OpenBSD Routing with PF

Last summer, I inherited the bulk of the sysadmin duties at WUVT, the campus radio station, and have been in the process of improving their infrastructure. One project I've been working on is migrating our current router (pfSense, which I would not recommend) to an OpenBSD box. OpenBSD tends to work very well for pretty much any router application that's not consumer-grade or ISP-grade because the hardware tends to be comparatively cheaper and the system is incredibly secure and much more extensible. The main downside tends to be lack of support contracts, but OpenBSD tends to be incredibly well-documented compared to Linux.

My favorite feature in OpenBSD (and other BSDs) is probably PF (the packet filter) which controls routing/NATing and the firewall. On Linux, this would involve using iptables instead, which is a major pain as you have to use its confusing shell interface rather than a simple config file. PF also eliminates the complex "chain" style that iptables uses, and allows you to update rules on the fly by simply rewriting the config file. Additionally, it supports anchors, which are essentially functions you can call on a ruleset.

Quality-of-service support is also built in, which is a nice way to prevent a single user or service (BitTorrent, for example) from hogging the entire pipe. Essentially, you can set different priority queues, which are selected by the service, port, or interface a connection uses. I haven't tested this in OpenBSD, but it works great for dealing with the congestion management practices of horrible ISPs.
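
A minimal pf.conf sketch of the NAT and queueing setup described above, added here as an illustration and not the author's or WUVT's configuration. The interface names (em0, em1), the bandwidth figures and the BitTorrent port range are assumptions to adjust for the real link.

```conf
# /etc/pf.conf -- constructed example; all names and numbers are assumptions.
# Forwarding must also be enabled: sysctl net.inet.ip.forwarding=1

ext_if = "em0"          # assumed WAN interface
lan_if = "em1"          # assumed LAN interface

set skip on lo

# Queues shape traffic leaving the interface they are attached to, so
# this hierarchy limits upload on the WAN side. Only leaf queues can be
# assigned to traffic, and exactly one leaf must be marked "default".
queue rootq       on $ext_if   bandwidth 20M max 20M
queue std         parent rootq bandwidth 12M default
queue interactive parent rootq bandwidth 3M min 2M   # guaranteed floor
queue bulk        parent rootq bandwidth 5M max 8M   # hard ceiling

# Default deny: anything not explicitly passed below is dropped.
block all

# NAT the LAN behind the WAN address. The parentheses make PF follow
# address changes on $ext_if (useful with DHCP from the ISP).
match out on $ext_if inet from $lan_if:network to any nat-to ($ext_if)

# Classification by destination port. "match" only tags the packet;
# the last matching pass/block rule still decides its fate.
match out on $ext_if proto tcp to port { ssh, domain } set queue interactive
match out on $ext_if proto udp to port domain set queue interactive
match out on $ext_if proto { tcp, udp } to port 6881:6889 set queue bulk

# Let LAN hosts in and let traffic out; state entries cover the replies.
pass in  on $lan_if inet from $lan_if:network
pass out on $ext_if inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -vs queue` then shows per-queue counters so you can confirm traffic lands where intended. Port-based matching is a coarse classifier, since clients can use any port, so treat the bulk queue as a best-effort limit rather than an enforcement boundary.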