howto/vyos1.4.x.md
@@ -0,0 +1,305 @@
1
+# VyOS 1.4.x sagitta
2
+VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
3
+
4
+It can be downloaded here https://www.vyos.io/rolling-release/.
5
+
6
+## Firewall Baseline
7
+We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network’s edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface.
8
+
9
+By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
10
+```
11
+set firewall state-policy established action 'accept'
12
+set firewall state-policy related action 'accept'
13
+```
14
+
15
+We also need to accept invalids on our network’s edge. However, this should not become common practice elsewhere.
16
+```
17
+set firewall state-policy invalid action 'accept'
18
+```
19
+
20
+The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** and **fd88:9deb:a69e::/48** are your assigned address spaces.
21
+```
22
+#Create Groups v4
23
+set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
24
+set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
25
+set firewall group network-group Allowed-Transit-v4 network '172.31.0.0/16'
26
+
27
+set firewall group network-group My-Assigned-Space-v4 network '172.20.20.0/24'
28
+
29
+#Create Groups v6
30
+set firewall group ipv6-network-group Allowed-Transit-v6 network 'fd00::/8'
31
+
32
+set firewall group ipv6-network-group My-Assigned-Space-v6 network 'fd88:9deb:a69e::/48'
33
+
34
+
35
+#Inbound Connections v4
36
+set firewall name Tunnels_In_v4 default-action 'drop'
37
+set firewall name Tunnels_In_v4 enable-default-log
38
+set firewall name Tunnels_In_v4 rule 68 action 'drop'
39
+set firewall name Tunnels_In_v4 rule 68 description 'Block Traffic to Operator Assigned IP Space'
40
+set firewall name Tunnels_In_v4 rule 68 destination group network-group 'My-Assigned-Space-v4'
41
+set firewall name Tunnels_In_v4 rule 68 log 'enable'
42
+set firewall name Tunnels_In_v4 rule 68 action 'drop'
43
+set firewall name Tunnels_In_v4 rule 70 action 'accept'
44
+set firewall name Tunnels_In_v4 rule 70 description 'Allow Peer Transit'
45
+set firewall name Tunnels_In_v4 rule 70 destination group network-group 'Allowed-Transit-v4'
46
+set firewall name Tunnels_In_v4 rule 70 source group network-group 'Allowed-Transit-v4'
47
+set firewall name Tunnels_In_v4 rule 70 log 'enable'
48
+set firewall name Tunnels_In_v4 rule 99 action 'drop'
49
+set firewall name Tunnels_In_v4 rule 99 description 'Black Hole'
50
+set firewall name Tunnels_In_v4 rule 99 log 'enable'
51
+
52
+#Inbound Connections v6
53
+set firewall ipv6-name Tunnels_In_v6 default-action 'drop'
54
+set firewall ipv6-name Tunnels_In_v6 enable-default-log
55
+set firewall ipv6-name Tunnels_In_v6 rule 68 action 'drop'
56
+set firewall ipv6-name Tunnels_In_v6 rule 68 description 'Block Traffic to Operator Assigned IP Space'
57
+set firewall ipv6-name Tunnels_In_v6 rule 68 destination group network-group 'My-Assigned-Space-v6'
58
+set firewall ipv6-name Tunnels_In_v6 rule 68 log 'enable'
59
+set firewall ipv6-name Tunnels_In_v6 rule 70 action 'accept'
60
+set firewall ipv6-name Tunnels_In_v6 rule 70 description 'Allow Peer Transit'
61
+set firewall ipv6-name Tunnels_In_v6 rule 70 destination group network-group 'Allowed-Transit-v6'
62
+set firewall ipv6-name Tunnels_In_v6 rule 70 log 'enable'
63
+set firewall ipv6-name Tunnels_In_v6 rule 70 source group network-group 'Allowed-Transit-v6'
64
+set firewall ipv6-name Tunnels_In_v6 rule 99 action 'drop'
65
+set firewall ipv6-name Tunnels_In_v6 rule 99 description 'Black Hole'
66
+set firewall ipv6-name Tunnels_In_v6 rule 99 log 'enable'
67
+
68
+#Local Connections v4
69
+set firewall name Tunnels_Local_v4 default-action 'drop'
70
+set firewall name Tunnels_Local_v4 rule 50 action 'accept'
71
+set firewall name Tunnels_Local_v4 rule 50 icmp
72
+set firewall name Tunnels_Local_v4 rule 50 protocol 'icmp'
73
+set firewall name Tunnels_Local_v4 rule 61 action 'accept'
74
+set firewall name Tunnels_Local_v4 rule 61 description 'Allow BGP'
75
+set firewall name Tunnels_Local_v4 rule 61 destination port '179'
76
+set firewall name Tunnels_Local_v4 rule 61 protocol 'tcp'
77
+set firewall name Tunnels_Local_v4 rule 98 action 'drop'
78
+set firewall name Tunnels_Local_v4 rule 98 description 'Black Hole'
79
+set firewall name Tunnels_Local_v4 rule 98 log 'enable'
80
+set firewall name Tunnels_Local_v4 rule 98 state invalid 'enable'
81
+set firewall name Tunnels_Local_v4 rule 99 action 'drop'
82
+set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole'
83
+set firewall name Tunnels_Local_v4 rule 99 log 'enable'
84
+
85
+#Local Connections v6
86
+set firewall ipv6-name Tunnels_Local_v6 default-action 'drop'
87
+set firewall ipv6-name Tunnels_Local_v6 rule 50 action 'accept'
88
+set firewall ipv6-name Tunnels_Local_v6 rule 50 icmpv6
89
+set firewall ipv6-name Tunnels_Local_v6 rule 50 protocol 'ipv6-icmp'
90
+set firewall ipv6-name Tunnels_Local_v6 rule 61 action 'accept'
91
+set firewall ipv6-name Tunnels_Local_v6 rule 61 description 'Allow BGP'
92
+set firewall ipv6-name Tunnels_Local_v6 rule 61 destination port '179'
93
+set firewall ipv6-name Tunnels_Local_v6 rule 61 protocol 'tcp'
94
+set firewall ipv6-name Tunnels_Local_v6 rule 98 action 'drop'
95
+set firewall ipv6-name Tunnels_Local_v6 rule 98 description 'Black Hole'
96
+set firewall ipv6-name Tunnels_Local_v6 rule 98 log 'enable'
97
+set firewall ipv6-name Tunnels_Local_v6 rule 98 state invalid 'enable'
98
+set firewall ipv6-name Tunnels_Local_v6 rule 99 action 'drop'
99
+set firewall ipv6-name Tunnels_Local_v6 rule 99 description 'Black Hole'
100
+set firewall ipv6-name Tunnels_Local_v6 rule 99 log 'enable'
101
+```
102
+
103
+## Wireguard
104
+### Setup Keys
105
+You can choose to generate a unique keypair and use it for every wireguard peering, or you can choose to generate a different one for each new peering.
106
+```
107
+generate pki wireguard key-pair
108
+
109
+#Output example:
110
+Private key: SOoPQdMdmXE3ssp0/vwwoIMhQqvcQls+DhDjmaLw03U=
111
+Public key: ArkXeK1c0pCWCouePcRRBCQpXfi4ZIvRFFwTxO60dxs=
112
+```
113
+_In any case you'll have to take note of the generated keys, because they won't be saved into the system after generation and you'll need them later. The public key will be shared with your peers. Keep secret the secret key!_
114
+### Configure First Peer
115
+```
116
+set interfaces wireguard wg1234 description 'ASnnnnnnn - My First Peer'
117
+set interfaces wireguard wg1234 port '41234'
118
+set interfaces wireguard wg1234 private-key 'SOoPQdMdmXE3ssp0/vwwoIMhQqvcQls+DhDjmaLw03U='
119
+
120
+# One of your DN42 IPv4 addresses (not really needed if you'll enable extended next-hop)
121
+set interfaces wireguard wg1234 address '172.20.20.1/32'
122
+
123
+# An arbitrary link-local IPv6 address
124
+set interfaces wireguard wg1234 address 'fe80::1234/128'
125
+
126
+
127
+set interfaces wireguard wg1234 peer location1 address '<clearnet ipv6 or ipv4 address of your peer wireguard endpoint>'
128
+set interfaces wireguard wg1234 peer location1 port '<wireguard endpoint port of your peer>'
129
+
130
+# You can allow everything here and relay on your firewall
131
+set interfaces wireguard wg1234 peer location1 allowed-ips '0.0.0.0/0'
132
+set interfaces wireguard wg1234 peer location1 allowed-ips '::/0'
133
+set interfaces wireguard wg1234 peer location1 public-key '<wireguard public key of your peer>'
134
+
135
+# (persistent-keepalive option could be optional, but in my case I noticed that helps starting BGP session)
136
+set interfaces wireguard wg1234 peer location1 persistent-keepalive '60'
137
+
138
+# Configure firewall
139
+set firewall interface wg1234 in ipv6-name 'Tunnels_In_v6'
140
+set firewall interface wg1234 in name 'Tunnels_In_v4'
141
+set firewall interface wg1234 local ipv6-name 'Tunnels_Local_v6'
142
+set firewall interface wg1234 local name 'Tunnels_Local_v4'
143
+
144
+```
145
+
146
+## BGP
147
+Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
148
+### Initial Router Setup
149
+`set protocols bgp system-as '424242XXXX'`
150
+
151
+_Insert your ASN_
152
+
153
+`set protocols bgp address-family ipv4-unicast network 172.20.20.0/24`
154
+`set protocols bgp address-family ipv6-unicast network fd88:9deb:a69e::/48`
155
+
156
+_Insert your assigned network blocks. Note that they should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._
157
+
158
+`set protocols bgp parameters router-id '172.20.20.1'`
159
+
160
+_To keep it simple just make your router ID match your lower IP within the DN42 registered space._
161
+
162
+### Neighbor Up With Peers
163
+#### Option 1: MP-BGP (with Multi Protocol) - with Extended Next-Hop
164
+```
165
+set protocols bgp neighbor fe80::1234 interface remote-as '<your peer ASN>'
166
+set protocols bgp neighbor fe80::1234 interface source-interface 'wg1234'
167
+set protocols bgp neighbor fe80::1234 remote-as '<your peer ASN>'
168
+
169
+set protocols bgp neighbor fe80::1234 capability extended-nexthop
170
+
171
+set protocols bgp neighbor fe80::1234 address-family ipv4-unicast
172
+set protocols bgp neighbor fe80::1234 address-family ipv6-unicast
173
+```
174
+#### Option 2: BGP (no Multi Protocol) - no Extended Next-Hop
175
+```
176
+# First we need to add a static ipv4 route to our peer tunneled ipv4 address
177
+set protocols static route 172.20.x.y interface wg1234
178
+
179
+set protocols bgp neighbor fe80::1234 interface remote-as '<your peer ASN>'
180
+set protocols bgp neighbor fe80::1234 interface source-interface 'wg1234'
181
+set protocols bgp neighbor fe80::1234 remote-as '<your peer ASN>'
182
+set protocols bgp neighbor fe80::1234 address-family ipv6-unicast
183
+
184
+# 172.20.x.y is your peer tunneled IPv4
185
+set protocols bgp neighbor 172.20.x.y remote-as '<your peer ASN>'
186
+set protocols bgp neighbor 172.20.x.y address-family ipv4-unicast
187
+
188
+# This setting may need to be adjusted depending on circumstances
189
+set protocols bgp neighbor 172.20.x.y ebgp-multihop 20
190
+```
191
+
192
+You can now check your BGP summary
193
+
194
+`show ip bgp summary`
195
+
196
+## RPKI/ROA Checking
197
+### Setup RPKI Caching Server
198
+Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed (VyOS now supports containers, but doesn't yet supports commands to pass to them... so we still need another machine to run GoRTR)
199
+
200
+```
201
+sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
202
+```
203
+
204
+This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
205
+
206
+### Point VyOS Router at RPKI Caching Server
207
+```
208
+set protocols rpki cache <ip address of your GoRTR instance> port '8082'
209
+set protocols rpki cache <ip address of your GoRTR instance> preference '1'
210
+```
211
+
212
+You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
213
+
214
+### Create Route Map
215
+```
216
+set policy route-map DN42-ROA rule 10 action 'permit'
217
+set policy route-map DN42-ROA rule 10 match rpki 'valid'
218
+set policy route-map DN42-ROA rule 20 action 'permit'
219
+set policy route-map DN42-ROA rule 20 match rpki 'notfound'
220
+set policy route-map DN42-ROA rule 30 action 'deny'
221
+set policy route-map DN42-ROA rule 30 match rpki 'invalid'
222
+```
223
+This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
224
+You can also consider to "deny" the "notfound" prefixes, for better control.
225
+
226
+You can also consider to combine within the same route-map the RPKI and one or more a prefix lists containing your internal network prefixes, as described later (The example "No RPKI/ROA and Internal Network Falls Into DN42 Range").
227
+
228
+### Assign Route Map to Neighbor
229
+```
230
+set protocols bgp neighbor fe80::1234 address-family ipv4-unicast route-map export 'DN42-ROA'
231
+set protocols bgp neighbor fe80::1234 address-family ipv4-unicast route-map import 'DN42-ROA'
232
+set protocols bgp neighbor fe80::1234 address-family ipv6-unicast route-map export 'DN42-ROA'
233
+set protocols bgp neighbor fe80::1234 address-family ipv6-unicast route-map import 'DN42-ROA'
234
+```
235
+_Remember to do that for all your new peerings!_
236
+
237
+## Example Route Map
238
+### No RPKI/ROA and Internal Network Falls Into DN42 Range
239
+```
240
+##Build prefix list to match personal internal network
241
+set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
242
+set policy prefix-list BlockIPConflicts rule 10 action 'permit'
243
+set policy prefix-list BlockIPConflicts rule 10 description 'Internal IP Space'
244
+set policy prefix-list BlockIPConflicts rule 10 le '32'
245
+set policy prefix-list BlockIPConflicts rule 10 prefix '10.10.0.0/16'
246
+
247
+
248
+##Build prefix list to match personal internal network
249
+set policy prefix-list6 BlockIPConflicts-v6 description 'Prevent Conflicting Routes'
250
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 action 'permit'
251
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 description 'Internal IP Space'
252
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 le '128'
253
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 prefix 'fd42:4242:1111::/48'
254
+
255
+
256
+
257
+##Build prefix list to match DN42's IPv4 network
258
+set policy prefix-list DN42-Network rule 10 action 'permit'
259
+set policy prefix-list DN42-Network rule 10 le '32'
260
+set policy prefix-list DN42-Network rule 10 prefix '172.20.0.0/14'
261
+set policy prefix-list DN42-Network rule 20 action 'permit'
262
+set policy prefix-list DN42-Network rule 20 le '32'
263
+set policy prefix-list DN42-Network rule 20 prefix '10.0.0.0/8'
264
+
265
+
266
+##Build prefix list to match DN42's IPv6 network
267
+set policy prefix-list6 DN42-Network-v6 rule 10 action 'permit'
268
+set policy prefix-list6 DN42-Network-v6 rule 10 le '128'
269
+set policy prefix-list6 DN42-Network-v6 rule 10 prefix 'fd00::/8'
270
+
271
+
272
+
273
+
274
+##Block prefixes within internal network range, then allow everything else within DN42, then block everything else.
275
+set policy route-map Default-Peering rule 10 action 'deny'
276
+set policy route-map Default-Peering rule 10 description 'Prevent IP Conflicts'
277
+set policy route-map Default-Peering rule 10 match ip address prefix-list 'BlockIPConflicts'
278
+set policy route-map Default-Peering rule 11 action 'deny'
279
+set policy route-map Default-Peering rule 11 description 'Prevent IP Conflicts'
280
+set policy route-map Default-Peering rule 11 match ip address prefix-list6 'BlockIPConflicts-v6'
281
+set policy route-map Default-Peering rule 20 action 'permit'
282
+set policy route-map Default-Peering rule 20 description 'Allow DN42-Network'
283
+set policy route-map Default-Peering rule 20 match ip address prefix-list 'DN42-Network-Network'
284
+set policy route-map Default-Peering rule 21 action 'permit'
285
+set policy route-map Default-Peering rule 21 description 'Allow DN42-Network'
286
+set policy route-map Default-Peering rule 21 match ip address prefix-list6 'DN42-Network-Network-v6'
287
+set policy route-map Default-Peering rule 99 action 'deny'
288
+
289
+
290
+##Apply the route-map on import/export
291
+
292
+set protocols bgp neighbor x.x.x.x address-family ipv4-unicast route-map export 'Default-Peering'
293
+set protocols bgp neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering'
294
+set protocols bgp neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering'
295
+set protocols bgp neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering'
296
+```
297
+
298
+## Credits
299
+This page is based on the original one made by Owens Research [How-To/VyOS](howto/vyos).
300
+
301
+The commands have been adapted to be compatible with the new version of VyOS 1.4.x (sagitta) and to include configurations for IPv6 (MP-BGP over link-local and extended next-hop).
302
+
303
+This page has to be considered a work-in-progress by Matwolf.
304
+
305
+If you have any questions or suggestions please reach me out.
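Review bot: the final route-map references prefix lists that are never defined: rules 20 and 21 of `Default-Peering` match `prefix-list 'DN42-Network-Network'` and `prefix-list6 'DN42-Network-Network-v6'`, while the lists built just above are named `DN42-Network` and `DN42-Network-v6`. As written, the two permit rules match nothing and rule 99 denies every route on both import and export, so the match lines should read `match ip address prefix-list 'DN42-Network'` and the IPv6 equivalent. Related: VyOS 1.4 matches IPv6 prefix lists in a route-map with `match ipv6 address prefix-list <name>`, so the `match ip address prefix-list6` form used in rules 11 and 21 should be checked against the 1.4 CLI before this is merged. Minor: `set firewall name Tunnels_In_v4 rule 68 action 'drop'` is repeated in the Inbound Connections v4 block, and the Wireguard comment "relay on your firewall" should read "rely on your firewall".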
\ No newline at end of file