# Pi-hole Blocker Project

**Status:** Planning / Not started
**Hardware:** Seeed Studio Dual-GbE Carrier Board with 4GB RAM + 32GB eMMC (CM4)
**URL:** https://www.seeedstudio.com/Dual-GbE-Carrier-Board-with-4GB-RAM-32GB-eMMC-RPi-CM4-Case-p-5029.html

---

## Decision Log

### 2026-04-04 — Initial Research

**Hardware selected:** CM4 with dual GbE + eMMC (no SD card!)

**Chosen approach:** Raspberry Pi OS Lite + Pi-hole (manual install)
- Full control
- Well-documented
- eMMC more reliable than SD
- Dual GbE enables passthrough or bridge mode

**Rejected:**
- Pre-built images (outdated, inflexible)
- DietPi (good but less common for troubleshooting)
- Docker (overkill for dedicated hardware)

---

## TODO (When Ready)

- [ ] Flash Raspberry Pi OS Lite (64-bit) to eMMC
- [ ] Enable SSH, set hostname before first boot
- [ ] First boot + network config
- [ ] Install Pi-hole: `curl -sSL https://install.pi-hole.net | bash`
- [ ] Configure upstream DNS (Cloudflare/Google/Quad9)
- [ ] Decide network mode: passthrough vs bridge vs VLAN
- [ ] Point router DNS to Pi-hole IP
- [ ] Test + document

---

## Network Config Notes (Dual GbE)

**Goal:** Transparent filtering for entire network

### Option 1: Single Port + Router DNS Redirect (Recommended) ⭐

```
Modem → Existing Router → Pi-hole (eth0 only) → All devices
                              ↳ Time Machine (same port)
```

**How:** Router forces all port 53 traffic to Pi-hole IP

**Pros:**
- Simplest setup
- Existing router handles DHCP/NAT (less to break)
- Time Machine works on same network
- Dual GbE not needed, but harmless

**Cons:**
- Devices can bypass with hardcoded DNS (8.8.8.8)
- Router must support DNS redirect/forced DNS

**Best for:** Most home setups, transparent operation

---

### Option 2: Bridge Mode (Dual GbE Active)

```
Router → eth0 ─┬─ Pi-hole (bridged) ─┬─ eth1 → Switch/House
               └─ Time Machine share ─┘
```

**How:** Both ports bridged at OS level, Pi acts as Layer 2 device

**Pros:**
- All traffic passes through (harder to bypass)
- Time Machine visible to all devices
- Existing router still handles DHCP/NAT

**Cons:**
- More complex network config (bridge interfaces)
- Pi becomes network dependency (if it dies, network dies)

**Best for:** Maximum coverage, willing to troubleshoot bridging

---

### Option 3: Full Inline Router (Dual GbE)

```
Modem → eth0 (WAN) → Pi-hole routes/NAT → eth1 (LAN) → House
                                              ↳ Time Machine on LAN side
```

**How:** Pi replaces your router entirely

**Pros:**
- Complete control, can't bypass
- Full firewall/NAT control
- True network segmentation possible

**Cons:**
- Most complex (DHCP, NAT, firewall rules)
- Single point of failure
- Time Machine only visible to LAN side
- Need to reconfigure entire network

**Best for:** Advanced users, want full network control

---

## Decision Log

### 2026-04-04 — Final Decisions

**Network Mode:** Option 1 — Single Port + Router DNS Redirect ⭐
- Existing router handles DHCP/NAT
- Router forces DNS to Pi-hole
- Time Machine on same network (no complications)
- Can upgrade to bridge mode later if needed

**Add-ons Confirmed:**
- ✅ Pi-hole (DNS ad-blocking)
- ✅ Unbound (recursive DNS, privacy)
- ✅ Time Machine (Mac backups via Samba + Avahi)
- ✅ Wireshark/tcpdump lab (packet capture for learning)
- ❌ WireGuard — SKIP (Tailscale already covers remote access)

**Location:** HOME (separate from brewery setup)

**Dual GbE Verdict:** NOT overkill — enables bridge mode for packet capture learning lab 🎓

**Rejected:**
- Pre-built Pi-hole images (outdated, inflexible)
- DietPi (less common for troubleshooting)
- Docker (overkill for dedicated hardware)
- Full inline router mode (too complex for v1)
- WireGuard (Tailscale = WireGuard, redundant)

---

## Learning/Lab Use Cases (Dual GbE Bonus!)

### Packet Capture & Analysis (Wireshark/tcpdump)

**Bridge mode = perfect learning lab:**

```
Router → eth0 → Pi (bridged) → eth1 → House
                  ↓
           Full packet capture
```

**What you can learn:**
- Wireshark filters and display rules
- Protocol analysis (DNS, HTTP, SMB, etc.)
- Network troubleshooting
- Security analysis (spot suspicious traffic)
- IoT device behavior (what's my Roomba actually doing?)

**Tools to install:**
- `wireshark` (GUI, needs X11/VNC) or `tshark` (CLI)
- `tcpdump` (lightweight CLI capture)
- `nethogs` (bandwidth by process)
- `iftop` / `ntopng` (real-time traffic visualization)

**Example commands:**

```bash
# Capture all traffic on eth0 to a pcap file (open later in Wireshark)
sudo tcpdump -i eth0 -w capture.pcap

# Live DNS query monitoring: print only the queried names
sudo tshark -i eth0 -Y "dns" -T fields -e dns.qry.name

# Real-time bandwidth by process, text mode, 5 refreshes then exit
sudo nethogs -t -c 5 eth0
```

**Privacy note:** You'll see EVERYTHING on your network — passwords in plaintext (HTTP), browsing history, device fingerprints. Great for learning, serious responsibility.

---

### Other Lab Scenarios

| Scenario | Setup | Learning Value |
|----------|-------|----------------|
| **Network segmentation** | VLANs on dual NIC | Enterprise networking |
| **Firewall rules** | iptables/nftables | Security hardening |
| **QoS testing** | Traffic shaping | Bandwidth management |
| **MITM analysis** | ARP spoofing detection | Security awareness |
| **Service monitoring** | Port scanning, service discovery | Network mapping |

---

**Verdict:** Dual GbE is NOT overkill if you want a learning lab. Bridge mode + packet capture = home network university. 🎓

---

## Add-on Modules (Optional)

### Confirmed Interest (2026-04-04)

| Add-on | Purpose | Notes |
|--------|---------|-------|
| **Time Machine Target** | Network backup for Macs | Samba + Avahi, ~50MB RAM |
| **Grafana + TILT Data** | Fermentation visualization | Pipe TILT data → InfluxDB → Grafana |
| **Fire Stick Display** | Brew house monitoring screen | Display Grafana dashboard on Fire Stick |

### Architecture Clarification (2026-04-04)

**Location split:**
- **Pi-hole CM4:** HOME (with dual GbE)
- **TILT Bridge:** BREWERY (ESP32)
- **Home Assistant:** BREWERY (separate instance)
- **Fire Stick:** BREWERY (display)

**Implication:** TILT data already lives at brewery HA. Fire Stick should just display brewery HA directly!

### Simplified Brew House Display

```
TILT → ESP32 Bridge → Brewery HA → Fire Stick (kiosk browser)
```

**No need to pipe to home!** Fire Stick points at `http://brewery-ha:8123/lovelace/fermentation-dashboard`

### Home Pi-hole Box Add-ons (Final)

| Add-on | Purpose | Priority |
|--------|---------|----------|
| Pi-hole | DNS ad-blocking | Core |
| Unbound | Recursive DNS (privacy) | High |
| Time Machine | Mac backups | High |
| Wireshark/tcpdump | Packet capture lab | Medium (learning) |
| Grafana (home metrics) | Network monitoring | Low (optional) |

---

## Time Machine Backup — Detailed Specs

### Requirements

| Item | Details |
|------|---------|
| **OS** | Raspberry Pi OS Lite (any version) |
| **Services** | Samba (SMB), Avahi (mDNS/Bonjour) |
| **Storage** | USB drive (SSD recommended) or network share |
| **RAM** | ~50MB overhead |
| **CPU** | Minimal (compression is client-side) |

### How It Works

```
Mac → Bonjour discovery (Avahi) → Samba share → USB drive on Pi
```

1. Avahi advertises `_adisk._tcp` service (Mac sees it as Time Machine destination)
2. Samba provides SMB share with Time Machine extensions
3. Mac backs up over network automatically

---

### Limitations

| Limitation | Impact | Workaround |
|------------|--------|------------|
| **Network speed** | First backup slow (hours), subsequent faster | Use Ethernet, not WiFi |
| **USB drive speed** | HDD = slow, SSD = fast | Use SSD for better experience |
| **Single user** | One Mac per sparsebundle (by default) | Can configure multi-user but tricky |
| **Backup size** | Limited by USB drive capacity | Use large drive (1TB+ recommended) |
| **No encryption** | Backups unencrypted on disk | Enable FileVault on Mac instead |
| **Pi must be on** | No backup if Pi is off | Set static IP, ensure uptime |

---

### Nice-to-Haves

| Feature | Why | How |
|---------|-----|-----|
| **SSD storage** | 10-20× faster than HDD | USB 3.0 SSD enclosure |
| **Dedicated partition** | Isolate backups from OS | Separate USB drive or partition |
| **Backup quotas** | Prevent one Mac from filling drive | `tmutil` setquota per Mac |
| **Auto-mount** | Survive reboots | `/etc/fstab` entry |
| **Monitoring** | Alert if backup fails | HA integration or cron check |
| **Multiple destinations** | Redundancy | Rotate between 2 USB drives |

---

### Setup Commands (Reference)

```bash
# Install Samba + Avahi
sudo apt install samba avahi-daemon

# Create backup share directory
sudo mkdir -p /srv/timemachine
sudo chown nobody:nogroup /srv/timemachine
sudo chmod 2777 /srv/timemachine

# Configure Samba (/etc/samba/smb.conf)
# Configure Avahi (/etc/avahi/services/timemachine.service)

# Restart services
sudo systemctl restart smbd avahi-daemon
```

---

### Estimated Setup Time

- **Fresh install:** ~30 minutes
- **First Mac backup:** 2-8 hours (depends on data size)
- **Subsequent backups:** 10-30 minutes (incremental)

---

*Created: 2026-04-04*
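The two "Configure Samba" / "Configure Avahi" steps in the setup commands are left as comments; as an added example (not from these notes), this shell helper writes the Samba share definition and the Avahi `_adisk._tcp` advertisement that step 1 of "How It Works" relies on. The share name `timemachine`, the `tmuser` account and the 500G cap are assumptions; the path matches the notes.

```shell
#!/bin/sh
# Added example: generate the Samba share + Avahi service files for the Time
# Machine target. SHARE_NAME, TM_USER and MAX_SIZE are assumed placeholders.
SHARE_PATH="${SHARE_PATH:-/srv/timemachine}"
SHARE_NAME="${SHARE_NAME:-timemachine}"
TM_USER="${TM_USER:-tmuser}"   # create first: sudo adduser tmuser && sudo smbpasswd -a tmuser
MAX_SIZE="${MAX_SIZE:-500G}"   # server-side cap so one Mac cannot fill the drive

# write_tm_configs DIR: writes DIR/samba/smb-timemachine.conf and
# DIR/avahi/services/timemachine.service. Preview into a temp dir first,
# then run with DIR=/etc (as root) for the real install.
write_tm_configs() {
  outdir="$1"
  mkdir -p "$outdir/samba" "$outdir/avahi/services"
  # Samba share: append to /etc/samba/smb.conf or pull in via "include = ...".
  # vfs_fruit must precede streams_xattr; "fruit:time machine" enables the
  # SMB extensions macOS requires before it accepts a share as a destination.
  cat > "$outdir/samba/smb-timemachine.conf" <<EOF
[$SHARE_NAME]
   path = $SHARE_PATH
   browseable = yes
   read only = no
   valid users = $TM_USER
   vfs objects = catia fruit streams_xattr
   fruit:time machine = yes
   fruit:time machine max size = $MAX_SIZE
EOF
  # Avahi: _adisk._tcp with adVF=0x82 is what makes macOS list the SMB share
  # as a Time Machine destination; adVN names the share advertised above.
  cat > "$outdir/avahi/services/timemachine.service" <<EOF
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_smb._tcp</type>
    <port>445</port>
  </service>
  <service>
    <type>_adisk._tcp</type>
    <port>9</port>
    <txt-record>dk0=adVN=$SHARE_NAME,adVF=0x82</txt-record>
    <txt-record>sys=waMa=0,adVF=0x100</txt-record>
  </service>
</service-group>
EOF
}
```

Using `valid users` instead of a guest share means only the Samba account you created can write backups, even though the directory itself is world-writable per the setup commands.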
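Back in the network notes, Option 1's con is that devices with hardcoded DNS (8.8.8.8) slip past the Pi-hole, and the packet-capture lab lists "spot suspicious traffic" as a learning goal. As an added example (not from these notes), here is a small detector for exactly that: it reads the tshark field output the lab section uses and reports which clients are asking resolvers other than the Pi-hole. The Pi-hole address 192.168.1.53 and the capture lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: spot clients that bypass the Pi-hole with a hardcoded resolver.
# Assumed: PIHOLE_IP is the Pi-hole's address; input lines are tab-separated
# "src<TAB>dst<TAB>query" as produced by
#   sudo tshark -i eth0 -Y "dns.flags.response == 0" -T fields -e ip.src -e ip.dst -e dns.qry.name
# (queries only, so answers coming back from 8.8.8.8 are not counted as bypasses).
PIHOLE_IP="${PIHOLE_IP:-192.168.1.53}"

# dns_bypass_report: reads tshark field lines on stdin; prints one
# "client resolver count" line per client/resolver pair that is not the Pi-hole.
dns_bypass_report() {
  awk -F'\t' -v pihole="$PIHOLE_IP" '
    NF >= 3 && $2 != pihole { n[$1 " " $2]++ }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Constructed sample capture: .20 and .30 use the Pi-hole, .40 talks to public
# resolvers directly (what the Option 1 "hardcoded DNS" con looks like on the wire).
sample_capture() {
  printf '%s\t%s\t%s\n' \
    192.168.1.20 192.168.1.53 example.com \
    192.168.1.30 192.168.1.53 apple.com \
    192.168.1.40 8.8.8.8 ads.example.net \
    192.168.1.40 8.8.8.8 tracker.example.org \
    192.168.1.40 1.1.1.1 example.com
}

# Run against the sample; on the Pi, pipe the live tshark command in instead.
sample_capture | dns_bypass_report
```

Clients that show up here are the ones the router-side port 53 redirect from Option 1 needs to catch; an empty report after enabling that redirect confirms it is working.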