How to Use Raspberry Pi as Router and Content Filter
If you have children at your home, you might have felt the need to block certain undesirable websites. Another common problem area is social media websites – you might feel that children (and adults) waste too much time on Facebook, Twitter etc. and want to block them, or at least make them accessible only at certain times of the day.
To make this possible, we need a router plus content filter – an appliance through which all our devices such as laptops, smartphones, and tablets connect to the internet. This appliance also intercepts the websites that these devices access, and blocks them if they try to access a blacklisted website.
There are commercial, ready-to-use content filters available in the market, but for us DIY types, there is no fun in that. Thus, we will get our hands dirty, and set up a Raspberry Pi for the job. We chose the Raspberry Pi for this project because of its tiny size and negligible power consumption. However, these instructions will work nearly unmodified with almost any computer running Debian Linux or a derivative (Ubuntu, Mint etc.).
Disclaimer: This guide assumes an intermediate level of experience with Linux, and a willingness to troubleshoot problems if and when they arise. Prior experience with command lines and firewalls is a bonus.
How it Works
Hardware
We will be using the Raspberry Pi 3 as a router cum content filter. For this, we will need two network interfaces on it – one to connect to the internet, and the other to act as a WiFi hotspot for our other devices to connect to. The Raspberry Pi 3 has a built-in Ethernet jack and WiFi module. So in this scenario, we can use an Ethernet cable (eth0) to connect to the internet, while the WiFi module (wlan0) will act as a hotspot.
Of course, connecting to the internet using Ethernet isn’t always possible. In this case, you will need a compatible USB WiFi dongle (wlan1) to connect to the internet, while the built-in WiFi module (wlan0) will act as a hotspot. This is the configuration that we will use in this guide.
Do keep in mind that while a Raspberry Pi 3 is mostly adequate for a home setup with a few laptops and smartphones, it will not provide the performance needed for a big office setup. Look into more capable hardware if a lot of clients will be connecting to your content filter.
Software
We will use the excellent E2guardian to intercept and filter our web requests. Since content filtering can have a performance impact (depending on the size of the blocklist), we will use Squid cache to offset this performance hit.
Prerequisites
1. Raspberry Pi 3 with the latest version of Raspbian OS installed, and access to the internet. If you are only getting started with the Raspberry Pi, we recommend reading our guide on how to get started with Raspberry Pi 3.
2. [Optional] USB WiFi Dongle – This is needed if, and only if, you cannot connect your Raspberry Pi 3 to the internet with an Ethernet cable. If you are planning to use WiFi for both connecting to the internet and as a hotspot, this is required.
3. Physical Access to the Raspberry Pi – Due to the nature of this article, a single mistake in the firewall configuration can lock you out of your Pi if you use it in headless mode. Therefore, it is recommended that you connect a monitor, keyboard and mouse while configuring it until everything is set up.
Use Raspberry Pi as Router
1. Connect your Pi to the internet using Ethernet (eth0). If you are using a USB WiFi dongle (probably wlan1) instead, connect that to the internet. Leave the built-in WiFi module (wlan0) as it is for now.
2. Get the prerequisite software that we need:
3. We will set up hostapd so that our Pi can act as a WiFi hotspot. For this, create a config file using your favorite text editor, for example sudo nano /etc/hostapd/hostapd.conf, and paste the content from our GitHub page.
Some lines that you might want to modify according to taste are:
This line dictates what the name of the access point will be. I chose RaspberryPiAP.
This specifies the passphrase used to access the hotspot. I used beebom.com, but it is recommended to change it to a strong passphrase of your choice.
4. Next, we will set up a DHCP server using dnsmasq. Edit the config file /etc/dnsmasq.conf, and add the following lines at the end:
[sourcecode]interface=lo,wlan0
no-dhcp-interface=lo
dhcp-range=192.168.8.20,192.168.8.254,255.255.255.0,12h[/sourcecode]
This makes the interface on wlan0 (the built-in WiFi module) hand out IP addresses to clients in the 192.168.8.20 to 192.168.8.254 range.
5. Set up a static IP address for the built-in WiFi module wlan0. Open the file /etc/network/interfaces. It probably looks something like this:
[sourcecode]source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
iface eth0 inet manual
allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf[/sourcecode]
Here, locate the lines dealing with wlan0, and change them, so that the file looks like the following:
[sourcecode]source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
iface eth0 inet manual
allow-hotplug wlan0
iface wlan0 inet static
    hostapd /etc/hostapd/hostapd.conf
    address 192.168.8.1
    netmask 255.255.255.0
allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf[/sourcecode]
This sets up a static IP address 192.168.8.1 on wlan0. Remember this address, as this is the address we will use to communicate with our Raspberry Pi later on.
6. Now set up IP forwarding. Edit the file /etc/sysctl.conf, and add the following line to it:
7. Now we will configure network address translation (NAT) in our firewall. To do this, enter the following 2 commands:
The first command sets up NAT, while the second command saves our present firewall configuration to a file called /etc/iptables/rules.v4. This makes sure that the configuration persists across reboots.
8. At this point, reboot your Raspberry Pi. This is to make sure that all the changes we made in the configuration files are functional.
9. After rebooting, you should be able to see the newly created RaspberryPiAP hotspot (unless you changed the name in step 3) on your other devices such as laptops and smartphones. You can connect to it using the password you specified, and access the internet.
This is all you need to do if you need a basic, low-powered router. If you want to set up a content filter as well, read on.
Set Up Content Filter Using E2guardian
E2guardian is not present in the default Raspbian repositories. To install it, go to the project’s GitHub page, and download the file ending in armhf.deb. Now open Terminal, go to your Downloads folder (or wherever you chose to download the file), and install it:
You will probably see a few errors about missing packages when you install E2guardian. To rectify this, let the installation finish, and enter the following command:
Using Content Lists
There are several lists present in the /etc/e2guardian/lists directory. These files include bannedextensionlist, bannediplist, bannedphraselist, bannedsitelist, bannedurllist, exceptionlist, and more. These files are properly documented with comments. Take a look at them to familiarize yourself.
As an example, let’s suppose you wish to block some popular social networks. Open the /etc/e2guardian/lists/bannedsitelist file, and under the Blanket SSL/CONNECT block (since these websites use https instead of plain http), add the following lines:
Now reload the E2guardian service using the command sudo service e2guardian reload (you will have to run this command every time you modify the configuration files). Any clients using the content filter will now be unable to access these websites. Even the mobile sites (e.g. m.twitter.com) and dedicated smartphone apps will not work.
E2guardian also blocks porn by default. If you wish to allow it (hey, we aren’t judging), open the /etc/e2guardian/lists/bannedphraselist file, and locate the following line:
Comment it out by adding a hash (# symbol) to the front, so that it looks like this:
Again, reload the configuration with sudo service e2guardian reload, and you’re done.
Configuring Clients
Now that our proxy server is set up, we can move on to configuring the clients. To use the content filter, all clients need to be connected to the Raspberry Pi’s hotspot, and configured to use the proxy. Configuring a proxy is different across all operating systems and devices. However, we will demonstrate how to set it up on Windows and Android, since these are more popular.
Windows
Go to Control Panel > Network and Internet > Internet Options. In the window that opens up, navigate to the Connections tab, and click on LAN settings.
Here, click on Advanced, and enter 192.168.8.1 as the proxy address, and 8080 as the port. Make sure that the Use the same proxy server for all protocols box is checked. Click OK.
That is all you need to do. Most popular web browsers such as Google Chrome and Firefox will automatically pick up the system proxy settings.
Android
Go to System Settings > WiFi. Now tap and hold the Raspberry Pi hotspot, and select Modify network. Under Advanced options, set the Proxy option to Manual. Now, under Proxy hostname, enter the IP address of the Pi, 192.168.8.1. Under Proxy port, enter 8080, and tap on Save.
You can now test the configuration of the proxy. Try going to a website in your blacklist – you will see an “Access Denied” page like this:
Enforcing Proxy Usage
So far, we are relying on clients playing nice and using the internet through the content filter. Of course, this rarely happens in the real world. So, to force all clients to go through the proxy, run the following commands:
This will automatically redirect all http (port 80) and https (port 443) traffic on the Raspberry Pi’s hotspot to the content filter proxy. Now, without configuring proxy settings on your devices, they will not be able to access secure https websites such as Facebook, Gmail, Twitter etc. at all. This makes sure that anyone who wishes to connect to your Pi hotspot has to go through the proxy.
This is all you need to know for basic usage of the content filter. If you wish to learn some advanced features, read on.
Advanced Usage Scenarios
Setting Up a Time-Based Filter
Let’s say you want to block the websites we mentioned in the Using Content Lists section above, but only at certain times of the day. I personally prefer to block Reddit, Facebook and Twitter during work hours (9am – 5pm) on weekdays because they are a productivity nightmare.
Open the /etc/e2guardian/lists/bannedsitelist file, and add the following line to it:
This line works as follows – the timer starts at 9 (9 am) 0 (00 minutes), till 17 (5 pm in 24-hr format) 0 (00 minutes), from 0 (Monday) to 4 (Friday).
Let’s take another example:
This will block the configured sites from 10:30 am (10 30) till 8:45 pm (20 45) on Monday (0), Wednesday (2), and Friday (4).
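To check when a window written this way is in effect, the following shell functions evaluate the five fields described above against a given day and time. This is an added example, not code from the original guide or from E2guardian; the function names are hypothetical, the days are assumed to be written as one string of digits, and the end time is assumed to fall outside the window.

```shell
# Added example, not part of the original guide.
# Rule fields, in the order described above:
#   start-hour start-minute end-hour end-minute days   (0 = Monday)

# to_minutes HOUR MINUTE -> prints minutes since midnight, status 2 if invalid
to_minutes() {
    for _f in "$1" "$2"; do
        case $_f in [0-9]|[0-9][0-9]) ;; *) return 2 ;; esac
    done
    # Strip one leading zero so "08" and "09" are not read as bad octal.
    _h=${1#0}; _m=${2#0}
    echo $(( ${_h:-0} * 60 + ${_m:-0} ))
}

# rule_active "RULE" DAY HOUR MINUTE
# Status 0 = inside the window, 1 = outside, 2 = malformed input.
rule_active() {
    read -r _sh _sm _eh _em _days _extra <<EOF
$1
EOF
    [ -z "$_extra" ] || return 2
    case $_days in ''|*[!0-6]*) return 2 ;; esac
    case $2 in [0-6]) ;; *) return 2 ;; esac
    _start=$(to_minutes "$_sh" "$_sm") || return 2
    _end=$(to_minutes "$_eh" "$_em") || return 2
    _now=$(to_minutes "$3" "$4") || return 2
    case $_days in *"$2"*) ;; *) return 1 ;; esac
    # Assumption: the end time itself is already outside the window.
    [ "$_now" -ge "$_start" ] && [ "$_now" -lt "$_end" ]
}

# rule_active_now "RULE": same check against the system clock.
# date +%u prints 1 (Monday) to 7 (Sunday), so subtract 1 to match 0 = Monday.
rule_active_now() {
    rule_active "$1" "$(( $(date +%u) - 1 ))" "$(date +%H)" "$(date +%M)"
}
```

For instance, `rule_active "9 0 17 0 01234" 5 12 30` returns status 1, because day 5 (Saturday) is not in the day list.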
Letting Certain IP Addresses Bypass the Proxy
It is possible to let certain IP addresses bypass the content filter. This can be set up by configuring the firewall. You might have noticed that in our dnsmasq.conf, we only set the hotspot to assign IP addresses from 192.168.8.20 to 192.168.8.254 to clients. That means addresses from 192.168.8.2 to 192.168.8.19 will not be automatically assigned to any client (we cannot use 192.168.8.1 because that is what our Raspberry Pi itself uses).
To do this, first set up a static IP on the device to which you want to give full access. For example, to set up a static IP of 192.168.8.2 on a Windows machine, use these settings:
Now, on your Raspberry Pi, run the following commands.
Now, disable the usage of proxy on your device, and try to open a banned website. You should be able to open it. If there are more IP addresses that you want to add to the whitelist, run the above two commands again, but replace the IP address with the one you want. Once you are satisfied with the whitelist, run the following command to save your firewall config:
One important thing to keep in mind is that you should not let anyone know the whitelisted IP addresses. Otherwise, they can simply set their device to that IP address to bypass the proxy.
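Because the whitelist is keyed on IP address alone, it is worth checking who is actually sitting in the reserved 192.168.8.2 to 192.168.8.19 range. The following added example (not from the original guide) reads the Pi's neighbour table and reports every device in that range whose IP/MAC pair was never approved; the allowlist entries, MAC addresses, sample lines and function names are constructed for illustration.

```shell
# Added example, not part of the original guide.
# Approved pairs as IP=MAC tokens (constructed sample values).
ALLOWED='192.168.8.2=aa:bb:cc:00:00:02 192.168.8.3=aa:bb:cc:00:00:03'

# find_unapproved ALLOWLIST   (neighbour table on stdin, `ip neigh` format)
# Prints "IP MAC" for each entry in 192.168.8.2-19 that is not approved.
find_unapproved() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                ok[kv[1] " " tolower(kv[2])] = 1
            }
        }
        {
            mac = ""
            for (i = 1; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next                    # FAILED/INCOMPLETE entries
            if (split($1, o, ".") != 4) next       # skip IPv6 neighbours
            if (o[1] "." o[2] "." o[3] != "192.168.8") next
            if (o[4] + 0 < 2 || o[4] + 0 > 19) next  # DHCP pool starts at .20
            if (!(($1 " " mac) in ok)) print $1, mac
        }'
}

# Constructed sample of neighbour-table output, used for an offline run.
sample_neigh() {
    cat <<'EOF'
192.168.8.2 dev wlan0 lladdr aa:bb:cc:00:00:02 REACHABLE
192.168.8.3 dev wlan0 lladdr de:ad:be:ef:00:99 STALE
192.168.8.7 dev wlan0 lladdr 11:22:33:44:55:66 REACHABLE
192.168.8.42 dev wlan0 lladdr 77:88:99:aa:bb:cc REACHABLE
192.168.8.9 dev wlan0  FAILED
EOF
}

# On the Pi:   ip neigh show dev wlan0 | find_unapproved "$ALLOWED"
# Offline run: sample_neigh | find_unapproved "$ALLOWED"
```

A MAC address is not an authenticator either, so this check narrows the gap rather than closing it.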
Security Concerns
Since your Raspberry Pi will be the entry and exit point for all your communications, it is important to secure it. Here are some tips on how to improve security. Keep in mind that these are just basic pointers and not a comprehensive list of security pitfalls. The amount of security will depend on the nature of your network (home, small office etc.) and how mischievous the users are.
Disable Unneeded Services
Since this is a router, it is best to only run the services that we require. More services running means more vulnerabilities that can potentially be exploited. Definitely do not use this system as a regular desktop.
Go to Menu > Preferences > Raspberry Pi Configuration. In the Interfaces tab, disable all services that you do not require.
Change the Default Password
A fresh Raspbian installation comes with the default password ‘raspberry’ for the default user ‘pi’. It is recommended to change this to a more secure password. To change it, open a terminal and run this command:
Remove the Monitor and Other Peripherals
Since all that will run on this Pi is the software required to use it as a router and web filter, we do not need a monitor or other peripherals such as a mouse and keyboard attached to it. If you do need to change settings and such, you can always use SSH, or attach a monitor and keyboard as needed.
Turn off Auto Login
Raspbian is set up to automatically log in with the ‘pi’ user credentials without prompting for a password. This might be ok for a general purpose family desktop, but it is dangerous for a router. To disable this, on the Raspbian desktop, go to Menu > Preferences > Raspberry Pi Configuration. In the System tab, in front of the Auto login heading, uncheck the Login as user ‘pi’ checkbox.
In the same dialog box, it is also advisable to set the Boot setting to To CLI. This will save resources since we do not need a GUI on a router. If you do want to use the desktop for any reason, log in with your username, and run the startx command to turn on the graphical interface.
Troubleshooting Common Problems
Interfaces Keep Getting Renamed
This is very common if you are using two wireless interfaces on your Pi. If you are using Ethernet to connect your Pi to the internet, you can safely ignore this section. The problem is that both the wireless interfaces (wlan0 and wlan1) sometimes swap names after a reboot. That is, the built-in WiFi module wlan0 gets renamed to wlan1, and vice versa. This is of course a big problem since we rely on them having a consistent name for our configuration files. Here is how to make it consistent across reboots:
1. Find out the MAC address of your interfaces. Run the command ifconfig | grep HWaddr on your Raspberry Pi. You will see an output like the following:
Note down the text to the right of the word ‘HWaddr’ in the wlan0 and wlan1 section. You can safely ignore the eth0 section. These are the MAC addresses of your wireless interfaces.
If you are not sure which MAC address belongs to which interface, simply unplug the USB WiFi dongle, and run the command again. The wlan interface that comes up now is your built-in WiFi interface, while the other one is USB.
2. Create a new file /etc/udev/rules.d/10-network.rules using your favorite text editor. For example:
3. Enter the following text in this file. Replace the xx:xx:xx:xx etc. with the appropriate MAC address:
[sourcecode]# Set up the built-in WiFi module as wlan0. Replace the xx:xx:xx etc. with the
# built-in module's MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="xx:xx:xx:xx:xx:xx", NAME="wlan0"
# Set up the USB WiFi dongle as wlan1. Replace the yy:yy:yy etc. with the
# USB dongle's MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="yy:yy:yy:yy:yy:yy", NAME="wlan1"[/sourcecode]
Make sure that the built-in WiFi interface’s MAC address corresponds to wlan0, and the USB WiFi to wlan1, since that is the convention we are following in this guide.
4. Reboot your Raspberry Pi. Your interfaces will start with the correct name now.
Resetting Firewall Configuration
Another common problem is a badly configured firewall. Depending on your network configuration, it might take several tries before you get the firewall right. If at any point you think that you might have messed up the firewall configuration, run the following commands to start from scratch:
This will delete all firewall configuration. You can now start configuring the firewall from scratch. Once you are satisfied, run the command sudo iptables-save | sudo tee /etc/iptables/rules.v4 to make the configuration permanent.
Use Your Raspberry Pi as Router and Content Filter
That is all on turning your Raspberry Pi into a potent router plus content filter proxy. You can get the exact configuration files we used for our setup on our GitHub page. Do let us know how it works out for you. If something does not work as expected, or a step feels too confusing, feel free to ask us a question in the comments section below.
Shivam Raj
Command lines, DIY, video games, linguistics, and a little bit of everything else.