« making patch cables
Superstruct »

OpenBSD firewall on Soekris 4501

Would you believe that a branch office of a certain unnamed organization hasn’t had a firewall (or even a router doing NAT) for close to a year? You could configure the printer from across the world and everything. That is, until the other day, when I got this little guy installed. Questions I had to answer in this project:

  1. Which soekris? Current needs are reasonably simple firewalling for a smaller office, so the 4501 answers nicely. Would consider 5501s for an office with more traffic / servers.
  2. What media? 2 GB CF cards are cheap as dirt now, I remember running OpenBSD on systems with smaller hard drives… the lower heat / power / footprint and higher reliability of CF is very attractive for this application, compared to a hard drive.
  3. What OS / distro? Initially, I’m going with what’s basically a default i386 OpenBSD installation. Commonly used for firewalls, and given the cheapness and reliability of CF these days, a generic setup should work for now. Once I’m comfortable with how things are running I’ll look into more options for minimizing writes, and possibly mounting some or all of the FSes ro. The most promising reference I’ve found so far is Michiel van Baak’s guide.
  4. What style of installation? Having serial access seems like a much better idea than just blindly booting CF cards, for troubleshooting purposes if nothing else. This also flows from the previous question, if I’d settled on a flashdist type approach, I’d be writing via a CF card. As it was, I got a keyspan USB-to-serial connector (drivers for OS X and linux!) & a null modem, and talked to the 4501 via screen /dev/cu.KeySerial1 19200 from my laptop. I then booted the Soekris from a convenient Debian server, with some helpful tips from here.

Stumbling blocks I ran into:

  • The whole TFTP booting situation was tricky due to a missing ‘next-server’ directive in my dhcpd conf file, which I fixed thanks to this.
  • After that, I got hung at 
    
boot> boot bsd.rd
booting tftp:bsd.rd: 4780308+874136 [52+178240+163973]=0x5b821c
entry point at 0x200120

    which was fixed by doing

    
boot> set tty com0
boot> stty com0 19200

    before booting bsd.rd (thanks to google’s cache of an mailing list discussion for that).

This entry was posted on Friday, October 10th, 2008 at 6:14 am and is filed under Tech Stuff with tag(s) , , . Both comments and pings are currently closed.

3 Responses to “OpenBSD firewall on Soekris 4501”

  1. Dave from Albury Says:
    November 17th, 2008 at 6:33 pm

    Hey Joe, I’m looking at doing something similar to this to replace my existing all in one adsl modem / router at home. My only concern is the ability of the 4501 to handle a bunch of traffic eg. bittorrent. Do you have any suggestions?

  2. joe Says:
    November 17th, 2008 at 7:37 pm

    http://doc.m0n0.ch/quickstartpc/hardware-selection.html has some sample throughput numbers for soekris and comparable hardware.

    Ours hasn’t really broken a sweat acting as a pretty simple bridge on a DSL connection, but I haven’t tried bittorent in particular.

  3. Dave from Albury Says:
    November 17th, 2008 at 8:12 pm

    Thanks Joe. I think I’ll go with the 4801 to give myself a little more headroom, that way I can look at adding extra services to the box down the track.