Team2890/learning-garden
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5e46134cd2600a0e1d16f51ea2ac08143ee12f38
learning-garden/sources/pi-hole-blocker-project.md

533 lines
17 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
pageType: source
id: source.pi-hole-blocker-project
title: Pi-hole-Blocker-Project
sourceType: local-file
sourcePath: /home/topher/.openclaw/workspace-crash-bot/projects/pihole-blocker.md
ingestedAt: 2026-05-02T21:01:38.021Z
updatedAt: 2026-05-02T21:01:38.021Z
status: active
growth: seed
---
# Pi-hole-Blocker-Project
## Source
- Type: `local-file`
- Path: `/home/topher/.openclaw/workspace-crash-bot/projects/pihole-blocker.md`
- Bytes: 16974
- Updated: 2026-05-02T21:01:38.021Z
## Content
````text
# Pi-hole Blocker Project
**Status:** Planning / Not started
**Thread:** #pihole
**Hardware:** Seeed Studio Dual-GbE Carrier Board with 4GB RAM + 32GB eMMC (CM4)
**URL:** https://www.seeedstudio.com/Dual-GbE-Carrier-Board-with-4GB-RAM-32GB-eMMC-RPi-CM4-Case-p-5029.html
---
## ⚠️ Project Scope Expanded (2026-04-17)
This project has evolved from a simple Pi-hole DNS ad-blocker into a **full DIY router/firewall** for the home network. The FCC's March 2026 ban on new foreign-made consumer routers and concerns about closed-source router firmware (eeros) drove the decision to make the CM4 the network brain.
**New target architecture:**
```
Modem → CM4 (router/firewall/DNS/VPN/DHCP) → Switch → eeros (bridge mode, WiFi only) → Devices
```
The eeros become dumb WiFi access points. The CM4 handles everything else.
---
## Decision Log
### 2026-04-17 — Architecture Revision (Full Router Mode)
**Changed from:** Option 1 (DNS redirect only, eeros as router)
**Changed to:** Option 3 (CM4 as full router/firewall, eeros in bridge mode)
**Drivers:**
- FCC foreign router ban (March 2026) makes closed-source router future uncertain
- Desire for router-level VPN (protect all devices without client software)
- eeros as black-box devices on network — want to contain their visibility
- Full control over DHCP, firewall, DNS — architectural self-defense
**Software stack confirmed:** Raspberry Pi OS Lite (NOT OpenWrt)
- Pi-hole needs full Linux (systemd, dnsmasq) — won't run on OpenWrt
- Pi OS gives Time Machine support (OpenWrt can't do this easily)
- Manual iptables/nftables for firewall (learning value > GUI)
- WireGuard VPN restored (router-level VPN is a different use case than Tailscale per-device)
**pfSense/OPNsense rejected for CM4:** Both are amd64/x86-64 only. No ARM builds exist. Intel N100 firewall boxes ($150-200) are the hardware swap option if x86 is needed later.
**OpenWrt considered but rejected:** Its built-in `adblock` package works functionally but lacks Pi-hole's web UI, query logs, and per-client breakdown. Pi OS + Pi-hole = better for a learning/demo environment.
### 2026-04-04 — Initial Research
**Hardware selected:** CM4 with dual GbE + eMMC (no SD card!)
**Chosen approach:** Raspberry Pi OS Lite + Pi-hole (manual install)
- Full control
- Well-documented
- eMMC more reliable than SD
- Dual GbE enables passthrough or bridge mode
**Rejected:**
- Pre-built images (outdated, inflexible)
- DietPi (good but less common for troubleshooting)
- Docker (overkill for dedicated hardware)
---
## TODO (When Ready)
- [ ] Flash Raspberry Pi OS Lite (64-bit) to eMMC
- [ ] Enable SSH, set hostname before first boot
- [ ] First boot + network config
- [ ] Install Pi-hole: `curl -sSL https://install.pi-hole.net | bash`
- [ ] Configure upstream DNS (Cloudflare/Google/Quad9)
- [ ] Decide network mode: passthrough vs bridge vs VLAN
- [ ] Point router DNS to Pi-hole IP
- [ ] Test + document
---
## Network Config Notes (Dual GbE)
**Goal:** Transparent filtering for entire network
### Option 1: Single Port + Router DNS Redirect (Recommended) ⭐
```
Modem → Existing Router → Pi-hole (eth0 only) → All devices
↳ Time Machine (same port)
```
**How:** Router forces all port 53 traffic to Pi-hole IP
**Pros:**
- Simplest setup
- Existing router handles DHCP/NAT (less to break)
- Time Machine works on same network
- Dual GbE not needed, but harmless
**Cons:**
- Devices can bypass with hardcoded DNS (8.8.8.8)
- Router must support DNS redirect/forced DNS
**Best for:** Most home setups, transparent operation
---
### Option 2: Bridge Mode (Dual GbE Active)
```
Router → eth0 ─┬─ Pi-hole (bridged) ─┬─ eth1 → Switch/House
└─ Time Machine share ─┘
```
**How:** Both ports bridged at OS level, Pi acts as Layer 2 device
**Pros:**
- All traffic passes through (harder to bypass)
- Time Machine visible to all devices
- Existing router still handles DHCP/NAT
**Cons:**
- More complex network config (bridge interfaces)
- Pi becomes network dependency (if it dies, network dies)
**Best for:** Maximum coverage, willing to troubleshoot bridging
---
### Option 3: Full Inline Router (Dual GbE)
```
Modem → eth0 (WAN) → Pi-hole routes/NAT → eth1 (LAN) → House
↳ Time Machine on LAN side
```
**How:** Pi replaces your router entirely
**Pros:**
- Complete control, can't bypass
- Full firewall/NAT control
- True network segmentation possible
**Cons:**
- Most complex (DHCP, NAT, firewall rules)
- Single point of failure
- Time Machine only visible to LAN side
- Need to reconfigure entire network
**Best for:** Advanced users, want full network control
---
## Decision Log
### 2026-04-04 — Final Decisions
**Network Mode:** REVISED — Option 3 (Full Inline Router) ⭐
- CM4 replaces eeros as router/firewall
- eeros go into bridge mode (WiFi access points only)
- Phased rollout (see Phased Implementation Plan below)
- Original Option 1 (DNS redirect) is Phase 1 only
**Add-ons Confirmed:**
- ✅ Pi-hole (DNS ad-blocking)
- ✅ Unbound (recursive DNS, privacy)
- ✅ Time Machine (Mac backups via Samba + Avahi)
- ✅ Wireshark/tcpdump lab (packet capture for learning)
- ✅ WireGuard VPN — RESTORED (router-level VPN for all devices, see VPN section)
- ✅ iptables/nftables firewall (NAT, port forwarding, kill switch)
- ✅ DHCP server (dnsmasq or isc-dhcp-server)
- ✅ VLAN support (isolate WiFi/IoT from trusted wired devices)
**Location:** HOME (separate from brewery setup)
**Dual GbE Verdict:** NOT overkill — enables bridge mode for packet capture learning lab 🎓
**Rejected:**
- Pre-built Pi-hole images (outdated, inflexible)
- DietPi (less common for troubleshooting)
- Docker (overkill for dedicated hardware)
- OpenWrt as OS (Pi-hole can't run on OpenWrt natively; Pi OS + manual firewall gives more flexibility)
- pfSense/OPNsense (amd64 only — no ARM support, won't run on CM4)
- Intel N100 firewall box (considered as hardware swap, decided to stick with CM4)
**Software stack:** Raspberry Pi OS Lite (not OpenWrt) — gives full Pi-hole, Time Machine, Linux CLI for lab, and manual firewall/routing via iptables
---
## Phased Implementation Plan (2026-04-17)
### Phase 1: Pi-hole + Time Machine (alongside existing eeros)
- Flash Pi OS Lite to eMMC
- Install Pi-hole, Unbound
- Set up Time Machine (Samba + Avahi)
- eeros stay as router, DNS redirect to Pi-hole
- **Goal:** Get the box running, learn the hardware
### Phase 2: Router Mode (weekend test)
- Enable IP forwarding on CM4
- Set up iptables NAT + firewall rules on CM4
- Configure DHCP server on CM4
- Put eeros into bridge mode
- **CM4 eth0 = WAN (modem), CM4 eth1 = LAN (switch → eeros)**
- Test thoroughly — keep rollback plan ready
### Phase 3: VPN + Hardening
- Install WireGuard, configure full/split tunnel VPN
- Add kill switch (iptables rule to block non-VPN outbound)
- Set up DNS hijacking (DNAT port 53 → Pi-hole)
- Monitor eero traffic with tcpdump
- **Goal:** Privacy layer + containment of eeros as black-box devices
### Phase 4: VLAN Isolation (optional, advanced)
- 802.1Q VLANs on CM4
- VLAN 1: Trusted (wired devices, Time Machine)
- VLAN 2: WiFi/IoT (all eero-connected devices)
- Firewall rules between VLANs
- **Goal:** Even if eero firmware is compromised, it can't see trusted LAN traffic
---
## Router-Level VPN (2026-04-17)
**Why:** All traffic from every device on the network gets VPN protection without installing VPN clients on individual devices. ISP/eeros only see encrypted packets going to a VPN endpoint.
**Architecture:**
```
Devices → eeros (WiFi) → CM4 (Pi-hole DNS first, then VPN tunnel) → Internet
```
Pi-hole resolves DNS locally (ad blocking), then clean requests go through WireGuard tunnel.
### VPN Provider Options
| Option | Cost | Protocol | Notes |
|--------|------|----------|-------|
| **Mullvad** ⭐ | €5/mo | WireGuard | Gold standard. No account/email needed. Audited no-logs. |
| **ProtonVPN Free** | Free | WireGuard | No data cap, 5 countries. Good for testing. |
| **ProtonVPN Plus** | $10/mo | WireGuard | More servers, Secure Core routing. |
| **Self-hosted VPS** | $3-6/mo | WireGuard | Full control, you're the admin. |
| **Windscribe Free** | Free (10GB/mo) | WireGuard | Budget test option. |
**Recommendation:** Start with ProtonVPN Free to test, move to Mullvad for production.
### Setup Commands
```bash
# Install WireGuard
sudo apt install wireguard
# Drop in VPN config
sudo nano /etc/wireguard/wg0.conf
# NAT for VPN tunnel
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Bring up
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
```
### Kill Switch (prevent leaks if VPN drops)
```bash
sudo iptables -A FORWARD -i eth1 ! -o wg0 -j DROP
```
### Split vs Full Tunnel
| Mode | VPN'd | Not VPN'd | Use |
|------|-------|-----------|-----|
| **Split** | Web browsing | Local/Time Machine | Start here. Less latency. |
| **Full** | Everything | Nothing | Max privacy. More latency. |
---
## eero Bridge Mode — Security Considerations (2026-04-17)
### What eeros CAN see in bridge mode
- Broadcast/multicast traffic (ARP, mDNS, DHCP requests)
- MAC addresses of all devices
- Unencrypted (HTTP) traffic — rare now
- Frame-level metadata (who talks to who)
### What eeros CAN'T see in bridge mode
- DNS queries (handled by Pi-hole on CM4)
- HTTPS content (encrypted end-to-end)
- VPN traffic (double-encrypted)
- Routing decisions (CM4 handles)
### Threat Model
| Threat | Severity | Mitigation |
|--------|----------|------------|
| Firmware eavesdropping | Medium | Monitor eero traffic via tcpdump on CM4 |
| Remote management backdoor | Medium | Firewall eero management traffic, block firmware update IPs |
| DNS exfiltration | Low | DNAT port 53 redirect to Pi-hole |
| Full compromise | High | VLAN isolation (Phase 4) |
### Best Mitigation: VLAN Architecture
```
CM4 eth1 → VLAN 1 (Trusted - wired devices)
→ VLAN 2 (WiFi/IoT - eeros only)
```
Even a fully compromised eero can only see VLAN 2 traffic. Trusted wired devices are invisible.
---
## FCC Router Ban — Strategic Context (2026-04-17)
**March 2026:** FCC added all foreign-made consumer routers to its Covered List. No new foreign-made router models can receive FCC authorization for sale in the US.
- Existing routers: Still legal to own and use
- Firmware updates: Waivered until March 1, 2027 (uncertain after that)
- New models: Banned unless manufactured domestically
- US-branded routers (eero, Netgear, Ubiquiti): Also affected — they're all made in Asia
**Why this matters for this project:**
- eeros may stop receiving firmware updates after March 2027
- Building your own router on open hardware sidesteps the entire regulatory issue
- CM4 carrier board is a development board, not a consumer router — different FCC category
- You control the software pipeline, not dependent on any manufacturer
- This ban may be less about security and more about forcing onshore manufacturing where US legal jurisdiction (CALEA, FISA, NSLs) applies
**Conclusion:** Rolling your own router isn't just a fun project — it's architectural self-defense against a future where consumer routers are increasingly subject to government access frameworks.
---
## Learning/Lab Use Cases (Dual GbE Bonus!)
### Packet Capture & Analysis (Wireshark/tcpdump)
**Bridge mode = perfect learning lab:**
```
Router → eth0 → Pi (bridged) → eth1 → House
Full packet capture
```
**What you can learn:**
- Wireshark filters and display rules
- Protocol analysis (DNS, HTTP, SMB, etc.)
- Network troubleshooting
- Security analysis (spot suspicious traffic)
- IoT device behavior (what's my Roomba actually doing?)
**Tools to install:**
- `wireshark` (GUI, needs X11/VNC) or `tshark` (CLI)
- `tcpdump` (lightweight CLI capture)
- `nethogs` (bandwidth by process)
- `iftop` / `ntopng` (real-time traffic visualization)
**Example commands:**
```bash
# Capture all traffic on eth0
sudo tcpdump -i eth0 -w capture.pcap
# Live DNS query monitoring
sudo tshark -i eth0 -Y "dns" -T fields -e dns.qry.name
# Real-time bandwidth by host
sudo nethogs -t -c 5 eth0
```
**Privacy note:** You'll see EVERYTHING on your network — passwords in plaintext (HTTP), browsing history, device fingerprints. Great for learning, serious responsibility.
---
### Other Lab Scenarios
| Scenario | Setup | Learning Value |
|----------|-------|----------------|
| **Network segmentation** | VLANs on dual NIC | Enterprise networking |
| **Firewall rules** | iptables/nftables | Security hardening |
| **QoS testing** | Traffic shaping | Bandwidth management |
| **MITM analysis** | ARP spoofing detection | Security awareness |
| **Service monitoring** | Port scanning, service discovery | Network mapping |
---
**Verdict:** Dual GbE is NOT overkill if you want a learning lab. Bridge mode + packet capture = home network university. 🎓
---
## Add-on Modules (Optional)
### Confirmed Interest (2026-04-04)
| Add-on | Purpose | Notes |
|--------|---------|-------|
| **Time Machine Target** | Network backup for Macs | Samba + Avahi, ~50MB RAM |
| **Grafana + TILT Data** | Fermentation visualization | Pipe TILT data → InfluxDB → Grafana |
| **Fire Stick Display** | Brew house monitoring screen | Display Grafana dashboard on Fire Stick |
### Architecture Clarification (2026-04-04)
**Location split:**
- **Pi-hole CM4:** HOME (with dual GbE)
- **TILT Bridge:** BREWERY (ESP32)
- **Home Assistant:** BREWERY (separate instance)
- **Fire Stick:** BREWERY (display)
**Implication:** TILT data already lives at brewery HA. Fire Stick should just display brewery HA directly!
### Simplified Brew House Display
```
TILT → ESP32 Bridge → Brewery HA → Fire Stick (kiosk browser)
```
**No need to pipe to home!** Fire Stick points at `http://brewery-ha:8123/lovelace/fermentation-dashboard`
### Home Pi-hole Box Add-ons (Final)
| Add-on | Purpose | Priority |
|--------|---------|----------|
| Pi-hole | DNS ad-blocking | Core |
| Unbound | Recursive DNS (privacy) | High |
| Time Machine | Mac backups | High |
| Wireshark/tcpdump | Packet capture lab | Medium (learning) |
| Grafana (home metrics) | Network monitoring | Low (optional) |
---
## Time Machine Backup — Detailed Specs
### Requirements
| Item | Details |
|------|---------|
| **OS** | Raspberry Pi OS Lite (any version) |
| **Services** | Samba (SMB), Avahi (mDNS/Bonjour) |
| **Storage** | USB drive (SSD recommended) or network share |
| **RAM** | ~50MB overhead |
| **CPU** | Minimal (compression is client-side) |
### How It Works
```
Mac → Bonjour discovery (Avahi) → Samba share → USB drive on Pi
```
1. Avahi advertises `_adisk._tcp` service (Mac sees it as Time Machine destination)
2. Samba provides SMB share with Time Machine extensions
3. Mac backs up over network automatically
---
### Limitations
| Limitation | Impact | Workaround |
|------------|--------|------------|
| **Network speed** | First backup slow (hours), subsequent faster | Use Ethernet, not WiFi |
| **USB drive speed** | HDD = slow, SSD = fast | Use SSD for better experience |
| **Single user** | One Mac per sparsebundle (by default) | Can configure multi-user but tricky |
| **Backup size** | Limited by USB drive capacity | Use large drive (1TB+ recommended) |
| **No encryption** | Backups unencrypted on disk | Enable FileVault on Mac instead |
| **Pi must be on** | No backup if Pi is off | Set static IP, ensure uptime |
---
### Nice-to-Haves
| Feature | Why | How |
|---------|-----|-----|
| **SSD storage** | 10-20× faster than HDD | USB 3.0 SSD enclosure |
| **Dedicated partition** | Isolate backups from OS | Separate USB drive or partition |
| **Backup quotas** | Prevent one Mac from filling drive | `tmutil` setquota per Mac |
| **Auto-mount** | Survive reboots | `/etc/fstab` entry |
| **Monitoring** | Alert if backup fails | HA integration or cron check |
| **Multiple destinations** | Redundancy | Rotate between 2 USB drives |
---
### Setup Commands (Reference)
```bash
# Install Samba + Avahi
sudo apt install samba avahi-daemon
# Create backup share
sudo mkdir -p /srv/timemachine
sudo chown nobody:nogroup /srv/timemachine
sudo chmod 2777 /srv/timemachine
# Configure Samba (/etc/samba/smb.conf)
# Configure Avahi (/etc/avahi/services/timemachine.service)
# Restart services
sudo systemctl restart smbd avahi-daemon
```
---
### Estimated Setup Time
- **Fresh install:** ~30 minutes
- **First Mac backup:** 2-8 hours (depends on data size)
- **Subsequent backups:** 10-30 minutes (incremental)
---
*Created: 2026-04-04*
*Updated: 2026-04-17 — Full router architecture, VPN, eero bridge mode, FCC context*
````
## Notes
<!-- openclaw:human:start -->
<!-- openclaw:human:end -->
## Related
<!-- openclaw:wiki:related:start -->
- No related pages yet.
<!-- openclaw:wiki:related:end -->
Reference in New Issue View Git Blame Copy Permalink