Building firewall into Raspberry PI

Mohammed Hamada
Dear Experts,
I am planning to buy a Raspberry Pi and turn it into a home firewall. Do you think this is a good idea, especially as I would also like to create a captive portal for Wi-Fi access, monitor network traffic, etc.?

If this works, what kind do you recommend, and what are the exact specs that I need?
Thank you
Dr. Klahn, Principal Software Engineer

In this situation I'd build on a more capable platform such as a used "thin client," e.g. HP T574x.  This architecture is closer to a real PC and is easier to support.

Remember that a firewall requires two (or more) hardware Ethernet interfaces, and a Pi is not an ideal platform for adding more network interfaces.
Software Engineer
Distinguished Expert 2018
A Raspberry Pi is effectively the same as the heart of all consumer equipment; it might have more flexibility and a few drawbacks.
So it is a nice platform to toy around with various distros for firewalls. For a serious appliance you will need to take care of some details, as even the simplest of these devices have a hardware switching device onboard.

Also, your deployment model matters. If you have a switch and ONE VLAN, then anything below the external line speed is sufficient bandwidth.
With multiple VLANs you need to support packets traveling twice over the connection between firewall and switch (or multiple interfaces connected to the router).

First some limitations:
USB is limited to ~500 Mbps, and there is ONE shared USB bus between all equipment. (The internal Ethernet is also connected to this same USB connection.)
(The wireless device does have a private connection to the CPU.)
This is a limit on available bandwidth, so any USB Ethernet addition will eat into this bandwidth budget (and a bit to move data between them).

Pi 4B is probably the best choice here. Look for USB-3 capable devices for serious work.

A Pine64 has a slightly better architecture. Ethernet is 1 Gbps and has an independent connection to the CPU.

A far better approach can be a Turris Omnia: equipment built to be used in the role you meant for it. Open-sourced development.
It runs either OpenWRT or the OpenWRT-derived Turris firmware. (They differ in update philosophy: Turris uses BTRFS for updates that can be undone, while OpenWRT disapproves of any filesystem on routers.)
(A viable option for old equipment; for modern stuff the Turris approach might be more in line.)
Mohammed Hamada, Senior IT Consultant


Thanks everyone. I think I will go with the thin client instead of the Raspberry Pi. The reason I wanted to use it is that I thought it would be easy and cheap to set up a home firewall for myself, but since it requires more time I am going to get a thin client for now.

As for Noci's comment, thanks a lot; this gave me a better vision of what exactly I need to start this. I am planning to get a Raspberry Pi just for the sake of learning how to work on it, nothing more.

Thanks a lot
