documentation:examples:maximum_bsdrp_features_lab

documentation:examples:maximum_bsdrp_features_lab [2019/10/03 14:09] – [Router 3] olivierdocumentation:examples:maximum_bsdrp_features_lab [2022/07/07 13:23] (current) – [IPv6 traffic shaping] olivier
Line 80: Line 80:
  
 <code> <code>
-sysrc hostname=R5 +sysrc hostname=R5 \ 
-sysrc ifconfig_em3=up + ifconfig_em3=up \ 
-sysrc cloned_interfaces=epair0 + cloned_interfaces=epair0 \ 
-sysrc ifconfig_epair0a=up + ifconfig_epair0a=up \ 
-sysrc kld_list+=" if_lagg carp"+ kld_list+=" if_lagg carp"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
 cat > /etc/devfs.rules <<EOF cat > /etc/devfs.rules <<EOF
Line 104: Line 104:
 fi fi
 tenant -c -j jail6 -i epair0b tenant -c -j jail6 -i epair0b
-sysrc -f /etc/jails/jail5/rc.conf hostname=jail5 +sysrc -f /etc/jails/jail5/rc.conf hostname=jail5 \ 
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_em3="inet 10.0.45.5/24" + ifconfig_em3="inet 10.0.45.5/24" \ 
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" + ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" \ 
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a="10.0.56.5/24" + ifconfig_epair0a="10.0.56.5/24" \ 
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64" + ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64" \ 
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass" + ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass" \ 
-sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass" + ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass" \ 
-sysrc -f /etc/jails/jail5/rc.conf rtadvd_enable=YES + rtadvd_enable=YES \ 
-sysrc -f /etc/jails/jail5/rc.conf rtadvd_interfaces=epair0a + rtadvd_interfaces=epair0a \ 
-sysrc -f /etc/jails/jail5/rc.conf dhcpd_enable=YES + dhcpd_enable=YES \ 
-sysrc -f /etc/jails/jail5/rc.conf dhcpd_flags="-q" + dhcpd_flags="-q" \ 
-sysrc -f /etc/jails/jail5/rc.conf dhcpd_conf="/usr/local/etc/dhcpd.conf" + dhcpd_conf="/usr/local/etc/dhcpd.conf" \ 
-sysrc -f /etc/jails/jail5/rc.conf frr_enable=YES + frr_enable=YES \ 
-sysrc -f /etc/jails/jail5/rc.conf frr_vtysh_boot="YES" + frr_vtysh_boot=YES \ 
-sysrc -f /etc/jails/jail5/rc.conf nfacctd_enable=YES + nfacctd_enable=YES \ 
-sysrc -f /etc/jails/jail5/rc.conf pimd_enable=YES+ pimd_enable=YES
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/rc.conf
 mkdir -p /etc/jails/jail5/local/frr mkdir -p /etc/jails/jail5/local/frr
Line 130: Line 130:
 subnet 10.0.45.0 netmask 255.255.255.0 { subnet 10.0.45.0 netmask 255.255.255.0 {
 } }
 +
 #Declare R1 LAN and gateway #Declare R1 LAN and gateway
 subnet 10.0.12.0 netmask 255.255.255.0 { subnet 10.0.12.0 netmask 255.255.255.0 {
Line 193: Line 194:
 EOF EOF
  
-sysrc -f /etc/jails/jail6/rc.conf hostname=jail6 +sysrc -f /etc/jails/jail6/rc.conf hostname=jail6 \ 
-sysrc -f /etc/jails/jail6/rc.conf ifconfig_epair0b="up" + ifconfig_epair0b="up" \ 
-sysrc -f /etc/jails/jail6/rc.conf cloned_interfaces="lagg0" + cloned_interfaces="lagg0" \ 
-sysrc -f /etc/jails/jail6/rc.conf ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP" + ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP" \ 
-sysrc -f /etc/jails/jail6/rc.conf ifconfig_lagg0_ipv6="inet6 accept_rtadv" + ifconfig_lagg0_ipv6="inet6 accept_rtadv" \ 
-sysrc -f /etc/jails/jail6/rc.conf rtsold_enable=YES + rtsold_enable=YES \ 
-sysrc -f /etc/jails/jail6/rc.conf bsnmpd_enable=YES + bsnmpd_enable=YES \ 
-sysrc -f /etc/jails/jail6/rc.conf gateway_enable=NO + gateway_enable=NO \ 
-sysrc -f /etc/jails/jail6/rc.conf ipv6_gateway_enable=NO+ ipv6_gateway_enable=NO
 service jail start service jail start
 </code> </code>
Line 436: Line 437:
 sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64" sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
 sysrc bird_enable=YES sysrc bird_enable=YES
-sysrc bird6_enable=YES 
 sysrc pf_enable=YES sysrc pf_enable=YES
 sysrc pf_rules="/etc/pf.conf" sysrc pf_rules="/etc/pf.conf"
Line 442: Line 442:
  
 cat > /etc/pf.conf <<EOF cat > /etc/pf.conf <<EOF
 +#Variables definitions
 +#TO_R2_if = "{" vtnet1.23 em1.23 "}"
 +#TO_R4_if = "{" vtnet2 em2 "}"
 +#R2 = "10.0.0.2/32"
 +#R4 = "10.0.0.4/32"
 +
 +## ALTQ rules
 +# Queue outgoing from \$TO_R4_if (R2 => R4)
 +# Rate-limit inet 4 VPN traffic to 10Mb
 +#altq on \$TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 }
 +#queue VPN4_TO_R4 bandwidth 10Mb hfsc(upperlimit 10Mb)
 +#queue OTHER_TO_R4 bandwidth 90Mb hfsc(default)
 +
 +# Queue for outgoing traffic from \$TO_R2_if (R4 => R2)
 +#altq on \$TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 }
 +#queue VPN4_TO_R2 bandwidth 10Mb hfsc(upperlimit 10Mb)
 +#queue OTHER_TO_R2 bandwidth 90Mb hfsc(default)
 +
 +## PF rules
 +
 +# R2 => R4
 +# Shapping works on outgoing traffic only, but need to 'mark' traffic
 +# entering the interface for putting returning traffic in the good queue
 +#pass in quick on \$TO_R2_if proto gre from \$R2 to \$R4 queue VPN4_TO_R2
 +# Apply ALTQ to traffic that get out from \$TO_R4_if
 +#pass out quick on \$TO_R4_if proto gre from \$R2 to \$R4 queue VPN4_TO_R4
 +
 +# PF rules R4 => R2
 +#pass in quick on \$TO_R4_if proto gre from \$R4 to \$R2 queue VPN4_TO_R4
 +#pass out quick on \$TO_R2_if proto gre from \$R4 to \$R2 queue VPN4_TO_R2
 +
 # ALTQ is disabled since BSDRP 1.81 (too much performance impact) # ALTQ is disabled since BSDRP 1.81 (too much performance impact)
 pass all pass all
Line 456: Line 487:
  
 # Sync bird routing table with kernel # Sync bird routing table with kernel
-protocol kernel {+protocol kernel kernel4 { 
 +    ipv4 {
         export all;         export all;
 +    };
 +}
 +protocol kernel kernel6 {
 +    ipv6 {
 +        export all;
 +    };
 } }
  
Line 465: Line 503:
 } }
  
-# Include directly connected network+# Include directly connected networks
 protocol direct { protocol direct {
-        interface "vtnet1", "em1", "vtnet2", "em2";+        ipv4; 
 +        ipv6;
 } }
  
-protocol rip R4 +protocol rip R4inet4 
-        export all; +    interface "vtnet2","em2"
-        interface "vtnet2","em2"+        version 2; 
-            version 2; +    }; 
-            password "rippassword" { algorithm keyed md5; }; +    ipv4 { 
-            authentication cryptographic+         export all
-        };+    };
 } }
  
-protocol bgp R2 +protocol rip ng R4inet6 
-        local as 100; +    interface "vtnet2","em2" ; 
-        # Bird creates IPSEC SAD entry automatically but it need to know the source IP address +    ipv6 {
-        # Otherwise it will use the wrong 0.0.0.0 IP as source +
-        source address 10.0.23.3; +
-        neighbor 10.0.23.2 as 100; +
-        password "abigpassword";  +
-        import all;+
         export all;         export all;
 +    };
 } }
-EOF 
  
-cat > /usr/local/etc/bird6.conf <<EOF +protocol bgp R2inet4 { 
-Configure logging +    local as 100; 
-log syslog all; +    Bird creates IPSEC SAD entry automatically but it need to know the source IP address 
-log "/var/log/bird6.log" all; +    Otherwise it will use the wrong 0.0.0.0 IP as source 
-log stderr all; +    source address 10.0.23.3; 
- +    neighbor 10.0.23.2 as 100
-Override router ID +    password "abigpassword"
-router id 0.0.0.3; +    ipv4 
- +        import all;
-# Sync bird routing table with kernel +
-protocol kernel { +
-        export all+
-+
- +
-protocol device { +
-        scan time 10+
-+
-protocol direct +
-        interface "vtnet1", "em1", "vtnet2", "em2"; +
-+
- +
-protocol rip R4 {+
         export all;         export all;
-        interface "vtnet2","em2" ;+    };
 } }
  
-protocol bgp R2 +protocol bgp R2inet6 
-        local as 100; +    local as 100; 
-        # Bird creates IPSEC SAD entry automatically but it need to know the source IP address +    # Bird creates IPSEC SAD entry automatically but it need to know the source IP address 
-        # Otherwise it will use the wrong :: IP as source +    # Otherwise it will use the wrong :: IP as source 
-        source address 2001:db8:23::3; +    source address 2001:db8:23::3; 
-        neighbor 2001:db8:23::2 as 100; +    neighbor 2001:db8:23::2 as 100; 
-        password "abigpassword";+    password "abigpassword"; 
 +    ipv6 {
         import all;         import all;
         export all;         export all;
 +    };
 } }
 EOF EOF
Line 534: Line 557:
 service pf start service pf start
 service bird start service bird start
-service bird6 start 
 </code> </code>
 ==== Router 4 ==== ==== Router 4 ====
Line 544: Line 566:
 sysrc ifconfig_em3="inet 10.0.45.4/24" sysrc ifconfig_em3="inet 10.0.45.4/24"
 sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64" sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
-sysrc ifconfig_em2="10.0.34.4/24"+sysrc ifconfig_em2="10.0.34.4/24 mtu 1528"
 sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
 sysrc cloned_interfaces="lo1" sysrc cloned_interfaces="lo1"
Line 735: Line 757:
         kldload dummynet         kldload dummynet
 fi fi
 +
 # Flush out the list before we begin. # Flush out the list before we begin.
 \${fwcmd} -f flush \${fwcmd} -f flush
Line 768: Line 791:
  
 <code> <code>
-sysrc hostname=R1 +sysrc hostname=R1 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_em0=up + ifconfig_em0=up \ 
-sysrc cloned_interfaces=lagg0 + cloned_interfaces=lagg0 \ 
-sysrc ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP" + ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP" \ 
-sysrc ifconfig_lagg0_ipv6="inet6 accept_rtadv" + ifconfig_lagg0_ipv6="inet6 accept_rtadv" \ 
-sysrc sshd_enable=yes+ sshd_enable=yes
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
 config save config save
Line 868: Line 891:
 iperf Done. iperf Done.
 [root@R1]~# [root@R1]~#
 +</code>
 +
 +And during iperf, R4 ipfw pipe showing some activity:
 +<code>
 +root@R4:~ # ipfw pipe show
 +00040:  10.000 Mbit/   0 ms burst 0
 +q131112  50 sl. 0 flows (1 buckets) sched 65576 weight 0 lmax 0 pri 0 droptail
 + sched 65576 type FIFO flags 0x0 0 buckets 0 active
 +00041:  10.000 Mbit/   0 ms burst 0
 +q131113  50 sl. 0 flows (1 buckets) sched 65577 weight 0 lmax 0 pri 0 droptail
 + sched 65577 type FIFO flags 0x0 0 buckets 0 active
 +00061:  20.000 Mbit/   0 ms burst 0
 +q131133  50 sl. 0 flows (1 buckets) sched 65597 weight 0 lmax 0 pri 0 droptail
 + sched 65597 type FIFO flags 0x0 0 buckets 1 active
 +BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 +  0 ip           0.0.0.0/            0.0.0.0/     483   378358  9 6349   0
 +00060:  20.000 Mbit/   0 ms burst 0
 +q131132  50 sl. 0 flows (1 buckets) sched 65596 weight 0 lmax 0 pri 0 droptail
 + sched 65596 type FIFO flags 0x0 0 buckets 1 active
 +  0 ip           0.0.0.0/            0.0.0.0/     125    15881  0    0   0
 </code> </code>
 ==== netflow ==== ==== netflow ====
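Review bot: In the "Line 465" hunk the rewritten `protocol rip R4inet4` block drops the RIP authentication the previous config had (`password "rippassword" { algorithm keyed md5; };` and `authentication cryptographic` are removed and only `version 2;` survives in the interface block), so the R3–R4 RIP adjacency becomes unauthenticated while the BGP sessions rewritten in the same hunk keep `password "abigpassword"`. In bird 2 these options still belong in the interface sub-block, so the new side should read `interface "vtnet2","em2" { version 2; authentication cryptographic; password "rippassword" { algorithm keyed md5; }; };`, and R4's RIP configuration (outside this diff) presumably needs the same password for the keyed-MD5 check to pass. The rendered diff has lost some braces and `#` characters on these lines (the `protocol rip R4inet4` line without its opening brace, the two BGP comment lines under `protocol bgp R2inet4`), so the exact text should be checked against the raw page before editing.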