What you need:

1)     Get NetBSD

  1. This process works for NetBSD 5x and 6x. I’ve updated this doc for NetBSD 6.0.1.
  2. Download the ISO image from the site nearest you: http://www.netbsd.org/mirrors/#iso
  3. Note: your CPU architecture choice determines what version of NetBSD you use.  Regular 32 bit x86 hardware from AMD and Intel use the i386cd iso file. As you can see, NetBSD runs on just about everything, including toasters http://www.embeddedarm.com/software/arm-netbsd-toaster.php
  4. A computer with two NICs, two CAT5 network cables and a switch for your internal network.
  5. An Internet connection. This doc is based on a DHCP connection to the external Verizon FIOS network.
  6. External network = DHCP internet connection from Verizon FIOS in-home router
  7. Internal network = Local static IP connection to internal home network

2)     Minimum hardware specs:

  1. Good enough – 200 Mhz with 256 Mb of RAM, 9 Gig or larger hard drive
  2. Fast: AMD Athlon or Pentium 4, 2 Gigs of RAM, 40 Gig hard drive
  3. Note that the above PC specs are very old. NetBSD is great for repurposing Mom’s old computer.
  4. The PC I used?  A Dell GX270, Intel P4, 2 Gigs RAM, 40 Gig disk drive, two 10/100/1000 NICs (1 Intel, 1 Dlink). You can find one on Ebay.com for under $100. Note that your NIC device IDs will differ based on hardware vendor. http://shop.ebay.com/?_from=R40&_trksid=p5197.m570.l1313&_nkw=Dell+GX270&_sacat=See-All-Categories
  5. Caffeinated drink of choice.

Layout of the System and Network

1)     The list below depicts the example network and PC that I used to make this work.

Internal network:, mask, gateway

Internal NIC device ID: wm0

Internal IP:

Hostname: gateway

External Network: Internet connection via FIOS DHCP connection from Actiontec router provided by Verizon.

External NIC device ID: sk0

External IP: provided by DHCP

Install NetBSD

1)     Install NetBSD on your system.  Just follow the prompts. It’s easy. When asked, install all of the X packages. If you can’t figure that out, don’t worry. Installing xfce later in this doc will take care of it.

2)     When done with the installation, log in as root and perform the following.

–> /usr/bin/passwd

Changing local password for root.

New password:

Retype new password:

–> useradd -m -G wheel <your new user name>

–> passwd <your new user name>

–> echo "sshd=YES" >> /etc/rc.conf

–> echo "inetd=NO" >> /etc/rc.conf

–> /etc/rc.d/sshd restart

Enable and configure Networking Services.

1)     Since you have two NICs, you have to manually define the NIC with the static IP for the internal network.

–> vi /etc/ifconfig.wm0 and add:


media autoselect netmask media autoselect  (use the IP you want to be your internal network interface)

–> wq!

Note: you will not create /etc/ifconfig.sk0 because it’s not static. You’ll get DHCP from FIOS.

2)     Enable packet forwarding/routing and performance tweaks.

–> vi /etc/sysctl.conf and add:





–> wq!

3)     Since you get your public IP address assignment dynamically through DHCP, enable it in /etc/rc.conf.

–> vi /etc/rc.conf


dhclient_flags=sk0   (this is the NIC that attaches to the FIOS router)

–> wq!

4)     Edit /etc/dhclient.conf so the DHCP client can query the DHCP service.

–> vi /etc/dhclient.conf and add:

send host-name "gateway";                    # <=== Put your hostname here.

send dhcp-client-identifier "gateway";      # <=== Put your host identifier here. Usually same as hostname.

request subnet-mask, broadcast-address, routers, domain-name-servers;

timeout 30;

retry 60;

select-timeout 5;

script "/sbin/dhclient-script";

lease {

interface "sk0";                                    # <=== put your FIOS facing NIC device here.

option host-name "gateway";               # <=== put your hostname here

option subnet-mask;

#  option domain-name "my.domain";

#  option domain-name-servers;

renew 2 2000/1/12 00:00:01;

rebind 2 2000/1/12 00:00:01;

expire 2 2000/1/12 00:00:01;

}

–> wq!

5)     Prevent dhclient from nuking your /etc/resolv.conf.

–> vi /etc/dhclient-enter-hooks  (and paste in the lines below)

make_resolv_conf() {

echo "doing nothing to resolv.conf"

}

–> wq!

6)     Edit your IP Filter rules.

–> vi /etc/ipf.conf and add:

pass in from any to any

pass out from any to any

–> wq!

Note: for a more secure setup see http://www.netbsd.org/docs/network/nsps/config_ipf.html for advanced firewall filtering rules and options. You can also Google it. You could also install Webmin and use the Ipf module.
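
Added example (not part of the original post): the open ruleset from step 6 next to a tighter one for the FIOS-facing NIC, plus a small awk check that lists rules admitting all inbound traffic on a given interface. The interface names sk0 and wm0 follow this page; the hardened rules and the function names are assumptions constructed for illustration, and the check is a simple pattern match, not a full IP Filter evaluator.

```shell
#!/bin/sh
# Added example; interface names follow the page (sk0 = FIOS side, wm0 = LAN side).

# Ruleset from step 6 of the page: everything passes in both directions.
page_rules() { cat <<'EOF'
pass in from any to any
pass out from any to any
EOF
}

# Tighter ruleset, constructed for this example (not from the page).
hardened_rules() { cat <<'EOF'
# Internet side: block and log unsolicited inbound; replies return via state
block in log on sk0 all
# DHCP replies from the upstream router
pass in quick on sk0 proto udp from any port = 67 to any port = 68
pass out quick on sk0 proto tcp from any to any flags S keep state
pass out quick on sk0 proto udp from any to any keep state
pass out quick on sk0 proto icmp from any to any keep state
# LAN side and loopback: unrestricted
pass in quick on wm0 all
pass out quick on wm0 all
pass in quick on lo0 all
pass out quick on lo0 all
EOF
}

# Read ipf rules on stdin and print each "pass in" rule that accepts all
# traffic on interface $1, or on every interface when no "on" clause is given.
open_inbound_rules() {
    awk -v ext="$1" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        $1 == "pass" && $2 == "in" {
            ifc = ""
            for (i = 3; i < NF; i++) if ($i == "on") ifc = $(i + 1)
            if (ifc != "" && ifc != ext) next          # bound to another NIC
            if ($0 ~ / proto / || $0 ~ / port /) next  # narrowed by protocol/port
            if ($0 ~ / all( |$)/ || $0 ~ / from any to any( |$)/) print
        }'
}

echo "page ruleset, open inbound rules on sk0:"
page_rules | open_inbound_rules sk0
echo "hardened ruleset, open inbound rules on sk0:"
hardened_rules | open_inbound_rules sk0
```

To audit the live file, run open_inbound_rules sk0 < /etc/ipf.conf; ipf -n -f /etc/ipf.conf parses a ruleset without loading it into the kernel.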

7)     Enter your Network Address Translation (NAT) rules for the NIC facing the FIOS router.

–> vi /etc/ipnat.conf and add:

map sk0 -> proxy port ftp ftp/tcp

map sk0 -> portmap tcp/udp 40000:60000

map sk0 ->

–> wq!

8)     Enable your NAT/firewall features and NTP for time sync.

–> vi /etc/rc.conf

ipfilter=YES      #Stateful firewall

ipnat=YES        #Network Address Translation

ipmon=YES      #Firewall logging

ntpdate=yes

ntpdate_hosts="0.pool.ntp.org"


–> wq!

–> reboot

9)     During the reboot it should discover its DHCP IP from the FIOS router. It will probably be, 3 or 4. If it doesn’t pick it up try switching the cables on the back of your PC to the other NIC and reboot. Also, if DHCP does not work, log in as root and try running the following:

–> dhclient sk0

Listening on BPF/sk0/1c:bd:b9:85:b9:03

Sending on   BPF/sk0/1c:bd:b9:85:b9:03

Sending on   Socket/fallback

DHCPDISCOVER on sk0 to port 67 interval 7

DHCPDISCOVER on sk0 to port 67 interval 13


DHCPREQUEST on sk0 to port 67


doing nothing to resolv.conf

bound to — renewal in 36425 seconds.

Watch your NAT table with:

–> ipmon -o N

To manually load the NAT rules if you make a change:

–> ipnat -CF -f /etc/ipnat.conf

10)  Add the NetBSD package location to the root profile.

For 5x:

export PKG_PATH="http://ftp.NetBSD.org/pub/pkgsrc/packages/NetBSD/i386/5.1_2010Q3/All"

For 6x:

export PKG_PATH="http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/6.0/All"

–> vi /root/.shrc

# Package location on the ftp server.

export PKG_PATH="<your path from above, either 5x or 6x>"

export PKG_PATH

–> wq!

–> reboot

Log in as root and install additional packages.

–> pkg_add -uv bash-4.2nb2
–> pkg_add -uv p5-Crypt-SSLeay
–> pkg_add -uv p5-Net-SSLeay
–> pkg_add -uv less-418
–> pkg_add -uv xfce4    (or xfce4-4.6.1nb5 if xfce4 doesn’t work)
–> pkg_add -uv firefox
–> pkg_add -uv nmap htop iftop lsof
–> reboot

Reboot to seat the changes.  Log in as root and start the new GUI desktop.

–> bash
–> startxfce4

You now have a nice lightweight desktop, firefox and xterms. You are welcome.

11)  Set up your clients. Clients behind the NetBSD NAT/router should be configured for DNS resolution and the proper default gateway. Note that if you have internal DNS and possibly Active Directory running in your internal network and it’s forwarding to your external FIOS DNS servers, use your local DNS server in the steps below.  If not, you can use the FIOS DNS on your internal clients.