My home internet connection recently got an upgrade to 1 Gbit symmetric fiber to the home.
I had been using a Cisco 1812 as my router; however, that will not handle gigabit.
The next logical step was to get another Cisco, so I got a second-hand 1941, only to find out it tops out in NAT mode at around 350 Mbit. Ouch.
So where to now?
I took a look at some offerings from other vendors.
They either can't handle 1 Gbit in NAT mode or sound like a jet engine. Given this is for my home, the noise needs to be taken into consideration. Power usage is also a concern, but noise more so.

I had also been using an older Sun Sparc Netra X1 as my SSH and OpenVPN gateway running OpenBSD.
It would be nice to combine the two, so I decided to build my own router.
I also wanted to have a nice way to see some vital stats, so I built a little LCD to display some information.

You can find an updated rack image here.

The main goals for this project are:

  • Open source
  • Off the shelf hardware
  • 1 Gbit synchronous NAT throughput
  • Simple LCD hardware to display stats
  • Act as my SSH and OpenVPN gateway

Hardware

Software

  • OpenBSD (at the time of this post version 5.9)
  • PF
  • OpenVPN
  • My collection of scripts/tools

OpenBSD

I did nothing special for the install of OpenBSD aside from using bioctl to RAID1 the two SSDs.

PF

My PF config is quite simple, following the PF FAQ.

OpenVPN

Certificate based authentication. Works with Linux/BSD and Android clients.

Custom tools/scripts

  • IPv6 Hurricane Electric updater. This simple script checks if my WAN IP has changed. If it has changed since the last check, the script will update the HE IP endpoint and update the local IPv6 tunnel. It depends on two things:
      • A crontab entry to run the script at set intervals
      • A line in /etc/rc.local to save the current WAN IP after boot

  • OpenBSD Errata Checker. Another simple shell script that checks the OpenBSD Errata page and compiles a list of saved patches on disk. This then emails out if there is a difference. Depends on a custom file structure under /root and a crontab job.
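
The core comparison behind an errata checker like the one described above, as an added example (this is not the script from this post). It assumes patch links on the errata page end in NNN_name.patch.sig and that saved patches sit in one flat directory; the function names and the sample page are constructed for illustration.

```shell
#!/bin/sh
# Added example: report errata patches that are published but not saved on disk.
# Assumptions (not from the original post): patch file names look like
# NNN_name.patch.sig, and saved patches live in a single flat directory.

# Print every patch file name referenced in an errata HTML file, one per line.
errata_patches() {
    grep -Eo '[0-9]{3}_[A-Za-z0-9_]+\.patch\.sig' "$1" | sort -u
}

# Print the patch names found in the HTML file ($1) that are absent from
# the directory of saved patches ($2).
missing_patches() {
    html=$1
    dir=$2
    errata_patches "$html" | while IFS= read -r p; do
        [ -e "$dir/$p" ] || printf '%s\n' "$p"
    done
}

# Run the check against a constructed errata page and a constructed patch
# directory, so the example works offline.
demo_report() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/saved"
    # Constructed sample input, not a copy of the real errata page.
    cat > "$tmp/errata.html" <<'EOF'
<li><a href="patches/common/001_alpha.patch.sig">001: SECURITY FIX</a>
<li><a href="patches/common/002_beta.patch.sig">002: RELIABILITY FIX</a>
<li><a href="patches/common/003_gamma.patch.sig">003: SECURITY FIX</a>
EOF
    : > "$tmp/saved/001_alpha.patch.sig"   # only patch 001 is saved locally
    missing_patches "$tmp/errata.html" "$tmp/saved"
    rm -rf "$tmp"
}

# A cron job would fetch the real page first and mail the output only when
# it is non-empty; here the report for the sample data is just printed.
demo_report
```

An empty report means every published patch is already on disk, so a cron wrapper only needs to send mail when the output is non-empty.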