This is my first attempt at a router. Liberally borrowing from tutorials
and reading Absolute OpenBSD, 2nd Edition and Building Linux and OpenBSD
Firewalls, I decided on installing OpenBSD 6.4 on a PC Engines apu4. I
had previously been using an Asus RT-86U as both my router and wireless
access point. The apu4 can have wireless capability, but OpenBSD does
not support 802.11ac while the Asus does. So I decided to connect the
Asus to em3 of the apu4 so my wireless Windows 10 computers (both of
which have .ac) and Android phones could connect to the Asus instead of
the apu4 main router. Below is my stab at a network diagram (borrowed
and adapted) and the contents of my configuration files (again, borrowed
and adapted).
My question is: OK, I understand that people more knowledgeable than I
am say that commercially available consumer-grade routers are not
secure. However, will I still have security risks associated with using
the Asus router when it is behind the OpenBSD/apu4 router?
Also, any suggestions or comments would be appreciated.
Thanks
John
apu4 router (running OpenBSD 6.4 -stable)
  ------------------------------→ the internal interface

.-----------------.-----------.
|                 |    em3    |  -→ Asus router      -→ Windows 10 and
|     bridge0     |  (no ip)  |     (RT-AC86U)          Android clients
|                 '-----------'
|                 |    em2    |  static (fixed) via MAC address
'--------------.  |  (no ip)  |  -→ 192.168.1.3  OpenBSD only
|   vether0    |  '-----------'
|   dhcpd      |  |    em1    |  static (fixed) via MAC address
| 192.168.1.1  |  |  (no ip)  |  -→ 192.168.1.2  OpenBSD only
'-------^------'--'-----------'
        |
        v
       em0
       dhcp
        ^
        |
Arris Surfboard SB8200
Cable Modem DOCSIS 3.1
(external interface)
        |
        v
    .-,(  ),-.
 -(          )-.
(   Internet    )
 '-(        ).-'
    '--.( ).'
_/etc/hostname.bridge0_
add vether0
add em1
add em2
add em3
blocknonip vether0
blocknonip em1
blocknonip em2
blocknonip em3
up
_/etc/hostname.vether0_
inet 192.168.1.1 255.255.255.0 192.168.1.255
_/etc/dhcpd.conf_
# the option name is domain-name-servers (singular "name"); dhcpd does not know "domain-names-servers"
option domain-name-servers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.4 192.168.1.254;
    # fixed leases for the two OpenBSD hosts on em1/em2, keyed on MAC address
    host x1carbon {
        fixed-address 192.168.1.2;
        hardware ethernet xx:xx:xx:xx:xx:xx;
    }
    host optiplex790 {
        fixed-address 192.168.1.3;
        hardware ethernet xx:xx:xx:xx:xx:xx;
    }
}
_/var/unbound/etc/unbound.conf_
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    do-ip6: no
    access-control: 192.168.1.0/24 allow
    # required because the forwarder below is dnscrypt-proxy on 127.0.0.1:40
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
_/etc/rc.conf.local_
dhcpd_flags="vether0"
unbound_flags=""
# package daemons started at boot (this is the line "rcctl enable dnscrypt_proxy" writes)
pkg_scripts=dnscrypt_proxy
# listen on 127.0.0.1:40 for unbound, log to /dev/null, use the dnscrypt.ca-1 resolver
dnscrypt_proxy_flags="-l /dev/null -R dnscrypt.ca-1 -a 127.0.0.1:40"
sndiod_flags=NO
apmd_flags="-A"
_/etc/dhclient.conf_
ignore domain-name-servers
_/etc/fstab_ (this is the only change from the default)
/dev/sd0a / ffs rw,noatime,softdep 1 1
_/etc/pf.conf_
int_if="{ vether0 em1 em2 em3 }"
# Addresses that should never be seen on the WAN side. Keep the members
# separated by whitespace only: pf also treats a comma as a list separator,
# so a comma typed in place of a dot changes which prefix gets blocked.
# Check the expansion with: pfctl -nvf /etc/pf.conf
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
        10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
        198.51.100.0/24 203.0.113.0/24 \
        0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for (egress)
block in quick on egress from { $broken no-route urpf-failed } to any
block in quick inet6 all
block return out quick inet6 all
# no plain DNS leaves the router: all resolution goes through unbound -> dnscrypt-proxy
block return out quick log on egress proto { tcp udp } from any to any port 53
block return out quick log on egress from any to { no-route $broken }
block in all
pass out quick inet keep state
pass in on $int_if inet
# LAN clients that try another resolver are redirected to the local unbound
pass in on $int_if inet proto { tcp udp } from any to ! 192.168.1.1 port 53 rdr-to 192.168.1.1
# rdr-to without a port keeps the destination port: outside TCP 222 -> 192.168.1.2:222
pass in on egress inet proto tcp to (egress) port 222 rdr-to 192.168.1.2
pass in on egress inet proto tcp from any to (egress) port 2222
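A bogon macro like the "broken" list in this pf.conf is easy to get wrong in a way pf will not reject: pf accepts a comma as well as whitespace between list members, and pfctl hands a plain dotted quad to inet_net_pton(3), which pads missing octets and infers a classful prefix length when none is given. A comma typed in place of a dot therefore loads cleanly and blocks a different prefix. The linter below is an added example, not code from the post or from OpenBSD: it re-reads the macro as it was originally typed (with the stray commas), shows what pf would install, and compares that with the intended RFC 1918/5737/3927 list. The classful inference in pf_loose_parse is a best-effort mirror of inet_net_pton(3) and is an assumption; `pfctl -nvf /etc/pf.conf`, which prints every rule as actually parsed, remains the authoritative check.

```python
"""Lint a hand-written pf address macro before loading it with pfctl.

Added example, not part of the original post. The constants below are the
post's macro as originally typed and what it was meant to say.
"""
import ipaddress

# Constructed input: the "broken" macro as first typed, continuations joined.
ORIGINAL_BROKEN = (
    "224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 "
    "10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 "
    "198.51.100.0/25, 203.0,113.0/24, "
    "169.254,0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
)
# What it was meant to contain: RFC 1918, RFC 5737 test nets, RFC 3927
# link-local, "this" network, class E, limited broadcast, loopback, IGMPv3.
INTENDED_BROKEN = (
    "224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 "
    "10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 "
    "0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
)


def pf_loose_parse(member):
    """Approximate how pfctl turns one list member into an IPv4 network.

    Assumption: mirrors inet_net_pton(3). Missing octets are padded with
    zeros; without a prefix length a classful one is inferred and widened so
    that every supplied octet is covered.
    """
    addr, _, prefix = member.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"{member!r} is not a dotted quad")
    if prefix:
        bits = int(prefix) if prefix.isdigit() else -1
        if not 0 <= bits <= 32:
            raise ValueError(f"{member!r} has a bad prefix length")
    else:
        first = int(octets[0])
        bits = next(b for lo, b in ((240, 32), (224, 8), (192, 24), (128, 16), (0, 8)) if first >= lo)
        bits = max(bits, len(octets) * 8)  # widen to cover every supplied octet
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{bits}", strict=False)


def is_canonical(member):
    """True when the member is a full dotted quad with any prefix on a network boundary."""
    if member.count(".") != 3:
        return False
    try:
        ipaddress.ip_network(member, strict=True)
        return True
    except ValueError:
        return False


def lint(macro):
    """Return the networks pf would install plus the problems found on the way."""
    loaded, errors, overlaps = [], [], []
    for typed in macro.split():
        members = [m for m in typed.strip("{}").split(",") if m]
        if "," in typed:
            errors.append(f"{typed}: comma; pf reads it as {len(members)} member(s) {members}")
        for m in members:
            try:
                net = pf_loose_parse(m)
            except ValueError as err:
                errors.append(str(err))
                continue
            if not is_canonical(m):
                errors.append(f"{m}: abbreviated, pf would load it as {net}")
            if net in loaded:
                errors.append(f"{m}: duplicate of {net}")
                continue
            for other in loaded:
                if net.subnet_of(other) or other.subnet_of(net):
                    overlaps.append((net, other))  # informational, not an error
            loaded.append(net)
    return {"loaded": loaded, "errors": errors, "overlaps": overlaps}


def diff_against(loaded, intended):
    """Intended networks nothing loaded covers, and loaded networks nothing intended covers."""
    def covered(net, pool):
        return any(net.subnet_of(p) for p in pool)
    return ([n for n in intended if not covered(n, loaded)],
            [n for n in loaded if not covered(n, intended)])


def render(nets, name="broken"):
    """Emit a cleaned, whitespace-only macro ready for pf.conf."""
    return f'{name}="{" ".join(str(n) for n in nets)}"'


if __name__ == "__main__":
    report, good = lint(ORIGINAL_BROKEN), lint(INTENDED_BROKEN)
    for e in report["errors"]:
        print("error:", e)
    for net, other in report["overlaps"]:
        print("note:", net, "overlaps", other)
    missing, extra = diff_against(report["loaded"], good["loaded"])
    print("missing:", [str(n) for n in missing], "extra:", [str(n) for n in extra])
    print(render(good["loaded"]))
```

Run against the macro as originally typed, the script reports that 198.51.100.0/24 and 203.0.113.0/24 are not covered while 203.0.0.0/24 and 113.0.0.0/24 would be blocked instead, which is exactly the kind of mistake a clean `pfctl -nf` run does not surface; only the verbose `-nvf` output or a linter like this one does.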