3de93fd80cecb16b8a4d654a9f55bd91522ef830
howto/vyos1.4.x.md
| ... | ... | @@ -7,18 +7,18 @@ It can be downloaded here <https://www.vyos.io/rolling-release/>. |
| 7 | 7 | We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network's edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. |
| 8 | 8 | |
| 9 | 9 | By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands. |
| 10 | -``` |
|
| 10 | +```shell |
|
| 11 | 11 | set firewall state-policy established action 'accept' |
| 12 | 12 | set firewall state-policy related action 'accept' |
| 13 | 13 | ``` |
| 14 | 14 | |
| 15 | 15 | We also need to accept invalids on our network's edge. However, this should not become common practice elsewhere. |
| 16 | -``` |
|
| 16 | +```shell |
|
| 17 | 17 | set firewall state-policy invalid action 'accept' |
| 18 | 18 | ``` |
| 19 | 19 | |
| 20 | 20 | The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** and **fd88:9deb:a69e::/48** are your assigned address spaces. |
| 21 | -``` |
|
| 21 | +```shell |
|
| 22 | 22 | #Create Groups v4 |
| 23 | 23 | set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8' |
| 24 | 24 | set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14' |
| ... | ... | @@ -127,14 +127,14 @@ vyos@vyos-home# show interfaces wireguard wg4242424242 |
| 127 | 127 | To retrieve keys later, use the op-mode command `show interfaces wireguard wg4242424242 public-key`. |
| 128 | 128 | |
| 129 | 129 | Example: |
| 130 | -``` |
|
| 130 | +```shell |
|
| 131 | 131 | vyos@vyos$ show interfaces wireguard wg4242424242 public-key |
| 132 | 132 | UcqcZsJvq1MlYgo3gObjaJ8FH+N7wkfV+EH3YDAMyRE= |
| 133 | 133 | ``` |
| 134 | 134 | |
| 135 | 135 | ### Configure First Peer's tunnel |
| 136 | 136 | This example assumes that your ASN is 4242421234 and your peer's ASN is 4242424242 |
| 137 | -``` |
|
| 137 | +```shell |
|
| 138 | 138 | set interfaces wireguard wg4242424242 description 'AS4242424242 - My First Peer' |
| 139 | 139 | |
| 140 | 140 | # Common practice on DN42 is for peers to use 2+the last four digits of your peer's ASN as the port. |
| ... | ... | @@ -168,13 +168,12 @@ set firewall interface wg4242424242 interface-group ipv6-name 'Tunnels_In_v6' |
| 168 | 168 | set firewall interface wg4242424242 interface-group name 'Tunnels_In_v4' |
| 169 | 169 | set firewall interface wg4242424242 local ipv6-name 'Tunnels_Local_v6' |
| 170 | 170 | set firewall interface wg4242424242 local name 'Tunnels_Local_v4' |
| 171 | - |
|
| 172 | 171 | ``` |
| 173 | 172 | |
| 174 | 173 | ## BGP |
| 175 | 174 | Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP. |
| 176 | 175 | ### Initial Router Setup |
| 177 | -``` |
|
| 176 | +```shell |
|
| 178 | 177 | # Set your ASN and IP blocks |
| 179 | 178 | set protocols bgp system-as '4242421234' |
| 180 | 179 | |
| ... | ... | @@ -192,7 +191,7 @@ set protocols bgp parameters router-id '172.20.20.1' |
| 192 | 191 | ### Neighbor Up With Peers |
| 193 | 192 | #### Option 1: MP-BGP (with Multi Protocol) - with Extended Next-Hop |
| 194 | 193 | MP-BGP peerings over IPv6 are recommended on DN42. |
| 195 | -``` |
|
| 194 | +```shell |
|
| 196 | 195 | # For these examples, your peer's link-local address is fe80::4242 |
| 197 | 196 | |
| 198 | 197 | set protocols bgp neighbor fe80::4242 update-source 'wg4242424242' |
| ... | ... | @@ -205,7 +204,7 @@ set protocols bgp neighbor fe80::4242 address-family ipv6-unicast |
| 205 | 204 | |
| 206 | 205 | ``` |
| 207 | 206 | #### Option 2: BGP (no Multi Protocol) - no Extended Next-Hop |
| 208 | -``` |
|
| 207 | +```shell |
|
| 209 | 208 | # First, we set the ipv6 part. |
| 210 | 209 | set protocols bgp neighbor fe80::4242 remote-as '4242424242' |
| 211 | 210 | set protocols bgp neighbor fe80::4242 address-family ipv6-unicast |
| ... | ... | @@ -226,8 +225,8 @@ set protocols bgp neighbor 172.20.x.y ebgp-multihop 20 |
| 226 | 225 | |
| 227 | 226 | You can now check your BGP summary: |
| 228 | 227 | |
| 229 | -``` |
|
| 230 | -vyos@vyos$ show ip bgp summary |
|
| 228 | +```shell |
|
| 229 | +show ip bgp summary |
|
| 231 | 230 | |
| 232 | 231 | IPv4 Unicast Summary (VRF default): |
| 233 | 232 | BGP router identifier 172.20.20.1, local AS number 4242421234 vrf-id 0 |
| ... | ... | @@ -252,7 +251,7 @@ fe80::4242 4 4242424242 1031 6 0 0 0 00:04 |
| 252 | 251 | |
| 253 | 252 | Setting up peer-groups might help standardize multiple peerings: |
| 254 | 253 | |
| 255 | -``` |
|
| 254 | +```shell |
|
| 256 | 255 | # One peer group for all IPv6 MP-BGP link-local extended-nexthop peers |
| 257 | 256 | set protocols bgp peer-group dn42 address-family ipv4-unicast |
| 258 | 257 | set protocols bgp peer-group dn42 address-family ipv6-unicast |
| ... | ... | @@ -268,27 +267,60 @@ delete protocols bgp neighbor fe80::4242 address-family |
| 268 | 267 | delete protocols bgp neighbor fe80::4242 capability |
| 269 | 268 | ``` |
| 270 | 269 | |
| 271 | - |
|
| 272 | 270 | ## RPKI/ROA Checking |
| 273 | -### Setup RPKI Caching Server |
|
| 274 | -Burble has made this super easy. More info can be found [here](/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed (VyOS now supports containers, but doesn't yet supports commands to pass to them... so we still need another machine to run GoRTR) |
|
| 271 | +Burble has made this super easy. More info can be found [here](/howto/ROA-slash-RPKI) on this wiki. |
|
| 272 | +You can achieve this by running docker on a seperate server in the network but as of Vyos 1.4 2023-02-28 its possible to do it on the vyos machine itself. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network. |
|
| 273 | + |
|
| 274 | +### Setup RPKI Caching Server on the Vyos machine |
|
| 275 | 275 | |
| 276 | -``` |
|
| 277 | -sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082 |
|
| 276 | +Run this command in operation mode to pull the container image to the vyos machine. |
|
| 277 | +```shell |
|
| 278 | +add container image cloudflare/gortr |
|
| 278 | 279 | ``` |
| 279 | 280 | |
| 280 | -This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network. |
|
| 281 | +Run the following commands in configuration mode: |
|
| 281 | 282 | |
| 282 | -### Point VyOS Router at RPKI Caching Server |
|
| 283 | +To create the network for the prki container so it is only reachable on the vyos machine. |
|
| 284 | +```shell |
|
| 285 | +set container network rpki |
|
| 286 | +set container network rpki prefix 172.16.2.0/24 |
|
| 283 | 287 | ``` |
| 288 | + |
|
| 289 | +To create the container itself |
|
| 290 | +```shell |
|
| 291 | +set container name gortr image cloudflare/gortr |
|
| 292 | +set container name gortr command "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082" |
|
| 293 | +set container name gortr network rpki address 172.16.2.10 |
|
| 294 | +set container name gortr restart on-failure |
|
| 295 | +``` |
|
| 296 | + |
|
| 297 | +### Setup RPKI Caching Server on a seperate server |
|
| 298 | +But its also possible to setup the container on a seperate machine. |
|
| 299 | +Run the following docker command to setup the clouflare gortr container on a seperate server with docker installed. |
|
| 300 | + |
|
| 301 | +```shell |
|
| 302 | +docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082 |
|
| 303 | +``` |
|
| 304 | +This will start a docker container that listens on the host server's IP at port 8082. |
|
| 305 | + |
|
| 306 | +### Point VyOS Router at RPKI Caching Server |
|
| 307 | + |
|
| 308 | +```shell |
|
| 284 | 309 | set protocols rpki cache <ip address of your GoRTR instance> port '8082' |
| 285 | 310 | set protocols rpki cache <ip address of your GoRTR instance> preference '1' |
| 286 | 311 | ``` |
| 287 | 312 | |
| 288 | -You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`. |
|
| 313 | +You can check the connection with `show rpki cache-connection` the output will look like this: |
|
| 314 | +```shell |
|
| 315 | +show rpki cache-connection |
|
| 316 | +Connected to group 1 |
|
| 317 | +rpki tcp cache <ip address of your GoRTR instance> 8082 pref 1 (connected) |
|
| 318 | +``` |
|
| 319 | + |
|
| 320 | +You can also see the received prefix-table with `show rpki prefix-table`. |
|
| 289 | 321 | |
| 290 | 322 | ### Create Route Map |
| 291 | -``` |
|
| 323 | +```shell |
|
| 292 | 324 | set policy route-map DN42-ROA rule 10 action 'permit' |
| 293 | 325 | set policy route-map DN42-ROA rule 10 match rpki 'valid' |
| 294 | 326 | set policy route-map DN42-ROA rule 20 action 'permit' |
| ... | ... | @@ -302,7 +334,7 @@ You can also consider to "deny" the "notfound" prefixes, for better control. |
| 302 | 334 | You can also consider to combine within the same route-map the RPKI and one or more a prefix lists containing your internal network prefixes, as described later (The example "No RPKI/ROA and Internal Network Falls Into DN42 Range"). |
| 303 | 335 | |
| 304 | 336 | ### Assign Route Map to Neighbor |
| 305 | -``` |
|
| 337 | +```shell |
|
| 306 | 338 | set protocols bgp neighbor fe80::1234 address-family ipv4-unicast route-map export 'DN42-ROA' |
| 307 | 339 | set protocols bgp neighbor fe80::1234 address-family ipv4-unicast route-map import 'DN42-ROA' |
| 308 | 340 | set protocols bgp neighbor fe80::1234 address-family ipv6-unicast route-map export 'DN42-ROA' |
| ... | ... | @@ -312,7 +344,7 @@ _Remember to do that for all your new peerings!_ |
| 312 | 344 | |
| 313 | 345 | ## Example Route Map |
| 314 | 346 | ### No RPKI/ROA and Internal Network Falls Into DN42 Range |
| 315 | -``` |
|
| 347 | +```shell |
|
| 316 | 348 | ##Build prefix list to match personal internal network |
| 317 | 349 | set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes' |
| 318 | 350 | set policy prefix-list BlockIPConflicts rule 10 action 'permit' |
| ... | ... | @@ -371,7 +403,7 @@ set protocols bgp peer-group dn42 address-family ipv6-unicast route-map import ' |
| 371 | 403 | |
| 372 | 404 | |
| 373 | 405 | # Add your VyOS router to the [Global Route Collector](/services/Route-Collector)! |
| 374 | -``` |
|
| 406 | +```shell |
|
| 375 | 407 | # The route collector should never export routes, so let's make a route-map to reject them if it does. |
| 376 | 408 | set policy route-map Deny-All rule 1 action deny |
| 377 | 409 | set protocols bgp neighbor fd42:4242:2601:ac12::1 address-family ipv4-unicast route-map import 'Deny-All' |
| ... | ... | @@ -393,4 +425,4 @@ The commands in this page have been adapted to be compatible with the new versio |
| 393 | 425 | If you have any questions or suggestions please reach out. |
| 394 | 426 | |
| 395 | 427 | ## See also |
| 396 | -[WireGuard](https://docs.vyos.io/en/latest/configuration/interfaces/wireguard.html) and [BGP](https://docs.vyos.io/en/latest/configuration/protocols/bgp.html) in the official VyOS documentation. |
|
| ... | ... | \ No newline at end of file |
| 0 | +[WireGuard](https://docs.vyos.io/en/latest/configuration/interfaces/wireguard.html) and [BGP](https://docs.vyos.io/en/latest/configuration/protocols/bgp.html) in the official VyOS documentation. |