psb-gemma 47a8b40fdb Add growth state frontmatter to all 280 wiki files
TREE(74): training modules, entity profiles, 2890 references, keyword indices
SPROUT(42): knowledge pages, project docs, curated source material
SEED(164): daily notes, raw session logs, unprocessed material

Updated AUDIT_MANIFEST.json with growth classifications.
2026-05-14 01:27:59 +00:00

---
pageType: source
id: source.psb-thinking-pihole-blocker
title: psb-thinking-pihole-blocker
sourceType: local-file
sourcePath: /home/topher/.openclaw/workspace-psb-thinking/projects/pihole-blocker.md
ingestedAt: 2026-05-03T02:02:41.347Z
updatedAt: 2026-05-03T02:02:41.347Z
status: active
growth: seed
---
# psb-thinking-pihole-blocker
## Source
- Type: `local-file`
- Path: `/home/topher/.openclaw/workspace-psb-thinking/projects/pihole-blocker.md`
- Bytes: 9252
- Updated: 2026-05-03T02:02:41.347Z
## Content
````text
# Pi-hole Blocker Project
**Status:** Planning / Not started
**Hardware:** Seeed Studio Dual-GbE Carrier Board with 4GB RAM + 32GB eMMC (CM4)
**URL:** https://www.seeedstudio.com/Dual-GbE-Carrier-Board-with-4GB-RAM-32GB-eMMC-RPi-CM4-Case-p-5029.html
---
## Decision Log
### 2026-04-04 — Initial Research
**Hardware selected:** CM4 with dual GbE + eMMC (no SD card!)
**Chosen approach:** Raspberry Pi OS Lite + Pi-hole (manual install)
- Full control
- Well-documented
- eMMC more reliable than SD
- Dual GbE enables passthrough or bridge mode
**Rejected:**
- Pre-built images (outdated, inflexible)
- DietPi (good but less common for troubleshooting)
- Docker (overkill for dedicated hardware)
---
## TODO (When Ready)
- [ ] Flash Raspberry Pi OS Lite (64-bit) to eMMC
- [ ] Enable SSH, set hostname before first boot
- [ ] First boot + network config
- [ ] Install Pi-hole: `curl -sSL https://install.pi-hole.net | bash`
- [ ] Configure upstream DNS (Cloudflare/Google/Quad9)
- [ ] Decide network mode: passthrough vs bridge vs VLAN
- [ ] Point router DNS to Pi-hole IP
- [ ] Test + document
---
## Network Config Notes (Dual GbE)
**Goal:** Transparent filtering for entire network
### Option 1: Single Port + Router DNS Redirect (Recommended) ⭐
```
Modem → Existing Router → Pi-hole (eth0 only) → All devices
                                ↳ Time Machine (same port)
```
**How:** Router forces all port 53 traffic to Pi-hole IP
**Pros:**
- Simplest setup
- Existing router handles DHCP/NAT (less to break)
- Time Machine works on same network
- Dual GbE not needed, but harmless
**Cons:**
- Devices can bypass with hardcoded DNS (8.8.8.8)
- Router must support DNS redirect/forced DNS
**Best for:** Most home setups, transparent operation
---
### Option 2: Bridge Mode (Dual GbE Active)
```
Router → eth0 ─┬─ Pi-hole (bridged) ─┬─ eth1 → Switch/House
               └─ Time Machine share ─┘
```
**How:** Both ports bridged at OS level, Pi acts as Layer 2 device
**Pros:**
- All traffic passes through (harder to bypass)
- Time Machine visible to all devices
- Existing router still handles DHCP/NAT
**Cons:**
- More complex network config (bridge interfaces)
- Pi becomes network dependency (if it dies, network dies)
**Best for:** Maximum coverage, willing to troubleshoot bridging
---
### Option 3: Full Inline Router (Dual GbE)
```
Modem → eth0 (WAN) → Pi-hole routes/NAT → eth1 (LAN) → House
                                              ↳ Time Machine on LAN side
```
**How:** Pi replaces your router entirely
**Pros:**
- Complete control, can't bypass
- Full firewall/NAT control
- True network segmentation possible
**Cons:**
- Most complex (DHCP, NAT, firewall rules)
- Single point of failure
- Time Machine only visible to LAN side
- Need to reconfigure entire network
**Best for:** Advanced users, want full network control
---
## Decision Log
### 2026-04-04 — Final Decisions
**Network Mode:** Option 1 — Single Port + Router DNS Redirect ⭐
- Existing router handles DHCP/NAT
- Router forces DNS to Pi-hole
- Time Machine on same network (no complications)
- Can upgrade to bridge mode later if needed
**Add-ons Confirmed:**
- ✅ Pi-hole (DNS ad-blocking)
- ✅ Unbound (recursive DNS, privacy)
- ✅ Time Machine (Mac backups via Samba + Avahi)
- ✅ Wireshark/tcpdump lab (packet capture for learning)
- ❌ WireGuard — SKIP (Tailscale already covers remote access)
**Location:** HOME (separate from brewery setup)
**Dual GbE Verdict:** NOT overkill — enables bridge mode for packet capture learning lab 🎓
**Rejected:**
- Pre-built Pi-hole images (outdated, inflexible)
- DietPi (less common for troubleshooting)
- Docker (overkill for dedicated hardware)
- Full inline router mode (too complex for v1)
- WireGuard (Tailscale = WireGuard, redundant)
---
## Learning/Lab Use Cases (Dual GbE Bonus!)
### Packet Capture & Analysis (Wireshark/tcpdump)
**Bridge mode = perfect learning lab:**
```
Router → eth0 → Pi (bridged) → eth1 → House
                    ↓
            Full packet capture
```
**What you can learn:**
- Wireshark filters and display rules
- Protocol analysis (DNS, HTTP, SMB, etc.)
- Network troubleshooting
- Security analysis (spot suspicious traffic)
- IoT device behavior (what's my Roomba actually doing?)
**Tools to install:**
- `wireshark` (GUI, needs X11/VNC) or `tshark` (CLI)
- `tcpdump` (lightweight CLI capture)
- `nethogs` (bandwidth by process)
- `iftop` / `ntopng` (real-time traffic visualization)
**Example commands:**
```bash
# Capture all traffic on eth0 to a pcap file (open later in Wireshark)
sudo tcpdump -i eth0 -w capture.pcap
# Live DNS monitoring: print the queried name of every DNS packet
sudo tshark -i eth0 -Y "dns" -T fields -e dns.qry.name
# Real-time bandwidth by process (trace mode, 5 refresh cycles)
sudo nethogs -t -c 5 eth0
```
**Privacy note:** You'll see EVERYTHING on your network — passwords in plaintext (HTTP), browsing history, device fingerprints. Great for learning, serious responsibility.
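Added example (not part of the original project notes): a shell function that reads the tab-separated field output of tshark and lists LAN clients sending DNS queries to any resolver other than the Pi-hole, which is how Option 1's hardcoded-DNS bypass shows up in a capture. The Pi-hole address 192.168.1.53 and the sample query lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original project notes.
# Reads the tab-separated output of:
#   tshark -i eth0 -Y "dns.flags.response == 0" -T fields \
#          -e ip.src -e ip.dst -e dns.qry.name
# and reports clients asking any resolver other than the Pi-hole.
#
# usage: find_dns_bypass <pihole_ip> < queries.tsv
find_dns_bypass() {
    pihole="$1"
    # $1 = client, $2 = resolver asked, $3 = queried name.
    # Queries to the Pi-hole are expected; anything else bypasses filtering.
    awk -F'\t' -v pihole="$pihole" '
        NF >= 3 && $2 != pihole {
            key = $1 "\t" $2
            count[key]++
            if (!(key in sample)) sample[key] = $3
        }
        END {
            for (k in count)
                printf "%s\t%d\t%s\n", k, count[k], sample[k]
        }' | sort
}

# Constructed sample: .20 uses the Pi-hole, .42 and .77 have hardcoded DNS.
sample_capture() {
    printf '192.168.1.20\t192.168.1.53\texample.com\n'
    printf '192.168.1.20\t192.168.1.53\tcdn.example.net\n'
    printf '192.168.1.42\t8.8.8.8\ttelemetry.example.org\n'
    printf '192.168.1.42\t8.8.8.8\tads.example.org\n'
    printf '192.168.1.77\t1.1.1.1\tupdate.example.com\n'
}

# Output columns: client, resolver, query count, first name seen.
report_bypass() {
    sample_capture | find_dns_bypass 192.168.1.53
}

report_bypass
```

Pipe a real capture in with `sudo tshark ... | find_dns_bypass <pihole_ip>`; clients that appear are candidates for a static DHCP lease plus a router rule, or for the bridge-mode upgrade the notes mention.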
---
### Other Lab Scenarios
| Scenario | Setup | Learning Value |
|----------|-------|----------------|
| **Network segmentation** | VLANs on dual NIC | Enterprise networking |
| **Firewall rules** | iptables/nftables | Security hardening |
| **QoS testing** | Traffic shaping | Bandwidth management |
| **MITM analysis** | ARP spoofing detection | Security awareness |
| **Service monitoring** | Port scanning, service discovery | Network mapping |
---
**Verdict:** Dual GbE is NOT overkill if you want a learning lab. Bridge mode + packet capture = home network university. 🎓
---
## Add-on Modules (Optional)
### Confirmed Interest (2026-04-04)
| Add-on | Purpose | Notes |
|--------|---------|-------|
| **Time Machine Target** | Network backup for Macs | Samba + Avahi, ~50MB RAM |
| **Grafana + TILT Data** | Fermentation visualization | Pipe TILT data → InfluxDB → Grafana |
| **Fire Stick Display** | Brew house monitoring screen | Display Grafana dashboard on Fire Stick |
### Architecture Clarification (2026-04-04)
**Location split:**
- **Pi-hole CM4:** HOME (with dual GbE)
- **TILT Bridge:** BREWERY (ESP32)
- **Home Assistant:** BREWERY (separate instance)
- **Fire Stick:** BREWERY (display)
**Implication:** TILT data already lives at brewery HA. Fire Stick should just display brewery HA directly!
### Simplified Brew House Display
```
TILT → ESP32 Bridge → Brewery HA → Fire Stick (kiosk browser)
```
**No need to pipe to home!** Fire Stick points at `http://brewery-ha:8123/lovelace/fermentation-dashboard`
### Home Pi-hole Box Add-ons (Final)
| Add-on | Purpose | Priority |
|--------|---------|----------|
| Pi-hole | DNS ad-blocking | Core |
| Unbound | Recursive DNS (privacy) | High |
| Time Machine | Mac backups | High |
| Wireshark/tcpdump | Packet capture lab | Medium (learning) |
| Grafana (home metrics) | Network monitoring | Low (optional) |
---
## Time Machine Backup — Detailed Specs
### Requirements
| Item | Details |
|------|---------|
| **OS** | Raspberry Pi OS Lite (any version) |
| **Services** | Samba (SMB), Avahi (mDNS/Bonjour) |
| **Storage** | USB drive (SSD recommended) or network share |
| **RAM** | ~50MB overhead |
| **CPU** | Minimal (compression is client-side) |
### How It Works
```
Mac → Bonjour discovery (Avahi) → Samba share → USB drive on Pi
```
1. Avahi advertises `_adisk._tcp` service (Mac sees it as Time Machine destination)
2. Samba provides SMB share with Time Machine extensions
3. Mac backs up over network automatically
---
### Limitations
| Limitation | Impact | Workaround |
|------------|--------|------------|
| **Network speed** | First backup slow (hours), subsequent faster | Use Ethernet, not WiFi |
| **USB drive speed** | HDD = slow, SSD = fast | Use SSD for better experience |
| **Single user** | One Mac per sparsebundle (by default) | Can configure multi-user but tricky |
| **Backup size** | Limited by USB drive capacity | Use large drive (1TB+ recommended) |
| **No encryption** | Backups unencrypted on disk | Enable FileVault on Mac instead |
| **Pi must be on** | No backup if Pi is off | Set static IP, ensure uptime |
---
### Nice-to-Haves
| Feature | Why | How |
|---------|-----|-----|
| **SSD storage** | 10-20× faster than HDD | USB 3.0 SSD enclosure |
| **Dedicated partition** | Isolate backups from OS | Separate USB drive or partition |
| **Backup quotas** | Prevent one Mac from filling drive | `tmutil` setquota per Mac |
| **Auto-mount** | Survive reboots | `/etc/fstab` entry |
| **Monitoring** | Alert if backup fails | HA integration or cron check |
| **Multiple destinations** | Redundancy | Rotate between 2 USB drives |
---
### Setup Commands (Reference)
```bash
# Install Samba + Avahi
sudo apt install samba avahi-daemon
# Create backup share
sudo mkdir -p /srv/timemachine
sudo chown nobody:nogroup /srv/timemachine
# 2777 = setgid + world-writable; restrict the share to named Samba users
# in smb.conf (valid users) so only your Macs can reach the backups
sudo chmod 2777 /srv/timemachine
# Configure Samba (/etc/samba/smb.conf)
# Configure Avahi (/etc/avahi/services/timemachine.service)
# Restart services
sudo systemctl restart smbd avahi-daemon
```
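Added example (not from the original project notes): a shell function that writes the two configuration files the "Configure Samba" and "Configure Avahi" placeholders above refer to, i.e. the SMB share with Time Machine extensions and the `_adisk._tcp` advertisement from the "How It Works" steps. The share path `/srv/timemachine`, the Samba user `tm` and the 1 TB quota are assumptions.

```shell
#!/bin/sh
# Added example, not from the original project notes: writes the Samba share
# and the Avahi advertisement that the "How It Works" steps depend on.
# Assumptions: share path /srv/timemachine, Samba user "tm", 1 TB quota.
# $1 is a prefix: empty for the real system, a scratch dir for a dry run.
write_timemachine_config() {
    prefix="${1:-}"
    mkdir -p "$prefix/etc/samba" "$prefix/etc/avahi/services"

    # The fruit VFS module supplies the Apple SMB extensions a Mac needs before
    # it accepts the share; fruit:aapl belongs in [global] (merge it into an
    # existing [global] section if smb.conf already has one).
    cat >>"$prefix/etc/samba/smb.conf" <<'EOF'

[global]
   fruit:aapl = yes

[TimeMachine]
   path = /srv/timemachine
   valid users = tm
   read only = no
   vfs objects = catia fruit streams_xattr
   fruit:time machine = yes
   fruit:time machine max size = 1T
   fruit:metadata = stream
   fruit:model = MacSamba
EOF

    # _adisk._tcp is what the Mac looks for; adVN names the share and
    # adVF=0x82 flags it as a Time Machine volume.
    cat >"$prefix/etc/avahi/services/timemachine.service" <<'EOF'
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_smb._tcp</type>
    <port>445</port>
  </service>
  <service>
    <type>_adisk._tcp</type>
    <txt-record>sys=waMa=0,adVF=0x100</txt-record>
    <txt-record>dk0=adVN=TimeMachine,adVF=0x82</txt-record>
  </service>
</service-group>
EOF
}

# Dry run into a scratch dir by default; pass "" as root to write /etc.
write_timemachine_config "${1-/tmp/tm-dryrun}"
```

After writing the real files, create the Samba user with `sudo smbpasswd -a tm` and run `testparm -s` to check smb.conf before restarting smbd and avahi-daemon.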
---
### Estimated Setup Time
- **Fresh install:** ~30 minutes
- **First Mac backup:** 2-8 hours (depends on data size)
- **Subsequent backups:** 10-30 minutes (incremental)
---
*Created: 2026-04-04*
````
## Notes
<!-- openclaw:human:start -->
<!-- openclaw:human:end -->
## Related
<!-- openclaw:wiki:related:start -->
- No related pages yet.
<!-- openclaw:wiki:related:end -->