====== Maximum BSDRP features lab ======
{{description>
This lab is used for testing BSDRP before releasing a new version.

===== Presentation =====

==== Network diagram ====

Here is the logical and physical view:

{{:

===== Setting-up the lab =====

==== Downloading BSD Router Project images ====

Download the BSDRP serial image (so that no X display is needed) from Sourceforge.

==== Download Lab scripts ====

More information on these BSDRP lab scripts is available on [[documentation:

Start the lab with 6 full-meshed routers.

An example with bhyve under FreeBSD:

<code>
tools/
Setting-up a virtual lab with 5 VM(s):
- Working directory: /tmp/BSDRP
- Each VM have 1 core(s) and 256M RAM
- Emulated NIC: e1000
- Switch mode: bridge + tap
- 0 LAN(s) between all VM
- Full mesh Ethernet links between each VM
VM 1 have the following NIC:
- em0 connected to VM 2
- em1 connected to VM 3
- em2 connected to VM 4
- em3 connected to VM 5
VM 2 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 3
- em2 connected to VM 4
- em3 connected to VM 5
VM 3 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 2
- em2 connected to VM 4
- em3 connected to VM 5
VM 4 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 2
- em2 connected to VM 3
- em3 connected to VM 5
VM 5 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 2
- em2 connected to VM 3
- em3 connected to VM 4
To connect VM'
- VM 1 : cu -l /
- VM 2 : cu -l /
- VM 3 : cu -l /
- VM 4 : cu -l /
- VM 5 : cu -l /
</code>
===== Routers configuration =====

Configure the routers in the order given below to avoid DHCP client timeout problems.

All these routers can be configured with the labconfig tool (use it only in a lab, because it replaces your current running configuration):
<code>
labconfig full_vm[VM-NUMBER]
</code>

==== Router 5 (including jail5 and jail6) ====

(the script “labconfig vm5” pushes this full configuration automatically):

<code>
sysrc hostname=R5
sysrc ifconfig_em3=up
sysrc cloned_interfaces=epair0
sysrc ifconfig_epair0a=up
sysrc kld_list+="
ifconfig -l | grep -q vtnet && sed -i ""
cat > /
[devfsrules_jailpf=4]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path '
EOF

hostname R5
service devfs restart
service netif restart
service kld start
if ifconfig -l | grep -q vtnet; then
tenant -c -j jail5 -i vtnet3,
else
tenant -c -j jail5 -i em3,epair0a
fi
tenant -c -j jail6 -i epair0b
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
ifconfig -l | grep -q vtnet && sed -i ""
mkdir -p /
cat > /
option domain-name "
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
#Declare useless network
subnet 10.0.45.0 netmask 255.255.255.0 {
}
#Declare R1 LAN and gateway
subnet 10.0.12.0 netmask 255.255.255.0 {
range 10.0.12.1 10.0.12.1;
option routers 10.0.12.254;
}
#Declare R6 subnet and gateway
subnet 10.0.56.0 netmask 255.255.255.0 {
range 10.0.56.6 10.0.56.6;
option routers 10.0.56.254;
}
EOF

cat > /
frr version 7.0
frr defaults traditional
hostname jail5
log syslog
!
interface em3
ip router isis BSDRP
ipv6 router isis BSDRP
!
interface epair0a
ip router isis BSDRP
ipv6 router isis BSDRP
isis passive
!
interface vtnet3
ip router isis BSDRP
ipv6 router isis BSDRP
!
router isis BSDRP

net 49.0001.1720.1600.5005.00
!
line vty
!
bfd
!
EOF

ifconfig -l | grep -q vtnet && sed -i ""
chown frr:frr /

cat > /
daemonize: true
syslog: daemon
!
! interested in in and outbound traffic
aggregate: src_host,
nfacctd_ip: 10.0.45.5
nfacctd_port:
aggregate[ip]:
plugins: print[ip]
print_output:
print_refresh_time:
print_history:
print_output_file[ip]:
print_history_roundoff:
print_output_file_append:
files_umask:
EOF

sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
sysrc -f /
service jail start
</code>


==== Router 2 ====

(the script “labconfig vm2” pushes this full configuration automatically):

<code>
sysrc hostname=R2
sysrc rtadvd_enable=YES
sysrc rtadvd_interfaces="
sysrc vlans_em1="
sysrc ifconfig_em1="
sysrc ifconfig_em0="
sysrc ifconfig_em0_ipv6="
sysrc ifconfig_em1_23="
sysrc ifconfig_em1_23_ipv6="
sysrc cloned_interfaces="
sysrc ifconfig_lo1="
sysrc ifconfig_lo1_ipv6="
sysrc frr_enable=YES
sysrc frr_vtysh_boot=YES
sysrc dhcprelya_enable=YES
sysrc dhcprelya_servers="
sysrc dhcprelya_ifaces=em0
sysrc mpd_enable=YES
sysrc mpd_flags="
sysrc ipsec_enable=YES
sysrc ipsec_file="/
sysrc pimd_enable=YES
sysrc freevrrpd_enable=YES
ifconfig -l | grep -q vtnet && sed -i ""

cat > /
[VRID]
serverid = 1
interface = em0
# We want this router to be the master
priority = 101
addr = 10.0.12.254/
password = vrid1
EOF

ifconfig -l | grep -q vtnet && sed -i ""

cat > /
#!/bin/sh
set -e
logger "\$0 called with parameters: \$@"
if [ "
if ifconfig \$1 \$2 2001:
logger "\$0: \$cmd successful"
return 0
else
logger "\$0: \$cmd failed"
return 1
fi
else
return 0
fi
EOF

chmod +x /

cat > /
# Configuring a server PPTP VPN with tunnels to R4
default:
load vpnipv4
load vpnipv6
vpnipv4:
# Create bundle called vpnipv4
create bundle static vpnipv4
# IP of client and server, on another subnet to avoid problems
set ipcp ranges 10.4.24.2/
# Remote LAN subnet: Learned by routing protocol
#set iface route 10.0.45.0/
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set bundle enable crypt-reqd
set mppc yes stateless
# Create a static pptp link called lvpnipv4
create link static lvpnipv4 pptp
# Attach this link to vpnipv4
set link action bundle vpnipv4
# Set some link settings
set link no pap
set link yes chap
set auth authname "
# Reduce the size of the outgoing packet to avoid fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "
# Client side, need to be positive (0 for always)
set link max-redial -1
# Local WAN IP address
set pptp self 10.0.0.2
# Remote WAN IP address
set pptp peer 10.0.0.4
# Allow incoming call
set link enable incoming
vpnipv6:
# Create bundle called vpnipv6
create bundle static vpnipv6
# Don't know how to disable IPv4 ipcp
set ipcp ranges 10.6.24.2/
# Enable IPv6
set bundle enable ipv6cp
# Remote LAN subnet: Learned by routing protocol
#set iface route 2001:
# Need to statically set inet6 address
set iface up-script /
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set bundle enable crypt-reqd
set mppc yes stateless
# Create a static pptp link called lvpnipv6
create link static lvpnipv6 pptp
# Attach this link to vpnipv6
set link action bundle vpnipv6
# Set some link settings
set link no pap
set link yes chap
set auth authname "
# Reduce the size of the outgoing packet to avoid fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "
# Client side, need to be positive (0 for always)
set link max-redial -1
# Local WAN IP address
set pptp self 2001:db8::2
# Remote WAN IP address
set pptp peer 2001:db8::4
# Allow incoming call
set link enable incoming
EOF

cat > /
VpnLogin4
VpnLogin6
EOF

cat > /
flush ;
add 10.0.23.2 10.0.23.3 tcp 0x1000 -A tcp-md5 "
add 10.0.23.3 10.0.23.2 tcp 0x1001 -A tcp-md5 "
add -6 2001:
add -6 2001:
EOF

cat > /
frr version 7.0
frr defaults traditional
hostname R2
log syslog
!
interface ng0
ip ospf message-digest-key 1 md5 superpass
ip ospf network point-to-point
ipv6 ospf6 passive
!
interface ng1
ipv6 ospf6 network point-to-point
!
router-id 0.0.0.2
!
router bgp 100




!

network 10.0.0.2/32
neighbor 10.0.23.3 soft-reconfiguration inbound
no neighbor 2001:

!

network 2001:
neighbor 2001:
neighbor 2001:

!
router ospf
ospf router-id 0.0.0.2


area 0.0.0.0 authentication message-digest
!
router ospf6



!
line vty
!
bfd
!
EOF

config save
hostname R2
service netif restart
service ipsec start
service rtadvd start
service freevrrpd start
service frr start
service dhcprelya start
service mpd5 start
service pimd start
</code>
==== Router 3 ====

(the script “labconfig vm3” pushes this full configuration automatically):

<code>
sysrc hostname=R3
sysrc vlans_em1="
sysrc ifconfig_em1="
sysrc ifconfig_em1_23="
sysrc ifconfig_em1_23_ipv6="
sysrc ifconfig_em2="
sysrc ifconfig_em2_ipv6="
sysrc bird_enable=YES
sysrc bird6_enable=YES
sysrc pf_enable=YES
sysrc pf_rules="/
ifconfig -l | grep -q vtnet && sed -i ""

cat > /
# ALTQ is disabled since BSDRP 1.81 (too much performance impact)
pass all
EOF

cat > /
# Configure logging
log syslog all;
log "/
log stderr all;

# Override router ID
router id 0.0.0.3;

# Sync bird routing table with kernel
protocol kernel {
export all;
}

# Include device route (warning, a device route is a /32)
protocol device {
scan time 10;
}

# Include directly connected network
protocol direct {
interface "
}

protocol rip R4 {
export all;
interface "
version 2;
password "
authentication cryptographic;
};
}

protocol bgp R2 {
local as 100;
# Bird creates the IPsec SAD entry automatically, but it needs to know the source IP address
# Otherwise it will use the wrong 0.0.0.0 IP as source
source address 10.0.23.3;
neighbor 10.0.23.2 as 100;
password "
import all;
export all;
}
EOF

cat > /
# Configure logging
log syslog all;
log "/
log stderr all;

# Override router ID
router id 0.0.0.3;

# Sync bird routing table with kernel
protocol kernel {
export all;
}

protocol device {
scan time 10;
}
protocol direct {
interface "
}

protocol rip R4 {
export all;
interface "
}

protocol bgp R2 {
local as 100;
# Bird creates the IPsec SAD entry automatically, but it needs to know the source IP address
# Otherwise it will use the wrong :: IP as source
source address 2001:
neighbor 2001:
password "
import all;
export all;
}
EOF

config save
hostname R3
service netif restart
service pf start
service bird start
service bird6 start
</code>
==== Router 4 ====

(the script “labconfig vm4” pushes this full configuration automatically):

<code>
sysrc hostname=R4
sysrc ifconfig_em3="
sysrc ifconfig_em3_ipv6="
sysrc ifconfig_em2="
sysrc ifconfig_em2_ipv6="
sysrc cloned_interfaces="
sysrc ifconfig_lo1="
sysrc ifconfig_lo1_ipv6="
sysrc frr_enable=YES
sysrc frr_vtysh_boot=YES
sysrc mpd_enable=YES
sysrc mpd_flags="
sysrc firewall_enable=YES
sysrc firewall_script="/
sysrc ipfw_netflow_enable=YES
sysrc ipfw_netflow_ip=10.0.45.5
sysrc ipfw_netflow_port=2055
sysrc ipfw_netflow_version=9
sysrc pimd_enable=YES
ifconfig -l | grep -q vtnet && sed -i ""

cat > /
frr version 7.0
frr defaults traditional
hostname R4
log syslog
!
interface em3
ip router isis BSDRP
ipv6 ospf6 passive
ipv6 router isis BSDRP
!
interface ng0
ip ospf message-digest-key 1 md5 superpass
ip ospf network point-to-point
ipv6 ospf6 passive
!
interface ng1
ipv6 ospf6 network point-to-point
!
!
interface vtnet3
ip router isis BSDRP
ipv6 ospf6 passive
ipv6 router isis BSDRP
!
router-id 0.0.0.4
!
router rip




!
router ripng



!
router ospf
ospf router-id 0.0.0.4






area 0.0.0.0 authentication message-digest
!
router ospf6



!
router isis BSDRP

net 49.0001.1720.1600.4004.00




!
line vty
!
bfd
!
EOF

cat > /
#!/bin/sh
set -e
logger "\$0 called with parameters: \$@"
if [ "
if ifconfig \$1 \$2 2001:
logger "\$0: \$cmd successful"
return 0
else
logger "\$0: \$cmd failed"
return 1
fi
else
return 0
fi
EOF

chmod +x /

cat > /
default:
load vpnipv4
load vpnipv6
vpnipv4:
# Create bundle called vpnipv4
create bundle static vpnipv4
# Getting IP from the server
set ipcp ranges 0.0.0.0/0
# Remote LAN subnet: Learned by ISIS
#set iface route 10.0.12.0/
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set bundle enable crypt-reqd
set mppc yes stateless
# Create a static pptp link called lvpnipv4
create link static lvpnipv4 pptp
# Attach this link to vpnipv4
set link action bundle vpnipv4
# Set some link settings
set link no pap
set link yes chap
set auth authname VpnLogin4
# Reduce the size of the outgoing packet to avoid fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "
# Client side, need to be positive (0 for always)
set link max-redial 0
# Local WAN IP address
set pptp self 10.0.0.4
# Remote WAN IP address
set pptp peer 10.0.0.2
# Open (initiate) the link to the server
open
vpnipv6:
# Create bundle called vpnipv6
create bundle static vpnipv6
# Getting IP from the server
set ipcp ranges 0.0.0.0/0
# Enable IPv6
set bundle enable ipv6cp
# Remote LAN subnet: Learned by ISIS
#set iface route 2001:
# Need to statically configure inet6 address
set iface up-script /
# Create a static pptp link called lvpnipv6
create link static lvpnipv6 pptp
# Attach this link to vpnipv6
set link action bundle vpnipv6
# Set some link settings
set link no pap
set link yes chap
set auth authname VpnLogin6
# Reduce the size of the outgoing packet to avoid fragmentation
set link mtu 1460
set link keep-alive 10 75
# max-redial:
# Server side, need to be "
# Client side, need to be positive (0 for always)
set link max-redial 0
# Local WAN IP address
set pptp self 2001:db8::4
# Remote WAN IP address
set pptp peer 2001:db8::2
# Open (initiate) the link to the server
open
EOF

cat > /
VpnLogin4
VpnLogin6
EOF

echo "# IPFW: we need to let it pass the IPv6 Unknown Extension Header for IPv6 PPTP" >> /
echo "

cat > /
#!/bin/sh
fwcmd="/
if ! kldstat -q -m dummynet; then
kldload dummynet
fi
# Flush out the list before we begin.
\${fwcmd} -f flush
# Create hard-limited pipes: One for each direction
\${fwcmd} pipe 60 config bw 20Mbit/s
\${fwcmd} pipe 61 config bw 20Mbit/s
\${fwcmd} pipe 40 config bw 10Mbit/s
\${fwcmd} pipe 41 config bw 10Mbit/s
# Put PPTP Traffic into pipes
\${fwcmd} add pipe 40 all from 10.0.0.4 to 10.0.0.2 out via any
\${fwcmd} add pipe 41 all from 10.0.0.2 to 10.0.0.4 in via any
\${fwcmd} add pipe 60 all from 2001:db8::4 to 2001:db8::2 out via any
\${fwcmd} add pipe 61 all from 2001:db8::2 to 2001:db8::4 in via any
# We don't want to block traffic, only shape some
\${fwcmd} add allow ip from any to any
EOF

config save
hostname R4
service netif restart
service frr start
service mpd5 start
service ipfw start
service sysctl reload
service ipfw_netflow start
service pimd start
</code>

==== Router 1 ====

This router will be used for backing up all the other routers' configuration files, so it needs a root password to enable SSH access to it.
We will use "

<code>
sysrc hostname=R1
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_em0=up
sysrc cloned_interfaces=lagg0
sysrc ifconfig_lagg0="
sysrc ifconfig_lagg0_ipv6="
sysrc sshd_enable=yes
ifconfig -l | grep -q vtnet && sed -i ""
config save
hostname R1
service routing restart
service netif restart
service sshd start
</code>
===== Final testing =====
==== IPv4 traffic shaping ====

From R5, enter the jail6 console and launch iperf in IPv4 (default) mode:

<code>
[root@R5]~# service jail console jail6
Last login: Sun Jul 2 16:44:12 on ttyu0
BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team
All rights reserved.
BSDRP is under the Simplified BSD license.

Documentation:

Discover BSDRP tools with "

Keyboard layout can be changed with this command:
kbdcontrol -l keymap_file (<
root has logged on ttyu0 from local.

[root@jail6]~#
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------

</code>

Start an iperf3 client on R1 and check that the available bandwidth is about 10Mb/s:

<code>
[root@R1]~#
Connecting to host 10.0.56.6, port 5201
[ 5] local 10.0.12.1 port 20434 connected to 10.0.56.6 port 5201
[ ID] Interval
[ 5]
[ 5]
[ 5]
[ 5]
[ 5]
[ 5]
[ 5]
[ 5]
[ 5]
[ 5]
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval
[ 5]
[ 5]

iperf Done.
</code>

==== IPv6 traffic shaping ====

On jail6, display its autoconfigured inet6 address:

<code>
[root@jail6]~#
inet6 2001:
</code>

Start an iperf3 IPv6 client on R1 and check that the available bandwidth is about 20Mb/s:

==== netflow ====

Check that netflows are collected on jail5 (/

<code>
[root@jail5]~#
/
/
/
/
/
</code>

==== SNMP ====

From R1, get 2 SNMP values of R6:
  * The basic sysname
  * The UCD module version

<code>
[root@R1]~# bsnmpget -s 10.0.56.6 sysName.0
sysName.0 = jail6
[root@R1]~# bsnmpwalk -s 10.0.56.6 1.3.6.1.4.1.2021.100.2.0
1.3.6.1.4.1.2021.100.2.0 = $Name: bsnmp-ucd-0-4-3 $
</code>

==== Configurations files network backup ====

R1 will be used as a configuration files backup repository.

=== Mounting data partition on R1 and configure root password ===

<code>
[root@R1]~# mount /data/
[root@R1]~# passwd
Changing local password for root
New Password:
Retype New Password:
</code>

=== Sending configuration archive file to R1 ===

From all the other routers, send the configuration file to the /data partition of R1:

<code>
[root@R2]/# config put scp root@10.0.12.1:/
Send saved configuration by SCP to root@10.0.12.1:/
The authenticity of host '
RSA key fingerprint is 4d:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '
Password:
config.3803.tar.xz
</code>

==== System integrity check ====

Download the mtree reference file corresponding to your BSDRP release and start a system integrity check.
In this lab, we put the reference file in the /tmp folder of R1:

<code>
[root@R1]~# system integrity /
Here is the modified files comparing to the reference mtree file:
dev extra
etc extra
tmp extra
var extra
</code>

Extra files and folders are normal given your previous tests.
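The integrity check above compares the running system against an mtree reference file. As an added example (not BSDRP's own "system integrity" tool and not part of this page), the POSIX sh script below shows the same mechanism with a plain manifest: it records a checksum and size per file, then reports which paths are modified, missing or extra relative to the reference. It uses cksum(1) in place of mtree so that it runs unchanged on FreeBSD and Linux; the small tree it builds under a temporary directory (etc/rc.conf, bin/old, tmp/scratch) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not BSDRP's "system integrity" command: a minimal manifest-based
# file integrity check in POSIX sh. cksum(1) stands in for mtree so the same
# script runs on FreeBSD and Linux; the manifest plays the reference-file role.

# Print one "<path> <crc> <size>" line per regular file below $1, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(cksum "$f")            # cksum prints: <crc> <size> <file>
        printf '%s %s %s\n' "$f" "$1" "$2"
    done )
}

# Compare reference manifest $1 with the live tree $2. Prints one line per
# difference ("modified <path>", "extra <path>", "missing <path>") and returns
# 1 when anything differs, 0 when the tree matches the reference exactly.
check_manifest() {
    ref="$1" dir="$2"
    cur=$(mktemp) || return 2
    make_manifest "$dir" > "$cur"
    diffs=$(awk '
        NR == FNR { ref[$1] = $2 " " $3; next }      # first file: the reference
        ($1 in ref) {
            if (ref[$1] != $2 " " $3) print "modified", $1
            delete ref[$1]; next
        }
        { print "extra", $1 }                          # present only in the live tree
        END { for (p in ref) print "missing", p }      # present only in the reference
    ' "$ref" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Self-contained demo on a constructed tree: take a baseline, then change it
# (modify one file, delete one, add one) and return what the check reports.
demo_integrity_check() {
    d=$(mktemp -d) ref=$(mktemp)
    mkdir -p "$d/etc" "$d/bin"
    printf 'hostname="R1"\n' > "$d/etc/rc.conf"
    printf '#!/bin/sh\n' > "$d/bin/old"
    make_manifest "$d" > "$ref"                     # baseline = the reference file

    printf 'hostname="R1"\nsshd_enable="YES"\n' > "$d/etc/rc.conf"   # modified
    rm "$d/bin/old"                                                 # missing
    mkdir -p "$d/tmp" && printf 'scratch\n' > "$d/tmp/scratch"      # extra

    report=$(check_manifest "$ref" "$d") || true    # non-zero exit = differences found
    rm -rf "$d" "$ref"
    printf '%s\n' "$report"
}

demo_integrity_check
```

The reference manifest only has value if it is kept where the checked system cannot rewrite it, for the same reason this lab copies configuration archives off-box to R1: a manifest stored next to the files it covers can be regenerated together with them.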
documentation/examples/maximum_bsdrp_features_lab.txt · Last modified: 2022/07/07 13:23 by olivier