I consider the residential gateway overloaded. Your ISP is in the business of selling you the cheapest possible computer component to be a gateway device. Current devices also include a WiFi radio to double as home access point. By setting up a Raspberry Pi as your DHCP server and DNS forwarder, you can remove that burden from the residential gateway and just let it pass packets.
Your standard residential gateway might have a 802.11 a/b/g/n 1×1 radio; maybe a 2×2 radio. This doesn’t obviously cripple your residential gateway, but the radio reception might be poor, and it probably won’t cover your whole house. You will likely get much better reception by getting one or more inexpensive 802.11 a/b/g/n 3×3 MIMO radio access points. The three antennas (when pointed in different directions) are much more effective.
Even more effective WiFi coverage comes from putting multiple APs in common areas at medium power to spread the coverage out. There are a lot of WiFi planning applications that can help you with this. One of the basic techniques is a “hex cell” design, and the idea is that you choose three channels that are not near each other. Channel 1, Channel 6 and Channel 11 are the common choices. As long as two adjacent hex cells are not on the same channel, you should have reasonable protection from channel interference. Using medium power means that people right next to an AP won’t suffer from over-driven signal strength, which also cripples performance.
More DHCP Tricks
There are a lot of things you can do with DHCP. And if you avidly tinker with your computers (and I encourage you to tinker), dnsmasq is a good way to explore what you can do with your DHCP server. Different network interfaces on your dhcp server can be granted different address pools. Specific MAC addresses can be given persistent IP addresses outside of an address pool. You can manage machine names from the /etc/hosts file of the dhcp server. At the same time, this approach allows computers to announce their own name. This allows you to connect to hamster1 by name on the network, where hamster1 is the name set locally on the machine. You can also publish multiple routes to networks outside of your LAN, such as your VPNed networks.
This might also be useful for separating your own “IoT” network. Most of the wee devices that want to connect to a WiFi controller typically join your default network. A shrewd network administrator will create a separate DHCP leases pool for MAC address patterns used by their devices and assign them a completely different network range that has no gateway address. Don’t use your APs to serve DHCP. Your AP doesn’t care how many different addresses it passes through it, so use your Raspberry Pi dnsmasq server to serve your DHCP addresses.
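As an added example (not the original post's configuration), here is a small POSIX shell script that renders a dnsmasq configuration doing the things described above: a LAN pool that hands out the residential gateway as the router, a second IoT pool selected by a MAC-address prefix that hands out no router at all, a persistent address for a named machine, and a route to a VPN network published through DHCP option 121. The interface name, subnets, MAC addresses, the hostname hamster1, the upstream resolver and the VPN host are all assumed values.

```shell
#!/bin/sh
# Added example, not the original post's configuration: render a dnsmasq
# DHCP/DNS config for a Raspberry Pi behind the residential gateway.
# Every address, interface and MAC below is an assumption for illustration.
set -eu

LAN_IF=eth0                       # the Pi's LAN interface (APs bridge onto it)
GATEWAY=192.168.1.1               # residential gateway: now only passes packets
PI_LAN=192.168.1.2                # this Pi on the LAN subnet
PI_IOT=192.168.50.1               # this Pi's second address, on the IoT subnet
VPN_HOST=192.168.1.5              # assumed LAN host that terminates a VPN
IOT_MAC_PREFIX='aa:bb:cc:*:*:*'   # assumed OUI of the IoT vendor

# Print the configuration to stdout; save it as /etc/dnsmasq.d/home.conf.
render_dnsmasq_conf() {
cat <<EOF
# Serve only on the LAN side, never toward the gateway's WAN port.
interface=${LAN_IF}
bind-interfaces
# The gateway's own DHCP server must be switched off; two servers on one
# LAN hand out conflicting answers. dhcp-authoritative only speeds up
# reclaiming leases the gateway issued earlier.
dhcp-authoritative

# DNS: answer LAN names locally, forward everything else upstream.
domain=home.lan
expand-hosts            # /etc/hosts names and DHCP client names get .home.lan
local=/home.lan/        # never leak local names to the upstream resolver
server=9.9.9.9          # assumed upstream resolver

# Devices from the IoT vendor's MAC range get the "iot" tag.
dhcp-mac=set:iot,${IOT_MAC_PREFIX}

# Two pools on the same wire; the Pi holds an address in each subnet
# (ip addr add ${PI_IOT}/24 dev ${LAN_IF}). The tag decides who may use which.
dhcp-range=tag:!iot,set:lan,192.168.1.100,192.168.1.199,255.255.255.0,12h
dhcp-range=tag:iot,192.168.50.100,192.168.50.199,255.255.255.0,12h

# LAN clients: route via the gateway, resolve via this Pi, and learn a route
# to the VPN network (RFC 3442). A client that receives option 121 ignores
# option 3, so the default route is repeated inside option 121.
dhcp-option=tag:lan,option:router,${GATEWAY}
dhcp-option=tag:lan,option:dns-server,${PI_LAN}
dhcp-option=tag:lan,option:classless-static-route,10.8.0.0/24,${VPN_HOST},0.0.0.0/0,${GATEWAY}

# IoT clients: no router at all. dnsmasq otherwise advertises its own address
# as the router, so option 3 is named with no value to suppress it entirely.
dhcp-option=tag:iot,3
dhcp-option=tag:iot,option:dns-server,${PI_IOT}

# Persistent address outside the pool for a known MAC; the machine answers
# as hamster1.home.lan in DNS.
dhcp-host=11:22:33:44:55:66,hamster1,192.168.1.10,infinite
EOF
}

# Write the file and syntax-check it before dnsmasq is restarted; a broken
# file takes the whole LAN's DNS down with it.
install_dnsmasq_conf() {
  dest=${1:-/etc/dnsmasq.d/home.conf}
  render_dnsmasq_conf > "$dest"
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test --conf-file="$dest"
  fi
}

if [ "${1:-}" = "--install" ]; then
  install_dnsmasq_conf "${2:-}"
else
  render_dnsmasq_conf
fi
```

Run it with no arguments to see the rendered file, or with `--install [path]` to write and check it. The two details that bite in practice are both in the comments: dnsmasq advertises itself as the router unless option 3 is explicitly suppressed, and a client that receives option 121 discards option 3, so the default route has to travel inside option 121 as well.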
There is a wonderful project: hBlock, which is a curated list of adware/malware addresses. You can create a hosts file where all the ad server names can get mapped to 127.0.0.1 or 0.0.0.0.
In your /etc/dnsmasq.conf file, you would add an ‘addn-hosts’ directive to point to the hBlock output file. You have to edit the hBlock output file a bit, but it’s not difficult. I separate my own network hosts files up into three files:
- Entries for 127/8 and localnet and own hostname:
- Entries for my LAN hostnames:
- Entries to block:
This keeps things pretty organized. It also protects all members of my home network from getting things from crapware sites.
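As an added example (not the original post's files), the script below shows the three-file layout just described and the small edit hBlock's output needs: its hosts-format file starts with header comments and the usual loopback entries, which already live in the first file and would only conflict if duplicated. The filter keeps just the 0.0.0.0 sinkhole lines. The directory path, hostnames and the block entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's setup: turn hBlock's hosts-format
# output into a block-only file, keep it apart from the localhost and LAN
# entries, and point dnsmasq at all three. Paths and names are assumptions.
set -eu

HOSTS_DIR=/etc/hosts.d          # assumed directory holding the three files

# Keep only the sinkhole lines (address 0.0.0.0, the hBlock default), two
# fields each: drops header comments, blank lines, the "0.0.0.0 0.0.0.0"
# placeholder, trailing comments and any loopback lines hBlock prepends.
filter_blocklist() {
  awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" && $2 !~ /^#/ { print "0.0.0.0 " $2 }' \
  | sort -u
}

# The three files the post describes, written from constructed sample data.
write_hosts_files() {
  dir=${1:-$HOSTS_DIR}
  mkdir -p "$dir"
  # 1. loopback, localnet and this host's own name. Give the Pi's own name
  #    its LAN address here, not the Debian-style 127.0.1.1: dnsmasq serves
  #    these files to the LAN, and clients would be answered with loopback.
  cat > "$dir/00-local" <<'EOF'
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
192.168.1.2  pi
EOF
  # 2. LAN hostnames (assumed names and addresses)
  cat > "$dir/10-lan" <<'EOF'
192.168.1.1   gateway
192.168.1.10  hamster1
EOF
  # 3. the block list; in real use pipe the hBlock output file through
  #    filter_blocklist instead of this constructed sample
  printf '%s\n' \
    '# hBlock-style header comment' \
    '127.0.0.1 localhost' \
    '0.0.0.0 0.0.0.0' \
    '0.0.0.0 ads.example.invalid' \
    '0.0.0.0 tracker.example.invalid # trailing comment' \
    '0.0.0.0 ads.example.invalid' \
    | filter_blocklist > "$dir/90-block"
}

# dnsmasq accepts a directory for addn-hosts and reads every file in it, so
# one line in /etc/dnsmasq.conf covers all three. Answering 0.0.0.0 rather
# than 127.0.0.1 makes a blocked name fail immediately instead of producing
# a connection attempt to the Pi itself.
render_dnsmasq_hosts_conf() {
  printf 'addn-hosts=%s\n' "${1:-$HOSTS_DIR}"
}

if [ "${1:-}" = "--write" ]; then
  write_hosts_files "${2:-}"
  render_dnsmasq_hosts_conf "${2:-}"
fi
```

After restarting dnsmasq, confirm from a LAN client that a blocked name now resolves to 0.0.0.0 (for instance with `getent hosts ads.example.invalid`) and that a real LAN name such as hamster1 still resolves to its LAN address.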
Are Proxies Worth the Effort?
Back in 2010, before HTTPS Everywhere was a Firefox plugin, a squid proxy was a great way to save on bandwidth. You can configure your DHCP server to announce a WPAD address, and every browser on your network should auto-configure itself to use your local HTTP proxy. Now, with most popular sites using HTTPS, the value of an HTTP proxy as a form of acceleration is diminished…for those sites. You can create a certificate for your own proxy and install that certificate on your machine if you want to proxy HTTPS on your local network, but it won’t help guests. Also, in a public setting, these proxies can become a ripe target.
There are still many sites that are plain HTTP, notably Linux distribution repositories. All those .deb and .rpm files are mostly still available over plain HTTP, and caching them does your distribution a favor. If you regularly do updates, play with VM images of Linux, or have an office of Linux machines, you might even consider installing IntelligentMirror on your squid server. You can edit your /etc/apt/apt.conf or /etc/dnf/dnf.conf files with proxy entries.
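As an added example (not the original post's configuration), here are the client-facing pieces from the two paragraphs above rendered by one shell script: the dnsmasq line that announces the WPAD URL via DHCP option 252, a PAC file that sends LAN names and HTTPS direct and everything else through the proxy, and the apt and dnf proxy entries. The Pi's address, squid's port 3128, the PAC URL and the home.lan domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the pieces that make LAN
# clients find the squid proxy automatically (WPAD via DHCP option 252 plus
# a PAC file) and that point apt/dnf at it. Addresses, the proxy port and
# the domain are assumptions; squid's default port 3128 is used.
set -eu

PROXY=192.168.1.2:3128                 # assumed: squid on the Raspberry Pi
PAC_URL=http://192.168.1.2/wpad.dat    # assumed: served by a web server on the Pi
LAN_DOMAIN=home.lan

# dnsmasq line that announces the PAC location. Browsers that honour DHCP
# WPAD fetch this URL; those that only do DNS WPAD look for
# http://wpad.<domain>/wpad.dat, so a "wpad" hosts entry pointing at the Pi
# covers them too.
render_dnsmasq_wpad() {
  printf 'dhcp-option=252,"%s"\n' "$PAC_URL"
}

# The PAC file: LAN names and HTTPS go direct (the proxy cannot cache TLS
# traffic anyway); everything else tries the proxy and falls back to direct,
# so a dead proxy does not take the LAN offline. Serve it with the MIME type
# application/x-ns-proxy-autoconfig.
render_pac() {
cat <<EOF
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".${LAN_DOMAIN}") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      url.substring(0, 6) === "https:") {
    return "DIRECT";
  }
  return "PROXY ${PROXY}; DIRECT";
}
EOF
}

# apt: cache plain-HTTP repository fetches through squid, go direct for
# HTTPS mirrors. Drop this into /etc/apt/apt.conf.d/01proxy.
render_apt_proxy() {
cat <<EOF
Acquire::http::Proxy "http://${PROXY}/";
Acquire::https::Proxy "DIRECT";
EOF
}

# dnf: the equivalent line for the [main] section of /etc/dnf/dnf.conf.
render_dnf_proxy() {
  printf 'proxy=http://%s/\n' "$PROXY"
}

case "${1:-}" in
  wpad) render_dnsmasq_wpad ;;
  pac)  render_pac ;;
  apt)  render_apt_proxy ;;
  dnf)  render_dnf_proxy ;;
  *)    echo "usage: $0 {wpad|pac|apt|dnf}" >&2 ;;
esac
```

A client that honours WPAD trusts whatever answers its DHCP request or the wpad DNS name, which is exactly why the post's caveat about public settings matters: keep WPAD to a network where you control both the DHCP server and the resolver.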
Access Control and Virus Scanning on Proxies
It is also possible to kick your kids off the internet at certain times of day using squid. This is possible by setting access control rules by IP where certain times of day are permissible to browse the Internet. Getting this working effectively might be difficult.
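As an added example (not the original post's configuration), the script below renders a squid.conf fragment that covers both squid uses discussed above: caching package files from Linux repositories, and denying a set of client addresses at certain hours. The addresses, times and cache size are assumptions; the refresh_pattern options used are the ones current squid releases accept.

```shell
#!/bin/sh
# Added example, not the original post's configuration: a squid.conf fragment
# that (a) caches Linux package files fetched over plain HTTP and (b) denies a
# set of client addresses the web at certain hours. Addresses, times and the
# cache size are assumptions.
set -eu

render_squid_conf() {
cat <<'EOF'
http_port 3128
# Only LAN clients may use the proxy; a proxy open to the world is the
# "ripe target" the post warns about.
acl lan src 192.168.1.0/24
http_access deny !lan

# Package repositories: keep large objects, and treat package files as
# immutable for 90 days (a version never changes under the same file name).
# Index files are revalidated on every request.
cache_dir ufs /var/spool/squid 10240 16 256
maximum_object_size 1024 MB
refresh_pattern -i \.(deb|rpm|udeb)$  129600 100% 129600 override-expire ignore-reload ignore-no-store
refresh_pattern -i (Release|Packages|Sources)(\.(gz|xz|bz2))?$  0 0% 0 refresh-ims

# Time-of-day rules. The machines need fixed addresses (dhcp-host
# reservations), and a squid "time" range must not cross midnight, so the
# evening block is split in two. Days: S M T W H F A.
acl kids src 192.168.1.20 192.168.1.21
acl evening time MTWHF 21:00-23:59
acl smallhours time MTWHF 00:00-06:30
http_access deny kids evening
http_access deny kids smallhours

http_access allow lan
http_access deny all
EOF
}

# Parse-check the rendered file before reloading squid.
check_squid_conf() {
  dest=${1:-/etc/squid/squid.conf}
  render_squid_conf > "$dest"
  if command -v squid >/dev/null 2>&1; then
    squid -k parse -f "$dest"
  fi
}

if [ "${1:-}" = "--install" ]; then
  check_squid_conf "${2:-}"
else
  render_squid_conf
fi
```

The rules bind only traffic that actually passes through squid, which is the part that makes this "difficult": a client that drops its proxy setting is unaffected unless the gateway's firewall lets web traffic out only from the Pi, so the time ACLs are a convenience, not an enforcement boundary on their own.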
It is also possible to make squid use ClamAV to scan the files requested. I’ve not done this before, but there are how-to’s out there on how to do that. This would be a very effective complement to using hBlock.