OpenBSD Powered Wireless Network Router

18 Aug 2013

I have been using my ALIX PC-Engine as a home wireless network router for years. In that time I have cycled through all the main flavours of BSD and Debian Linux in the role of its OS. So far I have had the most pleasant experience with OpenBSD. In fact so pleasant that I feel an urge to spread the word on how easy it is to configure OpenBSD for networking scenarios like this.

Why OpenBSD

I personally love OpenBSD. One of the OpenBSD project's main efforts is keeping the base system free of vulnerabilities by maintaining a high-quality source base. As a result OpenBSD is reliable, secure and, for someone familiar with UNIX-like OSes, very intuitive to use. In fact the OpenBSD team puts so much faith in this approach that they refuse to provide tools like FreeBSD's jail system. In my opinion this decision somewhat disqualifies OpenBSD in roles where you need to deploy software that is not part of the system distribution: none of OpenBSD's guarantees apply in that case and you have limited means to isolate potentially vulnerable software from the rest of the system. Still, it makes OpenBSD a great choice for networking applications like a firewall or router, because everything you need is usually available within the base system. Provided you have some UNIX-like OS experience, you will find everything very easy to configure. Everything is simple, well designed and documented. And I mean really well documented. Even in more complicated scenarios like multi-path routing or traffic shaping, you will not need more than the FAQ and the man pages.

Hardware

With ALIX you get PC-like hardware, which means an x86 architecture with a BIOS. Most Linux distributions or BSDs should run on ALIX flawlessly and without hassle (I personally tried Debian, NetBSD and FreeBSD). Depending on the ALIX version you get one or two miniPCI slots, ideal for a wireless network adapter. Here is a list of supported hardware, among which you will also find the supported wireless network adapters. Take extra care while choosing network adapters: not many of them will work properly with OpenBSD. I personally have good experience with Ralink RT2561 based cards. I also tried Atheros based cards, but only got them working in 11a and 11b modes. A 500 MHz CPU doesn't sound like much, but it is enough firepower for a router/firewall. There is a variety of ALIX versions to choose from. I recommend picking one of the configurations without VGA and with 2 or 3 LAN interfaces.

OpenBSD 5.3 Installation

ALIX has a second IDE interface on board, so you can connect a CD-ROM drive, if you possess such a relic. However, I have never successfully booted an operating system from CD-ROM on ALIX. The most straightforward approach seems to be to use a virtual machine to install the OS directly to the CF card, configure networking and the serial port, and then stick the card into the ALIX and boot it. To do it this way you will need the following:

  • Linux box with CF card reader
  • QEMU installed
  • Image of OpenBSD installation CD
  • CF card with capacity at least 1 GB

To start QEMU with the OpenBSD installation, type the following command as root:

# qemu -curses -net nic -hda /dev/{cf_device} -cdrom ./install53.iso -boot cd

Use -curses because you won't need a graphical interface to the virtual machine, since the whole installation process is text only. In case you get error messages about a missing KVM kernel module, adding the -no-kvm parameter should fix it. You won't need KVM for this procedure.

In case you just want to play with OpenBSD, you may create a sparse file and use it as the disk image instead:

$ dd if=/dev/zero of=./disk.img count=0 bs=1 seek=1G

It should not take more than a minute to boot the installation CD. Just wait until you see this message:

Welcome to the OpenBSD/i386 5.3 installation program.
(I)nstall, (U)pgrade or (S)hell?

After you hit "I" and "enter", the installation program will take care of you from there. Here are hints for a few important questions:

  • Redirect console to com0: yes
  • Serial line rate: 38400
  • UUID in fstab: no
  • SSH daemon: yes
  • Plan to run X window system: no
  • Unless you have a good reason, choose 'whole disk' and add just one disklabel partition with '/' as mount point
  • When asked to select the installation sets, deselect all sets starting with 'x' by entering -x*. They would just take up space on the CF card.

It should be a quick and smooth ride. Only writing to the flash card will probably take some time. In case I'm proved wrong and you run into a dead end, look at my console output of a successful installation. At the end you should see this message:

CONGRATULATIONS! Your OpenBSD install has been successfully completed!
To boot the new system, enter 'reboot' at the command prompt.
When you login to your new system the first time, please read your mail
using the 'mail' command.

Rather than reboot, type halt, wait until the shutdown completes and stop QEMU, because we need to adjust the QEMU parameters before advancing to the next section.

First Boot and Networking

First we need to enable TAP networking to get the Internet working inside the virtual machine. We also need to access the machine through the serial line, because we chose to redirect the system console there during installation. The "-nographic" option instead of "-curses" is most likely the easiest way to do it. By default this option redirects the first serial port (com0) of the virtual machine to the stdio of the terminal from which QEMU was executed.

# tunctl -t tap0
# qemu -nographic -net nic -net tap,ifname=tap0,script=no -hda /dev/{cf_device}

While the virtual machine is booting, configure the IP on the tap0 interface on the host side:

# ifconfig tap0 192.168.10.1 netmask 255.255.255.0

Enable IP forwarding between the host interfaces and NAT on the interface with the Internet connection (wlan0 here):

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Log into your fresh OpenBSD installation as root and set up the network interface:

# ifconfig em0 192.168.10.2 netmask 255.255.255.0
# route add default 192.168.10.1

After that you should be able to access the Internet from within the virtual machine.

# ping 8.8.8.8
# ping google.com

If your connection isn't working, double-check your OpenBSD configuration. If you didn't spot the problem there, it's most likely outside the virtual machine. You should at least be able to ping 192.168.10.2 from your host machine. If that works, check your iptables and forwarding settings on the host.

Now that you have your connection working, you can connect via SSH to get a full-featured colour terminal.

$ ssh root@192.168.10.2

Now you can set the path to the package repository and install a few packages to make your system more comfortable to use:

# PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/i386/
# export PKG_PATH

Let's start with a text editor. I prefer Vim:

# pkg_add -v -i vim

Choose the no_x11 version. Vim comes bare and savage, so you might want to copy your .vimrc file to /usr/local/share/vim/vimrc or use this one:

set nocompatible
set et
set sw=4
set smarttab
set number

filetype plugin on
syntax on

set background=dark
colorscheme desert

By default the root account uses the Korn shell, and csh is also available out of the box. If you prefer zsh or bash you will need to install them too.

# pkg_add -v -i zsh

... and so on. Continue until the system suits you.

There is no need to make the current network configuration permanent, since you plan to run this system on real hardware. It makes more sense for the permanent network configuration to match the ALIX hardware. At least it will save you from fooling around with a null-modem cable.

ALIX, depending on which version you have, may have up to three VIA Rhine adapters. The one closest to the power connector will be seen by the system as vr0. Each interface has its own configuration file at /etc/hostname.{name-of-interface}, in this case /etc/hostname.vr0.

If you need dynamic configuration via DHCP, enter these four letters:

dhcp

For static configuration enter exactly what you would write after the ifconfig command:

inet 194.160.28.53 255.255.255.128

If you have one more interface, assign a local IP to it so the ALIX can become the default router for that network, in /etc/hostname.vr1:

inet 192.168.43.1 255.255.255.128

Wireless Networking

Like I mentioned, you have to choose your mini-PCI wireless network card wisely. Many cards will not work at all with OpenBSD, and only a few chipsets will work in IEEE 802.11g mode. The name of the network interface, and thus of the configuration file for the wireless card, depends on the driver name for your card. My RaLink card uses the ral driver, so the interface name is ral0 and the config file is /etc/hostname.ral0. If you are not sure about the interface name, make a guess; you can correct it later after you boot the system on the ALIX. To configure the wireless card as an access point, put this into its configuration file:

inet 192.168.43.129 255.255.255.128
mode 11g
media OFDM54
mediaopt hostap
nwid miesivata
wpakey openbsdwifi

That's it. The same options work on the ifconfig command line.

NAT and Firewall

NAT, firewall and QoS facilities are provided in OpenBSD by PF (Packet Filter). If you are unfamiliar with PF, think of it as an alternative to iptables on Linux. To block all incoming traffic from the Internet except ICMP echo and to enable NAT for both the LAN and the WiFi interface, put the following into /etc/pf.conf.

# interface definitions
isp_if = "vr0"
lan_if = "vr1"
wifi_if = "ral0"

# skip loopback interface
set skip on lo

# enable stateful firewall: pass everything by default, rules below override
pass

# block all incoming connections
block in on $isp_if

# allow incoming ICMP on all interfaces
pass in inet proto icmp all icmp-type echoreq

# NAT rule for LAN (if you have one)
pass out on $isp_if from $lan_if:network to any nat-to ($isp_if)

# NAT rule for WIFI network
pass out on $isp_if from $wifi_if:network to any nat-to ($isp_if)

# block SSH connections from outside world
block in on $isp_if proto tcp to port 22

You will also need to enable IP forwarding between interfaces. To do so, uncomment the corresponding line in /etc/sysctl.conf:

net.inet.ip.forwarding=1

The configuration becomes active once you boot the system on the ALIX. Starting PF with this configuration within QEMU makes no sense, since the referenced network interfaces are not available there.

DHCP Server Setup

For convenience it is a good idea to have the DHCP daemon running on both networks to assign IP addresses to connected machines. Put this into /etc/dhcpd.conf:

option  domain-name "my.domain";
option  domain-name-servers 217.75.71.141, 217.75.71.142;

# ethernet network
subnet 192.168.43.0 netmask 255.255.255.128 {
        option routers 192.168.43.1;
        range 192.168.43.32 192.168.43.127;
}

# wireless network
subnet 192.168.43.128 netmask 255.255.255.128 {
        option routers 192.168.43.129;
        range 192.168.43.132 192.168.43.200;
}

To make dhcpd start at system startup and listen on both interfaces, put this line into /etc/rc.conf.local:

dhcpd_flags="vr1 ral0"

You might want to omit the wireless interface from the list in case you are not sure whether you guessed the interface name correctly. If you were wrong, dhcpd will not start.

Boot ALIX

Now it is time to finally halt the virtual machine (via the halt command). Put the CF card with your fresh OpenBSD installation into the ALIX and power it on. Connect your PC to the ALIX vr1 interface with a patch cable (vr1 is the second interface counting from the power plug). Provided your setup is correct, you should get an IP via DHCP and be able to log in to 192.168.43.1 as root from your PC.

$ dhclient eth0
$ ssh root@192.168.43.1

List the interfaces with the ifconfig command to see whether they are all configured correctly.

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:13:ae:44
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe13:ae44%vr0 prefixlen 64 scopeid 0x1
        inet 188.167.185.22 netmask 0xfffffc00 broadcast 188.167.187.255
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:13:ae:45
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.43.1 netmask 0xffffff80 broadcast 192.168.43.127
        inet6 fe80::20d:b9ff:fe13:ae45%vr1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
ral0: flags=8c43<UP,BROADCAST,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:9a:70:7d
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid miesivata chan 1 bssid 00:19:db:9a:70:7d wpakey 0x275c129801957c2f07a86ed85e1911df26827c07b3998bc53da7f4daae9793e wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
        inet 192.168.43.129 netmask 0xffffff80 broadcast 192.168.43.255
        inet6 fe80::219:dbff:fe9a:707d%ral0 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

If you did not guess the name of your wireless interface correctly, it will be missing and another, unconfigured interface will show up instead. In that case do the following:

  • rename the config file /etc/hostname.ifname to match the wireless network interface
  • correct the wifi_if variable value at the top of /etc/pf.conf
  • add the wireless network interface to dhcpd_flags in /etc/rc.conf.local
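The three files in that checklist have to agree with each other, and dhcpd also needs the router address of each subnet to sit on a configured interface. The following script is an added example (not from the original post) that cross-checks the /etc/hostname.*, /etc/pf.conf, /etc/rc.conf.local and /etc/dhcpd.conf contents the way a reviewer would before booting the ALIX; the file contents are a constructed sample with two deliberate mistakes.

```python
import ipaddress
import re

# Constructed sample config (not the article's own files) with two deliberate
# mistakes: the wireless hostname file is named for a guessed driver (ath0) while
# pf.conf and dhcpd_flags say ral0, and vr1 is not on the subnet dhcpd serves on it.
SAMPLE_FILES = {
    "/etc/hostname.vr0": "dhcp\n",
    "/etc/hostname.vr1": "inet 192.168.1.1 255.255.255.128\n",
    "/etc/hostname.ath0": "inet 192.168.43.129 255.255.255.128\nmode 11g\n",
    "/etc/pf.conf": 'isp_if = "vr0"\nlan_if = "vr1"\nwifi_if = "ral0"\nset skip on lo\n',
    "/etc/rc.conf.local": 'dhcpd_flags="vr1 ral0"\n',
    "/etc/dhcpd.conf": (
        "subnet 192.168.43.0 netmask 255.255.255.128 {\n"
        "    option routers 192.168.43.1;\n    range 192.168.43.32 192.168.43.127;\n}\n"
        "subnet 192.168.43.128 netmask 255.255.255.128 {\n"
        "    option routers 192.168.43.129;\n    range 192.168.43.132 192.168.43.200;\n}\n"
    ),
}

def configured_interfaces(files):
    """Map interface name -> static addresses parsed from /etc/hostname.* files."""
    ifaces = {}
    for path, text in files.items():
        if path.startswith("/etc/hostname."):
            name = path[len("/etc/hostname."):]
            ifaces[name] = [ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                            for m in re.finditer(r"^\s*inet\s+(\S+)\s+(\S+)", text, re.M)]
    return ifaces

def check_router_config(files):
    """Return problems: names without a hostname file, and DHCP routers on no interface."""
    ifaces = configured_interfaces(files)
    problems = []
    for macro, name in re.findall(r'(\w+)\s*=\s*"(\w+)"', files["/etc/pf.conf"]):
        if name not in ifaces:
            problems.append(f"pf.conf: {macro} refers to unknown interface {name}")
    m = re.search(r'dhcpd_flags="([^"]*)"', files["/etc/rc.conf.local"])
    for name in (m.group(1).split() if m else []):
        if name not in ifaces:
            problems.append(f"rc.conf.local: dhcpd_flags lists unknown interface {name}")
    subnet_re = r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{[^}]*option routers\s+([\d.]+);"
    for net, mask, router in re.findall(subnet_re, files["/etc/dhcpd.conf"]):
        subnet = ipaddress.ip_network(f"{net}/{mask}")
        if not any(a.ip == ipaddress.ip_address(router) and a.network == subnet
                   for addrs in ifaces.values() for a in addrs):
            problems.append(f"dhcpd.conf: router {router} for {subnet} is on no configured interface")
    return problems

print(*check_router_config(SAMPLE_FILES), sep="\n")
```

Run against the real files after renaming hostname.ath0 to hostname.ral0 and fixing vr1, the function returns an empty list, which is the state you want before rebooting the ALIX.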

Reboot to check that everything works correctly after startup. Here is a checklist of features that should work.

  • DHCP on LAN network (already checked)
  • Internet connection on LAN network
  • Wireless network with WPA encryption
  • DHCP on wireless network
  • Internet connection on wireless network
  • Console access through the serial port (see next section)

Test Serial Port Console

Most ALIX boards don't have a graphics adapter, so in case of emergency the serial port will be the only way to communicate with the machine. It's a good idea to test it before you need it for real. Log in as root and prepare the minicom configuration file ~/.minicom.alix:

pu port             /dev/ttyS0
pu baudrate         38400
pu bits             8
pu parity           N
pu stopbits         1
pu rtscts           No

Connect your PC and the ALIX with a null-modem cable and start minicom.

# minicom alix

If your connection is working correctly, the standard login prompt should appear (if not, try hitting enter).

OpenBSD/i386 (miesivata.my.domain) (tty00)

login:

Conclusion

I hope that you enjoyed the straightforwardness of OpenBSD as I do. The final system is still far from perfect. Consider this state a functional minimum and a starting point for further customization to fit your specific needs. There are plenty of further applications to consider, e.g. a low-performance NAS, a CUPS print server, DNS for your local network or the MPD music player.