TopherSlater/openclaw-wiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
openclaw-wiki/sources/psb-thinking-pihole-blocker.md

350 lines
9.7 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
pageType: source
id: source.psb-thinking-pihole-blocker
title: psb-thinking-pihole-blocker
sourceType: local-file
sourcePath: /home/topher/.openclaw/workspace-psb-thinking/projects/pihole-blocker.md
ingestedAt: 2026-05-03T02:02:41.347Z
updatedAt: 2026-05-03T02:02:41.347Z
status: active
---
# psb-thinking-pihole-blocker
## Source
- Type: `local-file`
- Path: `/home/topher/.openclaw/workspace-psb-thinking/projects/pihole-blocker.md`
- Bytes: 9252
- Updated: 2026-05-03T02:02:41.347Z
## Content
````text
# Pi-hole Blocker Project
**Status:** Planning / Not started
**Hardware:** Seeed Studio Dual-GbE Carrier Board with 4GB RAM + 32GB eMMC (CM4)
**URL:** https://www.seeedstudio.com/Dual-GbE-Carrier-Board-with-4GB-RAM-32GB-eMMC-RPi-CM4-Case-p-5029.html
---
## Decision Log
### 2026-04-04 — Initial Research
**Hardware selected:** CM4 with dual GbE + eMMC (no SD card!)
**Chosen approach:** Raspberry Pi OS Lite + Pi-hole (manual install)
- Full control
- Well-documented
- eMMC more reliable than SD
- Dual GbE enables passthrough or bridge mode
**Rejected:**
- Pre-built images (outdated, inflexible)
- DietPi (good but less common for troubleshooting)
- Docker (overkill for dedicated hardware)
---
## TODO (When Ready)
- [ ] Flash Raspberry Pi OS Lite (64-bit) to eMMC
- [ ] Enable SSH, set hostname before first boot
- [ ] First boot + network config
- [ ] Install Pi-hole: `curl -sSL https://install.pi-hole.net | bash`
- [ ] Configure upstream DNS (Cloudflare/Google/Quad9)
- [ ] Decide network mode: passthrough vs bridge vs VLAN
- [ ] Point router DNS to Pi-hole IP
- [ ] Test + document
---
## Network Config Notes (Dual GbE)
**Goal:** Transparent filtering for entire network
### Option 1: Single Port + Router DNS Redirect (Recommended) ⭐
```
Modem → Existing Router → Pi-hole (eth0 only) → All devices
↳ Time Machine (same port)
```
**How:** Router forces all port 53 traffic to Pi-hole IP
**Pros:**
- Simplest setup
- Existing router handles DHCP/NAT (less to break)
- Time Machine works on same network
- Dual GbE not needed, but harmless
**Cons:**
- Devices can bypass with hardcoded DNS (8.8.8.8)
- Router must support DNS redirect/forced DNS
**Best for:** Most home setups, transparent operation
---
### Option 2: Bridge Mode (Dual GbE Active)
```
Router → eth0 ─┬─ Pi-hole (bridged) ─┬─ eth1 → Switch/House
└─ Time Machine share ─┘
```
**How:** Both ports bridged at OS level, Pi acts as Layer 2 device
**Pros:**
- All traffic passes through (harder to bypass)
- Time Machine visible to all devices
- Existing router still handles DHCP/NAT
**Cons:**
- More complex network config (bridge interfaces)
- Pi becomes network dependency (if it dies, network dies)
**Best for:** Maximum coverage, willing to troubleshoot bridging
---
### Option 3: Full Inline Router (Dual GbE)
```
Modem → eth0 (WAN) → Pi-hole routes/NAT → eth1 (LAN) → House
↳ Time Machine on LAN side
```
**How:** Pi replaces your router entirely
**Pros:**
- Complete control, can't bypass
- Full firewall/NAT control
- True network segmentation possible
**Cons:**
- Most complex (DHCP, NAT, firewall rules)
- Single point of failure
- Time Machine only visible to LAN side
- Need to reconfigure entire network
**Best for:** Advanced users, want full network control
---
## Decision Log
### 2026-04-04 — Final Decisions
**Network Mode:** Option 1 — Single Port + Router DNS Redirect ⭐
- Existing router handles DHCP/NAT
- Router forces DNS to Pi-hole
- Time Machine on same network (no complications)
- Can upgrade to bridge mode later if needed
**Add-ons Confirmed:**
- ✅ Pi-hole (DNS ad-blocking)
- ✅ Unbound (recursive DNS, privacy)
- ✅ Time Machine (Mac backups via Samba + Avahi)
- ✅ Wireshark/tcpdump lab (packet capture for learning)
- ❌ WireGuard — SKIP (Tailscale already covers remote access)
**Location:** HOME (separate from brewery setup)
**Dual GbE Verdict:** NOT overkill — enables bridge mode for packet capture learning lab 🎓
**Rejected:**
- Pre-built Pi-hole images (outdated, inflexible)
- DietPi (less common for troubleshooting)
- Docker (overkill for dedicated hardware)
- Full inline router mode (too complex for v1)
- WireGuard (Tailscale = WireGuard, redundant)
---
## Learning/Lab Use Cases (Dual GbE Bonus!)
### Packet Capture & Analysis (Wireshark/tcpdump)
**Bridge mode = perfect learning lab:**
```
Router → eth0 → Pi (bridged) → eth1 → House
Full packet capture
```
**What you can learn:**
- Wireshark filters and display rules
- Protocol analysis (DNS, HTTP, SMB, etc.)
- Network troubleshooting
- Security analysis (spot suspicious traffic)
- IoT device behavior (what's my Roomba actually doing?)
**Tools to install:**
- `wireshark` (GUI, needs X11/VNC) or `tshark` (CLI)
- `tcpdump` (lightweight CLI capture)
- `nethogs` (bandwidth by process)
- `iftop` / `ntopng` (real-time traffic visualization)
**Example commands:**
```bash
# Capture all traffic on eth0
sudo tcpdump -i eth0 -w capture.pcap
# Live DNS query monitoring
sudo tshark -i eth0 -Y "dns" -T fields -e dns.qry.name
# Real-time bandwidth by host
sudo nethogs -t -c 5 eth0
```
**Privacy note:** You'll see EVERYTHING on your network — passwords in plaintext (HTTP), browsing history, device fingerprints. Great for learning, serious responsibility.
---
### Other Lab Scenarios
| Scenario | Setup | Learning Value |
|----------|-------|----------------|
| **Network segmentation** | VLANs on dual NIC | Enterprise networking |
| **Firewall rules** | iptables/nftables | Security hardening |
| **QoS testing** | Traffic shaping | Bandwidth management |
| **MITM analysis** | ARP spoofing detection | Security awareness |
| **Service monitoring** | Port scanning, service discovery | Network mapping |
---
**Verdict:** Dual GbE is NOT overkill if you want a learning lab. Bridge mode + packet capture = home network university. 🎓
---
## Add-on Modules (Optional)
### Confirmed Interest (2026-04-04)
| Add-on | Purpose | Notes |
|--------|---------|-------|
| **Time Machine Target** | Network backup for Macs | Samba + Avahi, ~50MB RAM |
| **Grafana + TILT Data** | Fermentation visualization | Pipe TILT data → InfluxDB → Grafana |
| **Fire Stick Display** | Brew house monitoring screen | Display Grafana dashboard on Fire Stick |
### Architecture Clarification (2026-04-04)
**Location split:**
- **Pi-hole CM4:** HOME (with dual GbE)
- **TILT Bridge:** BREWERY (ESP32)
- **Home Assistant:** BREWERY (separate instance)
- **Fire Stick:** BREWERY (display)
**Implication:** TILT data already lives at brewery HA. Fire Stick should just display brewery HA directly!
### Simplified Brew House Display
```
TILT → ESP32 Bridge → Brewery HA → Fire Stick (kiosk browser)
```
**No need to pipe to home!** Fire Stick points at `http://brewery-ha:8123/lovelace/fermentation-dashboard`
### Home Pi-hole Box Add-ons (Final)
| Add-on | Purpose | Priority |
|--------|---------|----------|
| Pi-hole | DNS ad-blocking | Core |
| Unbound | Recursive DNS (privacy) | High |
| Time Machine | Mac backups | High |
| Wireshark/tcpdump | Packet capture lab | Medium (learning) |
| Grafana (home metrics) | Network monitoring | Low (optional) |
---
## Time Machine Backup — Detailed Specs
### Requirements
| Item | Details |
|------|---------|
| **OS** | Raspberry Pi OS Lite (any version) |
| **Services** | Samba (SMB), Avahi (mDNS/Bonjour) |
| **Storage** | USB drive (SSD recommended) or network share |
| **RAM** | ~50MB overhead |
| **CPU** | Minimal (compression is client-side) |
### How It Works
```
Mac → Bonjour discovery (Avahi) → Samba share → USB drive on Pi
```
1. Avahi advertises `_adisk._tcp` service (Mac sees it as Time Machine destination)
2. Samba provides SMB share with Time Machine extensions
3. Mac backs up over network automatically
---
### Limitations
| Limitation | Impact | Workaround |
|------------|--------|------------|
| **Network speed** | First backup slow (hours), subsequent faster | Use Ethernet, not WiFi |
| **USB drive speed** | HDD = slow, SSD = fast | Use SSD for better experience |
| **Single user** | One Mac per sparsebundle (by default) | Can configure multi-user but tricky |
| **Backup size** | Limited by USB drive capacity | Use large drive (1TB+ recommended) |
| **No encryption** | Backups unencrypted on disk | Enable FileVault on Mac instead |
| **Pi must be on** | No backup if Pi is off | Set static IP, ensure uptime |
---
### Nice-to-Haves
| Feature | Why | How |
|---------|-----|-----|
| **SSD storage** | 10-20× faster than HDD | USB 3.0 SSD enclosure |
| **Dedicated partition** | Isolate backups from OS | Separate USB drive or partition |
| **Backup quotas** | Prevent one Mac from filling drive | `tmutil` setquota per Mac |
| **Auto-mount** | Survive reboots | `/etc/fstab` entry |
| **Monitoring** | Alert if backup fails | HA integration or cron check |
| **Multiple destinations** | Redundancy | Rotate between 2 USB drives |
---
### Setup Commands (Reference)
```bash
# Install Samba + Avahi
sudo apt install samba avahi-daemon
# Create backup share
sudo mkdir -p /srv/timemachine
sudo chown nobody:nogroup /srv/timemachine
sudo chmod 2777 /srv/timemachine
# Configure Samba (/etc/samba/smb.conf)
# Configure Avahi (/etc/avahi/services/timemachine.service)
# Restart services
sudo systemctl restart smbd avahi-daemon
```
---
### Estimated Setup Time
- **Fresh install:** ~30 minutes
- **First Mac backup:** 2-8 hours (depends on data size)
- **Subsequent backups:** 10-30 minutes (incremental)
---
*Created: 2026-04-04*
---
*Created: 2026-04-04*
````
## Notes
<!-- openclaw:human:start -->
<!-- openclaw:human:end -->
## Related
<!-- openclaw:wiki:related:start -->
- No related pages yet.
<!-- openclaw:wiki:related:end -->
Reference in New Issue View Git Blame Copy Permalink