NetBSD as a Wired Router: replacing manageable routers with simplicity and control

•

NetBSD as a Wired Router: Replacing Managed Routers with Simplicity and Control

NetBSD as a Wired Router: Replacing Managed Routers with Simplicity and Control

For many years, the word router has been associated with expensive appliances, closed firmware, fragile web interfaces, and vendor-driven obsolescence cycles. This article shows that it does not have to be that way.

With modest hardware, NetBSD 10.x, and classic Unix principles, it is entirely possible to build a robust, predictable, fully controlled wired router, without relying on proprietary networking equipment.

This is not a hack.
It is simply Unix doing what Unix has always done.

Motivation

  • Avoid purchasing expensive managed routers
  • Maintain full control over routing, NAT, and policy
  • Separate routing from firewalling responsibilities
  • Use simple Layer-2 switches without embedded logic

Architecture: Clear Separation of Roles

  • NetBSD Router: routing and NAT
  • NetBSD Firewall: policy enforcement (enabled later)
  • L2 Switches: pure frame switching

The router and firewall are connected using a dedicated point-to-point /30 transit network. This link carries only traffic between those two systems.

1) NetBSD Router: Routing and Minimal NAT

1.1 Enable IP Forwarding (sysctl.conf)

Edit /etc/sysctl.conf on the router: 

net.inet.ip.forwarding=1
net.inet.ip.checkinterface=0

These settings allow IPv4 packet forwarding and prevent interface checks from interfering with routing behavior.

1.2 Interface and Service Configuration (rc.conf)

Example /etc/rc.conf for the router: 

rc_configured=YES

hostname=router.local
sshd=YES
ntpd=YES
ntpdate=YES
dhcpcd=NO

# WAN interface (connected to ISP or upstream modem)
ifconfig_wan_if="inet <WAN_IP> netmask <WAN_NETMASK>"

# Transit interface (point-to-point /30)
ifconfig_transit_if="inet <TRANSIT_ROUTER_IP> netmask 255.255.255.252"

# Enable NPF for NAT
npf=YES

1.3 Minimal NPF Configuration (NAT only)

The router uses NPF strictly for NAT at this stage. No firewall policy is enforced here. 

map wan_if dynamic <TRANSIT_NET>/30 -> <WAN_IP>

group default {
    pass all
}

Apply and verify: 

npfctl reload
npfctl start
npfctl stats

2) Firewall: Transit Ready, Policy Later

The firewall is initially configured only to ensure connectivity:

  • IP address on the /30 transit link
  • Default route pointing to the router
  • No firewall policy enforced yet

2.1 Firewall rc.conf

rc_configured=YES

hostname=firewall.local
sshd=YES
ntpd=YES
ntpdate=YES
dhcpcd=NO

# Transit interface
ifconfig_transit_if="inet <TRANSIT_FIREWALL_IP> netmask 255.255.255.252"

# Default route via router
defaultroute="<TRANSIT_ROUTER_IP>"

# NPF intentionally disabled at this stage
# npf=NO

3) Connectivity Validation

Instead of relying solely on ICMP, real connectivity was validated using: 

pkgin update

This confirms DNS resolution, TCP connectivity, and NAT functionality.

4) Persistence and Reboots

After configuration, both systems were rebooted to confirm:

  • Interfaces come up automatically
  • NAT resumes correctly
  • No manual intervention is required

Recommended reboot order:

  1. Router
  2. Firewall

Conclusion

NetBSD does not replace managed routers.
It eliminates the need for them.

With proper role separation, a /30 transit link, minimal NAT, and simple switches, you gain:

  • Predictable behavior
  • Full auditability
  • Lower cost
  • Long-term control

Nothing here is new.
It is simply Unix, applied with care.

•

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *