
Building an OpenBSD Router - fcambus
http://www.openbsd.org/faq/pf/example1.html
======
jrcii
I run OpenBSD routers in production. When getting the lay of the land to set
these up I came across OP's link as well as
[http://www.bsdnow.tv/tutorials/openbsd-
router](http://www.bsdnow.tv/tutorials/openbsd-router) and a few others like
[http://geodsoft.com/howto/harden/](http://geodsoft.com/howto/harden/)

~~~
mulander
OP's link was written by the same guy who wrote the bsdnow tutorial. The one
on openbsd.org should be considered the canonical source now.

------
VLM
It's a reasonable start.

It provided an example of a static nat forwarding for incoming traffic.

Another common task is blocking certain outgoing traffic:

block return out quick on egress from any to any port smtp

to block all outgoing email if your internal machines are all Windows (to
block spambots or whatever).

Or to block outgoing traffic from one device (perhaps your laser printer, or
abandoned smart TV, or an "internet of powned things" device).

block return out quick on egress from 10.1.2.3

You can have huge fun with tables. So make a table of addresses to block from
the internet (much like the martians table in the example), and a pile of
crontab that pfctl add and pfctl delete the kids i-devices around bed time or
homework time or whatever.

As a starter, it's pretty good, but there should be commentary on
troubleshooting tools. Here's the care and feeding of the log command to
figure out what you're actually doing vs what you think you're doing. Here's
how you see the current NAT table using pfctl, stuff like that. As with many
security issues, it's easier to enable UPnP than it is to correctly debate if
you should enable UPnP, it's easier to enable your whole LAN to access the
internet rather than blocking the laser printer, so that's a fun topic in
general.

Also it's been a tradition in Linux and presumably BSD software firewalls
since the mid 90s to add endless complication and logging that serves no
useful purpose and is never examined or acted upon after installation until a
hardware limit for hardware of that year is reached, then complain software
firewalls are too slow and maybe a couple years of hardware advances will make
them practical, repeat endlessly. You can shove a couple megs/sec using a 486,
I certainly did in the 90s, although you can also clutter up a top of the line
desktop today such that the CPU and disk I/O will flood at about a couple hundred
K if you try hard enough by writing every packet to disk and having pages of
firewall rules.
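One way to put the outbound blocks, the table trick and the troubleshooting commands from the comment above into a single pf.conf fragment, as an added example that is not from the thread or the OpenBSD FAQ; the interface names, LAN addresses, table names and crontab entries are assumptions:

```pf
# Added example, not the FAQ's pf.conf. Assumed interfaces: em0 upstream
# (the "egress" group), em1 on the LAN.
ext_if = "em0"
int_if = "em1"

# Devices that should never talk to the internet (printer, old smart TV).
# Assumed addresses.
table <no_internet> persist { 10.1.2.3, 10.1.2.4 }

# Kids' devices; empty at boot, filled and emptied from cron (see below).
table <bedtime> persist

# No outbound SMTP from the LAN at all; log hits and count them under a label
# so "pfctl -s labels" shows whether anything is actually trying.
block return out log quick on egress proto tcp \
    from $int_if:network to any port smtp label "lan-smtp-out"

# Anything sourced from the two tables is refused (RST/ICMP unreachable).
block return out log quick on egress from { <no_internet>, <bedtime> } to any \
    label "lan-blocked-hosts"

# Ordinary LAN traffic is NATed and allowed; the quick blocks above win first.
match out on egress inet from $int_if:network to any nat-to (egress)
pass out on egress
pass in on $int_if

# --- Operating it (root shell / crontab; not part of pf.conf) ---------------
# Bedtime on and off for one assumed device, from root's crontab:
#   0 21 * * * /sbin/pfctl -t bedtime -T add    10.1.2.50
#   0  7 * * * /sbin/pfctl -t bedtime -T delete 10.1.2.50
# Inspect what is currently in the table:
#   pfctl -t bedtime -T show
# What is actually being blocked (vs what you think is being blocked):
#   tcpdump -n -e -ttt -i pflog0            # live view of the "log" rules
#   pfctl -s labels                         # per-label packet/byte counters
#   pfctl -vs rules                         # rule counters
# Current NAT/state table (NAT translations live in the state entries):
#   pfctl -s states
# Reload after editing, checking syntax first:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```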

~~~
geggam
Labels... don't forget labels.

It makes pftop so pretty :)

------
zdw
If you want hardware to run this on, I really like the PCEngines APU
([http://www.pcengines.ch/apu1d4.htm](http://www.pcengines.ch/apu1d4.htm)),
which is surprisingly powerful (dual AMD64 cores, 4GB RAM, multiple miniPCIe
ports), and inexpensive given the capabilities.

~~~
scw
The APU is great. The APU2 was recently released:
[http://pcengines.ch/apu2b4.htm](http://pcengines.ch/apu2b4.htm)

Improvements over the first version: quad core, Intel Gigabit NICs, new CPU
supports AES-NI and AVX (AMD-V), ECC memory, and a USB 3.0 bus. Still some
issues being ironed out, but it will make excellent router hardware. Note that
WiFi is a relative weakness on BSD, and you'll need to carefully choose a
chipset to support hostap mode. The Atheros abgn cards are generally the best.

~~~
ZoFreX
An APU with Intel ethernet? This changes everything!

(Lack of Intel ethernet ruled the APU out for me)

Also, how did you know about this? I can't find that page by browsing their
site and I didn't even know this existed!

~~~
scw
The board has been in beta testing for a few months; folks were discussing it
on the OpenBSD -tech list.

------
ris
I used to run OpenBSD routers, but the lack of _real_ package management or a
decent manageable upgrade story made it more trouble than it's worth.

(That said, I'm still quite fond of OpenBSD, but from afar)

~~~
INTPenis
I used to agree with you, while still running an OpenBSD router for home use,
but the last upgrade went quite smoothly so I would say they've put a lot of
work into that aspect.

Yes there were manual steps to perform but they worked so well and were so
simple that I couldn't help but think about automating them in a simple
script. And finishing up I just did a pkg_add -u to upgrade all packages.

The only thing missing from the example IMO is dnsmasq, much easier and
lighter to use.

------
Decade
Any router guide that does not cover IPv6 is sadly obsolete.

~~~
nickpsecurity
And yet I still don't use IPv6 despite always making sure it's supported. Its
takeover is like the Duke Nukem Forever of networking protocols.

~~~
mitchty
Which I find funny because I've been using IPv6 at home for 3 years now with
no real issues. At least IPv6 is useful, unlike DNF.

Comcast gets a lot of heat, but they at least have done IPv6 right.

~~~
nickpsecurity
That's what I have, too. Yeah, they both work fine on Comcast.

------
pyvpx
I particularly like the inclusion of DNSCrypt.

~~~
zdw
It's too bad that DJB's full dnscurve
([http://dnscurve.org](http://dnscurve.org)) suite didn't take off like
dnscrypt did, but that does require changing the DNS server names at the
registrar to include the key in the domain name, and having support throughout
the resolver chain.

That said, I've been running dnscurve for a few years on my authoritative
internet-facing servers ( `dig ns artcs.net` to see what it looks like), and I
generally see between 5-10% of requests coming in as wanting encryption. Most
of these are requests from OpenDNS, which supports the protocol.

------
ksec
I actually want all my internet appliances to run on OpenBSD. But I guess due
to driver problems I may never see that happen.

~~~
jlgaddis
Out of curiosity, what kind of hardware are you wanting to use that OpenBSD
doesn't have drivers for?

