I did a similar thing in order to implement network segregation via VLANs and VPN routing.

Personally I think Alpine Linux is one of the better distributions to use for routers because it uses musl which is ultra small. https://www.etalabs.net/compare_libcs.html

I have separate VLANs:

• VLAN 1: Management (no tag, null route)
• VLAN 2: Untrusted (routes direct to ISP via ppp0)
• VLAN 3: Trusted (routes direct to ISP via ppp0)
• VLAN 4: Trusted (routes via tun0 - VPN connection for private browsing etc)
• VLAN 5: Null route for devices that do not require internet access of any kind, desk phones, printers etc.

(Doesn't have to be a Raspberry Pi, you can use anything that Alpine Linux runs on which is x86_64, x86, ppc64le, s390x, armhf, aarch64 (ARM8 like Raspberry Pi 3), armv7 (Raspberry Pi 2, and friends).)[1]

[0] https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi_(IPv6)

[1] https://alpinelinux.org/downloads/

The idea is that anything on VLAN2 is completely segregated at the switch and router level from the rest of my network.
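
The per-VLAN routing in the comment above can be expressed as Linux policy routing. The following is an added example, not the commenter's or the Alpine wiki's configuration; the trunk interface name `eth0`, the table ids 101-105 and the helper names are assumptions. It only prints the `ip` commands, and it gives every table a blackhole fallback so that VLAN 4 traffic is dropped rather than sent out ppp0 if tun0 goes down.

```shell
#!/bin/sh
# Added example: prints (does not execute) iproute2 policy-routing commands
# for the VLAN layout described above. Interface names and table ids are
# assumptions, not values from the comment or the linked wiki.

LAN_IF="eth0"   # assumed trunk port; tagged VLAN n appears as ${LAN_IF}.n

# vlan_route_cmds IIF TABLE EGRESS
#   IIF    ingress interface carrying the VLAN
#   TABLE  dedicated routing table id for that VLAN
#   EGRESS uplink interface (ppp0, tun0) or "null" for no internet access
vlan_route_cmds() {
    iif="$1"; table="$2"; egress="$3"
    # Everything arriving on this VLAN is looked up in its own table.
    echo "ip rule add iif ${iif} lookup ${table} priority ${table}"
    if [ "$egress" != "null" ]; then
        echo "ip route add default dev ${egress} table ${table}"
    fi
    # Blackhole default with a worse metric: it always matches, so the lookup
    # never falls through to the main table. If the uplink route vanishes
    # (VPN down), packets are dropped instead of leaving via another uplink.
    echo "ip route add blackhole default metric 4096 table ${table}"
}

# The five VLANs from the comment; VLAN 1 is untagged, so it uses the bare port.
layout_cmds() {
    vlan_route_cmds "${LAN_IF}"   101 null   # VLAN 1: management
    vlan_route_cmds "${LAN_IF}.2" 102 ppp0   # VLAN 2: untrusted, direct to ISP
    vlan_route_cmds "${LAN_IF}.3" 103 ppp0   # VLAN 3: trusted, direct to ISP
    vlan_route_cmds "${LAN_IF}.4" 104 tun0   # VLAN 4: trusted, via VPN
    vlan_route_cmds "${LAN_IF}.5" 105 null   # VLAN 5: no internet access
}

# Dry run: show the commands for review.
layout_cmds
```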
I update the router about once a month, just to ensure all the relevant packages are kept current with upstream. So far the only breakages have been in kernel incompatibilities with the ipt-netflow module, but I think that’s only happened once so far - any Arch updates to shorewall, dnsmasq, etc. have been stable.