💾 Archived View for paritybit.ca › arboretum › sysadmin › openbsd-router.gmi captured on 2023-01-29 at 03:01:54. Gemini links have been rewritten to link to archived content
The machine is a Dell Optiplex 3010 SFF PC with the following specs:
There are three major software components to this router:

* DHCP, handled by dhcpd
* the firewall, handled by pf
* DNS, handled by unbound
DHCP is handled by dhcpd; its configuration is in `/etc/dhcpd.conf`.
This is the configuration:
```
option domain-name "paritybit.ca";

subnet 10.0.0.0 netmask 255.255.255.0 {
	option routers 10.0.0.1;
	option domain-name-servers 10.0.0.1;
	range 10.0.0.51 10.0.0.254;

	host hades {
		fixed-address 10.0.0.2;
		hardware ethernet 70:85:c2:54:98:92;
	}
	host hecate {
		fixed-address 10.0.0.3;
		hardware ethernet a4:1f:72:61:f4:fc;
	}
	host cerberus {
		fixed-address 10.0.0.4;
		hardware ethernet b0:83:fe:9b:8a:e3;
	}
	host eurynomos {
		fixed-address 10.0.0.5;
		hardware ethernet f8:bc:12:87:39:93;
	}
}

subnet 10.0.1.0 netmask 255.255.255.0 {
	option routers 10.0.1.1;
	option domain-name-servers 10.0.1.1;
	range 10.0.1.3 10.0.1.254;
}
```
There are two subnets, one for LAN (10.0.0.0/24) and one for WLAN (10.0.1.0/24).
There are reserved addresses for hades (my desktop), hecate (my test server), cerberus (my main server), and eurynomos (my NAS). The reserved address range for the LAN network is probably larger than it needs to be, but I won't have anywhere close to 200 devices/services anyway.
The firewall is handled by pf, which reads its configuration from `/etc/pf.conf`.
This is the basic configuration, with port-forwarding rules appended if needed:
```
WAN = "em0"
LAN = "em1"
WLAN = "re0"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }

# Set basic firewall settings
set block-policy drop
set loginterface egress
set skip on lo0

# Normalize incoming packets and perform NAT translation
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Protect from spoofed addresses and block traffic to/from non-routables
block in from no-route
block in quick from urpf-failed
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# Default deny incoming traffic
block all

# Block all DNS requests not addressed to this router
block return in quick on $LAN proto { udp tcp } to ! $LAN port { 53 853 }
block return in quick on $WLAN proto { udp tcp } to ! $WLAN port { 53 853 }

# Allow all outbound traffic
pass out quick

# Allow internal LAN/WLAN traffic
pass in on { $LAN $WLAN }

# Allow ICMP pings
pass in quick on egress inet proto icmp icmp-type echoreq max-pkt-rate 100/10

# Example port forwarding rule
# pass in quick log on egress proto tcp from any to (egress) port 443 rdr-to 10.0.0.5
```
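The martians table above is what makes the anti-spoofing rule work: a packet arriving on the WAN interface with a source inside 10.0.0.0/8 (which contains both the LAN and WLAN subnets) is dropped before any pass rule is reached. The following is an added example, not code from the page or from OpenBSD, that parses the macro and table lines of the pf.conf shown here and answers two questions a defender would ask: would a given source address be treated as a martian, and which commonly blocked prefixes the table does not cover. The list of expected prefixes is my own assumption; it deliberately includes 100.64.0.0/10 (RFC 6598 shared address space), which the page's table does not list, so that the check has something to report.

```python
import ipaddress
import re

# The macro and table lines of the pf.conf from the page, embedded so this runs offline.
PF_CONF = r'''
WAN = "em0"
LAN = "em1"
WLAN = "re0"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }

# Protect from spoofed addresses and block traffic to/from non-routables
block in quick on egress from <martians> to any
'''


def parse_pf(text):
    """Collect macro definitions and <table> bodies from a pf.conf fragment.

    Handles '#' comments and backslash line continuations; rule lines are skipped.
    Returns (macros: dict[str, str], tables: dict[str, list[ip_network]]).
    """
    macros, tables = {}, {}
    joined = re.sub(r"\\\s*\n", " ", text)  # fold backslash-continued lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"table\s+<(\w+)>\s*\{([^}]*)\}", line)
        if m:
            tables[m.group(1)] = [ipaddress.ip_network(a) for a in m.group(2).split()]
    return macros, tables


def is_martian(tables, addr):
    """True if addr matches the <martians> table and would be dropped on egress."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in tables["martians"])


# Prefixes a bogon table is commonly expected to cover (assumed list, not from the page).
EXPECTED_BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10"]


def uncovered(tables, candidates=EXPECTED_BOGONS):
    """Return the candidate prefixes not fully contained in any <martians> entry."""
    out = []
    for c in candidates:
        cn = ipaddress.ip_network(c)
        if not any(cn.subnet_of(net) for net in tables["martians"]):
            out.append(c)
    return out


if __name__ == "__main__":
    macros, tables = parse_pf(PF_CONF)
    print("macros:", macros)
    for a in ("10.0.0.7", "192.168.1.20", "8.8.8.8"):
        print(a, "martian" if is_martian(tables, a) else "routable")
    print("not covered by <martians>:", uncovered(tables))
```

Run it against a copy of your own pf.conf by replacing PF_CONF with the file contents; `pfctl -nf /etc/pf.conf` remains the authoritative syntax check, this script only reasons about the address ranges.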
DNS is provided by unbound which keeps its configuration at `/var/unbound/etc/unbound.conf`.
Here is the configuration:
```
server:
	interface: 10.0.0.1
	interface: 10.0.1.1
	interface: 127.0.0.1
	access-control: 127.0.0.1/8 allow
	access-control: 10.0.0.0/24 allow
	access-control: 10.0.1.0/24 allow
	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes
	cache-min-ttl: 3600
	prefetch: yes

	# Perform DNSSEC validation.
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
	# https://tools.ietf.org/html/rfc8198
	aggressive-nsec: yes

forward-zone:
	name: "."
	forward-addr: 1.1.1.1

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock
```
Optionally, the following can be added under 'server:' to serve whatever local DNS records are required:
```
	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	local-zone: "paritybit.ca" transparent
	local-data: "yarr.paritybit.ca IN A 10.0.0.3"
	local-data: "actual.paritybit.ca IN A 10.0.0.3"
```
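The dhcpd reservations and the unbound local-data above depend on each other: a local A record is only stable if the address it points at is a fixed-address reservation rather than a dynamic lease, and a reservation is only safe if it lies inside its subnet but outside the dynamic range and no MAC is reserved twice. The following is an added example, not code from the page, that parses the dhcpd.conf and local-data shown here, runs those consistency checks, and confirms that both A records resolve to reserved addresses. The BAD_CONF block is constructed for illustration and is not part of the page's configuration; the regular expressions cover only the dhcpd.conf constructs used on this page.

```python
import ipaddress
import re

# dhcpd.conf from the page, embedded so the check runs offline.
DHCPD_CONF = """
option domain-name "paritybit.ca";
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
    range 10.0.0.51 10.0.0.254;
    host hades { fixed-address 10.0.0.2; hardware ethernet 70:85:c2:54:98:92; }
    host hecate { fixed-address 10.0.0.3; hardware ethernet a4:1f:72:61:f4:fc; }
    host cerberus { fixed-address 10.0.0.4; hardware ethernet b0:83:fe:9b:8a:e3; }
    host eurynomos { fixed-address 10.0.0.5; hardware ethernet f8:bc:12:87:39:93; }
}
subnet 10.0.1.0 netmask 255.255.255.0 {
    option routers 10.0.1.1;
    option domain-name-servers 10.0.1.1;
    range 10.0.1.3 10.0.1.254;
}
"""

# The optional unbound local-data from the page.
UNBOUND_LOCAL = """
local-zone: "paritybit.ca" transparent
local-data: "yarr.paritybit.ca IN A 10.0.0.3"
local-data: "actual.paritybit.ca IN A 10.0.0.3"
"""

# Constructed bad config (not from the page): one reservation inside the dynamic
# range and one MAC address reserved twice.
BAD_CONF = """
subnet 10.0.2.0 netmask 255.255.255.0 {
    option routers 10.0.2.1;
    range 10.0.2.10 10.0.2.254;
    host stray { fixed-address 10.0.2.20; hardware ethernet 00:11:22:33:44:55; }
    host twin { fixed-address 10.0.2.5; hardware ethernet 00:11:22:33:44:55; }
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
LOCAL_A_RE = re.compile(r'local-data:\s*"(\S+)\s+IN\s+A\s+(\S+)"')


def parse_dhcpd(text):
    """Return one dict per subnet block: {network, range: (lo, hi) or None, hosts: {name: (ip, mac)}}."""
    subnets = []
    for chunk in re.split(r"(?=\bsubnet\b)", text):
        m = SUBNET_RE.search(chunk)
        if not m:
            continue  # global options before the first subnet block
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        r = RANGE_RE.search(chunk)
        rng = (ipaddress.ip_address(r.group(1)), ipaddress.ip_address(r.group(2))) if r else None
        hosts = {}
        for h in HOST_RE.finditer(chunk):
            f, mac = FIXED_RE.search(h.group(2)), MAC_RE.search(h.group(2))
            hosts[h.group(1)] = (ipaddress.ip_address(f.group(1)) if f else None,
                                 mac.group(1).lower() if mac else None)
        subnets.append({"network": net, "range": rng, "hosts": hosts})
    return subnets


def check_reservations(subnets):
    """Return a list of problem strings; an empty list means the reservations are consistent."""
    problems, seen_mac = [], {}
    for s in subnets:
        net, rng = s["network"], s["range"]
        for name, (ip, mac) in s["hosts"].items():
            if ip is None or mac is None:
                problems.append(f"{name}: missing fixed-address or hardware ethernet")
                continue
            if ip not in net:
                problems.append(f"{name}: {ip} is outside {net}")
            if rng and rng[0] <= ip <= rng[1]:
                problems.append(f"{name}: {ip} lies inside dynamic range {rng[0]}-{rng[1]}")
            if mac in seen_mac:
                problems.append(f"{name}: MAC {mac} already reserved for {seen_mac[mac]}")
            seen_mac.setdefault(mac, name)
    return problems


def local_data_backed(unbound_text, subnets):
    """Map each unbound A record name to whether its address is a dhcpd reservation."""
    reserved = {ip for s in subnets for ip, _ in s["hosts"].values() if ip}
    return {name: ipaddress.ip_address(ip) in reserved
            for name, ip in LOCAL_A_RE.findall(unbound_text)}


if __name__ == "__main__":
    good = parse_dhcpd(DHCPD_CONF)
    print("page config problems:", check_reservations(good))
    print("local-data backed by reservations:", local_data_backed(UNBOUND_LOCAL, good))
    print("bad config problems:", check_reservations(parse_dhcpd(BAD_CONF)))
```

The dhcpd reservations for hades, hecate, cerberus and eurynomos all sit in 10.0.0.2-10.0.0.5, below the dynamic range starting at 10.0.0.51, and both A records point at hecate's reserved 10.0.0.3, so the page's configuration passes every check.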
Note that, because the WAN address is acquired with DHCP, the following is required in `/etc/dhclient.conf` so that the nameservers offered by the upstream DHCP server do not replace the local resolver:
```
interface "em0" {
	ignore domain-name-servers;
}
```