
The ultimate OpenBSD router - fcambus
http://www.bsdnow.tv/tutorials/openbsd-router
======
blfr
That's a very ambitious take on this problem. It is pretty cool (and
definitely more secure) to run OpenBSD but you can probably get most of the
upside by slapping OpenWRT on the consumer router you already have. A $50
WDR3600 happily handles several VPNs, custom VLANs, an IPv6 tunnel, exotic
routing, an external drive, and a Samba server while doing the typical SOHO
router-y stuff, like wifi.

BTW Running my own name server has solved a lot of weird slowdowns I used to
experience when browsing the web or sshing. According to namebench[1], my
router doesn't even crack the top three when it comes to response time so I
used to have it forward queries but in practice, after it warms up, it's more
reliable and delivers a smoother experience than either my ISP or Google.

[1] [https://code.google.com/p/namebench/](https://code.google.com/p/namebench/)

~~~
wtallis
A typical $50 consumer router running OpenWRT will do everything you want
except traffic shaping. The cheap consumer stuff all uses slow single-core
MIPS CPUs that can only do traffic shaping at tens of megabits and
consequently cannot do QoS for a fast DOCSIS or fiber connection. Of course,
even if you _do_ go to the trouble of getting an Intel-powered router, you
still wouldn't use OpenBSD (or anything other than Linux) for QoS.

~~~
dfc
> you still wouldn't use OpenBSD (or anything other than Linux) for QoS.

Is this still the case? Especially in regards to OpenBSD managing a fast
residential cable connection? I thought 5.6 yanked out the slow ALTQ code and
brought OBSD close to linux QoS performance, especially for residential
traffic management.

~~~
wtallis
From a quick skim of the manpages and a few google searches, it looks like pf
is a really poor substitute for tc. Without CoDel and friends, OpenBSD can at
best implement half of a good QoS system.

~~~
dfc
Your categorical rejection of openbsd+pf is based on a cursory google search
and man page comparison? I have not seen any QoS comparisons of OpenBSD 5.6
versus Linux. Did you find any?

~~~
wtallis
There's nothing to compare. OpenBSD just plain doesn't have any active queue
management. They _used_ to have RED in the altq module, but it's been removed
and I haven't found any mention of any other form of support for any of the
common AQM algorithms. If it supports anything more advanced than classifying
packets into a fixed set of priority queues with fixed packet count limits,
it's well-hidden. What functionality _is_ exposed and advertised through their
man pages is simply not enough to put together a fully functional QoS system,
regardless of how efficient it is with CPU time. There isn't even the
theoretical possibility of OpenBSD doing good QoS unless they've got a large
amount of complexity hidden and misleadingly glossed over by their
documentation. In this case, running a dumb algorithm arbitrarily fast can
never compete with the smarter algorithms.
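The fixed-bandwidth, fixed-qlimit queueing that wtallis describes looks like this in the post-ALTQ pf.conf syntax (OpenBSD 5.5 and later). This is an added illustration, not part of the thread or the linked tutorial; the interface name em0, the port choices and the bandwidth figures are assumed.

```conf
# Assumed: em0 is the WAN interface on a 20 Mbit/s uplink.
# Child queue bandwidths must not exceed their parent's.
queue rootq on em0 bandwidth 20M max 20M
queue std  parent rootq bandwidth 12M default
queue ssh  parent rootq bandwidth 4M
queue ssh_interactive parent ssh bandwidth 2M min 1M max 4M
queue ssh_bulk        parent ssh bandwidth 2M
queue bulk parent rootq bandwidth 4M qlimit 200   # fixed packet-count limit

# Classification: with two queues given, packets marked lowdelay and empty
# TCP ACKs go to the second queue, the rest of the port 22 traffic to the
# first. Anything unmatched falls into the default queue (std).
match out on em0 proto tcp to port 22 set queue (ssh_bulk, ssh_interactive)
match out on em0 proto tcp to port { 80 443 } set queue std
pass out on em0
```

Check the result with `pfctl -vvs queue`, which shows per-queue packet and drop counters; drops on a queue with a small qlimit are the tail-drop behaviour the comment above refers to.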

------
windlep
So... $337 for a decent soekris board and 'ok' case... or $340 for this:
[http://www.amazon.com/Ubiquiti-Networks-Edgerouter-Router-ER...](http://www.amazon.com/Ubiquiti-Networks-Edgerouter-Router-ERPro-8/dp/B00IA5J8M8/)

The latter has a complete open-source OS, you can ssh in and re-flash it
yourself easily, a great community, the same TCP hardware offload, etc. I have
been spec'ing out a BSD+soekris board setup for years, but when the Edgerouter
came on the market it was a no-brainer. The fact that it works out of the box with
little effort (for someone experienced with networking) is a big win, and that
it's quite easy to re-flash it and tweak as desired sure doesn't hurt.

While I really dig the DIY-router stuff, and was about to do it myself,
Ubiquiti has sure made it hard to go that route when they can supply dang good
products for the same price or less.

Edit: Added a bit that this isn't a "zero effort for newbs" type product. If
you've never set up a router, there'll be some research in your future to set up
an Edgerouter, or a BSD router.

~~~
thirsteh
It turns out a lot of the processing is offloaded to proprietary drivers on
the EdgeRouter board. It's great for running their stock firmware, but not so
great running OpenBSD. Ended up going with the new PC Engines apu1d4 board
([http://www.pcengines.ch/apu.htm](http://www.pcengines.ch/apu.htm)) rather
than a Soekris. I believe it's the best of the options for an OpenBSD router.

~~~
INTPenis
I've been using the APU board with great success at home for a good while. I
upgraded from the Alix board to make full use of my 1G/1G broadband.

Doing some speed tests I've seen speeds fluctuate around 500/700. Never
really reached 1Gbit on any public speed test yet but it's a helluva lot better
than my old alix router.

I love the fact that the APU has an open bootloader, and as far as I can
remember it was cheaper than what is mentioned of soekris here. I seem to
remember the whole package costing me around 100 eur.

------
mdewinter
This is a seriously awesome podcast. Consider listening to it, the amount of
knowledge combined with two bsd-loving hosts is amazing!

~~~
jstanek
In my experience, everything from Jupiter Broadcasting [0] is extremely
top-notch and informative. I'd highly recommend all of their shows (including BSD
Now!)

[0] [http://jupiterbroadcasting.com](http://jupiterbroadcasting.com)

~~~
tux
Yeah, I've been a Jupiter listener for some time now, mainly "Linux Action Show"
[http://www.jupiterbroadcasting.com/show/linuxactionshow/](http://www.jupiterbroadcasting.com/show/linuxactionshow/)
they have a lot of useful info. Highly recommended podcast, and if you can,
support them with anything you can. I'm also thinking of building my own next
DIY router. I'm tired of how limited the routers you buy off the shelf are.
Currently running Asus RT-N56U with Padavan F/W
[https://code.google.com/p/rt-n56u/](https://code.google.com/p/rt-n56u/) I've
also always wanted to switch to a BSD distro but ports are not updated as often
as "Arch Linux". If there were a BSD rolling distro similar to the well-updated
Arch Linux packages, I would consider switching.

~~~
talideon
Which ports system? I can't say anything about OpenBSD ports, but aside from
some stuff that gets very little love from people, most of the FreeBSD ports
tree is kept bang up to date, and binary packages appear shortly thereafter.
pkgsrc, OTOH, is only released quarterly, though if you want, you can sync
with their CVS repo, though, y'know, CVS.

The BSDs aren't distros, though some do have what might be called distros,
such as PC BSD, pfSense, &c. being distros of FreeBSD, EdgeBSD being a distro
of NetBSD.

The ports system _is_ a rolling release system for non-base software though,
though the base OS isn't. The closest BSD to come to having a rolling release
schedule for the base OS is OpenBSD, with its six-month release cycle. The
thing is that the BSDs can't have a rolling release schedule as is found in
some Linux distros because the base OS is managed separately from the
ports/packages: the core OS components aren't packaged, so there's no sense in
which they can 'roll'.

Personally, I'd never use an OS with a rolling release cycle on a server. Too
much can go wrong.

------
nathanvanfleet
Personally I like to get a consumer router and put OpenWRT on it. It used to
be a lot harder but it's gotten a lot more simple and effective. I have a few
reflashed Netgear WNDR3700s but there are probably better ones out there that
are pretty cheap too.

It takes more research and work but it's more simple than having to install
everything onto a clean OS install.

------
dfc
Does Soekris have any competition in this space? Any time I check I can never
find any viable competitors. Soekris seems to have hit the "IDA Pro sweet
spot," AKA unbelievable product priced just low enough to scare away any new
competitors.

~~~
sarnowski
Actually, soekris were pretty good but they are kinda outdated. I just got an
apu1d4 from pcengines[0] and OpenBSD works like a charm on it. Half the price,
much more power.

[0] [http://www.pcengines.ch/apu1d4.htm](http://www.pcengines.ch/apu1d4.htm)

~~~
zmyrgel
You need to look a bit closer to see the difference. APU uses cheaper realtek
NIC and soekris uses Intel's. Soekris gives Intel QuickAssist to help
encryption (VPN etc.). And soekris is showing up a new model later this year:
[http://soekris.com/products/net6801.html](http://soekris.com/products/net6801.html)

But PC-engines boards are nice for their price. I'm considering getting one at
home. That or spend a bit more on a soekris box.

~~~
gcb0
damn. you people are like audiophiles for network. ...is there a name for that
already?

those two boards have more CPU power than my home theater PC... which crunches
720p video all day long without a decent GPU.

~~~
wtallis
This is nothing like the absurdities of the audiophile community. Routing
traffic just isn't as trivial as you think it is, and going with cheap NICs
that are missing important features and have lower-quality drivers _will_
produce measurable and significant differences in objective benchmarks. If you
have something like a 100Mbps cable connection, you can't use just any
off-the-shelf hardware and expect to solve any problems in software.

~~~
gcb0
That's what an audiophile would say

;)

~~~
wtallis
It's also what the IETF says. Don't belittle those who are trying to fix the
problems you're frustrated with but can't be bothered to understand.

------
cies
And for the rest of us there is:
[http://routerboard.com](http://routerboard.com)

Which, as far as I know, comes with all open source software and is very well
supported by a large community.

~~~
fencepost
That's the Mikrotik hardware, and I don't believe RouterOS is open source. The
"L3", "L4", "L5" you see on the product listings are the RouterOS license
levels which control available features.

You can also run OpenWRT though installing it is described as "Not
straightforward."

------
pcunite
I've been using MikroTik lately because I wanted to identify my traffic and
QoS it differently for VoIP installations. It seems to do well with this.

------
chrissnell
Allow me to save all of you who follow this guide $14 and hours of headaches:
don't waste your time with the internal USB port on the Soekris net6501. The
little Sandisk Cruzer drives that fit inside the case are total crap. The two
that I bought lasted less than a day each. I think that writing the 4GB
PFsense image to them was enough to kill them. Unfortunately for me, it didn't
kill them in an obvious way. In my case, strange things started happening in
PFsense. DNS became half-broken, DHCP for new clients didn't function, etc. I
finally realized what was wrong and threw the USB drives in the trash and
bought some of these guys and the problem was solved:

[http://amzn.com/B00ELQZD10](http://amzn.com/B00ELQZD10)

------
hobarrera
Most consumer routers include an access point too nowadays.

The downside of this OpenBSD setup is that you still need a consumer grade AP
next to your router (that's exactly the setup I have).

OpenBSD still doesn't support 802.11 > g, regrettably.

------
pibefision
I'm using an ASUS RT-AC68U with totally open source firmware, supported by
asus, with timely updates to fix security issues. It's 802.11ac. I really
recommend it. Works very well.

~~~
wtallis
[https://wireless.wiki.kernel.org/en/users/drivers/b43](https://wireless.wiki.kernel.org/en/users/drivers/b43)
says that the BCM4360 802.11ac chip in that is unsupported. So what
open-source driver are you using for that?

------
fmajid
I just added an OpenBSD firewall in bridge mode between my Comcast router and
the rest of my network. It's implemented on a Shuttle DS57U (dual-core 1.5GHz
Broadwell Celeron 3205U), with 16GB Crucial DDR3L RAM and a 128GB Crucial SSD
(leftover parts). Total price: $358. It's a pretty sweet box: fanless, metal
chassis, dual Intel Gigabit Ethernet. The only (minor) quibble is the CPU
doesn't have AES-NI.

------
obisw4n
That's an awful lot of work to roll out your own router. What does this have
over, say, installing pfsense to a box?

~~~
tux
Save money on power cost for one! If you're installing pfSense consider a small
book-size or ITX case.

~~~
zf00002
Neither one will be much different if the hardware is the same.

------
pcunite
Here is the link to the relevant section ...

[https://youtu.be/a-wtYUKoBa0?t=3662](https://youtu.be/a-wtYUKoBa0?t=3662)

------
brunoqc
Is DNS caching still relevant these days (since we have fast connections now)?

~~~
hueving
Yes, unfortunately the speed of light has remained constant over recent years.

------
rasz_pl
> Atom E6xx series processor

no

------
ericcumbee
My only concern would be the use of an SSD for something like this. I know with
PFSense and Untangle, applications like this will shred an SSD in a fairly short
period of time.

~~~
detaro
The only thing such a system should write in bigger amounts are logfiles;
unless you keep very detailed logs/packet captures, you shouldn't get close to
the write limitations of a modern SSD, which is tens of GB per day. (You might
want to change the fsync behaviour though to limit write amplification, e.g.
syslog syncs the logfile to disk after every log line, which might become a
problem if you have very active logs?)

~~~
ericcumbee
I'm not sure of the exact details. I've only done a couple of untangle boxes
(using NexGen appliances). 6-8 months ago colleagues that do a lot more of
them were still seeing a much higher failure rate across all SSDs than with
spinning disks in Untangle boxes. Although I see now that NexGen offers an SSD
option on their boxes now, so things might have improved.

