OpenBSD Router on Sg105w

This post details my experience with OpenBSD 7.3 on a SOPHOS sg105w Rev.1 from November 2014 as a router and firewall.

Preparation

sg105w image

The default BIOS settings didn’t let me install OpenBSD without issues: the console was spammed with NMI port messages. The culprit is the BIOS CSM (Compatibility Support Module), which I disabled completely, configuring the whole system to boot via UEFI. I also enabled speed stepping and VMX/EPT.

I replaced the internal spinning disk with a 30 GB SanDisk SSD.

The installed WiFi module is not supported by OpenBSD so I used an Atheros AR9285 from an old laptop I had.

In general, keep an eye on the WiFi module: not every card is supported by OpenBSD, and not every supported card can run in Host-AP mode.

Installation

The install was easy and was performed with a VGA-connected screen and an attached keyboard. I did not use the disk encryption feature, as the box does not move and I didn’t want to enter a passphrase after every power outage. I deselected the x* sets and games during the install.

To be able to download software, I configured em1 with DHCP.

Serial Access

To configure the machine over a serial connection, I added the following to /etc/boot.conf:

stty com0 115200
set tty com0

and /etc/ttys has to be changed on line 6 to turn on the getty and use the correct speed:

console "/usr/libexec/getty std.115200" vt220   on  secure

To connect from my laptop I used the BSD 4.1 cu program: cu -l /dev/tty.usbserial-2120 -s 115200 --parity=none.

Fix hangs

The system was NOT running stably at first: every 10 s it noticeably hung. This was also observable with a simple ping to any host on the network.

To find the problem I installed htop (pkg_add htop). The hang was directly visible as a high CPU load, but no related process showed up until I enabled the display of kernel threads. The kernel thread drmwq had a high CPU load every time I observed the hang.

Quick googling revealed that the issue is caused by inteldrm when no monitor is attached. inteldrm is nice for wscons, but I was not using it, so I disabled it with the help of this reddit post:

echo "disable inteldrm" > /etc/bsd.re-config
chmod 0600 /etc/bsd.re-config
/usr/libexec/reorder_kernel
reboot

Disable defaults

Disable sound as there is no need for it (no speaker):

rcctl stop sndiod
rcctl disable sndiod

I leave smtpd enabled, as I may want to have the box notify me about issues later (e.g. S.M.A.R.T. reports).

Enable Low Power mode

The hardware is probably overkill for plain NAT and packet processing, so reducing energy consumption for environmental reasons seems worthwhile. -L selects the lowest performance profile; should I need more, I can switch to -H.

rcctl enable apmd
rcctl set apmd flags "-L"
rcctl start apmd

sysctl hw.cpuspeed now reports the reduced clock speed in MHz: 532

Bridge setup

To use the ports of the sg105w as a bridge while still having a LAN interface with an address, vether is used.

LAN interface /etc/hostname.vether0:

lladdr da:ed:be:ef:13:37
inet 192.168.0.1 255.255.255.0

The physical interfaces /etc/hostname.em0, /etc/hostname.em2 and /etc/hostname.em3 all have the following configuration:

media autoselect up

Last but not least the bridge /etc/hostname.bridge0:

add em0
add em2
add em3
add vether0
up

Start the network with sh /etc/netstart.

I tried to turn on tso for the interfaces, but the driver didn’t let me.

To allow communication across the bridge I had to add set skip on bridge0 to /etc/pf.conf and reload it with pfctl -f /etc/pf.conf.

To judge the performance of the bridge I tested with two computers connected directly first, and then connected via the bridge. I measured with iperf v2 (pkg_add iperf); the tests were performed multiple times and the best result was taken.

Reference:

peer1 -> peer2              10.03 sec   862 MBytes   721 Mbits/sec

With 532 MHz mode (apmd -L):

peer1 -> sg105w             10.04 sec   206 MBytes   172 Mbits/sec
peer2 -> sg105w             10.1 sec    221 MBytes   184 Mbits/sec
peer1 -> sg105w -> peer2    10.04 sec   284 MBytes   237 Mbits/sec

With apmd disabled / apmd -H:

peer1 -> sg105w             10.1 sec    552 MBytes   459 Mbits/sec
peer2 -> sg105w             10.1 sec    512 MBytes   426 Mbits/sec
peer1 -> sg105w -> peer2    10.02 sec   737 MBytes   617 Mbits/sec

Based on these numbers you may decide not to use apmd to regulate the CPU speed. I had no equipment to measure the actual power consumption, so I can’t judge whether the savings are worthwhile.

On Hardware Offloading

The information in man em and the ifconfig output suggests that hardware checksum offloading is available for the device (TCP segmentation offload, TSO, is a separate feature from checksum offloading). Enabling TSO with ifconfig em0 tso, however, did not work:

# ifconfig em0 tso
ifconfig: SIOCSIFXFLAGS: Not supported

WiFi

The wireless network provided by athn0 was easy to set up once the athn-based card was installed. Edit /etc/hostname.athn0 and add something like:

media autoselect mode 11n mediaopt hostap chan 1
nwid AccessPointName wpakey VeryLongPassword
up

and bring up the interface. Notice that I did not add an inet address: I add the interface to the bridge with ifconfig bridge0 add athn0. To make the WiFi part of the bridge persistently, I added the interface to the list in /etc/hostname.bridge0. More on bridging the WiFi with the LAN in the router section below.

The driver doesn’t have any offloads, and the WiFi performance was not that great, even with the device right next to the two antennas (70 cm distance). Measurement:

phone -> sg105w 			36.6 sec  97.8 MBytes  22.4 Mbits/sec

Measured in performance mode, i.e. with apmd disabled.

Router

The router was configured roughly following the router guide. Since I bridged the WiFi instead of using a separate network, the configuration is a bit simpler.

This is not a recommended setup: unless you are working with Apple equipment that prefers to be on the same network, you should lay out the network as suggested in the router guide.

You might have noticed that I did not configure em1 beyond the basic setup. This is the WAN interface according to the labelling on the device, so a simple /etc/hostname.em1 is enough:

dhcp autoconf

Luckily my ISP provides plain Ethernet, so I don’t have to deal with PPP connections.

DHCP

Configure the DHCP server via /etc/dhcpd.conf:

subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        range 192.168.0.100 192.168.0.254;
}

Enable the DHCP server and bind it to the LAN interface:

# rcctl enable dhcpd
# rcctl set dhcpd flags vether0

DNS

Configure unbound, which is part of the base install: adapt /var/unbound/etc/unbound.conf and add the following to the server section:

server:
	# ...
	interface: 192.168.0.1
	access-control: 192.168.0.0/24 allow   # the LAN behind vether0
	prefetch: yes
	do-not-query-localhost: no
	# ...

and for the forward-zone use:

forward-zone:
	name: "."
	forward-addr: 8.8.8.8 # or the address of your ISP

Enable and start unbound:

# rcctl enable unbound
# rcctl start unbound

PF

Simply put the following in /etc/pf.conf:

wired = "vether0"
egress = "em1"   # unused below: the rules refer to the "egress" interface group instead

set skip on lo
set skip on bridge0

# Reserved and non-routable address space that must never show up on the WAN side
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

set block-policy drop
set loginterface egress

# NAT everything leaving the WAN interface to its primary address
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $wired }

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all

pass out quick inet
pass in on { $wired } inet

The firewall config is simple and only provides Internet access for the LAN. My measurements show that the overhead of the firewall (pf) is about 12% compared to the previously measured line speed.

peer -> sg105w -> wan-peer 10.06 sec   651 MBytes   543 Mbits/sec
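
As an added example (not part of the original post, and not OpenBSD's or pf's own code), the following POSIX sh script mirrors the <martians> table from the pf.conf above and reports whether a packet with a given source address arriving on the WAN side would be dropped by the rule block in quick on egress from <martians> to any. It also prints the canonical network address of a block, which shows why an unbound access-control entry written as 192.168.0.1/24 effectively means 192.168.0.0/24. The address list is copied from the pf.conf; the sample source addresses at the bottom are constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: checks addresses against the
# <martians> table of the pf.conf above, using only POSIX sh arithmetic.

# Copied from the <martians> table in /etc/pf.conf.
MARTIANS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24"

# Dotted quad -> 32-bit integer (192.168.0.1 -> 3232235521).
ip2int() {
    _a=${1%%.*}; _r=${1#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Netmask for a prefix length, e.g. 24 -> 0xFFFFFF00.
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Canonical form of a block with the host bits cleared,
# e.g. 192.168.0.1/24 -> 192.168.0.0/24 (what a /24 access-control entry covers).
canon_block() {
    _net=$(ip2int "${1%/*}")
    _mask=$(prefix_mask "${1#*/}")
    printf '%s/%s\n' "$(int2ip $(( _net & _mask )))" "${1#*/}"
}

# True (exit 0) if address $1 lies inside block $2 (a.b.c.d/n).
in_block() {
    _addr=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _mask=$(prefix_mask "${2#*/}")
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# True if address $1 matches any entry of <martians>, i.e.
#   block in quick on egress from <martians> to any
# drops a packet arriving on the WAN interface with that source address.
is_martian() {
    for _block in $MARTIANS; do
        if in_block "$1" "$_block"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample source addresses: a public resolver, the LAN's own range
# as it would look when spoofed from outside, RFC 1918 space, documentation
# space and CGNAT space (100.64.0.0/10, which the table does not list).
for _src in 8.8.8.8 192.168.0.50 10.1.2.3 203.0.113.9 100.64.0.1; do
    if is_martian "$_src"; then
        echo "$_src: in <martians>, dropped on egress"
    else
        echo "$_src: not in <martians>, evaluated by the remaining rules"
    fi
done
echo "unbound access-control 192.168.0.1/24 covers $(canon_block 192.168.0.1/24)"
```

The loop makes the defensive purpose of the table visible: a packet from the WAN claiming a 192.168.0.x source (the LAN's own range) is dropped before antispoof or the pass rules are consulted, while the CGNAT range 100.64.0.0/10 is not in this list and would fall through to the remaining rules.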

TL; DR

The OpenBSD project provides all you need for a simple router, and the included software has good documentation. Not everything was easy, and some of the problems I could only resolve with help from the Internet, e.g. the CSM issue or the bug with the i915 drm.

The performance of OpenBSD is decent on this old hardware, at about half the line speed. If you have a 1 Gbit/s link, the router is simply not able to handle the load with this software/hardware mix. That might also be related to the missing TSO. In addition, OpenBSD has no support for the internal switch, and the performance of the bridge is not line speed either.

OpenBSD is not only about speed; security and correctness play an important role. If speed is a concern, you may have to spend more on the hardware you use.