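--- a/howto/OpenBGPD.md
+++ b/howto/OpenBGPD.md
@@ -32,17 +32,23 @@ nexthop to a "global" address (i.e., one from our dn42 IPv6
 allocation) assigned to each peering (Wireguard) interface
 (each interface gets its own).
 
-To avoid burning a dn42 IPv4 address for each peering, we'll
-put the router's dn42 IPv4 address on the loopback interface
-and peer using an RFC1918 subnet (192.168.42/24) NATed to
-the loopback address (the NAT is only used in case of
-actively opening an IPv4 BGP session, it does not affect
-routing or incoming connections).
+To avoid burning a dn42 IPv4 address for each peering, we
+put the router's dn42 IPv4 address on a loopback interface
+and have `bgpd` bind to that address (`local-address` in
+`bgpd.conf`) when opening IPv4 BGP sessions; each peering
+interface gets an IPv4 address from an RFC1918 subnet
+(192.168.42/24), and a static route to the corresponding
+peer via that address.
 
-## `/etc/hostname.lo0`
+## `/etc/hostname.lo42`
 
 ```conf
-inet alias <YOUR-ROUTER-DN42-IPv4>
+inet <YOUR-ROUTER-DN42-IPv4>
+inet6 <YOUR-ROUTER-DN42-IPv6>
+# add a fallback route for our prefixes to discard traffic to
+# targets without a more specific route
+!route -qn add -blackhole <YOUR-DN42-IPv4-PREFIX> 127.0.0.1
+!route -qn add -blackhole <YOUR-DN42-IPv6-PREFIX> ::1
 ```
 
 ## `/etc/hostname.wg1234`
@@ -75,12 +81,12 @@ dn42_self = <YOUR-ROUTER-DN42-IPv4>
 table <dn42etc> const {172.20/14 172.31/16 10/8 fd00::/8 fe80::/64}
 table <dn42peers> const {<PEER1-IPv4> fe80::/64}
 pass in quick on egress proto udp to port 21234
+pass out quick on my_dn proto tcp to <dn42peers> port bgp !received-on any
 pass in quick on my_dn proto tcp from <dn42peers> \
 to {$dn42_self (my_dn)} port bgp
 # block everything (except for ICMP above) destined to the
 # router itself; only dn42 transit and BGP sessions are allowed
 block in log quick on my_dn to {$dn42_self (my_dn)}
-pass out on my_dn from 192.168.42/24 nat-to $dn42_self
 # 'no state' as we might not see both directions of transit traffic
 pass on my_dn from <dn42etc> to <dn42etc> no state
 ```
@@ -88,9 +94,10 @@ pass on my_dn from <dn42etc> to <dn42etc> no state
 ## `/etc/bgpd.conf`
 ```conf
 ASN = "<YOUR-AS-NUMBER>"
+ID = "<YOUR-ROUTER-DN42-IPv4>"
 
 AS $ASN
-router-id <YOUR-ROUTER-DN42-IPv4>
+router-id $ID
 
 # list of networks that may be originated by our ASN
 prefix-set mydn42 {
@@ -127,7 +134,7 @@ network prefix-set mydn42 set {
 large-community $ASN:1:1
 }
 
-listen on <YOUR-ROUTER-DN42-IPv4>
+listen on $ID
 listen on <PEER1-IPv6-LOCAL> # e.g. fe80::1%wg1234
 
 group dn42peers {
@@ -139,6 +146,7 @@ group dn42peers {
 neighbor <PEER1-IPv4> {
 descr peer1_4
 remote-as <PEER1-ASN>
+ local-address $ID
 }
 neighbor <PEER1-IPv6-REMOTE> { # e.g. fe80::2%wg1234
 descr peer1_6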