eth0 - WAN Interface (Internet Gateway)

Overview

The eth0 interface provides WAN (Wide Area Network) connectivity to the Internet via your ISP. This is the primary uplink interface that connects Pimeleon to your cable modem, DSL modem, or upstream network gateway. All internal traffic from LAN interfaces is masqueraded (NAT) through this interface to provide internet access.

Built-in Hardware: The eth0 interface uses the Raspberry Pi's built-in Gigabit Ethernet port, providing reliable WAN connectivity without requiring additional hardware. This is the primary WAN interface for all Pimeleon deployments.

Hardware Details

• Type: Built-in Gigabit Ethernet (Raspberry Pi 3B+/4)
• Connection: Direct connection to ISP modem/gateway
• Speed: Up to 1000 Mbps (Gigabit)
• Driver: bcmgenet (built-in kernel module)
• MAC Address: Unique per device (e.g., b8:27:eb:xx:xx:xx)

Network Configuration

• Type: WAN (Wide Area Network) - Internet Gateway
• IP Address: Dynamic (DHCP assigned by ISP) - typical
• Example IP: 203.0.113.x/24 (assigned by your ISP)
• Gateway: Assigned by ISP DHCP server
• DNS: Configured via DHCP or static override
• Status: DHCP client mode (default)

Device Classification

• Security Zone: WAN (Untrusted)
• Direction: Inbound internet traffic
• Firewall: Strict inbound filtering via nftables
• NAT: All internal networks (192.168.76.0/24) masqueraded through eth0
• Default Policy: DROP (all unsolicited inbound traffic blocked)

Monitoring Commands

# Interface status
ip addr show eth0

# Link speed verification
cat /sys/class/net/eth0/speed

# Gateway and routing table
ip route show default

# DNS servers
cat /etc/resolv.conf

# Interface statistics (packets/bytes/errors)
ip -s link show eth0

# Test internet connectivity
ping -I eth0 -c 4 8.8.8.8

# View firewall rules for WAN
sudo nft list chain inet filter input | grep eth0

Network Address Translation (NAT)

All internal traffic from LAN interfaces is translated through eth0 using IP masquerading (SNAT):

# Example NAT rule (configured automatically via nftables)
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "eth0" masquerade
    }
}

This allows internal devices (192.168.76.0/24) to access the internet using Pimeleon's public IP address.

NAT Behavior

• LAN Masquerading: 192.168.76.0/24 → Public IP (eth0)
• Connection Tracking: Stateful bidirectional communication maintained automatically
• Port Translation: Dynamic source port allocation for connection multiplexing
• Typical Capacity: Thousands of concurrent connections supported

Note: NAT configuration is handled automatically by Pimeleon. Manual configuration is typically not needed.

Troubleshooting

No Internet Connection

1. Check physical connection: Verify ethernet cable between Pimeleon and ISP modem
2. Verify link status: ip link show eth0 (should show UP,LOWER_UP)
3. Check IP assignment: ip addr show eth0 (should have public IP from ISP)
4. Test gateway reachability:

   ping $(ip route | grep default | awk '{print $3}')
   

5. Verify DNS resolution: nslookup google.com
6. Restart DHCP client:

   sudo dhclient -r eth0  # Release DHCP lease
   sudo dhclient eth0     # Request new lease
   

DHCP Issues

1. Check DHCP client service: systemctl status dhcpcd or systemctl status NetworkManager
2. Manual DHCP renewal: sudo dhclient -v eth0 (verbose mode for debugging)
3. Check ISP modem: Ensure modem has internet connectivity (check modem status lights)
4. MAC address registration: Some ISPs require MAC address registration/approval
5. Review DHCP logs: journalctl -u dhcpcd -f or journalctl -u NetworkManager -f

Performance Issues

1. Verify gigabit link: cat /sys/class/net/eth0/speed (should show 1000)
2. Check for errors: ip -s link show eth0 (look for RX/TX errors)
3. Test bandwidth: Use speedtest-cli or browser-based speed test
4. MTU optimization: Some ISPs require MTU < 1500 (common: 1492 for PPPoE)

   # Check current MTU
   ip link show eth0 | grep mtu
   
   # Test optimal MTU (adjust size until no fragmentation)
   ping -M do -s 1472 -c 4 8.8.8.8
   

5. Cable quality: Use CAT5e or CAT6 ethernet cable (avoid CAT5)

Firewall Debugging

# View nftables ruleset with packet counters
sudo nft list ruleset

# List WAN-specific rules for input chain
sudo nft list chain inet filter input

# View NAT rules
sudo nft list table ip nat

# Monitor kernel logs for firewall events
sudo dmesg | tail -50

Common Use Cases

ISP Modem Connection (Most Common)

ISP Network → Cable/DSL Modem → [eth0] Pimeleon → Internal Networks

• Configuration: DHCP client (automatic)
• IP Assignment: Dynamic public IP from ISP
• DNS: Provided by ISP or configured statically

Upstream Gateway Connection

Corporate Network → Gateway Router → [eth0] Pimeleon → Segmented LAN

• Configuration: DHCP client or static IP
• IP Assignment: Private IP from upstream network
• Use Case: Adding Pimeleon filtering to existing network

Static IP Configuration

For ISPs providing static IP addresses, configure eth0 manually:

# Example static IP configuration (replace with ISP-provided values)
sudo ip addr add 203.0.113.50/24 dev eth0
sudo ip route add default via 203.0.113.1
sudo sh -c 'echo "nameserver 8.8.8.8" > /etc/resolv.conf'

# Make persistent - edit /etc/dhcpcd.conf or /etc/network/interfaces

Hardware Specifications

Raspberry Pi 3B+

• Ethernet Controller: Built-in Gigabit Ethernet via USB 2.0 bus
• Theoretical Maximum: ~300 Mbps (limited by USB 2.0 bandwidth)
• Practical Throughput: 200-250 Mbps sustained
• Latency: Typically <1ms to ISP gateway
• CPU Usage: 15-25% at full WAN speed

Raspberry Pi 4

• Ethernet Controller: True Gigabit Ethernet (dedicated bus)
• Theoretical Maximum: ~940 Mbps (near-line-rate)
• Practical Throughput: 800-900 Mbps sustained
• Latency: Typically <1ms to ISP gateway
• CPU Usage: 10-15% at full WAN speed

Security Considerations

The WAN interface requires strict inbound filtering to protect against external threats:

• Stateful Firewall: Connection tracking with ESTABLISHED/RELATED acceptance
• Default Policy: DROP all unsolicited inbound traffic
• TCP Validation: Malformed packet detection and dropping
• fail2ban Integration: Dynamic IP blocking for brute-force attempts

See Firewall Architecture for complete nftables configuration and security features.

Related Configuration Files

# DHCP client configuration
/etc/dhcpcd.conf

# Network interface configuration
/etc/network/interfaces

# DNS resolver configuration
/etc/resolv.conf

# nftables firewall rules
/etc/nftables.conf

Service Management

# View nftables service status
sudo systemctl status nftables.service

# Reload firewall rules (without dropping connections)
sudo systemctl reload nftables.service

# Restart networking (will drop connections)
sudo systemctl restart networking

# View DHCP client status
sudo systemctl status dhcpcd

Related Documentation:

• Network Topology - Overall network architecture
• IP Allocation - Network addressing and NAT configuration
• eth1 - LAN Interface - LAN interface configuration
• wlan0 - WiFi Interface - Wireless interface configuration
• Firewall Architecture - nftables firewall design and security features

← Network Topology | [🏠 Documentation Home//) | Dashboard →