wifi

Then set up your Wifi to connect to the source of your internet:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev


3. Install and configure the DNS software

First we need to install the software components and disable them so they don't run on their own at startup:

sudo apt-get   install dnsmasq
sudo systemctl disable dnsmasq

3.2 Configure DNSMASQ

This does both the DHCP and DNS lookup stuff for the hotspot.
If it doesn't run, the result is a type of zombie Wifi with limited functionality, and /etc/resolv.conf will not have a working nameserver, so you may want to edit in the temporary line there until you get DNSMASQ working.

Then it needs to be configured:
Create/edit /etc/dnsmasq.conf
sudo vi /etc/dnsmasq.conf
and make it look like this:

/etc/dnsmasq.conf (2.0kB)
# Cutestudio's Raspberry Pi Hotspot/Seedeclip4 dnsmasq config file:
# For option help type 'man dnsmasq', the command line options are the same as these:

# Listen only on this (i.e. only connected devices use dnsmasq)

# Allow DHCP serving
# DHCP assigns IP addresses with a lease time

# Never ask upstream about short names (without a dot or domain part)
# Never forward addresses in the non-routed address spaces.

# Really make sure we're using this (should be used by default)

# Optionally filter out adware and malware,
#  E.g to filter out facebook
   # wget -O facebook.ban https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all
   # sudo cp facebook.ban /etc

# Other adware to filter
 # https://github.com/StevenBlack/hosts
 # https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

  # wget -O final_blocklist.txt "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
  # sudo cp final_blocklist.txt /etc/final_blocklist.txt

# Stop various silliness

# To prevent the eth0 from giving us some dodgy domain via /etc/resolv.conf we ignore it via no-resolv.
#  This has the side effect of stopping us seeing the nameserver entry in there that we needed for 
#  the internet to work. So we specify some google nameservers which are just as good here.
# To keep the Pi still using the original DNS assigned via eth0's dhcpd we also edit resolvconf.conf
#  comment out the dnsmasq line there as we are using dnsmasq ONLY for the Wifi devices.

# Because we are using no-resolv...
server=                  # Forward DNS requests to Google
server=                  # Forward DNS requests to Google

# synth-domain=,[,]
# auth-zone=home,

# auth-server=,|


This has two 'adblock' host file references inside; please read the comments in the file about how to set them up.
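
dnsmasq answers with whatever address a hosts-format file gives for a name, so a downloaded blocklist is worth checking before it is copied into /etc. The following is an added example, not part of the original page: `sanitize_blocklist` is a hypothetical helper that assumes blocked names map to 0.0.0.0 or 127.0.0.1, and the sample entries are constructed.

```shell
# Added example (not from the original page): keep only sinkhole entries from
# a hosts-format blocklist before copying it into /etc for dnsmasq.
# Assumption: blocked names map to 0.0.0.0 or 127.0.0.1.

# sanitize_blocklist IN OUT: writes "0.0.0.0 name" lines to OUT, reports each
# rejected line on stderr and prints the number of rejected lines on stdout.
sanitize_blocklist() {
    : > "$2"
    awk -v out="$2" '
        function is_local(n) {   # header names that hosts files usually carry
            return n ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+|0\.0\.0\.0)$/
        }
        { sub(/\r$/, ""); sub(/#.*/, "") }   # strip CR and comments
        NF == 0 { next }
        {
            sink = ($1 == "0.0.0.0" || $1 == "127.0.0.1")
            valid = (NF >= 2)
            for (i = 2; i <= NF; i++)
                if (!is_local($i) && (!sink || $i !~ /^[A-Za-z0-9._-]+$/))
                    valid = 0
            if (!valid) { bad++; print "rejected: " $0 > "/dev/stderr"; next }
            for (i = 2; i <= NF; i++)
                if (!is_local($i)) print "0.0.0.0", $i > out
        }
        END { print bad + 0 }
    ' "$1"
}

# Constructed sample: three sinkhole entries, the usual localhost header, one
# entry pointing a name at a routable address and one malformed name.
sample=$(mktemp); clean=$(mktemp)
cat > "$sample" <<'EOF'
# Title: constructed sample list
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
127.0.0.1 metrics.example.org
203.0.113.7 bank.example.com
0.0.0.0 bad_name!.example.com
EOF
rejected=$(sanitize_blocklist "$sample" "$clean")
echo "rejected=$rejected kept=$(grep -c . "$clean")"
```

Copy the sanitized output file into /etc instead of the raw download, and treat a non-zero rejected count as a reason to look at the list before using it.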

Automating the router setup in a handy script

Now we need a script to get it all up and running.

/usr/local/bin/routerstart (1.5kB)

#!/bin/bash

function daemon_stop()
{
    echo "Stopping all wlan services (if running)..."
    systemctl daemon-reload
    systemctl stop hostapd
    systemctl stop dnsmasq
}

function daemon_start()
{
    echo "Waiting for eth0 to be setup before trying to run DNSMasq"
    sleep 10
    echo "Start DNSMasq"
    systemctl start dnsmasq
}

function forwarding()
{
    echo "Enable IPV4 forwarding"
    sysctl net.ipv4.ip_forward=1
}

function iptables_clear()
{
    echo "Clear iptables (in case we play with this script from the command line)"
    iptables -F
    iptables -t nat -F
}

function iptables_router()
{
    # Allow just your own LAN
    iptables -P FORWARD DROP

    # Cut off your own LAN from the wifi.
    # These must come before the general wlan0 ACCEPT: iptables stops at the first match.
    iptables -A FORWARD -i wlan0 -d -j REJECT
    iptables -A FORWARD -i wlan0 -d    -j REJECT
    iptables -A FORWARD -i wlan0 -j ACCEPT

    # Route as required
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    echo "Add NAT routing as we'll need this for routing between our subnets and the internet"
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
}

function iptables_list()
{
    # List the iptables
    echo "Filter"
    iptables -L -v
    echo "NAT"
    iptables -t nat -L -v
}

function iptables_config()
{
    # Assumed order: flush old rules, build the router rules, then list them
    iptables_clear
    iptables_router
    iptables_list
}

# Tidy up in case we are playing with this script
daemon_stop

# Setup the hotspot (assumed order: forwarding, firewall, then DNSMasq)
forwarding
iptables_config
daemon_start

# Clean exit
exit 0
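
iptables walks a chain from the top and stops at the first rule with a terminating target, so a REJECT that sits after an unconditional `-i wlan0 -j ACCEPT` is never reached. The check below is an added example, not part of the original routerstart script: `find_shadowed` is a hypothetical helper that reads `iptables -S` output, and the sample ruleset is constructed, with 192.0.2.0/24 and 198.51.100.0/24 as placeholder destinations rather than addresses from this page.

```shell
# Added example: report iptables rules that can never match because an
# earlier unconditional rule for the same input interface (or for all
# traffic) already ends evaluation. Reads "iptables -S" lines on stdin.
find_shadowed() {
    awk '
        $1 != "-A" { next }                      # skip -P policy lines
        {
            chain = $2; iface = ""; target = ""; extra = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!")       { extra = 1; i += 2 }  # negated match
                else if ($i == "-i") { iface = $(++i) }
                else if ($i == "-j") { target = $(i + 1); break }
                else                 { extra = 1 }          # any other match
            }
            by = ""
            if ((chain, "") in seen)         by = seen[chain, ""]
            else if ((chain, iface) in seen) by = seen[chain, iface]
            if (by != "") { print "shadowed: " $0 "  <- " by; next }
            # Remember rules that match everything from this interface
            if (!extra && target ~ /^(ACCEPT|DROP|REJECT)$/)
                seen[chain, iface] = $0
        }
    '
}

# Constructed sample in "iptables -S FORWARD" format, with the REJECT rules
# appended after the general wlan0 ACCEPT. Destinations are placeholders.
SAMPLE='-P FORWARD DROP
-A FORWARD -i wlan0 -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -i wlan0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 198.51.100.0/24 -i wlan0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

printf '%s\n' "$SAMPLE" | find_shadowed
```

On the router itself, feed it the live ruleset with `sudo iptables -S FORWARD | find_shadowed`; no output means no rule is hidden behind an earlier catch-all.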

4. Make it all happen on startup

Once you are happy it works, add the hotspot startup lines to rc.local so it's there on every startup:

sudo vi /etc/rc.local

Add these lines to your rc.local

printf "Starting Wifi/Ethernet router "
/bin/bash /usr/local/bin/routerstart &

Reboot safely by typing:

sudo reboot

5. Switch out after hours (optional!)

It's also possible to save bandwidth by having the router block the internet between certain hours. In the example below this is done between 2 and 8am. To achieve this you need to edit the crontab. Do this by typing:

sudo crontab -e

Make sure the bottom looks like this:
# For more information see the manual pages of crontab(5) and cron(8)

# m h  dom mon dow   command
0 2 * * * iptables -A INPUT -i wlan0 -j DROP
0 8 * * * iptables -D INPUT -i wlan0 -j DROP

This will block the wifi between 2am and 8am, unless there is a power cut, when it will be reconnected. This stops all those chattering webpages etc. from using 6 hours of bandwidth, and of course stops anyone from outside looking around!

Copyright © 2007-2023, CuteStudio