OpenBSD router on apu2c4

Posted by nerdcoding on April 29, 2018

This guide describes how to install and configure a router running OpenBSD on an apu2c4 board.

Connect serial console

The apu2c4 does not provide a video interface like HDMI, DVI or VGA. But the apu2c4 has an old COM port, or to be more specific, a male DB9 serial port. We need a null modem cable (also crossover cable) and a DB9 to USB converter. Plug the null modem cable into the apu2c4 and th other end, with usage of the USB adapter, into a Linux laptop.

With lsusb all USB devices are listed. Here search for the serial port:

$ lsusb
Bus 001 Device 010: ID 052a:4251 Prolific Technology, Inc. PL2303 Serial Port

Here the vendor and product number (052a:4251) are relevant. And with these we can add the usbserial module into the kernel:

$ modprobe usbserial vendor=0x052a product=0x4251

Now search the appropriate ttyUSB* device (here ttyUSB0) and make it accessible:

$ dmesg | grep 'ttyUSB'
$ sudo chmod 777 /dev/ttyUSB0

Finally we can create a serial connection Putty. Under the category Connection → Serial enter:

Serial line to connect to:	/dev/ttyUSB0
Speed: 115200
Data bits: 8
Stop bits: 1
Parity: None
Flow Control: XON/XOFF

And open the connection. Connect the apu2c4 to power and the startup screen should be shown in the Putty window.

Create OpenBSD image

Download OpenBSD file system image installXX.fs (do NOT use the ISO image installXX.iso) and write the image to an USB drive:

$ sudo dd if=install<XX>.fs of=/dev/<device-name> bs=1M

Make absolutely sure to enter the correct device name. All data on that device are deleted and you properly do not want to erase your hard drive.

Install OpenBSD on apu2c4

Connect to serial terminal with Putty, insert USB stick and start the apu2c4. Press F10 to show the boot menu and boot from the USB drive. Then the boot> prompt should be shown.

The following settings are required for proper serial console output:

stty com0 115200
set tty com0

Enter them into the boot> prompt and then start the installation with the command boot.

Configure OpenBSD


The apu2c4 has three separate ethernet interfaces, whose device names could be shown with ifconfig (e.g. em0, em1 and em2). When there is a wireless card inserted into the apu2c4 then there should also be a additional device name (e.g. athn0).

Plug your DSL modem into the em0 device and add up into the file /etc/hostname.em0

$ echo "up" > /etc/hostname.em0

To connect with my ISP I used the PPPoE protocol. For the PPPoE connection create a file /etc/hostname.pppoe0 and enter:

inet NONE pppoedev em0 authproto pap authname '<isp-username>' authkey '<isp-password>' up
!/bin/sleep 5
!/sbin/route add default -ifp pppoe0

The remaining two ethernet devices and the wireless cloud be used to create three separated networks:

$ echo "inet" > /etc/hostname.em1
$ echo "inet" > /etc/hostname.em2
$ cat /etc/hostname.athn0
media autoselect mode 11n mediaopt hostap chan 1
nwid wpaid
wpakey mywpakey

Restart networking with sh /etc/netstart or the whole apu2c4 with shutdown -r now and after the reboot with an ifconfig the following should be shown:

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 5 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet netmask 0xff000000
        lladdr 00:11:22:33:44:55
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        lladdr 00:11:22:33:44:55
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseTX full-duplex,rxpause,txpause)
        status: active
        inet netmask 0xffffff00 broadcast
        lladdr 00:11:22:33:44:55
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet netmask 0xffffff00 broadcast
        lladdr 00:11:22:33:44:55
        index 4 priority 4 llprio 3
        groups: wlan
        media: IEEE802.11 autoselect (autoselect mode 11n hostap)
        status: active
        ieee80211: nwid wpaid chan 1 bssid 00:11:22:33:44:55 wpakey wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
        inet netmask 0xffffff00 broadcast
        index 6 priority 0 llprio 3
        dev: em0 state: session
        sid: 0x1936 PADI retries: 1 PADR retries: 1 time: 06:51:35
        sppp: phase network authproto pap authname "***"
        groups: pppoe egress
        status: active
        inet X.X.X.X --> X.X.X.X netmask 0xffffffff


The DHCP server is needed to assign an IP address dynamically to clients connected to our router. We just created three different networks (, and and for each of this networks the DHCP server is configured. First make sure DHCP is enabled:

$ rcctl enable dhcpd

Then add ther server configuration into the file /etc/dhcpd.conf:

option domain-name "";
option domain-name-servers;
option subnet-mask;

default-lease-time 86400;
max-lease-time 86400;

subnet netmask {
        option routers;


        host fixedip {
                hardware ethernet 00:11:22:33:44:55;


subnet netmask {
        option routers;


subnet netmask {
        option routers;


Anymore we need to configure on which devices DHCP should assign IP addresses:

$ echo "dhcpd_flags=\"em1 em2 athn0\"" > /etc/rc.conf.local

Finally the server could be started:

$ /etc/rc.d/dhcpd start


SSH should be working out of the box, so there is nothing to do here. With ps auxwww | grep sshd we could check if the SSH server is running. If not enable and start the server with:

$ rcctl enable sshd
$ rcctl start sshd

The server configuration clould be found in /etc/ssh/sshd_config.

PF (Packet Filter)

The last step is to enable and configure the firewall pf. All firewall rules are defined in the file /etc/pf.conf. Here I giva a example of a very basic firewall configuration in dependence on the offical OpenBSD FAQ.


table <martians> {     \ \        \ }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $em1_if $em2_if $wifi_if }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block log all
pass out quick inet
pass in on { $em1_if $em2_if $wifi_if } inet

Enable PF with the just configured rules:

$ pfctl -ef /etc/pf.conf

Disbale PF:

$ pfctl -d

Check PF logs:

tcpdump -n -e -ttt -i pflog0