I've been using an OpenBSD box for NAT/firewall at home (with Verizon DSL) for a few months now. I switched to OpenBSD after Red Hat dropped their non-enterprise version (don't get me wrong, I still use Fedora on desktop machines). Although this is the first time I use OpenBSD, the installation/setup is actually quite simple. Here are some notes.
  1. My internal and external network interfaces are fxp0 and fxp1, respectively. Note that after PPPoE is done, fxp1 will be represented by tun0.
  2. Install OpenBSD 3.4 (see this), and configure the internal interface during the installation. After the installation, modify configuration files as follows.
  3. /etc/rc.conf: make sure "pf=NO" (will start pf after the DSL link is up).
  4. /etc/rc.local: put the following lines at the end to bring up the external interface and start ppp.

        /sbin/ifconfig fxp1 up
        /usr/sbin/ppp -ddial pppoe
        

  5. /etc/sysctl.conf: make sure "net.inet.ip.forwarding=1" (enable IP forwarding).
  6. My /etc/ppp/ppp.conf is as follows:

        default:
         set log Phase Chat LCP IPCP CCP tun command
         set timeout 0
         set redial 15 0
         set reconnect 15 10000
         set server /var/run/ppp.sock "" 0177
    
        pppoe:
         set device "!/usr/sbin/pppoe -i fxp1"
         set mtu max 1492
         set mru max 1492
         set speed sync
         enable lqr
         disable acfcomp protocomp
         deny acfcomp
         add! default HISADDR
         set authname <your_user_name>
         set authkey <your_password>
        

  7. My /etc/ppp/ppp.linkup is as follows:

        MYADDR:
          ! sh -c "/sbin/pfctl -e -f /etc/pf.conf"
        

    This will start pf after the link is up.

  8. Finally, the NAT/firewall rules are specified in /etc/pf.conf (for more information about the rules, see here):

        ext_if="tun0"
        int_if="fxp0"
        internal_net="192.168.0.0/24"
        scrub in all
    
        # for NAT
        nat on $ext_if from $internal_net to any -> ($ext_if)
    
        # for firewall
        block in all
        block out all
        pass quick on lo0 all
        pass out on $ext_if proto tcp all modulate state flags S/SA
        pass out on $ext_if proto { udp, icmp } all keep state
        pass in on $int_if from $internal_net to any
        pass out on $int_if from any to $internal_net
        

These are based on several online documents I've read. Since I'm new to OpenBSD, please let me know if you find something I missed. Thanks!


Last modified: Wed Mar 10 14:44:31 EST 2004 using Vim
by pach at cs.cmu.edu