Use a Raspberry Pi 4 as a router

Why?

Why not use the router provided by the ISP?

The problem arose from a QoS need: giving priority to some services, such as SIP for the Asterisk PABX.

How?

Use the tutorial to install your Pi 4. For this use, as the Pi 4 is fully dedicated to the router function, we work as root, disable password authentication and connect with SSH keys.

Stop dhcpcd

dhcpcd is standard on Raspbian, but for this use it is not clear that it has advantages over the good old networking service, so it is disabled (source here).

systemctl stop dhcpcd
systemctl disable dhcpcd
apt remove dhcpcd5

A basic /etc/network/interfaces is set:

auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
        address 192.168.163.252
        netmask 255.255.255.0
        gateway 192.168.163.254
        network 192.168.163.0
        broadcast 192.168.163.255
        dns-nameservers 192.168.163.30 8.8.8.8
        dns-search couderc.eu

After:

ifup eth0

both the old and the new IP address should respond to ping…

Connect to the internet

You need to connect your ISP box, configured to pass all traffic to the Pi. This is done with an additional physical USB3-to-RJ45 adapter (maybe USB2, but to spare what…?). Here we use a subnetwork, but PPPoE could be used for a simple modem.

So we add a second interface:

auto eth1
iface eth1 inet static
        address 192.168.153.2
        netmask 255.255.255.0
        gateway 192.168.153.254
        network 192.168.153.0
        broadcast 192.168.153.255
        dns-nameservers 192.168.153.1 212.27.40 8.8.8.8
        dns-search couderc.eu
        up /usr/local/bin/wondershaper eth1 14000 1000

The last line will be explained later.

Routing

Routing is done with iptables and iptables-persistent.

Here is an example of /etc/iptables/rules.v4:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# eth1 is the WAN interface, eth0 is the LAN interface
-A POSTROUTING -o eth1 -j MASQUERADE

#******************* PREROUTING from WAN to LAN : see too below
# bin
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 53 -j DNAT --to-destination 192.168.163.30:53
# www
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.163.32:80
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 192.168.163.32:443
# mail
-A PREROUTING -p tcp -m tcp -i eth1 --dport 25 -j DNAT --to-destination 192.168.163.36:25
-A PREROUTING -p tcp -m tcp -i eth1 --dport 66 -j DNAT --to-destination 192.168.163.36:66
-A PREROUTING -p tcp -m tcp -i eth1 --dport 143  -j DNAT --to-destination 192.168.163.36:143
-A PREROUTING -p tcp -m tcp -i eth1 --dport 587 -j DNAT --to-destination 192.168.163.36:587
-A PREROUTING -p tcp -m tcp -i eth1 --dport 993 -j DNAT --to-destination 192.168.163.36:993
# psql
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5432 -j DNAT --to-destination 192.168.163.35:5432
#sip
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5060  -j DNAT --to-destination 192.168.163.33:5060

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

### Service rules: what we accept on piIVrouter itself

# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable


# SSH - accept from LAN
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# SSH - accept from WAN
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT



# drop all other inbound traffic
-A INPUT -j DROP

### Forwarding rules: what goes out

# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# forward from LAN (eth0) to WAN (eth1)
-A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow traffic from our NAT pinhole
#******************* FORWARD from WAN to LAN
# bin
-A FORWARD -p udp -d 192.168.163.30 --dport 53 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.30 --dport 53 -j ACCEPT
# www
-A FORWARD -p tcp -d 192.168.163.32 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.32 --dport 443 -j ACCEPT
# mail
-A FORWARD -p tcp -d 192.168.163.36 --dport 25 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 66 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 143 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 587 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.36 --dport 993 -j ACCEPT
# psql
-A FORWARD -p tcp -d 192.168.163.35 --dport  5432 -j ACCEPT
#sip
-A FORWARD -p tcp -d 192.168.163.33 --dport 5060 -j ACCEPT

# drop all other forwarded traffic
-A FORWARD -j DROP

COMMIT

Note that for incoming traffic, each port appears twice: once in the nat table's PREROUTING chain (the DNAT pinhole) and once in the filter table's FORWARD chain (the ACCEPT); a DNAT without its FORWARD ACCEPT ends in the final FORWARD DROP.
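Because the pairing is easy to get wrong when a port is added or removed, here is an added example (not part of the original page) of a small Python check that reads a file in the rules.v4 layout above and reports DNAT pinholes with no matching FORWARD ACCEPT, FORWARD ACCEPTs with no DNAT, and INPUT ACCEPTs arriving on the WAN interface (the router's own exposed services). The sample rules and the `eth1` WAN interface name are constructed for the example.

```python
import shlex

WAN_IF = "eth1"  # WAN interface as in the layout above; an assumption, adjust to yours

def _opt(tokens, name):
    """Value following option `name` in a tokenised rule, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def parse_rules(text):
    """Collect (proto, dst, dport) for DNAT pinholes, FORWARD ACCEPTs and WAN INPUT ACCEPTs."""
    pinholes, forwards, wan_input, table = set(), set(), set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                # table header: *nat / *filter
            table = line[1:]
        if not line or line[0] in "#:*" or line == "COMMIT":
            continue
        t = shlex.split(line)
        chain, proto, port, target = (_opt(t, o) for o in ("-A", "-p", "--dport", "-j"))
        if table == "nat" and chain == "PREROUTING" and target == "DNAT":
            ip, _, dport = _opt(t, "--to-destination").partition(":")
            pinholes.add((proto, ip, dport or port))   # bare IP keeps the original port
        elif table == "filter" and chain == "FORWARD" and target == "ACCEPT" and port:
            forwards.add((proto, _opt(t, "-d"), port))
        elif table == "filter" and chain == "INPUT" and target == "ACCEPT" and _opt(t, "-i") == WAN_IF:
            wan_input.add((proto, WAN_IF, port))
    return pinholes, forwards, wan_input

def audit(text):
    """DNAT without FORWARD fails closed at the final DROP; FORWARD without DNAT is a dead ACCEPT."""
    pinholes, forwards, wan_input = parse_rules(text)
    return {"dnat_without_forward": sorted(pinholes - forwards, key=str),
            "forward_without_dnat": sorted(forwards - pinholes, key=str),
            "wan_input_accept": sorted(wan_input, key=str)}

# Constructed sample in the rules.v4 layout above: one DNAT lacks its FORWARD
# ACCEPT, one FORWARD ACCEPT lacks its DNAT, and SSH is accepted from the WAN.
SAMPLE = """\
*nat
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 192.168.163.32:443
-A PREROUTING -p tcp -m tcp -i eth1 --dport 5060 -j DNAT --to-destination 192.168.163.33:5060
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.32 --dport 443 -j ACCEPT
-A FORWARD -p tcp -d 192.168.163.35 --dport 5432 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
```

Call `audit(SAMPLE)`, or pass it the contents of your own /etc/iptables/rules.v4, to get the three lists of findings.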

QoS

wondershaper is a script designed to ensure QoS, particularly for SIP. We use the script adapted by J.M. Liotier; see the explanations:

http://serendipity.ruwenzori.net/index.php/2008/06/01/modified-wondershaper-for-better-voip-qos

and the script itself: http://www.ruwenzori.net/code/wondershaper/wondershaper.jml

Remember to update the command line (the last line of /etc/network/interfaces) with your own throughputs:

up wondershaper device downlink_rate uplink_rate

Last modified: 2021/05/03 10:20 by pcouderc
