OpenBSD veb style router

From WTFwiki

Scenario

OpenBSD 7.8 (any 7.0+ release should work, probably) on small fanless Intel Celeron N5105 router with 4x igc(4) NICs

  • igc0: plugged into uplink, cablemodem port 1 (WAN)
  • igc1: plugged into switch preserving 802.1q vlan tags, port 1 (LAN)
  • igc2: not used, but works identically to igc1
  • igc3: not used, but works identically to igc2
  • vlans with Layer 3/IP routing presence: 2, 3, 4, 99
    • vlan2 is as close to "trusted" as they come, and clients there can manage this router
    • vlan3, vlan4 are random untrusted client vlans
    • vlan99 is a "device management" net, which does not need to reach the internet

/etc/hostname.* configs

^:jontow@gw:~% for file in /etc/hostname.*; do echo ${file}: ; cat ${file} ; done
/etc/hostname.igc0:
description "WAN/to cablemodem:port1"
inet autoconf
inet6 autoconf
/etc/hostname.igc1:
description "LAN/tagged to switch:port1"
up
/etc/hostname.igc2:
up
/etc/hostname.igc3:
up
/etc/hostname.veb0:
description "LAN port bridge"
add igc1
add igc2
add igc3
add vport0
link0
link1
up
/etc/hostname.vlan2:
vlan 2 vlandev vport0
inet 10.10.2.1 255.255.255.0 NONE
up
/etc/hostname.vlan3:
vlan 3 vlandev vport0
inet 10.10.3.1 255.255.255.0 NONE
up
/etc/hostname.vlan4:
vlan 4 vlandev vport0
inet 10.10.4.1 255.255.255.0 NONE
up
/etc/hostname.vlan99:
vlan 99 vlandev vport0
inet 10.10.99.1 255.255.255.0 NONE
up
/etc/hostname.vport0:
up

/etc/pf.conf

## WAN interface; all internal vlans hang off vport0 (the veb0 bridge port),
## see the /etc/hostname.* files above
ext_if="igc0"

## table of external hosts that may solicit us on WAN interface
table <ssh-mgmt> {
  1.2.3.4/32, \
  5.6.7.8/32
}

## no filtering on loopback
set skip on lo
## default deny: last matching rule wins, so everything not matched by a later
## "pass" rule (and not belonging to an existing state) is dropped and logged
block drop log          # default deny: drop and log everything not passed below

## source-NAT everything leaving the WAN interface to its first address
## (":0" means no aliases)
match out on $ext_if from any to any nat-to ($ext_if:0)
## outbound from the router and forwarded traffic; pf keeps state by default,
## which is what lets the replies back in past the default deny
pass out on $ext_if # establish keep-state
## only the management hosts may ping the WAN address
pass in on $ext_if proto icmp from <ssh-mgmt> to ($ext_if)
## NOTE(review): no destination address given, so this matches tcp/22 from
## <ssh-mgmt> to *any* destination arriving on $ext_if, not just the router;
## if the intent mirrors the icmp rule above, `to ($ext_if) port 22` is the
## tighter form
pass in on $ext_if proto tcp from <ssh-mgmt> to port 22
## NOTE(review): igc0 runs "inet6 autoconf" but nothing here passes inbound
## icmp6 on $ext_if (router/neighbor discovery); confirm v6 actually comes up
## under the default deny, otherwise an explicit `inet6 proto icmp6` rule with
## the needed icmp6-type values belongs here

################################################################################
## vlan2: the "trusted" net; clients here manage the router
pass out on vlan2
## vlan2 may reach anything except the router's own vlan2 address.
## "(vlan2)" expands only to the address of vlan2 itself, so the router's other
## addresses (other vlans, $ext_if) and the hosts on the other vlans remain
## reachable — acceptable for the trusted net, see the vlan3/vlan4 notes below
pass in on vlan2 from any to !(vlan2)
## icmp
pass in on vlan2 proto icmp from any to (vlan2)
## ssh
pass in on vlan2 proto tcp from any to (vlan2) port 22
## mosh
pass in on vlan2 proto udp from any to (vlan2) port 60000:61000
## dhcp: unparenthesised "vlan2" is resolved at load time; 255.255.255.255 is
## for the initial DISCOVER/REQUEST broadcasts
pass in on vlan2 proto udp from any to { vlan2, 255.255.255.255 } port { 67, 68 }
## dns
pass in on vlan2 proto { tcp, udp } from any to (vlan2) port 53

################################################################################
## vlan3: untrusted clients; internet access plus dhcp/dns from the router
pass out on vlan3
## NOTE(review): "!(vlan3)" excludes only the router's vlan3 address, so this
## rule also passes vlan3 -> vlan2/vlan4/vlan99 hosts and vlan3 -> the router's
## other addresses (e.g. 10.10.2.1 port 22, if sshd listens there), since a
## locally delivered packet needs no matching "pass out". If vlan3 is meant to
## reach only the internet, `to ! self` plus a block (or a table) covering the
## 10.10.0.0/16 destinations is the usual shape. The same applies to vlan4.
pass in on vlan3 from any to !(vlan3)
## dhcp
pass in on vlan3 proto udp from any to { vlan3, 255.255.255.255 } port { 67, 68 }
## dns
pass in on vlan3 proto { tcp, udp } from any to (vlan3) port 53

################################################################################
## vlan4: untrusted clients, same shape (and same caveat) as vlan3
pass out on vlan4
pass in on vlan4 from any to !(vlan4)
## dhcp
pass in on vlan4 proto udp from any to { vlan4, 255.255.255.255 } port { 67, 68 }
## dns
pass in on vlan4 proto { tcp, udp } from any to (vlan4) port 53

################################################################################
## vlan99: device management net with no internet access. There is deliberately
## no broad "pass in on vlan99" rule, so devices here only get dhcp/dns from the
## router; reaching them from vlan2 works through "pass out on vlan99" below
pass out on vlan99
## dhcp
pass in on vlan99 proto udp from any to { vlan99, 255.255.255.255 } port { 67, 68 }
## dns
pass in on vlan99 proto { tcp, udp } from any to (vlan99) port 53