There are a lot of newly security-conscious people out there, so today we’re going to attempt to build a fail-closed firewall, and as a bonus we get a tiny workstation, too.
Attention Conservation Notice:
Hands on single board computers and Linux stuff will be found herein. I’m starting to suspect the savings in money and weight for the little Pi are not worth the headaches one gets trying to make it work.
Hardware:
We’re going to use an Orange Pi Zero 3 for this. The machine needs power via USB-C and I’ve pointedly not included that, because there are a number of variables as to how this is done, and most people have at least one idle USB wall wart power supply.
The 1GB machine is $25. A 4GB is $36. If you think you might actually make use of the workstation function, that additional $11 is money well spent.
The SanDisk Extreme cards with the red/gold label carry a V30 rating: 30 MB/s minimum sustained write. The red/silver SanDisk Ultra cards are U1, good for 10 MB/s. If you’ve just got an old, small microSD lingering, that’ll do just fine for firewall duty. You’ll be much happier with red/gold if you’re going to use the workstation function.
If you’re going the workstation route you’ll need a keyboard, mouse, micro-HDMI to HDMI cable, and a USB hub. The little Pi has just one USB-A port free.
The aluminum armor leaves the WiFi antenna flopping around. If you’ve got half a dozen 4” zip ties you can rig a harness that will keep it attached. There are factory boxes that offer a place for the antenna, but I didn’t like the looks of any of them and I prefer silent passive cooling.
If you need ethernet to ethernet rather than ethernet/wifi, there are various SBCs that provide that, but they all cost much more than the Orange Pi Zero 3. This dongle is a cost effective solution for that problem that also solves the need for additional USB-A ports for keyboard/mouse.
Software:
The Orange Pi Zero 3 manual provides a simple recipe for building a hotspot, found on pages 76 to 82. The instructions are correct in principle, but the create_ap tool used in the example is unmaintained: its GitHub repository is archived and points at two successor projects.
If you read the earlier articles, you know I just tried images from the Orange Pi Zero 3 support page until I got one that worked. The one that worked first is the very dated Orange Pi OS - the builder’s internal Linux distro. There are Chinese surnames in the documentation and the English is at times clumsy. Orange is a mainland China company.
The official image stumbled badly when it came to checking to see all the packages needed for hotspot duty were present. Having slept a bit since I first touched these distros, I quickly got Ubuntu unpacked and on a microSD.
Given what is happening between the U.S. and China, in particular the part about banning TP-Link from operating here … once I started the OS update I got the feeling I’m going to have a LOT of work building a distro of my own. But until the testing portion of the process is complete, we’ll just accept what’s been given.
Hot Spottin’:
There are two alternatives listed on the create_ap GitHub page. linux-wifi-hotspot is aimed at … surprise … the Linux hotspot market. I’m making a mental note of that one, but linux-router seems to be a much better fit for what we’re trying to do here. We’re going to hotspot, certainly, but there’s also the small matter of Tailscale, and some monitoring, and and and …
Trying to get linux-router running on Orange Pi OS is not something I’d send a new Linux user out to do. Some of the required packages are not available through pacman, the Arch Linux package manager. It took me five minutes with Google to find what I needed, but those who are not command line ninjas would likely retreat. This was an exercise in futility - start the tool on Orange Pi OS and it wedges network activity until you kill it.
The switch to Ubuntu made things smooth - the requirements were already present. But then again we encounter this:
Since I have a couple of Raspberry Pi 5 machines running Ubuntu, I changed over to one of those. I had to install hostapd and haveged, but otherwise the machines had what they needed from the Raspberry Pi Ubuntu install. And they work just fine: issue this command and you’ve got yourself a working hotspot.
So what happened here? Some WiFi controllers simply cannot do AP duty, but this chip has clearly done it in the past (the manual’s own hotspot recipe depends on it), so it is not some janky mini-PC Realtek part that will just never, ever work. The software is really old, and sometimes a chip gets a silicon revision and things stop working.
I spent a little time trying to get a look at what the hostapd binary was doing as it failed, but it wasn’t obvious where to slip strace into the lnxrouter script so I could keep an eye on it. Running hostapd on its own was also a no go - the script crafts a command line call to it, there’s nothing in /etc that provides enough information to start it in a similar fashion.
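Two checks that would have shortened the debugging above, as an added example that is not part of the original post: first, ask the driver whether it advertises AP mode at all (`iw list` prints the supported interface modes, and if AP is missing no amount of hostapd tuning will help); second, a minimal WPA2-PSK hostapd.conf so hostapd can be started by hand with full debug output, or under strace, independent of the lnxrouter script. The interface name wlan0, the SSID and the passphrase are placeholders, and the two `iw list` excerpts are constructed, not captured from the Orange Pi.

```shell
#!/bin/sh
# Added example (not from the original post). wlan0, the SSID and the
# passphrase are placeholders; the two `iw list` excerpts are constructed.

# 1. Does the driver advertise AP mode? `iw list` prints a
#    "Supported interface modes:" block; a "* AP" line must be in it.
ap_mode_supported() {
    # $1: captured output of `iw list`; returns 0 if AP mode is listed
    printf '%s\n' "$1" | awk '
        /Supported interface modes:/ { inblock = 1; next }
        inblock && /^[[:space:]]*\*/ { if ($2 == "AP") found = 1; next }
        inblock                      { inblock = 0 }
        END { if (found) exit 0; exit 1 }'
}

# 2. Minimal WPA2-PSK hostapd.conf: enough to run hostapd directly.
write_hostapd_conf() {
    # $1: output path, $2: interface, $3: SSID, $4: passphrase
    # hostapd rejects passphrases outside 8..63 characters, so fail here
    # rather than after the radio has already been reconfigured.
    plen=${#4}
    if [ "$plen" -lt 8 ] || [ "$plen" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2
        return 1
    fi
    # the file holds the passphrase: create it unreadable to other users
    (
        umask 077
        cat > "$1" <<EOF
interface=$2
driver=nl80211
ssid=$3
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$4
EOF
    )
}

# Constructed `iw list` excerpts: one chip that can do AP, one that cannot.
IW_WITH_AP='Wiphy phy0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
        Band 1:'
IW_WITHOUT_AP='Wiphy phy0
        Supported interface modes:
                 * managed
                 * monitor
        Band 1:'

# Real run (root only): check the radio, write the config, start hostapd
# with full debugging, optionally under strace, outside of lnxrouter.
case "${1:-}" in
run)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    ap_mode_supported "$(iw list)" || { echo "no AP mode on this chip" >&2; exit 1; }
    write_hostapd_conf /tmp/hostapd-test.conf wlan0 TestAP "${PASSPHRASE:?set PASSPHRASE}"
    if [ "${TRACE:-0}" = 1 ]; then
        exec strace -f -o /tmp/hostapd.trace hostapd -dd /tmp/hostapd-test.conf
    fi
    exec hostapd -dd /tmp/hostapd-test.conf
    ;;
esac
```

Run it as `sudo PASSPHRASE=... sh hostapd-check.sh run` (add `TRACE=1` to wrap hostapd in strace). If `ap_mode_supported` fails, the problem is the driver or the silicon, not the script; if hostapd then fails with `-dd`, the last lines before the exit usually name the nl80211 call the driver refused.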
So for the moment this effort is much more theory than reality. The only win in this is that I now know what it takes to get a Raspberry Pi5 doing the desired work. They cost about double, weigh about triple, but they’re an order of magnitude faster, and I’d be dealing with one very well supported SBC instead of a diversifying flock of them.
Conclusion:
When you buy an Orange Pi, there will be a miniature OS on the SPI flash. I’ve never bothered to check but I probably should: does it phone home when booted without a microSD? Does it have any role in the boot process when you do have a microSD?
We’re not stuck with the vendor-supported images, but going without them means building your own from a generic ARM64 OS. I can probably get that done without much trouble, but the rest of you are going to want something involving Raspberry Pi Imager, an install process that just works.
This is a virtual supply chain problem and we’re liable to have some real ones at the physical layer. Orange Pi makes more money on their larger boards, but they’re all Rockchip RK3588 based. If the rumors of that vendor exiting the SBC market completely are true, Orange Pi may go up in smoke.
And if the tariff noises we’ve been hearing turn into actual tariff policies, there may be a lot more than one unlucky SBC builder going missing in the coming days.
I don’t regret acquiring the little Pi - even though hotspot support is perhaps unattainable, it’s suitable for fail-closed firewall duty so long as the machine to protect connects via ethernet rather than by WiFi.
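What “fail closed” means in rules, for the ethernet-attached case just described, as an added example that is not part of the original post and not the author’s ruleset: an nftables table in which the protected machine on the LAN port has exactly one permitted path out, the Tailscale interface. There is deliberately no LAN-to-WAN forward rule, so if tailscale0 is down or never comes up, traffic is dropped instead of leaking out the upstream port. The interface names (eth1 for the USB dongle, eth0 upstream, tailscale0), the use of a Tailscale exit node, and a dnsmasq instance serving the LAN side are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names, the Tailscale
# exit-node setup and dnsmasq on the LAN side are assumptions.
LAN=${LAN:-eth1}        # USB ethernet dongle; the protected machine plugs in here
WAN=${WAN:-eth0}        # on-board ethernet to the upstream router
TUN=${TUN:-tailscale0}  # Tailscale, configured to route through an exit node

fail_closed_ruleset() {
    # iifname/oifname match by name, so the ruleset loads at boot even before
    # tailscale0 exists; iif/oif would refuse to load for a missing interface.
    cat <<EOF
flush ruleset
table inet failclosed {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # LAN side may get DHCP/DNS from this box (dnsmasq) and ssh into it
        iifname "$LAN" udp dport { 67, 53 } accept
        iifname "$LAN" tcp dport { 53, 22 } accept
        # nothing unsolicited is accepted from upstream; Tailscale opens its
        # own sessions outbound and needs no inbound rule here
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # the single permitted path; the absence of any LAN -> $WAN rule is
        # what makes this fail closed when the tunnel is down
        iifname "$LAN" oifname "$TUN" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$TUN" masquerade
    }
}
EOF
}

# Properties a reviewer can confirm from the generated text alone.
forward_policy_is_drop() {
    fail_closed_ruleset | awk '
        /chain forward/ { f = 1 }
        f && /policy drop/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}
no_lan_to_wan_path() {
    ! fail_closed_ruleset | grep -q "oifname \"$WAN\""
}

case "${1:-}" in
check) fail_closed_ruleset | nft -c -f - && echo "ruleset parses" ;;
apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fail_closed_ruleset | nft -f -
    ;;
esac
```

`sh failclosed.sh check` runs the ruleset through `nft -c` without touching the kernel; `apply` as root installs it. Pull the tunnel down (`tailscale down`) while pinging from the protected machine to confirm the drop happens rather than a fallback to the upstream port.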
We’ll come back to this task again soon, probably using one of the big box Pi5s for the proof of concept, before I lay hands on another board to put in the empty Pi5 aluminum armor case lurking in my parts drawer.