Building an OpenBSD Wireless Access Point/Firewall/LAN Bridge

PB

What follows is an introductory guide to building a wireless access point on OpenBSD, with a built-in firewall and bridge, using the vether and bridge devices on OpenBSD.


Hardware Required

Of course, you're free to choose whatever hardware is supported by OpenBSD (which is plenty!) for this project, though I decided to go for something which fits the requirements beautifully, a PC Engines apu1c. This piece of kit has a lot of features, but my main reasons for choosing it were that it has the following features:

It also has other nice features (e.g. USB ports, GPIO pinout, I2C bus, etc.). Check the documentation PDF for all the details, or check the product web page.

OpenBSD Installation

I bought an m-SATA SSD, 30GB, for about £20. I am pleasantly surprised with its performance, size and price. I used this as the target to install OpenBSD.

I've decided, as I have over a decade of experience with OpenBSD, to use -current as it has some other features I wish to use. The stable release of OpenBSD is currently 5.5; for a novice I'd recommend using this, although I am using Unbound instead of BIND/named (Unbound does not come with 5.5). These instructions assume you are using -current, but should apply to 5.5 and certainly to 5.6, when it is released in November 2014.

Firstly, find a USB stick and write the .fs boot image to it: http://ftp.nluug.nl/OpenBSD/5.5/amd64/install55.fs

Now, do the dd foo, e.g. "dd if=install55.fs of=/dev/sdb" on a Linux box with only one USB stick inserted. Caveat emptor: you can overwrite your system drive if you're not careful, so check which device the stick is before running dd. Google if unsure. On Windows boxes, I've had good results with Win32 Disk Imager.

Connect a serial cable to your serial port. Insert the USB stick. Boot, and install over serial. You may need to make some changes to the PC Engines BIOS settings to re-arrange the boot order. The default baud rate for the APU1 is 115200, while the OpenBSD installer uses 9600. You may need to flip between the two to get it working and displaying correctly. Also, if keystrokes are not appearing, try changing your hardware/software flow control settings.

LAN Setup

Set up your LAN interface as you would normally, just to get it working, e.g. as outlined in the FAQ. Once this is done, and you are happy it's working, it's time to get the wireless set up. First, however, we will change the hostname.if file so that the interface becomes a member of a bridge together with a vether device. To do this, change /etc/hostname.re1 (re1 is my LAN interface) to contain only the following line:

  up

The 'up' statement simply brings the interface up, with no network configuration (no address) applied to it. This is because we will be using it as a member of a bridge interface. Now, create the /etc/hostname.bridge0 file and add the following:

  add re1
  add athn0
  add vether0
  up

Here re1 is your LAN interface, athn0 is your wireless card and vether0 is a new virtual Ethernet device we will spin up next. The vether0 device is where the bridge's own IP address lives; to create it, create the /etc/hostname.vether0 file with the appropriate contents, e.g.:

  inet 192.168.50.251 255.255.255.0 NONE
  up

At this point, you have a configured bridge, but the wireless host AP is not yet configured. Let's do that next...

Wireless Setup

You are free to choose whatever you wish here - I went for an Atheros chipset based card, the Atheros AR9281. This is supported by the athn driver on OpenBSD (though, as yet, athn has no actual support for 802.11n).

We need to set the card into AP (hostap) mode. Beware: the ordering of the lines in the hostname.athn0 file needs to be right, or you will get strange errors (can't change channel, can't assign channel, etc.). For some as yet unknown reason, my card was operating in 802.11a mode - even though I don't believe the card supports it...

So, here are the contents of /etc/hostname.athn0 (the SSID and the WPA key are placeholders; use your own):

  up
  nwid examplessid
  media autoselect mode 11g mediaopt hostap chan 1
  wpaprotos wpa2
  wpakey changeme

This spins up a new AP. Use another device to check that you can see it. You won't be able to get a usable connection yet, as you still need to set up dhcpd.

Setting up DHCPd

We also need to set up dhcpd to handle requests on the interface. I'm not going through that here, as it's outlined far better in the FAQ. One change, however: where the FAQ says to run

   # echo 'dhcpd_flags=""' >>/etc/rc.conf.local

use the following instead, so that the DHCP server listens on the vether0 device, i.e. on the bridge's own address rather than on one of the physical members:

   # echo 'dhcpd_flags="vether0"' >> /etc/rc.conf.local

PF / Packet Filter Setup

If you haven't already, you should set up PF. This, again, is best covered in the OpenBSD FAQ example, which also covers how to set up NAT. Don't forget to also edit /etc/sysctl.conf to enable IP packet forwarding, e.g.:

  net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
  net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
  net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
  net.inet6.ip6.mforwarding=1     # 1=Permit forwarding (routing) of IPv6 multicast packets

You should now set up your /etc/pf.conf, using NAT or however you wish to. Take particular note that the bridge needs to be accounted for: the same packets flow through the bridge member interfaces and the vether device, so you only need to filter on one of them. Your default "pass all" statements would look something like this:

  # default allow...
  # on a bridge we only need to filter on one interface, in this case it will be
  # vether0 - http://www.openbsd.org/faq/faq6.html#Bridge
  pass in on $int_if
  pass in on $wlan_if
  pass in log on $vether_if

You can then tighten the filters on the $vether_if interface, since that is the single point where all bridged traffic can be filtered and logged.
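Before rebooting, it is worth checking that the files written in the sections above agree with each other. The following POSIX shell function is an added example, not part of the original post or of OpenBSD: it takes the directory holding the files (normally /etc) as an argument, and checks the bridge membership, the hostap and WPA2 settings, that the placeholder wpakey has been replaced, the dhcpd_flags value, and the IPv4 forwarding sysctl.

```shell
#!/bin/sh
# Pre-reboot sanity check for the bridge/vether/hostap configuration
# described above (added example, not part of the original post).
# Usage: check_ap_config /etc
#   $1 is the directory holding the hostname.*, rc.conf.local and
#   sysctl.conf files; returns 0 if every check passes, else 1.
check_ap_config() {
    etc=$1; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # 1. Every 'add' member of bridge0 needs its own hostname.<if> file,
    #    and the bridge must include the vether0 device dhcpd and pf use.
    b=$etc/hostname.bridge0
    if [ -f "$b" ]; then
        for m in $(awk '$1=="add"{print $2}' "$b"); do
            [ -f "$etc/hostname.$m" ] || fail "bridge member $m has no hostname.$m"
        done
        grep -q '^add vether0' "$b" || fail "bridge0 does not add vether0"
    else
        fail "hostname.bridge0 missing"
    fi

    # 2. The wireless file must be in hostap mode, use WPA2, and carry a
    #    real pre-shared key (8-63 characters) rather than the placeholder.
    w=$etc/hostname.athn0
    if [ -f "$w" ]; then
        grep -q 'mediaopt hostap' "$w" || fail "athn0: no 'mediaopt hostap'"
        grep -q '^wpaprotos wpa2' "$w" || fail "athn0: wpaprotos is not wpa2"
        key=$(awk '$1=="wpakey"{print $2}' "$w")
        [ -n "$key" ] || fail "athn0: no wpakey line"
        [ "$key" != "changeme" ] || fail "athn0: wpakey is still 'changeme'"
        [ "${#key}" -ge 8 ] || fail "athn0: wpakey shorter than 8 characters"
    else
        fail "hostname.athn0 missing"
    fi

    # 3. dhcpd must listen on vether0 (the bridge's IP endpoint), and
    #    IPv4 forwarding must be on or the box will not route client traffic.
    grep -q '^dhcpd_flags="vether0"' "$etc/rc.conf.local" 2>/dev/null \
        || fail "rc.conf.local: dhcpd_flags does not name vether0"
    grep -q '^net.inet.ip.forwarding=1' "$etc/sysctl.conf" 2>/dev/null \
        || fail "sysctl.conf: net.inet.ip.forwarding is not set to 1"
    return $rc
}
```

Run it as root with `check_ap_config /etc` and fix every FAIL line before typing reboot.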

Conclusions

Moment of truth - reboot time! As so much can go wrong at this stage, you would be wise to leave your serial console connected so you can get into the box should it go wrong.

I've been very happy with my setup; it seems very stable and I've not encountered any issues. The range of the AP is good - better than with my previous Buffalo access point.