Creating a simple shaping router using OpenBSD and PF

By shroman

To start with, let's complete a simple and straightforward OpenBSD install.

This tiny manual is for boot CD installs.

1. Setting up disks

1.1. Select "use all disk" for OpenBSD.

1.2. An MBR record for OpenBSD is created; proceed with the OpenBSD partition creation.

1.3. Create the following partitions (disklabel takes sizes in 512-byte sectors, which is why the sector counts below look the way they do):

# wd0a: / (root) - 150M. Should be more than enough.

commands to exec:

> d a
> a a
> input size ~300000, which would give you 146.5Mb
> mount point: /

# wd0b: (swap) - 300M.

commands to exec:

> a b
> input size: 1200000, ~585.9Mb for swap usage

# wd0d: /tmp - 120M. /tmp is used for building some software; 120M will probably be enough for most things.

commands to exec:

> a d
> set size: 300Mb ~600000
> mount point: /tmp

# wd0e: /var - 80M. If this were a web or mail server, we'd have made this partition much larger, but that's not what we are doing.

commands to exec:

> a e
> set size: 80Mb ~200000
> mount point: /var

# wd0g: /usr - 2G. We want this partition to be large enough to load a few user applications, and to update and rebuild the system from source if desired or needed. The ports tree will be here as well, which will take almost 100M of this space before any ports are built. If one was planning on building many applications from source using ports rather than pre-built packages, you might want a lot more space here.

commands to exec:

> a f
> size: all the rest
> mount point: /usr

# wd0h: /home - 4G. This will allow plenty of user file space.

command> p m - to print the created partitions with sizes in megabytes

1.4. Confirm the changes by typing: q

Confirm all other changes too, by typing: done

Confirm the write process as well.

1.5. Configure network interfaces

1.6. Input a root password

1.7. Specify the install sets (CDROM)

1.8. Input the path to the sets

1.9. Choose the sets to install; confirm by typing: done

1.10. Set sshd to start by default: {yes}

1.11. X Window configuration -> {no}

1.12. Change the default console to com0 -> {no}

1.13. Input time zone: Europe/Riga

1.14. Installation completed; type: halt

1.15. Reboot the system; the install is complete.

Next, enable forwarding (routing) of packets in /etc/sysctl.conf. The stock file already contains the line; just uncomment it:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
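The edit above is a one-line change, but on a router it is worth doing it in a way that can be rehearsed on a copy and repeated without duplicating the line. The script below is an added example, not part of the original post: enable_forwarding takes the path of a sysctl.conf-style file (any path, so it can be tried on a temporary copy first) and leaves it with the forwarding key active, whether the key was commented out, set to 0 or missing; forwarding_value reports what the file would set at boot.

```shell
#!/bin/sh
# Added example, not from the original post: enable IPv4 forwarding the way the
# post describes (uncommenting net.inet.ip.forwarding=1 in sysctl.conf), done
# idempotently and against whatever file path is given, so it can be rehearsed
# on a copy before it is pointed at the real /etc/sysctl.conf.

# enable_forwarding FILE
# Makes the effective setting in FILE net.inet.ip.forwarding=1:
#   - an active "...=1" line is left alone (running twice changes nothing),
#   - an active "...=0" (or other) line is rewritten to 1,
#   - a commented-out "#net.inet.ip.forwarding=1 ..." line is uncommented,
#   - a file without the key gets the line appended.
enable_forwarding() {
    file=$1
    tmp="$file.tmp.$$"
    if grep -q '^net\.inet\.ip\.forwarding=1' "$file"; then
        return 0
    elif grep -q '^net\.inet\.ip\.forwarding=' "$file"; then
        sed 's/^net\.inet\.ip\.forwarding=.*/net.inet.ip.forwarding=1/' "$file" > "$tmp" \
            && mv "$tmp" "$file"
    elif grep -q '^#[[:space:]]*net\.inet\.ip\.forwarding=1' "$file"; then
        # Keep the stock trailing "# 1=Permit forwarding ..." comment; only drop the leading '#'.
        sed 's/^#[[:space:]]*\(net\.inet\.ip\.forwarding=1\)/\1/' "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf 'net.inet.ip.forwarding=1\n' >> "$file"
    fi
}

# forwarding_value FILE
# Prints the effective setting: the value on the last active
# net.inet.ip.forwarding line (a trailing "# comment" is ignored), or "unset".
forwarding_value() {
    v=$(sed -n 's/^net\.inet\.ip\.forwarding=\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Constructed sample: the stock commented-out line quoted in the post.
demo=$(mktemp)
printf '#net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets\n' > "$demo"
echo "before: $(forwarding_value "$demo")"   # unset
enable_forwarding "$demo"
echo "after:  $(forwarding_value "$demo")"   # 1
enable_forwarding "$demo"                    # second run: no change, still one line
cat "$demo"
rm -f "$demo"
# The edited file takes effect at boot; for the running kernel, as root:
#   sysctl net.inet.ip.forwarding=1
```

Because the edit goes through a temporary file and a rename, an interrupted run leaves the original untouched; the same function can be pointed at /etc/sysctl.conf once the dry run on the copy looks right.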

For an introduction to PF (Packet Filter), see http://www.openbsd.org/faq/pf/

Example pf.conf configuration

This example shows how PF can shape traffic based on destination ports, i.e. per service. The configuration performs no NAT and no real firewalling, but it is not difficult to add rules for NAT and filtering while keeping the shaping enabled.

############## MACROS ##############

ext_if="em1" # External interface, connected to the uplink (ISP)
int_if="em0" # Internal interface, connected to your PC or routed network
me="my.ip.addr.ess" # The router's own external IP address, used below to allow all traffic to and from the router itself

# Priority ports: three groups of ports, each mapped to its own queue below.
# Everything not listed here ends up in the default queues by rule order (see FILTER),
# so no "all other ports" macro is needed. Do not write one as a negated list such as
# { !=22, !=80, !=8080 }: pfctl expands a list into one rule per element, so any port
# matches at least one of the resulting "port != N" rules and the result is not "all other ports".
ports_l1="{ 22 }"
ports_l2="{ 80, 8080, 443 }"
ports_l3="{ 6688 }"

# Bandwidth definitions: the maximum available upload and download bandwidth. These are
# required because the shaping below uses the CBQ scheduler, which guarantees each queue
# its configured share of the parent bandwidth.
avail_up="1Mb"
avail_down="1Mb"

# Network definitions: the networks behind the router
x_net="any"

############### TABLE ########

# Table loaded from a file: a list of IPs that are not allowed to enter our $x_net
table <badhosts> persist file "/etc/badhosts"

############### OPTIONS #################

# Normalize (scrub) incoming and outgoing packets
scrub in all
scrub out all

############## QUEUES #################

######## Upload queues #####

# Upload queues with their percentage share of $avail_up
altq on $ext_if cbq bandwidth $avail_up queue { quWWW, quPEER, quINTERACTIVE, qudefault, quICMP }
queue quWWW bandwidth 23% cbq(borrow red)
queue quPEER bandwidth 1% cbq(borrow red)
queue quINTERACTIVE bandwidth 2% cbq(borrow red)
queue qudefault bandwidth 61% cbq(default borrow)
queue quICMP bandwidth 3% cbq

######## Download queues ####

# Download queues with their percentage share of $avail_down
altq on $int_if cbq bandwidth $avail_down queue { qdWWW, qdPEER, qdINTERACTIVE, qddefault, qdICMP }
queue qdWWW bandwidth 23% cbq(borrow red)
queue qdPEER bandwidth 1% cbq(borrow red)
queue qdINTERACTIVE bandwidth 2% cbq(borrow red)
queue qddefault bandwidth 61% cbq(default borrow)
queue qdICMP bandwidth 3% cbq

############### FILTER ################

antispoof log for $ext_if
block in quick on $ext_if from <badhosts> to any

##### Allow all traffic for communication with $me #####
pass quick on lo0 all
pass in quick on $ext_if from any to $me
pass out quick on $ext_if from $me to any

### Download traffic at int_if
# Permit traffic and assign it to the queues. These rules carry no "quick", so PF
# applies the last matching rule: the catch-all rule for the default queue comes
# first, and the port-specific rules after it take precedence for the listed ports.
pass in on $int_if proto {tcp, udp} from $x_net to any queue qddefault
pass in on $int_if proto {tcp, udp} from $x_net to any port $ports_l1 queue qdINTERACTIVE
pass in on $int_if proto {tcp, udp} from $x_net to any port $ports_l2 queue qdWWW
pass in on $int_if proto {tcp, udp} from $x_net to any port $ports_l3 queue qdPEER
pass in on $int_if proto {esp, gre} from $x_net to any queue qddefault
pass in on $int_if proto icmp from $x_net to any queue qdICMP

### Upload traffic at ext_if
# Same ordering as above: the catch-all default-queue rule first, then the specific ports.
block in on $ext_if
pass in on $ext_if proto {tcp, udp} from any to $x_net queue qudefault
pass in on $ext_if proto {tcp, udp} from any to $x_net port $ports_l1 queue quINTERACTIVE
pass in on $ext_if proto {tcp, udp} from any to $x_net port $ports_l2 queue quWWW
pass in on $ext_if proto {tcp, udp} from any to $x_net port $ports_l3 queue quPEER
pass in on $ext_if proto {esp, gre} from any to $x_net queue qudefault
pass in on $ext_if proto icmp from any to $x_net queue quICMP

############## DEFAULT POLICY ###############

#block in all
#block out all
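CBQ only behaves as described when the child queues of each altq parent fit inside the parent's bandwidth and exactly one child is marked default; pfctl -nf reports syntax errors but does not do this arithmetic for you. The script below is an added example, not part of the original post or of OpenBSD: queue_budget reads the queue section of a pf.conf, sums the percentage shares per altq line and reports which queue is the default, and the constructed sample it runs on is the queue section from the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for the CBQ
# queue definitions above. "pfctl -nf" catches syntax errors, but it does not
# tell you that the child queues of an altq parent add up to more than 100% or
# that a parent has no (or two) "default" queues, so this reads the queue
# section of a pf.conf and reports both before the rules are loaded.
# Only percentage bandwidths ("bandwidth 23%") are summed; absolute values
# such as "bandwidth 200Kb" are ignored.

# queue_budget FILE
# Prints one line per "altq on <if> ... queue { ... }" parent:
#   <interface as written, macro or name> <sum>% default=<queue name or NONE>
# Exit status 1 if any parent exceeds 100% or does not have exactly one default queue.
queue_budget() {
    awk '
        # altq on $ext_if cbq bandwidth $avail_up queue { quWWW, quPEER, ... }
        /^[ \t]*altq[ \t]+on[ \t]/ {
            iface = $3
            list = substr($0, index($0, "{") + 1)
            list = substr(list, 1, index(list, "}") - 1)
            n = split(list, names, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "") parent[names[i]] = iface
            order[++np] = iface
            next
        }
        # queue quWWW bandwidth 23% cbq(borrow red)
        /^[ \t]*queue[ \t]/ {
            name = $2
            if (!(name in parent)) next
            pct = 0
            for (i = 3; i < NF; i++)
                if ($i == "bandwidth" && $(i + 1) ~ /^[0-9]+%$/) {
                    v = $(i + 1); sub(/%$/, "", v); pct = v + 0
                }
            sum[parent[name]] += pct
            if ($0 ~ /[( ]default[) ]/) {
                ndef[parent[name]]++
                defname[parent[name]] = name
            }
        }
        END {
            bad = 0
            for (k = 1; k <= np; k++) {
                iface = order[k]
                d = (ndef[iface] == 1) ? defname[iface] : "NONE"
                printf "%s %d%% default=%s\n", iface, sum[iface], d
                if (sum[iface] > 100 || ndef[iface] != 1) bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed sample: the queue section from the post, macros and all.
sample_conf() {
cat <<'EOF'
altq on $ext_if cbq bandwidth $avail_up queue { quWWW, quPEER, quINTERACTIVE, qudefault, quICMP }
queue quWWW bandwidth 23% cbq(borrow red)
queue quPEER bandwidth 1% cbq(borrow red)
queue quINTERACTIVE bandwidth 2% cbq(borrow red)
queue qudefault bandwidth 61% cbq(default borrow)
queue quICMP bandwidth 3% cbq
altq on $int_if cbq bandwidth $avail_down queue { qdWWW, qdPEER, qdINTERACTIVE, qddefault, qdICMP }
queue qdWWW bandwidth 23% cbq(borrow red)
queue qdPEER bandwidth 1% cbq(borrow red)
queue qdINTERACTIVE bandwidth 2% cbq(borrow red)
queue qddefault bandwidth 61% cbq(default borrow)
queue qdICMP bandwidth 3% cbq
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
if queue_budget "$tmp"; then
    echo "queue budget OK"        # both parents sum to 90% with one default queue each
else
    echo "queue budget PROBLEM"
fi
rm -f "$tmp"
```

Run it against /etc/pf.conf on the router; a clean report is the point at which to continue with pfctl -nf /etc/pf.conf (parse only) and then pfctl -f /etc/pf.conf, after which pfctl -vsq shows the live per-queue counters and confirms that traffic is actually landing in the interactive, WWW and peer queues rather than all in the default one.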