blog.up-link.ro
9 Aug 2010

How To Set Up an OpenBSD Router – Step-by-Step Tutorial

This article is a step-by-step guide to setting up an OpenBSD system that acts as a network router, taking advantage of OpenBSD's PF packet filter.

1. OpenBSD Installation

Install OpenBSD by using this tutorial.

Now that you have OpenBSD installed, let's proceed with the next step.

2. OpenBSD Network Configuration

Network interfaces are configured at boot time from the /etc/hostname.if files, where if is replaced by the full name of the interface; for an xl0 interface, for example, the file is /etc/hostname.xl0.

The layout of this file is simple:

address_family   address   netmask   broadcast   [other options]

A typical interface configuration file, configured for an IPv4 address, would look like this:

cat /etc/hostname.xl0
inet 192.168.1.1 255.255.255.0 NONE

In this case, we have defined an IPv4 address, with an IP address of 192.168.1.1, a subnet mask of 255.255.255.0 and no specific broadcast address (which will default to 192.168.1.255 in this case).

You can also specify the Ethernet media type, for example 100baseTX full duplex:

cat /etc/hostname.xl0
inet 192.168.1.1 255.255.255.0 NONE media 100baseTX mediaopt full-duplex

Or, you may want to use special flags specific to a certain interface:

cat /etc/hostname.vlan0
inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev xl0

To use the DHCP client dhclient included with OpenBSD, edit /etc/hostname.xl0:

cat /etc/hostname.xl0
dhcp

Next, enable IP forwarding by adding the following line to the /etc/sysctl.conf file (the file is read at boot; the same setting can be applied immediately with sysctl(8)):

net.inet.ip.forwarding=1

3. Set Up a DHCP Server in OpenBSD

The main configuration file for dhcpd is /etc/dhcpd.conf. This file contains all of the client options, subnet definitions, and other options dhcpd recognizes. A sample configuration file is given below, annotated with comments that explain the various options.

#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network:              192.168.1.0/255.255.255.0
# Domain name:          mydomain.tld
# Name servers:         8.8.8.8 and 8.8.4.4
# Default router:       192.168.1.1 (the xl0 address of this box)
# Addresses:            192.168.1.10 - 192.168.1.250
#

############################
# A shared-network tells dhcpd that the subnets declared
# inside it share the same network information
############################
shared-network MYDOMAIN-TLD {

        ############################
        # Settings shared by all subnets declared below:
        # lease duration of one week (604800 seconds),
        # the domain name handed to clients,
        # and the DNS servers clients use for lookups
        ############################
        default-lease-time 604800;
        option  domain-name "mydomain.tld";
        # These are Google's public DNS servers; replace them with your own.
        option  domain-name-servers 8.8.8.8, 8.8.4.4;

        ############################
        # The subnet to hand out addresses on, with its netmask
        ############################
        subnet 192.168.1.0 netmask 255.255.255.0 {
                # netmask sent to clients; must match the netmask above
                option subnet-mask 255.255.255.0;
                # broadcast address for the subnet
                option broadcast-address 192.168.1.255;
                # default gateway for clients: this router's LAN address (xl0),
                # which must lie inside the subnet declared above
                option routers 192.168.1.1;

                # range of addresses to lease
                range 192.168.1.10 192.168.1.250;
        }
}
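The most common mistake in a file like this is handing clients options that do not belong to the subnet they are leased from (a gateway on another network, a range that spills outside the netmask). The following checker is an added example, not part of the original post: it parses each subnet block of a dhcpd.conf in the layout above and reports such inconsistencies. The sample configuration embedded in it is constructed for the example and deliberately carries a gateway outside 192.168.1.0/24.

```python
# Added example: consistency checker for dhcpd.conf subnet blocks.
# For every "subnet ... netmask ... { ... }" block it verifies that the
# broadcast-address, each router and the lease range belong to that subnet.
# Parsing is minimal on purpose: '#' comments are stripped and only the
# statements used in the sample above are recognised.
import ipaddress
import re

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}", re.S)

# Constructed sample: the subnet block from the tutorial, but with a gateway
# that is not on 192.168.1.0/24, so clients would get an unreachable route.
SAMPLE_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 10.0.0.1;   # gateway on the wrong network
        range 192.168.1.10 192.168.1.250;
}
"""

def _strip_comments(text):
    """Drop '#' comments (whole-line and trailing) from dhcpd.conf text."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def _value(body, keyword):
    """Return the argument string of 'keyword ...;' inside a block, or None."""
    m = re.search(r"\b" + keyword + r"\s+([^;]+);", body)
    return m.group(1).strip() if m else None

def check_dhcpd_conf(text):
    """Return a list of findings; an empty list means the subnets are consistent."""
    findings = []
    for net, mask, body in SUBNET_RE.findall(_strip_comments(text)):
        subnet = ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        bcast = _value(body, "option broadcast-address")
        if bcast and ipaddress.IPv4Address(bcast) != subnet.broadcast_address:
            findings.append(f"{subnet}: broadcast-address should be {subnet.broadcast_address}")
        for router in (_value(body, "option routers") or "").split(","):
            if router.strip() and ipaddress.IPv4Address(router.strip()) not in subnet:
                findings.append(f"{subnet}: router {router.strip()} is not on this subnet")
        rng = _value(body, "range")
        if rng:
            lo, hi = (ipaddress.IPv4Address(x) for x in rng.split())
            if lo > hi or lo not in subnet or hi not in subnet:
                findings.append(f"{subnet}: range {lo}-{hi} is not inside this subnet")
    return findings
```

Running check_dhcpd_conf on the text of /etc/dhcpd.conf before starting dhcpd catches the gateway and range mistakes that dhcpd itself accepts silently.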

Now we have to enable dhcpd at startup. Like most daemons, this is done in /etc/rc.conf, which contains a line labeled "dhcpd_flags". Set this variable as shown here (on current releases, put the override in /etc/rc.conf.local instead, since /etc/rc.conf is replaced on upgrade, or use rcctl(8) to enable the daemon):

dhcpd_flags=""        # for normal use: ""

This enables the DHCP server at boot: the /etc/rc script checks that the option is not disabled and starts dhcpd on the interfaces you have defined. To define the network interface(s) on which dhcpd listens for requests, list them in /etc/dhcpd.interfaces:

# List of network interfaces served by dhcpd(8).
xl0

4. Set up OpenBSD's PF packet filter for NAT

Next, we configure the firewall in /etc/pf.conf for network address translation (NAT). Here's a quick sample ruleset (do not forget to change the interface names). It uses the NAT syntax of OpenBSD releases before 4.7; on 4.7 and later NAT is expressed with a match rule and nat-to, and state is kept by default, so consult the pf.conf(5) man page for your release and check the file with pfctl -nf /etc/pf.conf before loading it:

# Network interfaces
ext_if=xl1 # Internet
int_if=xl0 # LAN
# ICMP types allowed in from the outside
icmp_types=echoreq
# Placeholder: hosts allowed to ping this router from the outside;
# replace with your own addresses, or "any" to allow everyone
allowed_hosts="{ 203.0.113.0/24 }"

# Skip all loopback traffic
set skip on lo

# Scrub (normalize) all incoming traffic
scrub in

# Perform NAT on the external interface for the LAN network
nat on $ext_if from $int_if:network -> ($ext_if:0)

# Default behavior: block inbound, pass outbound
block in
pass out keep state

# Allow all traffic on the internal interface
pass quick on $int_if

# Protect against spoofing of loopback and LAN addresses
antispoof quick for { lo $int_if }

# Allow SSH to the router and ICMP echo from the allowed hosts
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from $allowed_hosts icmp-type $icmp_types keep state

5. Conclusion

This tutorial has only touched on the basics of using OpenBSD as a router. For more advanced configurations, I highly recommend reviewing the OpenBSD documentation.

Now you have to reboot the system for the changes to take effect.

# reboot

When the system comes back up, the LAN clients should be able to access the Internet through this OpenBSD router.
