Adventures in Rolling Your Own Router: Part II
In my previous post, I described my current home-brewed router. In this post, I’ll describe my plan for the new router.
What OS?
While PiHole can be installed directly on Arch Linux or be run in a Docker container, I feel it is safer to use an officially supported OS. My choices are Debian, Ubuntu, Fedora, or CentOS.
I don’t want to use Ubuntu because even in ubuntu-server there are more bells and whistles than I need.
Fedora is out, because I am interested in long-term stability. CentOS would be a good option if it weren’t reaching EOL at the end of 2021.
This leaves Debian, an OS which I do not have much experience with.
What Should It Do, and How?
NAT Routing
The router needs not only to forward packets between clients on the LAN and the Internet, but also to perform Network Address Translation, because in my network only the router itself has a public IP address.
NAT can be enabled with systemd.network using the IPMasquerade flag. Based on the man page, just enabling IPMasquerade on the LAN interface should be enough to also enable packet forwarding (IPForward). We will see if that’s really the case.
Since we want to use nftables instead of iptables on this system, systemd should be modifying nftables rather than using legacy iptables. See also here.
PiHole DNS
I want PiHole to run on the router. This is basically dnsmasq with some filter lists and a fancy GUI.
PiHole is supported on Debian, so we should be able to just install it using the installer script. However, the installation instructions mention that it will install dhcpcd5 and modify /etc/dhcpcd.conf to assign a static IP address. We don’t want this because we will be using systemd-networkd for interface management.
This means that I will potentially need to modify the installer script to skip this.
DHCP Server
The router should also run a DHCP server, optionally providing “static IPs” to known clients based on MAC address.
Since PiHole contains dnsmasq, we can just enable the DHCP server built in to pihole-FTL.service.
Firewall
All incoming traffic except SSH and Mosh should be blocked. We need connection tracking to allow clients to communicate with Internet hosts.
I’ve never used nftables, but since this is the immediate future I’ll take this as an opportunity to learn.
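As an added illustration of the firewall policy described above (this is my sketch, not a ruleset from the original post), here is an nftables file that drops all unsolicited inbound traffic except SSH and Mosh, relies on connection tracking for LAN clients’ return traffic, and leaves NAT to systemd-networkd’s IPMasquerade. The interface names `lan0` and `wan0` are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. Interface names are assumptions.
define LAN = "lan0"
define WAN = "wan0"

# Declare and flush only our own table: a global "flush ruleset" would also
# wipe the NAT table that systemd-networkd installs for IPMasquerade.
table inet filter
flush table inet filter

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and anything that belongs to a tracked connection.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for PMTU discovery; ICMPv6 for neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # LAN clients may reach the router's own DNS (PiHole) and DHCP server.
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport 53 accept

        # Remote management: SSH on TCP 22, Mosh on UDP 60000-61000.
        # Prefix with "iifname $LAN" to restrict management to the LAN side.
        tcp dport 22 accept
        udp dport 60000-61000 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # LAN -> Internet is allowed; replies come back via conntrack state.
        iifname $LAN oifname $WAN accept
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

On Debian this can be saved as /etc/nftables.conf and loaded at boot by enabling nftables.service; `nft list ruleset` shows the resulting tables alongside the one systemd-networkd creates.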
In the next post, I’ll set up some VMs and try setting this up before doing it on my physical network.