Using OpenBSD with VDSL


This document describes the modifications needed to a normal DSL firewall setup in order to use VDSL
and IPTV (T-Home Entertain) as offered by Deutsche Telekom.

The main differences to a normal DSL setup are:

Please make sure that your WAN Ethernet card is capable of acting as a VLAN parent. Not all interfaces may work.
At the time of writing I am using OpenBSD 4.2 -current because the vr(4) driver needed for my ALIX board seems
to have gained proper VLAN support only after OpenBSD 4.2 -stable.

It's not mandatory, but you should consider getting network equipment capable of IGMP snooping.
Otherwise you might slow down your LAN or WLAN with multicast traffic.

Setting up PPPoE over VLAN

Let's start with the easy part, PPPoE via VLAN. In short you just have to create
a VLAN interface that listens for tagged packets on VLAN ID 7 and make it your PPPoE parent interface.
Assuming your PPPoE interface is vr1, use your favourite editor to create


and put in the following

vlan 7 vlandev vr1 up

You could also call your VLAN interface vlan0 instead of vlan7, but as we have to use VLAN ID 7, I vote for vlan7.

Then configure the PPPoE pseudo device.
A VDSL login is constructed the same way as T-DSL:

Anschlusskennung: 11111111111
T-Onlinenummer: 222222222222
Mitbenutzer: 0001
Passwort: 12345678

So your /etc/hostname.pppoe0 should look something like this. Note that pppoedev is vlan7.

inet NONE \
        pppoedev vlan7 authproto pap \
        authname 1111111111112222222222220001@t-online.de authkey 12345678 \
!/sbin/route add default -ifp pppoe0

Remember to chmod 600 /etc/hostname.pppoe0 as it contains sensitive data.

Add multicast_router=YES to /etc/rc.conf.local.

I am using the following modification to /etc/sysctl.conf

Multicast forwarding is mandatory for IPTV, the rest of the values have proven to speed up my connection.
Use them at your own risk, depending on your hardware things may get broken.
I am able to obtain full VDSL 50 speed with these, though.

That's all for the data connection.
You can either reboot now to activate the changes or, if you're the non-rebooting type,
just ifconfig it up by hand. Be careful with your login data!
If you mistype the password 9 times, T-Home will lock you out for 24 hours.

Choose some T-Home DNS servers from here and put them in your /etc/resolv.conf or set up your own caching nameserver.
You should now be able to

# ping www.heise.de
PING www.heise.de ( 56 data bytes
64 bytes from icmp_seq=0 ttl=250 time=23.687 ms
64 bytes from icmp_seq=1 ttl=250 time=23.370 ms

Installing / configuring IGMP Proxy and special pf rules

Check out or untar a recent OpenBSD ports tree (general information on handling ports can be found here).
igmpproxy is part of the official OpenBSD ports since 2008-02-09.

# cd /usr/ports/net/igmpproxy
# make
# make install

Then create /etc/igmpproxy.conf. My LAN interface is vr0, my WAN interface vr1 and I also have an unused spare interface vr2.
For safety reasons, we disable every interface not involved in IGMP/Multicast.
So I use the following configuration:

phyint pppoe0 upstream ratelimit 0 threshold 1
phyint vr0 downstream ratelimit 0 threshold 1
phyint vr1 disabled
phyint vr2 disabled

The altnet nets are the T-Home multicast networks we need. Now we can start igmpproxy using

# /usr/local/bin/igmpproxy

To see what it's doing you may want to start it with

# /usr/local/bin/igmpproxy -d

at first.

Nearly finished now; we just need a few extra pf rules to allow multicast/IGMP traffic.
Add a variation of the following to your setup. You can always tighten the ruleset;
these are just to get you started. They do not reflect my actual ruleset.
You need allow-opts on the IGMP rules; keep state has been omitted because it is the default now.

scrub on $LANINT
scrub on $WANINT random-id max-mss 1452 reassemble tcp fragment reassemble
pass in on $WANINT inet proto igmp to allow-opts
pass in on $WANINT inet proto udp  to
pass out on $WANINT inet proto igmp from $WANIP to allow-opts
pass in on $LANINT inet proto igmp from $SETTOPBOX to allow-opts
pass in on $LANINT inet proto udp  from $SETTOPBOX
pass in on $LANINT inet proto tcp  from $SETTOPBOX
pass out on $LANINT inet proto igmp from $LANIP to allow-opts
pass out on $LANINT inet proto udp to
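
As an added example (not part of the original page), this sh script audits three points made above: /etc/hostname.pppoe0 must not be readable by group or others, pppoedev must be a vlan interface, and every pf pass rule matching IGMP needs allow-opts. The function names and the sample files written by demo are constructed for illustration; on a live system, pass the real file paths to the functions.

```shell
#!/bin/sh
# Added example (not from the original page): audit the settings described above.
# Function names are hypothetical; the sample files in demo() are constructed.

# 0 if FILE has no group/other permission bits (e.g. mode 600), 1 otherwise.
cred_file_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the PPPoE session configured in FILE is bound to a vlan(4) interface.
pppoe_on_vlan() {
    grep -Eq 'pppoedev[[:space:]]+vlan[0-9]+' "$1"
}

# Print "line: rule" for every pass rule that matches IGMP without allow-opts.
# Handles comments, backslash continuations and "proto { igmp, udp }" lists.
igmp_rules_missing_allow_opts() {
    awk '
        { sub(/#.*/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { rule = buf $0; buf = "" }
        rule !~ /^[ \t]*pass[ \t]/ { next }
        rule ~ /proto[ \t]+(igmp|[{][^}]*igmp[^}]*[}])/ && rule !~ /allow-opts/ {
            printf "%d: %s\n", NR, rule
        }
    ' "$1"
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'inet NONE pppoedev vlan7 authproto pap authname x authkey y\n' > "$d/hostname.pppoe0"
    chmod 644 "$d/hostname.pppoe0"
    cat > "$d/pf.conf" <<'EOF'
pass in on $WANINT inet proto igmp allow-opts
pass in on $LANINT inet proto igmp from $SETTOPBOX   # IP options get dropped
pass out on $LANINT inet proto { igmp, udp } \
    from $LANIP
block in on $WANINT inet proto igmp
EOF
    cred_file_private "$d/hostname.pppoe0" || echo "credentials file is readable by others"
    pppoe_on_vlan "$d/hostname.pppoe0" || echo "pppoedev is not a vlan interface"
    igmp_rules_missing_allow_opts "$d/pf.conf"
    rm -rf "$d"
}
demo
```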

If you have any suggestions, found mistakes or whatever, contact me.
lists (at) underscore.de


last modified 12 February 2008