OpenBSD as an Edge Router

So I bought a new router, not that I needed one, but at the same time the one I have has a CPU from 2015, and it really falls one report after another about security flaws in both Intel’s and AMD’s processors. This router did I bought from Amazon, you may search for it: HUNSN RJ03. It is a router with a four core Celeron N5105 and with four Intel 2.5GbE I226-V interfaces.

The OpenBSD firewall I have today works perfectly, passively cooled, only the disk might be in danger of being destroyed through log writings. It has six gigabit interfaces and a pf.conf that works perfectly.

As stated above, the new router has only four interfaces and the CPU is from 2021, so I were wondering while waiting for it how to use it in the best possible way. And I saw a blog post about using OpenBSD as an edge firewall, so that is what I am striving for.

So my old firewall will be a core firewall that will filter everything inside, where the packets are allowed to travel within. The edge firewall, on the other hand, will be a very simple OpenBSD machine with very few packages, it will run pf, snmpd, ddclient, and pftop, and nothing else.

When I got it I tried it with different operating systems. I first started with OPNsense, but I thought the unit reached to high temperatures around 58 C. This happens to my old and trusted router also. It is a big difference to run a router OS with CLI only or with some kind of Web-UI. Furthermore, I also tested it with Alpine Linux and Debian, and it hovered around 41, but the goal was OpenBSD. From the beginning with APM -A the temperature was hovering around 44-48 degrees which I thought a little high, then I found the installable package obsdfreqd, which I installed with the flags: -d 10,100 -i 30,5 -m 100,99 -l 30,0 -r 20,25 -s 100,15 -t 80 -T 70, and since it is hovering around 41-42 degrees @ 1100MHz which I am satisfied with; my old router has better passive cooling it seems, it is hovering around 38 degrees.

Let us view the network configuration, only two interfaces are going to be used for now.

hostname.igc0
inet autoconf

hostname.igc1 
inet 172.16.100.2 0xfffffffc NONE description "LAN"
!route add -net 192.168.0.0/29	172.16.100.1
!route add -net 192.168.4.0/28	172.16.100.1
!route add -net 192.168.5.0/29	172.16.100.1
!route add -net 192.168.7.0/27	172.16.100.1
!route add -net 192.168.8.0/29	172.16.100.1
!route add -net 192.168.10.0/30	172.16.100.1
!route add -net 192.168.40.0/30	172.16.100.1
!route add -net 10.7.20.0/28	172.16.100.1
!route add -net 10.7.35.0/28	172.16.100.1
!route add -net 10.10.10.0/29	172.16.100.1
!route add -net 10.20.30.0/30	172.16.100.1

hostname.pflow0
flowsrc 172.16.100.2 flowdst 192.168.4.4:2525

As you can see I prefer not to make my subnets too big. It is easy enough to increase if need would arise.

The interface igc0 is the wan interface; igc1 is directly connected to my core router with OpenBSD with IP 172.16.100.1, and its interface is the default gateway on the core router. I have also added all the static routes back to the core router. Below hostname.em5 on the core router and its gateway printed out.

inet 172.16.100.1 255.255.255.252 NONE description "LAN"
group services
group smtp
group syslog
group netflow

cat /etc/mygate
172.16.100.2

These groups on the interface allows the edge firewall to use DNS, NTP, SMTP and syslog on the internal net, and to send netflow traffic to my netflow collector. These are the only allowed connection and services from the edge router to the inside, all else is rejected. The netstat -na -f inet looks like this:

tcp          0      0  172.16.100.2.22        *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address
udp          0      0  172.16.100.2.46611     192.168.4.1.123
udp          0      0  127.0.0.1.123          *.*
udp          0      0  172.16.100.2.161       *.*

No ports are listening on the wan side.

Firewall rules as follows (with comments):

########################
### pf.conf for edge ###
########################

### INTERFACES ¤###
lan="igc1"

### CLIENTS ###
librenms="192.168.4.7"
netflow="192.168.4.4"
fw="172.16.100.1"
edge="172.16.100.2"

#############
### PORTS ###
#############
server_tcp_ports=" { 22, 80, 443, 873, 9418, 11371 } "
media_tcp_ports=" { 80, 443, 587, 993, 5222:5223, 5228, 8000, 8080 } "
essential_tcp_ports=" { 80, 443 } "
icmp= " { echoreq, unreach } "

##############
### TABLES ###
##############
table <bruteforce> persist
table <sweden> persist file "/etc/sweden"
table <broken> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 224.0.0.0/3, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24 }
table <blocked> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <trusted_nets> { 10.7.20.0/29, 10.10.10.0/29 }
table <servers> { 192.168.4.0/28, 192.168.5.0/29 }
table <media> { 192.168.7.0/27 }
table <gaming> { 192.168.8.0/29 }
table <vpn> { 10.20.30.2 }
table <unifi> { 192.168.0.0/29 }
table <untrusted> { 10.7.35.0/28 }

#######################
### RUNTIME OPTIONS ###
#######################
set block-policy drop
set loginterface egress
set skip on lo0
set reassemble yes
set syncookies adaptive (start 25%, end 12%)
set state-defaults pflow

#############
### SCRUB ###
#############
match in all scrub (no-df random-id max-mss 1440)
match out on egress scrub (random-id)

###########
### NAT ###
###########
match out on egress inet from any to any nat-to (egress:0) port 1024:65535 set prio (5, 6 )

##################
### FILTRATION ###
##################
#### block rules ###
### We have aintispoof rules for both interfaces, we block ipv6 traffic and a block log all
antispoof quick for { egress, $lan }
block quick from <bruteforce>
block in quick log on egress from <broken> to any label "block in from BROKEN"
block return out log quick on egress from any to <broken> label "block out to BROKEN"
block quick inet6 label "block all ipv6"
block in log quick on egress proto icmp all label "BLOCK PING on wan"
block log all label "BLOCK ALL"

### pass out all ###
### we pass out all traffic, we will only be filtering in one direction
pass out on inet proto { tcp, udp, icmp } 

### pass in wireguard ###
### Twice my WireGuard server has stopped responding, I don't know why, therefore I  have as a backup solution SSH open, only accepting keys, and only Swedish IPs which lessens the source of attack and on a different port.
### WireGuard traffic are port sent to the WireGuard server on the core router via DNAT
pass in log on egress inet proto udp to egress port 51820 rdr-to $fw port 51820 keep state set prio (3, 5) label "WIREGUARD_MGMT"
pass in log on egress inet proto udp to egress port 51821 rdr-to $fw port 51821 keep state set prio (3, 5) label "WIREGUARD_VPN"
pass in log on egress inet proto tcp from <sweden> to egress port 777 flags S/SA synproxy state (max-src-conn 5, max-src-conn-rate 5/15, overload <bruteforce> flush global) rdr-to $fw port 22 label "SSH_FW"


###########
### LAN ###
###########
### FOR THE INTERNAL ###
### We pass everything that comes from the core router
pass in on $lan from $fw
### we are allowing SNMP and SSH traffic from within
pass in on $lan inet proto udp from $librenms to $edge port 161 keep state
pass in on $lan inet proto tcp from <trusted_nets> to $edge port 22 modulate state
### FOR THE EXTERNAL ###
### My trusted net has free pass to internet
pass in on $lan inet proto tcp from <trusted_nets> to !<blocked> modulate state
pass in on $lan inet proto udp from <trusted_nets> to !<blocked> port 1024:65535 keep state
### My servers are allowed some destination ports
pass in on $lan inet proto tcp from <servers> to !<blocked> port $server_tcp_ports modulate state
pass in on $lan inet proto udp from $librenms to !<blocked> port 51820 keep state
### My media network are also allowed some destination ports
pass in on $lan inet proto tcp from { <media>, <vpn> } to !<blocked> port $media_tcp_ports modulate state
### Gaming network has full pass
pass in on $lan inet proto { tcp, udp } from <gaming> to !<blocked> modulate state
### My untrusted IOT net cannot use anything on the inside, and only few destination ports on the internet, with low priority.
pass in on $lan inet proto udp from <untrusted> to !<blocked> port { 53, 123 } keep state set prio 2
pass in on $lan inet proto tcp from <untrusted> to !<blocked> port $essential_tcp_ports modulate state set prio 2
### We allow ping and traceroute
pass inet proto icmp all icmp-type $icmp keep state label "ICMP - allow internal ping"
pass inet proto udp to port 33433 >< 33626 keep state label "ICMP - allow traceroute"

Everything seems to work perfectly now. It was harder than I thought, because I am no networking wizard, trial and error and a lot of time helped me finish it. It is easier when you filter only in one direction. It feels safe to have an edge router that secures the border, which have only the base system and a couple of packages, the attack surface is rather small. And within I have a very segregated network system with very clear rules for what is allowed and not.

To reach the management network you will either have to have physical access, or know the VPN keys; to reach the management net via WiFi you need to be near and have a certificate; the same is true for the gaming network. The other networks have rather strict rules for what it is allowed to do, and the IOT network has no access at all inside.

For the interested: dmesg from the router HUNSN RJ03.

Links used for this project:
Edge OpenBSD PF Firewall
Obsdfreqd
Config help for obsdfreqd
https://www.openbsd.org

This article was updated on December 2, 2023