Cyber Security Expo
Networking and PPP with OpenBSD 3.4 by Dazzed on 18/04/04

This paper is a brief overview of setting up your OpenBSD system as a NAT server with firewalling capabilities using Packet Filter. I will also cover dialing into your ISP using PPP. After reading this paper you should be able to achieve the following:

  • Enable forwarding of IPv4 packets.
  • Setup and initialize Packet Filter and NAT.
  • Dial into your ISP via PPP.
  • Configure an interface with ifconfig.
  • Communicate with other computers via Ethernet.

Detecting the NIC

Ok, so you've probably just installed a fresh copy of OpenBSD, and you want to configure to communicate on a network. This can be achieved fairly easily. Firstly make sure OpenBSD has detected your NIC (Network Interface Card), you can confirm this via the dmesg command.

dmesg | less

OpenBSD assigns your NIC to a logical mapping called a device, remember unlike Linux (eth0, eth1) it is identified via that chipset (Realtek 8139 is rl0), If you have two NICS rl0 and rl1 and so on.

Once you know what you're looking for use the ifconfig command as the following:

ifconfig all (shows you all available devices)

ifconfig rl0 (shows your NIC configuration)

With ifconfig you can bring interfaces up and down, set media type (10BaseTX, 100BaseTX etc) and MTU which you may have to do if your using ADSL and numerous other configuration elements.

Configuring the NIC

So lets configure our NIC by assigning an IP, subnet mask, and bring it up.

ifconfig rl0 up

ifconfig rl0

rl0: flags=8843 mtu 1500
address: 00:05 :1c: 04:14:01
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::205:1cff:fe04:1401%rl0 prefixlen 64 scopeid 0x1
inet netmask 0xffff0000 broadcast

Now if we want this interface to be configured again after a reboot we need to make a file called hostname. where is your NIC, so hostname.rl0 would be used for the above configuration.

echo inet > /etc/hostname.rl0

Now when you reboot, that interface will automatically be configured and working, if no media is selected, auto-select will be the default. If you're using Ethernet MTU 1500 will be fine.
You may want to ping the system to make sure all is good.

Setting up NAT

Now it is configured you may want to use it as a NAT server, so you can share your PPP (Internet) connection with other systems on your network using non-routable IP's.
To do this we must enable routing of IPv4 packets on the OpenBSD system, and since that NAT rules are stored in /etc/pf.conf we need to enable PF (Packet Filter).

vi /etc/sysctl.conf

enable this line by removing the hash.

vi /etc/rc.local

And set pf=YES

After this reboot your system (shutdown r now). Now it's time to edit /etc/pf.conf and add our NAT rule:

nat on tun0 from to any -> tun0

That's a basic rule that will work, you can add variables to pf.conf but I will cover all that in another paper. Now tun0 is just a logical interface to your PPP connection, and since this if for a dial up connection to an ISP we most likely will be assigned a dynamic IP address, if you have a static IP however you can just use:

nat on from to any ->

Setting up PPP

Now lets setup our PPP connection to our ISP. We will use the already created /etc/ppp/ppp.conf.sample which has some nice examples of different scenarios you could use. This is only a basic PPP connection to an ISP using CHAP.


set log Phase Chat LCP IPCP CCP tun command
set device /dev/
set speed 115200

Everything under this default element will get loaded everytime, you will need to enter your serial port of which your modem is connected to, in this example cua00 is the first serial port on your motherboard thus cua01 would be the second. So:

set device /dev/cua00

set phone
set login
set authname
set authkey
set timeout 0
set ifaddr
add default HISADDR
enable dns

Strait forward here, enter in your dial up number of ISP, user name and password. The enable DNS option isn't always supported on the server side of things so you should have the DNS servers of your ISP, now these belong in /etc/resolv.conf so:

touch /etc/resolv.conf

then add the lines below.


now to dial up, we simply type:

ppp background ISP

or you can work in interactive mode, by typing ppp without quotes, then dial ISP you will know when your authenticated by the ppp prompt, ppp > Ppp > PPp > PPP.

Check your tun0 interface with ifconfig:

ifconfig tun0

You should have an IP and your next route. Now the pf.conf will have to be reloaded because as of now it has no idea that we have initiated a ppp connection to our ISP, before we connected tun0 was null. So we simply disable pf, force the pf.conf with our rules then enable it again.

pfctl d
pfctl f /etc/pf.conf
Pfctl e

Now if all went well you should be online and all your system providing you configured their default gateways and DNS will be able to communicate with the outside world via your OpenBSD system, this is also known as IP masquerading. The only system visible from the outside is the OpenBSD system. If reloading the rules bugs you about, it's probably easier to just make a script like:

ppp background ISP && pfctl d && pfctl f /etc/pf.conf && pfctl e

Or just add them to ppp.linkup and ppp.linkdown.

Any comments welcome, contact me:

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , All rights reserved. Comments are property of the respective posters.