documentation:examples:maximum_bsdrp_features_lab

documentation:examples:maximum_bsdrp_features_lab [2019/10/03 14:09]
olivier [Router 4]
documentation:examples:maximum_bsdrp_features_lab [2019/12/31 17:05] (current)
olivier [Router 1]
Line 80: Line 80:
  
 <​code>​ <​code>​
-sysrc hostname=R5 +sysrc hostname=R5 ​\ 
-sysrc ifconfig_em3=up + ​ifconfig_em3=up ​\ 
-sysrc cloned_interfaces=epair0 + ​cloned_interfaces=epair0 ​\ 
-sysrc ifconfig_epair0a=up + ​ifconfig_epair0a=up ​\ 
-sysrc kld_list+="​ if_lagg carp"+ ​kld_list+="​ if_lagg carp"
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
 cat > /​etc/​devfs.rules <<EOF cat > /​etc/​devfs.rules <<EOF
Line 104: Line 104:
 fi fi
 tenant -c -j jail6 -i epair0b tenant -c -j jail6 -i epair0b
-sysrc -f /​etc/​jails/​jail5/​rc.conf hostname=jail5 +sysrc -f /​etc/​jails/​jail5/​rc.conf hostname=jail5 ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​ifconfig_em3="​inet 10.0.45.5/​24"​ + ​ifconfig_em3="​inet 10.0.45.5/​24" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​ifconfig_em3_ipv6="​inet6 2001:​db8:​45::​5 prefixlen 64" + ​ifconfig_em3_ipv6="​inet6 2001:​db8:​45::​5 prefixlen 64" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​ifconfig_epair0a="​10.0.56.5/​24"​ + ​ifconfig_epair0a="​10.0.56.5/​24" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​ifconfig_epair0a_ipv6="​inet6 2001:​db8:​56::​5 prefixlen 64" + ​ifconfig_epair0a_ipv6="​inet6 2001:​db8:​56::​5 prefixlen 64" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​ifconfig_epair0a_alias0="​inet 10.0.56.254/​32 vhid 1 pass testpass"​ + ​ifconfig_epair0a_alias0="​inet 10.0.56.254/​32 vhid 1 pass testpass" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​ifconfig_epair0a_alias1="​inet6 2001:​db8:​56::​fe prefixlen 128 vhid 1 pass testpass"​ + ​ifconfig_epair0a_alias1="​inet6 2001:​db8:​56::​fe prefixlen 128 vhid 1 pass testpass" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​rtadvd_enable=YES + ​rtadvd_enable=YES ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​rtadvd_interfaces=epair0a + ​rtadvd_interfaces=epair0a ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​dhcpd_enable=YES + ​dhcpd_enable=YES ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​dhcpd_flags="​-q"​ + ​dhcpd_flags="​-q" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​dhcpd_conf="/​usr/​local/​etc/​dhcpd.conf"​ + ​dhcpd_conf="/​usr/​local/​etc/​dhcpd.conf" ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​frr_enable=YES + ​frr_enable=YES ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​frr_vtysh_boot="YES" + ​frr_vtysh_boot=YES ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​nfacctd_enable=YES + ​nfacctd_enable=YES ​\ 
-sysrc -f /​etc/​jails/​jail5/​rc.conf ​pimd_enable=YES+ ​pimd_enable=YES
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​jails/​jail5/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​jails/​jail5/​rc.conf
 mkdir -p /​etc/​jails/​jail5/​local/​frr mkdir -p /​etc/​jails/​jail5/​local/​frr
Line 130: Line 130:
 subnet 10.0.45.0 netmask 255.255.255.0 { subnet 10.0.45.0 netmask 255.255.255.0 {
 } }
 +
 #Declare R1 LAN and gateway #Declare R1 LAN and gateway
 subnet 10.0.12.0 netmask 255.255.255.0 { subnet 10.0.12.0 netmask 255.255.255.0 {
Line 193: Line 194:
 EOF EOF
  
-sysrc -f /​etc/​jails/​jail6/​rc.conf hostname=jail6 +sysrc -f /​etc/​jails/​jail6/​rc.conf hostname=jail6 ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​ifconfig_epair0b="​up"​ + ​ifconfig_epair0b="​up" ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​cloned_interfaces="​lagg0"​ + ​cloned_interfaces="​lagg0" ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​ifconfig_lagg0="​laggproto failover laggport epair0b SYNCDHCP"​ + ​ifconfig_lagg0="​laggproto failover laggport epair0b SYNCDHCP" ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​ifconfig_lagg0_ipv6="​inet6 accept_rtadv"​ + ​ifconfig_lagg0_ipv6="​inet6 accept_rtadv" ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​rtsold_enable=YES + ​rtsold_enable=YES ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​bsnmpd_enable=YES + ​bsnmpd_enable=YES ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​gateway_enable=NO + ​gateway_enable=NO ​\ 
-sysrc -f /​etc/​jails/​jail6/​rc.conf ​ipv6_gateway_enable=NO+ ​ipv6_gateway_enable=NO
 service jail start service jail start
 </​code>​ </​code>​
Line 436: Line 437:
 sysrc ifconfig_em2_ipv6="​inet6 2001:​db8:​34::​3 prefixlen 64" sysrc ifconfig_em2_ipv6="​inet6 2001:​db8:​34::​3 prefixlen 64"
 sysrc bird_enable=YES sysrc bird_enable=YES
-sysrc bird6_enable=YES 
 sysrc pf_enable=YES sysrc pf_enable=YES
 sysrc pf_rules="/​etc/​pf.conf"​ sysrc pf_rules="/​etc/​pf.conf"​
Line 442: Line 442:
  
 cat > /​etc/​pf.conf <<EOF cat > /​etc/​pf.conf <<EOF
 +#Variables definitions
 +#TO_R2_if = "​{"​ vtnet1.23 em1.23 "​}"​
 +#TO_R4_if = "​{"​ vtnet2 em2 "​}"​
 +#R2 = "​10.0.0.2/​32"​
 +#R4 = "​10.0.0.4/​32"​
 +
 +## ALTQ rules
 +# Queue outgoing from \$TO_R4_if (R2 => R4)
 +# Rate-limit inet 4 VPN traffic to 10Mb
 +#altq on \$TO_R4_if hfsc bandwidth 100Mb queue { VPN4_TO_R4, OTHER_TO_R4 }
 +#queue VPN4_TO_R4 bandwidth 10Mb hfsc(upperlimit 10Mb)
 +#queue OTHER_TO_R4 bandwidth 90Mb hfsc(default)
 +
 +# Queue for outgoing traffic from \$TO_R2_if (R4 => R2)
 +#altq on \$TO_R2_if hfsc bandwidth 100Mb queue { VPN4_TO_R2, OTHER_TO_R2 }
 +#queue VPN4_TO_R2 bandwidth 10Mb hfsc(upperlimit 10Mb)
 +#queue OTHER_TO_R2 bandwidth 90Mb hfsc(default)
 +
 +## PF rules
 +
 +# R2 => R4
 +# Shapping works on outgoing traffic only, but need to '​mark'​ traffic
 +# entering the interface for putting returning traffic in the good queue
 +#pass in quick on \$TO_R2_if proto gre from \$R2 to \$R4 queue VPN4_TO_R2
 +# Apply ALTQ to traffic that get out from \$TO_R4_if
 +#pass out quick on \$TO_R4_if proto gre from \$R2 to \$R4 queue VPN4_TO_R4
 +
 +# PF rules R4 => R2
 +#pass in quick on \$TO_R4_if proto gre from \$R4 to \$R2 queue VPN4_TO_R4
 +#pass out quick on \$TO_R2_if proto gre from \$R4 to \$R2 queue VPN4_TO_R2
 +
 # ALTQ is disabled since BSDRP 1.81 (too much performance impact) # ALTQ is disabled since BSDRP 1.81 (too much performance impact)
 pass all pass all
Line 456: Line 487:
  
 # Sync bird routing table with kernel # Sync bird routing table with kernel
-protocol kernel {+protocol kernel ​kernel4 { 
 +    ipv4 {
         export all;         export all;
 +    };
 +}
 +protocol kernel kernel6 {
 +    ipv6 {
 +        export all;
 +    };
 } }
  
Line 465: Line 503:
 } }
  
-# Include directly connected ​network+# Include directly connected ​networks
 protocol direct { protocol direct {
-        ​interface "​vtnet1",​ "​em1",​ "​vtnet2",​ "​em2"​;+        ​ipv4; 
 +        ipv6;
 } }
  
-protocol rip R4 +protocol rip R4inet4 ​
-        ​export all; +    interface "​vtnet2","​em2"​ { 
-        ​interface "​vtnet2","​em2"​ { +        version 2; 
-            version 2; +    }; 
-            ​password "​rippassword"​ { algorithm keyed md5; }; +    ipv4 { 
-            ​authentication cryptographic+         ​export all
-        };+    };
 } }
  
-protocol ​bgp R2 +protocol ​rip ng R4inet6 ​
-        local as 100; +    ​interface ​"vtnet2","​em2" ; 
-        # Bird creates IPSEC SAD entry automatically but it need to know the source IP address +    ipv6 {
-        # Otherwise it will use the wrong 0.0.0.0 IP as source +
-        source address 10.0.23.3;​ +
-        neighbor 10.0.23.2 as 100; +
-        password ​"abigpassword";  +
-        ​import all;+
         export all;         export all;
 +    };
 } }
-EOF 
  
-cat > /usr/local/​etc/​bird6.conf <<EOF +protocol bgp R2inet4 { 
-Configure logging +    ​local as 100; 
-log syslog all; +    Bird creates IPSEC SAD entry automatically but it need to know the source IP address 
-log "/​var/​log/​bird6.log"​ all; +    Otherwise it will use the wrong 0.0.0.0 IP as source 
-log stderr all; +    source address 10.0.23.3; 
- +    ​neighbor 10.0.23.2 as 100
-Override router ID +    ​password "​abigpassword"​
-router id 0.0.0.3; +    ​ipv4 ​
- +        ​import all;
-# Sync bird routing table with kernel +
-protocol kernel { +
-        export all+
-+
- +
-protocol device { +
-        scan time 10+
-+
-protocol direct ​+
-        ​interface "​vtnet1",​ "​em1",​ "​vtnet2",​ "​em2"​; +
-+
- +
-protocol rip R4 {+
         export all;         export all;
-        interface "​vtnet2","​em2" ​;+    };
 } }
  
-protocol bgp R2 +protocol bgp R2inet6 ​
-        local as 100; +    local as 100; 
-        # Bird creates IPSEC SAD entry automatically but it need to know the source IP address +    # Bird creates IPSEC SAD entry automatically but it need to know the source IP address 
-        # Otherwise it will use the wrong :: IP as source +    # Otherwise it will use the wrong :: IP as source 
-        source address 2001:​db8:​23::​3;​ +    source address 2001:​db8:​23::​3;​ 
-        neighbor 2001:​db8:​23::​2 as 100; +    neighbor 2001:​db8:​23::​2 as 100; 
-        password "​abigpassword";​+    password "​abigpassword";​ 
 +    ipv6 {
         import all;         import all;
         export all;         export all;
 +    };
 } }
 EOF EOF
Line 534: Line 557:
 service pf start service pf start
 service bird start service bird start
-service bird6 start 
 </​code>​ </​code>​
 ==== Router 4 ==== ==== Router 4 ====
Line 735: Line 757:
         kldload dummynet         kldload dummynet
 fi fi
 +
 # Flush out the list before we begin. # Flush out the list before we begin.
 \${fwcmd} -f flush \${fwcmd} -f flush
Line 768: Line 791:
  
 <​code>​ <​code>​
-sysrc hostname=R1 +sysrc hostname=R1 ​\ 
-sysrc gateway_enable=NO + ​gateway_enable=NO ​\ 
-sysrc ipv6_gateway_enable=NO + ​ipv6_gateway_enable=NO ​\ 
-sysrc ifconfig_em0=up + ​ifconfig_em0=up ​\ 
-sysrc cloned_interfaces=lagg0 + ​cloned_interfaces=lagg0 ​\ 
-sysrc ifconfig_lagg0="​laggproto loadbalance laggport em0 SYNCDHCP"​ + ​ifconfig_lagg0="​laggproto loadbalance laggport em0 SYNCDHCP" ​\ 
-sysrc ifconfig_lagg0_ipv6="​inet6 accept_rtadv"​ + ​ifconfig_lagg0_ipv6="​inet6 accept_rtadv" ​\ 
-sysrc sshd_enable=yes+ ​sshd_enable=yes
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
 config save config save
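Review bot: In the "Line 465: Line 503:" hunk the new `protocol rip R4inet4` block drops the RIP authentication that the old `protocol rip R4` had (`password "rippassword" { algorithm keyed md5; };` and `authentication cryptographic;`), so the BIRD 2 migration silently downgrades the R3–R4 RIP session to unauthenticated; the R4 side of this change is not in the visible hunks, so whether the peer was changed to match cannot be confirmed here. If the downgrade is not intended, put the two options back inside the interface block, i.e. `interface "vtnet2","em2" { version 2; authentication cryptographic; password "rippassword" { algorithm keyed md5; }; };` (BIRD 2 keeps these as per-interface RIP options). If it is intended, a one-line comment above the block saying that RIP authentication was deliberately removed would stop the next reader from reading it as an oversight. The `cat > /usr/local/etc/bird.conf <<EOF` heredoc that encloses this block starts before the hunk; only its closing `EOF` is visible.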
documentation/examples/maximum_bsdrp_features_lab.1570104575.txt.gz · Last modified: 2019/10/03 14:09 by olivier