Using RDomain setup with pf(4) and bgpd(8)

2010-04-06 Thread Insan Praja SW

Hi Misc@,
Has anyone tried to set up a bgpd(8) configuration with pf(4), specifically
with rdomain?
I'm trying to set up a simple VPN routing (VRF-like) on OpenBSD
4.7 i386-current (15 March 2010). RTFM-ing the manual, I could only come
up with:


1. rtable on pf.conf is similar to rdomains. I don't know if there are
additional parameters to include an interface on a specific routing
domain (eg. rdomain 1) in the pf(4) ruleset.
2. To supply a routing table on rdomain 1 using bgpd(8), I had to set rtable
1 in the global configuration, which also means that I had to set up another
instance of bgpd to retain the default routing table (rtable 0).


My questions are:
1. Is there additional setup in pf rulesets to include an interface that
belongs to a specific rdomain?
2. Is there any way to set up VRF-like configurations without another
instance of bgpd? Or storing/injecting a bgpd RIB from a neighbor into a
specific routing table (eg. rtable 1)?


Thanks,


Insan Praja
--
insandotpraja(at)gmaildotcom



Re: Using RDomain setup with pf(4) and bgpd(8)

2010-04-06 Thread Claudio Jeker
On Tue, Apr 06, 2010 at 09:42:05PM +0700, Insan Praja SW wrote:
> Hi Misc@,
> Has anyone tried to set up a bgpd(8) configuration with pf(4),
> specifically with rdomain?
> I'm trying to set up a simple VPN routing (VRF-like) on OpenBSD
> 4.7 i386-current (15 March 2010). RTFM-ing the manual, I could only
> come up with:
>
> 1. rtable on pf.conf is similar to rdomains. I don't know if there
> are additional parameters to include an interface on a specific
> routing domain (eg. rdomain 1) in the pf(4) ruleset.

pf(4)'s rtable is smart enough to figure out if a state is between two
rdomains or not. In the first case it acts similarly to a NAT/RDR (but
without modification of source or destination IP); in the second case only
the lookup in the direction of the state will use the special routing
table (reverse traffic will use the main table).

> 2. To supply a routing table on rdomain 1 using bgpd(8), I had to set
> rtable 1 in the global configuration, which also means that I had to
> set up another instance of bgpd to retain the default routing table
> (rtable 0).
>

Running bgpd on different rdomains is currently not really possible.
bgpd does not allow running on a completely different rdomain; it will always
use rdomain 0 for some stuff. I'm on the way to fix this, but it is a 3500
line diff and is still not finished.

> My questions are:
> 1. Is there additional setup in pf rulesets to include an
> interface that belongs to a specific rdomain?

pf(4) knows when a packet/state is in a different rdomain. You can select
rdomains based on the interfaces belonging to them, e.g. by using interface
groups, but I know that there is an upcoming need for a pass on rdomain 1.

Here's a quick example:
pass on vlan203

Traffic is forwarded, and route lookups etc. happen on the rdomain vlan203
is in.

pass on vlan203 rtable 2

Traffic is passed, and while going through pf the rdomain is switched to
rtable 2 aka rdomain 2. So the route lookup will happen on that rdomain
and not the rdomain vlan203 belongs to. Reverse traffic will also switch
back to the original rdomain. Depending on when the state is created (in vs.
out) the ip_forward route lookup will happen in the translated or
untranslated rdomain (so make sure you have routes available to make it to
pf_test() in ip_output).


> 2. Is there any way to set up VRF-like configurations without another
> instance of bgpd? Or storing/injecting a bgpd RIB from a neighbor
> into a specific routing table (eg. rtable 1)?
>

Again this is coming with full BGP MPLS VPN support. Then you can use
something like:

rdomain 1 {
descr CUSTOMER1
rd 65003:1
import-target rt 65003:1
export-target rt 65003:1
}

in bgpd.conf to add routes into rdomains.

-- 
:wq Claudio
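An added example, not from the thread, putting both of Claudio's points into one ruleset: an interface group matches every interface that lives in a customer rdomain, and the rtable keyword switches a single state's lookup into another rdomain. Interface names, rdomain numbers, addresses and the shared-service address are all assumed.

```pf
# Added example (not from the thread). Assumed setup, done before this
# ruleset is loaded: two customer VLANs, each placed in its own rdomain and
# in the interface group "cust" (names, numbers and addresses are made up):
#   ifconfig vlan203 vlan 203 vlandev em0 rdomain 2 group cust inet 10.2.0.1/24
#   ifconfig vlan204 vlan 204 vlandev em0 rdomain 3 group cust inet 10.3.0.1/24
#   route -T 2 add default 10.2.0.254
#   route -T 3 add default 10.3.0.254
# The ruleset itself is the global pf.conf.

shared_dns = "192.0.2.10"   # resolver reachable only via the main table (rtable 0)

# No rtable keyword: the state stays in the rdomain the interface belongs to,
# so lookups for vlan203 happen in rdomain 2 and for vlan204 in rdomain 3.
# One rule on the group covers every interface in any customer rdomain.
pass on cust

# With rtable: while the packet passes through pf the state is switched to
# rtable 0, so the lookup for the DNS server happens in the main table, and
# reply traffic matching the state is switched back to the customer's own
# rdomain (NAT/RDR-like behaviour without rewriting any address).
pass in on cust inet proto { tcp udp } from cust:network to $shared_dns port 53 rtable 0

# Caveat from the thread: this state is created on the "in" pass, so the
# ip_forward lookup happens in the translated table. rtable 0 must hold a
# route to $shared_dns, and rdomain 2/3 must hold a route back to the
# customer network (here the connected vlan route), or the packet never
# reaches pf_test() in ip_output().
```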



Re: Using RDomain setup with pf(4) and bgpd(8)

2010-04-06 Thread Insan Praja SW

Hi All,
On Tue, 06 Apr 2010 22:27:33 +0700, Claudio Jeker cje...@diehard.n-r-g.com wrote:


Thanks for your time in providing us a clear explanation. I understand there
are options between rtable and route-to/reply-to in the pf ruleset. I chose
rtable because it is just simpler. The first time rdomains were integrated into
OBSD, my static rtable broke, because it had to have an interface
attached to it. Now it works again, and I got a link-layer address this
time, from rdomain.


I hope that you make your peace with these 3500 lines of diff :) (god
knows how much beer it will take to solve this), and that OBSD gets rdomain
support for pf, bgpd, ospfd, ldpd and npppd.


Thanks and Good Luck,


--
insandotpraja(at)gmaildotcom