about software and freediving

OpenBSD 5.9: VDSL and VLANs

I currently use a 50 Mbit/s / 10 Mbit/s VDSL plan from O2 (Telefonica) to connect to the internet. The plan includes a FritzBox 7490 which might be okay for the average user but did not allow me to configure more sophisticated networks.

I operate a Freifunk node to share my uplink with others (guests/strangers/neighbors) since in Germany you can still be held accountable for actions others do from within your network.

Freifunk circumvents this problem by connecting each node to a gateway outside of Germany through a VPN. I do trust the people who operate the Freifunk network in my city but nonetheless the device can still be compromised by a malicious attacker from within the Freifunk network. Therefore I wanted to separate my home network into virtual LANs using 802.1q.

Also I do not trust devices that are configured, updated and rebooted remotely by any manufacturer, in this case AVM GmbH. How do I know they are not flashing a firmware that is able to do deep packet inspection? It’s all closed source!

So I bought a rather cheap hardware platform that features two Gigabit NICs - one will be used for the PPPoE uplink to an Allnet ALL126AS2 VDSL2 modem and the other one is a trunked link to a managed switch which serves as a “port expander”. The internal VLAN configuration will maybe be explained in another article.

Modem Configuration

First I needed to configure the modem for my connection. In the VDSL2->Profile Config section I selected Additional POTS Filter and B43. Also one should check that the device is in Switch Mode.

OpenBSD PPPoE Config

As previously stated, the first NIC will be used for the PPPoE connection. Since the chip is a Realtek 8168, the interface name is consequently re0.

This file brings up re0:


O2 (Telefonica) is in most parts of Germany only a reseller of VDSL2 products by Deutsche Telekom. I did not pay attention in school, is that capitalism or socialism? This is the reason why you need to experiment to find the correct VLAN for your connection.

I simply used my laptop running Arch Linux and pppoe-discovery to find the correct VLAN. You should try VLAN IDs 7, 8, 11, 12 and 13 for Telefonica connections. If you end up with 7 or 8, you know that in reality you are using a T-DSL (Deutsche Telekom) connection. Once you know the VLAN you can create a file similar to this one:

inet NONE descr O2DSL vlan 7 vlandev re0

Only the PPPoE config is now missing:

inet NONE \
pppoedev vlan7 authproto pap \
authname 'fnord@reseller' authkey 'secret23'
!/sbin/route add default

After a reboot or sh /etc/netstart the PPPoE connection should be established.

Secure your device before connecting to the internet:

  • Enable pf (always use protection, kids!)
  • Limit sshd to your internal network, disallow root, disallow password authentication
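
One way to check the sshd bullet before the uplink goes live, as an added example that is not part of the original post: a small sh audit of an sshd_config. The function names, the sample configs and the internal address 192.168.1.1 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the sshd bullet above.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# and everything after a Match line is conditional, so only globals count.

global_values() {   # $1 = config file, $2 = keyword in lower case
    awk -v want="$2" '
        /^[ \t]*(#|$)/          { next }   # comments and blank lines
        tolower($1) == "match"  { exit }   # conditional section starts here
        tolower($1) == want     { print tolower($2) }
    ' "$1"
}

audit_sshd() {      # $1 = config file, $2 = internal address sshd may bind to
    rc=0
    root=$(global_values "$1" permitrootlogin | head -n 1)
    pass=$(global_values "$1" passwordauthentication | head -n 1)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=${root:-unset}, want no"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=${pass:-unset}, want no"; rc=1; }
    # ListenAddress is cumulative; when unset sshd binds every address,
    # including the one on pppoe0. Exact match only (no :port suffix handling).
    addrs=$(global_values "$1" listenaddress)
    [ -n "$addrs" ] || { echo "FAIL no ListenAddress, sshd listens on all interfaces"; rc=1; }
    for a in $addrs; do
        [ "$a" = "$2" ] || { echo "FAIL ListenAddress $a is not $2"; rc=1; }
    done
    return $rc
}

# Constructed sample configs (192.168.1.1 is a made-up internal address).
write_samples() {   # $1 = directory to write into
    printf '%s\n' '# a "no" further down loses to the first value' \
        'PermitRootLogin prohibit-password' 'PermitRootLogin no' \
        'Match Address 192.168.1.0/24' '    PasswordAuthentication no' \
        > "$1/weak.conf"
    printf '%s\n' 'ListenAddress 192.168.1.1' 'permitrootlogin no' \
        'PasswordAuthentication no' > "$1/hardened.conf"
}

dir=$(mktemp -d) && write_samples "$dir"
for f in weak hardened; do
    echo "== $f.conf"
    if audit_sshd "$dir/$f.conf" 192.168.1.1; then echo "OK"; fi
done
rm -rf "$dir"
```

On the router itself, point audit_sshd at /etc/ssh/sshd_config with the address of the internal interface; sshd -T prints the effective configuration if you want to cross-check the result.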