================
== cqstia.com ==
================

Segregating Interfaces on OpenBSD

I have an annoying problem, a number of evil devices (specifically a smart TV) keep banging around my network, attempting to connect to Port 35 for no reason. Likely sending data to nefarious groups.

At first, I tried using “guest wifi” to deal with this problem. It didn’t work, and my router only has two ethernet ports. “VLANs” aren’t really going to work when all I have is a dumb switch, and I don’t think they would have helped me anyway. So what am I to do?

Well, I remembered I have USB Ethernet adapters!

I got to setting up a new subnet in dhcpd.conf:

subnet 192.168.3.0 netmask 255.255.255.0 {
       option routers 192.168.3.1;
       option domain-name-servers 192.168.3.1;

       range 192.168.3.40 192.168.3.253;
}

Created a new interface…

/etc/hostname.axen0

inet 192.168.3.1 255.255.255.0 192.168.3.255

Plugged my Wifi AP into the USB adapter, changed its static IP, and voila!

Connected to Wifi, I saw I had a 192.168.3.XX address, and to test it out I tried pinging a device in 192.168.0.XX aaaand I was able to ping across the subnet. 😔

Yep. Turns out by default on OpenBSD all interfaces are in the same rdomain and share the same routing table, so it’s incredibly easy for packets to cross interfaces and subnets.

At first I was worried I would need to use rdomains and retool my network from the ground up. I was all ready to write a blog post about rdomains, but then I had an idea:

I simply added this pf rule to my pf.conf:

block in on $wifi from any to 192.168.0.0/24

Is this solid? Not sure. And I’m certain you can get around it with ip-spoofing, but this is just meant to stop all the evil devices connected to the wifi from completing their scans.

This setup is neat too: theoretically, devices in the 192.168.0.0/24 subnet can connect to devices in the 192.168.3.1/24 subnet, but not vice versa. Some might call this a glaring security hole; I say it lets me keep using my printer.
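Below is an added example, not part of the original post, of how the single block rule above can sit inside a fuller pf.conf. It assumes the trusted LAN interface is em0 (the post never names it), that axen0 is the USB adapter feeding the Wi-Fi AP, and that any existing NAT rules for Internet access are kept separately. It also closes the spoofing gap mentioned above by refusing packets on the Wi-Fi side whose source address is not in the Wi-Fi subnet, while still letting Wi-Fi clients obtain a DHCP lease and reach the router for DNS. The one-way behaviour (LAN can open connections to Wi-Fi, not the reverse) comes from pf keeping state: replies to a LAN-initiated connection match the state entry and are never evaluated against the block rule.

```pf
# Added example pf.conf fragment. Interface names are assumptions:
# em0 = trusted LAN (192.168.0.0/24), axen0 = USB adapter for the Wi-Fi AP.
lan  = "em0"
wifi = "axen0"
lan_net  = "192.168.0.0/24"
wifi_net = "192.168.3.0/24"

set skip on lo

# Default deny; everything passed below keeps state.
block all

# DHCP requests arrive from 0.0.0.0 before a client has an address, so they
# must be accepted before the source-address check that follows.
pass in quick on $wifi inet proto udp from any port 68 to any port 67

# Source-address hygiene on the Wi-Fi side: drop packets that claim a
# source outside the Wi-Fi subnet (covers the ip-spoofing concern).
antispoof quick for $wifi
block in quick on $wifi from ! $wifi_net

# The rule from the post, made quick so no later pass rule can override it:
# nothing entering on the Wi-Fi side may reach the LAN.
block in quick on $wifi from any to $lan_net

# Wi-Fi clients may reach the router itself (DNS on 192.168.3.1) and
# anything that is not the LAN, e.g. the Internet via existing NAT rules.
pass in on $wifi from $wifi_net to ! $lan_net

# LAN side stays open. LAN -> Wi-Fi connections (the printer case) work
# because reply packets match the state created here, not the block above.
pass in on $lan
pass out
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To keep dhcpd from handing out leases on interfaces it should not serve, restrict it to the two inside interfaces, e.g. `rcctl set dhcpd flags em0 axen0` followed by `rcctl restart dhcpd` (again assuming em0 is the LAN interface).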

Thanks for reading!