Using the Raspberry Pi as a router?

I've been using my model B as a router with traffic shaping, using just the one Ethernet port it comes with. Here's a quick-and-dirty on how:

1. Enable IPv4 Forwarding, so your Pi acts as a router by forwarding any traffic it receives

2. Configure your Pi with static network configuration so it will not be influenced by DHCP changes suggested below. Here are the contents of my /etc/network/interfaces as reference:

   # pi@flux:/home/pi/projects/adsl/rrdlogger (master *)
   # cat /etc/network/interfaces 
   auto lo
   iface lo inet loopback
   #iface eth0 inet dhcp
   iface eth0 inet static
    address 192.168.1.1
    netemask 255.255.255.0
    gateway 192.168.1.254 # IP of my ADSL router box
   allow-hotplug wlan0
   iface wlan0 inet manual
   wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
   iface default inet dhcp
   

3. Now change your network's DHCP settings such that the default gateway/router is your Pi. This likely means changing the settings on your existing ADSL router box. In my example above, my Pi's IP address is 192.168.1.1.

When your devices next reconnect to the network, they will be told your Pi is their gateway to the internet, and all they internet-bound traffic will be sent to it. Your Pi will in turn relay all that traffic to your usual router. You might need to disconnect and then reconnect your devices for these changes to take effect.

Now you can create or install a tool to do your monitoring for you, such as vnstat.

Traffic Shaping

As for traffic shaping, here's another quick-and-dirty guide which will make use of my own personal variant of wondershaper.

For this to be useful you need to know how fast your internet connection is. You can usually find this from your (original) router's web interface, but failing that you can get an estimate using a speedtest.

1. sudo apt-get install iptables
2. wget https://raw.github.com/meermanr/adsl/master/wondershaper/wondershaper

3. sudo ./wondershaper eth0 will print the current status of traffic shaping. Obviously the expected status is there is no shaping, which means there's a single rule in effect, called pfifo_fast:

   • (eth0 is the name of the wired network adaptor on a model B. See ifconfig for the names of interfaces on your system)

   # pi@flux:/home/pi/projects/adsl/wondershaper (master *)
   # sudo ./wondershaper eth0
   qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
    Sent 1908 bytes 15 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0
   

4. sudo ./wondershaper eth0 3000 370, where:

   • 3000 is my internet connection's downlink speed in kbit. So 3Mbit == 3000kbit
   • 370 is my internet connection's uplink speed, in kbit again.

5. sudo ./wondershaper eth0 should now show much more output:

   # pi@flux:/home/pi/projects/adsl/wondershaper (master *)
   # sudo ./wondershaper eth0
   qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 0
    Sent 1858 bytes 9 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0 
   qdisc sfq 40: parent 1:40 limit 127p quantum 1526b depth 127 divisor 1024 perturb 10sec 
    Sent 1858 bytes 9 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0 
   qdisc sfq 10: parent 1:10 limit 127p quantum 1526b depth 127 divisor 1024 perturb 10sec 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0 
   qdisc sfq 20: parent 1:20 limit 127p quantum 1526b depth 127 divisor 1024 perturb 10sec 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0 
   qdisc sfq 30: parent 1:30 limit 127p quantum 1526b depth 127 divisor 1024 perturb 10sec 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0 
   qdisc ingress ffff: parent ffff:fff1 ---------------- 
    Sent 768 bytes 12 pkt (dropped 0, overlimits 0 requeues 0) 
    backlog 0b 0p requeues 0 
   class htb 1:1 root rate 370000bit ceil 370000bit burst 10Kb cburst 1599b 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    rate 0bit 0pps backlog 0b 0p requeues 0 
    lended: 0 borrowed: 0 giants: 0
    tokens: 3459453 ctokens: 540531
   class htb 1:10 parent 1:1 leaf 10: prio 1 rate 370000bit ceil 370000bit burst 1599b cburst 1599b 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    rate 0bit 0pps backlog 0b 0p requeues 0 
    lended: 0 borrowed: 0 giants: 0
    tokens: 540531 ctokens: 540531
   class htb 1:20 parent 1:1 leaf 20: prio 2 rate 246000bit ceil 246000bit burst 1599b cburst 1599b 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    rate 0bit 0pps backlog 0b 0p requeues 0 
    lended: 0 borrowed: 0 giants: 0
    tokens: 813000 ctokens: 813000
   class htb 1:30 parent 1:1 leaf 30: prio 3 rate 74000bit ceil 74000bit burst 1599b cburst 1599b 
    Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
    rate 0bit 0pps backlog 0b 0p requeues 0 
    lended: 0 borrowed: 0 giants: 0
    tokens: 2702687 ctokens: 2702687
   class htb 1:40 root leaf 40: prio 0 rate 100000Kbit ceil 100000Kbit burst 512Kb cburst 1600b 
    Sent 3486 bytes 15 pkt (dropped 0, overlimits 0 requeues 0) 
    rate 0bit 0pps backlog 0b 0p requeues 0 
    lended: 15 borrowed: 0 giants: 0
    tokens: 654609 ctokens: 1250
   

Your outbound network traffic is now being shaped by your Pi, and your inbound traffic is being throttled slightly to ensure that the Pi, and not your original routing box, has control of traffic.

To disable shaping, just run sudo ./wondershaper eth0 clear. You can change the uplink and downlink rates without clearing first, but it doesn't hurt.

Update: You also need to disable the transmission of ICMP redirects, since we need all traffic to go through the Pi for shaping to happen. It turns out that the Linux kernel is smart enough to figure out that the clients on your home network could talk directly to the ADSL box, rather than bounce traffic through the Pi, and it tells them this at every opportunity. The clients then send their traffic directly to your ADSL box, and the Pi doesn't get a chance to shape it. Disable it on the fly like so (lost when you next reboot):

echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/send_redirects

Update the following to set this during boot: /etc/sysctl.conf

net/ipv4/conf/eth0/send_redirects = 0

(Thanks to https://unix.stackexchange.com/a/58081/22537 for this tip)

You may also be interested in my personal notes on configuring a Linux gateway: http://www.robmeerman.co.uk/unix/gateway

• how do you set the wifi network name and password that other devices can connect to?

  fommil

  – fommil

  2013年09月02日 11:35:10 +00:00

  Commented Sep 2, 2013 at 11:35
• A great guide. I do have a question about your wondershaper suggestion, though: is the limit per-client or overall?

  Bob

  – Bob

  2013年09月06日 11:15:22 +00:00

  Commented Sep 6, 2013 at 11:15
• @fommil: My guide above assumes you still use the modem/router/WiFi-access-point that your ISP gave you, but that you configure it such that all clients which connect are told "Send traffic to the Pi". This is usually done by entering your Pi's (static!) IP address into the DHCP settings of your ISP box. Typically in a field called "Gateway", "Default Gateway", or perhaps "Default route".

  RobM

  – RobM

  2013年10月13日 12:15:52 +00:00

  Commented Oct 13, 2013 at 12:15
• @Bob: The numbers you enter are the total for your internet link. The wondershaper script than attempts to fair-share this to all your clients based on demand. So if only one client is using the internet, it should get 100% of it. If another client starts up they will, after a bit of "settling time" (~10 seconds) end up using 50% each, and so on.

  RobM

  – RobM

  2013年10月13日 12:17:32 +00:00

  Commented Oct 13, 2013 at 12:17
• Perfect. Just a note to @fommil, none of my routers (and I assume many more are the same) provide an easy way to set the gateway assigned via DHCP. I ended up turning off DHCP on the router and setting up a DHCP server on the Pi - it's a fairly simple process (search for a guide if you want to).

  Bob

  – Bob

  2013年10月13日 12:27:52 +00:00

  Commented Oct 13, 2013 at 12:27

Having a little network background, the first thing that comes to mind is use it as a Snort box, and then you don't have to worry about only having one interface. You would setup your switch/router to forward all traffic to the Pi, but also pass it onto the end device. This is known as a switchport monitor, but your device may not support it. You may need a managed switch to do this. Snort would then analyze the traffic and report on it. More information on Snort http://www.snort.org/

The nice thing about this kind of setup is your Pi is sitting off to the side watching everything that is being run through the switch, rather than sitting inline with the data. If you have a software glitch this way, traffic can still flow, just not be monitored. With what you are describing with two interfaces, your program crashes, your network crashes.

This does not use the pi as a router, but does allow you to monitor and report on traffic that is moving across your network.

I have used the Raspberry Pi for routing, and it worked well. As you say, you need at least one more network interface, as the Raspberry Pi has only one Ethernet port. You can add another interface connected to the USB port. I have used a GSM modem and a Wi-Fi stick.

Things to note:

• Use a powered USB hub. Wi-Fi and GSM devices demand more power than what the Raspberry Pi's USB ports can supply.
• If you shop for Wi-Fi devices, get one with good Linux support. You want one that works in access point mode, and not all sticks do. Check at linuxwireless.org.

Here is my blog post about routing, and another about setting up a Wi-Fi access point. This guide helped me with the routing setup. The routing stuff is not very specific to the Raspberry Pi; anything that works on Linux in general should be possible. The details depend a bit on which distribution you use.

I have been using the Raspberry Pi as a router for about a month now, without any problems. I have an actual commercial Wi-Fi Access Port, not a home Wi-Fi router, so I used that. I also have a USB-to-Ethernet converter that was "borrowed" from the Wii. That goes to the home LAN, and the Raspberry Pi's built-in Ethernet goes to the WAN/Internet.

Go get a copy of IPFire for the Raspberry Pi. You want the ARM version, without a serial console and the latest stable version. Click on the ARM tab. Download the "Image for the armv5tel architecture".

Boot off of it. Hook up a HDMI TV and keyboard. Answer the first few questions. The rest of the configuration can be done from a browser on the home network, so you won't need the TV or keyboard after that.

It was not too hard, and worked like a champ! Here are the formal instructions: https://wiki.ipfire.org/hardware/arm/rpi/threeplus

One last thing. If you are going to use a USB-powered Wi-Fi dongle, check your Raspberry Pi's power supply. A 700 mA USB power supply may be enough to power the Raspberry Pi, but it doesn't leave much to power the Wi-Fi. Either use a powered USB hub, or power the Raspberry Pi with a 1 to 2 A USB power supply.
Good Luck!

(This addendum follows my previous answer, which was a guide on how to configure your Pi as your LAN's internet gateway)

Not content with monitoring my overall internet usage, I've written a tool that monitors the internet usage of each device on my LAN. This allows me to see the instantaneous usage in a console window, and to generate charts of historical usage so I can see what happened overnight.

Rhodes, a tool for monitoring real-time and historical network usage of LAN devices (based on MAC address): https://github.com/meermanr/adsl/tree/master/rhodes

Sample of console output:

193 kiB/s TX 17 kiB/s RX 0004edbf98c0 home.gateway (Billion Electric Co.)
 0 kiB/s TX 0 kiB/s RX 2002af18dc15 Samsung Galaxy Tab 10.1, Vicky
 0 kiB/s TX 0 kiB/s RX 34af2c01197b Nintendo 3DS:XL, Robert
 0 kiB/s TX 0 kiB/s RX 34af2c3af204 Nintendo 3DS:XL, Vicky
 0 kiB/s TX 0 kiB/s RX 34af2c9cfffd Nintendo WiiU
 0 kiB/s TX 0 kiB/s RX 6045bd9c9dbc Xbox360 Slim
 0 kiB/s TX 0 kiB/s RX 745e1c56c297 Pioneer SX-LX57
 13 kiB/s TX 109 kiB/s RX 7831c1be0c34 Az Pro (Macbook Pro)
 0 kiB/s TX 0 kiB/s RX 80ea96e6214e Roberts-AirPort-Time-Capsule
 0 kiB/s TX 0 kiB/s RX 88308a770370 Samsung Galaxy S3, Vicky
189 kiB/s TX 211 kiB/s RX b827eb8fc0f3 Flux (Raspberry Pi)
 2 kiB/s TX 39 kiB/s RX b8e8563acb34 Macbook Pro, Vicky
 0 kiB/s TX 0 kiB/s RX d022be2c26ef Samsung Galaxy Note 3, Rob
 0 kiB/s TX 0 kiB/s RX f82fa89368ea

The first column shows how much devices are transmitting, which usually means uploading to the internet. The exception to this it the ADSL router itself (home.gateway in the sample above) which transmits data received from the ISP the device which requested it (i.e. downloads). Of course it also transmits uploads to the internet, but it does that using its ADSL modem, which is not on the LAN and so not visible to this tool.

The other exception would be the Raspberry Pi ("Flux" in the above) itself, which of course transmits all the data it manages, in both directions.

But apart from those exceptions, the TX (transmit) numbers refer to upload, and the RX (receive) numbers to download. The third column is the device's MAC address (without the usual ":" or "-" separators). The forth column shows the human-readable name of the device, if it is known.

Charts are generated by running ./index.py, which is intended to be called from a web server like lighttpd (with index.py added to the index-file.names configuration setting in /etc/lighttpd/lighttpd.conf). You can just run it manually, and it will generate some images and print HTML to STDOUT. So you would want to redirect that to a file which you can open in a browser:

./index.py > index.html

Then open index.html in your preferred browser.

Installation requirements (all can be installed with apt-get install):

• tcpdump - Command line tools for capturing and describing network traffic
• rrdtool - Round Robin Database tool, records and charts time-series data
• rrdcached - Round Robin Database Caching Daemon, service which reduces overheads when working concurrently with multiple RRD files.

• pypy-upstream (a fast implementation of the Python programming language)

  • You can use the stock Python is you like: python rhodes.py (pypy is an alternative implementation of the Python programming language which does Just-In-Time (JIT) Compilation, so long-running scripts will use less CPU cycles at the cost of more memory)

Usage note: The 'tcpdump' tool used by this script requires root privileges to access raw network traffic. This is achieved by launching sudo tcpdump when the script starts, so you may be prompted to enter your password. Personally, I've added a NOPASSWD rule to /etc/sudoers so I am never prompted.

• usb
• security
• ethernet