How To Set Up an OpenBSD Router – Step-by-Step Tutorial
This article is a step-by-step guide on setting up an OpenBSD system that acts as a network router and takes advantage of OpenBSD's PF packet filter.
1. OpenBSD Installation
Install OpenBSD by using this tutorial.
Now that you have OpenBSD installed, let's proceed with the next step.
2. OpenBSD Network Configuration
The network interfaces are configured at boot time from the /etc/hostname.if files, where if is replaced by the name of your interface (for example, /etc/hostname.xl0 for the xl0 interface).
The layout of this file is simple:
address_family address netmask broadcast [other options]
A typical interface configuration file, configured for an IPv4 address, would look like this:
# cat /etc/hostname.xl0
inet 192.168.1.1 255.255.255.0 NONE
In this case, we have defined an IPv4 address, with an IP address of 192.168.1.1, a subnet mask of 255.255.255.0 and no specific broadcast address (which will default to 192.168.1.255 in this case).
You could also specify media types for Ethernet, for example 100baseTX full duplex:
# cat /etc/hostname.xl0
inet 192.168.1.1 255.255.255.0 NONE media 100baseTX mediaopt full-duplex
Or, you may want to use special flags specific to a certain interface:
# cat /etc/hostname.vlan0
inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev xl0
To use the DHCP client dhclient included with OpenBSD, edit /etc/hostname.xl0:
# cat /etc/hostname.xl0
dhcp
Next, enable IP forwarding by editing /etc/sysctl.conf and adding (or uncommenting) the following line:
net.inet.ip.forwarding=1
3. Set Up a DHCP Server in OpenBSD
The main configuration file for dhcpd is /etc/dhcpd.conf. This file contains all of the client options, subnet definitions, and other options dhcpd recognizes. A sample configuration file is given below, and followed by an explanation of the various options.
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network: 192.168.1.0/255.255.255.0
# Domain name: mydomain.tld
# Name servers: 8.8.8.8 and 8.8.4.4
# Default router: 192.168.1.1 (the LAN address given to xl0 in section 2)
# Addresses: 192.168.1.10 - 192.168.1.250
#

############################
# This tells dhcpd that some of the subnets share the same
# network information.
############################
shared-network MYDOMAIN-TLD {

    ############################
    # The three lines below specify the resources shared by
    # all the subnets declared below.
    #
    # Order of options:
    #   Lease duration: one week (7 days)
    #   Domain name for DNS and such
    #   DNS servers to use for lookups
    ############################
    default-lease-time 604800;
    option domain-name "mydomain.tld";
    # These are Google's public DNS servers; replace them with your own.
    option domain-name-servers 8.8.8.8, 8.8.4.4;

    ############################
    # The subnet to hand out addresses on, with its netmask.
    ############################
    subnet 192.168.1.0 netmask 255.255.255.0 {
        # The subnet mask handed to clients (repeats the netmask above).
        option subnet-mask 255.255.255.0;
        # The broadcast address for the subnet.
        option broadcast-address 192.168.1.255;
        # The default gateway for clients: this router's LAN address.
        # It must lie inside the subnet; an address such as 10.0.0.1
        # would be unreachable from 192.168.1.0/24.
        option routers 192.168.1.1;
        # The range of IP addresses to lease.
        range 192.168.1.10 192.168.1.250;
    }
}
Now we have to enable dhcpd at startup. Like most daemons, this is done by editing /etc/rc.conf (on current OpenBSD releases, put the override in /etc/rc.conf.local instead, since /etc/rc.conf is replaced on upgrade). There is a line labeled "dhcpd_flags"; set it as shown here:
dhcpd_flags="" # for normal use: ""
This enables the DHCP server at boot: /etc/rc checks that this variable is not set to NO and starts dhcpd on the interfaces you have defined. To define the network interface(s) on which dhcpd listens for requests, add them to /etc/dhcpd.interfaces:
# List of network interfaces served by dhcpd(8).
xl0
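As an added check (example code, not part of the tutorial): dhcpd will happily start with an "option routers" value outside the subnet, and clients then receive a default gateway they cannot reach. The script below verifies that the gateway and lease range of a dhcpd.conf subnet block belong to the declared subnet; the sample configuration and the function names are constructed here.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check the subnet block of a
# dhcpd.conf. dhcpd starts happily with "option routers" outside the subnet,
# but clients then get a default gateway they cannot reach.

# Dotted quad -> integer, so addresses can be masked.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Arguments: subnet netmask routers range_start range_end.
# Prints one line per address outside the subnet; returns 1 if there is any.
dhcp_subnet_check() {
  mask=$(ip2int "$2"); net=$(( $(ip2int "$1") & mask ))
  status=0
  for pair in "routers=$3" "range start=$4" "range end=$5"; do
    label=${pair%%=*}; addr=${pair#*=}
    if [ $(( $(ip2int "$addr") & mask )) -ne "$net" ]; then
      echo "$label $addr is not inside $1/$2"; status=1
    fi
  done
  return $status
}

# Read the first subnet block of a dhcpd.conf (one gateway, one range) and check it.
dhcpd_conf_check() {
  sn=$(sed -n 's/^[[:space:]]*subnet \([0-9.]*\) netmask \([0-9.]*\).*/\1 \2/p' "$1" | head -n 1)
  gw=$(sed -n 's/^[[:space:]]*option routers \([0-9.]*\);.*/\1/p' "$1" | head -n 1)
  rg=$(sed -n 's/^[[:space:]]*range \([0-9.]*\) \([0-9.]*\);.*/\1 \2/p' "$1" | head -n 1)
  dhcp_subnet_check $sn "$gw" $rg   # unquoted on purpose: each holds two words
}

# Constructed sample, written to the path in $1: a block whose gateway was
# copied from another network and does not belong to 192.168.1.0/24.
write_sample_dhcpd_conf() {
  cat > "$1" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 10.0.0.1;
    range 192.168.1.10 192.168.1.250;
}
EOF
}

sample=$(mktemp); write_sample_dhcpd_conf "$sample"
dhcpd_conf_check "$sample" || echo "fix the addresses above before starting dhcpd"
rm -f "$sample"
```

Run it against /etc/dhcpd.conf before starting the daemon; a clean file produces no output and exits 0.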
4. Set up OpenBSD's PF packet filter for NAT
Next, we will configure the firewall for network address translation (NAT). Here’s a quick sample ruleset (do not forget to change your interface names):
# Set network interfaces
ext_if=xl1   # Internet
int_if=xl0   # LAN

# Hosts allowed to ping the router (placeholder: the LAN network; adjust to your needs)
allowed_hosts="{ 192.168.1.0/24 }"

# Allowed ICMP type
icmp_types=echoreq

# Skip all loopback traffic
set skip on lo

# Scrub all traffic
scrub in

# Perform NAT on the external interface
nat on $ext_if from $int_if:network -> ($ext_if:0)

# Default behaviour: block in, pass out
block in
pass out keep state

# Allow inbound traffic on the internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from $allowed_hosts icmp-type $icmp_types keep state

# Note: this is the pre-OpenBSD 4.7 syntax. On 4.7 and later, "scrub in" and
# "nat on" are written as "match in all scrub (no-df)" and
# "match out on $ext_if from $int_if:network to any nat-to ($ext_if:0)".
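As an added check (example code, not the tutorial's): pfctl -nf rejects a ruleset that references a macro it never defines, which is easy to do when a ruleset is assembled from snippets. The small lint below finds such macros without needing pfctl, so it can run on any workstation before the file is copied to the router; the sample ruleset and the function names are constructed here.

```shell
#!/bin/sh
# Added example (not from the tutorial): report pf.conf macros that are used as
# $name but never defined as name=value. pfctl -nf rejects such a ruleset on the
# router; this runs anywhere (no pfctl needed) before the file is copied over.

# Print each referenced-but-undefined macro once; return 1 if there are any.
pf_undefined_macros() {
  # Definitions: "name=value" at the start of a line (leading blanks allowed).
  defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | tr '\n' ' ')
  # References: $name tokens, with comments stripped first. Suffixes such as
  # $ext_if:network or ($ext_if:0) are handled because only the name is matched.
  referenced=$(sed 's/#.*//' "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u)
  status=0
  for m in $referenced; do
    case " $defined " in
      *" $m "*) ;;
      *) echo "$m"; status=1 ;;
    esac
  done
  return $status
}

# Constructed sample, written to the path in $1: a NAT ruleset like the one in
# section 4 whose author forgot the allowed_hosts= line.
write_sample_ruleset() {
  cat > "$1" <<'EOF'
ext_if=xl1   # Internet
int_if=xl0   # LAN
icmp_types=echoreq
set skip on lo
scrub in
nat on $ext_if from $int_if:network -> ($ext_if:0)
block in
pass out keep state
pass quick on $int_if
antispoof quick for { lo $int_if }
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from $allowed_hosts icmp-type $icmp_types keep state
EOF
}

sample=$(mktemp); write_sample_ruleset "$sample"
if pf_undefined_macros "$sample"; then
  echo "all macros defined"
else
  echo "define the macros listed above before loading the ruleset"
fi
rm -f "$sample"
```

On the router itself, pfctl -nf /etc/pf.conf remains the authoritative syntax check; this lint only catches the undefined-macro case early.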
5. Conclusion
This tutorial has only touched on the basics of using OpenBSD as a router. For more advanced configurations, I highly recommend reviewing the OpenBSD documentation.
Now you have to reboot the system for the changes to take effect.
# reboot
When the system comes back up, the LAN clients should be able to access the Internet through this OpenBSD router.