Recently I was unsatisfied with the possibilities my FritzBox router gave me concerning the guest network. At first glance, all was fine – the box allowed me to set one port as “guest network” which was isolated from the rest of my LAN. But then I wanted to set a Pi-Hole as DNS server. It proved difficult to combine both and was relatively slow in the end. So I got a Raspberry Pi 4 Model B with the minimum RAM configuration of 2 GB to manage my guest network. It’s rather cheap, but you can do a lot of things with it.
The RasPi comes with built-in Wi-Fi, but I wanted to use the VLAN-capable access point infrastructure which I already had in place, so I also bought a USB network card to give the RasPi a second Ethernet port. Using a spare SD card I had lying around, I set it up with a fixed IP address in my LAN, connected the external network card to the VLAN which was to become the guest network, and also configured this with a fixed IP address.
For the following examples, 192.168.5.0/24 will be my internal network (with 192.168.5.1 being the internet router and 192.168.5.9 the Pi-Hole DNS server) and 192.168.99.0/24 will be the guest network. The new RasPi has this /etc/network/interfaces configuration (if you enabled “predictable network interface names” in raspi-config, your interface eth1 will be named differently):
iface eth0 inet static
iface eth1 inet static
It was enjoyably easy to convert the RasPi to a guest network router which also manages DNS and DHCP for the guest devices!
- Install dnsmasq and configure it with this simple /etc/dnsmasq.conf file (move the example configuration out of the way, but keep it for reference):
- To enable network traffic forwarding through the RasPi, create a /etc/sysctl.d/10-ip-forwarding.conf with the single line:
net.ipv4.ip_forward = 1
- Install the packages
apt. While we’re at it, we can also uninstall dhcpcd5 because we use an explicit interface configuration (see above).
- Configure network routing (and security!) and persist the rules:
iptables -t filter -A FORWARD -i eth1 -d 192.168.0.0/16 -j DROP
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
You’re done! Reboot the RasPi and use some devices to test the new isolated network.
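The order of the two FORWARD rules above is what provides the isolation. The following Python model is an added example, not part of the original post: it evaluates the rules with first-match semantics against constructed probe packets. It assumes the rules appear as `iptables-save` would list them and that the chain policy is the default ACCEPT; the function names and probe addresses are hypothetical.

```python
import ipaddress
import shlex
# Constructed sample: the post's two FORWARD rules in `iptables-save` format.
PAGE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -j ACCEPT
COMMIT
"""

def parse_forward(save_text):
    """Return the FORWARD rules as (in_iface, dst_net, target), in chain order."""
    rules = []
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", "FORWARD"]:
            opts = dict(zip(tok[2::2], tok[3::2]))  # handles "-flag value" pairs only
            dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"))
            rules.append((opts.get("-i"), dst, opts["-j"]))
    return rules

def verdict(rules, in_iface, dst, policy="ACCEPT"):
    """First matching rule wins; the chain policy applies if nothing matches."""
    addr = ipaddress.ip_address(dst)
    for iface, net, target in rules:
        if iface in (None, in_iface) and addr in net:
            return target
    return policy

def audit(save_text, guest_if="eth1", lan_if="eth0"):
    """Forwarded packets only; traffic addressed to the RasPi itself hits INPUT."""
    rules = parse_forward(save_text)
    return {
        "guest->router": verdict(rules, guest_if, "192.168.5.1"),
        "guest->pihole": verdict(rules, guest_if, "192.168.5.9"),
        "guest->internet": verdict(rules, guest_if, "203.0.113.10"),  # TEST-NET-3
        "lan->guest": verdict(rules, lan_if, "192.168.99.50"),  # constructed host
    }

def swapped(save_text):  # same rules, ACCEPT-all placed before the DROP (wrong order)
    lines = save_text.splitlines()
    i = lines.index("-A FORWARD -j ACCEPT")
    lines[i - 1], lines[i] = lines[i], lines[i - 1]
    return "\n".join(lines)

if __name__ == "__main__":
    print("as posted:", audit(PAGE_RULES))
    print("swapped:  ", audit(swapped(PAGE_RULES)))
```

On the RasPi, the constructed sample can be replaced with the output of `iptables-save -t filter` to check that the persisted rules were loaded in the intended order after a reboot.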