Ok, things are back to normal; I got all the computers behind the router. Just in case someone runs into this, here is a list of things that might be useful. I still have a bit of work to do as far as security and networking, etc., but so far the network has:
1) openbsd router
2) NAT using pf
3) dns cache using unbound
4) web cache using squid
System Design:
[ISP router] 192.168.0.1 -[nic1/em0] 192.168.0.2 [OpenBSD] [nic2/em1] 192.168.1.2 - [Switch] - 192.168.1.21 [Linux] + other computers, printer, etc...
NOTE: make sure that the LAN cable from em0 goes to the ISP router/cable modem; you might have to physically inspect the network cards, or in my case the dual-LAN NIC.
OPENBSD
# cat sysctl.conf
Code:
# let the kernel route packets between em0 (ISP side) and em1 (LAN side)
net.inet.ip.forwarding=1
# cat rc.conf.local
Code:
check_quotas=NO
pf=YES                  # packet filter / NAT, rules loaded from pf_rules at boot
pf_rules=/etc/pf.conf
unbound=YES
unbound_flags=          # an empty string enables the daemon with default arguments
apmd_flags=             # was YES; rc passes this value to apmd as arguments, so leave it empty to enable
# cat resolv.conf
Code:
# the router itself resolves through the local unbound cache
nameserver 127.0.0.1
# cat rc.local
Code:
# start the squid web cache at boot if the package is installed
if [ -x /usr/local/sbin/squid ]; then
	echo -n ' squid'
	/usr/local/sbin/squid
fi
# cat mygate
# cat hosts
Code:
127.0.0.1 localhost
::1 localhost
192.168.1.2 bsdrouter bsdrouter.domain.net
192.168.0.2 bsdrouter bsdrouter.domain.net
192.168.1.21 linuxcomputer linuxcomputer.domain.net
# cat hostname.em0
Code:
inet 192.168.0.2 255.255.255.0
# cat hostname.em1
Code:
inet 192.168.1.2 255.255.255.0
# cat pf.conf
Code:
# Macros and the martians table come first so the rules below can use them.
ext_if="em0"
int_if="em1"
# Private/reserved ranges that should never appear as a source on the ISP side.
# Note: 192.168.0.0/16 also covers the ISP router at 192.168.0.1, so the two
# martian rules below stop this box from talking directly to that address.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
# NAT everything leaving egress that did not originate on the egress network.
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# "log" here sends every LAN packet to pflog0; drop it once debugging is done.
match log on $int_if all scrub (random-id min-ttl 64 reassemble tcp max-mss 1440)

block return    # block stateless traffic
pass            # establish keep-state; note this also admits new connections in on egress
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# Redirect www from the LAN to our transparent squid proxy. The source must be
# the LAN ($int_if:network); "from $ext_if" would only match the router's own em0 address.
pass in quick on $int_if proto tcp from $int_if:network to any port www divert-to 127.0.0.1 port 3129
pass out quick from 127.0.0.1 divert-reply
# Same translation as the nat-to match rule above; harmless but redundant.
pass out on $ext_if inet from $int_if:network to any nat-to $ext_if
# route show -inet
Code:
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.0.1        UGS        1     4697     -     8 em0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl        1      202 32768     1 lo0
192.168.0/24       bsdrouter          UC         1       58     -     4 em0
192.168.0.1        d4:04:cd:fd:23:eb  UHLc       1      257     -     4 em0
bsdrouter          00:15:17:d7:81:52  UHLl       0     1487     -     1 em0
192.168.0.255      bsdrouter          UHb        0        0     -     1 em0
192.168.1/24       bsdrouter          UC         3       18     -     4 em1
bsdrouter          00:15:17:d7:81:53  UHLl       0      361     -     1 em1
linuxcomputer      00:24:8c:7c:5f:53  UHLc       2     1792     -     4 em1
192.168.1.255      bsdrouter          UHb        0        2     -     1 em1
base-address.mcast localhost          URS        0        0 32768     8 lo0
LINUX
linuxcomputer:/etc# cat network/interfaces
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

# static LAN address; the OpenBSD box (em1, 192.168.1.2) is the default gateway
auto eth0
iface eth0 inet static
	address 192.168.1.21
	netmask 255.255.255.0
	gateway 192.168.1.2
linuxcomputer:/etc# cat resolv.conf
Code:
# DNS goes to the unbound cache on the OpenBSD router
nameserver 192.168.1.2
linuxcomputer:/etc# route
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         bsdrouter       0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
You might have to reboot all systems, including the cable modem, because some modems cache the connections, and that could be bad. Also, there's a chance that rebooting might not reset the routing tables for some reason; apparently it didn't in my case, so doing:
on the BSD router machine should get things as expected.
If something goes wrong, you could run tcpdump to see what kind of activity is going on, or not.
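After the reboots described above, the things worth confirming on the router are that forwarding is actually on, that the loaded pf ruleset carries the divert-to rule, and that squid and unbound are bound where the clients expect them. The script below is an added example and not part of the original post; it assumes the values from the post (squid intercept port 3129, unbound on 192.168.1.2) and parses command output handed to it so each check can also be tried against saved output.

```shell
#!/bin/sh
# Added example (not from the original post): post-reboot checks for the router.
# Assumed from the post: squid intercept port 3129, unbound on LAN address
# 192.168.1.2. Checks parse command output passed in, so they can be tested.

# sysctl.conf is only read at boot; confirm forwarding is enabled right now.
# $1 = output of `sysctl net.inet.ip.forwarding`
forwarding_on() {
    [ "$1" = "net.inet.ip.forwarding=1" ]
}

# Look at the ruleset pf actually loaded (pfctl -sr), not at the file: if the
# divert-to rule is missing, LAN web traffic bypasses squid without any error.
# $1 = output of `pfctl -sr`, $2 = squid intercept port
has_divert_rule() {
    printf '%s\n' "$1" | grep -Fq "divert-to 127.0.0.1 port $2"
}

# Something must be bound to addr.port in `netstat -an -f inet` (OpenBSD
# prints local addresses as 192.168.1.2.53). TCP sockets count only in
# LISTEN state; UDP sockets have no state column.
# $1 = netstat output, $2 = "addr.port"
listening_on() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$4 == want && ($1 == "udp" || $6 == "LISTEN") { found = 1 }
         END { exit !found }'
}

# Print ok/FAIL for one check; $1 = label, remaining args = the check command.
report() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# Run every check live on the router; returns non-zero if any check failed.
check_router() {
    rc=0
    report "ip forwarding"      forwarding_on "$(sysctl net.inet.ip.forwarding 2>/dev/null)"
    report "pf divert to squid" has_divert_rule "$(pfctl -sr 2>/dev/null)" 3129
    ns=$(netstat -an -f inet 2>/dev/null)
    report "squid intercept port"   listening_on "$ns" 127.0.0.1.3129
    report "unbound on LAN address" listening_on "$ns" 192.168.1.2.53
    return $rc
}

# Only run the live checks where pfctl exists, i.e. on the OpenBSD box.
if command -v pfctl >/dev/null 2>&1; then
    check_router
fi
```

If "pf divert to squid" fails while the rule is in /etc/pf.conf, reload with `pfctl -f /etc/pf.conf` and check `pfctl -sr` again before looking at squid itself.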