howto/vyos1.4.x.md
... ...
@@ -7,18 +7,18 @@ It can be downloaded here <https://www.vyos.io/rolling-release/>.
7 7
We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network's edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface.
8 8
9 9
By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
10
-```
10
+```shell
11 11
set firewall state-policy established action 'accept'
12 12
set firewall state-policy related action 'accept'
13 13
```
14 14
15 15
We also need to accept invalids on our network's edge. However, this should not become common practice elsewhere.
16
-```
16
+```shell
17 17
set firewall state-policy invalid action 'accept'
18 18
```
19 19
20 20
The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** and **fd88:9deb:a69e::/48** are your assigned address spaces.
21
-```
21
+```shell
22 22
#Create Groups v4
23 23
set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
24 24
set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
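Review bot: the paragraph above `set firewall state-policy invalid action 'accept'` says to accept INVALID only "on our network's edge" and not "elsewhere", but the block two lines up introduces `firewall state-policy` as the global setting, so this line accepts invalid-state packets on every interface of the router, including the uplink to a larger internal network that the top of the page says needs its own outbound ruleset. Since this hunk already touches that block, either say why the peer tunnels need it and that it is router-wide, or drop the global accept and match the invalid state only inside the per-tunnel rule sets (`Tunnels_In_v4`/`Tunnels_In_v6`) where the exception is actually wanted.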
... ...
@@ -127,14 +127,14 @@ vyos@vyos-home# show interfaces wireguard wg4242424242
127 127
To retrieve keys later, use the op-mode command `show interfaces wireguard wg4242424242 public-key`.
128 128
129 129
Example:
130
-```
130
+```shell
131 131
vyos@vyos$ show interfaces wireguard wg4242424242 public-key
132 132
UcqcZsJvq1MlYgo3gObjaJ8FH+N7wkfV+EH3YDAMyRE=
133 133
```
134 134
135 135
### Configure First Peer's tunnel
136 136
This example assumes that your ASN is 4242421234 and your peer's ASN is 4242424242
137
-```
137
+```shell
138 138
set interfaces wireguard wg4242424242 description 'AS4242424242 - My First Peer'
139 139
140 140
# Common practice on DN42 is for peers to use 2+the last four digits of your peer's ASN as the port.
... ...
@@ -168,13 +168,12 @@ set firewall interface wg4242424242 interface-group ipv6-name 'Tunnels_In_v6'
168 168
set firewall interface wg4242424242 interface-group name 'Tunnels_In_v4'
169 169
set firewall interface wg4242424242 local ipv6-name 'Tunnels_Local_v6'
170 170
set firewall interface wg4242424242 local name 'Tunnels_Local_v4'
171
-
172 171
```
173 172
174 173
## BGP
175 174
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
176 175
### Initial Router Setup
177
-```
176
+```shell
178 177
# Set your ASN and IP blocks
179 178
set protocols bgp system-as '4242421234'
180 179
... ...
@@ -192,7 +191,7 @@ set protocols bgp parameters router-id '172.20.20.1'
192 191
### Neighbor Up With Peers
193 192
#### Option 1: MP-BGP (with Multi Protocol) - with Extended Next-Hop
194 193
MP-BGP peerings over IPv6 are recommended on DN42.
195
-```
194
+```shell
196 195
# For these examples, your peer's link-local address is fe80::4242
197 196
198 197
set protocols bgp neighbor fe80::4242 update-source 'wg4242424242'
... ...
@@ -205,7 +204,7 @@ set protocols bgp neighbor fe80::4242 address-family ipv6-unicast
205 204
206 205
```
207 206
#### Option 2: BGP (no Multi Protocol) - no Extended Next-Hop
208
-```
207
+```shell
209 208
# First, we set the ipv6 part.
210 209
set protocols bgp neighbor fe80::4242 remote-as '4242424242'
211 210
set protocols bgp neighbor fe80::4242 address-family ipv6-unicast
... ...
@@ -226,8 +225,8 @@ set protocols bgp neighbor 172.20.x.y ebgp-multihop 20
226 225
227 226
You can now check your BGP summary:
228 227
229
-```
230
-vyos@vyos$ show ip bgp summary
228
+```shell
229
+show ip bgp summary
231 230
232 231
IPv4 Unicast Summary (VRF default):
233 232
BGP router identifier 172.20.20.1, local AS number 4242421234 vrf-id 0
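Review bot: dropping the `vyos@vyos$` prompt from `show ip bgp summary` while the earlier example in this same change (`vyos@vyos$ show interfaces wireguard wg4242424242 public-key`) keeps its prompt leaves the page with two conventions for command-plus-output blocks; in addition, most of this block is FRR output (`IPv4 Unicast Summary (VRF default):`, `BGP router identifier ...`) that a `shell` highlighter will mis-colour. Suggest one convention for both places: a prompt-less command line followed by its output, with the language tag reserved for blocks that are purely commands to paste.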
... ...
@@ -252,7 +251,7 @@ fe80::4242 4 4242424242 1031 6 0 0 0 00:04
252 251
253 252
Setting up peer-groups might help standardize multiple peerings:
254 253
255
-```
254
+```shell
256 255
# One peer group for all IPv6 MP-BGP link-local extended-nexthop peers
257 256
set protocols bgp peer-group dn42 address-family ipv4-unicast
258 257
set protocols bgp peer-group dn42 address-family ipv6-unicast
... ...
@@ -268,27 +267,60 @@ delete protocols bgp neighbor fe80::4242 address-family
268 267
delete protocols bgp neighbor fe80::4242 capability
269 268
```
270 269
271
-
272 270
## RPKI/ROA Checking
273
-### Setup RPKI Caching Server
274
-Burble has made this super easy. More info can be found [here](/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed (VyOS now supports containers, but doesn't yet supports commands to pass to them... so we still need another machine to run GoRTR)
271
+Burble has made this super easy. More info can be found [here](/howto/ROA-slash-RPKI) on this wiki.
272
+You can achieve this by running docker on a seperate server in the network but as of Vyos 1.4 2023-02-28 its possible to do it on the vyos machine itself. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
273
+
274
+### Setup RPKI Caching Server on the Vyos machine
275 275
276
-```
277
-sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
276
+Run this command in operation mode to pull the container image to the vyos machine.
277
+```shell
278
+add container image cloudflare/gortr
278 279
```
279 280
280
-This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
281
+Run the following commands in configuration mode:
281 282
282
-### Point VyOS Router at RPKI Caching Server
283
+To create the network for the prki container so it is only reachable on the vyos machine.
284
+```shell
285
+set container network rpki
286
+set container network rpki prefix 172.16.2.0/24
283 287
```
288
+
289
+To create the container itself
290
+```shell
291
+set container name gortr image cloudflare/gortr
292
+set container name gortr command "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
293
+set container name gortr network rpki address 172.16.2.10
294
+set container name gortr restart on-failure
295
+```
296
+
297
+### Setup RPKI Caching Server on a seperate server
298
+But its also possible to setup the container on a seperate machine.
299
+Run the following docker command to setup the clouflare gortr container on a seperate server with docker installed.
300
+
301
+```shell
302
+docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
303
+```
304
+This will start a docker container that listens on the host server's IP at port 8082.
305
+
306
+### Point VyOS Router at RPKI Caching Server
307
+
308
+```shell
284 309
set protocols rpki cache <ip address of your GoRTR instance> port '8082'
285 310
set protocols rpki cache <ip address of your GoRTR instance> preference '1'
286 311
```
287 312
288
-You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
313
+You can check the connection with `show rpki cache-connection` the output will look like this:
314
+```shell
315
+show rpki cache-connection
316
+Connected to group 1
317
+rpki tcp cache <ip address of your GoRTR instance> 8082 pref 1 (connected)
318
+```
319
+
320
+You can also see the received prefix-table with `show rpki prefix-table`.
289 321
290 322
### Create Route Map
291
-```
323
+```shell
292 324
set policy route-map DN42-ROA rule 10 action 'permit'
293 325
set policy route-map DN42-ROA rule 10 match rpki 'valid'
294 326
set policy route-map DN42-ROA rule 20 action 'permit'
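Review bot: the new on-router procedure assigns the cache container `172.16.2.10` (`set container name gortr network rpki address 172.16.2.10`) and says the `rpki` network is reachable only from the VyOS machine, but the "Point VyOS Router at RPKI Caching Server" section still reads `set protocols rpki cache <ip address of your GoRTR instance> port '8082'`; for the on-box case that placeholder is `172.16.2.10`, so state it there or use the literal address in the example. Both the `set container name gortr command "..."` line and the off-box `docker run` line pass `-verify=false -checktime=false`, which turn off GoRTR's signature and validity-time checks on the fetched JSON, so the router's ROA table becomes exactly whatever the HTTPS connection to dn42.burble.com returns; say so next to the command rather than leaving the flags unexplained. The off-box `docker run -ti ...` also runs the cache in the foreground with no restart policy, unlike the on-box `restart on-failure`; a detached run with a restart policy would match. Typos: "seperate" (three times), "prki", "clouflare", and "Vyos"/"vyos" for VyOS.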
... ...
@@ -302,7 +334,7 @@ You can also consider to "deny" the "notfound" prefixes, for better control.
302 334
You can also consider to combine within the same route-map the RPKI and one or more a prefix lists containing your internal network prefixes, as described later (The example "No RPKI/ROA and Internal Network Falls Into DN42 Range").
303 335
304 336
### Assign Route Map to Neighbor
305
-```
337
+```shell
306 338
set protocols bgp neighbor fe80::1234 address-family ipv4-unicast route-map export 'DN42-ROA'
307 339
set protocols bgp neighbor fe80::1234 address-family ipv4-unicast route-map import 'DN42-ROA'
308 340
set protocols bgp neighbor fe80::1234 address-family ipv6-unicast route-map export 'DN42-ROA'
... ...
@@ -312,7 +344,7 @@ _Remember to do that for all your new peerings!_
312 344
313 345
## Example Route Map
314 346
### No RPKI/ROA and Internal Network Falls Into DN42 Range
315
-```
347
+```shell
316 348
##Build prefix list to match personal internal network
317 349
set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
318 350
set policy prefix-list BlockIPConflicts rule 10 action 'permit'
... ...
@@ -371,7 +403,7 @@ set protocols bgp peer-group dn42 address-family ipv6-unicast route-map import '
371 403
372 404
373 405
# Add your VyOS router to the [Global Route Collector](/services/Route-Collector)!
374
-```
406
+```shell
375 407
# The route collector should never export routes, so let's make a route-map to reject them if it does.
376 408
set policy route-map Deny-All rule 1 action deny
377 409
set protocols bgp neighbor fd42:4242:2601:ac12::1 address-family ipv4-unicast route-map import 'Deny-All'
... ...
@@ -393,4 +425,4 @@ The commands in this page have been adapted to be compatible with the new versio
393 425
If you have any questions or suggestions please reach out.
394 426
395 427
## See also
396
-[WireGuard](https://docs.vyos.io/en/latest/configuration/interfaces/wireguard.html) and [BGP](https://docs.vyos.io/en/latest/configuration/protocols/bgp.html) in the official VyOS documentation.
... ...
\ No newline at end of file
0
+[WireGuard](https://docs.vyos.io/en/latest/configuration/interfaces/wireguard.html) and [BGP](https://docs.vyos.io/en/latest/configuration/protocols/bgp.html) in the official VyOS documentation.