Thanks Claudio - that clears it up. -John
On 10/21/2015 02:06 AM, Claudio Jeker wrote:
> On Tue, Oct 20, 2015 at 11:07:12AM -0400, John E.P. Hynes wrote:
>> Hi list,
>>
>> I've read through the docs and Claudio's guide, but something isn't
>> clear to me that I'm hoping to get some direction on:
>>
>> I am about to multihome. My uplinks to my ISPs terminate on different
>> OpenBSD routers. The class C network behind them includes one internal
>> OpenBSD gateway performing NAT for connections leaving the internal
>> private network.
>>
>> My understanding is that I would configure OpenBGPD on the two border
>> routers with iBGP between them, like this:
>>
>> /etc/bgpd.conf
>>
>> # Global Config
>> AS MyASN
>> router-id 1.2.3.4
>>
>> # Announce Our Network Space
>> network 1.2.3/24
>>
>> # Neighbor Config
>> neighbor 9.8.7.6 {
>>   descr "My ISP 1"
>>   remote-as TheirASN
>> }
>>
>> # iBGP
>> group IBGP {
>>   remote-as MyASN
>>   neighbor 1.2.3.5 {
>>     descr "MyOtherBorderGateway"
>>   }
>> }
>>
>> ...Essentially, since no host in my public network would be aware of
>> which border gateway to leave through, I need an IGP such as OpenOSPFd
>> as well. Something like this on the border gateways:
>>
>> /etc/ospfd.conf
>>
>> # Global Config
>> router-id 0.0.0.1
>> redistribute connected
>>
>> # Areas
>> area 0.0.0.0 {
>>   auth-type crypt
>>   auth-md 1 "SomePW"
>>   auth-md 2 "SomeDifferentPW"
>>   auth-md-keyid 1
>>
>>   # Main Link (DMZ)
>>   interface em1
>> }
>>
>> ...and then something like this on all hosts on my public network,
>> including the NAT firewall:
>>
>> /etc/ospfd.conf
>>
>> # Global Config
>> router-id 0.0.0.3
>>
>> # Areas
>> area 0.0.0.0 {
>>   auth-type crypt
>>   auth-md 1 "SomePW"
>>   auth-md 2 "SomeDifferentPW"
>>   auth-md-keyid 1
>>
>>   # Main Link (DMZ)
>>   interface em1
>> }
>>
>>
>> My questions are:
>>
>> 1) Claudio's guide suggests to me that iBGP needs to be run on the NAT
>> firewall as well, but I don't understand *why* that would be necessary
>> and I think I'm mis-reading it. Clarification please?
>
> Running BGP on the internal FW allows you to send out the traffic to
> the correct border router and so you get better control over which path
> you reach the internet.
>
>> 2) Do I really want "redistribute connected" in the ospfd.conf on the
>> border routers, or "redistribute default"?
>>
>
> If you feed the BGP table to your FW then you most probably need
> redistribute connected. In such a simple setup as yours you can also skip
> using OSPF and just use "set nexthop self" in bgpd since all your routers
> & firewalls are directly connected.
>
> In short the IGP (OSPF) is required for incoming traffic to find its
> destination in your network whereas iBGP is required to take the optimal
> way out of your network.
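As an added illustration (not part of the thread, and not configuration from Claudio or John), here is what Claudio's "skip OSPF, use set nexthop self" suggestion could look like in bgpd.conf on one border router and on the NAT firewall. It reuses the placeholder values from John's post (prefix 1.2.3.0/24, border routers 1.2.3.4 and 1.2.3.5, ISP neighbor 9.8.7.6) and assumes a firewall address of 1.2.3.6, a local AS of 65001 and an ISP AS of 65000, all of which are made-up stand-ins. The explicit filter rules are an addition, so that the border router never leaks routes learned from one ISP to the other and the firewall never originates anything; the MD5 session password assumes the ISP has agreed to one. The syntax follows bgpd.conf(5) and has not been validated against a particular OpenBSD release.

```conf
###############################################################
# /etc/bgpd.conf on border router 1 (1.2.3.4)                 #
# (added example; addresses and AS numbers are placeholders)  #
###############################################################
AS 65001                      # placeholder for "MyASN"
router-id 1.2.3.4

# Originate our own prefix
network 1.2.3.0/24

# eBGP to the upstream
neighbor 9.8.7.6 {
  descr "My ISP 1"
  remote-as 65000             # placeholder for "TheirASN"
  tcp md5sig password "shared-with-isp"   # assumes the ISP configures the same secret
}

# iBGP to the other border router and to the NAT firewall.
# "set nexthop self" rewrites the next-hop of ISP-learned routes to this
# router's own address, so the peers can reach the exit without an IGP
# because every router and firewall sits on the same directly connected LAN.
group "IBGP" {
  remote-as 65001
  set nexthop self
  neighbor 1.2.3.5 { descr "MyOtherBorderGateway" }
  neighbor 1.2.3.6 { descr "NAT firewall" }
}

# Filters: the last matching rule wins.
# Start by denying everything in both directions, then open only what is needed:
# accept whatever the ISP sends, announce only our own prefix to the ISP,
# and exchange everything with our iBGP peers. Nothing learned from the ISP
# can be re-announced to the ISP, which prevents a route leak if a second
# upstream is added on this box later.
deny from any
deny to any
allow from 9.8.7.6
allow to 9.8.7.6 prefix 1.2.3.0/24
allow from group "IBGP"
allow to group "IBGP"


###############################################################
# /etc/bgpd.conf on the NAT firewall (1.2.3.6, assumed)       #
# (added example; iBGP only, no OSPF)                         #
###############################################################
AS 65001
router-id 1.2.3.6

# No "network" statement: the firewall originates nothing, it only learns
# the exit path from whichever border router has the better route and
# installs it into the kernel routing table (fib-update is on by default).
group "IBGP" {
  remote-as 65001
  neighbor 1.2.3.4 { descr "BorderGateway1" }
  neighbor 1.2.3.5 { descr "BorderGateway2" }
}

# Accept routes from our own border routers only, announce nothing at all.
deny from any
deny to any
allow from group "IBGP"
```

Border router 2 (1.2.3.5) gets the mirror image of the first block with its own router-id and ISP neighbor. After starting bgpd, `bgpctl show fib` on the firewall should list the default or full-table routes with 1.2.3.4 or 1.2.3.5 as next-hop, and `bgpctl show rib out neighbor 9.8.7.6` on a border router should show only 1.2.3.0/24, which is a quick way to confirm the outbound filter is doing its job.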