Thanks Claudio - that clears it up.

-John

On 10/21/2015 02:06 AM, Claudio Jeker wrote:
> On Tue, Oct 20, 2015 at 11:07:12AM -0400, John E.P. Hynes wrote:
>> Hi list,
>>
>> I've read through the docs and Claudio's guide, but something isn't
>> clear to me I'm hoping to get some direction on:
>>
>> I am about to multihome.  My uplinks to my ISPs terminate on different
>> OpenBSD routers.  The class C network behind them includes one internal
>> OpenBSD gateway performing NAT for connections leaving the internal
>> private network.
>>
>> My understanding is that I would configure OpenBGPD on the two border
>> routers with iBGP between them, like this:
>>
>> /etc/bgpd.conf
>>
>> # Global Config
>> AS MyASN
>> router-id 1.2.3.4
>>
>> # Announce Our Network Space
>> network 1.2.3/24
>>
>> # Neighbor Config
>> neighbor 9.8.7.6 {
>>      descr   "My ISP 1"
>>      remote-as TheirASN
>> }
>>
>> # iBGP
>> group IBGP {
>>      remote-as MyASN
>>      neighbor 1.2.3.5 {
>>              descr   "MyOtherBorderGateway"
>>      }
>> }
>>
>> ...Essentially, since no host in my public network would be aware of
>> which border gateway to leave through, I need an IGP such as OpenOSPFd
>> as well.  Something like this on the border gateways:
>>
>> /etc/ospfd.conf
>>
>> # Global Config
>> router-id 0.0.0.1
>> redistribute connected
>>
>> # Areas
>> area 0.0.0.0 {
>>      auth-type crypt
>>      auth-md 1 "SomePW"
>>      auth-md 2 "SomeDifferentPW"
>>      auth-md-keyid 1
>>
>>      # Main Link (DMZ)
>>      interface em1
>> }
>>
>> ...and then something like this on all hosts on my public network,
>> including the NAT firewall:
>>
>> /etc/ospfd.conf
>>
>> # Global Config
>> router-id 0.0.0.3
>>
>> # Areas
>> area 0.0.0.0 {
>>      auth-type crypt
>>      auth-md 1 "SomePW"
>>      auth-md 2 "SomeDifferentPW"
>>      auth-md-keyid 1
>>
>>      # Main Link (DMZ)
>>      interface em1
>> }
>>
>>
>> My questions are:
>>
>> 1) Claudio's guide suggests to me that iBGP needs to be run on the NAT
>> firewall as well, but I don't understand *why* that would be necessary
>> and I think I'm mis-reading it.  Clarification please?
> 
> Running BGP on the internal FW allows you to send out the traffic to
> the correct border router and so you get better control over which path
> you reach the internet.
>  
>> 2) Do I really want "redistribute connected" in the ospfd.conf on the
>> border routers, or "redistribute default"?
>>
> 
> If you feed the BGP table to your FW then you most probably need
> redistribute connected. In such a simple setup as yours you can also skip
> using OSPF and just use "set nexthop self" in bgpd since all your routers
> & firewalls are directly connected.
> 
> In short the IGP (OSPF) is required for incoming traffic to find its
> destination in your network whereas iBGP is required to take the optimal
> way out of your network.
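Claudio's suggestion of dropping OSPF and using "set nexthop self" with iBGP to the NAT firewall, written out as an added example (not taken from either poster's mail); the ASNs 65000/65001, the firewall address 1.2.3.10 and the explicit filter rules are my own placeholders and assumptions, since this thread's snippets only show "MyASN"/"TheirASN" and no filters.

```conf
# /etc/bgpd.conf on border router 1 (1.2.3.4); border router 2 mirrors it
AS 65000                         # placeholder for MyASN
router-id 1.2.3.4
network 1.2.3.0/24               # our class C, originated by both borders

group "ebgp" {
        neighbor 9.8.7.6 {
                descr      "My ISP 1"
                remote-as  65001 # placeholder for TheirASN
        }
}

group "ibgp" {
        remote-as 65000
        # rewrite the next hop to this router's own address before passing
        # ISP-learned routes to iBGP peers, so the firewall's forwarding
        # table points at the border router that actually holds the path
        set nexthop self
        neighbor 1.2.3.5 {
                descr "MyOtherBorderGateway"
        }
        neighbor 1.2.3.10 {
                descr "InternalNATFirewall"   # assumed firewall address
        }
}

# Explicit policy: only our own prefix leaves towards the ISP, and only
# routes we learn over eBGP and iBGP are accepted (defaults differ across
# bgpd versions, so spell it out)
deny from any
deny to any
allow from group "ebgp"
allow to group "ebgp" prefix 1.2.3.0/24
allow from group "ibgp"
allow to group "ibgp"

# /etc/bgpd.conf on the NAT firewall (1.2.3.10): iBGP only, no networks
# AS 65000
# router-id 1.2.3.10
# group "ibgp" {
#         remote-as 65000
#         neighbor 1.2.3.4 { descr "Border1" }
#         neighbor 1.2.3.5 { descr "Border2" }
# }
# deny to any
# allow from group "ibgp"
```

With this, the firewall learns every ISP route with a next hop of 1.2.3.4 or 1.2.3.5 on its directly connected DMZ segment and picks the better border router per destination, which is the outgoing-path control Claudio describes; incoming traffic still reaches 1.2.3.0/24 because both borders announce it and are directly attached to it.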
