Raspberry Pi Router
Keeping my ASUS router up to date was becoming a pain. Sometimes the updates failed, and every few weeks it would freeze up returning DHCP requests and require a restart.
I'd previously improved my home network by using powerline and WIFI access points which took some of the burden away from the router itself. I'd also read that many routers aren't very powerful when it comes to the CPU and RAM they have available to them. So thought why not replace my current router with something like a Raspberry Pi?
To successfully achieve this I'd have to break down the functions of a typical "home router". Looking into it they usually handle the following:
- Firewall / Routing
- WIFI access point
- DHCP server
- DNS server
- Some web interface to interact with
- Sometimes an SMB server
My powerline network mentioned previously already handles the switch and WIFI access point side of things, and I can reliably get 1Gbps via that, so the router itself just has to handle internet specific traffic, firewall, and issue DHCP leases.
Hardware wise I opted to use a Pi 4 (4gb model) as I had one lying around. The other benefits are it has proper network bandwidth (1Gbps), and would have plenty of CPU and RAM to do the job. Additionally all I needed was one interface to my home LAN, and another to the internet. This could be achieved using the onboard ethernet of the Pi (going to the LAN), and a USB3 to ethernet adaptor (going to the internet).
Software wise I thought about using OpenWRT, which is a Linux distro specific for custom home routers, but I wasn't that familiar with it. Other options in the space are pfSense and OPNsense, though I wasn't 100% sure as to arm64 Raspberry Pi support, plus never really used Unix other than a vague representation via MacOS.
Being a pretty important part of my network I thought I'd stick to what I know, Ubuntu.
This gave the following benefits over a traditional home router.
- Raspberry Pi is an officially supported platform on Ubuntu.
- Ubuntu's LTS release maintains security patches for ~5 years, 20.04 LTS has support up to 2025.
- Uses a modern Linux kernel 5.4+, again with patches going into the future.
- Being the gateway into my house, having reliable patches and security updates is pretty important.
To reduce the attack surface as much as possible I've avoided a web interface, making the only "official" way in to configure things, via key based SSH from within my home LAN.
Firewall wise I've stuck with UFW, it's built into Ubuntu and uses iptables / netfilter under the hood. This also handles routing rules for passing and dropping traffic across the two network interfaces.
For DHCP I've stuck with the recommendation from the Ubuntu server guide and use isc-dhcp-server. DNS wise i've avoided a server for now by setting the default DNS issued to Cloudflare's public resolver 220.127.116.11 & 18.104.22.168.
Luckily with Ubuntu keeping things up to date is pretty easy. It has automatic updates via
unattended-upgrades which can be configured to check and install security updates on a daily basis. If those updates require a reboot this can also be done automatically and configured to happen at a more convenient time. I chose 4am which shouldn't effect normal internet usage.
Another thing that would be nice is Canonical Livepatch, which can update the Linux kernel without restarting, however Livepatch doesn't support the Pi's arm64 architecture so kernel switching would instead happen during an automatic reboot.
I've tried to keep the setup to a minimum, Ubuntu Server, no desktop, only running software that's strictly needed to do the job and nothing more. When possible I've opted for built in software to avoid bloat and help keep the attack surface small.
The Pi sits at around 0.05 / 4 CPU usage (quad core), with memory at around 210MB / 4GB so plenty of head room.
Thermals are generally good sitting around 40-42C.
It has no trouble handling my traffic which is the typical browsing, gaming, Youtube and Netflix.
Right now its just running on an SD card, which isn't ideal. It's a 32GB card, so capacity isn't a problem, and speed wise isn't a problem either, but constantly writing logs could potentially cause it to fail.
Ideally I'd have it boot and write to a USB3 powered SSD.
Having the router run its own DNS server would speed up DNS requests via caching. Ping times to Cloudflare are ~15ms where as ping times to my router are consistently 3ms.
I also want to setup WireGuard VPN to allow me to tunnel home from anywhere. This is currently provided by another machine on my network, but the Pi Router seems to have plenty of headroom to spare.