I was in the same position about 18 months ago when I reached the 
conclusion that I didn't trust my RT-AC88U. I spent about a month 
teaching myself iptables before learning about OpenBSD and PF and never 
looked back. I have read and reread OpenBSD for Dummies and The Book of 
PF multiple times, and spent many an hour on the OpenBSD website as well 
as lurking on this mailing list filling in holes from outdated material.

I am using a mini PC from Qotom for my router and I took an old D-Link 
router, set it to AP mode, disabled the DHCP server and connected it to 
one NIC on its own subnet as guest wifi. All traffic not heading to the 
internet is blocked so guests never even see my network. {And thanks to 
queuing, which I finally figured out, they have no idea how fast my 
internet speed actually is :) } For the ASUS unit, like you I wasn't 
willing to give up the wifi speeds so I set it to AP mode, disabled the 
DHCP server, and am using dhcpd address reservation on the Router to 
assign it an address that I block in the firewall.

Any devices connected to it have their own IPs that pass through just 
fine, but traffic originating from the router itself gets nowhere. I did 
a factory reset and flashed the latest Merlin Firmware when I made this 
change and it has never been exposed to the internet since. Even if it 
does get compromised somehow I believe this should keep it from phoning 
home or otherwise causing meaningful harm.

The only "issue" is that I can't automatically update firmware. That 
seems to me the lesser of evils. I check fairly regularly for updates 
and can easily update it manually when required and I think this setup 
also makes running older firmware a bit less of a liability.

Good luck!

Judah
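A pf.conf sketch of the layout described above (ASUS in AP mode with a reserved address whose own traffic is dropped, guest wifi on a separate NIC that can only reach the internet, with a queue so guests cannot tell the real uplink speed). This is an added example, not a ruleset from either message; the interface names, the 10.10.0.0/24 guest subnet, the AP's reserved address 192.168.1.5 and the 100M/20M queue sizes are assumptions.

```pf
# Added example (not from the thread). Assumed names: em1 is the LAN where the
# ASUS sits in AP mode, em2 is the guest AP on its own subnet, egress is the WAN.
lan_if="em1"
guest_if="em2"
lan_net="192.168.1.0/24"
guest_net="10.10.0.0/24"
ap_addr="192.168.1.5"   # dhcpd fixed-address reserved for the ASUS itself
rfc1918="{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"

set block-policy drop
set skip on lo0

# Queue on the guest interface: traffic leaving towards guests is capped at 20M,
# so the guest wifi never reveals the real uplink speed.
queue rootq on $guest_if bandwidth 100M
queue guestq parent rootq bandwidth 20M max 20M default

match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $lan_if $guest_if }
block log all

# The AP may still renew its reserved lease, but everything else it originates
# (update checks, cloud services, telemetry) is dropped and logged to pflog0.
# Clients behind it use their own leases and are not affected.
pass in quick on $lan_if inet proto udp from $ap_addr port 68 to any port 67
block drop in quick log on $lan_if from $ap_addr to any

# Guest wifi: DHCP and DNS from the router, then internet only. Any RFC 1918
# destination, including the wired LAN and the router's LAN address, is refused.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port 53
block return in quick log on $guest_if from $guest_net to $rfc1918
pass in on $guest_if inet from $guest_net to any set queue guestq

# LAN clients (wired and those behind the ASUS) reach the router and the internet.
pass in on $lan_if inet from $lan_net to any
pass out quick inet keep state
```

Watching pflog0 with tcpdump for hits on the $ap_addr block rule is a cheap way to see what the AP tries to reach on its own.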



On 1/24/19 5:55 PM, John Page wrote:
> This is my first attempt at a router. Liberally borrowing from tutorials
> and reading Absolute OpenBSD, 2nd Edition and Building Linux and OpenBSD
> Firewalls, I decided on installing OpenBSD 6.4 on a PC Engines apu4. I
> had previously been using an Asus RT-86U as both my router and wireless
> access point. The apu4 can have wireless capability, but OpenBSD does
> not support 802.11ac while the Asus does. So I decided to connect the
> Asus to em3 of the apu4 so my wireless Windows 10 computers (both of
> which have .ac) and Android phones could connect to the Asus instead of
> the apu4 main router. Below is my stab at a network diagram (borrowed
> and adapted) and the contents of my configuration files (again, borrowed
> and adapted).
>
> My question is: OK, I understand that people more knowledgeable than I
> am say that commercially available consumer-grade routers are not
> secure. However, will I still have security risks associated with using
> the Asus router when it is behind the OpenBSD/apu4 router?
> Also, any suggestions or comments would be appreciated.
> Thanks
> John
>
> apu4 router (running OpenBSD 6.4 -stable)
>                                 ------------------------------→
>                                     the internal interface
> .-----------------.-----------.
> |                 |   em3     | -→ Asus router -→ Windows 10 and
> |   bridge0       | (no ip)   |    (RT-AC86U)     Android clients
> |                 '-----------'
> |                 |   em2     | static (fixed) via MAC address
> '--------------.  | (no ip)   | -→ 192.168.1.3 OpenBSD only
> |   vether0    |  '-----------'
> |    dhcpd     |  |   em1     | static (fixed) via MAC address
> | 192.168.1.1  |  | (no ip)   | -→ 192.168.1.2 OpenBSD only
> '-------^------'--'-----------'
>        |
>        v
>       em0
>      dhcp
>       ^
>       |
> Arris Surfboard SB8200
> Cable Modem DOCSIS 3.1
> (external interface)
>       |
>       v
>   .-,( ),-.
> -(         )-.
> (   Internet   )
> '-(       ).-'
>  '--.( ).'
>
> /etc/hostname.bridge0
> add vether0
> add em1
> add em2
> add em3
> blocknonip vether0
> blocknonip em1
> blocknonip em2
> blocknonip em3
> up
>
> /etc/hostname.vether0
> inet 192.168.1.1 255.255.255.0 192.168.1.255
>
> /etc/dhcpd.conf
> option domain-name-servers 192.168.1.1;
> subnet 192.168.1.0 netmask 255.255.255.0 {
>         option routers 192.168.1.1;
>         range 192.168.1.4 192.168.1.254;
>         host x1carbon {
>                 fixed-address 192.168.1.2;
>                 hardware ethernet xx:xx:xx:xx:xx:xx;
>         }
>         host optiplex790 {
>                 fixed-address 192.168.1.3;
>                 hardware ethernet xx:xx:xx:xx:xx:xx;
>         }
> }
>
> /var/unbound/etc/unbound.conf
> server:
>         interface: 192.168.1.1
>         interface: 127.0.0.1
>         do-ip6: no
>         access-control: 192.168.1.0/24 allow
>         do-not-query-localhost: no
>         hide-identity: yes
>         hide-version: yes
> forward-zone:
>         name: "."
>         forward-addr: 127.0.0.1@40
>
> /etc/rc.conf.local
> dhcpd_flags="vether0"
> unbound_flags=""
> pkg_scripts=dnscrypt_proxy   # enables the package rc script
> dnscrypt_proxy_flags="-l /dev/null -R dnscrypt.ca-1 -a 127.0.0.1:40"
> sndiod_flags=NO
> apmd_flags="-A"
>
> /etc/dhclient.conf
> ignore domain-name-servers
>
> /etc/fstab (this is the only change from the default)
> /dev/sd0a / ffs rw,noatime,softdep 1 1
>
> /etc/pf.conf
> int_if="{ vether0 em1 em2 em3 }"
> # bogon/unroutable sources and destinations
> broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
> 10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
> 198.51.100.0/24 203.0.113.0/24 \
> 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
> set block-policy drop
> set loginterface egress
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> antispoof quick for (egress)
> block in quick on egress from { $broken no-route urpf-failed } to any
> block in quick inet6 all
> block return out quick inet6 all
> # no plain DNS leaves the box; all lookups go through unbound -> dnscrypt-proxy
> block return out quick log on egress proto { tcp udp } from any to any port 53
> block return out quick log on egress from any to { no-route $broken }
> block in all
> pass out quick inet keep state
> pass in on $int_if inet
> # redirect any internal DNS query aimed elsewhere back to the local resolver
> pass in on $int_if inet proto { tcp udp } from any to ! 192.168.1.1 port 53 rdr-to 192.168.1.1
> pass in on egress inet proto tcp to (egress) port 222 rdr-to 192.168.1.2
> pass in on egress inet proto tcp from any to (egress) port 2222
