12

I would like to start a "Firewall" project. This will require intercepting data on the network, processing it and passing it on its way.

Has anyone tried (or theorised) how to add a second Ethernet port to the Model B?

Possible Solutions

  • USB Ethernet adapter
syb0rg
Richard Stelling

3 Answers

5

As an alternative to buying a USB Ethernet adapter you can create two interfaces on a single NIC. One will be facing your local subnet and the other will receive its IP from your ISP. This is a concept called "Router on a Stick" or "One-Armed Router".

But for that you will need a switch that supports VLANs in order to segregate the two networks. Most don't. This one does.

To create a second interface on the RPi NIC you can use the ip link command (from the package iproute) like this:

    # vlan with mac tag
    ip link add link eth0 address <mac address> name mywan type macvlan

    # vlan with id tag (IEEE 802.1q)
    ip link add link eth0 name mywan type vlan id <xx>

    # set interface up
    ip link set up dev mywan

    # get a public IP from your ISP (assuming the DHCP protocol is used)
    dhclient -v mywan

I will do some testing and update this post if successful.

Edit: I confirm that the above setup works fine. The single RPi NIC and the modem should be members of the same VLAN. The modem should be connected as "trunk" or "Access" (untagged modes).

ripat
  • I tend to use a similar setup, but instead of using the macvlan module I use different VLAN ids on each port. This way packets from port1 will be visible on, say, the vlan1 interface and packets from port2 will be visible on vlan2, etc. BTW, it should also be possible to just use macvlan without a VLAN switch. – Krzysztof Adamski Dec 17 '13 at 13:07
  • Correct, +1 for your comment. That's a better solution than using a MAC tag. And IEEE compliant too. I added the ip command for that. Concerning the use of macvlan on a non-VLAN switch, the two networks will not be segregated and any host could then directly access the modem, bypassing the One-Armed Router/Firewall. – ripat Dec 17 '13 at 13:09
3

Here's a similar discussion on the official forums.

I tried the "Wintech USB 2.0 LanCard Model: LAU-15 (CK0049C)" successfully. They are working with the mcs7830 driver.

I don't know if the (unmodified) RPi can provide enough power. On my RPi I shortened both USB-fuses and use an unfused separate power supply/input (5V 1,5A).

From the second comment you may need to use a powered hub if your Pi is unmodified, but other than that there shouldn't be an issue.

Tom Medley
berry120
  • Do you simply mean to connect the USB ethernet adaptor to a powered hub and then the hub to the RPi? – User7391 Sep 10 '12 at 01:17
0

There is at least one option you can use that does not require adding an additional Ethernet port to your Raspberry Pi - using a VLAN switch. This can be quite expensive, since the cheapest VLAN switches I know cost something like 35$. But it has some additional benefits (even more Ethernet ports, way more to learn, etc.). You can configure them to tag each port with a different VLAN id, and then create multiple VLAN interfaces on your Pi. Each packet that is tagged will be visible on the proper tagged interface on your Pi, effectively providing something like many virtual interfaces.

Krzysztof Adamski