Thursday 26 November 2015

Setting up an OpenBSD router with TalkTalk FTTC

So a friend of mine wanted a low powered OpenBSD router, he bought a Micro ITX Quad core motherboard with two on board netword cards, 4Gb ram and a swish looking case, parts list will be below when I get them, which came to around £120 from This setup is cheaper and more powerful and the Soekris range we use at work, however the Soekris boards come with 4 NIC's now days, but with these Mini ITX and the right case you can add a second 1,2,3 or 4 port NIC - for less than a Soekris. Saying that Soekris boards are probably still lower powered as they use Atom CPU's.

He followed my OpenBSD router guide for BT Fibre connections, however that didn't work because unlike BT, TalkTalk use MPoA and not PPPoE for the their Fibre connections. He had tried what we thought would be his TalkTalk credentials, TalkTalk had told him there were no credentials ... which we didn't believe until we done some research. I believe TalkTalk ADSL would still require credentials and use a PPPoE connection.

What that means is that all you need to do with a TalkTalk FTTC/FTTH connection is to set your WAN adapter to get an IP via DHCP and setup the rest of the router in the same way as my other post. This applies to any router on a TalkTalk fibre connection, no credentials needed!

I'll include  the config files here.

OpenBSD router config, edit the files as below replacing re0 and re1 for your own NIC identifiers. The below config may be slightly incorrect as I've edited from memory based on the BT config, but I'm sure its fine.

File: /etc/hostname.re0   (reX's are Realtek NIC's)
    descr "WAN"

File: /etc/hostname.re1   (reX's are Realtek NIC's)
    descr "Internal Network"
    inet NONE

File: /etc/dhcpd.conf
    subnet netmask {
        option routers;
        option dhcp-lease-time 2592000;
        option domain-name-servers,,;

File: /etc/myname   (Setting the hostname of the router, this can be just about anything you want)

File: /etc/resolve.conf   (DNS resolvers in here, without configuring this you have no DNS)
nameserver   #TalkTalk Primary DNS server they may change in the future so check them!
nameserver  #TalkTalk Secondary DNS server  they may change in the future so check them!
nameserver            #Google DNS server1
nameserver            #Google DNS server2

File: /etc/rc.conf.local  (Daemon's / Services here, you may not need all, depending if you want VPN access into the network or not)
sshd_flags=""                    #Enables SSH access
dhcpd_flags=""                 #Enables DHCP Daemon/service
ntpd_flags="-s"                 #Enables Network Time Protocol server
ftpproxy_flags=""             #Enables the FTP Proxy service used in pf.conf

File: /etc/pf.conf    (This is the firewall config file)
    IF_WAN = "re0"        #creates a 'variable' for WAN, quicker updating by changing this only
    IF_LAN = "re1"             #Creates a 'variable' for LAN, in case I change the card/type later on

    set skip on { lo, enc }        #skips filtering loop back interface
    set block-policy drop        #drops any packets not dealt with below

    block in        #Blocks all incoming packets
    pass out       #Passes out any packets

    #FTP Proxy to allow FTP traffic correctly, this needs to be before your NAT rules
    anchor "ftp-proxy/*"         #Proxies all FTP traffic
    pass in log on $IF_LAN inet proto tcp from $IF_LAN:network to !$IF_LAN  \ port ftp flags S/SAFR modulate state divert-to port 8021

    #NAT's the LAN traffic to WAN, which is re0, also alters the MTU to 1440 as this seems to work best
    match out on $IF_WAN from $IF_LAN:network nat-to ($IF_WAN:0) scrub (no-df max-mss 1492)

    #Allows Anything on the LAN to talk to the router
    pass in on $IF_LAN from $IF_LAN:network

    #Allows response to pings
    pass in inet proto icmp to $IF_WAN icmp-type { echoreq, unreach }

File: /etc/sysctl.conf   (enabling different system calls)
    net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
    net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
    net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)
    net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)

Once you've edited your config files, connect the BT Openreach modem to your WAN port and reboot, looking for errors during boot. Yes TalkTalk FTTC uses MPoA and the BT Openreach modem you get on a BT FTTC connection.
Check ifconfig for re0 to make sure its got an ip via dhcp.
Do pings to external IP's and hostnames to check connectivitiy and DNS resolution is working, maybe ever hook up  a machine to the LAN port and see if it can connect to the internet before connecting the rest of your network.

The re0 section of ifconfig will look like this, this can be checked with the command:
 ifconfig re0
    re0: flags=8843 mtu 1500
        lladdr 40:8d:5c:1c:16:26
        description: WAN
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet TALK.TALK.WAN.IP --> TALK.TALK.WAN.GW netmask 0xffffffff

No comments:

Post a Comment