ljones0

Best device for an "internet ethernet condom"


And no, that isn't supposed to be a rude title :-) !

 

Let me try to explain. What I'm trying to do is to have some sort of device run pi-hole. I have tried this in the past with success, but when I last tried it I was using a raspberry pi zero and a usb wifi adapter - so it really only worked for one PC. What I'm now trying to do is to try to do the same for my entire home network. My guess is that I need some sort of small computer to put in front of the first device the internet touches (a router). So if I put a small arm based computer just before the router running pi-hole, that (in theory) should mean all the devices after the pi-hole get the black-hole ad blocking from the pi-hole.

 

Snag is though I'm at a bit of a loss as to which device I should buy. Clearly a raspberry pi zero isn't going to be anywhere near what is needed (plus I'm hoping *not* to have wifi on such a device for security reasons). I've also read that if you try to use USB (I'd need one usb ethernet adapter) and ethernet on the bigger raspberry pis - since they are both being done from the same chip the result is that they both get slowed down badly. My guess as to what I need is something with no wifi and two gigabit ethernet ports - one port connects to the internet itself, the other to the router and that can run armbian, and thus pi-hole (it also appears that pi-hole should work from any device running debian, not just a raspberry pi!).

 

I've seen one such device which might do the job - the clearfog base, and fortunately it appears to be supported by armbian as well. Only snag is that as I look through the forums it appears to have some nasty eMMC issues which look like they could cause trouble. Or another idea - use an odroid MC1 solo, although it does have gigabit ethernet the second ethernet port would have to be via USB, and from what I can gather usb 2.0 ethernet devices aren't particularly stable or very fast.

 

One other option is to repurpose an old thin client and use that, but then that probably will also only have single ethernet (and probably not gigabit either), plus although such a thing uses less power than a full x86 desktop, it still uses a lot of power compared to a small arm based computer. And where possible I want to save power and try not to have another "gas-guzzler" x86 device running.

 

Has anyone tried such a thing before at all?

 

ljones


Isn't a pi-hole just a DNS server? You don't need multiple interfaces for that, nor do you need gigabit speeds to serve a local network.

All you'd need to do would be update the DHCP settings in your router to set the DNS server to that of the pi-hole. 

 

9 hours ago, ljones0 said:

Let me try to explain. What I'm trying to do is to have some sort of device run pi-hole. I have tried this in the past with success but when I last tried it I was using a raspberry pi zero and a usb wifi adapter

 

PiHole works fine with most boards that are equivalent to a RPi2 for most home networks when wired up...

 

NanoPI NEO would probably be perfect for this application with current Armbian...


I think you have two different technologies confused.  

 

Pi-Hole works by acting as a DNS server, and simply redirecting any DNS requests for sites on its blocking lists with blank/null/innocuous content.

This can be located anywhere inside your network that is reachable by your other devices, and, as it only handles the DNS requests, does not require a lot of processing or network capacity.  I'd recommend a wired device, but yes, a pi zero with an ethernet dongle would handle the traffic for an average home network admirably.  Something with built-in ethernet would obviously be better from a reliability standpoint (eg. nanoPi neo, orangePi zero, etc)

 

What I think you're looking for is more than ad-blocking, but an actual stateful firewall with packet inspection.  For that you'd need to go with beefier hardware.  Personally, I'm still waiting on a pfSense release for the espressobin for that, but what kind of hardware specs you need will depend on your network throughput and traffic.
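How the DNS-level blocking described in the post above looks on the wire, as an added example that is not part of the original post and not Pi-hole's own code: a query for a blocklisted name is answered locally with the null address, and any other query is handed back for forwarding upstream. The blocklist entries, the function names and the exact-match lookup are assumptions of this sketch.

```python
import struct

# Constructed sample blocklist; the names are placeholders for this example.
BLOCKLIST = {"ads.example.com", "tracker.example.net"}
NULL_RDATA = {1: bytes(4), 28: bytes(16)}  # A -> 0.0.0.0, AAAA -> ::


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RD set) so the example has input to work on."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (qname, qtype, end_offset) of the single question in a query."""
    if len(packet) < 12 or packet[4:6] != b"\x00\x01":
        raise ValueError("expected a DNS query with exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length > 63:  # compression pointers are not expected in a question
            raise ValueError("bad label length")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5


def sinkhole_response(query, blocklist=BLOCKLIST):
    """Reply locally for blocked names; return None to forward upstream."""
    qname, qtype, end = parse_question(query)
    if qname not in blocklist:
        return None
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100
    flags = 0x8000 | rd | 0x0080  # QR=1, RD copied, RA=1, RCODE=NOERROR
    rdata = NULL_RDATA.get(qtype)  # other record types get an empty reply
    answer = b""
    if rdata is not None:
        # 0xC00C points back at the question name; TTL is 2 seconds
        answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 2, len(rdata)) + rdata
    ancount = 1 if answer else 0
    header = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    return header + query[12:end] + answer


if __name__ == "__main__":
    print(sinkhole_response(build_query("ads.example.com")).hex())
```

Each lookup is one small packet in and one out, which is why the replies above say the job needs little CPU or bandwidth.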

 


Interesting answers, mind you if I could use a pi zero or a pi 2 or 3 but wired I would. Did not realise that pizero was just a DNS server, I was thinking pretty much maybe even for something along those lines high speed would be needed. A firewall with packet inspection sounds like an even better (I'm guessing here) idea, although I have no idea on even how to try that or set one up!

 

ljones


I have an OrangePi zero as DNS server utilizing Pihole and Armbian (Dietpi earlier, until they dropped their support for OrangePi boards) as base for almost two years now and running great. Also this board is dirt cheap and way enough for this application.

The WiFi on board is crappy but as long as you wire it with copper it runs fine.

13 hours ago, devman said:

Personally, I'm still waiting on a pfSense release for the espressobin for that, but what kind of hardware specs you need will depend on your network throughput and traffic.

 

Here you go...

 

https://store.netgate.com/pfSense/SG-1100.aspx

 

It's the EspressoBin as a custom build - has a pfSense/Netgate TPM from Microchip...

 

https://www.netgate.com/blog/netgates-new-sg-1100-punches-way-above-its-weight.html

 

Not sure if running pfSense on eBin is blocked, but something tells me it's fairly likely....

1 hour ago, sfx2000 said:

 

Here you go...

 

https://store.netgate.com/pfSense/SG-1100.aspx

 

It's the EspressoBin as a custom build - has a pfSense/Netgate TPM from Microchip...

 

https://www.netgate.com/blog/netgates-new-sg-1100-punches-way-above-its-weight.html

 

Not sure if running pfSense on eBin is blocked, but something tells me it's fairly likely....

Thanks, I didn't realize it had finally come available.  Looks like it's not an option, as it's for a v7 board w/emmc, and the image isn't available without buying their hardware package.

 

I do wish pfSense had said upfront that it would not be available without the hardware. There's literally no reason for them to have stated that they were working on a port and try to appropriate the espressobin userbase when it would be only sold as yet another proprietary box.  I feel a bit shafted when he did say things like:


 

Quote

This said, I’d like to reassure you we have no plan to shut down the pfSense project. I’ve dropped a lot of hints that our development on ARM platforms is continuing, and that support for 64-bit ARM, in the form of support for the espresso.bin community board, a $49 router with 3 gigabit Ethernet ports, crypto offload, on-board storage and more, will soon appear as an official pfSense software platform that you do not have to purchase from us as an appliance.

 


Pi-hole install...default gateway/router change the DHCP to point to the pi-hole inside your network (better yet...setup your pi-hole as your internal network DHCP server, tell it to point all DHCP clients to default gateway, let it assign the IPs [you can even set "STATIC" leases with MAC addresses of hardware])

I set mine up on an old busted screen dual core laptop (that also runs my 3D printer), but it will function just fine on a RPI or Orange Pi...it really doesn't have tons of overhead.

Make your default gateway (if it can) force all port 53 (DNS) requests to your pi-hole LAN IP

 

I just wish PFsense worked on ARM..would put it on a OPi R1, two 100mb ethernet...how many people have over 100mb connections outside their LAN.
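Before forcing port 53 at the gateway as the post above suggests, it helps to know which devices already ignore the DHCP-supplied resolver. This added example (not part of the original post) scans gateway firewall log lines for LAN clients that send DNS straight to outside resolvers; the log lines are constructed in the layout of the Linux netfilter LOG target, and the Pi-hole address 192.168.1.2 and the existence of a logging rule on the gateway are assumptions.

```python
import re
from collections import defaultdict

PIHOLE = "192.168.1.2"  # assumed LAN address of the Pi-hole

# Constructed sample lines in the layout the netfilter LOG target writes
# for forwarded packets (a logging rule on the gateway is assumed).
SAMPLE_LOG = """\
Jan 15 10:00:01 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 TTL=63 PROTO=UDP SPT=40112 DPT=53 LEN=40
Jan 15 10:00:02 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.2 DST=9.9.9.9 LEN=60 TTL=63 PROTO=UDP SPT=51000 DPT=53 LEN=40
Jan 15 10:00:03 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.7 LEN=52 TTL=63 PROTO=TCP SPT=50222 DPT=443
Jan 15 10:00:04 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=1.1.1.1 LEN=60 TTL=63 PROTO=TCP SPT=40200 DPT=53
Jan 15 10:00:05 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.51 DST=8.8.8.8 LEN=60 TTL=63 PROTO=UDP SPT=33001 DPT=53 LEN=40
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def dns_bypassers(log_text, pihole=PIHOLE):
    """Map each client to the outside resolvers it queried directly."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("DPT") != "53" or fields.get("PROTO") not in ("UDP", "TCP"):
            continue
        src, dst = fields.get("SRC"), fields.get("DST")
        if not src or not dst:
            continue
        # The Pi-hole's own upstream lookups are expected, not a bypass.
        if src == pihole or dst == pihole:
            continue
        found[src].add(dst)
    return {client: sorted(servers) for client, servers in found.items()}


if __name__ == "__main__":
    for client, servers in dns_bypassers(SAMPLE_LOG).items():
        print(f"{client} bypasses the Pi-hole via {', '.join(servers)}")
```

Clients that show up here have a resolver configured or hard-coded, so changing the DHCP setting alone will not bring them behind the Pi-hole.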

 

 

Share on other sites
49 minutes ago, WarHawk_AVG said:

I just wish PFsense worked on ARM..would put it on a OPi R1, two 100mb ethernet...how many people have over 100mb connections outside their LAN.

 

 

PFsense does, just not the community version.

 

I guess I'll give up and do it the hard way.  Armbian + iptables

 

@sfx2000 Thanks for the tip.

14 hours ago, devman said:

PFsense does, just not the community version.

 

I guess I'll give up and do it the hard way.  Armbian + iptables

 

Well - there's always OpenWRT, and the eBin is growing support there - and for a router oriented build - it's a good place to start

 

Alternately - here's a blog/build using Arch with the eBin -- should be similar with Armbian...

 

https://blog.tjll.net/building-my-perfect-router/

 

Netgate is going to do what they're going to do -- keep in mind that they did independently fund armv7a development for FreeBSD as part of pfSense support for the SG-1000 on Ti Sitara, and did a lot of work on mvebu for their coldfog based SG-3100 on Armada - so to protect their investment in freebsd, I kind of understand it...

 

(and then there's the whole political mess with pfSense, OpnSense, and Monowall - a lot of butt hurts, bad feelings, big egos, etc... so I can see why pfSense/Netgate did what they did... I try to stay out of it, just looking in from the outside)

On 1/14/2019 at 12:03 PM, Werner said:

The WiFi on board is crappy but as long as you wire it with copper it runs fine.

 

If one is running a DNS server for the LAN/WLAN - probably better to keep it on the wire :)

On 1/15/2019 at 4:31 PM, sfx2000 said:

 

If one is running a DNS server for the LAN/WLAN - probably better to keep it on the wire :)

Most definitely...trying to do it over wifi could cause some REALLY bad lag

