This lab is used for testing BSDRP before releasing a new version.
Download the BSDRP serial image (which avoids having to use an X display) from SourceForge.
More information on these BSDRP lab scripts is available in How to build a BSDRP router lab.
Start the lab with 5 routers and a shared-with-host LAN. With VirtualBox under FreeBSD/Linux:
BSDRP-lab-vbox.sh -i BSDRP-1.2-full-i386-serial.img -n 5 -c
You can start in virtio mode (but ALTQ is not supported on this NIC) by adding the "-v" option.
Here is an example with the VirtualBox PowerShell script:
PS C:\Windows\system32> D:\Mes documents\BSDRP\BSDRP-lab-vbox.ps1
[Dirty Hack] Relaunching PowerShell script in STA mode
BSD Router Project - VirtualBox lab
Enabling one LAN between routers and the host ? (Permit IP access between host
and routers)
[Y] Yes [N] No [?] Help (default value is « Y ») : y
Enabling virtio mode ?
[Y] Yes [N] No [?] Help (default value is « Y ») : y
How many other LAN dedicaced to the lab? (between 0 and 7): 0
BSD Router Project - VirtualBox lab
Enable full mesh links between all routers ?
[Y] Yes [N] No [?] Help (default value is « Y ») : y
How many routers ? (between 2 and 8): 5
Setting-up a lab with 5 routers
- All routers and the host will be connected to a shared LAN
- Full mesh ethernet point-to-point link between each routers
Router 1 have the folllowing NIC:
vtnet0 connected to Router2.
vtnet1 connected to Router3.
vtnet2 connected to Router4.
vtnet3 connected to Router5.
vtnet4 connected to the shared-with-host LAN.
Router 2 have the folllowing NIC:
vtnet0 connected to Router1.
vtnet1 connected to Router3.
vtnet2 connected to Router4.
vtnet3 connected to Router5.
vtnet4 connected to the shared-with-host LAN.
Router 3 have the folllowing NIC:
vtnet0 connected to Router1.
vtnet1 connected to Router2.
vtnet2 connected to Router4.
vtnet3 connected to Router5.
vtnet4 connected to the shared-with-host LAN.
Router 4 have the folllowing NIC:
vtnet0 connected to Router1.
vtnet1 connected to Router2.
vtnet2 connected to Router3.
vtnet3 connected to Router5.
vtnet4 connected to the shared-with-host LAN.
Router 5 have the folllowing NIC:
vtnet0 connected to Router1.
vtnet1 connected to Router2.
vtnet2 connected to Router3.
vtnet3 connected to Router4.
vtnet4 connected to the shared-with-host LAN.
All routers started, connect to them using:
- For BSDRP vga release, with mstsc (included in MS Windows):
mstsc /v:127.0.0.1:505x (replacing x by router number)
- For BSDRP serial and vga release: Configure PuTTY to connect to:
connection type: Serial
serial line: \\.\pipe\BSDRP_lab_Rx (replacing x by router number)
Press any key to continue...
If you have started a virtio enabled lab, you need to enable virtio drivers.
[root@router]~# system virtualized
This step will configure BSDRP for being use as a VM:
- Reduce kern.hz to 100
- Load virtio modules
Do you want to continue ? (y/n): y
A reboot is needed for apply changes.
Don't forget to modify rc.conf for declaring ifconfig_vtnetX
This router will be used to back up the configuration files of all the other routers, so it needs a root password to enable SSH access to it. We will use "root" as the password for this lab.
[root@router]~# passwd
Changing local password for root
New Password: root
Retype New Password: root
Create this /etc/rc.conf file:
cat > /etc/rc.conf <<'EOF'
# Hostname
hostname="R1.bsdrp.net"
# Enable SSHd
sshd_enable="YES"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
# Enable RFC1323 extensions
tcp_extensions="YES"
# Waiting for a default route
defaultroute_delay="5"
# Configure NIC to R2
# Create an aggregate interface with only one interface
ifconfig_vtnet0="up"
ifconfig_em0="up"
cloned_interfaces="lagg0"
#ifconfig_lagg0="laggproto lacp laggport vtnet0 SYNCDHCP"
ifconfig_lagg0="laggproto lacp laggport em0 SYNCDHCP"
ifconfig_lagg0_ipv6="inet6 accept_rtadv"
# Configure NIC to shared-with-host LAN
# (IP depends on your VirtualBox configuration)
ifconfig_vtnet4="inet 192.168.56.11/24"
ifconfig_em4="inet 192.168.56.11/24"
EOF
Save configuration:
config save
Reboot the router:
reboot
If you have started a virtio enabled lab, you need to enable virtio drivers.
[root@router]~# system virtualized
This step will configure BSDRP for being use as a VM:
- Reduce kern.hz to 100
- Load virtio modules
Do you want to continue ? (y/n): y
A reboot is needed for apply changes.
Don't forget to modify rc.conf for declaring ifconfig_vtnetX
Create this /etc/rc.conf file:
cat > /etc/rc.conf <<'EOF'
# Hostname
hostname="R2.bsdrp.net"
# Enable SSHd
sshd_enable="YES"
# Enable routing
gateway_enable="YES"
ipv6_gateway_enable="YES"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
# Enable Router Advertisement on interface to R1
rtadvd_enable="YES"
rtadvd_interfaces="vtnet0 em0"
# Enable RFC1323 extensions
tcp_extensions="YES"
# Configure NIC to R1
ifconfig_vtnet0="inet 10.0.12.2/24"
ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
ifconfig_em0="inet 10.0.12.2/24"
ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
# Configure NIC to R3
ifconfig_vtnet1="inet 10.0.23.2/24"
ifconfig_vtnet1_ipv6="inet6 2001:db8:23::2 prefixlen 64"
ifconfig_em1="inet 10.0.23.2/24"
ifconfig_em1_ipv6="inet6 2001:db8:23::2 prefixlen 64"
# Create carp interface
# This command will be obsolete in 10.0 (merged to the ifconfig_physical_if)
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass testpass 10.0.12.254/24"
# Configure IPv6 on carp0, but don't know how to advertise it with rtadv
ipv6_ifconfig_carp0="vhid 1 pass testpass6 2001:db8:12::fe prefixlen 64"
# Configure NIC to shared-with-host LAN
# (IP depends on your VirtualBox configuration)
ifconfig_vtnet4="inet 192.168.56.12/24"
ifconfig_em4="inet 192.168.56.12/24"
# Start Quagga
quagga_enable="YES"
quagga_flags="-d -A 127.0.0.1"
quagga_daemons="zebra ripd ripngd"
# Start and configure DHCP Relay
dhcrelay_enable="YES"
dhcrelay_servers="10.0.3.3"
#dhcrelay_ifaces="vtnet0 vtnet1"
dhcrelay_ifaces="em0 em1"
# Enable PPP VPN
mpd_enable="YES"
mpd_flags="-b -s ppp"
# Enable netflow (promiscuous mode not needed)
fprobe_enable="YES"
#fprobe_flags="-p -i vtnet0 10.0.12.1:2055"
fprobe_flags="-p -i em0 10.0.12.1:2055"
EOF
This file configures a PPTP VPN server with tunnels to R4.
Create this mpd.conf file:
cat > /usr/local/etc/mpd5/mpd.conf <<'EOF'
default:
    load vpnipv4
    load vpnipv6
vpnipv4:
    # Create bundle called vpnipv4
    create bundle static vpnipv4
    # IP of client and server, on another subnet for avoiding problems
    set ipcp ranges 10.4.15.2/32 10.4.15.4/32
    # Remote LAN subnet
    set iface route 10.0.45.0/24
    # Enable Microsoft Point-to-Point encryption (MPPE)
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set bundle enable crypt-reqd
    set mppc yes stateless
    # Create a static pptp link called lvpnipv4
    create link static lvpnipv4 pptp
    # Attach this link to vpnipv4
    set link action bundle vpnipv4
    # Set some link settings
    set link no pap
    set link yes chap
    set auth authname "VpnLogin4"
    # Reduce the size of the outgoing packet for avoiding fragmentation
    set link mtu 1460
    set link keep-alive 10 75
    # max-redial:
    # Server side, needs to be "-1"
    # Client side, needs to be positive (0 for always)
    set link max-redial -1
    # Local WAN IP address
    set pptp self 10.0.23.2
    # Remote WAN IP address
    set pptp peer 10.0.34.4
    # Allow incoming call
    set link enable incoming
vpnipv6:
    # Create bundle called vpnipv6
    create bundle static vpnipv6
    # Don't know how to disable IPv4 ipcp
    set ipcp ranges 10.6.15.2/32 10.6.15.4/32
    # Enable IPv6
    set bundle enable ipv6cp
    # Remote LAN subnet
    set iface route 2001:db8:45::/64
    # Enable Microsoft Point-to-Point encryption (MPPE)
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set bundle enable crypt-reqd
    set mppc yes stateless
    # Create a static pptp link called lvpnipv6
    create link static lvpnipv6 pptp
    # Attach this link to vpnipv6
    set link action bundle vpnipv6
    # Set some link settings
    set link no pap
    set link yes chap
    set auth authname "VpnLogin6"
    # Reduce the size of the outgoing packet for avoiding fragmentation
    set link mtu 1460
    set link keep-alive 10 75
    # max-redial:
    # Server side, needs to be "-1"
    # Client side, needs to be positive (0 for always)
    set link max-redial -1
    # Local WAN IP address
    set pptp self 2001:db8:23::2
    # Remote WAN IP address
    set pptp peer 2001:db8:34::4
    # Allow incoming call
    set link enable incoming
EOF
This file stores the remote user names and passwords for the PPTP VPN.
Create this mpd.secret file:
cat > /usr/local/etc/mpd5/mpd.secret <<'EOF'
VpnLogin4 VpnPassword4
VpnLogin6 VpnPassword6
EOF
Now configure Quagga:
cli
conf t
key chain pass
key 1
key-string rippassword
exit
exit
interface em1
ip rip authentication mode md5 auth-length rfc
ip rip authentication key-chain pass
interface vtnet1
ip rip authentication mode md5 auth-length rfc
ip rip authentication key-chain pass
router rip
network 10.0.23.0/24
network 10.0.12.0/24
passive-interface vtnet0
passive-interface em0
exit
router ripng
network 2001:db8:12::/64
network 2001:db8:23::/64
passive-interface vtnet0
passive-interface em0
exit
exit
wr
exit
Save configuration:
config save
Reboot the router:
reboot
[root@router]~# system virtualized
This step will configure BSDRP for being use as a VM:
- Reduce kern.hz to 100
- Load virtio modules
Do you want to continue ? (y/n): y
A reboot is needed for apply changes.
Don't forget to modify rc.conf for declaring ifconfig_vtnetX
Create this /etc/rc.conf file:
cat > /etc/rc.conf <<'EOF'
# Hostname
hostname="R3.bsdrp.net"
# Enable SSHd
sshd_enable="YES"
# Enable routing
gateway_enable="YES"
ipv6_gateway_enable="YES"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
# Enable RFC1323 extensions
tcp_extensions="YES"
# Configure NIC
ifconfig_vtnet1="inet 10.0.23.3/24"
ifconfig_em1="inet 10.0.23.3/24"
ifconfig_vtnet2="inet 10.0.34.3/24"
ifconfig_em2="inet 10.0.34.3/24"
ifconfig_vtnet1_ipv6="inet6 2001:db8:23::3 prefixlen 64"
ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64"
ifconfig_vtnet2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
# Create a loopback interface
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.3.3/24"
ifconfig_lo1_ipv6="inet6 2001:db8:3::3 prefixlen 64"
# Configure NIC to shared-with-host LAN
# (IP depends on your VirtualBox configuration)
ifconfig_vtnet4="inet 192.168.56.13/24"
ifconfig_em4="inet 192.168.56.13/24"
# Start Quagga and some routing daemon
quagga_enable="YES"
quagga_flags="-d -A 127.0.0.1"
quagga_daemons="zebra ripd ripngd ospfd ospf6d"
# Start DHCP server
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
# Enable ALTQ (pf)
pf_enable="YES"
pf_rules="/etc/pf.conf"
EOF
Create this /etc/pf.conf file:
cat > /etc/pf.conf <<'EOF'
#Variables definitions
TO_R2_if = "{" vtnet1 em1 "}"
TO_R4_if = "{" vtnet2 em2 "}"
R2 = "10.0.23.2/32"
R4 = "10.0.34.4/32"
## ALTQ rules
# Queue outgoing from $TO_R4_if (R2 => R4)
# Rate-limit VPN traffic to 64Kb
altq on $TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 }
queue VPN4_TO_R4 bandwidth 64Kb hfsc(upperlimit 64Kb)
queue OTHER_TO_R4 bandwidth 99Mb hfsc(default)
# Queue for outgoing traffic from $TO_R2_if (R4 => R2)
altq on $TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 }
queue VPN4_TO_R2 bandwidth 64Kb hfsc(upperlimit 64Kb)
queue OTHER_TO_R2 bandwidth 99Mb hfsc(default)
## PF rules
# R2 => R4
# Shaping works on outgoing traffic only, but we need to 'mark' traffic
# entering the interface to put returning traffic in the right queue
pass in quick on $TO_R2_if proto gre from $R2 to $R4 queue VPN4_TO_R2
# Apply ALTQ to traffic that get out from $TO_R4_if
pass out quick on $TO_R4_if proto gre from $R2 to $R4 queue VPN4_TO_R4
# PF rules R4 => R2
pass in quick on $TO_R4_if proto gre from $R4 to $R2 queue VPN4_TO_R4
pass out quick on $TO_R2_if proto gre from $R4 to $R2 queue VPN4_TO_R2
EOF
Create this dhcpd.conf file:
cat > /usr/local/etc/dhcpd.conf <<'EOF'
option domain-name "bsdrp.net";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
#Declare loopback network
subnet 10.0.3.0 netmask 255.255.255.0 {
}
#Declare em1/vtnet1 network
subnet 10.0.23.0 netmask 255.255.255.0 {
}
#Declare em2/vtnet2 network
subnet 10.0.34.0 netmask 255.255.255.0 {
}
#Declare R1 LAN and gateway
subnet 10.0.12.0 netmask 255.255.255.0 {
range 10.0.12.1 10.0.12.1;
option routers 10.0.12.254;
}
#Declare R5 subnet and gateway
subnet 10.0.45.0 netmask 255.255.255.0 {
range 10.0.45.5 10.0.45.5;
option routers 10.0.45.254;
}
EOF
Now configure Quagga:
cli
conf t
key chain pass
key 1
key-string rippassword
exit
exit
interface vtnet1
ip rip authentication mode md5 auth-length rfc
ip rip authentication key-chain pass
interface em1
ip rip authentication mode md5 auth-length rfc
ip rip authentication key-chain pass
int vtnet2
ospf message-digest-key 1 md5 superpass
int em2
ospf message-digest-key 1 md5 superpass
exit
router rip
network 10.0.23.0/24
network 10.0.34.0/24
network 10.0.3.0/24
passive-interface vtnet2
passive-interface em2
exit
router ripng
network 2001:db8:3::/64
network 2001:db8:23::/64
network 2001:db8:34::/64
passive-interface vtnet2
passive-interface em2
exit
router ospf
router-id 0.0.0.3
network 10.0.3.0/24 area 0.0.0.0
network 10.0.23.0/24 area 0.0.0.0
network 10.0.34.0/24 area 0.0.0.0
passive-interface vtnet1
passive-interface em1
area 0.0.0.0 authentication message-digest
exit
int vtnet1
ipv6 ospf6 passive
int em1
ipv6 ospf6 passive
exit
router ospf6
router-id 0.0.0.3
interface vtnet2 area 0.0.0.0
interface vtnet1 area 0.0.0.0
interface em2 area 0.0.0.0
interface em1 area 0.0.0.0
interface lo1 area 0.0.0.0
exit
exit
wr
exit
Save configuration:
config save
Reboot the router:
reboot
[root@router]~# system virtualized
This step will configure BSDRP for being use as a VM:
- Reduce kern.hz to 100
- Load virtio modules
Do you want to continue ? (y/n): y
A reboot is needed for apply changes.
Don't forget to modify rc.conf for declaring ifconfig_vtnetX
Edit /etc/rc.conf file:
cat > /etc/rc.conf <<'EOF'
# Hostname
hostname="R4.bsdrp.net"
# Enable SSHd
sshd_enable="YES"
# Enable routing
gateway_enable="YES"
ipv6_gateway_enable="YES"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
# Enable Router Advertisement:
rtadvd_enable="YES"
rtadvd_interfaces="vtnet3 em3"
# Enable RFC1323 extensions
tcp_extensions="YES"
# Default route: Set to "NO" for quagga and Bird
defaultrouter="NO"
# Waiting for a default route
defaultroute_delay="5"
# Configure NIC
ifconfig_vtnet3="inet 10.0.45.4/24"
ifconfig_vtnet3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
ifconfig_em3="inet 10.0.45.4/24"
ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
ifconfig_vtnet2="10.0.34.4/24"
ifconfig_vtnet2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
ifconfig_em2="10.0.34.4/24"
ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
# Configure NIC to shared-with-host LAN
# (IP depends on your VirtualBox configuration)
ifconfig_vtnet4="inet 192.168.56.14/24"
ifconfig_em4="inet 192.168.56.14/24"
# Enable bird and bird6
bird_enable="YES"
bird6_enable="YES"
# Enable VRRP:
freevrrpd_enable="YES"
# Enable and configure DHCP Relay
dhcrelay_enable="YES"
dhcrelay_servers="10.0.3.3"
#dhcrelay_ifaces="vtnet3 vtnet2"
dhcrelay_ifaces="em3 em2"
# Enable PPP VPN
mpd_enable="YES"
mpd_flags="-b -s ppp"
# Enable IPFW/Dummynet shaping
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
EOF
Create bird (IPv4) configuration file:
cat > /usr/local/etc/bird.conf <<'EOF'
# Configure logging
log syslog all;
log "/var/log/bird.log" all;
log stderr all;
# Override router ID
router id 0.0.0.4;
# Sync bird routing table with kernel
protocol kernel {
#import all;
export all;
}
# Include device route (warning, a device route is a /32)
protocol device {
scan time 10;
}
# Include directly connected network
protocol direct {
interface "vtnet3", "em3";
}
protocol ospf R4 {
export all;
rfc1583compat yes;
area 0.0.0.0 {
interface "vtnet2","em2" {
cost 10;
type broadcast;
passwords {
password "superpass" {
id 1;
};
};
authentication cryptographic;
};
};
}
EOF
Create bird (IPv6) configuration file:
cat > /usr/local/etc/bird6.conf <<'EOF'
# Configure logging
log syslog all;
log "/var/log/bird6.log" all;
log stderr all;
# Override router ID
router id 0.0.0.4;
# Sync bird routing table with kernel
protocol kernel {
#import all;
export all;
}
protocol device {
scan time 10;
}
protocol direct {
interface "vtnet3","em3";
}
protocol ospf R4 {
export all;
rfc1583compat yes;
area 0.0.0.0 {
interface "vtnet2","em2" {
cost 10;
type broadcast;
};
};
}
EOF
Create the client mpd (PPTP VPN) configuration:
cat > /usr/local/etc/mpd5/mpd.conf <<'EOF'
default:
    load vpnipv4
    load vpnipv6
vpnipv4:
    # Create bundle called vpnipv4
    create bundle static vpnipv4
    # Getting IP from the server
    set ipcp ranges 0.0.0.0/0
    # Remote LAN subnet
    set iface route 10.0.12.0/24
    # Enable Microsoft Point-to-Point encryption (MPPE)
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set bundle enable crypt-reqd
    set mppc yes stateless
    # Create a static pptp link called lvpnipv4
    create link static lvpnipv4 pptp
    # Attach this link to vpnipv4
    set link action bundle vpnipv4
    # Set some link settings
    set link no pap
    set link yes chap
    set auth authname VpnLogin4
    # Reduce the size of the outgoing packet for avoiding fragmentation
    set link mtu 1460
    set link keep-alive 10 75
    # max-redial:
    # Server side, needs to be "-1"
    # Client side, needs to be positive (0 for always)
    set link max-redial 0
    # Local WAN IP address
    set pptp self 10.0.34.4
    # Remote WAN IP address
    set pptp peer 10.0.23.2
    # Open (initiate) the link to the server
    open
vpnipv6:
    # Create bundle called vpnipv6
    create bundle static vpnipv6
    # Getting IP from the server
    set ipcp ranges 0.0.0.0/0
    # Enable IPv6
    set bundle enable ipv6cp
    # Remote LAN subnet
    set iface route 2001:db8:12::/64
    # Create a static pptp link called lvpnipv6
    create link static lvpnipv6 pptp
    # Attach this link to vpnipv6
    set link action bundle vpnipv6
    # Set some link settings
    set link no pap
    set link yes chap
    set auth authname VpnLogin6
    # Reduce the size of the outgoing packet for avoiding fragmentation
    set link mtu 1460
    set link keep-alive 10 75
    # max-redial:
    # Server side, needs to be "-1"
    # Client side, needs to be positive (0 for always)
    set link max-redial 0
    # Local WAN IP address
    set pptp self 2001:db8:34::4
    # Remote WAN IP address
    set pptp peer 2001:db8:23::2
    # Open (initiate) the link to the server
    open
EOF
This file stores the user names and passwords for the PPTP VPN.
Edit mpd.secret file:
cat > /usr/local/etc/mpd5/mpd.secret <<'EOF'
VpnLogin4 VpnPassword4
VpnLogin6 VpnPassword6
EOF
Create FreeVRRPd configuration file:
cat > /usr/local/etc/freevrrpd.conf <<'EOF'
[VRID]
serverid = 1
#interface = vtnet3
interface = em3
# We want this router to be the master
priority = 101
addr = 10.0.45.254/24
password = vrid1
EOF
Before enabling IPFW, we need to let it pass IPv6 unknown extension headers; otherwise IPv6 PPTP links will be denied.
echo "net.inet6.ip6.fw.deny_unknown_exthdrs=0" >> /etc/sysctl.conf
Create rules that shape IPv6 PPTP tunnel with IPFW:
cat > /etc/ipfw.rules <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw"
if ! kldstat -q -m dummynet; then
kldload dummynet
fi
# Flush out the list before we begin.
${fwcmd} -f flush
#Need to reduce the default queue size too
#explanation on chapter "7.2.1. Pipe Queues"
#http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
${fwcmd} pipe 10 config bw 128Kbit/s queue 10Kbytes
${fwcmd} pipe 20 config bw 128Kbit/s queue 10Kbytes
#Traffic getting out vtnet2, is VPN PPTP traffic
${fwcmd} add 1000 pipe 10 all from 2001:db8:34::4 to 2001:db8:23::2 out via any
#Traffic getting out em3, is clear traffic
${fwcmd} add 2000 pipe 20 all from 2001:db8:12::/64 to 2001:db8:45::/64 out via any
#We don't want to block traffic, only shape some
${fwcmd} add 3000 allow ip from any to any
EOF
Save configuration:
config save
Reboot the router:
reboot
[root@router]~# system virtualized
This step will configure BSDRP for being use as a VM:
- Reduce kern.hz to 100
- Load virtio modules
Do you want to continue ? (y/n): y
A reboot is needed for apply changes.
Don't forget to modify rc.conf for declaring ifconfig_vtnetX
Edit /etc/rc.conf file:
cat > /etc/rc.conf <<'EOF'
# Hostname
hostname="R5.bsdrp.net"
# Enable SSHd
sshd_enable="YES"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
# Enable RFC1323 extensions
tcp_extensions="YES"
# Waiting for a default route
defaultroute_delay="5"
# Configure NIC
# Create a failover interface with only one interface
ifconfig_vtnet3="up"
ifconfig_em3="up"
cloned_interfaces="lagg0"
#ifconfig_lagg0="laggproto failover laggport vtnet3 SYNCDHCP"
ifconfig_lagg0="laggproto failover laggport em3 SYNCDHCP"
ifconfig_lagg0_ipv6="inet6 accept_rtadv"
# Configure NIC to shared-with-host LAN
# (IP depends on your VirtualBox configuration)
ifconfig_vtnet4="inet 192.168.56.15/24"
ifconfig_em4="inet 192.168.56.15/24"
# Enable snmpd
bsnmpd_enable="YES"
EOF
Save configuration:
config save
Reboot the router:
reboot
Launch tmux and create 2 windows, one with iperf in IPv4 (default) mode:
[root@R5]~#iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
And a second with iperf in server IPv6 mode:
[root@R5]~#iperf -V -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
Now, start 2 tmux windows on R1.
On the first tmux window, start a tcpdump filtering netflow coming from R2.
[root@R1]~# tcpdump -p -i em0 -s 0 -vv udp port 2055
tcpdump: WARNING: em0: no IPv4 address assigned
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
On the second tmux window, start an iperf client from R1 to R5 and check the maximum bandwidth (64kb/s for IPv4 and 128kb/s for IPv6):
[root@R1]~# iperf -c 10.0.45.5 -t 30
------------------------------------------------------------
Client connecting to 10.0.45.5, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 10.0.12.1 port 51097 connected with 10.0.45.5 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-45.1 sec 384 KBytes 69.7 Kbits/sec
[root@R1]~# iperf -V -c 2001:db8:45:0:a8aa:ff:fe00:545 -t 30
------------------------------------------------------------
Client connecting to 2001:db8:45:0:a8aa:ff:fe00:545, TCP port 5001
TCP window size: 32.1 KByte (default)
------------------------------------------------------------
[ 3] local 2001:db8:12:0:a8aa:ff:fe01:101 port 60512 connected with 2001:db8:45:0:a8aa:ff:fe00:545 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-32.3 sec 512 KBytes 130 Kbits/sec
The IPv4 traffic sent by the client to the server is more than 64Kb/s, but this is correct behavior because the excess traffic is dropped later. To verify the traffic shaping features, we need to check the bandwidth received on R5.
After the iperf tests, check that the tcpdump (on the first tmux window) received netflow packets from R2:
15:58:47.424286 IP (tos 0x0, ttl 64, id 9855, offset 0, flags [none], proto UDP (17), length 292)
10.0.12.2.14197 > 10.0.12.1.2055: [udp sum ok] UDP, length 264
16:00:02.443348 IP (tos 0x0, ttl 64, id 9998, offset 0, flags [none], proto UDP (17), length 244)
10.0.12.2.14197 > 10.0.12.1.2055: [udp sum ok] UDP, length 216
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[ 4] local 10.0.45.5 port 5001 connected with 10.0.12.1 port 41621
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-35.0 sec 256 KBytes 59.9 Kbits/sec
R5 receives about 60Kb/s of traffic.
Same behaviour for IPv6:
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[ 4] local 2001:db8:45:0:a8aa:ff:fe00:545 port 5001 connected with 2001:db8:12:0:a8aa:ff:fe00:112 port 63275
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-34.8 sec 512 KBytes 120 Kbits/sec
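The receiver-side check described above can be scripted. The following is an added example, not part of the BSDRP lab scripts: a POSIX sh helper that reads an iperf report and compares the received rate with the shaping limit (64 for the ALTQ queue, 128 for the IPFW pipe). The function names, the 5% tolerance and the 50% floor are assumptions; the sample reports are the ones shown on this page.

```sh
#!/bin/sh
# Added example (not part of the BSDRP lab scripts): verify traffic shaping
# from an iperf report. Function names, the 5% tolerance and the 50% floor
# are assumptions made for this illustration.

# Print the bandwidth of the last report line read on stdin, in Kbits/sec.
# Unit prefixes are converted with a factor of 1000 (assumption).
rate_kbits() {
    awk '
        # Report lines end with "<value> <prefix>bits/sec"
        $NF ~ /^[KMG]?bits\/sec$/ {
            v = $(NF - 1); u = substr($NF, 1, 1)
            if (u == "b") v /= 1000            # bits/sec
            else if (u == "M") v *= 1000       # Mbits/sec
            else if (u == "G") v *= 1000000    # Gbits/sec
            rate = v; found = 1
        }
        END { if (!found) exit 1; printf "%.1f\n", rate }
    '
}

# check_shaping LIMIT_KBITS [TOLERANCE_PCT] [FLOOR_PCT]
# Returns 0 when the rate lies between FLOOR% of the limit and the limit
# plus TOLERANCE%, 1 when it is outside that window, 2 when the input
# holds no iperf report line.
check_shaping() {
    limit=$1 tol=${2:-5} floor=${3:-50}
    rate=$(rate_kbits) || { echo "ERROR: no iperf report line"; return 2; }
    awk -v r="$rate" -v l="$limit" -v t="$tol" -v f="$floor" 'BEGIN {
        if (r > l * (1 + t / 100)) {
            printf "FAIL: %s Kbits/sec exceeds the %s Kbits/sec limit\n", r, l
            exit 1
        }
        if (r < l * f / 100) {
            printf "FAIL: %s Kbits/sec is far below the %s Kbits/sec limit\n", r, l
            exit 1
        }
        printf "PASS: %s Kbits/sec is within the %s Kbits/sec limit\n", r, l
    }'
}

# Reports copied from this page: received on R5 (IPv4, IPv6), sent by R1.
R5_IPV4='[ ID] Interval Transfer Bandwidth
[ 4] 0.0-35.0 sec 256 KBytes 59.9 Kbits/sec'
R5_IPV6='[ ID] Interval Transfer Bandwidth
[ 4] 0.0-34.8 sec 512 KBytes 120 Kbits/sec'
R1_IPV4_SENT='[ ID] Interval Transfer Bandwidth
[ 3] 0.0-45.1 sec 384 KBytes 69.7 Kbits/sec'

demo() {
    printf '%s\n' "$R5_IPV4" | check_shaping 64 || true
    printf '%s\n' "$R5_IPV6" | check_shaping 128 || true
    # The sender-side figure overshoots the limit: it is the wrong one to check.
    printf '%s\n' "$R1_IPV4_SENT" | check_shaping 64 || true
}
demo
```

On a live lab, pipe the output of the iperf server window on R5 into check_shaping instead of the embedded samples.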
From R1, get 2 SNMP values of R5:
[root@R1]~# bsnmpget -s 10.0.45.5 sysName.0
sysName.0 = R5.bsdrp.net
[root@R1]~# bsnmpwalk -s 10.0.45.5 1.3.6.1.4.1.2021.100.2.0
1.3.6.1.4.1.2021.100.2.0 = $Name: bsnmp-ucd-0-3-6 $
R1 will be used as a backup repository for configuration files:
[root@R1]~# mount /data/
From all the other routers, send the configuration file to the /data partition of R1:
[root@R2]/# config put scp root@10.0.12.1:/data/R2.tar.xz
Send saved configuration by SCP to root@10.0.12.1:/data/R2.tar.xz
The authenticity of host '10.0.12.1 (10.0.12.1)' can't be established.
RSA key fingerprint is 4d:e9:ce:26:d4:2f:92:15:5e:06:97:a8:83:78:0c:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.12.1' (RSA) to the list of known hosts.
Password:
config.3803.tar.xz 100% 7100 6.9KB/s 00:00
Download the mtree reference file corresponding to your BSDRP release and start a system integrity check. In this lab, we put the reference file in the /tmp folder of R1:
[root@R1]~# system integrity /tmp/BSDRP-1.4-amd64-serial.mtree.xz
Here is the modified files comparing to the reference mtree file:
dev extra
etc extra
tmp extra
var extra
The extra files and folders are expected given the previous tests.