I've been using an OpenBSD box for NAT/firewall at home (with Verizon DSL) for a few months now. I switched to OpenBSD after Red Hat dropped their non-enterprise version (don't get me wrong, I still use Fedora on desktop machines). Although this is the first time I use OpenBSD, the installation/setup is actually quite simple. Here are some notes.
  1. My internal and external network interfaces are fxp0 and fxp1, respectively. Note that after PPPoE is done, fxp1 will be represented by tun0.
  2. Install OpenBSD 3.4 (see this), and configure the internal interface during the installation. After the installation, modify configuration files as follows.
  3. /etc/rc.conf: make sure "pf=NO" (will start pf after the DSL link is up).
  4. /etc/rc.local: put the following lines at the end to bring up the external interface and start ppp. 

        /sbin/ifconfig fxp1 up
    /usr/sbin/ppp -ddial pppoe

  5. /etc/sysctl.conf: make sure "net.inet.ip.forwarding=1" (enable IP forwarding).
  6. My /etc/ppp/ppp.conf is as follows: 

        default:
     set log Phase Chat LCP IPCP CCP tun command
     set timeout 0
     set redial 15 0
     set reconnect 15 10000
     set server /var/run/ppp.sock "" 0177

    pppoe:
     set device "!/usr/sbin/pppoe -i fxp1"
     set mtu max 1492
     set mru max 1492
     set speed sync
     enable lqr
     disable acfcomp protocomp
     deny acfcomp
     add! default HISADDR
     set authname <your_user_name>
     set authkey <your_password>

  7. My /etc/ppp/ppp.linkup is as follows: 

        MYADDR:
      ! sh -c "/sbin/pfctl -e -f /etc/pf.conf"

    This will start pf after the link is up.

  8. Finally, the NAT/firewall rules are specified in /etc/pf.conf (for more information about the rules, see here): 

        ext_if="tun0"
    int_if="fxp0"
    internal_net="192.168.0.0/24"
    scrub in all

    # for NAT
    nat on $ext_if from $internal_net to any -> ($ext_if)

    # for firewall
    block in all
    block out all
    pass quick on lo0 all
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state
    pass in on $int_if from $internal_net to any
    pass out on $int_if from any to $internal_net

These are based on several online documents I've read. Since I'm new to OpenBSD, please let me know if you find something I missed. Thanks!

Last modified: Wed Mar 10 14:44:31 EST 2004 using Vim
by pach at cs.cmu.edu