I've been using an OpenBSD box for NAT/firewall at home (with Verizon DSL) for a while now. I switched to OpenBSD after Red Hat dropped their non-enterprise version (don't get me wrong, I still use Fedora on desktop machines). The installation/setup is actually quite simple. Here are some notes.
Update(20040708): The notes have been updated for OpenBSD 3.5.

  1. My internal and external network interfaces are fxp0 and fxp1, respectively. Note that after PPPoE is done, fxp1 will be represented by tun0.

  2. Follow this to install OpenBSD 3.5 and configure the internal interface during the installation. After the installation, modify configuration files as follows.
    Note: Section 4.5.2 of the installation guide says "It is important that the first partition skips the first track of the disk, in this case, starting on sector 63". However, I'm using the first partition for OpenBSD, and I had to make the partition start on sector 0 (otherwise, it seems that the bootloader won't be installed correctly). Of course, YMMV.

  3. /etc/rc.conf: make sure "pf=NO" (pf is started from ppp.linkup once the DSL link is up; see step 7).

  4. /etc/rc.local: put the following lines at the end to bring up the external interface and start ppp.

        /sbin/ifconfig fxp1 up
        /usr/sbin/ppp -ddial pppoe
  5. /etc/sysctl.conf: make sure "net.inet.ip.forwarding=1" (enable IP forwarding).

  6. My /etc/ppp/ppp.conf is as follows:

         # labels start in column 0 in the real file; the commands under them are indented
         default:
          set log Phase Chat LCP IPCP CCP tun command
          set timeout 0
          set redial 15 0
          set reconnect 15 10000
          set server /var/run/ppp.sock "" 0177

         # this label is the one selected by "ppp -ddial pppoe" in /etc/rc.local
         pppoe:
          set device "!/usr/sbin/pppoe -i fxp1"
          set mtu max 1492
          set mru max 1492
          set speed sync
          enable lqr
          disable acfcomp protocomp
          deny acfcomp
          add! default HISADDR
          set authname <your_user_name>
          set authkey <your_password>
    Note: you can remove "LCP" from the first line of "default" if it's generating too many log messages.

  7. My /etc/ppp/ppp.linkup is as follows:

          # MYADDR is ppp's fallback label: it runs whatever address the ISP assigns
          MYADDR:
           ! sh -c "/sbin/pfctl -e -f /etc/pf.conf"
    This will start pf after the link is up. Since this hook is the only thing that enables pf, a syntax error in /etc/pf.conf leaves the box forwarding packets with no filtering at all; check the ruleset with "pfctl -nf /etc/pf.conf" before relying on it, and confirm with "pfctl -s info" that pf reports itself enabled once the link comes up.

  8. Finally, the NAT/firewall rules are specified in /etc/pf.conf (for more information about the rules, see here):

        # macros (fxp0 is the internal interface; the PPPoE link shows up as tun0)
        int_if = "fxp0"
        ext_if = "tun0"
        internal_net = "192.168.1.0/24"   # example value; put your own LAN prefix here
        scrub in all
        # for NAT
        nat on $ext_if from $internal_net to any -> ($ext_if)
        # for firewall
        block in all
        block out all
        pass quick on lo0 all
        pass out on $ext_if proto tcp all modulate state flags S/SA
        pass out on $ext_if proto { udp, icmp } all keep state
        pass in on $int_if from $internal_net to any
        pass out on $int_if from any to $internal_net
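The steps above are spread across five files, and nothing checks that they agree with each other until the link comes up and ppp.linkup tries to load pf.conf. The following shell script is an added example (not from the original notes) that runs offline against constructed copies of those files: it flags pf.conf macros that are used without a definition, a ppp.conf missing the label that "ppp -ddial" asks for, and the rc.conf and sysctl.conf settings from steps 3 and 5. The sample file contents and the temporary directory layout are constructed for the example; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): an offline consistency check for
# the files described in steps 3-8. It catches the mistakes that make the
# "pfctl -e -f /etc/pf.conf" in ppp.linkup fail, which would leave the box
# forwarding with pf disabled: pf.conf macros used but never defined, and a
# ppp.conf without the label named on the "ppp -ddial" command line.
# Constructed sample files are written to a temporary directory.

# Print every $macro referenced in a pf.conf that has no "macro = value" line.
pf_undefined_macros() {
    conf=$1
    defined=$(sed 's/#.*//' "$conf" |
        sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' | sort -u)
    # split on every character that cannot be part of a $name token
    used=$(sed 's/#.*//' "$conf" | tr -cs 'A-Za-z0-9_$' '\n' | sed -n 's/^\$//p' | sort -u)
    for m in $used; do
        printf '%s\n' "$defined" | grep -qx "$m" || echo "$m"
    done
}

# Label given to "ppp -ddial" in rc.local (empty if there is no such line).
rc_local_ppp_label() {
    sed -n 's/.*ppp -ddial[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# True if ppp.conf carries "<label>:" at the start of a line.
ppp_has_label() {
    grep -q "^$2:" "$1"
}

# True if rc.conf keeps pf off at boot (it is enabled from ppp.linkup instead).
rc_conf_pf_off() {
    grep -q '^pf=NO' "$1"
}

# True if sysctl.conf turns IP forwarding on.
sysctl_forwarding_on() {
    grep -q '^net\.inet\.ip\.forwarding=1' "$1"
}

# Run all checks on one directory of config files; report and return 1 on any failure.
check_setup() {
    dir=$1; status=0
    missing=$(pf_undefined_macros "$dir/pf.conf")
    if [ -n "$missing" ]; then
        echo "pf.conf: undefined macro(s): $(echo $missing)"; status=1
    fi
    label=$(rc_local_ppp_label "$dir/rc.local")
    if [ -z "$label" ]; then
        echo "rc.local: no 'ppp -ddial <label>' line"; status=1
    elif ! ppp_has_label "$dir/ppp.conf" "$label"; then
        echo "ppp.conf: no '$label:' label for 'ppp -ddial $label'"; status=1
    fi
    rc_conf_pf_off "$dir/rc.conf" || { echo "rc.conf: pf should be NO"; status=1; }
    sysctl_forwarding_on "$dir/sysctl.conf" || { echo "sysctl.conf: forwarding off"; status=1; }
    return $status
}

# --- constructed samples --------------------------------------------------
WORK=$(mktemp -d)
mkdir "$WORK/broken" "$WORK/fixed"
for d in broken fixed; do
    printf 'pf=NO\n' > "$WORK/$d/rc.conf"
    printf 'net.inet.ip.forwarding=1\n' > "$WORK/$d/sysctl.conf"
    printf '/sbin/ifconfig fxp1 up\n/usr/sbin/ppp -ddial pppoe\n' > "$WORK/$d/rc.local"
done
# "broken": rules from step 8 pasted without macro definitions, and a ppp.conf
# that only has a default: label.
cat > "$WORK/broken/pf.conf" <<'EOF'
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
block in all
pass in on $int_if from $internal_net to any
EOF
printf 'default:\n set log Phase Chat IPCP CCP tun command\n' > "$WORK/broken/ppp.conf"
# "fixed": macros defined, pppoe: label present.
{ printf 'int_if = "fxp0"\next_if = "tun0"\ninternal_net = "192.168.1.0/24"\n'
  cat "$WORK/broken/pf.conf"; } > "$WORK/fixed/pf.conf"
printf 'default:\n set log Phase Chat IPCP CCP tun command\npppoe:\n set device "!/usr/sbin/pppoe -i fxp1"\n' \
    > "$WORK/fixed/ppp.conf"

for d in broken fixed; do
    if check_setup "$WORK/$d"; then echo "$d: OK"; else echo "$d: problems found"; fi
done
```

Run it as-is to see the "broken" copy fail on the three undefined macros and the missing pppoe: label while the "fixed" copy passes; pointing check_setup at a directory holding the real /etc files gives the same report for a live box, without needing pfctl or ppp at all.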

These are based on several online documents I've read. Please let me know if you find something I missed. Thanks!

Last modified: Thu Jul 8 22:57:33 EDT 2004 using Vim
by pach at cs.cmu.edu