- en
- fr
Table of Contents
Maximum BSDRP features lab
Complex example showing some of available features This lab is used for testing BSDRP before releasing new version.
Presentation
Network diagram
Setting-up the lab
Downloading BSD Router Project images
Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.
Download Lab scripts
More information on these BSDRP lab scripts available on How to build a BSDRP router lab.
Start the lab with full-meshed 6 routers.
An example with bhyve under FreeBSD:
tools/BSDRP-lab-bhyve.sh -i /usr/obj/BSDRP.amd64/BSDRP-1.80-full-amd64-serial.img.xz -n 5 -e Setting-up a virtual lab with 5 VM(s): - Working directory: /tmp/BSDRP - Each VM have 1 core(s) and 256M RAM - Emulated NIC: e1000 - Switch mode: bridge + tap - 0 LAN(s) between all VM - Full mesh Ethernet links between each VM VM 1 have the following NIC: - em0 connected to VM 2 - em1 connected to VM 3 - em2 connected to VM 4 - em3 connected to VM 5 VM 2 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 3 - em2 connected to VM 4 - em3 connected to VM 5 VM 3 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 2 - em2 connected to VM 4 - em3 connected to VM 5 VM 4 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 2 - em2 connected to VM 3 - em3 connected to VM 5 VM 5 have the following NIC: - em0 connected to VM 1 - em1 connected to VM 2 - em2 connected to VM 3 - em3 connected to VM 4 To connect VM'serial console, you can use: - VM 1 : cu -l /dev/nmdm-BSDRP.1B - VM 2 : cu -l /dev/nmdm-BSDRP.2B - VM 3 : cu -l /dev/nmdm-BSDRP.3B - VM 4 : cu -l /dev/nmdm-BSDRP.4B - VM 5 : cu -l /dev/nmdm-BSDRP.5B
Routers configuration
In this order for avoiding DHCP client timeout problems.
All these routers can be configured with labconfig tool (use it only on a lab, because it will replace your current running configuration):
labconfig full_vm[VM-NUMBER]
Router 5 (including jail5 and jail6)
(you can use script “labconfig vm5” for automatically pushing full configuration):
sysrc hostname=R5 \ ifconfig_em3=up \ cloned_interfaces=epair0 \ ifconfig_epair0a=up \ kld_list+=" if_lagg carp" ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf cat > /etc/devfs.rules <<EOF [devfsrules_jailpf=4] add include \$devfsrules_hide_all add include \$devfsrules_unhide_basic add include \$devfsrules_unhide_login add path 'bpf*' unhide EOF hostname R5 service devfs restart service netif restart service kld start if ifconfig -l | grep -q vtnet; then tenant -c -j jail5 -i vtnet3,epair0a else tenant -c -j jail5 -i em3,epair0a fi tenant -c -j jail6 -i epair0b sysrc -f /etc/jails/jail5/rc.conf hostname=jail5 \ ifconfig_em3="inet 10.0.45.5/24" \ ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" \ ifconfig_epair0a="10.0.56.5/24" \ ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64" \ ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass" \ ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass" \ rtadvd_enable=YES \ rtadvd_interfaces=epair0a \ dhcpd_enable=YES \ dhcpd_flags="-q" \ dhcpd_conf="/usr/local/etc/dhcpd.conf" \ frr_enable=YES \ frr_vtysh_boot=YES \ nfacctd_enable=YES \ pimd_enable=YES ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/rc.conf mkdir -p /etc/jails/jail5/local/frr cat > /etc/jails/jail5/local/dhcpd.conf <<EOF option domain-name "bsdrp.net"; default-lease-time 600; max-lease-time 7200; ddns-update-style none; #Declare useless network subnet 10.0.45.0 netmask 255.255.255.0 { } #Declare R1 LAN and gateway subnet 10.0.12.0 netmask 255.255.255.0 { range 10.0.12.1 10.0.12.1; option routers 10.0.12.254; } #Declare R6 subnet and gateway subnet 10.0.56.0 netmask 255.255.255.0 { range 10.0.56.6 10.0.56.6; option routers 10.0.56.254; } EOF cat > /etc/jails/jail5/local/frr/frr.conf <<EOF frr version 7.0 frr defaults traditional hostname jail5 log syslog ! interface em3 ip router isis BSDRP ipv6 router isis BSDRP ! interface epair0a ip router isis BSDRP ipv6 router isis BSDRP isis passive ! interface vtnet3 ip router isis BSDRP ipv6 router isis BSDRP ! router isis BSDRP is-type level-1-2 net 49.0001.1720.1600.5005.00 ! line vty ! bfd ! EOF ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/local/frr/frr.conf chown frr:frr /etc/jails/jail5/local/frr cat > /etc/jails/jail5/local/nfacctd.conf<<EOF daemonize: true syslog: daemon ! ! interested in in and outbound traffic aggregate: src_host,dst_host nfacctd_ip: 10.0.45.5 nfacctd_port: 2055 aggregate[ip]: src_host, dst_host, timestamp_start, timestamp_end, src_port, dst_port, proto, src_as, dst_as, peer_src_ip plugins: print[ip] print_output: csv print_refresh_time: 300 print_history: 5m print_output_file[ip]: /tmp/file-%Y%m%d-%H%M.txt print_history_roundoff: m print_output_file_append: true files_umask: 022 EOF sysrc -f /etc/jails/jail6/rc.conf hostname=jail6 \ ifconfig_epair0b="up" \ cloned_interfaces="lagg0" \ ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP" \ ifconfig_lagg0_ipv6="inet6 accept_rtadv" \ rtsold_enable=YES \ bsnmpd_enable=YES \ gateway_enable=NO \ ipv6_gateway_enable=NO service jail start
Router 2
(you can use script “labconfig vm2” for automatically pushing full configuration):
sysrc hostname=R2 sysrc rtadvd_enable=YES sysrc rtadvd_interfaces="em0" sysrc vlans_em1="23" sysrc ifconfig_em1="up mtu 1528" sysrc ifconfig_em0="inet 10.0.12.2/24" sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64" sysrc ifconfig_em1_23="inet 10.0.23.2/24" sysrc ifconfig_em1_23_ipv6="inet6 2001:db8:23::2 prefixlen 64" sysrc cloned_interfaces="lo1" sysrc ifconfig_lo1="inet 10.0.0.2/32" sysrc ifconfig_lo1_ipv6="inet6 2001:db8::2 prefixlen 128" sysrc frr_enable=YES sysrc frr_vtysh_boot=YES sysrc dhcprelya_enable=YES sysrc dhcprelya_servers="10.0.45.5" sysrc dhcprelya_ifaces=em0 sysrc mpd_enable=YES sysrc mpd_flags="-b -s ppp" sysrc ipsec_enable=YES sysrc ipsec_file="/etc/ipsec.conf" sysrc pimd_enable=YES sysrc freevrrpd_enable=YES ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf cat > /usr/local/etc/freevrrpd.conf <<EOF [VRID] serverid = 1 interface = em0 # We want that this router is the master priority = 101 addr = 10.0.12.254/24 password = vrid1 EOF ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /usr/local/etc/freevrrpd.conf cat > /usr/local/etc/mpd5/if-up.sh <<EOF #!/bin/sh set -e logger "\$0 called with parameters: \$@" if [ "\$2" == "inet6" ]; then if ifconfig \$1 \$2 2001:db8:24::2; then logger "\$0: \$cmd successfull" return 0 else logger "\$0: \$cmd failed" return 1 fi else return 0 fi EOF chmod +x /usr/local/etc/mpd5/if-up.sh cat > /usr/local/etc/mpd5/mpd.conf <<EOF # Configuring a server PPTP VPN with tunnels to R4 default: load vpnipv4 load vpnipv6 vpnipv4: # Create bundle called vpnipv4 create bundle static vpnipv4 # IP of client and server, on another subnet for avoiding problems set ipcp ranges 10.4.24.2/32 10.4.24.4/32 # Remote LAN subnet: Learned by routing protocol #set iface route 10.0.45.0/24 # Enable Microsoft Point-to-Point encryption (MPPE) set bundle enable compression set ccp yes mppc set mppc yes e40 set mppc yes e128 set bundle enable crypt-reqd set mppc yes stateless # Create a static pptp link called lvpnipv4 create link static lvpnipv4 pptp # Attach this link to vpnipv4 set link action bundle vpnipv4 # Set somes link settings set link no pap set link yes chap set auth authname "VpnLogin4" # Reduce the size of the outgoing packet for avoiding fragmentation set link mtu 1460 set link keep-alive 10 75 # max-redial: # Server side, need to be "-1" # Client side, need to be positive (0 for allways) set link max-redial -1 # Local WAN IP addresse set pptp self 10.0.0.2 # Remote WAN IP addresse set pptp peer 10.0.0.4 # Allow incoming call set link enable incoming vpnipv6: # Create bundle called vpnipv6 create bundle static vpnipv6 # Don't know how to disable IPv4 ipcp set ipcp ranges 10.6.24.2/32 10.6.24.4/32 # Enable IPv6 set bundle enable ipv6cp # Remote LAN subnet: Learned by routing protocol #set iface route 2001:db8:45::/64 # Need to statically set inet6 address set iface up-script /usr/local/etc/mpd5/if-up.sh # Enable Microsoft Point-to-Point encryption (MPPE) set bundle enable compression set ccp yes mppc set mppc yes e40 set mppc yes e128 set bundle enable crypt-reqd set mppc yes stateless # Create a static pptp link called lvpnipv4 create link static lvpnipv6 pptp # Attach this link to vpnipv6 set link action bundle vpnipv6 # Set somes link settings set link no pap set link yes chap set auth authname "VpnLogin6" # Reduce the size of the outgoing packet for avoiding fragmentation set link mtu 1460 set link keep-alive 10 75 # max-redial: # Server side, need to be "-1" # Client side, need to be positive (0 for allways) set link max-redial -1 # Local WAN IP addresse set pptp self 2001:db8::2 # Remote WAN IP addresse set pptp peer 2001:db8::4 # Allow incoming call set link enable incoming EOF cat > /usr/local/etc/mpd5/mpd.secret <<EOF VpnLogin4 VpnPassword4 VpnLogin6 VpnPassword6 EOF cat > /etc/ipsec.conf <<EOF flush ; add 10.0.23.2 10.0.23.3 tcp 0x1000 -A tcp-md5 "abigpassword" ; add 10.0.23.3 10.0.23.2 tcp 0x1001 -A tcp-md5 "abigpassword" ; add -6 2001:db8:23::2 2001:db8:23::3 tcp 0x1002 -A tcp-md5 "abigpassword" ; add -6 2001:db8:23::3 2001:db8:23::2 tcp 0x1003 -A tcp-md5 "abigpassword" ; EOF cat > /usr/local/etc/frr/frr.conf <<EOF frr version 7.0 frr defaults traditional hostname R2 log syslog ! interface ng0 ip ospf message-digest-key 1 md5 superpass ip ospf network point-to-point ipv6 ospf6 passive ! interface ng1 ipv6 ospf6 network point-to-point ! router-id 0.0.0.2 ! router bgp 100 neighbor 10.0.23.3 remote-as 100 neighbor 10.0.23.3 password abigpassword neighbor 2001:db8:23::3 remote-as 100 neighbor 2001:db8:23::3 password abigpassword ! address-family ipv4 unicast network 10.0.0.2/32 neighbor 10.0.23.3 soft-reconfiguration inbound no neighbor 2001:db8:23::3 activate exit-address-family ! address-family ipv6 unicast network 2001:db8::2/128 neighbor 2001:db8:23::3 activate neighbor 2001:db8:23::3 soft-reconfiguration inbound exit-address-family ! router ospf ospf router-id 0.0.0.2 network 10.0.12.0/24 area 0.0.0.0 network 10.4.24.0/24 area 0.0.0.0 area 0.0.0.0 authentication message-digest ! router ospf6 interface ng1 area 0.0.0.0 interface em0 area 0.0.0.0 interface vtnet0 area 0.0.0.0 ! line vty ! bfd ! EOF config save hostname R2 service netif restart service ipsec start service rtadvd start service freevrrpd start service frr start service dhcprelya start service mpd5 start service pimd start
Router 3
(you can use script “labconfig vm3” for automatically pushing full configuration):
sysrc hostname=R3 sysrc vlans_em1="23" sysrc ifconfig_em1="up mtu 1528" sysrc ifconfig_em1_23="inet 10.0.23.3/24" sysrc ifconfig_em1_23_ipv6="inet6 2001:db8:23::3 prefixlen 64" sysrc ifconfig_em2="inet 10.0.34.3/24 mtu 1528" sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64" sysrc bird_enable=YES sysrc pf_enable=YES sysrc pf_rules="/etc/pf.conf" ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf cat > /etc/pf.conf <<EOF #Variables definitions #TO_R2_if = "{" vtnet1.23 em1.23 "}" #TO_R4_if = "{" vtnet2 em2 "}" #R2 = "10.0.0.2/32" #R4 = "10.0.0.4/32" ## ALTQ rules # Queue outgoing from \$TO_R4_if (R2 => R4) # Rate-limit inet 4 VPN traffic to 10Mb #altq on \$TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 } #queue VPN4_TO_R4 bandwidth 10Mb hfsc(upperlimit 10Mb) #queue OTHER_TO_R4 bandwidth 90Mb hfsc(default) # Queue for outgoing traffic from \$TO_R2_if (R4 => R2) #altq on \$TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 } #queue VPN4_TO_R2 bandwidth 10Mb hfsc(upperlimit 10Mb) #queue OTHER_TO_R2 bandwidth 90Mb hfsc(default) ## PF rules # R2 => R4 # Shapping works on outgoing traffic only, but need to 'mark' traffic # entering the interface for putting returning traffic in the good queue #pass in quick on \$TO_R2_if proto gre from \$R2 to \$R4 queue VPN4_TO_R2 # Apply ALTQ to traffic that get out from \$TO_R4_if #pass out quick on \$TO_R4_if proto gre from \$R2 to \$R4 queue VPN4_TO_R4 # PF rules R4 => R2 #pass in quick on \$TO_R4_if proto gre from \$R4 to \$R2 queue VPN4_TO_R4 #pass out quick on \$TO_R2_if proto gre from \$R4 to \$R2 queue VPN4_TO_R2 # ALTQ is disabled since BSDRP 1.81 (too much performance impact) pass all EOF cat > /usr/local/etc/bird.conf <<EOF # Configure logging log syslog all; log "/var/log/bird.log" all; log stderr all; # Override router ID router id 0.0.0.3; # Sync bird routing table with kernel protocol kernel kernel4 { ipv4 { export all; }; } protocol kernel kernel6 { ipv6 { export all; }; } # Include device route (warning, a device route is a /32) protocol device { scan time 10; } # Include directly connected networks protocol direct { ipv4; ipv6; } protocol rip R4inet4 { interface "vtnet2","em2" { version 2; }; ipv4 { export all; }; } protocol rip ng R4inet6 { interface "vtnet2","em2" ; ipv6 { export all; }; } protocol bgp R2inet4 { local as 100; # Bird creates IPSEC SAD entry automatically but it need to know the source IP address # Otherwise it will use the wrong 0.0.0.0 IP as source source address 10.0.23.3; neighbor 10.0.23.2 as 100; password "abigpassword"; ipv4 { import all; export all; }; } protocol bgp R2inet6 { local as 100; # Bird creates IPSEC SAD entry automatically but it need to know the source IP address # Otherwise it will use the wrong :: IP as source source address 2001:db8:23::3; neighbor 2001:db8:23::2 as 100; password "abigpassword"; ipv6 { import all; export all; }; } EOF config save hostname R3 service netif restart service pf start service bird start
Router 4
(you can use script “labconfig vm4” for automatically pushing full configuration):
sysrc hostname=R4 sysrc ifconfig_em3="inet 10.0.45.4/24" sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64" sysrc ifconfig_em2="10.0.34.4/24 mtu 1528" sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" sysrc cloned_interfaces="lo1" sysrc ifconfig_lo1="inet 10.0.0.4/32" sysrc ifconfig_lo1_ipv6="inet6 2001:db8::4 prefixlen 128" sysrc frr_enable=YES sysrc frr_vtysh_boot=YES sysrc mpd_enable=YES sysrc mpd_flags="-b -s ppp" sysrc firewall_enable=YES sysrc firewall_script="/etc/ipfw.rules" sysrc ipfw_netflow_enable=YES sysrc ipfw_netflow_ip=10.0.45.5 sysrc ipfw_netflow_port=2055 sysrc ipfw_netflow_version=9 sysrc pimd_enable=YES ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf cat > /usr/local/etc/frr/frr.conf <<EOF frr version 7.0 frr defaults traditional hostname R4 log syslog ! interface em3 ip router isis BSDRP ipv6 ospf6 passive ipv6 router isis BSDRP ! interface ng0 ip ospf message-digest-key 1 md5 superpass ip ospf network point-to-point ipv6 ospf6 passive ! interface ng1 ipv6 ospf6 network point-to-point ! ! interface vtnet3 ip router isis BSDRP ipv6 ospf6 passive ipv6 router isis BSDRP ! router-id 0.0.0.4 ! router rip network lo1 network em2 network vtnet2 version 2 ! router ripng network lo1 network em2 network vtnet2 ! router ospf ospf router-id 0.0.0.4 redistribute isis passive-interface em3 passive-interface vtnet3 network 10.0.4.0/24 area 0.0.0.0 network 10.0.45.0/24 area 0.0.0.0 network 10.4.24.0/24 area 0.0.0.0 area 0.0.0.0 authentication message-digest ! router ospf6 redistribute isis interface ng1 area 0.0.0.0 interface vtnet3 area 0.0.0.0 ! router isis BSDRP is-type level-1-2 net 49.0001.1720.1600.4004.00 redistribute ipv4 ospf level-1 redistribute ipv4 connected level-1 redistribute ipv6 ospf6 level-1 redistribute ipv6 connected level-1 ! line vty ! bfd ! EOF cat > /usr/local/etc/mpd5/if-up.sh <<EOF #!/bin/sh set -e logger "\$0 called with parameters: \$@" if [ "\$2" == "inet6" ]; then if ifconfig \$1 \$2 2001:db8:24::4; then logger "\$0: \$cmd successfull" return 0 else logger "\$0: \$cmd failed" return 1 fi else return 0 fi EOF chmod +x /usr/local/etc/mpd5/if-up.sh cat > /usr/local/etc/mpd5/mpd.conf <<EOF default: load vpnipv4 load vpnipv6 vpnipv4: # Create bundle called vpnipv4 create bundle static vpnipv4 # Getting IP from the server set ipcp ranges 0.0.0.0/0 # Remote LAN subnet: Learned by ISIS #set iface route 10.0.12.0/24 # Enable Microsoft Point-to-Point encryption (MPPE) set bundle enable compression set ccp yes mppc set mppc yes e40 set mppc yes e128 set bundle enable crypt-reqd set mppc yes stateless # Create a static pptp link called lvpnipv4 create link static lvpnipv4 pptp # Attach this link to vpnipv4 set link action bundle vpnipv4 # Set somes link settings set link no pap set link yes chap set auth authname VpnLogin4 # Reduce the size of the outgoing packet for avoiding fragmentation set link mtu 1460 set link keep-alive 10 75 # max-redial: # Server side, need to be "-1" # Client side, need to be positive (0 for allways) set link max-redial 0 # Local WAN IP addresse set pptp self 10.0.0.4 # Remote WAN IP addresse set pptp peer 10.0.0.2 # Open (initiate) the link to the server open vpnipv6: # Create bundle called vpnipv6 create bundle static vpnipv6 # Getting IP from the server set ipcp ranges 0.0.0.0/0 # Enable IPv6 set bundle enable ipv6cp # Remote LAN subnet: Learned by ISIS #set iface route 2001:db8:12::/64 # Need to statically configure inet6 adress set iface up-script /usr/local/etc/mpd5/if-up.sh # Create a static pptp link called lvpnipv6 create link static lvpnipv6 pptp # Attach this link to vpnipv6 set link action bundle vpnipv6 # Set somes link settings set link no pap set link yes chap set auth authname VpnLogin6 # Reduce the size of the outgoing packet for avoiding fragmentation set link mtu 1460 set link keep-alive 10 75 # max-redial: # Server side, need to be "-1" # Client side, need to be positive (0 for allways) set link max-redial 0 # Local WAN IP addresse set pptp self 2001:db8::4 # Remote WAN IP addresse set pptp peer 2001:db8::2 # Open (initiate) the link to the server open EOF cat > /usr/local/etc/mpd5/mpd.secret <<EOF VpnLogin4 VpnPassword4 VpnLogin6 VpnPassword6 EOF echo "# IPFW we need to let it to pass IPv6 Unknown Extension Header for IPv6 PPTP" >> /etc/sysctl.conf echo "net.inet6.ip6.fw.deny_unknown_exthdrs=0" >> /etc/sysctl.conf cat > /etc/ipfw.rules <<EOF #!/bin/sh fwcmd="/sbin/ipfw" if ! kldstat -q -m dummynet; then kldload dummynet fi # Flush out the list before we begin. \${fwcmd} -f flush # Create hard-limited pipes: One for each direction \${fwcmd} pipe 60 config bw 20Mbit/s \${fwcmd} pipe 61 config bw 20Mbit/s \${fwcmd} pipe 40 config bw 10Mbit/s \${fwcmd} pipe 41 config bw 10Mbit/s # Put PPTP Traffic into pipes \${fwcmd} add pipe 40 all from 10.0.0.4 to 10.0.0.2 out via any \${fwcmd} add pipe 41 all from 10.0.0.2 to 10.0.0.4 in via any \${fwcmd} add pipe 60 all from 2001:db8::4 to 2001:db8::2 out via any \${fwcmd} add pipe 61 all from 2001:db8::2 to 2001:db8::4 in via any # We don't want to block traffic, only shape some \${fwcmd} add allow ip from any to any EOF config save hostname R4 service netif restart service frr start service mpd5 start service ipfw start service sysctl reload service ipfw_netflow start service pimd start
Router 1
This router will be used for backuping all other routers configuration files, then it need a root password for enabling SSH access to it. We will use “root” password for this lab.
sysrc hostname=R1 \ gateway_enable=NO \ ipv6_gateway_enable=NO \ ifconfig_em0=up \ cloned_interfaces=lagg0 \ ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP" \ ifconfig_lagg0_ipv6="inet6 accept_rtadv" \ sshd_enable=yes ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf config save hostname R1 service routing restart service netif restart service sshd start
Final testing
IPv4 traffic shaping
From R5, enter jail6 console and launch iperf in IPv4 (default) mode:
[root@R5]~# service jail console jail6 Last login: Sun Jul 2 16:44:12 on ttyu0 BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team All rights reserved. BSDRP is under the Simplified BSD license. Documentation: http://bsdrp.net Discover BSDRP tools with "help" command Keyboard layout can be changed with this command: kbdcontrol -l keymap_file (<TAB> for list available maps) root has logged on ttyu0 from local. [root@jail6]~# iperf3 -s ----------------------------------------------------------- Server listening on 5201 -----------------------------------------------------------
Start an iperf3 client on R1, and check available bandwidth is about 10Mb/s:
[root@R1]~# iperf3 -c 10.0.56.6 Connecting to host 10.0.56.6, port 5201 [ 5] local 10.0.12.1 port 20434 connected to 10.0.56.6 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 1.04 MBytes 8.73 Mbits/sec 0 56.7 KBytes [ 5] 1.00-2.00 sec 1.15 MBytes 9.65 Mbits/sec 1 52.3 KBytes [ 5] 2.00-3.00 sec 1.14 MBytes 9.55 Mbits/sec 2 49.6 KBytes [ 5] 3.00-4.00 sec 1.13 MBytes 9.51 Mbits/sec 1 43.8 KBytes [ 5] 4.00-5.00 sec 1.13 MBytes 9.46 Mbits/sec 1 38.1 KBytes [ 5] 5.00-6.00 sec 1.15 MBytes 9.66 Mbits/sec 1 35.3 KBytes [ 5] 6.00-7.00 sec 1.15 MBytes 9.61 Mbits/sec 1 1.41 KBytes [ 5] 7.00-8.00 sec 1.14 MBytes 9.59 Mbits/sec 0 65.1 KBytes [ 5] 8.00-9.00 sec 1.14 MBytes 9.57 Mbits/sec 1 60.9 KBytes [ 5] 9.00-10.00 sec 1.14 MBytes 9.54 Mbits/sec 1 58.0 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 11.3 MBytes 9.49 Mbits/sec 9 sender [ 5] 0.00-10.04 sec 11.3 MBytes 9.41 Mbits/sec receiver iperf Done.
IPv6 traffic shaping
One jail6, display its autoconfigured inet6 address:
[root@jail6]~# ifconfig lagg0 inet6 | grep autoconf inet6 2001:db8:56:0:ff:ff:fe00:80b prefixlen 64 autoconf
Start an iperf3 ipv6 client on R1, and check available bandwith is about 20Mb/s:
[root@R1]~# iperf3 -c 2001:db8:56:0:cf:8fff:fea9:490b Connecting to host 2001:db8:56:0:cf:8fff:fea9:490b, port 5201 [ 5] local 2001:db8:12:0:5a9c:fcff:fe01:201 port 62845 connected to 2001:db8:56:0:cf:8fff:fea9:490b port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 1.74 MBytes 14.6 Mbits/sec 0 68.2 KBytes [ 5] 1.00-2.00 sec 2.23 MBytes 18.7 Mbits/sec 3 65.2 KBytes [ 5] 2.00-3.00 sec 2.19 MBytes 18.3 Mbits/sec 2 77.6 KBytes [ 5] 3.00-4.00 sec 2.19 MBytes 18.3 Mbits/sec 8 57.1 KBytes [ 5] 4.00-5.00 sec 2.19 MBytes 18.3 Mbits/sec 2 38.0 KBytes [ 5] 5.00-6.00 sec 2.19 MBytes 18.3 Mbits/sec 1 61.2 KBytes [ 5] 6.00-7.00 sec 2.19 MBytes 18.4 Mbits/sec 2 42.1 KBytes [ 5] 7.00-8.00 sec 2.19 MBytes 18.3 Mbits/sec 1 61.2 KBytes [ 5] 8.00-9.00 sec 2.19 MBytes 18.3 Mbits/sec 2 44.8 KBytes [ 5] 9.00-10.00 sec 2.18 MBytes 18.3 Mbits/sec 1 65.3 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 21.5 MBytes 18.0 Mbits/sec 22 sender [ 5] 0.00-10.03 sec 21.3 MBytes 17.8 Mbits/sec receiver iperf Done. [root@R1]~#
And during iperf, R4 ipfw pipe showing some activity:
root@R4:~ # ipfw pipe show 00040: 10.000 Mbit/s 0 ms burst 0 q131112 50 sl. 0 flows (1 buckets) sched 65576 weight 0 lmax 0 pri 0 droptail sched 65576 type FIFO flags 0x0 0 buckets 0 active 00041: 10.000 Mbit/s 0 ms burst 0 q131113 50 sl. 0 flows (1 buckets) sched 65577 weight 0 lmax 0 pri 0 droptail sched 65577 type FIFO flags 0x0 0 buckets 0 active 00061: 20.000 Mbit/s 0 ms burst 0 q131133 50 sl. 0 flows (1 buckets) sched 65597 weight 0 lmax 0 pri 0 droptail sched 65597 type FIFO flags 0x0 0 buckets 1 active BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 ip 0.0.0.0/0 0.0.0.0/0 483 378358 9 6349 0 00060: 20.000 Mbit/s 0 ms burst 0 q131132 50 sl. 0 flows (1 buckets) sched 65596 weight 0 lmax 0 pri 0 droptail sched 65596 type FIFO flags 0x0 0 buckets 1 active 0 ip 0.0.0.0/0 0.0.0.0/0 125 15881 0 0 0
netflow
Check that netflows are collected on jail5 (/tmp/file-date-hour.txt):
[root@jail5]~# ls /tmp/file-* /tmp/file-20170630-0000.txt /tmp/file-20170630-0025.txt /tmp/file-20170630-0005.txt /tmp/file-20170630-0030.txt /tmp/file-20170630-0010.txt /tmp/file-20170630-0035.txt /tmp/file-20170630-0015.txt /tmp/file-20170630-0040.txt /tmp/file-20170630-0020.txt
SNMP
From R1, get 2 SNMP values of R6:
- The basic sysname
- The UCD module version
[root@R1]~# bsnmpget -s 10.0.56.6 sysName.0 sysName.0 = jail6 [root@R1]~# bsnmpwalk -s 10.0.56.6 1.3.6.1.4.1.2021.100.2.0 1.3.6.1.4.1.2021.100.2.0 = $Name: bsnmp-ucd-0-4-3 $
Configurations files network backup
R1 will be use as a configuration files backup repository
Mounting data partition on R1 and configure root password
[root@R1]~# mount /data/ [root@R1]~# passwd Changing local password for root New Password: Retype New Password:
Sending configuration archive file to R1
From all others routers, send the configuration file to the /data partition of R1:
[root@R2]/# config put scp root@10.0.12.1:/data/R2.tar.xz Send saved configuration by SCP to root@10.0.12.1:/data/R2.tar.xz The authenticity of host '10.0.12.1 (10.0.12.1)' can't be established. RSA key fingerprint is 4d:e9:ce:26:d4:2f:92:15:5e:06:97:a8:83:78:0c:e5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.0.12.1' (RSA) to the list of known hosts. Password: config.3803.tar.xz 100% 7100 6.9KB/s 00:00
System integrity check
Download the mtree reference file corresponding to your BSDRP release and start a system integrity check. In this lab, we put the reference file in the /tmp folder of R1:
[root@R1]~# system integrity /tmp/BSDRP-1.4-amd64-serial.mtree.xz Here is the modified files comparing to the reference mtree file: dev extra etc extra tmp extra var extra
Extra files and folder are normal regarding your previous tests.