
Using OpenBSD with VDSL


Introduction

This document describes the modifications needed to a normal DSL firewall setup in order to use VDSL
and IPTV (T-Home Entertain) as offered by Deutsche Telekom.

The main differences to a normal DSL setup are:

Please make sure that your WAN Ethernet card is capable of acting as a VLAN parent. Not all interfaces may work.
At the time of writing I am using OpenBSD 4.2 -current because the vr(4) driver needed for my ALIX board seems
to have gained proper VLAN support only after OpenBSD 4.2 -stable.

It's not mandatory, but you should consider getting network equipment capable of IGMP snooping.
Otherwise you might slow down your LAN or W-LAN with multicast traffic.

Setting up PPPoE over VLAN

Let's start with the easy part, PPPoE via VLAN. In short you just have to create
a VLAN interface that listens for tagged packets on VLAN ID 7 and make it your PPPoE parent interface.
Assuming your PPPoE interface is vr1, use your favourite editor to create

/etc/hostname.vlan7

and put in the following

vlan 7 vlandev vr1 up

You could also call your VLAN interface vlan0 instead of vlan7, but as we have to use VLAN ID 7, I vote for vlan7.

Then configure the PPPoE pseudo device.
A VDSL login is constructed the same way as T-DSL:

Anschlusskennung (access ID): 11111111111
T-Onlinenummer (T-Online number): 222222222222
Mitbenutzer (sub-user suffix): 0001
Passwort (password): 12345678

So your

/etc/hostname.pppoe0

should look something like this. Note that pppoedev is vlan7.

inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev vlan7 authproto pap \
        authname 1111111111112222222222220001@t-online.de authkey 12345678 \
        up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

Remember to chmod 600 /etc/hostname.pppoe0 as it contains sensitive data (your login credentials).

Add multicast_router=YES to /etc/rc.conf.local.

I am using the following modification to /etc/sysctl.conf:

net.inet.tcp.mssdflt=1452
net.inet.tcp.recvspace=131072
net.inet.tcp.sendspace=131072
net.inet.udp.recvspace=139264
net.inet.udp.sendspace=32768
net.inet.ip.mforwarding=1

Multicast forwarding is mandatory for IPTV; the rest of the values have proven to speed up my connection.
Use them at your own risk; depending on your hardware, things may get broken.
I am able to obtain full VDSL 50 speed with these, though.

That's all for the data connection.
You can either reboot now to activate the changes or, if you're the non-rebooting type,
just ifconfig it up by hand. Be careful with your login data!
If you mistype the password 9 times, T-Home will lock you out for 24 hours.

Choose some T-Home DNS servers from here and put them in your /etc/resolv.conf or set up your own caching nameserver.
You should now be able to

# ping www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
64 bytes from 193.99.144.85: icmp_seq=0 ttl=250 time=23.687 ms
64 bytes from 193.99.144.85: icmp_seq=1 ttl=250 time=23.370 ms

Installing / configuring IGMP Proxy and special pf rules

Check out or untar a recent OpenBSD ports tree (general info on handling ports can be found here).
igmpproxy has been part of the official OpenBSD ports since 2008-02-09.

# cd /usr/ports/net/igmpproxy
# make
# make install

Then create /etc/igmpproxy.conf. My LAN interface is vr0, my WAN interface vr1 and I also have an unused spare interface vr2.
For safety reasons, we disable every interface not involved in IGMP/Multicast.
So I use the following configuration:

quickleave
phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 217.0.119.0/24
altnet 193.158.35.0/24
altnet 239.35.0.0/16
phyint vr0 downstream ratelimit 0 threshold 1
phyint vr1 disabled
phyint vr2 disabled

The altnet nets are the T-Home multicast networks we need. Now we can start igmpproxy using

# /usr/local/bin/igmpproxy

To see what it's doing you may want to start it with

# /usr/local/bin/igmpproxy -d

at first.

Nearly finished now; we just need a few extra pf rules to allow multicast/IGMP traffic.
Add a variation of the following to your setup. You can always tighten the ruleset;
these are just to get you started. They do not reflect my actual ruleset.
You need allow-opts on the IGMP rules; keep state has been omitted as it is the default now.

scrub on $LANINT
scrub on $WANINT random-id max-mss 1452 reassemble tcp fragment reassemble
[...]
pass in on $WANINT inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $WANINT inet proto udp  to 224.0.0.0/4
[...]
pass out on $WANINT inet proto igmp from $WANIP to 224.0.0.0/4 allow-opts
[...]
pass in on $LANINT inet proto igmp from $SETTOPBOX to 224.0.0.0/4 allow-opts
pass in on $LANINT inet proto udp  from $SETTOPBOX
pass in on $LANINT inet proto tcp  from $SETTOPBOX
[...]
pass out on $LANINT inet proto igmp from $LANIP to 224.0.0.0/4 allow-opts
pass out on $LANINT inet proto udp to 224.0.0.0/4
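
As an added example (not code from the original page), here is a small Python script that parses an igmpproxy.conf laid out like the one above, reports interfaces the configuration leaves undeclared (the page's advice is to disable every uninvolved one explicitly), and derives a tightened version of the WAN multicast UDP rule that only accepts streams from the upstream altnet sources. The sample configuration, the interface list and the split of altnets into sources versus groups are this example's own assumptions.

```python
"""Parse an igmpproxy.conf like the one above and derive a tightened pf rule.
Added example, not from the original page; SAMPLE_CONF below is constructed."""
import ipaddress
MCAST = ipaddress.ip_network("224.0.0.0/4")

SAMPLE_CONF = """\
quickleave
phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 217.0.119.0/24
altnet 193.158.35.0/24
altnet 239.35.0.0/16
phyint vr0 downstream ratelimit 0 threshold 1
phyint vr1 disabled
phyint vr2 disabled
"""

def parse_conf(text):
    """Return {'phyint': {name: role}, 'altnet': {name: [networks]}}.
    An altnet line belongs to the most recent phyint, as in igmpproxy.conf."""
    phyint, altnet, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not tok:
            continue
        if tok[0] == "phyint":
            current = tok[1]
            phyint[current] = tok[2]            # upstream / downstream / disabled
            altnet.setdefault(current, [])
        elif tok[0] == "altnet" and current is not None:
            altnet[current].append(ipaddress.ip_network(tok[1], strict=True))
    return {"phyint": phyint, "altnet": altnet}

def undeclared(cfg, system_ifaces):
    """Interfaces present on the box that the config does not mention at all."""
    return sorted(set(system_ifaces) - set(cfg["phyint"]))

def wan_udp_rule(cfg, wanint="$WANINT"):
    """Tighten 'pass in on $WANINT inet proto udp to 224.0.0.0/4' to the upstream
    altnets: altnets inside 224.0.0.0/4 are taken as the group range, the others
    as the only permitted sources (an assumption of this example)."""
    ups = [n for n, role in cfg["phyint"].items() if role == "upstream"]
    if len(ups) != 1:
        raise ValueError("expected exactly one upstream phyint, got %r" % ups)
    nets = cfg["altnet"][ups[0]]
    groups = [str(n) for n in nets if n.subnet_of(MCAST)] or [str(MCAST)]
    sources = [str(n) for n in nets if not n.subnet_of(MCAST)]
    src = " from { %s }" % ", ".join(sources) if sources else ""
    return "pass in on %s inet proto udp%s to { %s }" % (wanint, src, ", ".join(groups))
```

The IGMP rules are deliberately left as on the page, since membership queries arrive from the upstream router rather than from the altnet sources.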

Enjoy!

If you have any suggestions, found mistakes or whatever, contact me.
lists (at) underscore.de

Cheers,
Tobias

last modified 12 February 2008