Router - OpenBSD

From AAISP Support Site
Revision as of 00:17, 18 August 2018 by Reedy

You can use a computer running OpenBSD as your AAISP router, and make use of its simple configuration and powerful 'pf' firewall.

I'll assume your box has two NICs, re0 and re1, and that re0 is connected to something providing PPPoE (either a BT VDSL modem or an AA router in bridging/modem-only mode). This is tested with FTTC and a BT VDSL modem.

You don't need any software other than the base distribution, which comes with everything necessary to do PPPoE, mini jumbo frames, firewalling, DHCP, NAT, IPv6 RA, DNS Caching and 6to4/DNS64 if you need it.

Setup

Note that "re0" is the name of a Realtek NIC; the driver name will differ depending on your hardware.

/etc/hostname.re0:

up

/etc/hostname.pppoe0:

inet 0.0.0.0 255.255.255.255 NONE pppoedev re0 \
authproto chap authname 'aa11@a.1' authkey 'yourpasswordgoeshere' up
dest 0.0.0.1
inet6 autoconf
!/sbin/route add default -ifp pppoe0 0.0.0.1

Once this is all done, you should be able to just run "sh /etc/netstart" and have your PPPoE session connect (watch the syslog for details). It should automatically reconnect if there's a dropout.

Routing

To enable routing, you need to set the following lines in /etc/sysctl.conf:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

You'll also have to configure IPv6 RA and DHCPD. For IPv6, you'll need to configure a static IPv6 address (from your /64 range) on your internal LAN interface via /etc/hostname.xxN (replace xxN with the name of your internal LAN interface, e.g. re1), and add rtadvd_flags=re1 to /etc/rc.conf.local. Configuring DHCPD is the same as on Linux (ISC DHCP server).

You'll need to add a line to your firewall configuration (/etc/pf.conf) to enable NAT (replace the range with your chosen IPv4 NAT range):

match out on egress inet from 192.168.0.0/24 nat-to (egress:0)

Don't forget to add firewall rules to block any unwanted inbound IPv6 traffic!
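As an added example (not from the AAISP page), here is a minimal /etc/pf.conf that combines the NAT rule above with a default-deny inbound policy on the PPPoE link, passing only the ICMPv6 that SLAAC, neighbour discovery and path MTU discovery need. re1 as the LAN interface and 192.168.0.0/24 are taken from the page; the block/pass policy itself is an assumption you should adapt.

```pf
# Added example, not part of the original page. Assumes the two-NIC setup
# described above: pppoe0 carries the session (so it is in the "egress"
# group) and re1 is the internal LAN.
int_if = "re1"
lan4   = "192.168.0.0/24"

# ICMPv6 types the router must accept from the link for IPv6 to work at all:
# router advertisements (for "inet6 autoconf" on pppoe0), neighbour
# discovery, packet-too-big (PMTU) and the usual error reports.
icmp6_ok = "{ routeradv, routersol, neighbrsol, neighbradv, toobig, unreach, timex, paramprob, echoreq }"

set skip on lo
match in all scrub (no-df)

# IPv4 NAT for the LAN behind the PPPoE address (same rule as the page).
match out on egress inet from $lan4 nat-to (egress:0)

# Stop LAN-sourced addresses arriving on the wrong interface.
antispoof quick for $int_if

# Default deny for both address families; log what is dropped on the WAN.
block all
block in log on egress

# The LAN side is trusted in both directions (DHCP and RA replies from the
# router to LAN hosts go out here, so "out" must be allowed too).
pass on $int_if

# The router and LAN hosts may initiate connections outwards; replies are
# matched by state, so nothing further is needed for them.
pass out on egress

# Unsolicited inbound IPv6 stays blocked (LAN hosts have global addresses),
# but the control-plane ICMPv6 listed above must be let in.
pass in on egress inet6 proto icmp6 icmp6-type $icmp6_ok
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and remember that pf's last matching rule wins, so the block rules must stay above the pass rules.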

Mini Jumbo Frames

If you want a 1500 byte MTU on an FTTC connection, it's as simple as changing "up" in /etc/hostname.re0 to "up mtu 1508" (the extra 8 bytes carry the PPPoE header) and adding "mtu 1500" to the first line of /etc/hostname.pppoe0, before the word "pppoedev". See the pppoe(4) manpage for details. With the Realtek driver (reN), note that you may need to be running OpenBSD 5.8 for the right driver support.