There are a lot of newly security conscious people out there, so today we're going to attempt to build a fail-closed firewall, and as a bonus we get a tiny workstation, too.
Attention Conservation Notice:
Hands-on single board computer and Linux stuff will be found herein. I'm starting to suspect the savings in money and weight for the little Pi are not worth the headaches one gets trying to make it work.
Hardware:
We're going to use an Orange Pi Zero 3 for this. The machine needs power via USB-C, and I've pointedly not included that, because there are a number of variables as to how this is done, and most people have at least one idle USB wall wart power supply.
The 1GB machine is $25. A 4GB is $36. If you think you might actually make use of the workstation function, that additional $11 is money well spent.
The SanDisk Extreme cards with the red/gold colors are 30 MB/s. The red/silver ones are limited to 10 MB/s. If you've just got an old, small microSD lingering, that'll do just fine for firewall duty. You'll be much happier with red/gold if you're going to use the workstation function.
If you're going the workstation route you'll need a keyboard, mouse, micro-HDMI to HDMI cable, and a USB hub. The little Pi has just one USB-A port free.
The aluminum armor leaves the WiFi antenna flopping around. If you've got half a dozen 4″ zip ties you can rig a harness that will keep it attached. There are factory boxes that offer a place for the antenna, but I didn't like the looks of any of them and I prefer silent passive cooling.
If you need ethernet to ethernet rather than ethernet/wifi, there are various SBCs that provide that, but they all cost much more than the Orange Pi Zero 3. This dongle is a cost effective solution for that problem that also solves the need for additional USB-A ports for keyboard/mouse.
Software:
The Orange Pi Zero 3 manual provides a simple recipe for building a hotspot, which is found on pages 76 to 82. While the instructions are correct in principle, the create_ap tool used in the example is long past end of life.
If you read the earlier articles, you know I just tried images from the Orange Pi Zero 3 support page until I got one that worked. The one that worked first is the very dated Orange Pi OS, the builder's internal Linux distro. There are Chinese surnames in the documentation and the English is at times clumsy. Orange is a mainland China company.
The official image stumbled badly when it came to checking that all the packages needed for hotspot duty were present. Having slept a bit since I first touched these distros, I quickly got Ubuntu unpacked and onto a microSD.
Given what is happening between the U.S. and China, in particular the part about banning TP-Link from operating here … once I started the OS update, I got the feeling I'm going to have a LOT of work building a distro of my own. But until the testing portion of the process is complete, we'll just accept what's been given.
Hot Spottin':
There are two alternatives listed on the create_ap GitHub page. The linux-wifi-hotspot is aimed at … surprise … the Linux hotspot market. I'm making a mental note of that one, but linux-router seems to be a much better fit for what we're trying to do here. We're going to hotspot, certainly, but there's also the small matter of Tailscale, and some monitoring, and and and …
Trying to get linux-router running on Orange Pi OS is not something I'd send a new Linux user out to do. Some of the required packages are not available to pacman, the Arch Linux package manager. It took me five minutes with Google to find what I needed, but those who are not command line ninjas would likely retreat. This was an exercise in futility: start that package on Pi OS and it wedges network activity until you kill it.
The switch to Ubuntu made things smooth - the requirements were already present. But then again we encounter this:
Since I have a couple of Raspberry Pi 5 machines running Ubuntu, I changed over to one of those. I had to install hostapd and haveged, but otherwise the machines had what they needed from the Raspberry Ubuntu install. And they work just fine: issue this command and you've got yourself a working hotspot.
So what happened here? Some WiFi controllers are just not able to do AP duty, but this model clearly has done it in the past, so it's not some janky miniPC Realtek thing that will just never, ever work. The software is really old, and sometimes a chip gets a revision and things stop working.
I spent a little time trying to get a look at what the hostapd binary was doing as it failed, but it wasn't obvious where to slip strace into the lnxrouter script so I could keep an eye on it. Running hostapd on its own was also a no go: the script crafts a command line call to it, and there's nothing in /etc that provides enough information to start it in a similar fashion.
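Two diagnostics for the failure described above, added here as an example and not part of the original post: the first parses `iw list` output to confirm the WiFi chip advertises AP mode at all, the second drops a strace wrapper named hostapd ahead of the real binary in PATH, so the command line lnxrouter crafts gets traced without touching the script. It assumes lnxrouter finds hostapd through PATH; the directories and file names used are placeholders.

```shell
#!/bin/sh
# Added example; not from the post or the linux-router project.

# Return 0 if the `iw list` text on stdin lists "* AP" under
# "Supported interface modes:". Reading stdin lets it run on
# constructed output as well as on the live `iw list`.
wifi_supports_ap() {
    awk '
        /Supported interface modes:/ { inmodes = 1; next }
        inmodes && /^[[:space:]]*\* / {
            sub(/^[[:space:]]*\* /, "")
            if ($0 == "AP") found = 1
            next
        }
        inmodes { inmodes = 0 }   # first non-bullet line ends the block
        END { exit found ? 0 : 1 }
    '
}

# Write a wrapper named hostapd into $1 that runs the real binary ($2)
# under strace and appends the trace to $3. -f follows forked children,
# -o keeps strace output out of hostapd's own stdout/stderr.
make_hostapd_shim() {
    shimdir=$1; real=$2; trace=$3
    mkdir -p "$shimdir"
    cat > "$shimdir/hostapd" <<EOF
#!/bin/sh
exec strace -f -o "$trace" "$real" "\$@"
EOF
    chmod 755 "$shimdir/hostapd"
}

# Usage on the board (hypothetical paths, not run here):
#   iw list | wifi_supports_ap && echo "AP mode advertised"
#   make_hostapd_shim /tmp/shim /usr/sbin/hostapd /tmp/hostapd.trace
#   sudo env PATH="/tmp/shim:$PATH" lnxrouter <your usual arguments>
# (sudo's secure_path would otherwise drop the shim directory from PATH.)
```

If the first check reports no AP mode, hostapd can never bring the interface up and the trace will only confirm that; if AP mode is advertised, the trace shows which ioctl or nl80211 call hostapd fails on.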
So for the moment this effort is much more theory than reality. The only win in this is that I now know what it takes to get a Raspberry Pi 5 doing the desired work. They cost about double and weigh about triple, but they're an order of magnitude faster, and I'd be dealing with one very well supported SBC instead of a diversifying flock of them.
Conclusion:
When you buy an Orange Pi, there will be a miniature OS on the SPI flash. I've never bothered to check but I probably should: does it phone home when booted without a microSD? Does it have any role in the boot process when you do have a microSD?
We're not stuck with the vendor supported images, but not using them means building your own from a generic ARM64 OS. I can probably get that done w/o much trouble, but the rest of you are going to want something involving Raspberry Pi Imager, an install process that just works.
This is a virtual supply chain problem, and we're liable to have some real ones at the physical layer. Orange Pi makes more money on their larger boards, but they're all Rockchip RK3588 based. If the rumors of that vendor exiting the SBC market completely are true, Orange Pi may go up in smoke.
And if the tariff noises we've been hearing turn into actual tariff policies, there may be a lot more than one unlucky SBC builder going missing in the coming days.
I don't regret acquiring the little Pi. Even though hotspot support is perhaps unattainable, it's suitable for fail-closed firewall duty so long as the machine to protect connects via ethernet, rather than by WiFi.
We'll come back to this task again soon, probably using one of the big box Pi 5s for the proof of concept, before I lay hands on another board to put in the empty Pi 5 aluminum armor case lurking in my parts drawer.