Creating a simple shaping router using OpenBSD and PF
So to start with, let's complete a simple and straightforward OpenBSD install:
This short manual covers installs from the boot CD.
1. Setting up disks
1.1. Select "use all disk" for OpenBSD
1.2. An MBR record for OpenBSD is created; proceed with OpenBSD partition creation
1.3. Create the following partitions. Sizes are entered in 512-byte sectors unless a suffix is given, so 300000 sectors is about 146.5MB. Note that disklabel reserves "c" for the whole disk, so the partitions after "b" are lettered d, e, f, g.
# wd0a: / (root) - ~150M. Should be more than enough.
commands to exec:
>d a
>a a
>input size: 300000 (gives ~146.5MB)
>mount point: /
# wd0b: (swap) - ~586M.
commands to exec:
>a b
>input size: 1200000 (~585.9MB) for swap usage
# wd0d: /tmp - ~300M. /tmp is used for building some software; 300M will probably be enough for most things.
>a d
>set size: 600000 (~293MB)
>mount point: /tmp
# wd0e: /var - ~98M. If this were to be a web or mail server, we'd have made this partition much larger, but that's not what we are doing.
>a e
>set size: 200000 (~97.7MB)
>mount point: /var
# wd0f: /usr - 2G. We want this partition to be large enough to load a few user applications, plus be able to update and rebuild the system from source if desired or needed. The ports tree will be here as well, which will take almost 100M of this space before any ports are built. If one was planning on building many applications from source using ports rather than pre-built packages, you might want a lot more space here.
>a f
>set size: 4194304 (2GB; disklabel also accepts the suffixed form 2g)
>mount point: /usr
# wd0g: /home - all the remaining space (4G or more). This will allow plenty of user file space.
>a g
>size: accept the default, which is all the rest
>mount point: /home
command> p m - print the partition table with sizes in megabytes, to check what was created
1.4. Confirm the changes by typing: q
Confirm all other changes too, by typing: done
Confirm the write process
1.5. Configure the network interfaces
1.6. Input a root password
1.7. Specify the install set location (CD-ROM)
1.8. Input the path to the sets
1.9. Choose the sets to install; confirm by typing: done
1.10. Start sshd by default -> {yes}. Keep in mind that the pf.conf below passes all traffic to the router's external address, so sshd will be reachable from the Internet unless you narrow that rule.
1.11. X Window configuration -> {no}
1.12. Default console to com0 -> {no}
1.13. Input the time zone: Europe/Riga
1.14. When the installation has completed, type: halt
1.15. Reboot the system; the install is complete
Example of the sysctl.conf line that enables routing of packets (just uncomment it). It takes effect at boot; to apply it immediately, run the same assignment with sysctl(8) as root.
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
Some introduction to PF (Packet Filter): http://www.openbsd.org/faq/pf/
Example pf.conf configuration
This example shows PF being used for traffic shaping based on destination ports, i.e. per service. The configuration does no NAT and, as shipped, effectively no firewalling either, but it is not difficult to add rules for NAT and filtering while keeping the shaping. It uses the ALTQ syntax (altq/cbq queues and stand-alone scrub rules) of OpenBSD 4.x: OpenBSD 4.6 moved scrub into match rules, and 5.5/5.6 replaced ALTQ with the new queue system, so the syntax has to be adjusted for newer releases. Always check a ruleset with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch the queue counters with pfctl -vs queue to confirm traffic actually lands in the intended queues.
############## MACROS ##############
ext_if="em1" # External interface, connected to the ISP uplink
int_if="em0" # Internal interface, connected to your PC or routed network
me="my.ip.addr.ess" # The router's own external IP address, used below to pass the router's own traffic
# Priority ports: four groups of ports. The first three are plain lists and need no further comment.
ports_l1= "{ 22 }"
ports_l2= "{ 80, 8080, 443 }"
ports_l3= "{ 6688 }"
# "Everything else" cannot be written as a port list. pfctl expands
# { !=22, !=80, ... } into one rule per element, and those rules are OR'ed:
# the union of "not 22" and "not 80" is every port, so a rule using this
# macro matches all traffic. Keep it out of the filter rules; the remainder
# should be caught by an unqualified catch-all rule placed before the
# port-specific ones instead.
ports_l4= "{ !=22, !=80, !=8080, !=443, !=6688 }"
# Bandwidth definitions: the maximum available upload and download bandwidth.
# They are required because the queues below use the CBQ (class-based
# queueing) scheduler, which guarantees each child queue its configured share
# and lets it borrow idle bandwidth from the parent. That only works if these
# values are slightly below the real link rate, so that this box, and not the
# ISP's side, is the bottleneck.
avail_up="1Mb"
avail_down="1Mb"
# Network definitions: the network(s) behind the router. "any" means the
# rules below do not restrict addresses at all; put your real internal prefix
# here (for example "192.168.1.0/24", an assumed value) to make the inbound
# block rule meaningful.
x_net="any"
############### TABLE ##############
# Table loaded from a file containing one address or network per line: hosts
# that are not allowed to reach our $x_net. The file must exist (it may be
# empty) or the ruleset will not load.
table <badhosts> persist file "/etc/badhosts"
############### OPTIONS #################
# Normalization: reassemble fragments and sanitize incoming and outgoing packets
scrub in all
scrub out all
############## QUEUES #################
# ALTQ shapes outbound packets only, so upload queues are defined on the
# external interface (what leaves $ext_if is the upload) and download queues
# on the internal interface (what leaves $int_if towards the LAN is the
# download). Percentages are shares of the parent bandwidth; they add up to
# 90%, the rest is slack. "borrow" lets a queue exceed its share when the
# parent has idle bandwidth, "red" enables early drops before a queue fills.
######## Upload queues #####
altq on $ext_if cbq bandwidth $avail_up queue { quWWW, quPEER, quINTERACTIVE, qudefault, quICMP }
queue quWWW bandwidth 23% cbq(borrow red)
queue quPEER bandwidth 1% cbq(borrow red)
queue quINTERACTIVE bandwidth 2% cbq(borrow red)
queue qudefault bandwidth 61% cbq(default borrow)
queue quICMP bandwidth 3% cbq
######## Download queues ####
altq on $int_if cbq bandwidth $avail_down queue { qdWWW, qdPEER, qdINTERACTIVE, qddefault, qdICMP }
queue qdWWW bandwidth 23% cbq(borrow red)
queue qdPEER bandwidth 1% cbq(borrow red)
queue qdINTERACTIVE bandwidth 2% cbq(borrow red)
queue qddefault bandwidth 61% cbq(default borrow)
queue qdICMP bandwidth 3% cbq
############### FILTER ################
antispoof log for $ext_if
block in quick on $ext_if from <badhosts> to any
##### Allow all traffic for communication with $me #####
pass quick on lo0 all
# These two rules expose every service running on the router itself
# (including sshd from install step 1.10) to the Internet. Restrict the
# "pass in" rule to the ports you actually need.
pass in quick on $ext_if from any to $me
pass out quick on $ext_if from $me to any
### Connections opened from the LAN (in on $int_if, out on $ext_if)
# The queue named on a rule is attached to the state the rule creates and is
# used on whichever interface a packet of that state leaves, provided a queue
# of that name exists there. Replies back to the LAN leave on $int_if, so the
# qd* (download) queues apply to them; the requests leave on $ext_if, where
# no qd* queue exists, and fall into that interface's default queue.
# PF is last-match-wins for rules without "quick", so the catch-all comes
# first and the port-specific rules after it override it. Do not try to
# express "all other ports" as a { !=..., !=... } list: it matches everything.
pass in on $int_if proto {tcp, udp} from $x_net to any keep state queue qddefault
pass in on $int_if proto {tcp, udp} from $x_net to any port $ports_l1 keep state queue qdINTERACTIVE
pass in on $int_if proto {tcp, udp} from $x_net to any port $ports_l2 keep state queue qdWWW
pass in on $int_if proto {tcp, udp} from $x_net to any port $ports_l3 keep state queue qdPEER
pass in on $int_if proto {esp, gre} from $x_net to any keep state queue qddefault
pass in on $int_if proto icmp from $x_net to any keep state queue qdICMP
### Connections opened from the Internet (in on $ext_if, out on $int_if)
# Same logic mirrored: the replies leave on $ext_if and get the qu* (upload)
# queues. Note that "block in on $ext_if" only has an effect once $x_net is
# narrower than "any"; as shipped, every inbound connection to any address
# is passed, which is why this is a shaper and not a firewall.
block in on $ext_if
pass in on $ext_if proto {tcp, udp} from any to $x_net keep state queue qudefault
pass in on $ext_if proto {tcp, udp} from any to $x_net port $ports_l1 keep state queue quINTERACTIVE
pass in on $ext_if proto {tcp, udp} from any to $x_net port $ports_l2 keep state queue quWWW
pass in on $ext_if proto {tcp, udp} from any to $x_net port $ports_l3 keep state queue quPEER
pass in on $ext_if proto {esp, gre} from any to $x_net keep state queue qudefault
pass in on $ext_if proto icmp from any to $x_net keep state queue quICMP
############## DEFAULT POLICY ###############
# If you enable these, move them to the top of the filter section: with
# last-match semantics a "block" at the end overrides every pass rule above
# it that lacks "quick".
#block in all
#block out all
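The port-group ordering is the one place in this ruleset where a mistake is invisible until you look at the queue counters. The following is an added example, not part of the original page or of pfctl: a small Python model of the two PF behaviours the ruleset depends on, namely that pfctl expands a port list such as { !=22, !=80 } into one rule per element (OR'ed together) and that among non-quick rules the last matching one wins. It ignores interfaces, addresses and state entirely and classifies packets by destination port only; the port numbers and queue names are the page's own, the rule order in original_ruleset() is the page's original order, and fixed_ruleset() / quick_ruleset() are the two corrected orderings. Everything else (the Rule class, the function names) is invented for the illustration.

```python
"""Model of pf.conf port-list expansion and last-match-wins evaluation.

Illustration code only (constructed for this page, not pfctl). It reproduces
two PF semantics that decide which queue a packet ends up in:
  * a port list `{ a, b }` or `{ !=a, !=b }` becomes one rule per element,
    and the expanded rules are OR'ed;
  * the last matching rule decides, unless an earlier matching rule is `quick`.
Interfaces, addresses and state are deliberately left out.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    port: Optional[int]      # None: no "port" qualifier, matches any port
    negate: bool             # True for the "!=port" form
    queue: str               # queue named on the rule
    quick: bool = False      # "quick": stop evaluating once this rule matches

    def matches(self, dport: int) -> bool:
        if self.port is None:
            return True
        return dport != self.port if self.negate else dport == self.port


def expand(port_spec: str, queue: str, quick: bool = False) -> List[Rule]:
    """Expand one rule with a port list into the rules pfctl would generate.

    port_spec: "" (no port qualifier), "22", "{ 80, 8080, 443 }", "{ !=22, !=80 }".
    """
    spec = port_spec.strip().strip("{}").strip()
    if not spec:
        return [Rule(None, False, queue, quick)]
    rules = []
    for item in spec.split(","):
        item = item.strip()
        negate = item.startswith("!=")
        rules.append(Rule(int(item[2:] if negate else item), negate, queue, quick))
    return rules


def classify(rules: List[Rule], dport: int, default_queue: str) -> str:
    """Queue a packet to dport lands in: first matching quick rule, else last match.
    With no match the packet passes unqueued, i.e. into the interface default."""
    winner = None
    for r in rules:
        if r.matches(dport):
            winner = r
            if r.quick:
                break
    return winner.queue if winner else default_queue


# Port groups exactly as defined in the page's pf.conf.
PORTS_L1 = "{ 22 }"
PORTS_L2 = "{ 80, 8080, 443 }"
PORTS_L3 = "{ 6688 }"
PORTS_L4_BROKEN = "{ !=22, !=80, !=8080, !=443, !=6688 }"


def original_ruleset() -> List[Rule]:
    """The page's order: specific groups first, the '!=' list last."""
    return (expand(PORTS_L1, "qdINTERACTIVE") + expand(PORTS_L2, "qdWWW")
            + expand(PORTS_L3, "qdPEER") + expand(PORTS_L4_BROKEN, "qddefault"))


def fixed_ruleset() -> List[Rule]:
    """Corrected order: an unqualified catch-all first, specific rules after it."""
    return (expand("", "qddefault") + expand(PORTS_L1, "qdINTERACTIVE")
            + expand(PORTS_L2, "qdWWW") + expand(PORTS_L3, "qdPEER"))


def quick_ruleset() -> List[Rule]:
    """Alternative: keep the specific rules first but mark them quick."""
    return (expand(PORTS_L1, "qdINTERACTIVE", quick=True)
            + expand(PORTS_L2, "qdWWW", quick=True)
            + expand(PORTS_L3, "qdPEER", quick=True)
            + expand("", "qddefault"))


def queue_map(rules: List[Rule],
              ports: Iterable[int] = (22, 80, 443, 8080, 6688, 25, 53)) -> Dict[int, str]:
    """Classify a constructed sample of destination ports (25 and 53 are 'other')."""
    return {p: classify(rules, p, "qddefault") for p in ports}


if __name__ == "__main__":
    for name, rs in (("original", original_ruleset()),
                     ("fixed", fixed_ruleset()),
                     ("quick", quick_ruleset())):
        print(f"{name:9s} -> {queue_map(rs)}")
```

Running it shows that under the page's original ordering every port, including 22 and 80, is classified into qddefault: port 22 matches the qdINTERACTIVE rule, but it also matches the expanded "!=80" rule later in the list, and the later match wins. Both corrected orderings put 22 in qdINTERACTIVE, the web ports in qdWWW, 6688 in qdPEER and the rest in qddefault. In the real ruleset the quick variant has a side effect the catch-all-first variant does not: a quick pass stops evaluation of everything after it, so prefer the catch-all-first form unless you want that.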