Obsd router » History » Version 1
Evil Ham, 06/01/2019 09:35 AM
h1. OpenBSD IPv6-only router

h2. Physical Setup (see attachment)

<pre>
Outside
Window:  ------------------------------------
Inside:  apu-obsd2  |  apu-obsd1  |  Netgear
         (left)     |  (right)    |  switch
</pre>

h2. Ethernet ports (emX)

<pre>
 ________
|        |
|  APU   |
|        |
|__|_|_|_|
   0 1 2
</pre>
| 22 | |||
h1. Network layout

h2. apu-obsd2 (left)

<pre>
* em0: uplink
    gateway:  2a0a:e5c0:1:7::7/64
    transfer: 2a0a:e5c0:1:7::23/64
    net:      2a0a:e5c0:111::1/48
* em1: Netz1
    net:      2a0a:e5c0:111:1::1/64
* em2: Netz2
    net:      2a0a:e5c0:111:2::1/64
</pre>

h2. apu-obsd1 (right)

<pre>
* em0: uplink
    gateway:  2a0a:e5c0:1:7::7/64
    transfer: 2a0a:e5c0:1:7::22/64
    net:      2a0a:e5c0:110::1/48
* em1: Netz1
    net:      2a0a:e5c0:110:1::1/64
* em2: Netz2
    net:      2a0a:e5c0:110:2::1/64
</pre>
h1. Firewall

* Forwarding all IPv6 traffic
* Accepting only icmp6 + ssh to the router itself
* Not filtering packets to other machines in the network
| 56 | |||
h1. Setup

1. Install OpenBSD
1.0. Flash USB (dd, whatever)
1.1. Boot from USB
1.2. Set up the serial installation
<pre>
boot> stty com0 115200
boot> set tty com0
boot> *enter*
</pre>
1.3. Follow friendly instructions from awesome shell code
1.4. Reboot into OpenBSD

2. Set up the gateway:
<pre>
> echo $Gateway_IPv6 > /etc/mygate
</pre>

3. Set up each network interface:
<pre>
> man hostname.if
> # Hint: write the ifconfig arguments to /etc/hostname.$INTERFACE
> man ifconfig
</pre>

4. Set up router advertisements
<pre>
> man rad
> man rad.conf
> # Enable rad
> rcctl enable rad
> vi /etc/rad.conf
> # Start rad
> rcctl start rad
</pre>

5. Set up the firewall
<pre>
> man pf
> man pf.conf
> # Care: don't get fancy with the ipv6 handling
> vi /etc/pf.conf
> # Load pf config
> pfctl -f /etc/pf.conf
</pre>

6. Add SSH keys to authorized_keys as usual
Currently [*]: evilham + roli have access to the root user.
[*]: 9.20 am Sunday of H4G_SE2019 [working short-title]

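As an added example (not the wiki author's files), the POSIX shell script below writes the configuration that steps 2 to 5 describe, for apu-obsd2 (left), using the addresses from the Network layout section. Assumptions that the page does not state: em0 carries only the transfer address and the /48 is routed to it by the upstream gateway; IPv6 forwarding has to be switched on in sysctl.conf; and the pf ruleset is one reading of the three bullets in the Firewall section, written so that the broad forwarding rule comes first and pf's last-matching-rule semantics narrow it down for packets addressed to the router's own addresses. Set ETC to a staging directory to review the generated files before copying them to /etc on the router.

```shell
#!/bin/sh
# Added example, not the wiki author's configuration. Generates the files from
# steps 2-5 for apu-obsd2 (left). Addresses are the page's; the layout of the
# files and the pf ruleset are this example's reading of the page.
# Usage on the router:   ETC=/etc sh gen-router-config.sh install
# Dry run for review:    ETC=/tmp/staging sh gen-router-config.sh install

GATEWAY="2a0a:e5c0:1:7::7"      # upstream gateway on the transfer net
TRANSFER="2a0a:e5c0:1:7::23"    # this router's address on em0
NET1="2a0a:e5c0:111:1::1"       # em1, Netz1
NET2="2a0a:e5c0:111:2::1"       # em2, Netz2

# Step 2: /etc/mygate holds the default gateway, one address per line.
write_mygate() {
    printf '%s\n' "$GATEWAY" > "$1/mygate"
}

# Step 3: one hostname.if(5) file per interface. The line format is the
# ifconfig argument list: "inet6 <address> <prefixlen>", then "up".
write_hostname_if() {   # $1 directory, $2 interface, $3 address
    printf 'inet6 %s 64\nup\n' "$3" > "$1/hostname.$2"
    chmod 640 "$1/hostname.$2"   # hostname.if files are not world-readable
}

# Forwarding between em0/em1/em2 only happens with this sysctl enabled
# (assumption: the page does not mention it). Appended once, idempotently.
write_sysctl() {
    grep -qs '^net.inet6.ip6.forwarding=1' "$1/sysctl.conf" ||
        printf 'net.inet6.ip6.forwarding=1\n' >> "$1/sysctl.conf"
}

# Step 4: rad.conf(5); advertise each downstream /64 on its own interface.
# ${NET1%::1} strips the host part, leaving the /64 prefix.
write_rad_conf() {
    cat > "$1/rad.conf" <<EOF
interface em1 {
    prefix ${NET1%::1}::/64
}
interface em2 {
    prefix ${NET2%::1}::/64
}
EOF
}

# Step 5: pf.conf(5) for the policy in the Firewall section. pf applies the
# last matching rule, so "pass inet6" is the baseline (forward everything,
# do not filter the hosts behind the router) and the rules after it only
# narrow what may reach the router itself: ICMPv6 and SSH.
write_pf_conf() {
    cat > "$1/pf.conf" <<'EOF'
set skip on lo
# IPv6-only router: nothing speaks IPv4 here
block quick inet
# Forward all IPv6; machines behind the router are not filtered by this box
pass inet6
# ...except packets addressed to the router itself: only ICMPv6 and SSH
block in inet6 to self
pass in inet6 proto ipv6-icmp to self
pass in inet6 proto tcp to self port 22
EOF
}

write_all() {   # $1 target directory (/etc on the router, or a staging dir)
    mkdir -p "$1"
    write_mygate "$1"
    write_hostname_if "$1" em0 "$TRANSFER"
    write_hostname_if "$1" em1 "$NET1"
    write_hostname_if "$1" em2 "$NET2"
    write_sysctl "$1"
    write_rad_conf "$1"
    write_pf_conf "$1"
}

if [ "${1:-}" = "install" ]; then
    write_all "${ETC:-/etc}"
    # On the router, apply with:
    #   sh /etc/netstart && sysctl net.inet6.ip6.forwarding=1 &&
    #   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf &&
    #   rcctl enable rad && rcctl start rad
fi
```

Review the staged pf.conf with `pfctl -nf` before loading it: a typo there locks you out of the serial-less box, which is the whole reason the page says not to get fancy with the IPv6 handling.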
h1. Put routers on the net of netz via fiber

h2. Test a MikroTik router
h3. Fail at its clicky click interface

h2. Test a Ubiquiti EdgeRouter
h3. Fail at its clicky click interface

h2. Test the Netgear switch that doesn't try to be smart
h3. Succeed after 2 minutes
h3. Set up cables and devices in a neat fashion
| 119 | |||
h1. Further

* Ask roli for access if needed
* Wake up evilham if the state of things is blocking
* Before that, ask $InsertAwesomeBSDPersonHere for help with pf if needed (e.g. for separation of the networks).