Getting started

From securityrouter.org, an OpenBSD-based firewall

First of all, thank you for using the security router. We hope that this getting started guide will help you get going as smoothly as possible. Please contact us on [email protected] in case you have any problems.

Installation

The first boot screen, as shown in a VMware console

There's a list of supported hardware, although any x86 machine is likely to work. The steps boil down to downloading a raw or virtual-machine disk image, booting the disk image, accessing the video/serial console to change network settings if needed, and finally accessing the system's web administration.

  1. Download the appropriate software image from http://dl2.halon.se/vsr/
    • Use the architecture amd64 (64-bit, works on Intel CPUs as well) if you need AES-NI encryption acceleration
    • Use the console type serial if you prefer serial console (RS-232) rather than video (a screen)
    • Both the vmware and video versions can be used on various virtualization platforms such as KVM or Parallels
  2. Prepare the system for booting
    • For virtualization
      • Add the downloaded software as a guest as you usually do, with at least 128 MB RAM, and power it up (vSphere users can use "Deploy OVF Template" with the OVA version)
      • Go to step 3
    • For dedicated hardware
      • Find suitable x86 hardware
      • Write the file to a disk (USB stick, CompactFlash, etc) using this guide
      • Plug the disk into the hardware and power it up
      • Go to step 3
  3. Follow the instructions on the console (which might be a serial console).
    • By default, the system tries to get an IP address using DHCP on its first Ethernet port
    • If that fails, a guide describes how to configure a static IP
    • The URL on which you can access the web administration is printed in the welcome message, like https://X.X.X.X
    • If the system has multiple network interfaces, you can connect to the second ethernet port and access it on https://192.168.1.1
  4. Steer your browser of choice to that address (HTTPS only)
  5. Sign in with username and password admin
  6. Connect additional interfaces, and go to Network > Basic setup where one of them can be selected as LAN

Where to go next

Once logged in, change the password on the System > Users page. It's also a good idea to create a second user that can be given to personnel who are trusted with administration but not with full appliance access (the admin user is capable of, for example, enabling root access). Most users will then go to the Network > Basic settings page and configure the WAN and LAN addresses. Advanced users will probably head directly to the Network > Interfaces page, or start reading about the configuration file format.

Default configuration

Before the router's first boot, it has no configuration. Upon boot, a program called bootcfgmgr will create an initial configuration according to hardware parameters such as physical interface configuration. It's partly described in the getting started sections above. Although the default configuration is dynamically generated, and differs between routers, it usually boils down to:

  • An "admin" user with password "admin" (the "admin" user is capable of creating other users, including root access, and is therefore to be considered a "power user")
  • An HTTPS server on port 443 and an SSH server on port 22, for administration access other than console
  • The first physical Ethernet port is configured as a WAN (Internet) port, with NAT translation, an outbound firewall rule and possibly a DHCP client
  • Management is allowed in on the first (WAN) port
  • The second physical Ethernet port is configured as LAN, with network 192.168.1.1/24 (netmask 255.255.255.0) and a DHCP server
  • The third (or last) physical Ethernet port is configured as a zero-configuration cluster port
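
Because the default configuration allows management in on the first (WAN) port, it is useful to confirm from a host on the WAN side which of the two management services actually answer, both right after installation and again after access has been restricted. The script below is an added example, not part of the original guide or of the router's software; the function names and the file name in the usage comment are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Management services named in the default configuration above.
MGMT_PORTS = {22: "ssh", 443: "https"}

def probe(host, port, kind, timeout=3.0):
    """Return what answered on host:port, or None if it is not reachable."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None  # closed, filtered or unreachable
    with sock:
        try:
            if kind == "ssh":
                # An SSH server sends its identification string first.
                banner = sock.recv(64).decode("ascii", "replace").strip()
                return banner if banner.startswith("SSH-") else "open, no SSH banner"
            # Reachability test only: certificate trust is not evaluated here.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock) as tls:
                return f"TLS handshake ok ({tls.version()})"
        except OSError:  # includes ssl.SSLError and timeouts
            return f"open, no {kind} handshake"

def exposed_management(host, ports=MGMT_PORTS, timeout=3.0):
    """Map each reachable management port to what answered on it."""
    found = {}
    for port, kind in ports.items():
        seen = probe(host, port, kind, timeout)
        if seen is not None:
            found[port] = seen
    return found

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_mgmt.py <router WAN address>
    wan_ip = sys.argv[1]
    exposed = exposed_management(wan_ip)
    for port, seen in sorted(exposed.items()):
        print(f"{wan_ip}:{port} reachable from here: {seen}")
    sys.exit(1 if exposed else 0)
```

The exit status is non-zero while either management port is reachable from where the script runs, so it can be reused as a check after the admin password and management access have been changed.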