I want to use a Raspberry Pi 4 Model B as a Gateway to separate my Home network from my Home Lab network.
Internet Service Provider
My consulting business utilises a small business NBN plan (100/40 Mbps) and the provider supplied a Modem / Router combination with support for FTTN.
The Modem / Router's IP address is 192.168.20.1
Devices connected to my ISP's Modem / Router will be allocated addresses in the range 192.168.20.2 - 192.168.20.254.
I purchased two USB 3.0 to Ethernet Adapters (a Cable Matters and a UGREEN) and an Okdo ABS case for my RPi 4.
Devices connected to my Home Lab Gateway's eth1 port will be allocated addresses in the range 192.168.101.2 - 192.168.101.254.
Devices connected to my Home Lab Gateway's eth2 port will be allocated addresses in the range 192.168.102.2 - 192.168.102.254.
ISP Modem / Router (192.168.20.1)
Gateway eth0 (192.168.20.2)
Gateway eth1 (192.168.101.1) -> (192.168.101.0/24)
Gateway eth2 (192.168.102.1) -> (192.168.102.0/24)
Home Lab Gateway
I used the Raspberry Pi Imager (v1.7.1) to create a fresh install of Raspberry Pi OS Lite 64 bit (a port of Debian Bullseye with no Desktop environment).
I used the Imager's Advanced options to: set a hostname (home-lab-gateway); enable SSH (public key only); set a username and password; set the locale settings; and skip the first-run wizard.
Then I used SSH to connect to the device and updated the operating system:
sudo apt update
sudo apt full-upgrade
Enable IP Forwarding
IP forwarding is also known as routing. To enable it, we need to use the sysctl command:
sudo sysctl -w net.ipv4.ip_forward=1
To make the change persistent, we need to edit the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
And add the following line to the bottom of the file:
net.ipv4.ip_forward = 1
Optional: To disable IPv6 add the following lines to the bottom of the file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
The DHCP Daemon
The Raspberry Pi uses dhcpcd to configure TCP/IP across all of its network interfaces. We want to assign a static IP to each of the Home Lab Gateway's interfaces.
sudo nano /etc/dhcpcd.conf
And add the following lines to the bottom of the file:
...
# Home Lab Gateway configuration
interface eth0
inform ip_address=192.168.20.2/24
static routers=192.168.20.1
static domain_name_servers=192.168.20.1

interface eth1
static ip_address=192.168.101.1/24

interface eth2
static ip_address=192.168.102.1/24
We also need to update /etc/iftab (if it does not exist, you must create it):
sudo nano /etc/iftab
eth1 mac 11:22:33:44:55:66
eth2 mac aa:bb:cc:dd:ee:ff
You can use the following command to obtain the MAC addresses of the ethernet adapters:
Then reload the systemd configuration and restart dhcpcd to apply the changes:
sudo systemctl daemon-reload && sudo systemctl restart dhcpcd
dnsmasq is a lightweight service that we can use to issue IP addresses to devices in each of the Home Lab's subnets.
To install dnsmasq:
sudo apt install dnsmasq
To configure dnsmasq:
sudo nano /etc/dnsmasq.conf
...
interface=eth1
bind-dynamic
domain-needed
bogus-priv
dhcp-range=192.168.101.3,192.168.101.254,255.255.255.0,24h

interface=eth2
bind-dynamic
domain-needed
bogus-priv
dhcp-range=192.168.102.3,192.168.102.254,255.255.255.0,24h
sudo service dnsmasq restart
Use the following command to ensure that dnsmasq starts up (automagically) if you reboot the RPi:
sudo systemctl enable dnsmasq
To install iptables:
sudo apt install iptables
To save your iptables rules:
sudo apt install iptables-persistent
Packets arriving at the Gateway's eth1 interface from my Home Lab devices have to be modified such that the source address is equal to the Gateway's eth0 address:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
We also need to route outbound traffic from the eth1 interface to the eth0 interface and allow inbound traffic (established connections) from the eth0 interface to the eth1 interface (return traffic from the Internet):
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Check the rules:
sudo iptables -S
Save the changes:
sudo netfilter-persistent save
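An added example (not part of the original post): a shell function that audits `iptables -S` output against the rules above. It reports a FORWARD policy of ACCEPT, under which the explicit ACCEPT rules change nothing and every subnet is routed to every other, and any LAN interface that lacks the outbound or return rule. The function name, finding labels and sample dump are constructed for this example, and the sample assumes the FORWARD policy was left at its default.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the gateway described above.
# eth0/eth1/eth2 come from the post; audit_forward_rules, its finding labels
# and SAMPLE_RULES are constructed for illustration.

audit_forward_rules() {
    # $1 = text of `iptables -S`, $2 = WAN interface, remaining args = LAN interfaces
    rules=$1; wan=$2; shift 2
    findings=""
    # With a default ACCEPT policy every forwarded packet passes, so the
    # explicit ACCEPT rules filter nothing and the subnets are not separated.
    if printf '%s\n' "$rules" | grep -qx -e '-P FORWARD ACCEPT'; then
        findings="${findings}policy-accept "
    fi
    for lan in "$@"; do
        # Outbound rule: LAN -> WAN
        printf '%s\n' "$rules" \
            | grep -q -e "^-A FORWARD -i $lan -o $wan -j ACCEPT" \
            || findings="${findings}no-outbound:$lan "
        # Return rule: WAN -> LAN, established/related only (state or conntrack match)
        printf '%s\n' "$rules" \
            | grep -Eq -e "^-A FORWARD -i $wan -o $lan .*(RELATED,ESTABLISHED|ESTABLISHED,RELATED).* -j ACCEPT" \
            || findings="${findings}no-return:$lan "
    done
    printf '%s\n' "${findings% }"
}

# Constructed sample: `sudo iptables -S` after running only the commands above
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT'

audit_forward_rules "$SAMPLE_RULES" eth0 eth1 eth2
# On the gateway itself:
#   audit_forward_rules "$(sudo iptables -S)" eth0 eth1 eth2
```

An empty result means every listed LAN interface has both rules and the FORWARD policy is not ACCEPT.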
ISP Modem / Router - Static Routes
I used the ISP Modem / Router's web UI (Advanced -> Routing) to configure a static route to each subnet, for example:
Note: The 'Gateway' setting is for the next hop (i.e., if the ISP Modem / Router's IP address is 192.168.20.1, the next hop is 192.168.20.2).
You can use nmap to check which devices have been allocated IP addresses in a subnet, for example:
sudo nmap -sn 192.168.101.0/24