TopherSlater/openclaw-wiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d06f41e4bcaa620299a6b17bc9302e7e4a1f4ff
openclaw-wiki/sources/pi-hole-blocker-project.md

532 lines
17 KiB
Markdown
Raw Normal View History

Initial commit — Fabric vault sources 2026-05-03T00:23:11Z
2026-05-03 00:23:11 +00:00
---
pageType: source
id: source.pi-hole-blocker-project
title: Pi-hole-Blocker-Project
sourceType: local-file
sourcePath: /home/topher/.openclaw/workspace-crash-bot/projects/pihole-blocker.md
ingestedAt: 2026-05-02T21:01:38.021Z
updatedAt: 2026-05-02T21:01:38.021Z
status: active
---
# Pi-hole-Blocker-Project
## Source
- Type: `local-file`
- Path: `/home/topher/.openclaw/workspace-crash-bot/projects/pihole-blocker.md`
- Bytes: 16974
- Updated: 2026-05-02T21:01:38.021Z
## Content
````text
# Pi-hole Blocker Project
**Status:** Planning / Not started
**Thread:** #pihole
**Hardware:** Seeed Studio Dual-GbE Carrier Board with 4GB RAM + 32GB eMMC (CM4)
**URL:** https://www.seeedstudio.com/Dual-GbE-Carrier-Board-with-4GB-RAM-32GB-eMMC-RPi-CM4-Case-p-5029.html
---
## ⚠️ Project Scope Expanded (2026-04-17)
This project has evolved from a simple Pi-hole DNS ad-blocker into a **full DIY router/firewall** for the home network. The FCC's March 2026 ban on new foreign-made consumer routers and concerns about closed-source router firmware (eeros) drove the decision to make the CM4 the network brain.
**New target architecture:**
```
Modem → CM4 (router/firewall/DNS/VPN/DHCP) → Switch → eeros (bridge mode, WiFi only) → Devices
```
The eeros become dumb WiFi access points. The CM4 handles everything else.
---
## Decision Log
### 2026-04-17 — Architecture Revision (Full Router Mode)
**Changed from:** Option 1 (DNS redirect only, eeros as router)
**Changed to:** Option 3 (CM4 as full router/firewall, eeros in bridge mode)
**Drivers:**
- FCC foreign router ban (March 2026) makes closed-source router future uncertain
- Desire for router-level VPN (protect all devices without client software)
- eeros as black-box devices on network — want to contain their visibility
- Full control over DHCP, firewall, DNS — architectural self-defense
**Software stack confirmed:** Raspberry Pi OS Lite (NOT OpenWrt)
- Pi-hole needs full Linux (systemd, dnsmasq) — won't run on OpenWrt
- Pi OS gives Time Machine support (OpenWrt can't do this easily)
- Manual iptables/nftables for firewall (learning value > GUI)
- WireGuard VPN restored (router-level VPN is a different use case than Tailscale per-device)
**pfSense/OPNsense rejected for CM4:** Both are amd64/x86-64 only. No ARM builds exist. Intel N100 firewall boxes ($150-200) are the hardware swap option if x86 is needed later.
**OpenWrt considered but rejected:** Its built-in `adblock` package works functionally but lacks Pi-hole's web UI, query logs, and per-client breakdown. Pi OS + Pi-hole = better for a learning/demo environment.
### 2026-04-04 — Initial Research
**Hardware selected:** CM4 with dual GbE + eMMC (no SD card!)
**Chosen approach:** Raspberry Pi OS Lite + Pi-hole (manual install)
- Full control
- Well-documented
- eMMC more reliable than SD
- Dual GbE enables passthrough or bridge mode
**Rejected:**
- Pre-built images (outdated, inflexible)
- DietPi (good but less common for troubleshooting)
- Docker (overkill for dedicated hardware)
---
## TODO (When Ready)
- [ ] Flash Raspberry Pi OS Lite (64-bit) to eMMC
- [ ] Enable SSH, set hostname before first boot
- [ ] First boot + network config
- [ ] Install Pi-hole: `curl -sSL https://install.pi-hole.net | bash`
- [ ] Configure upstream DNS (Cloudflare/Google/Quad9)
- [ ] Decide network mode: passthrough vs bridge vs VLAN
- [ ] Point router DNS to Pi-hole IP
- [ ] Test + document
---
## Network Config Notes (Dual GbE)
**Goal:** Transparent filtering for entire network
### Option 1: Single Port + Router DNS Redirect (Recommended) ⭐
```
Modem → Existing Router → Pi-hole (eth0 only) → All devices
↳ Time Machine (same port)
```
**How:** Router forces all port 53 traffic to Pi-hole IP
**Pros:**
- Simplest setup
- Existing router handles DHCP/NAT (less to break)
- Time Machine works on same network
- Dual GbE not needed, but harmless
**Cons:**
- Devices can bypass with hardcoded DNS (8.8.8.8)
- Router must support DNS redirect/forced DNS
**Best for:** Most home setups, transparent operation
---
### Option 2: Bridge Mode (Dual GbE Active)
```
Router → eth0 ─┬─ Pi-hole (bridged) ─┬─ eth1 → Switch/House
└─ Time Machine share ─┘
```
**How:** Both ports bridged at OS level, Pi acts as Layer 2 device
**Pros:**
- All traffic passes through (harder to bypass)
- Time Machine visible to all devices
- Existing router still handles DHCP/NAT
**Cons:**
- More complex network config (bridge interfaces)
- Pi becomes network dependency (if it dies, network dies)
**Best for:** Maximum coverage, willing to troubleshoot bridging
---
### Option 3: Full Inline Router (Dual GbE)
```
Modem → eth0 (WAN) → Pi-hole routes/NAT → eth1 (LAN) → House
↳ Time Machine on LAN side
```
**How:** Pi replaces your router entirely
**Pros:**
- Complete control, can't bypass
- Full firewall/NAT control
- True network segmentation possible
**Cons:**
- Most complex (DHCP, NAT, firewall rules)
- Single point of failure
- Time Machine only visible to LAN side
- Need to reconfigure entire network
**Best for:** Advanced users, want full network control
---
## Decision Log
### 2026-04-04 — Final Decisions
**Network Mode:** REVISED — Option 3 (Full Inline Router) ⭐
- CM4 replaces eeros as router/firewall
- eeros go into bridge mode (WiFi access points only)
- Phased rollout (see Phased Implementation Plan below)
- Original Option 1 (DNS redirect) is Phase 1 only
**Add-ons Confirmed:**
- ✅ Pi-hole (DNS ad-blocking)
- ✅ Unbound (recursive DNS, privacy)
- ✅ Time Machine (Mac backups via Samba + Avahi)
- ✅ Wireshark/tcpdump lab (packet capture for learning)
- ✅ WireGuard VPN — RESTORED (router-level VPN for all devices, see VPN section)
- ✅ iptables/nftables firewall (NAT, port forwarding, kill switch)
- ✅ DHCP server (dnsmasq or isc-dhcp-server)
- ✅ VLAN support (isolate WiFi/IoT from trusted wired devices)
**Location:** HOME (separate from brewery setup)
**Dual GbE Verdict:** NOT overkill — enables bridge mode for packet capture learning lab 🎓
**Rejected:**
- Pre-built Pi-hole images (outdated, inflexible)
- DietPi (less common for troubleshooting)
- Docker (overkill for dedicated hardware)
- OpenWrt as OS (Pi-hole can't run on OpenWrt natively; Pi OS + manual firewall gives more flexibility)
- pfSense/OPNsense (amd64 only — no ARM support, won't run on CM4)
- Intel N100 firewall box (considered as hardware swap, decided to stick with CM4)
**Software stack:** Raspberry Pi OS Lite (not OpenWrt) — gives full Pi-hole, Time Machine, Linux CLI for lab, and manual firewall/routing via iptables
---
## Phased Implementation Plan (2026-04-17)
### Phase 1: Pi-hole + Time Machine (alongside existing eeros)
- Flash Pi OS Lite to eMMC
- Install Pi-hole, Unbound
- Set up Time Machine (Samba + Avahi)
- eeros stay as router, DNS redirect to Pi-hole
- **Goal:** Get the box running, learn the hardware
### Phase 2: Router Mode (weekend test)
- Enable IP forwarding on CM4
- Set up iptables NAT + firewall rules on CM4
- Configure DHCP server on CM4
- Put eeros into bridge mode
- **CM4 eth0 = WAN (modem), CM4 eth1 = LAN (switch → eeros)**
- Test thoroughly — keep rollback plan ready
### Phase 3: VPN + Hardening
- Install WireGuard, configure full/split tunnel VPN
- Add kill switch (iptables rule to block non-VPN outbound)
- Set up DNS hijacking (DNAT port 53 → Pi-hole)
- Monitor eero traffic with tcpdump
- **Goal:** Privacy layer + containment of eeros as black-box devices
### Phase 4: VLAN Isolation (optional, advanced)
- 802.1Q VLANs on CM4
- VLAN 1: Trusted (wired devices, Time Machine)
- VLAN 2: WiFi/IoT (all eero-connected devices)
- Firewall rules between VLANs
- **Goal:** Even if eero firmware is compromised, it can't see trusted LAN traffic
---
## Router-Level VPN (2026-04-17)
**Why:** All traffic from every device on the network gets VPN protection without installing VPN clients on individual devices. ISP/eeros only see encrypted packets going to a VPN endpoint.
**Architecture:**
```
Devices → eeros (WiFi) → CM4 (Pi-hole DNS first, then VPN tunnel) → Internet
```
Pi-hole resolves DNS locally (ad blocking), then clean requests go through WireGuard tunnel.
### VPN Provider Options
| Option | Cost | Protocol | Notes |
|--------|------|----------|-------|
| **Mullvad** ⭐ | €5/mo | WireGuard | Gold standard. No account/email needed. Audited no-logs. |
| **ProtonVPN Free** | Free | WireGuard | No data cap, 5 countries. Good for testing. |
| **ProtonVPN Plus** | $10/mo | WireGuard | More servers, Secure Core routing. |
| **Self-hosted VPS** | $3-6/mo | WireGuard | Full control, you're the admin. |
| **Windscribe Free** | Free (10GB/mo) | WireGuard | Budget test option. |
**Recommendation:** Start with ProtonVPN Free to test, move to Mullvad for production.
### Setup Commands
```bash
# Install WireGuard
sudo apt install wireguard
# Drop in VPN config
sudo nano /etc/wireguard/wg0.conf
# NAT for VPN tunnel
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Bring up
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
```
### Kill Switch (prevent leaks if VPN drops)
```bash
sudo iptables -A FORWARD -i eth1 ! -o wg0 -j DROP
```
### Split vs Full Tunnel
| Mode | VPN'd | Not VPN'd | Use |
|------|-------|-----------|-----|
| **Split** | Web browsing | Local/Time Machine | Start here. Less latency. |
| **Full** | Everything | Nothing | Max privacy. More latency. |
---
## eero Bridge Mode — Security Considerations (2026-04-17)
### What eeros CAN see in bridge mode
- Broadcast/multicast traffic (ARP, mDNS, DHCP requests)
- MAC addresses of all devices
- Unencrypted (HTTP) traffic — rare now
- Frame-level metadata (who talks to who)
### What eeros CAN'T see in bridge mode
- DNS queries (handled by Pi-hole on CM4)
- HTTPS content (encrypted end-to-end)
- VPN traffic (double-encrypted)
- Routing decisions (CM4 handles)
### Threat Model
| Threat | Severity | Mitigation |
|--------|----------|------------|
| Firmware eavesdropping | Medium | Monitor eero traffic via tcpdump on CM4 |
| Remote management backdoor | Medium | Firewall eero management traffic, block firmware update IPs |
| DNS exfiltration | Low | DNAT port 53 redirect to Pi-hole |
| Full compromise | High | VLAN isolation (Phase 4) |
### Best Mitigation: VLAN Architecture
```
CM4 eth1 → VLAN 1 (Trusted - wired devices)
→ VLAN 2 (WiFi/IoT - eeros only)
```
Even a fully compromised eero can only see VLAN 2 traffic. Trusted wired devices are invisible.
---
## FCC Router Ban — Strategic Context (2026-04-17)
**March 2026:** FCC added all foreign-made consumer routers to its Covered List. No new foreign-made router models can receive FCC authorization for sale in the US.
- Existing routers: Still legal to own and use
- Firmware updates: Waivered until March 1, 2027 (uncertain after that)
- New models: Banned unless manufactured domestically
- US-branded routers (eero, Netgear, Ubiquiti): Also affected — they're all made in Asia
**Why this matters for this project:**
- eeros may stop receiving firmware updates after March 2027
- Building your own router on open hardware sidesteps the entire regulatory issue
- CM4 carrier board is a development board, not a consumer router — different FCC category
- You control the software pipeline, not dependent on any manufacturer
- This ban may be less about security and more about forcing onshore manufacturing where US legal jurisdiction (CALEA, FISA, NSLs) applies
**Conclusion:** Rolling your own router isn't just a fun project — it's architectural self-defense against a future where consumer routers are increasingly subject to government access frameworks.
---
## Learning/Lab Use Cases (Dual GbE Bonus!)
### Packet Capture & Analysis (Wireshark/tcpdump)
**Bridge mode = perfect learning lab:**
```
Router → eth0 → Pi (bridged) → eth1 → House
Full packet capture
```
**What you can learn:**
- Wireshark filters and display rules
- Protocol analysis (DNS, HTTP, SMB, etc.)
- Network troubleshooting
- Security analysis (spot suspicious traffic)
- IoT device behavior (what's my Roomba actually doing?)
**Tools to install:**
- `wireshark` (GUI, needs X11/VNC) or `tshark` (CLI)
- `tcpdump` (lightweight CLI capture)
- `nethogs` (bandwidth by process)
- `iftop` / `ntopng` (real-time traffic visualization)
**Example commands:**
```bash
# Capture all traffic on eth0
sudo tcpdump -i eth0 -w capture.pcap
# Live DNS query monitoring
sudo tshark -i eth0 -Y "dns" -T fields -e dns.qry.name
# Real-time bandwidth by host
sudo nethogs -t -c 5 eth0
```
**Privacy note:** You'll see EVERYTHING on your network — passwords in plaintext (HTTP), browsing history, device fingerprints. Great for learning, serious responsibility.
---
### Other Lab Scenarios
| Scenario | Setup | Learning Value |
|----------|-------|----------------|
| **Network segmentation** | VLANs on dual NIC | Enterprise networking |
| **Firewall rules** | iptables/nftables | Security hardening |
| **QoS testing** | Traffic shaping | Bandwidth management |
| **MITM analysis** | ARP spoofing detection | Security awareness |
| **Service monitoring** | Port scanning, service discovery | Network mapping |
---
**Verdict:** Dual GbE is NOT overkill if you want a learning lab. Bridge mode + packet capture = home network university. 🎓
---
## Add-on Modules (Optional)
### Confirmed Interest (2026-04-04)
| Add-on | Purpose | Notes |
|--------|---------|-------|
| **Time Machine Target** | Network backup for Macs | Samba + Avahi, ~50MB RAM |
| **Grafana + TILT Data** | Fermentation visualization | Pipe TILT data → InfluxDB → Grafana |
| **Fire Stick Display** | Brew house monitoring screen | Display Grafana dashboard on Fire Stick |
### Architecture Clarification (2026-04-04)
**Location split:**
- **Pi-hole CM4:** HOME (with dual GbE)
- **TILT Bridge:** BREWERY (ESP32)
- **Home Assistant:** BREWERY (separate instance)
- **Fire Stick:** BREWERY (display)
**Implication:** TILT data already lives at brewery HA. Fire Stick should just display brewery HA directly!
### Simplified Brew House Display
```
TILT → ESP32 Bridge → Brewery HA → Fire Stick (kiosk browser)
```
**No need to pipe to home!** Fire Stick points at `http://brewery-ha:8123/lovelace/fermentation-dashboard`
### Home Pi-hole Box Add-ons (Final)
| Add-on | Purpose | Priority |
|--------|---------|----------|
| Pi-hole | DNS ad-blocking | Core |
| Unbound | Recursive DNS (privacy) | High |
| Time Machine | Mac backups | High |
| Wireshark/tcpdump | Packet capture lab | Medium (learning) |
| Grafana (home metrics) | Network monitoring | Low (optional) |
---
## Time Machine Backup — Detailed Specs
### Requirements
| Item | Details |
|------|---------|
| **OS** | Raspberry Pi OS Lite (any version) |
| **Services** | Samba (SMB), Avahi (mDNS/Bonjour) |
| **Storage** | USB drive (SSD recommended) or network share |
| **RAM** | ~50MB overhead |
| **CPU** | Minimal (compression is client-side) |
### How It Works
```
Mac → Bonjour discovery (Avahi) → Samba share → USB drive on Pi
```
1. Avahi advertises `_adisk._tcp` service (Mac sees it as Time Machine destination)
2. Samba provides SMB share with Time Machine extensions
3. Mac backs up over network automatically
---
### Limitations
| Limitation | Impact | Workaround |
|------------|--------|------------|
| **Network speed** | First backup slow (hours), subsequent faster | Use Ethernet, not WiFi |
| **USB drive speed** | HDD = slow, SSD = fast | Use SSD for better experience |
| **Single user** | One Mac per sparsebundle (by default) | Can configure multi-user but tricky |
| **Backup size** | Limited by USB drive capacity | Use large drive (1TB+ recommended) |
| **No encryption** | Backups unencrypted on disk | Enable FileVault on Mac instead |
| **Pi must be on** | No backup if Pi is off | Set static IP, ensure uptime |
---
### Nice-to-Haves
| Feature | Why | How |
|---------|-----|-----|
| **SSD storage** | 10-20× faster than HDD | USB 3.0 SSD enclosure |
| **Dedicated partition** | Isolate backups from OS | Separate USB drive or partition |
| **Backup quotas** | Prevent one Mac from filling drive | `tmutil` setquota per Mac |
| **Auto-mount** | Survive reboots | `/etc/fstab` entry |
| **Monitoring** | Alert if backup fails | HA integration or cron check |
| **Multiple destinations** | Redundancy | Rotate between 2 USB drives |
---
### Setup Commands (Reference)
```bash
# Install Samba + Avahi
sudo apt install samba avahi-daemon
# Create backup share
sudo mkdir -p /srv/timemachine
sudo chown nobody:nogroup /srv/timemachine
sudo chmod 2777 /srv/timemachine
# Configure Samba (/etc/samba/smb.conf)
# Configure Avahi (/etc/avahi/services/timemachine.service)
# Restart services
sudo systemctl restart smbd avahi-daemon
```
---
### Estimated Setup Time
- **Fresh install:** ~30 minutes
- **First Mac backup:** 2-8 hours (depends on data size)
- **Subsequent backups:** 10-30 minutes (incremental)
---
*Created: 2026-04-04*
*Updated: 2026-04-17 — Full router architecture, VPN, eero bridge mode, FCC context*
````
## Notes
<!-- openclaw:human:start -->
<!-- openclaw:human:end -->
## Related
<!-- openclaw:wiki:related:start -->
- No related pages yet.
<!-- openclaw:wiki:related:end -->
Reference in New Issue Copy Permalink