On Thu, Nov 12, 2020 at 2:33 PM Douglas Fischer <fischerdoug...@gmail.com> wrote:
> Hello All!
> I'm using BSDRP with BIRD to create a distributed routing scenario.
>
> And for security and reliability reasons I will dedicate an interface to
> In-Band-Management.
>
> My objective is to use that interface, with a specific VRF (FIB), for SSH,
> SNMP, Netflow, LDAP queries, DNS lookups, RTR client, and everything else
> related to MGMT.
>
> The initial idea is to use FIB 0 for MGMT.
> (I can reconsider this if it's not a good idea)
>
> And the other FIBs, use for the dataplane, and BGP/OSPF/BFD/ICMP listeners.
>
> I'm trying to avoid using firewall rules for that...
> I would like to force the listeners of MGMT services (and call-outs) to
> use the specific In-Band-Management interface.
>
> Any suggestions on how to do that?
> Or maybe better than that...

Hi,

I don't have a lot of experience with FIB, but I would try first the usage of jail/vnet in place of fib:
To be compliant with fib (FreeBSD and OpenBSD feature), the userland software has to support this feature (socket option SO_SETFIB). So right now bird has some FIB support, but it is quite rare because the majority don't (like dnsmasq).

So in place of using a feature that needs to be supported by the userland software, jail/vnet could be simpler (invisible from the userland).
BSDRP includes a helper shell script to create a type of jail that could be useful in a multi-tenant use-case, like in this example:
https://bsdrp.net/documentation/examples/multi-tenant_router_and_firewall

But if you are the only admin and don't need this multi-tenant feature, you could do it a lot simpler, like in this example:
https://github.com/ocochard/myscripts/blob/master/FreeBSD/jail/create-480-jails.sh

So to summarize the idea:
- MGMT services as standard services on your router
- Assign 'data' interfaces to a jail/vnet (they will disappear from your host) and run your bird process in this jail/vnet

Regards,
Olivier
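The split Olivier describes (management daemons stay on the host with the management NIC, the data-plane NICs and bird move into a vnet jail) can be expressed as a single jail.conf(5) stanza. The script below is an added example written for this thread; it is neither BSDRP's multi-tenant helper nor the create-480-jails.sh script linked above. The jail name `dataplane`, the interface names `igb0`/`igb1`, the thin-jail `path = "/"`, the devfs ruleset and the bird binary and config paths are all assumptions to adapt to the actual router.

```shell
#!/bin/sh
# Added example (not BSDRP's helper script, not create-480-jails.sh).
# Generates a jail.conf(5) stanza for a vnet jail that owns the data-plane
# NICs and runs bird, so the host keeps only the management interface and
# the management daemons (sshd, snmpd, ...) remain plain host services.
# Jail name, interface names, path and bird locations are assumptions.

# gen_jail_conf NAME "IF0, IF1" -> prints the jail.conf stanza on stdout
gen_jail_conf() {
    name="$1"
    ifaces="$2"
    cat <<EOF
${name} {
    host.hostname = "${name}";
    # Thin jail sharing the host filesystem (assumption): the bird binary
    # and its config are already there, only the network stack is separated.
    path = "/";
    persist;
    # Own network stack: the listed NICs move into the jail and vanish from
    # the host, so BGP/OSPF/BFD listeners cannot bind on the management
    # interface even by mistake, without any firewall rule.
    vnet;
    vnet.interface = "${ifaces}";
    # OSPF and BFD need raw sockets inside the jail.
    allow.raw_sockets;
    mount.devfs;
    devfs_ruleset = 4;
    exec.start = "/usr/local/sbin/bird -c /usr/local/etc/bird.conf";
    exec.stop = "/usr/local/sbin/birdc down";
    exec.consolelog = "/var/log/jail_${name}.log";
}
EOF
}

# count_vnet_ifaces "IF0, IF1" -> number of interfaces handed to the jail
count_vnet_ifaces() {
    echo "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -c .
}

# On a FreeBSD host (needs root): write the stanza, start the jail, then
# show that the data NICs are gone from the host and that only management
# daemons listen on the host side while bird listens inside the jail.
apply_and_verify() {
    name="$1"; ifaces="$2"
    conf="/etc/jail.${name}.conf"        # assumed location
    gen_jail_conf "$name" "$ifaces" > "$conf"
    jail -f "$conf" -c "$name"
    jls -v
    ifconfig -l                          # data NICs no longer listed here
    sockstat -4 -6 -l                    # host listeners: sshd, snmpd, ...
    jexec "$name" sockstat -4 -6 -l      # bird's BGP listener lives here
}

case "${1:-}" in
    print) gen_jail_conf "${2:-dataplane}" "${3:-igb0, igb1}" ;;
    apply) apply_and_verify "${2:-dataplane}" "${3:-igb0, igb1}" ;;
esac
```

Run it as `sh script.sh print dataplane "igb0, igb1"` to review the stanza, and as root with `apply` to create the jail and immediately compare `sockstat -l` on the host against `jexec dataplane sockstat -l`: the host side should list only the management daemons bound on the management NIC, and the BGP listener should appear only inside the jail. The `devfs_ruleset = 4` line is the stock `devfsrules_jail` ruleset; if bird needs `/dev/bpf` or other devices in the jail, a custom ruleset in devfs.rules(5) is required.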
_______________________________________________ Bsdrp-users mailing list Bsdrp-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bsdrp-users