Isolated Guest Network with a Raspberry Pi

Recently I was unsatisfied with the possibilities my FritzBox router gave me concerning the guest network. At first glance, all was fine: the box allowed me to set one port as “guest network”, isolated from the rest of my LAN. But then I wanted to use a Pi-Hole as DNS server for the guests. Combining the two proved difficult, and the result was relatively slow. So I got a Raspberry Pi 4 Model B with the minimum RAM configuration of 2 GB to manage my guest network. It is rather cheap, but you can do a lot of things with it.

The RasPi comes with built-in Wi-Fi, but I wanted to use the VLAN-capable access point infrastructure I already had in place, so I also bought a USB network card to give the RasPi a second Ethernet port. Using a spare SD card I had lying around, I set it up with a fixed IP address in my LAN, connected the external network card to the VLAN that was to become the guest network and configured that interface with a fixed IP address as well.

For the following examples, 192.168.5.0/24 is my internal network (192.168.5.1 being the internet router and 192.168.5.9 the Pi-Hole DNS server) and 192.168.99.0/24 is the guest network. The new RasPi has this /etc/network/interfaces configuration (if you enabled “predictable network interface names” in raspi-config, the USB adapter will not be called eth1; use its actual name here and in the dnsmasq and iptables configuration below):

allow-hotplug eth0
allow-hotplug eth1

iface eth0 inet static
     address 192.168.5.10/24
     gateway 192.168.5.1

iface eth1 inet static
     address 192.168.99.1/24

It was enjoyably easy to convert the RasPi to a guest network router which also manages DNS and DHCP for the guest devices!

  1. Install dnsmasq and replace /etc/dnsmasq.conf with this simple configuration (move the packaged example out of the way, but keep it for reference). Note that dnsmasq listens on every interface unless told otherwise, so as written it also answers DNS queries arriving on eth0; the dhcp-range line, by contrast, already limits DHCP to eth1. If only the guest side should be served, restrict it with dnsmasq's interface= option:
    # DNS: ignore /etc/resolv.conf and forward every query to the Pi-Hole via eth0
    no-resolv
    server=192.168.5.9@eth0
    # DHCP: leases for guests on eth1, pointing them at this RasPi for DNS and routing
    dhcp-range=eth1,192.168.99.100,192.168.99.199,3h
    dhcp-option=option:dns-server,192.168.99.1
    dhcp-option=option:router,192.168.99.1
  2. To let the RasPi forward traffic between its two interfaces, create /etc/sysctl.d/10-ip-forwarding.conf with this single line (it takes effect at the next boot, or immediately after sudo sysctl --system):
    net.ipv4.ip_forward = 1
  3. Install the packages netfilter-persistent and iptables-persistent using apt. While we're at it, we can also uninstall dhcpcd5: it would otherwise try to configure the interfaces itself, and we already have an explicit configuration for them (see above).
  4. Configure routing (and the isolation that makes this a guest network!) and persist the rules. The first rule drops anything a guest sends towards 192.168.0.0/16, which covers the whole home LAN; the second forwards everything else, i.e. guest traffic to the internet; the third masquerades forwarded traffic behind the RasPi's own address, so the FritzBox needs no route to 192.168.99.0/24. Keep two things in mind: the DROP rule only applies to forwarded packets, so it does not stop guests from talking to the RasPi itself (SSH on 192.168.99.1, or on 192.168.5.10, goes through the INPUT chain instead), and it only covers 192.168.0.0/16, so a LAN numbered from 10.0.0.0/8 or 172.16.0.0/12 would not be protected. The MASQUERADE rule has no -o eth0 and therefore also rewrites traffic leaving on eth1:
    iptables -t filter -A FORWARD -i eth1 -d 192.168.0.0/16 -j DROP
    iptables -t filter -A FORWARD -j ACCEPT
    iptables -t nat -A POSTROUTING -j MASQUERADE
    netfilter-persistent save
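
The four steps as one script, added here as an example for this page and not the author's own commands, with a tighter ruleset than the three rules above: default-deny forwarding with connection tracking, all three RFC 1918 ranges blocked, the RasPi's own services limited to DHCP, DNS and ping on the guest side, NAT only on the uplink, and dnsmasq listening only on the guest interface. It assumes the interface names and addresses used throughout (eth0 = LAN with the Pi-Hole at 192.168.5.9, eth1 = guest VLAN with the RasPi at 192.168.99.1) and that dnsmasq, iptables-persistent and netfilter-persistent are already installed; the variable names at the top and the file name guest-net.sh are my own choices and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not the commands from the original post): steps 1-4 as one script
# with a stricter ruleset. Assumptions: eth0 faces the LAN (Pi-Hole at 192.168.5.9),
# eth1 faces the guest VLAN (this RasPi at 192.168.99.1/24); dnsmasq,
# iptables-persistent and netfilter-persistent are installed; fresh box with
# empty iptables rules. Usage: sudo sh guest-net.sh apply
# (DRY_RUN=1 prints the dnsmasq config and the commands instead of applying them).
set -eu

LAN_IF=${LAN_IF:-eth0}
GUEST_IF=${GUEST_IF:-eth1}
GUEST_NET=${GUEST_NET:-192.168.99.0/24}
GUEST_IP=${GUEST_IP:-192.168.99.1}
DHCP_RANGE=${DHCP_RANGE:-192.168.99.100,192.168.99.199,3h}
UPSTREAM_DNS=${UPSTREAM_DNS:-192.168.5.9}
DRY_RUN=${DRY_RUN:-0}
# All RFC 1918 ranges, so the guests stay isolated even if the LAN is renumbered
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print a command instead of executing it when DRY_RUN=1
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 1: dnsmasq serves the guest interface only and forwards to the Pi-Hole via eth0
dnsmasq_conf() {
    cat <<EOF
# DNS
interface=$GUEST_IF
bind-dynamic
no-resolv
server=$UPSTREAM_DNS@$LAN_IF
# DHCP
dhcp-range=$GUEST_IF,$DHCP_RANGE
dhcp-option=option:dns-server,$GUEST_IP
dhcp-option=option:router,$GUEST_IP
EOF
}

# Steps 2 and 4: forwarding plus a stateful, default-deny ruleset
firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t filter -F FORWARD
    run iptables -t filter -F INPUT
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP
    # Return traffic of connections a guest already opened
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Guest -> any private range is dropped before the generic allow below
    for net in $PRIVATE_NETS; do
        run iptables -A FORWARD -i "$GUEST_IF" -d "$net" -j DROP
    done
    # Guest -> internet via the LAN uplink; nothing else is forwarded (policy DROP)
    run iptables -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j ACCEPT
    # The RasPi itself: guests get DHCP, DNS and ping, nothing else (no SSH from the guest VLAN)
    run iptables -A INPUT -i "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -j DROP
    # NAT only for guest traffic leaving on the uplink, not on every interface
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j MASQUERADE
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        dnsmasq_conf
    else
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/10-ip-forwarding.conf
        dnsmasq_conf > /etc/dnsmasq.conf
    fi
    firewall_rules
    run systemctl restart dnsmasq
    run netfilter-persistent save
}

case "${1:-}" in
    apply) main ;;
esac
```

Run it as sudo sh guest-net.sh apply; DRY_RUN=1 sh guest-net.sh apply prints the dnsmasq configuration and the iptables commands without touching the system. Unlike the original three rules, the DROP policy also stops LAN devices from opening connections to guests (add a FORWARD rule from eth0 to eth1 if you want that), and because the script flushes INPUT and FORWARD it assumes a fresh install with no other rules. bind-dynamic is used rather than bind-interfaces so dnsmasq keeps working when eth1 comes up after it at boot. IPv6 is not forwarded at all, since net.ipv6.conf.all.forwarding stays at its default of 0.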

You're done! Reboot the RasPi and join the guest network with a few devices to test it: each should receive a 192.168.99.x lease with 192.168.99.1 as router and DNS server, resolve names and reach the internet, and fail to reach anything in 192.168.5.0/24 (a ping to 192.168.5.1 or 192.168.5.9 should time out, since the DROP rule silently discards it).