I've been using an OpenBSD box for NAT/firewall at home (with Verizon DSL) for a while now. I switched to OpenBSD after Red Hat dropped their non-enterprise version (don't get me wrong, I still use Fedora on desktop machines). The installation/setup is actually quite simple. Here are some notes.
Update(20040708): The notes have been updated for OpenBSD 3.5.

1. My internal and external network interfaces are fxp0 and fxp1, respectively. Note that after PPPoE is done, fxp1 will be represented by tun0.

2. Follow this to install OpenBSD 3.5 and configure the internal interface during the installation. After the installation, modify configuration files as follows.
   Note: Section 4.5.2 of the installation guide says "It is important that the first partition skips the first track of the disk, in this case, starting on sector 63". However, I'm using the first partition for OpenBSD, and I had to make the partition start on sector 0 (otherwise, it seems that the bootloader won't be installed correctly). Of course, YMMV.

3. /etc/rc.conf: make sure "pf=NO" (will start pf after the DSL link is up).

4. /etc/rc.local: put the following lines at the end to bring up the external interface and start ppp.

       /sbin/ifconfig fxp1 up
       /usr/sbin/ppp -ddial pppoe
       

5. /etc/sysctl.conf: make sure "net.inet.ip.forwarding=1" (enable IP forwarding).

6. My /etc/ppp/ppp.conf is as follows:

       default:
        set log Phase Chat LCP IPCP CCP tun command
        set timeout 0
        set redial 15 0
        set reconnect 15 10000
        set server /var/run/ppp.sock "" 0177
   
       pppoe:
        set device "!/usr/sbin/pppoe -i fxp1"
        set mtu max 1492
        set mru max 1492
        set speed sync
        enable lqr
        disable acfcomp protocomp
        deny acfcomp
        add! default HISADDR
        set authname <your_user_name>
        set authkey <your_password>
       

   Note: you can remove "LCP" from the first line of "default" if it's generating too many log messages.

7. My /etc/ppp/ppp.linkup is as follows:

       MYADDR:
         ! sh -c "/sbin/pfctl -e -f /etc/pf.conf"
       

   This will start pf after the link is up.

8. Finally, the NAT/firewall rules are specified in /etc/pf.conf (for more information about the rules, see here):

       ext_if="tun0"
       int_if="fxp0"
       internal_net="192.168.0.0/24"
       scrub in all
   
       # for NAT
       nat on $ext_if from $internal_net to any -> ($ext_if)
   
       # for firewall
       block in all
       block out all
       pass quick on lo0 all
       pass out on $ext_if proto tcp all modulate state flags S/SA
       pass out on $ext_if proto { udp, icmp } all keep state
       pass in on $int_if from $internal_net to any
       pass out on $int_if from any to $internal_net
       

These are based on several online documents I've read. Please let me know if you find something I missed. Thanks!

Last modified: Thu Jul 8 22:57:33 EDT 2004 using
by pach at cs.cmu.edu