Making your own OpenBSD Router

So I recently changed my router from pfSense to OpenBSD. Why do I enjoy pain so much? Well, pfSense 2.0 has a PPPoE bug in it, and I'm tired of a limitation in the 1.x versions. So I downloaded the latest release (4.9) and did a typical OpenBSD setup.

OK, so to make an OpenBSD router, you'll need:

  • A copy of the offline (install_49) installation media for OpenBSD
  • At least two network cards in your router machine
  • Basic working knowledge of OpenBSD (particularly how to do the initial install, which I don't cover)

You'll have to tweak your setup if you're trying to accomplish something different from me. What I'm doing is making a general NAT router for multiple machines, connected to the internet via PPPoE (which is bridged across from a modem).

So first things first, install OpenBSD. You can leave the network interfaces unconfigured during the install.

few days later

Oh good, you're back. OK, now I know you could avoid some reboots in this tutorial, but I don't care enough to cover the "hot" methods.

First, edit /etc/sysctl.conf and uncomment the line net.inet.ip.forwarding=1, so the kernel will forward packets between interfaces.

Second, create /etc/hostname.pppoe0 (a new file). This is where the PPPoE configuration goes:

inet 0.0.0.0 255.255.255.255 NONE pppoedev EXT_IF authproto pap \
authname 'pppoe_username' authkey 'pppoe_password' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

Make sure to replace EXT_IF with the name of the external (WAN) network interface. Also fill in the username and password for your PPPoE connection.

Now skim through /etc/dhcpd.conf. Out of the box it's a working configuration, but I recommend changing the domain name. Also change the nameservers if, like me, you prefer Google's (8.8.8.8, 8.8.4.4).

Now edit /etc/rc.conf.local to enable dhcpd. An empty value enables it; the default of NO in /etc/rc.conf keeps it off:

dhcpd_flags=

OK, now put just the line "up" in /etc/hostname.EXT_IF, so the physical WAN interface is brought up without an address of its own (the PPPoE session carries the address).

And then, in /etc/hostname.INT_IF, put a static configuration. Mine looks like this:

inet 192.168.1.1 255.255.255.0

This sets the router's IP address as seen from the client computers.

Now then, in /etc/pf.conf you'll have to add two new rules:

match on pppoe0 scrub (max-mss 1440)
match out on pppoe0 inet from INT_IF:network to any nat-to (pppoe0:0)

The first rule clamps the TCP MSS on pppoe0 so there isn't an MTU problem when packets cross from the smaller PPPoE MTU to Ethernet. The second makes pf act as a NAT for the internal network, translating outbound traffic to the address of pppoe0 (the internet side); the parentheses around pppoe0:0 make pf look the address up at run time, which matters because a PPPoE address can change every time the session reconnects.
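As an added example (not from the original post), here is a complete /etc/pf.conf that puts the two rules above into a minimal default-deny ruleset, which is what you want on a box that sits directly on the internet. The interface names are assumptions: pppoe0 as in the post, and em1 standing in for INT_IF; the 1440 MSS value is the post's own.

```pf
# Added example: a minimal default-deny /etc/pf.conf built around the two
# rules from the post. Interface names are assumptions: pppoe0 as in the
# post, em1 standing in for INT_IF (the LAN side).
ext_if = "pppoe0"
int_if = "em1"

set skip on lo
set block-policy drop

# Rule 1 from the post: clamp the TCP MSS so segments fit the PPPoE MTU.
match on $ext_if scrub (max-mss 1440)

# Rule 2 from the post: NAT the LAN behind whatever address pppoe0 currently
# holds; the parentheses make pf re-read the address when the session changes.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if:0)

# Default deny. Blocked packets are logged to pflog0 so you can see what is
# being dropped.
block log all

# Drop packets that arrive on the wrong interface for their source address
# (e.g. LAN addresses showing up on the WAN side).
antispoof quick for { lo0 $int_if }

# DHCP discovers come from source 0.0.0.0, so they are not covered by the
# from-network rule below and need their own rule.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# LAN hosts may talk to the router itself (ssh, DNS, etc.) and, via the NAT
# rule, to the internet.
pass in on $int_if inet from $int_if:network to any

# Anything the router sends out, on either interface, is allowed; pf's
# default state tracking lets the replies back in.
pass out inet
```

Nothing is passed in on pppoe0, so no service on the router is reachable from the internet unless you add an explicit pass in on $ext_if rule for it; that, plus the log on the block rule, is the point of starting from default deny. Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch what is being dropped with tcpdump -n -e -ttt -i pflog0.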

Tags: openbsd howto
Posted: 5/17/2011 7:03:42 PM