Small Office Deployment Guide

Deploy Pimeleon router in office network


Deploy Pimeleon router in a small office environment to provide enterprise-grade network filtering, monitoring, and management for 20-100 users. This guide focuses on reliability, professional features, and business requirements.

Office Network Requirements

Typical office needs:

  • 20-100 concurrent devices
  • Internet speeds: 500-1000 Mbps
  • Separate trusted and guest networks
  • Content filtering for productivity
  • Network monitoring and logging
  • 24/7 reliable operation
  • Professional support expectations

What Pimeleon provides:

  • Enterprise DNS filtering
  • Network segmentation (trusted vs guest)
  • DHCP with reservations
  • Firewall and access controls
  • Comprehensive logging
  • Real-time monitoring

Small Office Setup (about $200)

For: 20-50 devices, professional reliability

  • Raspberry Pi 4 (4GB) ($55) - Extra RAM for logging
  • SanDisk High Endurance 64GB ($25) - 24/7 rated
  • Official 3A USB-C power ($8)
  • Premium tower cooler ($18) - Active cooling required
  • DIN rail case ($25) - Cabinet mounting
  • USB Ethernet adapter ($20) - Separate WAN/LAN
  • UPS battery backup ($40) - Power protection
  • Ethernet cables ($10)

Total cost: about $200 for the parts listed (prices vary by supplier). Performance: 900+ Mbps routing, 20-50 devices, reliable 24/7 operation

Medium Office Setup (about $355)

For: 50-100+ devices, maximum reliability

  • Raspberry Pi 4 (8GB) ($75)
  • Industrial SD card 128GB ($50)
  • PoE HAT ($20) + PoE injector ($15)
  • High-performance cooling ($25)
  • Rack mount case ($50)
  • Dual USB Ethernet adapters ($40)
  • Enterprise UPS ($60)
  • Professional cables ($20)

Total cost: about $355 for the parts listed. Performance: 900+ Mbps routing, 50-100+ devices, enterprise-grade reliability

Office Deployment Architecture

Network Topology

Recommended setup:

Internet
    │
ISP Modem (bridge mode)
    │
Pimeleon router [primary gateway]
    ├── eth0: WAN (ISP)
    ├── eth1: Trusted LAN (192.168.76.0/24) - Workstations, servers
    └── wlan0: Guest WiFi (192.168.77.0/24) - Visitors, BYOD

wlan0 is the Pi's onboard radio running as an access point (hostapd). It is fine for a handful of visitors; a busy BYOD network should get a dedicated access point, placed on the guest network so the same firewall zone applies to it.

With managed switch (recommended for offices):

Internet → Modem → Pimeleon router
                        │
                   Managed switch
                        ├── VLAN 10: Management (192.168.70.0/24)
                        ├── VLAN 20: Workstations (192.168.76.0/24)
                        ├── VLAN 30: Servers (192.168.80.0/24)
                        └── VLAN 40: IoT/Printers (192.168.90.0/24)

In this layout eth1 carries an 802.1Q trunk to the switch, and each VLAN appears on the Pi as a tagged subinterface (eth1.10, eth1.20, and so on) with its own address, DHCP subnet and Shorewall zone. The switch alone only separates the VLANs at layer 2; any VLAN the Pi does not terminate is neither routed nor filtered by it. The configuration below uses the simpler two-interface layout (eth1 trusted, wlan0 guest).

Step-by-Step Office Deployment

Phase 1: Planning (Before Installation)

  1. Document existing network:
    • Current IP scheme and DHCP ranges
    • Static IPs and reservations
    • Port forwards and firewall rules
    • VPN configurations
    • Critical services and dependencies
  2. Schedule deployment window:
    • After hours or weekend
    • Notify all staff
    • Plan 4-6 hour window
    • Have rollback plan ready
  3. Prepare backup equipment:
    • Keep old router accessible
    • Have backup internet (mobile hotspot)
    • Spare ethernet cables
    • USB Ethernet adapters tested

Phase 2: Hardware Installation (30 minutes)

  1. Professional mounting:
    • Install DIN rail case in network cabinet
    • Ensure adequate ventilation (minimum 2U space)
    • Cable management with velcro ties
    • Label all cables clearly
  2. Power redundancy:
    • Connect to UPS
    • Test UPS battery capacity (should last 15+ minutes)
    • Configure UPS monitoring (optional)
  3. Physical security:
    • Cabinet locked when unattended
    • Console access restricted
    • Consider camera monitoring

Phase 3: Network Configuration (60-90 minutes)

Primary Gateway Configuration:

  1. WAN Interface:
    sudo nano /etc/dhcpcd.conf
    
    interface eth0
    # Only if the ISP assigned a static address. If the ISP uses DHCP,
    # leave these three lines out and dhcpcd takes the lease itself.
    # Use the prefix length the ISP gave you; /24 is just a placeholder.
    static ip_address=<ISP_PROVIDED>/24
    static routers=<ISP_GATEWAY>
    static domain_name_servers=1.1.1.1
    
  2. Trusted LAN (eth1):
    interface eth1
    static ip_address=192.168.76.1/24
    
  3. Guest WiFi (wlan0):
    # wlan0 is an access point under hostapd, so stop dhcpcd from
    # handing it to wpa_supplicant as a client interface
    interface wlan0
    nohook wpa_supplicant
    static ip_address=192.168.77.1/24
    
  4. DHCP Configuration:
    sudo nano /etc/dhcp/dhcpd.conf
    
    # Send DHCPNAK to clients still holding leases from the old router,
    # so they renew here instead of waiting for the old lease to expire
    authoritative;
    
    # Trusted network
    subnet 192.168.76.0 netmask 255.255.255.0 {
      range 192.168.76.100 192.168.76.200;
      option routers 192.168.76.1;
      option domain-name-servers 192.168.76.1;
      # .local is reserved for mDNS (RFC 6762); if you are free to choose,
      # a suffix such as office.lan avoids clashes with Bonjour/Avahi
      option domain-name "office.local";
      default-lease-time 28800;   # 8 hours
      max-lease-time 86400;       # 24 hours
    }
    
    # Guest network - restricted, short leases so the pool recycles quickly
    subnet 192.168.77.0 netmask 255.255.255.0 {
      range 192.168.77.100 192.168.77.200;
      option routers 192.168.77.1;
      option domain-name-servers 192.168.77.1;
      default-lease-time 3600;    # 1 hour
      max-lease-time 7200;        # 2 hours
    }
    
    # Static assignments for servers/printers (addresses outside the dynamic range)
    host fileserver {
      hardware ethernet aa:bb:cc:dd:ee:ff;
      fixed-address 192.168.76.10;
    }
    
    host printer1 {
      hardware ethernet 11:22:33:44:55:66;
      fixed-address 192.168.76.20;
    }
    
    Bind dhcpd to the internal interfaces only, so it never answers on the ISP side: set INTERFACESv4="eth1 wlan0" in /etc/default/isc-dhcp-server, then sudo systemctl restart isc-dhcp-server.

Phase 4: Firewall Rules (30 minutes)

Shorewall configuration for office. Rules are evaluated before policies, so the policy file sets the defaults and the rules file carves out the exceptions. The zones used here (net, lan, guest) must also be bound to eth0, eth1 and wlan0 in /etc/shorewall/interfaces, and both private networks need an snat entry on eth0, or the configuration will not compile and nothing will reach the internet.

sudo nano /etc/shorewall/zones

#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
guest   ipv4

sudo nano /etc/shorewall/policy

#SOURCE DEST    POLICY    LOG
$FW     net     ACCEPT
$FW     lan     ACCEPT
$FW     guest   ACCEPT
lan     net     ACCEPT
lan     $FW     REJECT              # Router services are opened per rule below (an ACCEPT here would make the admin-host rule meaningless)
guest   net     ACCEPT              # Internet only
guest   $FW     DROP                # No admin access; DNS is opened explicitly below
guest   lan     DROP                # No LAN access
net     all     DROP      info      # Block and log unsolicited inbound
all     all     REJECT    info

sudo nano /etc/shorewall/rules

#ACTION         SOURCE              DEST                    PROTO   DPORT
# Internal zones may use the router's DNS filter; the LAN may also ping it.
# DHCP needs no rule once the 'dhcp' option is set on eth1 and wlan0 in the interfaces file.
DNS(ACCEPT)     lan                 $FW
DNS(ACCEPT)     guest               $FW
Ping(ACCEPT)    lan                 $FW

# Management (SSH and the admin web UI) from one workstation only
ACCEPT          lan:192.168.76.50   $FW                     tcp     22,80,443

# Guests may print but reach nothing else on the trusted LAN
ACCEPT          guest               lan:192.168.76.20       tcp     9100,515,631

# Port forwards for services (if needed); DNAT also admits the traffic from net
DNAT            net                 lan:192.168.76.10:80    tcp     80      # Web server
DNAT            net                 lan:192.168.76.10:443   tcp     443     # HTTPS

Run sudo shorewall check before sudo shorewall restart. On Debian-based images also set startup=1 in /etc/default/shorewall, or the firewall will not come up at boot.
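The zones, policy and rules files above are not a complete Shorewall configuration: without an interfaces file the compiler refuses to run, and without an snat entry nothing behind the router reaches the internet. The script below is an added example, not part of Pimeleon: it writes those two files for the eth0/eth1/wlan0 layout of this guide and then runs shorewall check against them without loading anything. The directory, interface names and subnets are assumptions taken from this guide.

```shell
#!/bin/sh
# Added example, not Pimeleon code: writes the two Shorewall files the
# guide leaves out (interfaces and snat) for the eth0/eth1/wlan0 layout
# above, then compiles the result without loading it. Interface names,
# subnets and SHOREWALL_DIR are assumptions taken from this guide.
set -eu

SHOREWALL_DIR="${SHOREWALL_DIR:-/etc/shorewall}"

# Bind each zone from the zones file to an interface. 'dhcp' lets DHCP
# pass to and from the firewall regardless of policy (eth0 takes a lease,
# dhcpd serves eth1 and wlan0); routefilter, nosmurfs and tcpflags add
# anti-spoofing and malformed-packet checks, logmartians logs spoofed sources.
write_interfaces() {
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
lan     eth1        dhcp,tcpflags,nosmurfs
guest   wlan0       dhcp,tcpflags,nosmurfs
EOF
}

# Masquerade both private networks behind the WAN address (Shorewall 5
# 'snat' file; older releases used /etc/shorewall/masq with swapped columns).
write_snat() {
    cat > "$1/snat" <<'EOF'
#ACTION      SOURCE                              DEST
MASQUERADE   192.168.76.0/24,192.168.77.0/24     eth0
EOF
}

write_shorewall_extras() {
    mkdir -p "$1"
    write_interfaces "$1"
    write_snat "$1"
}

# Number of zone-to-interface bindings written (sanity check: should be 3)
binding_count() {
    grep -c -v '^#' "$1/interfaces"
}

# 'shorewall check DIR' compiles a configuration taking files from DIR first
# and /etc/shorewall for anything not present there; it loads no rules.
check_config() {
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$1"
    else
        echo "shorewall not installed, skipping compile check" >&2
    fi
}

if [ "${1:-}" = "apply" ]; then
    write_shorewall_extras "$SHOREWALL_DIR"
    check_config "$SHOREWALL_DIR"
fi
```

Run it as root with the argument apply; without arguments it only defines the functions. Review the generated files before sudo shorewall restart.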

Phase 5: DNS Filtering Configuration (20 minutes)

Office-appropriate filtering:

  1. Access admin interface:
    http://192.168.76.1/admin
    (from the admin workstation the firewall rules allow to reach the router's web UI)
    
  2. Configure upstream DNS:
    • Primary: Cloudflare 1.1.1.2 (Cloudflare's malware-blocking resolver, branded "1.1.1.1 for Families")
    • Secondary: Google DNS (8.8.8.8)
    • Enable DNSSEC
  3. Add business blocklists:
    • Social media (Facebook, Twitter, Instagram) - if policy requires
    • Streaming (Netflix, YouTube) - during work hours only
    • Malware and tracking domains
    • Cryptocurrency mining domains
  4. Create groups:
    • Admin Group: Minimal filtering
    • Staff Group: Standard business filtering
    • Guest Group: Strict filtering (groups only control blocking; bandwidth limits come from the tc setup under Bandwidth Management below)
  5. Conditional forwarding:
    • The DNS filter's conditional forwarding sends lookups for the local domain (office.local) and reverse lookups to a separate DHCP server that knows the lease hostnames. With ISC dhcpd running on the Pi itself there is no such server to forward to, so leave it disabled, or switch to the DNS filter's built-in DHCP server (Settings > DHCP) so it learns hostnames from its own leases.

Phase 6: Monitoring and Logging (20 minutes)

Enable comprehensive logging:

  1. Syslog to external server (optional but recommended):
    sudo nano /etc/rsyslog.conf
    
    # Forward everything over TCP (@@ = TCP, @ = UDP)
    *.* @@log-server.office.local:514
    # This is plaintext: query logs and client addresses cross the network
    # unencrypted. Keep the log server on the management network, or install
    # rsyslog-gnutls and forward with omfwd using StreamDriver="gtls".
    
  2. DNS filter query retention:
    sudo nano /etc/pihole/pihole-FTL.conf
    
    MAXDBDAYS=90  # FTL keeps 365 days by default; 90 is a data-minimisation choice, not an increase
    
    Restart with sudo systemctl restart pihole-FTL.
  3. Network monitoring:
    # Install monitoring tools
    sudo apt install vnstat iftop
    
    # vnstat 2.x picks up interfaces automatically once its daemon runs;
    # add them explicitly if needed (the old -u/--update flag no longer exists)
    sudo systemctl enable --now vnstat
    sudo vnstat --add -i eth0
    sudo vnstat --add -i eth1
    

Office-Specific Features

Content Filtering by Schedule

Block social media during work hours:

# Create cron jobs (in root's crontab) that toggle a DNS filter group
sudo crontab -e

# Block social media 9 AM - 5 PM weekdays
0 9  * * 1-5 /usr/local/bin/work-hours.sh enable
0 17 * * 1-5 /usr/local/bin/work-hours.sh disable

Script example (one script handles both directions):

#!/bin/bash
# /usr/local/bin/work-hours.sh enable|disable
# Toggles the "WorkHours" group in the DNS filter's gravity database.
# The blocklists and clients assigned to that group in the admin UI
# are enforced only while the group is enabled.
set -euo pipefail

case "${1:-}" in
  enable)  state=1 ;;
  disable) state=0 ;;
  *) echo "usage: $0 enable|disable" >&2; exit 1 ;;
esac

sqlite3 /etc/pihole/gravity.db \
  "UPDATE \"group\" SET enabled=$state WHERE name='WorkHours';"

# Re-read the lists and flush the DNS cache so already-cached answers
# for blocked domains stop being served
pihole restartdns reload

Clients that use their own DNS-over-HTTPS or still hold cached answers will reach the sites for a while after the group is enabled; the firewall, not the DNS filter, is the place to enforce hard blocks.

Bandwidth Management

Prioritize business traffic:

# Using tc (traffic control). Shaping on eth1 controls traffic leaving the
# router towards the LAN, i.e. downloads; build the same tree on eth0 for uploads.
# Leaf classes need a common parent with a ceiling, otherwise each is capped at
# its own rate and the rest of the link sits idle; the default class must exist.
sudo tc qdisc add dev eth1 root handle 1: htb default 20

# Parent class: the whole link (leave headroom below the physical rate)
sudo tc class add dev eth1 parent 1: classid 1:1 htb rate 900mbit ceil 900mbit

# High priority: VoIP, video conferencing - 100mbit guaranteed, may borrow up to the ceiling
sudo tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100mbit ceil 900mbit prio 0

# Medium priority: normal traffic (the default class)
sudo tc class add dev eth1 parent 1:1 classid 1:20 htb rate 600mbit ceil 900mbit prio 1

# Low priority: streaming, social media
sudo tc class add dev eth1 parent 1:1 classid 1:30 htb rate 200mbit ceil 900mbit prio 2

# Classify: packets marked DSCP EF (voice) go to the high-priority class.
# Marks set by internet peers are often stripped in transit, so match by
# address or port as well where the VoIP provider's ranges are known.
sudo tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10

Compliance and Logging

GDPR/compliance considerations:

  • Document retention policies in admin interface
  • User consent for monitoring (consult legal)
  • Secure log storage
  • Regular log backups
  • Access controls on logs

# Automated log backup (root's crontab)
sudo crontab -e

# Daily backup of the DNS filter configuration and query database.
# The archive contains per-client query history, so create it unreadable to
# other users and keep /backup under the same access controls as the logs.
0 2 * * * umask 077; tar -czf /backup/pihole-$(date +\%Y\%m\%d).tar.gz /etc/pihole/

Office Maintenance Schedule

Daily (Automated)

  • Monitor temperature and system health
  • Check internet connectivity
  • Verify all services running
  • Review critical alerts
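The daily checks above are easy to automate. The script below is an added example, not Pimeleon's own tooling: it checks SoC temperature, root filesystem usage, the services this guide installs, and DNS resolution both through the local filter and directly upstream, and logs any failure to syslog so the Phase 6 forwarding carries it to the log server. The thresholds, the service list, the upstream resolver and the probe hostname are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not Pimeleon code): daily health check for the office router.
# Cron: 15 6 * * * /usr/local/bin/pimeleon-healthcheck.sh run
# Thresholds, service names, UPSTREAM and PROBE_HOST are assumptions; override via env.
set -u

TEMP_LIMIT_C="${TEMP_LIMIT_C:-70}"       # Pi 4 starts throttling at 80 C
DISK_LIMIT_PCT="${DISK_LIMIT_PCT:-85}"
SERVICES="${SERVICES:-pihole-FTL isc-dhcp-server shorewall hostapd}"
PROBE_HOST="${PROBE_HOST:-example.com}"
UPSTREAM="${UPSTREAM:-1.1.1.1}"

# Every failure goes to syslog (forwarded by the Phase 6 rsyslog rule) and stderr
alert() {
    logger -p daemon.warning -t healthcheck "$*"
    echo "WARN: $*" >&2
}

# temp_ok MILLIDEGREES LIMIT_C: succeeds when the SoC is below the limit
temp_ok() {
    [ "$1" -lt $(( $2 * 1000 )) ]
}

# disk_ok USED_PCT LIMIT_PCT: succeeds when usage is below the limit
disk_ok() {
    [ "$1" -lt "$2" ]
}

# df_used_pct "DF_LINE": extract the Use% column from one line of df -P,
# e.g. "/dev/root 29G 6.1G 22G 22% /" -> 22
df_used_pct() {
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

check_temp() {
    t=$(cat /sys/class/thermal/thermal_zone0/temp 2>/dev/null) || return 0
    temp_ok "$t" "$TEMP_LIMIT_C" \
        || alert "SoC at $((t / 1000)) C, limit $TEMP_LIMIT_C C: check cooling"
}

check_disk() {
    used=$(df_used_pct "$(df -P / | tail -n 1)")
    disk_ok "$used" "$DISK_LIMIT_PCT" \
        || alert "root filesystem ${used}% full: rotate logs or shorten MAXDBDAYS"
}

check_services() {
    for s in $SERVICES; do
        systemctl is-active --quiet "$s" || alert "service $s is not running"
    done
}

# Resolve through the local filter and directly upstream. If only the first
# fails the DNS filter is the problem; if both fail, suspect the WAN link.
check_dns() {
    [ -n "$(dig +short +time=3 +tries=1 @127.0.0.1 "$PROBE_HOST" 2>/dev/null)" ] \
        || alert "local resolver cannot resolve $PROBE_HOST"
    [ -n "$(dig +short +time=3 +tries=1 "@$UPSTREAM" "$PROBE_HOST" 2>/dev/null)" ] \
        || alert "upstream $UPSTREAM cannot resolve $PROBE_HOST (WAN down?)"
}

run_all() {
    check_temp
    check_disk
    check_services
    check_dns
}

if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Install it as /usr/local/bin/pimeleon-healthcheck.sh and add `15 6 * * * /usr/local/bin/pimeleon-healthcheck.sh run` to root's crontab; it needs dig (package dnsutils). Without the run argument the script only defines the check functions.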

Weekly

  • Update blocklists: pihole -g
  • Review DNS query logs for anomalies
  • Check firewall logs
  • Verify backup integrity

Monthly

  • System updates: sudo apt update && sudo apt upgrade
  • Review and rotate logs
  • Test UPS battery
  • Clean physical hardware (dust)
  • Review access logs

Quarterly

  • Full security audit
  • Review and update firewall rules
  • Capacity planning (are we outgrowing Pi?)
  • Update documentation
  • Test disaster recovery procedure

Business Considerations

SLA and Uptime

Target: 99.5% uptime (3.6 hours downtime/month)

Achieve through:

  • UPS for power protection
  • Spare hardware on-site
  • Automated monitoring and alerts
  • Regular maintenance windows
  • Documented recovery procedures

Support and Documentation

Create runbooks for:

  • Common troubleshooting scenarios
  • Restart procedures
  • Adding new devices
  • Modifying firewall rules
  • Responding to alerts

Cost Analysis

Initial investment: roughly $200-355 for the parts listed above

Ongoing costs: no licence or subscription fees. Budget for eventual SD card replacement (the query database writes to it constantly) and for the staff time in the maintenance schedule above.

Compare to commercial alternatives:

Commercial enterprise firewall solutions typically require:

  • Significant upfront hardware costs
  • Ongoing annual subscription fees for updates and support
  • Vendor lock-in with proprietary management platforms

ROI: Pimeleon's open-source model eliminates subscription costs

When to Consider Upgrading

Move to enterprise hardware if:

  • 100+ concurrent devices
  • Internet faster than 1 Gbps (the Pi's onboard NIC and USB 3 adapters top out at gigabit)
  • Complex VPN requirements
  • Compliance mandates specific hardware
  • Budget allows for redundancy

Troubleshooting Office Deployment

Issue: Performance Degradation

Symptoms: Slow internet, high latency

Solutions:

  1. Check CPU usage: htop (routing, NAT and the DNS filter are largely single-threaded, so one core pinned at 100% is a bottleneck even when the average looks low)
  2. Check for throttling: vcgencmd get_throttled (anything other than throttled=0x0 means the Pi has slowed itself down for heat or undervoltage; fix cooling or the power supply first)
  3. Monitor network: iftop -i eth0
  4. Review DNS query load and upstream response times in the admin interface
  5. More RAM does not speed up routing; if the CPU is the limit, see When to Consider Upgrading above

Issue: Guest Network Access to LAN

Symptoms: Guests can access internal resources

Solutions:

# Verify the firewall configuration compiles and is actually loaded
sudo shorewall check
sudo shorewall status

# From a device on the guest WiFi: the router's LAN address and a LAN host
# must both be unreachable, while the internet still works
ping -c 3 -W 2 192.168.76.1    # should time out (guest -> firewall is DROP)
ping -c 3 -W 2 192.168.76.10   # should time out (guest -> lan is DROP)
ping -c 3 -W 2 1.1.1.1         # should succeed
nc -zvw2 192.168.76.10 445     # if nc is installed: TCP must fail too, not just ICMP

# Check the rules the kernel actually holds
sudo nft list ruleset

Issue: VPN Connection Problems

Symptoms: VPN clients can't connect

Solutions:

  • Check port forwards
  • Verify NAT traversal enabled
  • Test with UPnP disabled
  • Check VPN server logs
  • Review VPN Configuration Guide for detailed setup and troubleshooting

Next Steps

  1. Backup Procedures - Protect configuration
  2. Security Hardening - Enhance protection

Professional network management doesn't require enterprise pricing. Pimeleon router provides business-grade features at a fraction of the cost.