My idea is to run the latest OpenBSD as a guest in FreeBSD using bhyve, and to pass a network interface to the OpenBSD guest using PCI pass through, so that the OpenBSD guest can serve as the firewall of the host FreeBSD system. I got this idea from reading the following thread. I have learned a lot from the handbook, the wiki and the article Intel Wifi Via Bhyve on FreeBSD, as well as from many other sources. Let us now proceed to the howto.
First, we identify the network interface that we would like to pass through to OpenBSD. In the following example, I use an Intel 82574L network interface. Identifying the interface:
Code:
# pciconf -lv
[...]
em1@pci0:5:0:0: class=0x020000 card=0x00000000 chip=0x10d38086 rev=0x00 hdr=0x00
vendor = 'Intel Corporation'
device = '82574L Gigabit Network Connection'
class = network
subclass = ethernet
[...]
Here I will use em1@pci0:5:0:0.
Now add the following lines to /boot/loader.conf.
Code:
vmm_load="YES"
nmdm_load="YES"
if_tap_load="YES"
if_bridge_load="YES"
pptdevs="5/0/0"
We need to reboot for PCI pass through to take effect. During boot, instead of attaching the em driver to the interface, we see the following:
Code:
pcib5: <ACPI PCI-PCI bridge> irq 19 at device 28.3 on pci0
pci5: <ACPI PCI bus> on pcib5
ppt0 port 0xb000-0xb01f mem 0xf7a00000-0xf7a1ffff,0xf7a20000-0xf7a23fff irq 19 at device 0.0 on pci5
Next, we need a working image of OpenBSD. Because of a current limitation of bhyve, we have to obtain it using other virtualization software. Moreover, as we are interested in using OpenBSD as a firewall, we only need to install the basic components of OpenBSD. See post #4 for how to install OpenBSD in bhyve.
Also, remember to check /etc/ttys in OpenBSD to allow a serial console. Otherwise, booting the OpenBSD image will get stuck at the TIME and DATE line.
After obtaining such an image, say, obsd56.img, I put it in /root/bhyve/openbsd. Also create the following two files:
Code:
1. /root/bhyve/openbsd/obsd56.map:
(hd0) /root/bhyve/openbsd/obsd56.img
2. /root/bhyve/openbsd/obsd56.in:
kopenbsd -h com0 -r sd0a (hd0,openbsd1)/bsd
boot
Now, install sysutils/grub2-bhyve and prepare the network interfaces (the bridge address is the host's side of the host/guest link, 192.168.1.1, matching the rc.conf settings below):
Code:
# ifconfig tap0 create
# sysctl net.link.tap.up_on_open=1
# ifconfig bridge0 create
# ifconfig bridge0 addm tap0 up
# ifconfig bridge0 inet 192.168.1.1 netmask 255.255.255.0
Run the following commands:
Code:
# grub-bhyve -m /root/bhyve/openbsd/obsd56.map -r hd0 \
> -M 256M obsd56 < /root/bhyve/openbsd/obsd56.in > /dev/null
# bhyve -m 256M -A -H -P -s 0:0,amd_hostbridge -s 1:0,lpc \
> -s 2:0,passthru,5/0/0 -s 3:0,virtio-net,tap0 \
> -s 4:0,virtio-blk,/root/bhyve/openbsd/obsd56.img \
> -l com1,stdio -W obsd56
You should be able to see OpenBSD booting. Log into the OpenBSD system at the login prompt. In OpenBSD, you should see two network drivers, vio0 and em0. First, create the following file, /etc/hostname.vio0:
Code:
inet 192.168.1.2 255.255.255.0
Now, in OpenBSD, run
Code:
sh /etc/netstart
Test the connection between the host and the guest. In FreeBSD, run ping -c 2 192.168.1.2 and in OpenBSD run ping -c 2 192.168.1.1. If there is no problem, set up em0 as your main gateway in OpenBSD. See the OpenBSD FAQ for further information. Then set up the firewall in the guest OpenBSD. Finally, rerun
Code:
sh /etc/netstart
Return to the host FreeBSD system. We need to add the following lines to /etc/rc.conf.
Code:
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 addm tap0 up"
defaultrouter="192.168.1.2"
and add net.link.tap.up_on_open=1 to /etc/sysctl.conf.
We also have to make changes to /etc/resolv.conf if the host was using DHCP before. We can test our settings now by restarting the network in FreeBSD. A simple test is to look up www.freebsd.org and then ping www.freebsd.org.
Finally, create the following file, /etc/rc.local.
Code:
#!/bin/sh
/usr/local/sbin/grub-bhyve -m /root/bhyve/openbsd/obsd56.map -r hd0 \
    -M 256M obsd56 < /root/bhyve/openbsd/obsd56.in > /dev/null
/usr/sbin/bhyve -m 256M -A -H -P -s 0:0,amd_hostbridge -s 1:0,lpc \
    -s 2:0,passthru,5/0/0 -s 3:0,virtio-net,tap0 \
    -s 4:0,virtio-blk,/root/bhyve/openbsd/obsd56.img \
    -l com1,nmdm0A -W obsd56
Note that we replaced stdio with nmdm0A in the above script, so the guest console is reachable from the host with cu -l /dev/nmdm0B instead of occupying the host's console. Reboot the host system to test that it works. Enjoy using an OpenBSD firewall in FreeBSD.
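As an added example (not code from the original post), here are a few sh helpers that tie the steps above together: converting the pciconf selector to the pptdevs form, checking from the output of pciconf -l that the NIC is really held by ppt after the reboot, and a guest launcher that refuses to start while the host's em driver still owns the card. The paths, VM name and sample pciconf lines are taken from or modelled on the post.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the passthrough
# setup above. The parsing functions take the text of `pciconf -l` as an
# argument, so they run without root or the real hardware; only
# start_obsd touches the system, and it assumes the post's paths and names.

# Map a pciconf selector such as "em1@pci0:5:0:0" to the bus/slot/function
# form that pptdevs in /boot/loader.conf expects ("5/0/0").
pci_to_pptdev() {
    printf '%s\n' "$1" | sed -e 's/^.*@pci[0-9]*://' -e 's,:,/,g'
}
# Report which driver owns bus/slot/function $1 according to the
# `pciconf -l` output in $2: "ppt" when reserved for passthrough, the
# host driver name (e.g. "em") when the host still claims it, "none" otherwise.
owner_of() {
    sel=$(printf '%s\n' "$1" | sed 's,/,:,g')
    drv=$(printf '%s\n' "$2" |
        sed -n "s/^\([a-z]*\)[0-9]*@pci[0-9]*:${sel}:.*/\1/p")
    printf '%s\n' "${drv:-none}"
}

# True only when the NIC is held by ppt, so the host cannot use it and
# bhyve's passthru option can claim it.
passthru_ready() {
    [ "$(owner_of "$1" "$2")" = ppt ]
}

# Start the guest with the post's command line, but refuse while the host
# still owns the NIC (pptdevs missing from loader.conf, or no reboot yet).
start_obsd() {
    dev=${1:-5/0/0}
    list=$(pciconf -l)
    passthru_ready "$dev" "$list" || {
        echo "$dev is owned by $(owner_of "$dev" "$list"), not ppt; not starting" >&2
        return 1
    }
    /usr/local/sbin/grub-bhyve -m /root/bhyve/openbsd/obsd56.map -r hd0 \
        -M 256M obsd56 < /root/bhyve/openbsd/obsd56.in > /dev/null &&
    /usr/sbin/bhyve -m 256M -A -H -P -s 0:0,amd_hostbridge -s 1:0,lpc \
        -s 2:0,passthru,"$dev" -s 3:0,virtio-net,tap0 \
        -s 4:0,virtio-blk,/root/bhyve/openbsd/obsd56.img \
        -l com1,nmdm0A -W obsd56
}

# Constructed sample output modelled on the pciconf line in the post:
# before the reboot em owns the card, afterwards ppt does.
SAMPLE_BEFORE='em1@pci0:5:0:0: class=0x020000 card=0x00000000 chip=0x10d38086 rev=0x00 hdr=0x00'
SAMPLE_AFTER='ppt0@pci0:5:0:0: class=0x020000 card=0x00000000 chip=0x10d38086 rev=0x00 hdr=0x00'
```

On the host, `passthru_ready 5/0/0 "$(pciconf -l)"` is the check to run once after the reboot; `start_obsd` can replace the two raw commands in /etc/rc.local.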