e92734c17cba30c4fc9b4dccf1709edb49dbe31f
howto/OpenBGPD.md
| ... | ... | @@ -32,17 +32,23 @@ nexthop to a "global" address (i.e., one from our dn42 IPv6 |
| 32 | 32 | allocation) assigned to each peering (Wireguard) interface |
| 33 | 33 | (each interface gets its own). |
| 34 | 34 | |
| 35 | -To avoid burning a dn42 IPv4 address for each peering, we'll |
|
| 36 | -put the router's dn42 IPv4 address on the loopback interface |
|
| 37 | -and peer using an RFC1918 subnet (192.168.42/24) NATed to |
|
| 38 | -the loopback address (the NAT is only used in case of |
|
| 39 | -actively opening an IPv4 BGP session, it does not affect |
|
| 40 | -routing or incoming connections). |
|
| 35 | +To avoid burning a dn42 IPv4 address for each peering, we |
|
| 36 | +put the router's dn42 IPv4 address on a loopback interface |
|
| 37 | +and have `bgpd` bind to that address (`local-address` in |
|
| 38 | +`bgpd.conf`) when opening IPv4 BGP sessions; each peering |
|
| 39 | +interface gets an IPv4 address from an RFC1918 subnet |
|
| 40 | +(192.168.42/24), and a static route to the corresponding |
|
| 41 | +peer via that address. |
|
| 41 | 42 | |
| 42 | -## `/etc/hostname.lo0` |
|
| 43 | +## `/etc/hostname.lo42` |
|
| 43 | 44 | |
| 44 | 45 | ```conf |
| 45 | -inet alias <YOUR-ROUTER-DN42-IPv4> |
|
| 46 | +inet <YOUR-ROUTER-DN42-IPv4> |
|
| 47 | +inet6 <YOUR-ROUTER-DN42-IPv6> |
|
| 48 | +# add a fallback route for our prefixes to discard traffic to |
|
| 49 | +# targets without a more specific route |
|
| 50 | +!route -qn add -blackhole <YOUR-DN42-IPv4-PREFIX> 127.0.0.1 |
|
| 51 | +!route -qn add -blackhole <YOUR-DN42-IPv6-PREFIX> ::1 |
|
| 46 | 52 | ``` |
| 47 | 53 | |
| 48 | 54 | ## `/etc/hostname.wg1234` |
| ... | ... | @@ -75,12 +81,12 @@ dn42_self = <YOUR-ROUTER-DN42-IPv4> |
| 75 | 81 | table <dn42etc> const {172.20/14 172.31/16 10/8 fd00::/8 fe80::/64} |
| 76 | 82 | table <dn42peers> const {<PEER1-IPv4> fe80::/64} |
| 77 | 83 | pass in quick on egress proto udp to port 21234 |
| 84 | +pass out quick on my_dn proto tcp to <dn42peers> port bgp !received-on any |
|
| 78 | 85 | pass in quick on my_dn proto tcp from <dn42peers> \ |
| 79 | 86 | to {$dn42_self (my_dn)} port bgp |
| 80 | 87 | # block everything (except for ICMP above) destined to the |
| 81 | 88 | # router itself; only dn42 transit and BGP sessions are allowed |
| 82 | 89 | block in log quick on my_dn to {$dn42_self (my_dn)} |
| 83 | -pass out on my_dn from 192.168.42/24 nat-to $dn42_self |
|
| 84 | 90 | # 'no state' as we might not see both directions of transit traffic |
| 85 | 91 | pass on my_dn from <dn42etc> to <dn42etc> no state |
| 86 | 92 | ``` |
| ... | ... | @@ -88,9 +94,10 @@ pass on my_dn from <dn42etc> to <dn42etc> no state |
| 88 | 94 | ## `/etc/bgpd.conf` |
| 89 | 95 | ```conf |
| 90 | 96 | ASN = "<YOUR-AS-NUMBER>" |
| 97 | +ID = "<YOUR-ROUTER-DN42-IPv4>" |
|
| 91 | 98 | |
| 92 | 99 | AS $ASN |
| 93 | -router-id <YOUR-ROUTER-DN42-IPv4> |
|
| 100 | +router-id $ID |
|
| 94 | 101 | |
| 95 | 102 | # list of networks that may be originated by our ASN |
| 96 | 103 | prefix-set mydn42 { |
| ... | ... | @@ -127,7 +134,7 @@ network prefix-set mydn42 set { |
| 127 | 134 | large-community $ASN:1:1 |
| 128 | 135 | } |
| 129 | 136 | |
| 130 | -listen on <YOUR-ROUTER-DN42-IPv4> |
|
| 137 | +listen on $ID |
|
| 131 | 138 | listen on <PEER1-IPv6-LOCAL> # e.g. fe80::1%wg1234 |
| 132 | 139 | |
| 133 | 140 | group dn42peers { |
| ... | ... | @@ -139,6 +146,7 @@ group dn42peers { |
| 139 | 146 | neighbor <PEER1-IPv4> { |
| 140 | 147 | descr peer1_4 |
| 141 | 148 | remote-as <PEER1-ASN> |
| 149 | + local-address $ID |
|
| 142 | 150 | } |
| 143 | 151 | neighbor <PEER1-IPv6-REMOTE> { # e.g. fe80::2%wg1234 |
| 144 | 152 | descr peer1_6 |