e92734c17cba30c4fc9b4dccf1709edb49dbe31f
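--- a/howto/OpenBGPD.md
+++ b/howto/OpenBGPD.md
@@ -32,17 +32,23 @@ nexthop to a "global" address (i.e., one from our dn42 IPv6
 allocation) assigned to each peering (Wireguard) interface
 (each interface gets its own).
 
-To avoid burning a dn42 IPv4 address for each peering, we'll
-put the router's dn42 IPv4 address on the loopback interface
-and peer using an RFC1918 subnet (192.168.42/24) NATed to
-the loopback address (the NAT is only used in case of
-actively opening an IPv4 BGP session, it does not affect
-routing or incoming connections).
+To avoid burning a dn42 IPv4 address for each peering, we
+put the router's dn42 IPv4 address on a loopback interface
+and have `bgpd` bind to that address (`local-address` in
+`bgpd.conf`) when opening IPv4 BGP sessions; each peering
+interface gets an IPv4 address from an RFC1918 subnet
+(192.168.42/24), and a static route to the corresponding
+peer via that address.
 
-## `/etc/hostname.lo0`
+## `/etc/hostname.lo42`
 
 ```conf
-inet alias <YOUR-ROUTER-DN42-IPv4>
+inet <YOUR-ROUTER-DN42-IPv4>
+inet6 <YOUR-ROUTER-DN42-IPv6>
+# add a fallback route for our prefixes to discard traffic to
+# targets without a more specific route
+!route -qn add -blackhole <YOUR-DN42-IPv4-PREFIX> 127.0.0.1
+!route -qn add -blackhole <YOUR-DN42-IPv6-PREFIX> ::1
 ```
 
 ## `/etc/hostname.wg1234`
@@ -75,12 +81,12 @@ dn42_self = <YOUR-ROUTER-DN42-IPv4>
 table <dn42etc> const {172.20/14 172.31/16 10/8 fd00::/8 fe80::/64}
 table <dn42peers> const {<PEER1-IPv4> fe80::/64}
 pass in quick on egress proto udp to port 21234
+pass out quick on my_dn proto tcp to <dn42peers> port bgp !received-on any
 pass in quick on my_dn proto tcp from <dn42peers> \
 to {$dn42_self (my_dn)} port bgp
 # block everything (except for ICMP above) destined to the
 # router itself; only dn42 transit and BGP sessions are allowed
 block in log quick on my_dn to {$dn42_self (my_dn)}
-pass out on my_dn from 192.168.42/24 nat-to $dn42_self
 # 'no state' as we might not see both directions of transit traffic
 pass on my_dn from <dn42etc> to <dn42etc> no state
 ```
@@ -88,9 +94,10 @@ pass on my_dn from <dn42etc> to <dn42etc> no state
 ## `/etc/bgpd.conf`
 ```conf
 ASN = "<YOUR-AS-NUMBER>"
+ID = "<YOUR-ROUTER-DN42-IPv4>"
 
 AS $ASN
-router-id <YOUR-ROUTER-DN42-IPv4>
+router-id $ID
 
 # list of networks that may be originated by our ASN
 prefix-set mydn42 {
@@ -127,7 +134,7 @@ network prefix-set mydn42 set {
 large-community $ASN:1:1
 }
 
-listen on <YOUR-ROUTER-DN42-IPv4>
+listen on $ID
 listen on <PEER1-IPv6-LOCAL> # e.g. fe80::1%wg1234
 
 group dn42peers {
@@ -139,6 +146,7 @@ group dn42peers {
 neighbor <PEER1-IPv4> {
 descr peer1_4
 remote-as <PEER1-ASN>
+local-address $ID
 }
 neighbor <PEER1-IPv6-REMOTE> { # e.g. fe80::2%wg1234
 descr peer1_6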
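Review bot: The two loopback addresses in the new `/etc/hostname.lo42` block (`inet <YOUR-ROUTER-DN42-IPv4>` and `inet6 <YOUR-ROUTER-DN42-IPv6>`) carry no prefix length, so ifconfig appears to install them with its default mask (classful for inet, /64 for inet6, as far as I recall) together with a matching connected route on lo42; for a dn42 172.2x address that would be a /16 that shadows any BGP route of equal or shorter length inside it and diverts that traffic into the loopback. If a single host address is meant, say so explicitly, `inet <YOUR-ROUTER-DN42-IPv4>/32` and `inet6 <YOUR-ROUTER-DN42-IPv6>/128`, and leave covering-prefix handling to the two `-blackhole` routes that follow. It would also help readers to extend the comment above the `!route` lines with something like `# the blackhole must stay less specific than every announced or learned route, so only unassigned parts of the allocation are discarded`, since a too-specific blackhole here would silently drop legitimate traffic.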