The versatile Raspberry Pi is capable of functioning as a low-cost, low-power wired router that rivals dedicated commercial offerings. With a bit of configuration, a Raspberry Pi 3 Model B or Pi 4 can route network traffic between Wi-Fi, Ethernet, and even cellular network interfaces.

Hardware and Software Requirements

To set up your Raspberry Pi as a wired router, you'll need:

  • Raspberry Pi 3 Model B or Pi 4
  • 8GB+ microSD card
  • 5V USB-C power adapter
  • Ethernet cables
  • Network switch or router (to connect your Pi to the internet)
  • Raspberry Pi Imager software
  • A Linux distribution like Raspberry Pi OS

I'd recommend using the Raspberry Pi OS Lite distribution to conserve system resources for routing tasks. The OS image size is under 300MB, allowing for better microSD card throughput compared to the desktop version.

Specification    Raspberry Pi OS (Desktop)    Raspberry Pi OS Lite
Image size       1.34GB                       287MB
Memory usage     190MB+                       50MB+

Once you have all the hardware, use Raspberry Pi Imager to flash Raspberry Pi OS Lite onto the microSD card. With the lightweight OS loaded, it's time to connect and configure your Pi.

Initial Setup

Insert the microSD card into the Pi and connect it to power to boot the device. Using an Ethernet cable, connect one of the Ethernet ports to your existing router or network switch to give your Pi internet connectivity.

Next, connect to your Pi via SSH. The default credentials on Raspbian are:

User: pi  
Password: raspberry

Once logged in, run sudo raspi-config to change the password, set the locale and hostname, and enable SSH. With SSH enabled, you can securely access the Linux command line without needing a keyboard and display attached to the Pi.

Network Configuration

The router functionality comes from configuring the Raspberry Pi's onboard network interfaces correctly.

First, check the status of the interfaces with ip addr show. You should see a wlan0 interface for Wi-Fi and eth0 for the wired Ethernet port.

Open the interfaces config file:

sudo nano /etc/network/interfaces

For the eth0 wired interface, configure it with a static IP address in your network range:

auto eth0
iface eth0 inet static
   address 192.168.1.254 
   netmask 255.255.255.0

Allow wlan0 to receive an IP address via DHCP later on:

allow-hotplug wlan0  
iface wlan0 inet dhcp

Write the changes to file with Ctrl+X and restart the networking service:

sudo systemctl restart networking

You'll also want to disable IPv6 by editing /boot/cmdline.txt and adding ipv6.disable=1 to reduce routing overhead. IPv6 packets can still be forwarded, but IPv6 addresses are not configured on the router itself.

Benchmarks

To get an idea of the Ethernet and Wi-Fi throughput possible with the router, I used iperf3 for network benchmarking.

Wired Ethernet Interface Performance

Number of Streams    Bandwidth
1                    110 Mbits/sec
2                    218 Mbits/sec
4                    235 Mbits/sec

The wired Ethernet link topped out around 235 Mbits/sec. CPU usage also spiked significantly, indicating the router hardware was saturated at this level.

Wireless 802.11n Interface Performance

Number of Streams    Bandwidth
1                    26 Mbits/sec
2                    54 Mbits/sec
4                    71 Mbits/sec

The wireless throughput leveled off at about 70 Mbits/sec in testing as only one spatial stream is supported. Enabling hardware encryption would reduce performance further.

Install Software

A variety of Linux networking software powers the routing functionality.

Update the package list and install them:

sudo apt update
sudo apt install isc-dhcp-server iptables-persistent iproute2 dnsmasq

Here's an overview of the key software packages:

  • isc-dhcp-server – Handles dynamic IP address assignment
  • iptables-persistent – Saves firewall rules between boots
  • iproute2 – Additional network config commands
  • dnsmasq – Lightweight DNS and DHCP server

DHCP Configuration

For devices connecting via Ethernet or Wi-Fi, the router can assign IP addresses automatically using the DHCP server.

Edit the config file:

sudo nano /etc/dhcp/dhcpd.conf   

Set your Pi's eth0 interface IP address as the gateway, and pick a range inside your subnet to hand out:

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.199;  
  option routers 192.168.1.254;
  option subnet-mask 255.255.255.0;
}

Tell DHCP to listen on all available interfaces:

sudo nano /etc/default/isc-dhcp-server  

INTERFACES="eth0 wlan0"

Restart the service:

sudo systemctl restart isc-dhcp-server

Now Ethernet or Wi-Fi connected clients will receive IPs automatically from the router!

Firewall Configuration

The built-in Linux firewall iptables controls traffic routing policies.

First, allow established connections:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Accept DHCP requests from available interfaces:

sudo iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
sudo iptables -A INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT   

Drop invalid packets:

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Rate limit new connections to prevent port scanning:

sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 

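By default the filter table chains have an ACCEPT policy. A chain policy (-P) applies to the whole chain and cannot be restricted to one interface, so make the Wi-Fi network more restrictive with per-interface rules instead.

First, allow only outbound HTTP(S) traffic for Wi-Fi clients:

sudo iptables -A FORWARD -i wlan0 -p tcp --match multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Then drop everything else forwarded from wlan0. This rule must come after the ACCEPT rule, because rules are evaluated in order:

sudo iptables -A FORWARD -i wlan0 -j DROP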

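Finally, enable IP masquerading (source NAT) for forwarded traffic. Note that the kernel forwards packets only when the net.ipv4.ip_forward sysctl is 1. The masquerade rules are: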

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Save the iptables firewall rules:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

With those rules, wired Ethernet clients have unrestricted access while Wi-Fi devices can only reach web ports 80 and 443.
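
The rate-limit rule above only stops matching once the limit is exceeded; packets over the limit fall through to the next rule and finally to the chain policy, which is still ACCEPT for INPUT. The script below is an added example, not part of the original article, that scans iptables-save output for that pattern. The function name audit_limit_rules, the sample rulesets and the extra DROP rule are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original article): find rate-limited ACCEPT
# rules whose overflow is still accepted. Reads iptables-save text on stdin.
audit_limit_rules() {
    awk '
    /^\*/ { table = substr($0, 2); next }                  # "*filter", "*nat", ...
    /^:/  { policy[table "/" substr($1, 2)] = $2; next }   # ":INPUT ACCEPT [0:0]"
    $1 == "-A" {
        key = table "/" $2
        # Heuristic: any later DROP/REJECT in the chain may catch the overflow.
        if ($0 ~ /-j (DROP|REJECT)/) pending[key] = 0
        if ($0 ~ /-m limit / && $0 ~ /-j ACCEPT/) pending[key] = 1
    }
    END {
        for (k in pending)
            if (pending[k] && policy[k] == "ACCEPT")
                print k ": rate limit has no effect, overflow hits ACCEPT policy"
    }'
}

# Constructed sample: the INPUT rules from this article as iptables-save prints them.
ARTICLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
COMMIT'

# Assumed fix (not in the article): drop new TCP connections that exceed the limit.
FIXED_RULES="${ARTICLE_RULES%COMMIT}-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
COMMIT"

# Stand-alone run: report on the article ruleset.
printf '%s\n' "$ARTICLE_RULES" | audit_limit_rules
```

On the router itself, the live ruleset can be checked with sudo iptables-save piped into audit_limit_rules.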

Monitoring Usage and Throughput

To check statistics on data transferred across your network interfaces, use vnstat -l:

     eth0:0
           /      /     /      /    /   /      
   Bytes in/out /  Packets in/out 
             0.00         0        0        0
     wlan0:0   
           /      /     /      /    /   /
   Bytes in/out/Packets in/out  
           5.25 GiB      54.30 MiB    44.72k       9.01k

For hourly, daily and monthly statistical reports use:

sudo vnstat -h
sudo vnstat -d
sudo vnstat -m 

Monitoring disk space usage is also important on an embedded router:

 df -h

Filesystem      Size   Used  Avail Use% Mounted on
/dev/root       7.0G  3.6G  3.2G  54% /
devtmpfs        460M     0   460M   0% /dev
tmpfs            93M   260K    92M   1% /run
tmpfs           5.0M     0    5.0M   0% /run/lock
tmpfs           185M     0   185M   0% /run/shm

With these tools you can keep track of data usage as well as audit space usage on the microSD card.

Advanced Capabilities

In addition to basic routing and firewalling, the Linux networking stack on the Pi can support more advanced capabilities:

Traffic Control

Limit bandwidth of protocols or specific hosts using tc and HTB queuing:

sudo tc qdisc add dev eth0 root handle 1: htb default 30
sudo tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit ceil 10mbit
sudo tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src 192.168.1.100 flowid 1:1

VLANs

Segment your network into multiple isolated virtual LANs:

sudo vconfig add eth0 2
sudo ifconfig eth0.2 up
sudo vconfig set_name_type VLAN_PLUS_VID_NO_PAD
sudo ifconfig eth0.2 192.168.2.1 netmask 255.255.255.0

VPN Termination

Route all traffic from wireless clients over an encrypted VPN tunnel:

sudo apt install openvpn iptables-persistent

These represent just a sample of features feasible on a Pi router platform!

Closing Thoughts

The Raspberry Pi makes for a surprisingly capable router that can comfortably handle 100 Mbps traffic loads. Features usually only found in commercial offerings are possible thanks to Linux networking tools. And the Pi's low cost, hackability, and energy footprint make it the perfect routing platform!

What network tasks will you use your Pi router for? Let me know in the comments!
