HOWTO: OpenWrt on the Raspberry Pi 4

Hey all, I've been enjoying my RPi 4 router and it seems to be a popular topic so I thought I'd write up a quick article to help people get started with their own setup. If you have any feedback or would like to propose an edit please feel free to open an issue or PR on GitHub.


So You Want To Build a Raspberry Pi Router

With the increasing prevalence of gigabit-speed home internet connections in the US and elsewhere comes the need for routing hardware with greater performance than many "all-in-one" devices can offer. This is especially true for users who wish to take advantage of advanced traffic shaping technologies like SQM which is notoriously CPU-intensive. The Raspberry Pi 4 single-board computer is affordable, ubiquitous, and runs circles around any consumer device near its price point. All of these qualities make it an ideal candidate to become the next foundation of your home network.

What It's Good For

  • Full gigabit routing performance with SQM disabled. The CPU is certainly capable of much more, limited only by the speed of the network interfaces.
  • ~800 Mbps up/down with SQM enabled.
  • Oodles of extra RAM and processing power for running additional services if you're so inclined.
  • Doing all of the above with no moving parts, low power consumption and in a very compact footprint, at a very competitive price.

What It's Not So Good For

  • Servicing your wireless devices. The Pi's onboard WiFi implementation is truly pitiful compared to a decent all-in-one consumer router. Instead, plan on supplementing the Pi with another device to serve as a wireless access point.

What You'll Need

  • A Raspberry Pi 4 board. 1GB of RAM will be plenty for this application but more won't hurt.
  • Power supply or PoE hat.
  • A quality microSD card of any commonly available size; even 8GB is an enormous amount of space compared to your average plastic consumer network router.
  • A case designed for passive cooling. Here are a few options you might consider:
  • A USB-to-Ethernet interface. Any dongle based on the RTL8153 chipset will do. The TP-Link UE300 is a popular choice and works very well.

It's possible to use the Pi in a so-called "router-on-a-stick" configuration using only the single onboard Ethernet port in conjunction with VLANs. This configuration requires the use of a managed switch and is beyond the scope of this guide.

Example Build and Total Cost

  • Raspberry Pi 4 2GB: $35
  • Inland USB-C power supply: $6
  • Micro Center 64GB microSD card: $7
  • Argon Neo case: $15
  • TP-Link UE300: $14

Total: $77

Note that due to the ongoing global unpleasantness the 2GB Pi 4 recently suffered a price bump to $45. This is said to be a temporary measure but for the time being I feel the 4GB version is a better value at $55. Opting for the 4GB board will bring the total build cost to $97.

Getting Started

With your Pi assembled it's time to write an OpenWrt image to your microSD card. One option is to use wulfy23's excellent build which should get you up and running with minimum fuss. Another is to use the stock image OpenWrt provides; however the stock image lacks a driver for the USB dongle. The last, and the one we'll explore here, is to build a customized image with the needed packages. Luckily for us the OpenWrt firmware selector website makes it easy to request such an image.

To get started, navigate to the firmware selector server at https://firmware-selector.openwrt.org/. Start typing Raspberry Pi 4 into the search field and select Raspberry Pi 4B/400/4CM (64bit). Now expand the Customize accordion.

We are now free to add additional packages to our firmware image. Nice! Go ahead and add these three packages to the end of the list: kmod-usb-net-rtl8152 luci luci-ssl. This will ensure that both the USB Ethernet driver and the LuCI web interface are baked into our custom image.

Click Request Build and go top up your coffee while you wait for your image to be built. Once it's ready, download the FACTORY (EXT4) image. Decompress the gzipped image and finally flash it to your microSD card using the tool of your choice.

Getting Online

Connect your Pi's onboard Ethernet port to your LAN. Connect your WAN connection to the USB dongle, but DO NOT connect it to the Pi just yet. Navigate to http://192.168.1.1 in your browser and log in without a password. Immediately do the following:

  • Navigate to System -> Administration -> Router Password and configure a strong password.
  • Navigate to System -> Administration -> SSH Access and configure the SSH server to listen only on the LAN interface.
  • If desired, provide a public key for SSH login in System -> Administration -> SSH-Keys

Now that LuCI (OpenWrt's web-based configuration interface) and SSH have both been locked down you may connect the USB Ethernet dongle. Navigate to Network -> Interfaces -> Devices and confirm that you see a new eth1 device. If you don't, restart your router from System -> Reboot.

Click back to the Interfaces tab. Add a new interface called WAN using the correct protocol for your internet service and attach it to the new eth1 interface. Complete any additional configuration steps based on your chosen protocol, then save and apply your changes.

If your ISP requires your WAN device to communicate over a specific VLAN, use the "custom" device field to provide the VLAN ID in the form DEVICE.VLANID, e.g. eth1.10.

Navigate to Firewall Settings and confirm that the new WAN interface is set as the firewall zone.

During this step, you also need to navigate to the "Firewall Settings" tab, and assign "WAN" as the firewall zone.

You should now be connected to the Internet!

Maximizing Performance

In its current configuration your router will effortlessly route a symmetric gigabit connection. However, there are a handful of things we can do to wring even more performance out of the Pi.

Configuration Tweaks

  • Navigate to Network -> Interfaces -> Global network options and enable Packet Steering. This feature helps ensure that all packets belonging to a particular flow are handled by the same processing core, enhancing performance. See here for a helpful introduction to the concept.

  • Navigate to Network -> Firewall and verify the Software flow offloading setting. If you intend to use SQM you will want to leave this feature disabled. If you will not be using SQM go ahead and enable it now.

Enabling irqbalance

IRQs are the mechanism by which your network interfaces inform the operating system that there is work to be done. By default these requests will be handled by a single CPU core which can result in a bottleneck in situations where the lone core can't keep up.

This is where the irqbalance package comes in. This daemon monitors processor load and IRQ volume and distributes the IRQs across different CPU cores, easing the bottleneck.

Using irqbalance is as straightforward as it gets: just install it from System -> Software and either reboot the router or manually start the service from System -> Startup to ensure that the daemon is running. You should now see an irqbalance process in Status -> Processes.

Overclocking the CPU

Your new router's CPU can be overclocked to 2 GHz with a simple configuration change. Do the math - that's a 33% performance bump across all cores for free! While the higher frequency will necessarily translate to more heat, a quality case designed for passive cooling or any active cooling solution should have no trouble keeping your Pi at a comfortable temperature.

While even higher overclocks are possible (and despite conventional wisdom will no longer void your warranty as of the Pi 4) I think the extra juice is unlikely to be worth the squeeze for most.

To enable the overclock simply add the following lines to the bottom of /boot/config.txt, then reboot:

over_voltage=6
arm_freq=2000

Putting it all together

Here are a handful of Ookla speedtests and Waveform bufferbloat tests to give you an idea of what you can expect both with and without SQM enabled.

Without SQM

[image]

With SQM

Settings:

sqm.eth1=queue
sqm.eth1.qdisc='cake'
sqm.eth1.debug_logging='0'
sqm.eth1.verbosity='5'
sqm.eth1.linklayer='ethernet'
sqm.eth1.overhead='44'
sqm.eth1.script='piece_of_cake.qos'
sqm.eth1.interface='pppoe-WAN'
sqm.eth1.download='850000'
sqm.eth1.upload='850000'
sqm.eth1.enabled='1'

[image]

16 Likes
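
Added example, not part of the original post or of the OpenWrt project: a POSIX shell check for the two lock-down steps in the guide above (SSH listening only on the LAN interface, and the WAN interface assigned to a filtering firewall zone), run over `uci show` text. The sample configuration is constructed and the function names are this example's own; it assumes the anonymous `@zone[N]` firewall sections of a default install.

```shell
#!/bin/sh
# Added example: checks `uci show` text for the guide's two lock-down steps.
# On the router: { uci show dropbear; uci show firewall; } | ssh_bound_to lan

# Constructed sample: SSH is bound to lan, but an interface named 'WAN'
# (the name used in the guide) has not been assigned to any firewall zone.
SAMPLE="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].Interface='lan'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'"

# ssh_bound_to IFACE: succeed only if every dropbear instance has
# Interface=IFACE. An instance without the option listens on all interfaces.
ssh_bound_to() {
    awk -v want="$1" -F"'" '
        /^dropbear\.@dropbear\[[0-9]+\]=dropbear$/ { inst++ }
        /^dropbear\.@dropbear\[[0-9]+\]\.Interface=/ { if ($2 == want) ok++ }
        END { exit !(inst > 0 && ok == inst) }'
}

# zone_input_for IFACE: print the input policy of the zone listing IFACE,
# UNSET if that zone sets none, UNZONED if no zone lists it.
# Names are compared exactly; UCI names are case-sensitive.
zone_input_for() {
    awk -v want="$1" -F"'" '
        { match($0, /\[[0-9]+\]/); z = substr($0, RSTART, RLENGTH) }
        /^firewall\.@zone\[[0-9]+\]\.network=/ {
            for (i = 2; i <= NF; i += 2) if ($i == want) hit[z] = 1 }
        /^firewall\.@zone\[[0-9]+\]\.input=/ { pol[z] = $2 }
        END { for (z in hit) { print ((z in pol) ? pol[z] : "UNSET"); exit }
              print "UNZONED" }'
}

# wan_is_filtered IFACE: succeed only if IFACE is in a REJECT or DROP zone.
wan_is_filtered() {
    case "$(zone_input_for "$1")" in REJECT|DROP) return 0 ;; *) return 1 ;; esac
}

printf '%s\n' "$SAMPLE" | ssh_bound_to lan && echo "SSH: bound to lan only"
printf '%s\n' "$SAMPLE" | wan_is_filtered WAN || echo "WAN: no filtering zone"
```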

Once my NanoPi R4S shows up I thought it might be cool to do a roundup comparing the Pi, the R4S, and maybe a Belkin RT3200 as well. Let me know if you'd be interested in that and I'll see what I can do. :slight_smile:

4 Likes

hi @aporétique very good tutorial

for more conventional reasons and to have a decent wifi I tested the RT3200 in optical fiber which gave me very good results, with irq balance and packet steering enabled

1 Like

Thanks so much for sharing this! The RT3200/E8450 is definitely a terrific option (shoutout to @daniel for all of his hard work) and there's no contest if you need the onboard radios. If you get a chance I'd love to see what sort of numbers your setup can push with SQM enabled.

1 Like

You're welcome :wink: I'm on vdsl2 for the moment but if I remember max sqm is about 500 500

I has fiber on 2 month now :fire:

1 Like

We in Europe (Sweden) now after 20 years welcome you in the US to the normal every day standard in the big league of internet😃

3 Likes

A post was split to a new topic: Add OpenFlow to OpenWrt on Raspberry Pi

I am using the Raspberry Pi 3 as a portable router and have to say that the onboard Wifi works great. I use it as an access point and never had any trouble. Ok, I never looked at its speed, but stable it is.

I wonder if the reduced bandwidth with SQM enabled is due to the WAN interface being USB3 based. DFRobot now makes a carrier board for the Raspberry Pi 4 Compute Module that removes the USB3 controller and instead utilizes the Compute Module’s PCIe lane for connecting a second Gigabit Ethernet controller to the CPU. A Raspberry Pi 4 Compute Module installed into this carrier board should be able to provide better throughput with SQM enabled. DFRobot also has a plastic case for this carrier board.

This is the only carrier board I have found so far that has a second Gigabit Ethernet controller connected via the PCIe lane rather than via the USB3 controller. Other carrier boards with a second Gigabit Ethernet port utilize the USB3 controller, which is the same thing as plugging a USB3 Gigabit Ethernet dongle in the Raspberry Pi 4b’s USB3 port.

1 Like

Great guide! I'm getting 750mbit down with SQM enabled!

An important note to make is: do not use an ASIX-based Ethernet dongle. I started this with an ASIX dongle, but I was limited to 400mbit and the driver kept crashing every few hours. I replaced it with an RTL dongle, and I'm getting much higher speeds.

1 Like

when I initially read OP, I scanned for subject matter... (comprehensive, touches most bases, not too much bias)

reading a second time I'm in awe of just how well written it actually is... irregardless of subject matter

irqbalance has to be enabled in config. Otherwise it won't start automatically.

4 Likes

Thank you for putting together this great tutorial.

There is one step that was missing and it would be really helpful for newcomers like myself:

During this step, you also need to navigate to the "Firewall Settings" tab, and assign "WAN" as the firewall zone.

Seemed super obvious in hindsight but I thought this setting was under Firewall Settings and it took a lot of reading to finally get here.

I also needed a restart to get everything to work after setting up the firewall zone. Probably a restart for the firewall service would do. Not sure if this should be mentioned in this guide or I tripped up on some error.

1 Like

I found a weird problem with IRQBalance's install script:

under /etc/rc.d

K10S90irqbalance -> ../init.d/S90irqbalance
S90irqbalance -> ../init.d/S90irqbalance

That is incorrect. They should be pointing to /etc/init.d/irqbalance

So I need to run

root@OpenWrt:/etc/rc.d# rm S90irqbalance 
root@OpenWrt:/etc/rc.d# rm K10S90irqbalance 
root@OpenWrt:/etc/rc.d# ln -s ../init.d/irqbalance S90irqbalance 
root@OpenWrt:/etc/rc.d# ln -s ../init.d/irqbalance K10S90irqbalance

This issue would cause IRQBalance to not load if the OpenWRT is rebooted.

No, OpenWrt doesn’t write logs if you don’t set it up to do so. It only saves them in RAM and they are lost at reboot.

1 Like

Thanks for pointing this out! This was not necessary in my setup (not sure why?) but I'll add a note to double-check that setting after configuring the interface. Hope your new setup is treating you well so far. :slight_smile:

1 Like

I switched SD card and started a fresh install shortly after my first. I ended up having to assign the WAN port again, and I still needed to reboot to see everything working. Wonder if it's the version of my server. Thank you for getting back to us!

Not sure if these instructions are still current? I followed them, in relation to the custom image, burnt it and booted my RPi4 with just eth0 connected. I can ssh onto it with no issues but there's no web access via http://192.168.1.1 at all. netstat seemingly shows no web server running. Looking at the logs I can't see any obvious issues.

This is the default configuration.

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:6b17:596f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Hi there! It looks like it may now be necessary to explicitly request the luci and luci-ssl packages when you build a custom firmware image even using a non-snapshot version. You can verify that LuCI is present in the generated image by searching STDOUT for a string similar to:

Installing luci (git-20.074.84698-ead5e81) to root...

Alternatively since you've already flashed the image you can install it yourself with the following commands:

opkg update
opkg install luci
opkg install luci-ssl
/etc/init.d/uhttpd restart

Thanks for the heads-up, I'll update the guide!

2 Likes

Yes that sorted it (I started a-fresh and added the luci and luci-ssl packages to the build), thanks for the prompt response :slight_smile:

1 Like