Monday, 27 July 2015

OpenBSD router - BT Home hub 5 replacement

As we deploy OpenBSD based routers at work I decided to pimp up my home broadband in the same style! At work we use purpose built, low power devices, at home, I'm using an old Dell Optiplex 760 Core2Duo with a second NIC.

The onboard NIC is an Intel 1Gbps unit and the secondary is a Broadcom 1Gbps unit I salvaged.
Fortunately both have good support with OpenBSD.

At home I have Fibre to the Premise/Home from BT, currently on the mid level package 160Mbps - I'm not paying over the odds for the current 300Mbps package which is £50 at present. I am looking forward to BT's rollout of G.FAST which they're  about to trial out in Swansea which still uses copper to the distribution point, the new product will be called FTTdp. What exactly this means for those of us with FTTP, I'm not sure, but I hope we get matching speeds or more than FTTdp.

So I installed OpenBSD 5.7 on  the Dell, it's pretty easy, but not covered here. Once installed I wrote the following files to get the box 'dialled' up to BT, they're the generic BT credentials anyone with a non-BT Home Hub can use, they are the authname and password is BT, you apparently use your BT account login credentials.

Thus far I'm getting slightly faster speeds than I was with the BT Home Hub 5 in operation.

If you're not using a home brew OpenBSD router and some other router, then skip on down a bit to find out how to use the BT Hub's as a wireless access point to extend your wifi, you can use this with BT Hub 3,4 and 5's - so if you've got your old ones laying around you can use those to give you better wifi in areas where you may have sketchy wifi in your home.

OpenBSD router config, edit the files as below replacing em0 and bge0 for your own NIC identifiers.

File: /etc/hostname.em0   (em0 is a Intel NIC)
    descr "WAN"

File: /etc/hostname.bge0   (bge0 is a Broadcom NIC, this is a PCIe card)
    descr "Internal Network"
    inet NONE

File: /etc/hostname.pppoe0   (ppp "dial up" interface)
    inet NONE \
        pppoedev em0 authproto chap \
        authname authkey BT up
    !/sbin/route add default -ifp pppoe0

File: /etc/dhcpd.conf
    subnet netmask {
        option routers;
        option dhcp-lease-time 2592000;
        option domain-name-servers,,,,;

File: /etc/myname   (Setting the hostname of the router, this can be just about anything you want)

File: /etc/resolve.conf   (DNS resolvers in here, without configuring this you have no DNS)
nameserver   #BT DNS server
nameserver  #BT DNS server
nameserver            #Google DNS server1
nameserver            #Google DNS server2

File: /etc/rc.conf.local  (Daemon's / Services here, you may not need all, depending if you want VPN access into the network or not)
sshd_flags=""                    #Enables SSH access
dhcpd_flags=""                 #Enables DHCP Daemon/service
ntpd_flags="-s"                 #Enables Network Time Protocol server
isakmpd_flags="-K"         #Enables VPN Daemon, I'll be using this!
ipsec=YES                         #Enables IPSEC
ftpproxy_flags=""             #Enables the FTP Proxy service used in pf.conf

File: /etc/pf.conf    (This is the firewall config file)
    IF_WAN = "pppoe0"        #creates a variable for WAN, quicker updating by changing this only
    IF_LAN = "bge0"             #Creates a variable for LAN, in case I change the card/type later on

    set skip on { lo, enc }        #skips filtering loop back interface
    set block-policy drop        #drops any packets not dealt with below

    block in        #Blocks all incoming packets
    pass out       #Passes out any packets

    #FTP Proxy to allow FTP traffic correctly, this needs to be before your NAT rules
    anchor "ftp-proxy/*"         #Proxies all FTP traffic
    pass in log on $IF_LAN inet proto tcp from $IF_LAN:network to !$IF_LAN  \ port ftp flags S/SAFR modulate state divert-to port 8021

    #NAT's the LAN traffic to WAN, which is pppoe0 NOT em0 as its the dialling interface, also alters the MTU to 1440 as I had issues with a higher MTU
    match out on $IF_WAN from $IF_LAN:network nat-to ($IF_WAN:0) scrub (no-df max-mss 1492)

    #Allows Anything on the LAN to talk to the router
    pass in on $IF_LAN from $IF_LAN:network

    #Allows response to pings
    pass in inet proto icmp to $IF_WAN icmp-type { echoreq, unreach }

File: /etc/sysctl.conf   (enabling different system calls)
    net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
    net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
    net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)
    net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)

Once you've edited your config files, connect the BT Openreach modem to your WAN port and reboot, looking for errors during boot.
Check ifconfig for pppoe0 to make sure its 'dialled up'.
do pings to external IP's and hostnames to check connectivitiy, maybe ever hook up  a machine to the LAN port and see if it can connect to the internet.

The pppoe0 section of ifconfig will look like this, this can be checked with the command:
 ifconfig pppoe0

    pppoe0: flags=8851 mtu 1492
        priority: 0
        dev: em0 state: session
        sid: 0xf PADI retries: 4 PADR retries: 0 time: 02:51:40
        sppp: phase network authproto chap authname ""
        groups: pppoe egress
        status: active
        inet MY.BT.WAN.IP --> netmask 0xffffffff

BT Homehub config

Now that I have the OpenBSD box connected to BT's network, I still need WIFI, dammit!!!

So to re-purpose the BT Hub's all you need to do is:
  1. connect a PC/Laptop to the hub via ethernet
  2. Set a static IP on your ethernet adapter on the PC itself, make sure its in the same range as your LAN.
  3. Goto its webpage
  4. Goto Advanced settings and login
  5. Goto Firewall, configuration, and set to disabled.
  6. Goto Home Network, IP Addresses, turn off DHCP
  7. Change IP from .254 to say .200, conveniently out of the DHCP scope I set on the OpenBSD router
  8. Wait a couple minutes and try get to to, if you can't then yank out the BT Hub's power and plug it back in and try again, if you've done the above correctly you'll get into the Hub.
  9. Connect the Hub to your LAN port on the OpenBSD router, and any other devices to your Hub.
  10. Confirm your network works and you can get online.
  11. Remove the static IP you set and confirm you get a DHCP lease and can still get online.
Providing I've not missed anything and you've followed my directions, you should now be up and running with a home brew OpenBSD router, using your BT Hub as a WIFI access point, if neither of those are at fault then the stars aren't aligned with the planets in our neighbouring galaxy Andromeda.

Installing extra software on your router

To install binary packages, the preferred method of installing software not in the base install you should use pkg_add, however to do this you need to tell it where to get the packages from and to do this you simply type:

echo "export PKG_PATH=" >> .profile

You will probably want to change the ftp server, I've tested the speeds of each UK server and found exonetric's to be the "closest" in terms of hops on the internet, yes, I live in Oxford but there are 7 more hops from myself to the Oxford Uni's mirror than there are from myself to exonetric's mirror, this is just how my ISP and no doubt most ISP's route traffic back to London first then back out to the internet.

Now to install software you just type the below with < and > and choose from the list if asked relating to the software you want to install:


PS: Thanks go to the guys at the BSD Now podcast for linking to my BSD blog articles :) Keep up the good work guys, I am an occasional listener!

No comments:

Post a Comment