Table of Contents
Maximum BSDRP features lab
Complex example showing some of available features This lab is used for testing BSDRP before releasing new version.
Presentation
Network diagram
Here is the logical and physical view:
Setting-up the lab
Downloading BSD Router Project images
Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.
Download Lab scripts
More information on these BSDRP lab scripts available on How to build a BSDRP router lab.
Start the lab with full-meshed 6 routers.
An example with bhyve under FreeBSD:
tools/BSDRP-lab-bhyve.sh -i /usr/obj/BSDRP.amd64/BSDRP-1.80-full-amd64-serial.img.xz -n 5 -e Setting-up a virtual lab with 5 VM(s): - Working directory: /tmp/BSDRP - Each VM have 1 core(s) and 256M RAM - Emulated NIC: e1000 - Switch mode: bridge + tap - 0 LAN(s) between all VM - Full mesh Ethernet links between each VM VM 1 have the following NIC: - em0 connected to VM 2 - em1 connected to VM 3 - em2 connected to VM 4 - em3 connected to VM 5 VM 2 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 3 - em2 connected to VM 4 - em3 connected to VM 5 VM 3 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 2 - em2 connected to VM 4 - em3 connected to VM 5 VM 4 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 2 - em2 connected to VM 3 - em3 connected to VM 5 VM 5 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 2 - em2 connected to VM 3 - em3 connected to VM 4 To connect VM'serial console, you can use: - VM 1 : cu -l /dev/nmdm-BSDRP.1B - VM 2 : cu -l /dev/nmdm-BSDRP.2B - VM 3 : cu -l /dev/nmdm-BSDRP.3B - VM 4 : cu -l /dev/nmdm-BSDRP.4B - VM 5 : cu -l /dev/nmdm-BSDRP.5B
Routers configuration
In this order for avoiding DHCP client timeout problems.
All these routers can be configured with labconfig tool (use it only on a lab, because it will replace your current running configuration):
labconfig full_vm[VM-NUMBER]
Router 5 (including jail5 and jail6)
(you can use script “labconfig vm5” for automatically pushing full configuration):
sysrc hostname=R5 \
ifconfig_em3=up \
cloned_interfaces=epair0 \
ifconfig_epair0a=up \
kld_list+=" if_lagg carp"
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
cat > /etc/devfs.rules <<EOF
[devfsrules_jailpf=4]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path 'bpf*' unhide
EOF
hostname R5
service devfs restart
service netif restart
service kld start
if ifconfig -l | grep -q vtnet; then
tenant -c -j jail5 -i vtnet3,epair0a
else
tenant -c -j jail5 -i em3,epair0a
fi
tenant -c -j jail6 -i epair0b
sysrc -f /etc/jails/jail5/rc.conf hostname=jail5 \
ifconfig_em3="inet 10.0.45.5/24" \
ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" \
ifconfig_epair0a="10.0.56.5/24" \
ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64" \
ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass" \
ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass" \
rtadvd_enable=YES \
rtadvd_interfaces=epair0a \
dhcpd_enable=YES \
dhcpd_flags="-q" \
dhcpd_conf="/usr/local/etc/dhcpd.conf" \
frr_enable=YES \
frr_vtysh_boot=YES \
nfacctd_enable=YES \
pimd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/rc.conf
mkdir -p /etc/jails/jail5/local/frr
cat > /etc/jails/jail5/local/dhcpd.conf <<EOF
option domain-name "bsdrp.net";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
#Declare useless network
subnet 10.0.45.0 netmask 255.255.255.0 {
}
#Declare R1 LAN and gateway
subnet 10.0.12.0 netmask 255.255.255.0 {
range 10.0.12.1 10.0.12.1;
option routers 10.0.12.254;
}
#Declare R6 subnet and gateway
subnet 10.0.56.0 netmask 255.255.255.0 {
range 10.0.56.6 10.0.56.6;
option routers 10.0.56.254;
}
EOF
cat > /etc/jails/jail5/local/frr/frr.conf <<EOF
frr version 7.0
frr defaults traditional
hostname jail5
log syslog
!
interface em3
ip router isis BSDRP
ipv6 router isis BSDRP
!
interface epair0a
ip router isis BSDRP
ipv6 router isis BSDRP
isis passive
!
interface vtnet3
ip router isis BSDRP
ipv6 router isis BSDRP
!
router isis BSDRP
is-type level-1-2
net 49.0001.1720.1600.5005.00
!
line vty
!
bfd
!
EOF
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/local/frr/frr.conf
chown frr:frr /etc/jails/jail5/local/frr
cat > /etc/jails/jail5/local/nfacctd.conf<<EOF
daemonize: true
syslog: daemon
!
! interested in in and outbound traffic
aggregate: src_host,dst_host
nfacctd_ip: 10.0.45.5
nfacctd_port: 2055
aggregate[ip]: src_host, dst_host, timestamp_start, timestamp_end, src_port, dst_port, proto, src_as, dst_as, peer_src_ip
plugins: print[ip]
print_output: csv
print_refresh_time: 300
print_history: 5m
print_output_file[ip]: /tmp/file-%Y%m%d-%H%M.txt
print_history_roundoff: m
print_output_file_append: true
files_umask: 022
EOF
sysrc -f /etc/jails/jail6/rc.conf hostname=jail6 \
ifconfig_epair0b="up" \
cloned_interfaces="lagg0" \
ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP" \
ifconfig_lagg0_ipv6="inet6 accept_rtadv" \
rtsold_enable=YES \
bsnmpd_enable=YES \
gateway_enable=NO \
ipv6_gateway_enable=NO
service jail start
Router 2
(you can use script “labconfig vm2” for automatically pushing full configuration):
sysrc hostname=R2
sysrc rtadvd_enable=YES
sysrc rtadvd_interfaces="em0"
sysrc vlans_em1="23"
sysrc ifconfig_em1="up mtu 1528"
sysrc ifconfig_em0="inet 10.0.12.2/24"
sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
sysrc ifconfig_em1_23="inet 10.0.23.2/24"
sysrc ifconfig_em1_23_ipv6="inet6 2001:db8:23::2 prefixlen 64"
sysrc cloned_interfaces="lo1"
sysrc ifconfig_lo1="inet 10.0.0.2/32"
sysrc ifconfig_lo1_ipv6="inet6 2001:db8::2 prefixlen 128"
sysrc frr_enable=YES
sysrc frr_vtysh_boot=YES
sysrc dhcprelya_enable=YES
sysrc dhcprelya_servers="10.0.45.5"
sysrc dhcprelya_ifaces=em0
sysrc mpd_enable=YES
sysrc mpd_flags="-b -s ppp"
sysrc ipsec_enable=YES
sysrc ipsec_file="/etc/ipsec.conf"
sysrc pimd_enable=YES
sysrc freevrrpd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
cat > /usr/local/etc/freevrrpd.conf <<EOF
[VRID]
serverid = 1
interface = em0
# We want that this router is the master
priority = 101
addr = 10.0.12.254/24
password = vrid1
EOF
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /usr/local/etc/freevrrpd.conf
cat > /usr/local/etc/mpd5/if-up.sh <<EOF
#!/bin/sh
set -e
logger "\$0 called with parameters: \$@"
if [ "\$2" == "inet6" ]; then
if ifconfig \$1 \$2 2001:db8:24::2; then
logger "\$0: \$cmd successfull"
return 0
else
logger "\$0: \$cmd failed"
return 1
fi
else
return 0
fi
EOF
chmod +x /usr/local/etc/mpd5/if-up.sh
cat > /usr/local/etc/mpd5/mpd.conf <<EOF
# Configuring a server PPTP VPN with tunnels to R4
default:
load vpnipv4
load vpnipv6
vpnipv4:
# Create bundle called vpnipv4
create bundle static vpnipv4
# IP of client and server, on another subnet for avoiding problems
set ipcp ranges 10.4.24.2/32 10.4.24.4/32
# Remote LAN subnet: Learned by routing protocol
#set iface route 10.0.45.0/24
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set bundle enable crypt-reqd
set mppc yes stateless
# Create a static pptp link called lvpnipv4
create link static lvpnipv4 pptp
# Attach this link to vpnipv4
set link action bundle vpnipv4
# Set somes link settings
set link no pap
set link yes chap
set auth authname "VpnLogin4"
# Reduce the size of the outgoing packet for avoiding fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "-1"
# Client side, need to be positive (0 for allways)
set link max-redial -1
# Local WAN IP addresse
set pptp self 10.0.0.2
# Remote WAN IP addresse
set pptp peer 10.0.0.4
# Allow incoming call
set link enable incoming
vpnipv6:
# Create bundle called vpnipv6
create bundle static vpnipv6
# Don't know how to disable IPv4 ipcp
set ipcp ranges 10.6.24.2/32 10.6.24.4/32
# Enable IPv6
set bundle enable ipv6cp
# Remote LAN subnet: Learned by routing protocol
#set iface route 2001:db8:45::/64
# Need to statically set inet6 address
set iface up-script /usr/local/etc/mpd5/if-up.sh
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set bundle enable crypt-reqd
set mppc yes stateless
# Create a static pptp link called lvpnipv4
create link static lvpnipv6 pptp
# Attach this link to vpnipv6
set link action bundle vpnipv6
# Set somes link settings
set link no pap
set link yes chap
set auth authname "VpnLogin6"
# Reduce the size of the outgoing packet for avoiding fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "-1"
# Client side, need to be positive (0 for allways)
set link max-redial -1
# Local WAN IP addresse
set pptp self 2001:db8::2
# Remote WAN IP addresse
set pptp peer 2001:db8::4
# Allow incoming call
set link enable incoming
EOF
cat > /usr/local/etc/mpd5/mpd.secret <<EOF
VpnLogin4 VpnPassword4
VpnLogin6 VpnPassword6
EOF
cat > /etc/ipsec.conf <<EOF
flush ;
add 10.0.23.2 10.0.23.3 tcp 0x1000 -A tcp-md5 "abigpassword" ;
add 10.0.23.3 10.0.23.2 tcp 0x1001 -A tcp-md5 "abigpassword" ;
add -6 2001:db8:23::2 2001:db8:23::3 tcp 0x1002 -A tcp-md5 "abigpassword" ;
add -6 2001:db8:23::3 2001:db8:23::2 tcp 0x1003 -A tcp-md5 "abigpassword" ;
EOF
cat > /usr/local/etc/frr/frr.conf <<EOF
frr version 7.0
frr defaults traditional
hostname R2
log syslog
!
interface ng0
ip ospf message-digest-key 1 md5 superpass
ip ospf network point-to-point
ipv6 ospf6 passive
!
interface ng1
ipv6 ospf6 network point-to-point
!
router-id 0.0.0.2
!
router bgp 100
neighbor 10.0.23.3 remote-as 100
neighbor 10.0.23.3 password abigpassword
neighbor 2001:db8:23::3 remote-as 100
neighbor 2001:db8:23::3 password abigpassword
!
address-family ipv4 unicast
network 10.0.0.2/32
neighbor 10.0.23.3 soft-reconfiguration inbound
no neighbor 2001:db8:23::3 activate
exit-address-family
!
address-family ipv6 unicast
network 2001:db8::2/128
neighbor 2001:db8:23::3 activate
neighbor 2001:db8:23::3 soft-reconfiguration inbound
exit-address-family
!
router ospf
ospf router-id 0.0.0.2
network 10.0.12.0/24 area 0.0.0.0
network 10.4.24.0/24 area 0.0.0.0
area 0.0.0.0 authentication message-digest
!
router ospf6
interface ng1 area 0.0.0.0
interface em0 area 0.0.0.0
interface vtnet0 area 0.0.0.0
!
line vty
!
bfd
!
EOF
config save
hostname R2
service netif restart
service ipsec start
service rtadvd start
service freevrrpd start
service frr start
service dhcprelya start
service mpd5 start
service pimd start
Router 3
(you can use script “labconfig vm3” for automatically pushing full configuration):
sysrc hostname=R3
sysrc vlans_em1="23"
sysrc ifconfig_em1="up mtu 1528"
sysrc ifconfig_em1_23="inet 10.0.23.3/24"
sysrc ifconfig_em1_23_ipv6="inet6 2001:db8:23::3 prefixlen 64"
sysrc ifconfig_em2="inet 10.0.34.3/24 mtu 1528"
sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
sysrc bird_enable=YES
sysrc pf_enable=YES
sysrc pf_rules="/etc/pf.conf"
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
cat > /etc/pf.conf <<EOF
#Variables definitions
#TO_R2_if = "{" vtnet1.23 em1.23 "}"
#TO_R4_if = "{" vtnet2 em2 "}"
#R2 = "10.0.0.2/32"
#R4 = "10.0.0.4/32"
## ALTQ rules
# Queue outgoing from \$TO_R4_if (R2 => R4)
# Rate-limit inet 4 VPN traffic to 10Mb
#altq on \$TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 }
#queue VPN4_TO_R4 bandwidth 10Mb hfsc(upperlimit 10Mb)
#queue OTHER_TO_R4 bandwidth 90Mb hfsc(default)
# Queue for outgoing traffic from \$TO_R2_if (R4 => R2)
#altq on \$TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 }
#queue VPN4_TO_R2 bandwidth 10Mb hfsc(upperlimit 10Mb)
#queue OTHER_TO_R2 bandwidth 90Mb hfsc(default)
## PF rules
# R2 => R4
# Shapping works on outgoing traffic only, but need to 'mark' traffic
# entering the interface for putting returning traffic in the good queue
#pass in quick on \$TO_R2_if proto gre from \$R2 to \$R4 queue VPN4_TO_R2
# Apply ALTQ to traffic that get out from \$TO_R4_if
#pass out quick on \$TO_R4_if proto gre from \$R2 to \$R4 queue VPN4_TO_R4
# PF rules R4 => R2
#pass in quick on \$TO_R4_if proto gre from \$R4 to \$R2 queue VPN4_TO_R4
#pass out quick on \$TO_R2_if proto gre from \$R4 to \$R2 queue VPN4_TO_R2
# ALTQ is disabled since BSDRP 1.81 (too much performance impact)
pass all
EOF
cat > /usr/local/etc/bird.conf <<EOF
# Configure logging
log syslog all;
log "/var/log/bird.log" all;
log stderr all;
# Override router ID
router id 0.0.0.3;
# Sync bird routing table with kernel
protocol kernel kernel4 {
ipv4 {
export all;
};
}
protocol kernel kernel6 {
ipv6 {
export all;
};
}
# Include device route (warning, a device route is a /32)
protocol device {
scan time 10;
}
# Include directly connected networks
protocol direct {
ipv4;
ipv6;
}
protocol rip R4inet4 {
interface "vtnet2","em2" {
version 2;
};
ipv4 {
export all;
};
}
protocol rip ng R4inet6 {
interface "vtnet2","em2" ;
ipv6 {
export all;
};
}
protocol bgp R2inet4 {
local as 100;
# Bird creates IPSEC SAD entry automatically but it need to know the source IP address
# Otherwise it will use the wrong 0.0.0.0 IP as source
source address 10.0.23.3;
neighbor 10.0.23.2 as 100;
password "abigpassword";
ipv4 {
import all;
export all;
};
}
protocol bgp R2inet6 {
local as 100;
# Bird creates IPSEC SAD entry automatically but it need to know the source IP address
# Otherwise it will use the wrong :: IP as source
source address 2001:db8:23::3;
neighbor 2001:db8:23::2 as 100;
password "abigpassword";
ipv6 {
import all;
export all;
};
}
EOF
config save
hostname R3
service netif restart
service pf start
service bird start
Router 4
(you can use script “labconfig vm4” for automatically pushing full configuration):
sysrc hostname=R4
sysrc ifconfig_em3="inet 10.0.45.4/24"
sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
sysrc ifconfig_em2="10.0.34.4/24 mtu 1528"
sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
sysrc cloned_interfaces="lo1"
sysrc ifconfig_lo1="inet 10.0.0.4/32"
sysrc ifconfig_lo1_ipv6="inet6 2001:db8::4 prefixlen 128"
sysrc frr_enable=YES
sysrc frr_vtysh_boot=YES
sysrc mpd_enable=YES
sysrc mpd_flags="-b -s ppp"
sysrc firewall_enable=YES
sysrc firewall_script="/etc/ipfw.rules"
sysrc ipfw_netflow_enable=YES
sysrc ipfw_netflow_ip=10.0.45.5
sysrc ipfw_netflow_port=2055
sysrc ipfw_netflow_version=9
sysrc pimd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
cat > /usr/local/etc/frr/frr.conf <<EOF
frr version 7.0
frr defaults traditional
hostname R4
log syslog
!
interface em3
ip router isis BSDRP
ipv6 ospf6 passive
ipv6 router isis BSDRP
!
interface ng0
ip ospf message-digest-key 1 md5 superpass
ip ospf network point-to-point
ipv6 ospf6 passive
!
interface ng1
ipv6 ospf6 network point-to-point
!
!
interface vtnet3
ip router isis BSDRP
ipv6 ospf6 passive
ipv6 router isis BSDRP
!
router-id 0.0.0.4
!
router rip
network lo1
network em2
network vtnet2
version 2
!
router ripng
network lo1
network em2
network vtnet2
!
router ospf
ospf router-id 0.0.0.4
redistribute isis
passive-interface em3
passive-interface vtnet3
network 10.0.4.0/24 area 0.0.0.0
network 10.0.45.0/24 area 0.0.0.0
network 10.4.24.0/24 area 0.0.0.0
area 0.0.0.0 authentication message-digest
!
router ospf6
redistribute isis
interface ng1 area 0.0.0.0
interface vtnet3 area 0.0.0.0
!
router isis BSDRP
is-type level-1-2
net 49.0001.1720.1600.4004.00
redistribute ipv4 ospf level-1
redistribute ipv4 connected level-1
redistribute ipv6 ospf6 level-1
redistribute ipv6 connected level-1
!
line vty
!
bfd
!
EOF
cat > /usr/local/etc/mpd5/if-up.sh <<EOF
#!/bin/sh
set -e
logger "\$0 called with parameters: \$@"
if [ "\$2" == "inet6" ]; then
if ifconfig \$1 \$2 2001:db8:24::4; then
logger "\$0: \$cmd successfull"
return 0
else
logger "\$0: \$cmd failed"
return 1
fi
else
return 0
fi
EOF
chmod +x /usr/local/etc/mpd5/if-up.sh
cat > /usr/local/etc/mpd5/mpd.conf <<EOF
default:
load vpnipv4
load vpnipv6
vpnipv4:
# Create bundle called vpnipv4
create bundle static vpnipv4
# Getting IP from the server
set ipcp ranges 0.0.0.0/0
# Remote LAN subnet: Learned by ISIS
#set iface route 10.0.12.0/24
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set bundle enable crypt-reqd
set mppc yes stateless
# Create a static pptp link called lvpnipv4
create link static lvpnipv4 pptp
# Attach this link to vpnipv4
set link action bundle vpnipv4
# Set somes link settings
set link no pap
set link yes chap
set auth authname VpnLogin4
# Reduce the size of the outgoing packet for avoiding fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "-1"
# Client side, need to be positive (0 for allways)
set link max-redial 0
# Local WAN IP addresse
set pptp self 10.0.0.4
# Remote WAN IP addresse
set pptp peer 10.0.0.2
# Open (initiate) the link to the server
open
vpnipv6:
# Create bundle called vpnipv6
create bundle static vpnipv6
# Getting IP from the server
set ipcp ranges 0.0.0.0/0
# Enable IPv6
set bundle enable ipv6cp
# Remote LAN subnet: Learned by ISIS
#set iface route 2001:db8:12::/64
# Need to statically configure inet6 adress
set iface up-script /usr/local/etc/mpd5/if-up.sh
# Create a static pptp link called lvpnipv6
create link static lvpnipv6 pptp
# Attach this link to vpnipv6
set link action bundle vpnipv6
# Set somes link settings
set link no pap
set link yes chap
set auth authname VpnLogin6
# Reduce the size of the outgoing packet for avoiding fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "-1"
# Client side, need to be positive (0 for allways)
set link max-redial 0
# Local WAN IP addresse
set pptp self 2001:db8::4
# Remote WAN IP addresse
set pptp peer 2001:db8::2
# Open (initiate) the link to the server
open
EOF
cat > /usr/local/etc/mpd5/mpd.secret <<EOF
VpnLogin4 VpnPassword4
VpnLogin6 VpnPassword6
EOF
echo "# IPFW we need to let it to pass IPv6 Unknown Extension Header for IPv6 PPTP" >> /etc/sysctl.conf
echo "net.inet6.ip6.fw.deny_unknown_exthdrs=0" >> /etc/sysctl.conf
cat > /etc/ipfw.rules <<EOF
#!/bin/sh
fwcmd="/sbin/ipfw"
if ! kldstat -q -m dummynet; then
kldload dummynet
fi
# Flush out the list before we begin.
\${fwcmd} -f flush
# Create hard-limited pipes: One for each direction
\${fwcmd} pipe 60 config bw 20Mbit/s
\${fwcmd} pipe 61 config bw 20Mbit/s
\${fwcmd} pipe 40 config bw 10Mbit/s
\${fwcmd} pipe 41 config bw 10Mbit/s
# Put PPTP Traffic into pipes
\${fwcmd} add pipe 40 all from 10.0.0.4 to 10.0.0.2 out via any
\${fwcmd} add pipe 41 all from 10.0.0.2 to 10.0.0.4 in via any
\${fwcmd} add pipe 60 all from 2001:db8::4 to 2001:db8::2 out via any
\${fwcmd} add pipe 61 all from 2001:db8::2 to 2001:db8::4 in via any
# We don't want to block traffic, only shape some
\${fwcmd} add allow ip from any to any
EOF
config save
hostname R4
service netif restart
service frr start
service mpd5 start
service ipfw start
service sysctl reload
service ipfw_netflow start
service pimd start
Router 1
This router will be used for backuping all other routers configuration files, then it need a root password for enabling SSH access to it. We will use “root” password for this lab.
sysrc hostname=R1 \ gateway_enable=NO \ ipv6_gateway_enable=NO \ ifconfig_em0=up \ cloned_interfaces=lagg0 \ ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP" \ ifconfig_lagg0_ipv6="inet6 accept_rtadv" \ sshd_enable=yes ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf config save hostname R1 service routing restart service netif restart service sshd start
Final testing
IPv4 traffic shaping
From R5, enter jail6 console and launch iperf in IPv4 (default) mode:
[root@R5]~# service jail console jail6 Last login: Sun Jul 2 16:44:12 on ttyu0 BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team All rights reserved. BSDRP is under the Simplified BSD license. Documentation: http://bsdrp.net Discover BSDRP tools with "help" command Keyboard layout can be changed with this command: kbdcontrol -l keymap_file (<TAB> for list available maps) root has logged on ttyu0 from local. [root@jail6]~# iperf3 -s ----------------------------------------------------------- Server listening on 5201 -----------------------------------------------------------
Start an iperf3 client on R1, and check available bandwidth is about 10Mb/s:
[root@R1]~# iperf3 -c 10.0.56.6 Connecting to host 10.0.56.6, port 5201 [ 5] local 10.0.12.1 port 20434 connected to 10.0.56.6 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 1.04 MBytes 8.73 Mbits/sec 0 56.7 KBytes [ 5] 1.00-2.00 sec 1.15 MBytes 9.65 Mbits/sec 1 52.3 KBytes [ 5] 2.00-3.00 sec 1.14 MBytes 9.55 Mbits/sec 2 49.6 KBytes [ 5] 3.00-4.00 sec 1.13 MBytes 9.51 Mbits/sec 1 43.8 KBytes [ 5] 4.00-5.00 sec 1.13 MBytes 9.46 Mbits/sec 1 38.1 KBytes [ 5] 5.00-6.00 sec 1.15 MBytes 9.66 Mbits/sec 1 35.3 KBytes [ 5] 6.00-7.00 sec 1.15 MBytes 9.61 Mbits/sec 1 1.41 KBytes [ 5] 7.00-8.00 sec 1.14 MBytes 9.59 Mbits/sec 0 65.1 KBytes [ 5] 8.00-9.00 sec 1.14 MBytes 9.57 Mbits/sec 1 60.9 KBytes [ 5] 9.00-10.00 sec 1.14 MBytes 9.54 Mbits/sec 1 58.0 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 11.3 MBytes 9.49 Mbits/sec 9 sender [ 5] 0.00-10.04 sec 11.3 MBytes 9.41 Mbits/sec receiver iperf Done.
IPv6 traffic shaping
One jail6, display its autoconfigured inet6 address:
[root@jail6]~# ifconfig lagg0 inet6 | grep autoconf
inet6 2001:db8:56:0:ff:ff:fe00:80b prefixlen 64 autoconf
Start an iperf3 ipv6 client on R1, and check available bandwith is about 20Mb/s:
[root@R1]~# iperf3 -c 2001:db8:56:0:cf:8fff:fea9:490b Connecting to host 2001:db8:56:0:cf:8fff:fea9:490b, port 5201 [ 5] local 2001:db8:12:0:5a9c:fcff:fe01:201 port 62845 connected to 2001:db8:56:0:cf:8fff:fea9:490b port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 1.74 MBytes 14.6 Mbits/sec 0 68.2 KBytes [ 5] 1.00-2.00 sec 2.23 MBytes 18.7 Mbits/sec 3 65.2 KBytes [ 5] 2.00-3.00 sec 2.19 MBytes 18.3 Mbits/sec 2 77.6 KBytes [ 5] 3.00-4.00 sec 2.19 MBytes 18.3 Mbits/sec 8 57.1 KBytes [ 5] 4.00-5.00 sec 2.19 MBytes 18.3 Mbits/sec 2 38.0 KBytes [ 5] 5.00-6.00 sec 2.19 MBytes 18.3 Mbits/sec 1 61.2 KBytes [ 5] 6.00-7.00 sec 2.19 MBytes 18.4 Mbits/sec 2 42.1 KBytes [ 5] 7.00-8.00 sec 2.19 MBytes 18.3 Mbits/sec 1 61.2 KBytes [ 5] 8.00-9.00 sec 2.19 MBytes 18.3 Mbits/sec 2 44.8 KBytes [ 5] 9.00-10.00 sec 2.18 MBytes 18.3 Mbits/sec 1 65.3 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 21.5 MBytes 18.0 Mbits/sec 22 sender [ 5] 0.00-10.03 sec 21.3 MBytes 17.8 Mbits/sec receiver iperf Done. [root@R1]~#
And during iperf, R4 ipfw pipe showing some activity:
root@R4:~ # ipfw pipe show 00040: 10.000 Mbit/s 0 ms burst 0 q131112 50 sl. 0 flows (1 buckets) sched 65576 weight 0 lmax 0 pri 0 droptail sched 65576 type FIFO flags 0x0 0 buckets 0 active 00041: 10.000 Mbit/s 0 ms burst 0 q131113 50 sl. 0 flows (1 buckets) sched 65577 weight 0 lmax 0 pri 0 droptail sched 65577 type FIFO flags 0x0 0 buckets 0 active 00061: 20.000 Mbit/s 0 ms burst 0 q131133 50 sl. 0 flows (1 buckets) sched 65597 weight 0 lmax 0 pri 0 droptail sched 65597 type FIFO flags 0x0 0 buckets 1 active BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 ip 0.0.0.0/0 0.0.0.0/0 483 378358 9 6349 0 00060: 20.000 Mbit/s 0 ms burst 0 q131132 50 sl. 0 flows (1 buckets) sched 65596 weight 0 lmax 0 pri 0 droptail sched 65596 type FIFO flags 0x0 0 buckets 1 active 0 ip 0.0.0.0/0 0.0.0.0/0 125 15881 0 0 0
netflow
Check that netflows are collected on jail5 (/tmp/file-date-hour.txt):
[root@jail5]~# ls /tmp/file-* /tmp/file-20170630-0000.txt /tmp/file-20170630-0025.txt /tmp/file-20170630-0005.txt /tmp/file-20170630-0030.txt /tmp/file-20170630-0010.txt /tmp/file-20170630-0035.txt /tmp/file-20170630-0015.txt /tmp/file-20170630-0040.txt /tmp/file-20170630-0020.txt
SNMP
From R1, get 2 SNMP values of R6:
- The basic sysname
- The UCD module version
[root@R1]~# bsnmpget -s 10.0.56.6 sysName.0 sysName.0 = jail6 [root@R1]~# bsnmpwalk -s 10.0.56.6 1.3.6.1.4.1.2021.100.2.0 1.3.6.1.4.1.2021.100.2.0 = $Name: bsnmp-ucd-0-4-3 $
Configurations files network backup
R1 will be use as a configuration files backup repository
Mounting data partition on R1 and configure root password
[root@R1]~# mount /data/ [root@R1]~# passwd Changing local password for root New Password: Retype New Password:
Sending configuration archive file to R1
From all others routers, send the configuration file to the /data partition of R1:
[root@R2]/# config put scp root@10.0.12.1:/data/R2.tar.xz Send saved configuration by SCP to root@10.0.12.1:/data/R2.tar.xz The authenticity of host '10.0.12.1 (10.0.12.1)' can't be established. RSA key fingerprint is 4d:e9:ce:26:d4:2f:92:15:5e:06:97:a8:83:78:0c:e5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.0.12.1' (RSA) to the list of known hosts. Password: config.3803.tar.xz 100% 7100 6.9KB/s 00:00
System integrity check
Download the mtree reference file corresponding to your BSDRP release and start a system integrity check. In this lab, we put the reference file in the /tmp folder of R1:
[root@R1]~# system integrity /tmp/BSDRP-1.4-amd64-serial.mtree.xz Here is the modified files comparing to the reference mtree file: dev extra etc extra tmp extra var extra
Extra files and folder are normal regarding your previous tests.