OpenBSD PF - Building a Router [Contents]

Background

Network Address Translation (NAT)

Handing out IP addresses to clients via DHCP

Allowing incoming connections to a local web server

Doing DNS caching for the LAN

Providing wireless connectivity (requires a supported card)

em0

em1

athn0

Networking

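# Run as root. net.inet.ip.forwarding is 0 by default; without it the box
# will never route between em0, em1 and athn0 no matter what pf says.
# echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
# em0 is the uplink (egress): get its address from the ISP via DHCP.
# echo 'dhcp' > /etc/hostname.em0 # if you have a static IP, use that instead
# em1 is the wired LAN: router address, netmask, broadcast.
# echo 'inet 192.168.1.1 255.255.255.0 192.168.1.255' > /etc/hostname.em1
# athn0 is the wireless LAN; its hostname.if file carries the WPA key, so
# keep it root-readable only (see the file below).
# vi /etc/hostname.athn0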

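# /etc/hostname.athn0 -- wireless LAN interface, run as an access point.
# Each line is handed to ifconfig(8) as-is.
# NOTE(review): AccessPointName and VeryLongPassword are placeholders; the
# passphrase sits here in clear text, so the file must stay readable by
# root only (hostname.if(5) recommends mode 0640, owner root).
media autoselect mode 11n mediaopt hostap chan 1 nwid AccessPointName wpakey VeryLongPassword
# Router address on the wireless subnet (matches dhcpd's "option routers"
# and unbound's listening interface for 192.168.2.0/24).
inet 192.168.2.1 255.255.255.0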

DHCP

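# Run as root.
# rcctl enable dhcpd
# Bind dhcpd to the two LAN interfaces only; em0 (the uplink) is left out
# so the router never answers DHCP requests coming from the ISP side.
# rcctl set dhcpd flags em1 athn0
# vi /etc/dhcpd.conf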

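# /etc/dhcpd.conf -- leases for the wired (em1) and wireless (athn0) LANs.
# Both subnets point clients at the router itself as default gateway and as
# DNS server (the unbound instance listening on 192.168.1.1 / 192.168.2.1).

subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.1;
	option domain-name-servers 192.168.1.1;
	# Dynamic pool starts at .4 so the fixed addresses below (.2, .3)
	# can never be handed to some other client.
	range 192.168.1.4 192.168.1.254;

	# myserver is the target of the pf rdr-to rule for ports 80/443, so its
	# address must not move. The MACs are placeholders -- fill in the real
	# ones. A fixed lease is convenience, not authentication: any client
	# that presents that MAC gets that address.
	host myserver {
		fixed-address 192.168.1.2;
		hardware ethernet 00:00:00:00:00:00;
	}
	host mylaptop {
		fixed-address 192.168.1.3;
		hardware ethernet 11:11:11:11:11:11;
	}
}

subnet 192.168.2.0 netmask 255.255.255.0 {
	option routers 192.168.2.1;
	option domain-name-servers 192.168.2.1;
	range 192.168.2.2 192.168.2.254;
}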

domain-name-servers

Firewall

# vi /etc/pf.conf
# After editing, `pfctl -nf /etc/pf.conf` parses the ruleset without loading
# it, which catches typos before they lock you out of the router.

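# /etc/pf.conf -- NAT router with two LANs (wired em1, wireless athn0)
# and one uplink (the "egress" interface group, i.e. em0).
wired = "em1"
wifi  = "athn0"

# Addresses that never legitimately appear on the public side: RFC 1918,
# loopback, link-local, documentation and multicast ranges.
# Note that 192.168.0.0/16 covers both of our own LANs -- this is why the
# two <martians> rules below are pinned to egress and must not be widened
# to all interfaces.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

# Blocked packets are silently dropped (no RST / ICMP unreachable) unless a
# rule says "return" explicitly.
set block-policy drop
# Collect counters for the uplink; view them with pfctl -si.
set loginterface egress
# Never filter loopback traffic.
set skip on lo0

# Normalise all incoming packets: clear DF, randomise the IP id field and
# clamp the TCP MSS to 1440 so tunnelled/PPPoE uplinks don't fragment.
match in all scrub (no-df random-id max-mss 1440)
# Source-NAT everything leaving the uplink that does not already carry an
# egress-network address. The parentheses make pf re-read the address at
# runtime, so a DHCP-assigned uplink address can change without a reload;
# ":0" selects the primary address only.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Drop packets whose source address belongs to one of these interfaces'
# networks but that arrive on a different interface.
antispoof quick for { egress $wired $wifi }

# Nothing from a bogon range may come in on the uplink, and nothing may be
# sent out of the uplink towards one (a leaked private-address route).
# The "return" here overrides block-policy so local senders fail fast.
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
# Default deny. pf is last-match-wins unless "quick", so the pass rules
# below override this for the traffic they describe.
block all

# All outbound IPv4 on every interface (router-originated and forwarded).
# Only "inet" is ever passed in this file: IPv6 falls through to
# "block all" on every interface.
pass out quick inet
# Anything IPv4 from the LAN hosts, both to the router and through it.
# NOTE(review): this also lets wired and wireless clients reach each
# other; if the wireless side should be isolated from the wired LAN, add a
# block rule between $wifi and $wired:network ahead of this one.
pass in on { $wired $wifi } inet
# Port-forward HTTP/HTTPS arriving on the uplink address to myserver
# (192.168.1.2, fixed by dhcpd). Only these two ports are ever reachable
# from outside. NOTE(review): there is no reflection rule, so LAN clients
# must use 192.168.1.2 directly rather than the public address.
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2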

wired = "em1" wifi = "athn0"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \ 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \ 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \ 203.0.113.0/24 }

set block-policy drop set loginterface egress set skip on lo0

block-policy

loginterface

pfctl -si

egress

em0

skip

match in all scrub (no-df random-id max-mss 1440) match out on egress inet from !(egress:network) to any nat-to (egress:0)

match

egress

match

antispoof quick for { egress $wired $wifi } block in quick on egress from <martians> to any block return out quick on egress from any to <martians>

block all

pass out quick inet

pass in on { $wired $wifi } inet

pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

DNS

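# Run as root. unbound is chrooted to /var/unbound, hence the config path.
# rcctl enable unbound
# vi /var/unbound/etc/unbound.conf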

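# /var/unbound/etc/unbound.conf -- caching resolver for both LANs.
server:
	# Listen on the two LAN-side router addresses and loopback only; the
	# uplink address is deliberately not listed, so nothing on the
	# Internet side can even reach the listener.
	interface: 192.168.1.1
	interface: 192.168.2.1
	interface: 127.0.0.1

	# Only the two LANs may query. Unbound's default for any network not
	# listed is to refuse, which keeps this from becoming an open resolver.
	access-control: 192.168.1.0/24 allow
	access-control: 192.168.2.0/24 allow

	# Required only when the forwarder below lives on 127.0.0.1 (e.g. a
	# local dnscrypt-proxy); with a remote upstream it could stay at the
	# default of "yes".
	do-not-query-localhost: no

	# Do not reveal hostname or version to id.server / version.bind
	# CHAOS queries.
	hide-identity: yes
	hide-version: yes

# Everything not cached is forwarded to a single upstream resolver.
# NOTE(review): 1.2.3.4 is a placeholder. Forwarding is plain DNS over the
# uplink unless the upstream is a local dnscrypt-proxy or
# forward-tls-upstream is enabled.
forward-zone:
	name: "."
	forward-addr: 1.2.3.4 # IP of the upstream resolver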

dnscrypt-proxy

If the router itself should also use the caching resolver, its /etc/resolv.conf file should contain nameserver 127.0.0.1.

Once the changes are in place, reboot the system.