How to Use Raspberry Pi as Router and Content Filter

If you have children at your home, you might have felt the need to block certain undesirable websites. Another common problem area is social media websites – you might feel that children (and adults) waste too much time on Facebook, Twitter etc. and want to block them, or at least make them accessible only at certain times of the day.

To make this possible, we need a router plus content filter – an appliance through which all our devices such as laptops, smartphones, and tablets connect to the internet. This appliance also intercepts the websites that these devices access, and blocks them if they try to access a blacklisted website.

There are commercial, ready-to-use content filters available in the market, but for us DIY types, there is no fun in that. Thus, we will get our hands dirty, and set up a Raspberry Pi for the job. We chose the Raspberry Pi for this project because of its tiny size and negligible power consumption. However, these instructions will work nearly unmodified with almost any computer running Debian Linux or a derivative (Ubuntu, Mint etc.).

Disclaimer: This guide assumes an intermediate level of experience with Linux, and a willingness to troubleshoot problems if and when they arise. Prior experience with command lines and firewalls is a bonus.

How it Works

Hardware

We will be using the Raspberry Pi 3 as a router cum content filter. For this, we will need two network interfaces on it – one to connect to the internet, and the other to act as a WiFi hotspot for our other devices to connect to. The Raspberry Pi 3 has a built-in Ethernet jack and WiFi module. So in this scenario, we can use an Ethernet cable (eth0) to connect to the internet, while the WiFi module (wlan0) will act as a hotspot.

Of course, connecting to the internet using Ethernet isn’t always possible. In this case, you will need a compatible USB WiFi dongle (wlan1) to connect to the internet, while the built-in WiFi module (wlan0) will act as a hotspot. This is the configuration that we will use in this guide.

Do keep in mind that while a Raspberry Pi 3 is mostly adequate for a home setup with a few laptops and smartphones, it will not provide the performance needed for a big office setup. Look into more capable hardware if a lot of clients will be connecting to your content filter.

Software

We will use the excellent E2guardian to intercept and filter our web requests. Since content filtering can have a performance impact (depending on the size of the blocklist), we will use Squid cache to offset this performance hit.

Prerequisites

1. Raspberry Pi 3 with the latest version of Raspbian OS installed, and access to the internet. If you are only getting started with the Raspberry Pi, we recommend reading our guide on how to get started with Raspberry Pi 3.

2. [Optional] USB WiFi Dongle – This is needed if, and only if you cannot connect your Raspberry Pi 3 to the internet with an Ethernet cable. If you are planning to use WiFi for both connecting to the internet and as a hotspot, this is required.

3. Physical Access to the Raspberry Pi – Due to the nature of this article, a single mistake in the firewall configuration can lock you out of your Pi if you use it in headless mode. Therefore, it is recommended that you connect a monitor, keyboard and mouse while configuring it until everything is set up.

Use Raspberry Pi as Router

1. Connect your Pi to the internet using Ethernet (eth0). If you are using a USB WiFi dongle (probably wlan1) instead, connect that to the internet. Leave the built-in WiFi module (wlan0) as it is for now.

2. Get the prerequisite software that we need:

sudo apt install iptables iptables-persistent hostapd dnsmasq squid3

3. We will set up hostapd so that our Pi can act as a WiFi hotspot. For this, create a config file using your favorite text editor, for example sudo nano /etc/hostapd/hostapd.conf, and paste the content from our GitHub page.

Some lines that you might want to modify according to taste are:

ssid=RaspberryPiAP

This line dictates what the name of the access point will be. I chose RaspberryPiAP.

wpa_passphrase=beebom.com

This specifies the passphrase used to access the hotspot. I used beebom.com, but it is recommended to change it to a strong passphrase of your choice.

4. Next, we will set up a DHCP server using dnsmasq. Edit the config file /etc/dnsmasq.conf, and add the following lines at the end:

[sourcecode]interface=lo,wlan0

no-dhcp-interface=lo

dhcp-range=192.168.8.20,192.168.8.254,255.255.255.0,12h[/sourcecode]

This makes the interface on wlan0 (the built-in WiFi module) hand out IP addresses to clients in the 192.168.8.20 to 192.168.8.254 range.

5. Set up a static IP address for the built-in WiFi module wlan0. Open the file /etc/network/interfaces. It probably looks something like this:

[sourcecode]source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf[/sourcecode]

Here, locate the lines dealing with wlan0, and change them, so that the file looks like the following:

[sourcecode]source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet static
hostapd /etc/hostapd/hostapd.conf
address 192.168.8.1
netmask 255.255.255.0

allow-hotplug wlan1
iface wlan1 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf[/sourcecode]

This sets up a static IP address 192.168.8.1 on wlan0. Remember this address, as this is the address we will use to communicate with our Raspberry Pi later on.

6. Now set up IP forwarding. Edit the file /etc/sysctl.conf, and add the following line to it:

net.ipv4.ip_forward=1

7. Now we will configure network address translation (NAT) in our firewall. To do this, enter the following 2 commands:

sudo iptables -t nat -A POSTROUTING -s 192.168.8.0/24 ! -d 192.168.8.0/24 -j MASQUERADE

sudo iptables-save | sudo tee /etc/iptables/rules.v4

The first command sets up NAT, while the second command saves our present firewall configuration to a file called /etc/iptables/rules.v4. This makes sure that the configuration persists across reboots.

8. At this point, reboot your Raspberry Pi. This is to make sure that all the changes we made in the configuration files are functional.

9. After rebooting, you should be able to see the newly created RaspberryPiAP hotspot (unless you changed the name in step 3) on your other devices such as laptops and smartphones. You can connect to it using the password you specified, and access the internet.

This is all you need to do if you need a basic, low-powered router. If you want to set up a content filter as well, read on.

Set Up Content Filter Using E2guardian

E2guardian is not present in the default Raspbian repositories. To install it, go to the project’s Github page, and download the file ending in armhf.deb. Now open Terminal, go to your Downloads folder (or wherever you chose to download the file), and install it:

cd ~/Downloads

sudo dpkg -i ./e2guardian_*_jessie_armhf.deb

You will probably see a few errors about missing packages when you install E2guardian. To rectify this, let the installation finish, and enter the following command:

sudo apt-get install -f

Using Content Lists

There are several lists present in the /etc/e2guardian/lists directory. These files include bannedextensionlist, bannediplist, bannedphraselist, bannedsitelist, bannedurllist, exceptionlist, and more. These files are properly documented with comments. Take a look at them to familiarize yourself.

As an example, let’s suppose you wish to block some popular social networks. Open the /etc/e2guardian/lists/bannedsitelist file, and under the Blanket SSL/CONNECT block (since these websites use https instead of plain http), add the following lines:

facebook.com
twitter.com
reddit.com

Now reload the E2guardian service using the command sudo service e2guardian reload (you will have to run this command every time you modify the configuration files). Any clients using the content filter will now be unable to access these websites. Even the mobile sites (e.g. m.twitter.com) and dedicated smartphone apps will not work.

E2guardian also blocks porn by default. If you wish to allow it (hey, we aren’t judging), open the /etc/e2guardian/lists/bannedphraselist file, and locate the following line:

.Include</etc/e2guardian/lists/phraselists/pornography/banned>

Comment it out by adding a hash (# symbol) to the front, so that it looks like this:

#.Include</etc/e2guardian/lists/phraselists/pornography/banned>

Again, reload the configuration with sudo service e2guardian reload, and you’re done.

Configuring Clients

Now that our proxy server is set up, we can move on to configuring the clients. To use the content filter, all clients need to be connected to the Raspberry Pi’s hotspot, and configured to use the proxy. Configuring a proxy is different across all operating systems and devices. However, we will demonstrate how to set it up on Windows and Android, since these are more popular.

Windows

Go to Control Panel > Network and Internet > Internet Options. In the window that opens up, navigate to the Connections tab, and click on LAN settings.

Here, click on Advanced, and enter 192.168.8.1 as the proxy address, and 8080 as the port. Make sure that the Use the same proxy server for all protocols box is checked. Click OK.

That is all you need to do. Most popular web browsers such as Google Chrome and Firefox will automatically pick up the system proxy settings.

Android

Go to System Settings > WiFi. Now tap and hold the Raspberry Pi hotspot, and select Modify network. Under Advanced options, set the Proxy option to Manual. Now, under Proxy hostname, enter the IP address of the Pi 192.168.8.1. Under Proxy port, enter 8080, and tap on Save.

You can now test the configuration of the proxy. Try going to a website in your blacklist – you will see an “Access Denied” page.

Enforcing Proxy Usage

So far, we are relying on clients playing nice and using the internet through the content filter. Of course, this rarely happens in the real world. To force all clients to go through the proxy, run the following commands:

sudo iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

sudo iptables -A PREROUTING -t nat -p tcp --destination-port 443 -j REDIRECT --to-ports 8080

sudo iptables-save | sudo tee /etc/iptables/rules.v4

This will automatically redirect all HTTP (port 80) and HTTPS (port 443) traffic on the Raspberry Pi’s hotspot to the content filter proxy on port 8080. Now, without configuring proxy settings on your devices, they will not be able to access secure HTTPS websites such as Facebook, Gmail, Twitter etc. at all: a redirected HTTPS connection starts a TLS handshake with a proxy port that expects a plain HTTP proxy request, so the connection fails. This makes sure that anyone who wishes to connect to your Pi hotspot has to go through the proxy.

This is all you need to know for basic usage of the content filter. If you wish to learn some advanced features, read on.

Advanced Usage Scenarios

Setting Up a Time-Based Filter

Let’s say you want to block the websites we mentioned in the Using Content Lists section above, but only at certain times of the day. I personally prefer to block Reddit, Facebook and Twitter during work hours (9am – 5pm) on weekdays because they are a productivity nightmare.

Open the /etc/e2guardian/lists/bannedsitelist file, and add the following line to it:

time: 9 0 17 0 01234

This line works as follows – the timer starts at 9 (9 am) 0 (00 minutes), till 17 (5 pm in 24-hr format) 0 (00 minutes), from 0 (Monday) to 4 (Friday).

Let’s take another example:

time: 10 30 20 45 024

This will block the configured sites from 10:30 am (10 30) till 8:45 pm (20 45) on Monday (0), Wednesday (2), and Friday (4).
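To check a time: line before relying on it, the following added example (not part of the original article or of E2guardian) evaluates a rule against a given day and time using the field order described above. The function names are hypothetical, and the handling of the exact end minute and the rejection of windows that cross midnight are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: evaluate an E2guardian "time:" line against a clock value.

# time_rule_active RULE DAY HOUR MINUTE
#   RULE  e.g. "time: 9 0 17 0 01234"
#   DAY   0 = Monday ... 6 = Sunday (the article's numbering)
# Returns 0 if the list is in force, 1 if not, 2 if RULE or DAY is malformed.
time_rule_active() {
    awk -v day="$2" -v hour="$3" -v minute="$4" '
        {
            if ($1 != "time:" || NF != 6 || day !~ /^[0-6]$/) exit 2
            for (i = 2; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 2
            if ($6 !~ /^[0-6]+$/) exit 2
            if ($2 > 23 || $4 > 23 || $3 > 59 || $5 > 59) exit 2
            start = $2 * 60 + $3
            stop  = $4 * 60 + $5
            now   = hour * 60 + minute      # "09" is read as 9, not as octal
            if (start >= stop) exit 2       # windows crossing midnight: not handled
            # Assumption of this example: start inclusive, end exclusive.
            active = index($6, day) > 0 && now >= start && now < stop
            exit (active ? 0 : 1)
        }
    ' <<EOF
$1
EOF
}

# rule_active_now RULE: evaluate RULE against the system clock.
# date +%u counts Monday as 1, so subtract 1 to get 0 = Monday.
rule_active_now() {
    time_rule_active "$1" "$(( $(date +%u) - 1 ))" "$(date +%H)" "$(date +%M)"
}

# Demo with the first rule from this section.
if rule_active_now "time: 9 0 17 0 01234"; then
    echo "work-hours block is in force right now"
else
    echo "work-hours block is not in force right now"
fi
```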

Letting Certain IP Addresses Bypass the Proxy

It is possible to let certain IP addresses bypass the content filter. This can be set up by configuring the firewall. You might have noticed that in our dnsmasq.conf, we only set the hotspot to assign IP addresses from 192.168.8.20 to 192.168.8.254 to clients. That means addresses from 192.168.8.2 to 192.168.8.19 will not be automatically assigned to any client (we cannot use 192.168.8.1 because that is what our Raspberry Pi itself uses).

To do this, first set up a static IP on the device to which you want to give full access. For example, to set up a static IP of 192.168.8.2 on a Windows machine, use these settings:

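Now, on your Raspberry Pi, run the following commands. They use -I to insert the rules at the top of the PREROUTING chain, so that they are evaluated before the redirect rules added in the Enforcing Proxy Usage section (rules appended after the redirects would never be reached):

sudo iptables -t nat -I PREROUTING -p tcp -s 192.168.8.2 --destination-port 80 -j RETURN

sudo iptables -t nat -I PREROUTING -p tcp -s 192.168.8.2 --destination-port 443 -j RETURN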

Now, disable the usage of proxy on your device, and try to open a banned website. You should be able to open it. If there are more IP addresses that you want to add to the whitelist, run the above two commands again, but replace the IP address with the one you want. Once you are satisfied with the whitelist, run the following command to save your firewall config:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

One important thing to keep in mind is that you should not let anyone know the whitelisted IP addresses. Otherwise, they can simply set their device to that IP address to bypass the proxy.
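iptables walks the PREROUTING chain from top to bottom and stops at the first terminating match, so a RETURN exemption only works if it sits above the REDIRECT rule for the same port. The following added example (not from the original article) audits iptables-save output for exemptions that can never be reached; the function names and the two rule sets are constructed for illustration, and on the Pi you would pipe sudo iptables-save into audit_prerouting instead.

```shell
#!/bin/sh
# Added example: find proxy-bypass rules that are shadowed by an earlier
# REDIRECT in the nat PREROUTING chain. Reads iptables-save output on stdin.

# audit_prerouting: prints one line per bypass rule, returns 1 if any is shadowed
audit_prerouting() {
    awk '
        # Return the argument that follows option NAME in the current rule.
        function opt(name,   i) {
            for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
            return ""
        }
        /^\*/ { table = substr($0, 2); next }          # "*nat", "*filter", ...
        table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        {
            n++
            port = opt("--dport"); src = opt("-s"); target = opt("-j")
            # A REDIRECT without a source match catches every client.
            if (target == "REDIRECT" && src == "" && !(port in seen))
                seen[port] = n
            if (target == "RETURN" && src != "") {
                if (port in seen) {
                    printf "SHADOWED  %s dport %s: rule %d comes after REDIRECT rule %d\n",
                           src, port, n, seen[port]
                    bad = 1
                } else
                    printf "EFFECTIVE %s dport %s: rule %d\n", src, port, n
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample rules in the form iptables-save prints them.
REDIRECTS='-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080'
BYPASSES='-A PREROUTING -s 192.168.8.2/32 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -s 192.168.8.2/32 -p tcp -m tcp --dport 443 -j RETURN'

# ruleset FIRST SECOND: wrap two rule groups in a minimal *nat table dump
ruleset() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n%s\n%s\nCOMMIT\n' "$1" "$2"
}

echo "Bypass rules appended after the redirects:"
ruleset "$REDIRECTS" "$BYPASSES" | audit_prerouting || echo "=> whitelist has no effect"
echo "Bypass rules inserted before the redirects:"
ruleset "$BYPASSES" "$REDIRECTS" | audit_prerouting && echo "=> whitelist works"
```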

Security Concerns

Since your Raspberry Pi will be the entry and exit point for all your communications, it is important to secure it. Here are some tips on how to improve security. Keep in mind that these are just basic pointers and not a comprehensive list of security pitfalls. The amount of security will depend on the nature of your network (home, small office etc.) and how mischievous the users are.

Disable Unneeded Services

Since this is a router, it is best to only run the services that we require. More services running means more vulnerabilities that can potentially be exploited. Definitely do not use this system as a regular desktop.

Go to Menu > Preferences > Raspberry Pi Configuration. In the Interfaces tab, disable all services that you do not require.

Change the Default Password

A fresh Raspbian installation comes with the default password ‘raspberry’ for the default user ‘pi’. It is recommended to change this to a more secure password. To change it, open a terminal and run this command:

passwd

Remove the Monitor and Other Peripherals

Since all that will run on this Pi is the software required to use it as a router and web filter, we do not need a monitor or other peripherals such as a mouse and keyboard attached to it. If you do need to change settings and such, you can always use SSH, or attach a monitor and keyboard as needed.

Turn off Auto Login

Raspbian is set up to automatically log in with the ‘pi’ user credentials without prompting for password. This might be ok for a general purpose family desktop, but dangerous for a router. To disable this, on the Raspbian desktop, go to Menu > Preferences > Raspberry Pi Configuration. In the System tab, in front of the Auto login heading, uncheck the Login as user ‘pi’ checkbox.

In the same dialog box, it is also advisable to set the Boot setting to To CLI. This will save resources since we do not need a GUI on a router. If you do want to use the desktop for any reason, log in with your username, and run the startx command to turn on the graphical interface.

Troubleshooting Common Problems

Interfaces Keep Getting Renamed

This is very common if you are using two wireless interfaces on your Pi. If you are using Ethernet to connect your Pi to the internet, you can safely ignore this section. The problem is that both the wireless interfaces (wlan0 and wlan1) sometimes swap names after a reboot. That is, the built-in WiFi module wlan0 gets renamed to wlan1, and vice versa. This is of course a big problem since we rely on them having a consistent name for our configuration files. Here is how to make it consistent across reboots:

1. Find out the MAC address of your interfaces. Run the command ifconfig | grep HWaddr on your Raspberry Pi. You will see an output like the following:

Note down the text to the right of the word ‘HWaddr’ in the wlan0 and wlan1 section. You can safely ignore the eth0 section. These are the MAC addresses of your wireless interfaces.

If you are not sure which MAC address belongs to which interface, simply unplug the USB WiFi dongle, and run the command again. The wlan interface that comes up now is your built-in WiFi interface, while the other one is USB.

2. Create a new file /etc/udev/rules.d/10-network.rules using your favorite text editor. For example:

sudo nano /etc/udev/rules.d/10-network.rules

3. Enter the following text in this file. Replace the xx:xx:xx:xx etc. with the appropriate MAC address:

[sourcecode]# Set up the built-in WiFi module as wlan0. Replace the xx:xx:xx etc. with the
# built-in module's MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="xx:xx:xx:xx:xx:xx", NAME="wlan0"

# Set up the USB WiFi dongle as wlan1. Replace the yy:yy:yy etc. with the
# USB dongle's MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="yy:yy:yy:yy:yy:yy", NAME="wlan1"[/sourcecode]

Make sure that the built-in WiFi interface’s MAC address corresponds to wlan0, and the USB WiFi to wlan1 since that is the convention we are following in this guide.

4. Reboot your Raspberry Pi. Your interfaces will start with the correct name now.

Resetting Firewall Configuration

Another common problem is a badly configured firewall. Depending on your network configuration, it might take several tries before you get the firewall right. If at any point you think that you might have messed up the firewall configuration, run the following commands to start from scratch:

sudo iptables --flush
sudo iptables --table nat --flush
sudo iptables --delete-chain
sudo iptables --table nat --delete-chain

This will delete all firewall configuration. You can now start configuring the firewall from scratch. Once you are satisfied, run the command sudo iptables-save | sudo tee /etc/iptables/rules.v4 to make the configuration permanent.

Use Your Raspberry Pi as Router and Content Filter

That is all on turning your Raspberry Pi into a potent router plus content filter proxy. You can get the exact configuration files we used for our setup on our GitHub page. Do let us know how it works out for you. If something does not work as expected, or a step feels too confusing, feel free to ask us a question in the comments section below.

Comments 8
  • StefanA says:

    This is really great stuff. Thanks for collecting and sharing this information

  • Martin says:

    Hello. I am trying to set my pi2 up as a wlan hotspot and run pihole. I can't set my ISP modem to specify DNS address, so I need to use the pihole for DHCP and disable DHCP in my router. Until now I have not had any luck setting this up. Any help would be appreciated.

  • Markus says:

    Hi,

    It works great on my Raspberry Pi 3 Model B now. But I am only able to access http sites. Every site that I try to reach with https sends an ssl_protocol_error to the browser. How can I get over this? I do not need SSL scanning. URL blocking alone is fine for my use case.

  • Jerome says:

    WOW Its exactly what I wanted.. THANKS

  • Domenico says:

    Very good article but the hotspot function doesn’t work well ’cause my 3 notebooks can’t authenticate on it…

  • Muhammad Jawwad says:

    hello i want to know if is it possible to use https filtering using text file where sites are mentioned??

  • mrmpbkk says:

    This was a great article. Everything works except I am having difficulty setting time filters. Is there any documentation I can read? Where do you need to add this line: time: 9 0 17 0 01234? Do you need to provide a list of sites where this time filter has to be applied? Any example file with these working filters would be great. Thanks again

  • Brad says:

    Are you using SslBump in your squid.conf? Everything I’ve read says that “transparent” proxy (iptables rules to prevent users from bypassing the proxy) doesn’t work with SSL *unless* you use ssl bumping, which I’d prefer not to use. I can get everything working except for that.
