
Maximum BSDRP features lab

This lab is used for testing BSDRP before releasing a new version.

Presentation

Network diagram

Here is the logical and physical view:

Setting-up the lab

Downloading BSD Router Project images

Download the BSDRP serial image (it avoids having to use an X display) from Sourceforge.

Download Lab scripts

More information on these BSDRP lab scripts is available on How to build a BSDRP router lab.

Start the lab with 5 routers and a shared-with-host LAN; here is an example using the VirtualBox PowerShell script:

PS C:\Windows\system32> D:\Mes documents\BSDRP\BSDRP-lab-vbox.ps1
[Dirty Hack] Relaunching PowerShell script in STA mode

BSD Router Project - VirtualBox lab
Enabling one LAN between routers and the host ? (Permit IP access between host
and routers)
[Y] Yes  [N] No  [?] Help (default value is « Y ») : y
How many other LAN dedicaced to the lab? (between 0 and 7): 0

BSD Router Project - VirtualBox lab
Enable full mesh links between all routers ?
[Y] Yes  [N] No  [?] Help (default value is « Y ») : y
How many routers ? (between 2 and 8): 5
Setting-up a lab with 5 routers
- All routers and the host will be connected to a shared LAN
- Full mesh ethernet point-to-point link between each routers
Router 1 have the folllowing NIC:
em0 connected to Router2.
em1 connected to Router3.
em2 connected to Router4.
em3 connected to Router5.
em4 connected to the shared-with-host LAN.
Router 2 have the folllowing NIC:
em0 connected to Router1.
em1 connected to Router3.
em2 connected to Router4.
em3 connected to Router5.
em4 connected to the shared-with-host LAN.
Router 3 have the folllowing NIC:
em0 connected to Router1.
em1 connected to Router2.
em2 connected to Router4.
em3 connected to Router5.
em4 connected to the shared-with-host LAN.
Router 4 have the folllowing NIC:
em0 connected to Router1.
em1 connected to Router2.
em2 connected to Router3.
em3 connected to Router5.
em4 connected to the shared-with-host LAN.
Router 5 have the folllowing NIC:
em0 connected to Router1.
em1 connected to Router2.
em2 connected to Router3.
em3 connected to Router4.
em4 connected to the shared-with-host LAN.
All routers started, connect to them using:
 - For BSDRP vga release, with mstsc (included in MS Windows):
     mstsc /v:127.0.0.1:505x (replacing x by router number)
 - For BSDRP serial and vga release: Configure PuTTY to connect to:
     connection type: Serial
     serial line: \\.\pipe\BSDRP_lab_Rx (replacing x by router number)
Press any key to continue...

Routers configuration

Router 1

Root password

This router will be used for backing up all the other routers' configuration files, so it needs a root password to enable SSH access to it. We will use the password “root” for this lab.

[root@router]~# passwd
Changing local password for root
New Password: root
Retype New Password: root

rc.conf

Edit /etc/rc.conf file:

vi /etc/rc.conf
# Hostname
hostname="R1.bsdrp.net"

# Enable SSHd
sshd_enable="YES"

# Enable IPv6
ipv6_enable="YES"

# Enable RFC1323 extensions
tcp_extensions="YES"

#Waiting for a default route
defaultroute_delay="5"

# Configure NIC to R2
# Create an aggregate interface with only one member interface
ifconfig_em0="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto lacp laggport em0 DHCP"

# Configure NIC to shared-with-host LAN
# (IP depends of your VirtualBox configuration)
ifconfig_em4="192.168.56.11/24"

Saving configuration

Save configuration:

config save

Reboot

Reboot the router:

reboot

Router 2

rc.conf

Edit /etc/rc.conf file:

vi /etc/rc.conf
# Hostname
hostname="R2.bsdrp.net"

# Enable SSHd
sshd_enable="YES"

# Enable routing
gateway_enable="YES"
ipv6_gateway_enable="YES"

# Enable IPv6
ipv6_enable="YES"

# Enable Router Advertisement on the interface to R1
rtadvd_enable="YES"
rtadvd_interfaces="em0"

# Enable RFC1323 extensions
tcp_extensions="YES"

# Default route: Set to "NO" for quagga and Bird
defaultrouter="NO"

# Configure NIC to R1
ifconfig_em0="inet 10.0.12.2/24"
ipv6_ifconfig_em0="2001:db8:12::2 prefixlen 64"

# Configure NIC to R2
ifconfig_em1="inet 10.0.23.2/24"
ipv6_ifconfig_em1="2001:db8:23::2 prefixlen 64"

# Create carp interface
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass testpass 10.0.12.254/24"
# Configure IPv6 on carp0, but don't know how to advertise it with rtadv
ipv6_ifconfig_carp0="vhid 1 pass testpass6 2001:db8:12::fe prefixlen 64"

# Configure NIC to shared-with-host LAN
# (IP depends of your VirtualBox configuration)
ifconfig_em4="192.168.56.12/24"

# Start Quagga
quagga_enable="YES"
quagga_flags="-d -A 127.0.0.1"
quagga_daemons="zebra ripd ripngd"

# Start and configure DHCP Relay
dhcrelay_enable="YES"
dhcrelay_servers="10.0.3.3"
dhcrelay_ifaces="em0 em1"

#Enable PPP VPN
mpd_enable="YES"
mpd_flags="-b -s ppp"

# Enable netflow (promiscuous mode not needed)
fprobe_enable="YES"
command_args="-p -i em0 10.0.12.1:2055"

rc.conf.misc

This file is used for special BSDRP related configuration. Edit this file (/etc/rc.conf.misc) and enable polling on all interfaces by replacing:

polling_enable="NO"

with:

polling_enable="YES"

mpd.conf

This file is used for configuring PPTP VPN tunnels to R4.

Edit mpd.conf file:

vi /usr/local/etc/mpd5/mpd.conf
default:
        load vpnipv4
        load vpnipv6
vpnipv4:
        # Create bundle called vpnipv4
        create bundle static vpnipv4
        # IP of client and server, on another subnet for avoiding problems
        set ipcp ranges 10.4.15.2/32 10.4.15.4/32
        # Remote LAN subnet
        set iface route 10.0.45.0/24
        # Enable Microsoft Point-to-Point encryption (MPPE)
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless
        # Create a static pptp link called lvpnipv4
        create link static lvpnipv4 pptp
        # Attach this link to vpnipv4
        set link action bundle vpnipv4
        # Set some link settings
        set link no pap
        set link yes chap
        set auth authname "VpnLogin4"
        # Reduce the size of the outgoing packet for avoiding fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, needs to be "-1"
        # Client side, needs to be positive (0 for always)
        set link max-redial -1
        # Local WAN IP address
        set pptp self 10.0.23.2
        # Remote WAN IP address
        set pptp peer 10.0.34.4
        # Allow incoming call
        set link enable incoming
        # Because it's the server, open is not necessary
        # open

vpnipv6:
        # Create bundle called vpnipv6
        create bundle static vpnipv6
        # Don't know how to disable IPv4 ipcp
        set ipcp ranges 10.6.15.2/32 10.6.15.4/32
        # Enable IPv6
        set bundle enable ipv6cp
        # Remote LAN subnet
        set iface route 2001:db8:45::/64
        # Enable Microsoft Point-to-Point encryption (MPPE)
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless
        # Create a static pptp link called lvpnipv6
        create link static lvpnipv6 pptp
        # Attach this link to vpnipv6
        set link action bundle vpnipv6
        # Set some link settings
        set link no pap
        set link yes chap
        set auth authname "VpnLogin6"
        # Reduce the size of the outgoing packet for avoiding fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, needs to be "-1"
        # Client side, needs to be positive (0 for always)
        set link max-redial -1
        # Local WAN IP address
        set pptp self 2001:db8:23::2
        # Remote WAN IP address
        set pptp peer 2001:db8:34::4
        # Allow incoming call
        set link enable incoming
        # Because it's the server, open is not necessary
        # open

mpd.secret

This file is used for storing the remote user/password pairs for the PPTP VPN.

Edit mpd.secret file:

vi /usr/local/etc/mpd5/mpd.secret
VpnLogin4       VpnPassword4
VpnLogin6       VpnPassword6

Quagga

Now configure Quagga:

[root@R2]~#cli

Hello, this is Quagga (version 0.99.17).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

R2.bsdrp.net# conf t
R2.bsdrp.net(config)# key chain pass
R2.bsdrp.net(config-keychain)# key 1
R2.bsdrp.net(config-keychain-key)# key-string rippassword
R2.bsdrp.net(config-keychain-key)# exit
R2.bsdrp.net(config-keychain)# exit
R2.bsdrp.net(config)# interface em1
R2.bsdrp.net(config-if)# ip rip authentication mode md5 auth-length rfc
R2.bsdrp.net(config-if)# ip rip authentication key-chain pass
R2.bsdrp.net(config)# router rip
R2.bsdrp.net(config-router)# network 10.0.23.0/24
R2.bsdrp.net(config-router)# network 10.0.12.0/24
R2.bsdrp.net(config-router)# passive-interface em0
R2.bsdrp.net(config-router)# exit
R2.bsdrp.net(config)# router ripng
R2.bsdrp.net(config-router)# network 2001:db8:12::/64
R2.bsdrp.net(config-router)# network 2001:db8:23::/64
R2.bsdrp.net(config-router)# passive-interface em0
R2.bsdrp.net(config-router)# exit
R2.bsdrp.net(config)# exit
R2.bsdrp.net# wr
Building Configuration...
Configuration saved to /usr/local/etc/quagga/zebra.conf
Configuration saved to /usr/local/etc/quagga/ripd.conf
Configuration saved to /usr/local/etc/quagga/ripngd.conf
Configuration saved to /usr/local/etc/quagga/ospfd.conf
Configuration saved to /usr/local/etc/quagga/ospf6d.conf
[OK]

R2.bsdrp.net# exit

Saving configuration

Save configuration:

config save

Reboot

Reboot the router:

reboot

Router 3

rc.conf

Edit /etc/rc.conf file:

vi /etc/rc.conf
# Hostname
hostname="R3.bsdrp.net"

# Enable SSHd
sshd_enable="YES"

# Enable routing
gateway_enable="YES"
ipv6_gateway_enable="YES"

# Enable IPv6
ipv6_enable="YES"

# Enable RFC1323 extensions
tcp_extensions="YES"

# Default route: Set to "NO" for quagga and Bird
defaultrouter="NO"

#Waiting for a default route
defaultroute_delay="5"

# Configure NIC
ifconfig_em1="10.0.23.3/24"
ifconfig_em2="10.0.34.3/24"
ipv6_ifconfig_em1="2001:db8:23::3 prefixlen 64"
ipv6_ifconfig_em2="2001:db8:34::3 prefixlen 64"

# Create a loopback interface
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.3.3/24"
ipv6_ifconfig_lo1="2001:db8:3::3 prefixlen 64"

# Configure NIC to shared-with-host LAN
# (IP depends of your VirtualBox configuration)
ifconfig_em4="192.168.56.13/24"

# Start Quagga and some routing daemon
quagga_enable="YES"
quagga_flags="-d -A 127.0.0.1"
quagga_daemons="zebra ripd ripngd ospfd ospf6d"

# Start DHCP server
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"

# Enable ALTQ (pf)
pf_enable="YES"
pf_rules="/etc/pf.conf"

rc.conf.misc

This file is used for special BSDRP related configuration. Edit this file (/etc/rc.conf.misc) and enable polling on all interfaces by replacing:

polling_enable="NO"

with:

polling_enable="YES"

pf.conf

Edit /etc/pf.conf file:

vi /etc/pf.conf
# Variable definitions
TO_R2_if = "em1"
TO_R4_if = "em2"
R2 = "10.0.23.2/32"
R4 = "10.0.34.4/32"

## ALTQ rules
# Queue outgoing from $TO_R4_if (R2 => R4)
# Rate-limit VPN traffic to 64Kb
altq on $TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 }
queue VPN4_TO_R4 bandwidth 64Kb hfsc(upperlimit 64Kb)
queue OTHER_TO_R4 bandwidth 99Mb hfsc(default)

# Queue for outgoing traffic from $TO_R2_if (R4 => R2)
altq on $TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 }
queue VPN4_TO_R2 bandwidth 64Kb hfsc(upperlimit 64Kb)
queue OTHER_TO_R2 bandwidth 99Mb hfsc(default)

## PF rules

# R2 => R4
# Shaping works on outgoing traffic only, but we need to 'mark' traffic
# entering the interface so that returning traffic lands in the right queue
pass in quick on $TO_R2_if proto gre from $R2 to $R4 queue VPN4_TO_R2
# Apply ALTQ to traffic that get out from $TO_R4_if
pass out quick on $TO_R4_if proto gre from $R2 to $R4 queue VPN4_TO_R4

# PF rules R4 => R2
pass in quick on $TO_R4_if proto gre from $R4 to $R2 queue VPN4_TO_R4
pass out quick on $TO_R2_if proto gre from $R4 to $R2 queue VPN4_TO_R2

dhcpd.conf

Edit dhcpd.conf file:

vi /usr/local/etc/dhcpd.conf
option domain-name "bsdrp.net";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
#Declare loopback network
subnet 10.0.3.0 netmask 255.255.255.0 {
}
#Declare em1 network
subnet 10.0.23.0 netmask 255.255.255.0 {
}
#Declare em2 network
subnet 10.0.34.0 netmask 255.255.255.0 {
}
#Declare R1 LAN and gateway
subnet 10.0.12.0 netmask 255.255.255.0 {
  range 10.0.12.1 10.0.12.1;
  option routers 10.0.12.254;
}
#Declare R5 subnet and gateway
subnet 10.0.45.0 netmask 255.255.255.0 {
  range 10.0.45.5 10.0.45.5;
#There is a bug with freevrrpd (needs to be solved)
#option routers 10.0.45.254;
  option routers 10.0.45.4;
}

Quagga

Now configure Quagga:

[root@R3]~#cli

Hello, this is Quagga (version 0.99.17).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

R3.bsdrp.net# conf t
R3.bsdrp.net(config)# key chain pass
R3.bsdrp.net(config-keychain)# key 1
R3.bsdrp.net(config-keychain-key)# key-string rippassword
R3.bsdrp.net(config-keychain-key)# exit
R3.bsdrp.net(config-keychain)# exit
R3.bsdrp.net(config)# interface em1
R3.bsdrp.net(config-if)# ip rip authentication mode md5 auth-length rfc
R3.bsdrp.net(config-if)# ip rip authentication key-chain pass
R3.bsdrp.net(config-if)# int em2
R3.bsdrp.net(config-if)# ospf message-digest-key 1 md5 superpass
R3.bsdrp.net(config-if)# exit
R3.bsdrp.net(config)# router rip
R3.bsdrp.net(config-router)# network 10.0.23.0/24
R3.bsdrp.net(config-router)# network 10.0.34.0/24
R3.bsdrp.net(config-router)# network 10.0.3.0/24
R3.bsdrp.net(config-router)# passive-interface em2
R3.bsdrp.net(config-router)# exit
R3.bsdrp.net(config)# router ripng
R3.bsdrp.net(config-router)# network 2001:db8:3::/64
R3.bsdrp.net(config-router)# network 2001:db8:23::/64
R3.bsdrp.net(config-router)# network 2001:db8:34::/64
R3.bsdrp.net(config-router)# passive-interface em2
R3.bsdrp.net(config-router)# exit
R3.bsdrp.net(config)# router ospf
R3.bsdrp.net(config-router)# router-id 0.0.0.3
R3.bsdrp.net(config-router)# network 10.0.3.0/24 area 0.0.0.0
R3.bsdrp.net(config-router)# network 10.0.23.0/24 area 0.0.0.0
R3.bsdrp.net(config-router)# network 10.0.34.0/24 area 0.0.0.0
R3.bsdrp.net(config-router)# passive-interface em1
R3.bsdrp.net(config-router)# area 0.0.0.0 authentication message-digest
R3.bsdrp.net(config-router)# exit
R3.bsdrp.net(config)# int em1
R3.bsdrp.net(config-if)# ipv6 ospf6 passive
R3.bsdrp.net(config-if)# exit
R3.bsdrp.net(config)# router ospf6
R3.bsdrp.net(config-ospf6)# router-id 0.0.0.3
R3.bsdrp.net(config-ospf6)# interface em2 area 0.0.0.0
R3.bsdrp.net(config-ospf6)# interface em1 area 0.0.0.0
R3.bsdrp.net(config-ospf6)# interface lo1 area 0.0.0.0
R3.bsdrp.net(config-ospf6)# exit
R3.bsdrp.net(config)# exit
R3.bsdrp.net# wr
Building Configuration...
Configuration saved to /usr/local/etc/quagga/zebra.conf
Configuration saved to /usr/local/etc/quagga/ripd.conf
Configuration saved to /usr/local/etc/quagga/ripngd.conf
Configuration saved to /usr/local/etc/quagga/ospfd.conf
Configuration saved to /usr/local/etc/quagga/ospf6d.conf
[OK]
R3.bsdrp.net# exit

Saving configuration

Save configuration:

config save

Reboot

Reboot the router:

reboot

Router 4

rc.conf

Edit /etc/rc.conf file:

vi /etc/rc.conf
# Hostname
hostname="R4.bsdrp.net"

# Enable SSHd
sshd_enable="YES"

# Enable routing
gateway_enable="YES"
ipv6_gateway_enable="YES"

# Enable IPv6
ipv6_enable="YES"

# Enable Router Advertisement:
rtadvd_enable="YES"
rtadvd_interfaces="em3"

# Enable RFC1323 extensions
tcp_extensions="YES"

# Default route: Set to "NO" for quagga and Bird
defaultrouter="NO"

#Waiting for a default route
defaultroute_delay="5"

# Configure NIC
ifconfig_em3="10.0.45.4/24"
ipv6_ifconfig_em3="2001:db8:45::4 prefixlen 64"
ifconfig_em2="10.0.34.4/24"
ipv6_ifconfig_em2="2001:db8:34::4 prefixlen 64"

# Configure NIC to shared-with-host LAN
# (IP depends of your VirtualBox configuration)
ifconfig_em4="192.168.56.14/24"

# Enable bird and bird6
bird_enable="YES"
bird6_enable="YES"

# Enable VRRP:
freevrrpd_enable="YES"

#Enable and configure DHCP Relay
dhcrelay_enable="YES"
dhcrelay_servers="10.0.3.3"
dhcrelay_ifaces="em3 em2"

#Enable PPP VPN
mpd_enable="YES"
mpd_flags="-b -s ppp"

#Enable IPFW/Dummynet shaping
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

rc.conf.misc

This file is used for special BSDRP related configuration. Edit this file (/etc/rc.conf.misc) and enable polling on all interfaces by replacing:

polling_enable="NO"

with:

polling_enable="YES"

Bird

Create bird (IPv4) configuration file:

vi /usr/local/etc/bird.conf
# Configure logging
log syslog all;
log "/var/log/bird.log" all;
log stderr all;

# Override router ID
router id 0.0.0.4;

# Sync bird routing table with kernel
protocol kernel {
        #import all;
        export all;
}

# Include device route (warning, a device route is a /32)
protocol device {
        scan time 10;
}

# Include directly connected network
protocol direct {
        interface "em3";
}

protocol ospf R4 {
        export all;
        rfc1583compat yes;
        area 0.0.0.0 {
                interface "em2" {
                        cost 10;
                        type broadcast;
                        passwords {
                               password "superpass" {
                                       id 1;
                               };
                       };
                       authentication cryptographic;
                };
        };
}

Bird6

Create bird (IPv6) configuration file:

vi /usr/local/etc/bird6.conf
# Configure logging
log syslog all;
log "/var/log/bird6.log" all;
log stderr all;

# Override router ID
router id 0.0.0.4;

# Sync bird routing table with kernel
protocol kernel {
        #import all;
        export all;
}

protocol device {
        scan time 10;
}
protocol direct {
        interface "em3";
}
protocol ospf R4 {
        export all;
        rfc1583compat yes;
        area 0.0.0.0 {
                interface "em2" {
                        cost 10;
                        type broadcast;
                };
        };
}

mpd.conf

Create mpd (PPTP VPN) configuration:

vi /usr/local/etc/mpd5/mpd.conf
default:
        load vpnipv4
        load vpnipv6
vpnipv4:
        # Create bundle called vpnipv4
        create bundle static vpnipv4
        # Remote LAN subnet
        set iface route 10.0.12.0/24
        # Create a static pptp link called lvpnipv4
        create link static lvpnipv4 pptp
        # Attach this link to vpnipv4
        set link action bundle vpnipv4
        # Set some link settings
        set auth authname "VpnLogin4"
        set auth password "VpnPassword4"
        # Reduce the size of the outgoing packet for avoiding fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, needs to be "-1"
        # Client side, needs to be positive (0 for always)
        set link max-redial 0
        # Local WAN IP address
        set pptp self 10.0.34.4
        # Remote WAN IP address
        set pptp peer 10.0.23.2
        # Open (initiate) the link to the server
        open
vpnipv6:
        # Create bundle called vpnipv6
        create bundle static vpnipv6
        # Enable IPv6
        set bundle enable ipv6cp
        # Remote LAN subnet
        set iface route 2001:db8:12::/64
        # Create a static pptp link called lvpnipv6
        create link static lvpnipv6 pptp
        # Attach this link to vpnipv6
        set link action bundle vpnipv6
        # Set some link settings
        set auth authname "VpnLogin6"
        set auth password "VpnPassword6"
        # Reduce the size of the outgoing packet for avoiding fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, needs to be "-1"
        # Client side, needs to be positive (0 for always)
        set link max-redial 0
        # Local WAN IP address
        set pptp self 2001:db8:34::4
        # Remote WAN IP address
        set pptp peer 2001:db8:23::2
        # Open (initiate) the link to the server
        open

freevrrpd.conf

Create FreeVRRPd configuration file:

vi /usr/local/etc/freevrrpd.conf
[VRID]
serverid = 1
interface = em3
# We want this router to be the master
priority = 101
addr = 10.0.45.254/24
password = vrid1

BUG TO solve: VRRP didn't work; em3 needs to be forced into promiscuous mode (with a tcpdump, for example).

Need to check whether this problem comes from freevrrpd or VirtualBox.

sysctl.conf

Before enabling IPFW we need to allow it to accept IPv6 packets carrying an unknown extension header.

Edit /etc/sysctl.conf and add these lines:

#Allow Unknown Extension Header to IPFW
net.inet6.ip6.fw.deny_unknown_exthdrs=0

ipfw.rules

Create rules that shape IPv6 PPTP tunnel with IPFW:

vi /etc/ipfw.rules

And fill this new file with:

#!/bin/sh
fwcmd="/sbin/ipfw"
# Load the dummynet kernel module if it is not already loaded
if ! kldstat -q -m dummynet; then
        kldload dummynet
fi

# Flush out the list before we begin.
${fwcmd} -f flush
# The default queue size needs to be reduced too:
# see the explanation in chapter "7.2.1. Pipe Queues" of
# http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
${fwcmd} pipe 10 config bw 128Kbit/s queue 10Kbytes
${fwcmd} pipe 20 config bw 128Kbit/s queue 10Kbytes
# Traffic going out em2 is VPN PPTP traffic
${fwcmd} add 1000 pipe 10 all from 2001:db8:34::4 to 2001:db8:23::2 out via em2
# Traffic going out em3 is clear-text traffic
${fwcmd} add 2000 pipe 20 all from 2001:db8:12::/64 to 2001:db8:45::/64 out via em3
# We don't want to block traffic, only shape some of it
${fwcmd} add 3000 allow ip from any to any

BUG TO solve: enabling IPFW generates lots of messages on the console (one for each packet?):

IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0

Saving configuration

Save configuration:

config save

Reboot

Reboot the router:

reboot

Router 5

rc.conf

Edit /etc/rc.conf file:

vi /etc/rc.conf
# Hostname
hostname="R5.bsdrp.net"

# Enable SSHd
sshd_enable="YES"

# Enable IPv6
ipv6_enable="YES"

# Enable RFC1323 extensions
tcp_extensions="YES"

#Waiting for a default route
defaultroute_delay="5"

# Configure NIC
# Create a failover interface with only one member interface
ifconfig_em3="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport em3 DHCP"

# Configure NIC to shared-with-host LAN
# (IP depends of your VirtualBox configuration)
ifconfig_em4="192.168.56.15/24"

Saving configuration

Save configuration:

config save

Reboot

Reboot the router:

reboot

Final testing

Enable IPerf instances on R5

Launch tmux and create 2 windows, one with iperf in IPv4 (default) mode:

[root@R5]~#iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------

And a second with iperf in server IPv6 mode:

[root@R5]~#iperf -V -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------

IPerf client instances and netflow dump on R1

Now, start 2 tmux windows on R1.

On the first tmux window, start a tcpdump filtering netflow coming from R2.

[root@R1]~# tcpdump -p -i em0 -s 0 -vv udp port 2055
tcpdump: WARNING: em0: no IPv4 address assigned
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes

And on the second tmux window start an IPerf client on R1 towards R5 and check the maximum bandwidth (64kb/s for IPv4 and 128kb/s for IPv6):

[root@R1]~# iperf -c 10.0.45.5 -t 30
------------------------------------------------------------
Client connecting to 10.0.45.5, TCP port 5001
TCP window size: 33.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.12.1 port 12046 connected with 10.0.45.5 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-38.0 sec   384 KBytes  82.8 Kbits/sec

[root@R1]~# iperf -V -c 2001:db8:45:0:a8aa:ff:fe00:545 -t 30
------------------------------------------------------------
Client connecting to 2001:db8:45:0:a8aa:ff:fe00:545, TCP port 5001
TCP window size: 32.1 KByte (default)
------------------------------------------------------------
[  3] local 2001:db8:12:0:a8aa:ff:fe00:112 port 63275 connected with 2001:db8:45:0:a8aa:ff:fe00:545 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-33.5 sec   512 KBytes   125 Kbits/sec

The IPv4 traffic sent by the client to the server is more than 64Kb/s, but this is the expected behaviour because the excess traffic is dropped further along the path: to verify the traffic shaping features we need to check the bandwidth received on R5.

After the IPerf tests, check that the tcpdump (on the first tmux window) receives netflow packets from R2:

15:58:47.424286 IP (tos 0x0, ttl 64, id 9855, offset 0, flags [none], proto UDP (17), length 292)
    10.0.12.2.14197 > 10.0.12.1.2055: [udp sum ok] UDP, length 264
16:00:02.443348 IP (tos 0x0, ttl 64, id 9998, offset 0, flags [none], proto UDP (17), length 244)
    10.0.12.2.14197 > 10.0.12.1.2055: [udp sum ok] UDP, length 216
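To check what R2's fprobe is actually exporting rather than only seeing UDP datagrams in tcpdump, here is an added NetFlow v5 decoder in Python (it is not part of BSDRP or the lab scripts). The two UDP payload lengths above, 264 and 216, are exactly a 24-byte v5 header plus 5 and 4 records of 48 bytes; the sample export, its addresses and its flow counters are constructed, with the R1 to R5 flow sized to give the ~60 kbit/s measured on R5.

```python
"""Decode NetFlow v5 exports such as those fprobe on R2 sends to R1 port 2055."""
import struct
from ipaddress import IPv4Address

# version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
HEADER_FMT = "!HHIIIIBBH"
# one 48-byte v5 flow record (src, dst, nexthop, ifaces, counters, timestamps, ports, flags, ...)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def records_in_datagram(udp_payload_len):
    """How many v5 records a UDP payload of this length carries, or None if the
    length cannot be a well-formed v5 export (1..30 records, no trailing bytes)."""
    body = udp_payload_len - HEADER_LEN
    if body <= 0 or body % RECORD_LEN:
        return None
    count = body // RECORD_LEN
    return count if 1 <= count <= 30 else None


def parse_netflow_v5(payload):
    """Parse one export datagram; raises ValueError on a bad version or length."""
    if len(payload) < HEADER_LEN:
        raise ValueError("truncated NetFlow header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack_from(HEADER_FMT, payload, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export: version %d" % version)
    if len(payload) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("count field does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, nexthop, inp, out, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            struct.unpack_from(RECORD_FMT, payload, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "in_if": inp, "out_if": out,
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
        })
    return {"sequence": seq, "sysuptime_ms": uptime, "unix_secs": secs, "flows": flows}


def flow_rate_kbit(flow):
    """Average rate in kbit/s over the flow's First..Last span (None if zero-length)."""
    duration_ms = flow["last_ms"] - flow["first_ms"]
    if duration_ms <= 0:
        return None
    return flow["octets"] * 8 / duration_ms  # bits per millisecond equals kbit/s


# --- constructed sample export (not captured from the lab) -----------------------
def _record(src, sport, dst, dport, pkts, octets, first, last, flags):
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("10.0.23.3").packed, 1, 2, pkts, octets, first, last,
                       sport, dport, 0, flags, 6, 0, 0, 0, 24, 24, 0)


def build_export(records, sequence=1, uptime_ms=900000, unix_secs=1329427127):
    """Assemble a v5 datagram: header with the record count, then the records."""
    header = struct.pack(HEADER_FMT, 5, len(records), uptime_ms, unix_secs, 0,
                         sequence, 0, 0, 0)
    return header + b"".join(records)


# R1 -> R5 iperf flow (256 KiB over 35 s, i.e. the ~60 kbit/s seen on R5) and its ACK stream
SAMPLE_EXPORT = build_export([
    _record("10.0.12.1", 12046, "10.0.45.5", 5001, 300, 262144, 100000, 135000, 0x1b),
    _record("10.0.45.5", 5001, "10.0.12.1", 12046, 200, 10400, 100050, 135050, 0x1b),
])

if __name__ == "__main__":
    for f in parse_netflow_v5(SAMPLE_EXPORT)["flows"]:
        print("%s:%d -> %s:%d proto %d %d bytes %.1f kbit/s" % (
            f["src"], f["sport"], f["dst"], f["dport"], f["proto"], f["octets"],
            flow_rate_kbit(f) or 0))
```

Feeding it the payload of the datagrams captured on R1 (for example from a `tcpdump -w` file) shows per-flow counters that can be compared against the 64 Kb/s limit applied on R3.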

IPerf bandwidth result received on R5

------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  4] local 10.0.45.5 port 5001 connected with 10.0.12.1 port 41621
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-35.0 sec   256 KBytes  59.9 Kbits/sec

R5 receives about 60Kb/s of traffic.

Same behaviour for IPv6:

------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  4] local 2001:db8:45:0:a8aa:ff:fe00:545 port 5001 connected with 2001:db8:12:0:a8aa:ff:fe00:112 port 63275
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-34.8 sec   512 KBytes   120 Kbits/sec

Configuration files network backup

R1 will be used as a configuration files backup repository.

Mounting data partition on R1

[root@R1]~# mount /data/

Sending configuration archive file to R1

From all the other routers, send the configuration file to the /data partition of R1:

[root@R2]/# config put scp root@10.0.12.1:/data/R2.tar.xz
Send saved configuration by SCP to root@10.0.12.1:/data/R2.tar.xz
The authenticity of host '10.0.12.1 (10.0.12.1)' can't be established.
RSA key fingerprint is 4d:e9:ce:26:d4:2f:92:15:5e:06:97:a8:83:78:0c:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.12.1' (RSA) to the list of known hosts.
Password:
config.3803.tar.xz                            100% 7100     6.9KB/s   00:00

System integrity check

Download the mtree reference file corresponding to your BSDRP release and start a system integrity check. In this lab, we put the reference file in the /tmp folder of R1:

[root@R1]/tmp# system integrity /tmp/BSDRP_1.0_full_amd64_serial.img.mtree.xz
Here is the modified files comparing to the reference mtree file:
boot/loader.conf changed
        size expected 763 found 775
        SHA-256 expected f19f9a16e941f2134730e455a57abd02361ac1baee620dfe595e3e10d7df4b27 found fb1ae5cbf666803387c69ba2ee15420941d99bfa74375a21cb83c96f4a803f34
boot/loader.conf.orig extra
conf/base/etc/fstab changed
        link_count expected 2 found 1
        SHA-256 expected 10d43223027473cb4d856a7deee8b1e58bae760604967cb442b706d7329abfb1 found bc736171e6c4cdb33a205501e6ce3e13fc4bae59fd4d87abb85001517d989757
data changed
        permissions expected 0755 found 0555
data/.snap extra
data/R1.tar.xz extra
data/R2.tar.xz extra
data/R3.tar.xz extra
data/R4.tar.xz extra
data/R5.tar.xz extra
data/archives extra
dev extra
etc extra
tmp extra
var extra

Extra files and folders are expected given your previous tests (the configuration archives sent to /data, the mounted data partition and the writable /etc, /tmp and /var); only the changed entries deserve a closer look.
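To make clear what the integrity check above is doing, here is an added, simplified mtree-style comparison in Python (it is not BSDRP's `system integrity` implementation): a reference spec of size, mode and SHA-256 per path is compared with a scan of the live tree and reported in the same "changed / extra" style. The scenario in `demo()` is constructed in a temporary directory: one edited file and one leftover backup, mirroring the boot/loader.conf lines seen above.

```python
"""Minimal mtree-style integrity comparison: reference spec vs. the live tree."""
import hashlib
import os
import shutil
import stat
import tempfile


def scan_tree(root):
    """Walk root and record mode bits for directories and size, mode and SHA-256
    for regular files, keyed by path relative to root (POSIX paths assumed)."""
    observed = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            observed[os.path.relpath(full, root)] = {
                "type": "dir", "mode": stat.S_IMODE(os.lstat(full).st_mode)}
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            observed[os.path.relpath(full, root)] = {
                "type": "file", "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}
    return observed


def compare(reference, observed):
    """Return (path, status, diffs) tuples: 'changed' carries {attr: (expected, found)},
    'extra' marks paths absent from the reference, 'missing' reference paths not found."""
    report = []
    for path in sorted(reference):
        if path not in observed:
            report.append((path, "missing", {}))
            continue
        diffs = {attr: (expected, observed[path].get(attr))
                 for attr, expected in reference[path].items()
                 if observed[path].get(attr) != expected}
        if diffs:
            report.append((path, "changed", diffs))
    for path in sorted(set(observed) - set(reference)):
        report.append((path, "extra", {}))
    return report


def format_report(report):
    """Render the report in the same layout as the lab output above."""
    lines = []
    for path, status, diffs in report:
        lines.append("%s %s" % (path, status))
        for attr, (expected, found) in sorted(diffs.items()):
            lines.append("        %s expected %s found %s" % (attr, expected, found))
    return "\n".join(lines)


def demo():
    """Constructed scenario: loader.conf edited after install, loader.conf.orig left behind."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "boot"))
        original = b"hint.acpi.0.disabled=1\n"
        edited = original + b'kern.geom.label.disk_ident.enable="0"\n'
        with open(os.path.join(root, "boot", "loader.conf"), "wb") as fh:
            fh.write(edited)          # live file differs from the reference
        with open(os.path.join(root, "boot", "loader.conf.orig"), "wb") as fh:
            fh.write(original)        # backup copy unknown to the reference
        os.chmod(os.path.join(root, "boot", "loader.conf"), 0o644)
        os.chmod(os.path.join(root, "boot"), 0o755)
        reference = {  # what the reference mtree spec would contain
            "boot": {"type": "dir", "mode": 0o755},
            "boot/loader.conf": {"type": "file", "size": len(original), "mode": 0o644,
                                 "sha256": hashlib.sha256(original).hexdigest()},
        }
        return compare(reference, scan_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(format_report(demo()))
```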

documentation/examples/maximum_bsdrp_features_lab.txt · Last modified: 2012/02/16 21:23 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: modified BSD license