OpenBSD to the rescue
This weekend I've been at my girlfriend's parents'. The father of one of our close friends died last week, so we went there to be with her.
Anyway, we (especially my girlfriend) had a lot of work to finish before Monday, so we brought our laptops along. At her parents' house there was a cable modem with one computer connected to it. We needed Internet access, but that computer couldn't be disconnected from the Internet.
Luckily, I had a Soekris box with me, with OpenBSD 4.2 installed on it. In less than 15 minutes I had a functional firewall, gateway and wireless access point up and running, sharing the Internet connection between two laptops and a desktop computer.
First, I got access to the Soekris box from my MacBook using a USB-to-serial adapter and a null-modem cable:
OpenBSD/i386 (Arvak.e-shell.org) (tty00) login:
Then I logged into the OpenBSD 4.2 system:
# uname -ap
OpenBSD Arvak.e-shell.org 4.2 GENERIC#375 i386 Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
#
Once there, I set up the configuration files for the network interfaces:
# cat /etc/hostname.vr1
dhcp
# cat /etc/hostname.vr2
inet 192.168.1.1 255.255.255.0 NONE
# cat /etc/hostname.ral0
inet 10.0.1.1 255.255.255.0 NONE mediaopt hostap mode 11g nwid OpenBSD_AP chan 11 -nwkey
#
Here vr1 is the interface connected to the cable modem (it gets all its settings from the ISP's DHCP server), vr2 is the interface connected to the Windows computer, and ral0 is the interface that acts as the wireless access point. Note that -nwkey clears any WEP key, so the access point is open: anyone within radio range can join 10.0.1.0/24.
Next, I needed a DHCP server on vr2, so the Windows computer would still get its network settings from DHCP (as if it were still connected to the cable modem). Easy: I just opened /etc/dhcpd.conf and changed the default settings a little bit:
shared-network LOCAL-NET {
option domain-name "codigo23.net";
option domain-name-servers 212.51.32.254, 212.51.33.110, 212.51.33.73;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
range 192.168.1.32 192.168.1.127;
}
}
I only added the domain name and the three nameserver IP addresses from the ISP. The rest (the 192.168.1.0/24 subnet, the 192.168.1.1 router and the 192.168.1.32-127 range) is the stock configuration that ships with OpenBSD. This file only serves the wired subnet; if dhcpd should hand out addresses on the wireless side too, it needs a second subnet declaration for 10.0.1.0/24.
After editing the dhcpd configuration I edited /etc/rc.conf to change this line (on a box you keep, put such overrides in /etc/rc.conf.local instead, so an upgrade doesn't overwrite them):
dhcpd_flags=NO # for normal use: ""
to
dhcpd_flags="" # for normal use: ""
(so dhcpd will be started at boot time). With an empty dhcpd_flags the daemon listens on every interface; to keep it off the cable-modem side, name the interfaces it should serve instead, for example dhcpd_flags="vr2".
While I was editing rc.conf, I decided to change one more line:
pf=NO # Packet filter / NAT
to
pf=YES # Packet filter / NAT
(to enable the OpenBSD packet filter)
OK, the next step was to enable IPv4 packet forwarding by changing one line in /etc/sysctl.conf:
#net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
to
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
Fine, only one more step to go: I needed to set up PF, so I opened /etc/pf.conf and wrote some lines in it:
ext_if="vr1"
int_if="vr2"
wi_if="ral0"

set optimization normal
set block-policy return

scrub in on $ext_if all

# NAT both inside networks to the address of the cable-modem interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wi_if:network to any -> ($ext_if)

block in all

pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network
pass in quick on $wi_if from $wi_if:network to any
pass out quick on $wi_if from any to $wi_if:network
pass out quick on $ext_if from ($ext_if) to any keep state
Which basically means: translate all packets coming from the wireless link and from the internal network so that they reach the Internet as if they came from the firewall itself, and block every packet arriving from the Internet that isn't a reply to one of our outgoing connections (since OpenBSD 4.1, pass rules keep state by default, so the replies match state even where keep state isn't written). Note that the two "pass in ... to any" rules let the wireless clients reach the wired 192.168.1.0/24 network and the firewall itself.
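Because the access point is open, a tighter ruleset for the same box would keep wireless clients off the wired LAN and off the firewall while still giving them the Internet. The following is an added example, not the pf.conf from the post. It assumes the same interface names and addresses as above and OpenBSD 4.2 PF syntax (the pre-4.7 "nat on" form); the default-deny in both directions, the antispoof rules and the wireless isolation rule are the editor's additions.

```pf
# Added example (not the post's own ruleset): same box, same interfaces,
# but the open wireless segment is isolated from the wired LAN.
ext_if="vr1"
int_if="vr2"
wi_if="ral0"

set optimization normal
set block-policy return
set skip on lo0

scrub in all

# NAT both inside networks to the cable-modem address
nat on $ext_if from { $int_if:network, $wi_if:network } to any -> ($ext_if)

# default deny in both directions; everything below is an explicit exception
block all

# drop packets that claim a LAN-side source address but arrive on the wrong
# interface (e.g. a wireless client spoofing 192.168.1.x)
antispoof quick for { $int_if, $wi_if }

# the AP is open (-nwkey in hostname.ral0): wireless clients may not talk to
# the wired LAN or to the firewall's own addresses, only to the Internet
block in quick on $wi_if from any to { $int_if:network, $wi_if }
pass in quick on $wi_if from $wi_if:network to any keep state

# the wired LAN is trusted: full access, including to the firewall
pass in quick on $int_if from $int_if:network to any keep state

# replies to stateful connections and firewall-originated traffic
pass out quick on $ext_if from ($ext_if) to any keep state
pass out quick on $int_if from any to $int_if:network keep state
pass out quick on $wi_if from any to $wi_if:network keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. DHCP on the LAN-side interfaces keeps working without a pass rule because dhcpd reads and writes its packets through BPF, which PF does not see; the wireless clients still have no path to 192.168.1.0/24, and the "-nwkey" caveat above remains: the isolation only limits what a stranger on the AP can reach, not whether they can join.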
After a reboot everything was running smoothly: the Windows computer didn't notice the change and both laptops had Internet access.
Well, I had only one problem: it seems the house walls are made of some material that blocks the wireless signal, so we had trouble connecting to the access point from some parts of the house.
As wiwi would say, it's OpenBSD, it's easy!