Replace your KPN Experia Box with an OpenBSD gateway

Introduction

So you just got connected via Tweak, XMS, plinq or KPN to the local Fiber To The Home network. A friendly KPN engineer stopped by and installed this butt-ugly "modem" in your closet and left after finishing his BitTorrent downloads. Yay, internet. Boo, "KPN Experia Box". WTF!? An Experia Box? No way I'm letting KPN control my network like that. Their NAT sucks (it rewrites the randomly chosen source ports of my outgoing traffic to predictable ones), it does DHCP for a network that I don't use at home and, worst of all, it is under the control of KPN. They can log in remotely and upgrade firmware (hello, Big Brother) or change the configuration whenever they want. No way I'm going to let them do that. I went to Tweak for a reason - I don't want KPN and their crap in my network.

Of course this means that I'll have to find another solution. Luckily, I've dealt with this sort of nonsense before. I will replace the KPN Experia Box with a small, low-power, quiet OpenBSD box. Below you'll find instructions to do what I did. If you want to use another open source operating system such as FreeBSD, NetBSD or Linux (or maybe some other device such as a Juniper Netscreen or whatever else you may have), the below may not apply 100%, but should get you going in the right direction.

Experia Box

Let's see, what exactly does this piece of crap do?

Most of these are quite easy to do with your own setup, so let's get crackin'.

Replacement hardware

I'll be replacing the Experia Box with a Liantec LPC-5740E1N4-512 machine. This machine contains a 1GHz VIA Eden processor with the VIA PadLock encryption engine extension, 4 Intel Gigabit Ethernet ports, 512MB of memory (expandable to 1.5GB), an onboard Compact Flash slot (to boot from) and a SATA port. For those interested, the dmesg is available here.

Connect to the internet

Turns out, the fiber carries three VLANs (802.1Q):

So we configure a vlan(4) interface on our OpenBSD machine by creating /etc/hostname.vlan6:

vlan 6 vlandev em2
description "internet"

Since we're dealing with KPN (even though I'm a Tweak customer), of course it would be too easy to simply have a plain vlan with ethernet frames coming in and going out to carry your internet traffic. No, it's a lot more convenient to have a layer of PPPoE on top of the vlan for the actual IP connectivity. This is great, because it means you'll never be able to get native IPv6 (remember, this is KPN, the old Dutch telecom monopoly - and as we all know, telcos are afraid of IP, barely know how to spell it so anything more fancy will make them cry).

Fine then, PPPoE is supported just fine in OpenBSD, either via the userland pppoe(8) program or with the in-kernel pppoe(4) driver. I opted for the in-kernel solution and created another config file, /etc/hostname.pppoe0:

inet 0.0.0.0 255.255.255.255 NONE
pppoedev vlan6
authproto pap
authname 'MY VERY SECRET USERNAME'
authkey 'MY VERY SECRET PASSWORD'
up
dest 0.0.0.1
description "Tweak"
!/sbin/route add default -ifp pppoe0 0.0.0.1
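
Because /etc/hostname.pppoe0 stores the PAP username and password in cleartext and hostname.if(5) files can carry "!" command lines, file permissions on these files matter. The check below is an added example, not part of the original page; the function name audit_hostname_files and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit hostname.if(5) files.
# audit_hostname_files is a hypothetical helper name.
# Usage: audit_hostname_files /etc   (returns 0 when clean, 1 on findings)

audit_hostname_files() {
    dir=${1:-/etc}
    findings=0
    for f in "$dir"/hostname.*; do
        [ -f "$f" ] || continue
        # Mode string from ls -ld, e.g. "-rw-r-----":
        # char 6 = group write, char 8 = other read, char 9 = other write.
        mode=$(ls -ld "$f" | cut -c1-10)

        # Any hostname.if file may contain "!command" lines (like the
        # "!/sbin/route add default ..." line above) that are executed at
        # network start-up, so write access for non-owners is a finding.
        case $mode in
            ?????w????|????????w?)
                echo "INSECURE $f mode=$mode: writable by group or others"
                findings=$((findings + 1)) ;;
        esac

        # Files with PPPoE credentials must not be readable by others.
        if grep -Eq '^[[:space:]]*(authname|authkey)[[:space:]]' "$f"; then
            case $mode in
                ???????r??)
                    echo "INSECURE $f mode=$mode: credentials world-readable"
                    findings=$((findings + 1)) ;;
            esac
        fi
    done
    [ "$findings" -eq 0 ]
}
```

A finding on hostname.pppoe0 is cleared with chmod 640 on the file.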

Watch television

The television signal is multicast over vlan 4. All you have to do is bridge that vlan to a network port where you plug in your set top box. As I have one cable to my media center switch (connecting my television, set top box, media player, etc) I've configured the port for the set top box on that switch in vlan 4 and made the following changes on the OpenBSD side:

vlan 4 vlandev em2
description "TV up"
group tv
up
group lan
description "to media"
vlan 4 vlandev em1
description "TV down"
group tv
add vlan4
add vlan40
up
description "TV bridge"

One final change that is required applies to pf(4). Since pf by default blocks IP packets that have IP options set, you'll have to allow these explicitly in your pf configuration. With the group 'tv' set up as in the above examples, you need to add the following to your pf.conf(5):

pass on tv inet from any to any allow-opts

© 2010, 2011 Paul 'WEiRD' de Weerd