The setup below describes an older configuration. I have since moved to a Soekris 5501-70 with a 'regular' access point behind one of its Ethernet ports. The nameserver handed out over DHCP no longer uses the trick described below. Instead, I have configured pf to redirect all port 80 requests from non-authenticated clients to external IPs to the local webserver.

Yes, this allows users to use DNS-tunnelling techniques to circumvent the firewall. Those connections, however, will not originate from my IP address, which is what I intend to prevent with this solution.
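The redirect-for-unauthenticated-clients approach described above, written out as an added example of a pf.conf plus the per-user authpf rules file. This is not the author's own configuration: interface names, addresses and the wireless subnet are assumptions, and it uses the current pf syntax (match/rdr-to, OpenBSD 4.7 and later) rather than the syntax of the install the page describes.

```conf
# /etc/pf.conf  (added example, not the author's file; names and addresses assumed)
wifi   = "wi0"           # wireless NIC in the router
ext_if = "fxp0"          # upstream interface
portal = "192.168.2.1"   # router's address on $wifi; the local web server listens here

# authpf(8) adds each authenticated client's address to this table and loads
# that user's /etc/authpf/authpf.rules into the authpf/* anchor below.
table <authpf_users> persist

set skip on lo

# Captive-portal redirect: HTTP from a wireless client that is NOT yet
# authenticated and aimed at anything other than the router itself is
# rewritten to the local web server. Authenticated clients are excluded by
# the table, so their web traffic leaves normally.
match in on $wifi inet proto tcp from ! <authpf_users> to ! $portal port 80 \
        rdr-to $portal port 80

# Masquerade whatever is allowed out.
match out on $ext_if inet from $wifi:network nat-to ($ext_if)

block all
pass out                 # traffic the router itself originates (DNS forwarding, replies)

# Unauthenticated clients may only talk to the router: DHCP, DNS, the portal
# page (including the redirected requests above) and the ssh login whose
# shell is authpf.
pass in on $wifi inet proto udp from any port bootpc to any port bootps
pass in on $wifi inet proto { tcp udp } from $wifi:network to $portal port domain
pass in on $wifi inet proto tcp from $wifi:network to $portal port { ssh www }

# Per-user rules loaded by authpf are evaluated here and open the door.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules  (loaded by authpf at each login) ----
# authpf supplies $user_ip (the client's address); pf.conf macros are not
# visible here, so the interface macro is repeated.
# wifi = "wi0"
# pass in quick on $wifi from $user_ip to any
```

Two caveats a practitioner will want: only port 80 is caught, so a client whose first request is HTTPS sees a certificate error rather than the portal page; and membership in `<authpf_users>` is by IP address and lasts only as long as the ssh session to the gateway is open, so a client that logs out (or whose session drops) is redirected again on its next HTTP request.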


After my Dell TrueMobile Residential Gateway died a couple of weeks ago, I decided to go for the locally hosted approach, with a wireless NIC in my router. This particular Residential Gateway (RG) was giving me headaches anyway: it was only configurable through an obnoxious Windows Java program and had been performing quite badly over the last few months.

I disassembled the RG, which turned out to contain a small logic board with a Dell TrueMobile 1150 PCMCIA NIC on it. The NIC was the same as the one I already had; the only difference was the firmware revision. Fortunately, this NIC is supported by OpenBSD, where it is detected as:

	wi0 at pcmcia0 function 0 "Dell, TrueMobile 1150 Series PC Card, Version 01.01" port 0xa000/64
	wi0: Firmware 6.10 variant 1, address 00:02:2d:XX:XX:XX

Since my router does not have PCMCIA slots readily available, I went out and purchased a simple PCI to CardBus adapter from Conceptronic. This card is fully supported by OpenBSD, where it is detected as:

	cbb0 at pci0 dev 13 function 0 "Ricoh 5C475 CardBus" rev 0x80: irq 10
	cardslot0 at cbb0 slot 0 flags 0
	cardbus0 at cardslot0: bus 1 device 0 cacheline 0x0, lattimer 0x20
	pcmcia0 at cardslot0

Unfortunately, although this card is supported on OpenBSD/i386 (and possibly amd64 and other platforms), it is not supported on OpenBSD/alpha. So for now, I'll just use this card in an old i386 machine. Maybe I'll go out and buy a new AP, which I'll then put on a separate VLAN to my router (an Alpha), but until then this solution works well enough.

So now I have all the hardware I need:

After installing OpenBSD, I made the following changes to the default setup:

That's it. For every authorized user I create an authpf account, add their MAC address to /etc/dhcpd.conf (I left one in the example above) and off we go.
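What the dhcpd.conf side of that procedure looks like, as an added example (not the author's file): a wireless subnet that only leases to listed MAC addresses and hands out the router's own resolver. The subnet, addresses and the MAC address are constructed for illustration.

```conf
# /etc/dhcpd.conf  (added example; subnet, addresses and MAC are constructed)

# Hand out the router's own resolver, so that DNS from unauthenticated
# clients never leaves the box except through the router.
option domain-name-servers 192.168.2.1;

subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        range 192.168.2.100 192.168.2.199;
        # Only hosts declared below get a lease. A MAC address is trivially
        # spoofed, so this is a convenience filter, not the access control;
        # authpf is what actually opens the firewall for a client.
        deny unknown-clients;
}

# One entry per authorized user; the MAC is the one authpf's pf rules will
# later see as the client's source address after it has leased an IP.
host laptop {
        hardware ethernet 00:02:2d:01:02:03;
        fixed-address 192.168.2.10;
}
```

With `deny unknown-clients`, an unlisted card gets no lease at all; a client that configures a static address in the subnet by hand still only reaches the portal until it authenticates through authpf.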

This was very easy to configure (the hardest part was getting the exact Apache RewriteRule right, so that it always serves /index.html except when /openbsd_pb.gif is requested). My thanks (and support) go to the OpenBSD developers. I recommend everyone to use OpenBSD and to make a donation.
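One way to write that rewrite, as an added example (not the author's own rule): every request, whatever Host header or path the redirected client sent, is served the portal page, except the one image the page embeds. The conditions excluding /index.html itself are needed because mod_rewrite re-runs the rule set on the internal redirect and would otherwise loop.

```conf
# Apache mod_rewrite fragment for the portal vhost (added example; the
# portal page and image names are the ones the page mentions).
RewriteEngine On

# Leave the portal page and its image untouched; without the first
# condition the rule below rewrites /index.html to /index.html again on
# the internal redirect and Apache aborts with a rewrite loop.
RewriteCond %{REQUEST_URI} !^/index\.html$
RewriteCond %{REQUEST_URI} !^/openbsd_pb\.gif$

# Everything else becomes the portal page.
RewriteRule ^.*$ /index.html [L]
```

Because the pf redirect keeps the client's original Host header, this vhost must be the default one for the address pf redirects to, and the portal page should reference the image by absolute path (/openbsd_pb.gif) so that the second condition matches it.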
