Explain Firewall PCs like I'm very inebriated please

Having got my Raspberry Pi for Christmas, I was finally able to enter the world of home labs and I'm slowly getting everything up and running.

That said, one thing I was super excited about but hasn't come to fruition was Pi-Hole. That's for two reasons, one my Pi isn't hardwired into the router and two my router kinda sucks (Virgin Media Hub 5).

So I came here to ask for recommendations for a router. One that would allow me to run vLANs and use my Pi for adblocking. Honestly the advice I got was like fire and I was like water.

I wanted a simple cheap solution and everyone was like just spend 🥺

Eventually though, my ignorance waned and I started looking into what the suggestions were, which was essentially buy an N100 Firewall Mini PC with 4 Ethernet Ports, load up pfSense or OpenWRT, then buy an Access Point, connect it and profit.

So with my dreams of a £50 plug and play experience down the drain, can someone explain to me how it all works? Why is this the suggestion? My Pi is kinda set and leave. My NAS is set and leave, will a firewall PC be the same? Also why a firewall PC over a second Pi?

AbidingOhmsLaw ,

I run a Unifi USG-1 router/gateway now but before that I got a used AC1000 router from the thrift store for $5 and loaded OpenWRT on that. I eventually got an Arris modem to replace the Comcrap Gateway because it was messing with the DNS traffic, even when piHole was set as DNS for every machine. So if I were you I would go look at the OpenWRT list of units that will accept their firmware. Pay attention to the hardware revision as well as the model number, it matters.

https://openwrt.org/toh/views/toh_fwdownload

Then head over to a local thrift store or two and see if you can find any for cheap.

sabreW4K3 OP ,

I've been looking at a bunch of different SBCs that can run OpenWRT because I really want that minimal power draw, but there's so many more that are x86

its_me_gb ,

The biggest issue you're going to have is that the Virgin hubs don't allow you to change the DNS server that they hand out via DHCP.

By default, Virgin hubs are in 'Router mode', this means that they use DHCP to hand out IP addresses, a default gateway address (the hub's own IP address), and DNS server addresses. Typically the DNS server will be the Hub itself and any request sent to the hub will then be forwarded on to the DNS servers that the hub had defined for forward lookup.

Virgin have decided that they know best and don't allow you to change the DNS servers that they forward your requests to, so you can't modify the router to point to your PiHole.

There are a couple of options here (and forgive me, I'm doing this from memory as I no longer use virgin):

  1. Disable DHCP (IP address management) on the Virgin hub and enable it on the PiHole, if possible. You can then configure the PiHole to hand out the IP addresses for the network, including the PiHole address as the DNS servers (and the Virgin hub as the gateway).

  2. Put the Virgin Hub into 'modem mode'. This requires you to buy an additional router that will allow you to change the DNS servers to point to your PiHole. Putting the Virgin hub in modem mode basically disables all Router functionality and tells it to only terminate the network connection of the Virgin connection, you then connect your new router to the hub (and only your new router) to perform all of the functions required to handle your network. You'll also need to disable WiFi on the Virgin hub (but I think it may do that automatically in modem mode).

In my opinion, if you can use the method in point 1, that'll be your easiest and cheapest option, if not, you're going to have to get a new router.

When I had Virgin (many, many years ago) I went down route 2, but mainly because I wanted more control over my network than Virgin would allow me with their shitty Virgin hubs.
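
The DHCP hand-out described in the post above, as an added example that is not part of the original thread: it parses the options field of a DHCP offer and reports which gateway and DNS servers clients are told to use. The addresses (hub at 192.168.0.1, Pi-hole at 192.168.0.2), the sample offers and the function names are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # starts the options field of every DHCP message
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_END = 0, 3, 6, 255  # RFC 2132 option codes

def parse_dhcp_options(field: bytes) -> dict:
    """Walk the code/length/value options of a DHCP message into {code: bytes}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field) and field[i] != OPT_END:
        code = field[i]
        if code == OPT_PAD:  # padding is a lone byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options

def ipv4_list(raw: bytes) -> list:
    """Options 3 and 6 carry one or more packed 4-byte IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def audit_offer(field: bytes, pihole_ip: str) -> dict:
    """Report the gateway and DNS servers a lease hands out."""
    opts = parse_dhcp_options(field)
    dns = ipv4_list(opts.get(OPT_DNS, b""))
    return {"routers": ipv4_list(opts.get(OPT_ROUTER, b"")), "dns": dns,
            # any second resolver lets clients bypass the filter
            "only_pihole": bool(dns) and all(d == pihole_ip for d in dns)}

def sample_offer(router: str, dns_servers: list) -> bytes:
    """Constructed options field: message type OFFER, router, DNS, end."""
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    return (MAGIC_COOKIE + bytes([53, 1, 2, OPT_ROUTER, 4])
            + ipaddress.IPv4Address(router).packed
            + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))

# Constructed addresses: hub at 192.168.0.1, Pi-hole at 192.168.0.2.
HUB_OFFER = sample_offer("192.168.0.1", ["192.168.0.1"])     # hub in router mode
PIHOLE_OFFER = sample_offer("192.168.0.1", ["192.168.0.2"])  # option 1 from the post
```

Calling `audit_offer(HUB_OFFER, "192.168.0.2")` shows the hub naming itself as resolver, while `PIHOLE_OFFER` keeps the hub as gateway but hands out only the Pi-hole for DNS.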

sabreW4K3 OP ,

You don't know how much I've treasured this post and I couldn't reply as I had it sitting in my inbox so I could find it easily. But thank you so much. I'm trying to go route two so I can run my IOT stuff on a VLAN.

its_me_gb ,

I'm glad it helped! As I said, it was all from memory and was a good few years ago, so hopefully it all still applies!

The_Shwa ,

I don't know much about your router/AP, but from some light googling the Virgin Media Hub 5 has 2.5gb/s ethernet and wifi 6 which should be fairly decent. I agree with what most comments are saying about connecting the pi using ethernet ("hardwiring" it) and setting a static IP. The raspberry pi image flasher even has an option for that in the advanced settings if I'm not mistaken. If you're worried about not being able to plug a keyboard/mouse and monitor to the pi look at ssh. If you aren't comfortable with command line/terminal I can't say I'd recommend setting up your own router/firewall.

If you don't have any ethernet ports available on your router then looking at a good switch for 2.5 gbps might be a better bet, I always prefer physical connections to wifi.

If you do want to jump down the rabbit hole of pfsense/opnsense/openwrt then hit eBay and look for a cheap workstation and an Intel NIC, that will get you started messing about with it. Be sure to do research about power consumption of the device you're getting, the raspberry pis sip power but beefier machines will suck some power and might show up on your electricity bill.

I use opnsense, the forums are a good place to look at hardware that you might want to gravitate towards, Intel NICs have been my best bet but there are plenty of resources to tell you what is compatible and what isn't with openbsd.

sabreW4K3 OP ,

OPNSense seems to be where everyone ends up eventually. Which surprises me given that it's so overwhelmingly x86 and as you say, the power consumption can be like glugging.

CosmicApe ,

Connect the pi to your router via ethernet, give the pi a static IP, point your router DNS to the IP of the pi. That's pretty much all you need to do aside from actually setting up pi-hole

Edgarallenpwn ,

If you can find a cheap off lease/used enterprise workstation and get a decent NIC that could take your budget down for a router. I was running an optiplex 9010 with an i340-T4 as my opnsense box for years and that was ~75 USD in 2020.

Edit: I ended up picking this little box a year ago for 60 bucks and love it. Way less awkward in the living room than a sff PC as a router.

sabreW4K3 OP ,

That for 60 quid is awesome. Is it quiet?

Edgarallenpwn ,

Yeah I haven't noticed any noise. It's fanless and the whole outer case is the heatsink. It is pretty heavy for its size though

pineapplelover ,

Install debian server, open ssh, docker, adguard home (I find this UI easier to use but if you wanna go with pihole go ahead)

sabreW4K3 OP ,

Why Debian Server over Raspberry Pi OS?

AlternateRoute ,

Simple answer would be to attach the pi to the router via the router Ethernet port on the LAN side and learn how DHCP and DNS work.

Pi-hole is primarily a forwarding DNS server that filters DNS requests
