Netgate Discussion Forum

    Newbie bgp

Category: Routing and Multi WAN
    11 Posts 2 Posters 8.7k Views
ramarro

Hello,

I have to configure a network with 2 firewalls with CARP to achieve fault tolerance.

Now, on the BGP side, I have 2 cables that come from the ISP.

The service provider says he is waiting for my BGPQ private session to allocate the /25 IP network.

I have prepared a pic of what I think I have to set up :)

1. Now, is my configuration (speaking about cable layout and connections) correct/optimal?
2. How am I supposed to configure BGP on the two hosts to make them work with CARP?
3. Is there a way to "test" this kind of configuration before going to a server farm with the 2 links? Like some sort of 'simulator' or something like that?

![Senza titolo.jpg](/public/imported_attachments/1/Senza titolo.jpg)

dmateos

Hi Ramarro, first I think you have to establish the BGP session, and later try CARP.

Do you already have your ASN? Did you ask your Internet provider to make the routing for your ASN at Tier 1?

Install the OpenBGPD package

Services->OpenBGPD->Settings
    AS Number -> You must have one
    Holdtime -> default 30
    fib-time -> yes
    Listen on IP -> leave blank to listen on all your interfaces for testing purposes
    Router IP -> same as above
    CARP Status -> same as above
    Networks -> your prefix that the ISP is going to route

If you have this information, we can advance with groups and neighbors.

Sorry for my English!

Regards

ramarro

I think that I have all the information.

I can't try them; the servers will be put in London and I am in Italy, that's why I would like to try in a VBox or something like that :D

Also, my Internet provider says something like

Ports are now configured (/29 connected for IPv4 and /112 for IPv6).
149.7.240.128/25 has been assigned, but not configured as we're still pending you to fill in the BGPQ form for this for the private BGP session, once done we'll route the /25 via this BGP session.

which means that I should set up something before proceeding.

I have TWO ports from them; I think that I need to fill in some extra data to proceed. I was presuming that I need to set up the BGP session
in some way to obtain the required BGP.

These are the infos that I have for each port:

Connected Address Block
149.6.25.40/29

Cogent Router port IP/Gateway
149.6.25.41

Customer Router Port IP
149.6.25.42

Subnet Mask
255.255.255.248

Cogent ASN
174

The other port has a similar setup, just different IPs (on my "beautiful" schema there are the IPs).

With that info, I think that I can put all the data in the fields, aside from "networks", which is not so clear.

Since I want to route all of 149.7.240.128/25 (which is not yet configured, according to the mail I quoted above), what should I do?
I presume create a static route, right? If so, do I have to put my "customer router port IP" (which will be configured as static IP on the interface that will do the BGP job),
or am I wrong?

dmateos

Hi Ramarro, I think this is the very first time you face BGP.

Have you configured a BGP session in a pure router like Cisco?

Can you tell me what the purpose of your public segment /25 is? And what are you going to implement in this segment? Servers, DNS, apps???

• Answering: you cannot virtualize EBGP (external), you need to implement it directly with your ISP.
• BGP is a routing protocol; when you establish the session against your ISP, they (the ISP) are going to send you the /25 public segment they gave you.
• Cogent has ASN 174; you must have your own: http://bgp.he.net/AS174
• Remember that BGP is a layer 4 protocol and you have to implement certain rules on the interface that connects with your ISP.

Tell me about the purpose of your /25 network.

I add an image of a standard use of BGP with a DMZ.

Regards

IMG_0557.JPG

ramarro

Hi dmateos,

You are totally right, this is my very first time, and not only that, I am not a sysadmin, I am a software developer, so normally my job is quite different from this one, but as always we are facing some difficulties :)

The /25 will host web apps on different web servers; there will be a port forward from the firewall (which has an alias for all the IPs) to the server. The server will have Java daemons on different ports that will be forwarded to ip:80, 1 IP for each process or something like that... anyway, I presume it's not that important for the BGP setup.

Basically, I don't have a router, and I was thinking to use pfSense to make my firewall route the traffic in a proper way.

Considering that I am at 0 on that, probably I need to get some sort of introduction :)

I have made a chart of the "current" setup. This setup is working like a charm; unfortunately now we are moving all servers to a 'neutral' server farm and this includes all this work...

So basically, should I purchase a router or can I handle it in some way?

If so, well, I need all the information that you can share :)

![Diagramma non titolato.png](/public/imported_attachments/1/Diagramma non titolato.png)

dmateos

You can make it with pfSense without a problem.

I have three different ISPs, I have an Autonomous System Number, and a network prefix /20 that is announced over the BGP sessions.

All that in a pfSense box that connects a LAN /8 with my DMZ (server farm).

And it works like a charm.

• You have to start with the basic configuration.
• First install the pfSense box connected with the ISP, just one line.
• And make sure NAT and Internet work correctly.
• Then install OpenBGPD.
• Later you have to make the NAT and firewall rules to serve your apps.

Let me know when you start the production configuration on site; that way I can help you.

Read this, it helped me a lot -> http://www.openbsd.org/papers/linuxtag06-network.pdf

ramarro

Hi, thanks a lot :)

I already read the docs.

As for now, everything (including CARP) is already configured on pfSense; as I told you, on the previous farm this setup (aside from BGP) is all up and running :)
Every node is connected in LAGG to 2 switches; I have tried to unplug every connection (2 years ago when we set up this thing) and everything is fault tolerant (including firewalls).

So basically I just need the BGP side :)

I want to keep a simple approach, as simple as possible.

Here some questions:
----q1----
On the BGP page I see
Autonomous Systems (AS)
Is this the one that comes from Cogent, or is it a new one?
----q2----
On "neighborhood" I should set a rule
with all the params that come from Cogent.
Since I have TWO cables, connected to TWO different firewalls, do I need
to put 1 neighborhood per firewall (the appropriate one) or both?
I think just one; the other IP will not be visible at all if I put them directly
on the firewall interface as per my drawing.
----q3----
On the first BGP page I see "network to announce".
I have to announce my /25, is that right? And this config has to be done on BOTH
firewalls, just putting the IP with netmask, am I right? (149.7.240.128/25 in my case)

If this is correct (and as I say my configuration is already working with CARP),
if I throw in my CARP IP in the config and let pfSense handle the 'magic',
one of the two bgpds will stay offline till the CARP IP gets assigned to the firewall.
In that way, I should have some sort of fault tolerance (the session will be disconnected, but
that's still acceptable).

Sounds like it will work? :)

Last note...
Cogent says

we're still pending you to fill in the BGPQ form for this for the private BGP session

What am I supposed to do here?!?

dmateos

Please ask your ISP for your local AS.

q1
In this install you should have

Remote AS: 174

Local AS: XXX?

q2
This is going to be the same config in the two firewalls (of course with different IPs).
I recommend you first establish the session on one firewall to simplify things.

q3
Yes, this is the network you want to announce.

Open a firewall rule
(image added)

bgp.png

ramarro

Ok, thanks, I think that I am "understanding" (at least how to configure it).

In pfSense I can't see the remote-as input box, that's why I was getting confused.

In the OpenBGPD doc I have found this. Correct me if my --> assumptions are wrong.

global config

AS XXXX --> this is my LOCAL ASN (information needs to be given by Cogent)
router-id 149.6.25.42 --> my LOCAL IP (already have)

announce our PI address space

network 149.7.240.128/25 --> my PUBLIC LAN (already have)

neighbor config

neighbor 149.6.25.41 { --> router IP (already have)
descr "cogent" --> some desc :)
remote-as 179 --> REMOTE ASN!! (already have)
}

Basically remote-as has to be put in the raw config; it's not possible
to do it via the GUI (I am trying now on a virtual machine with the latest pfSense).

No problem to put it by hand :D but just double checking to be sure.

As for the firewall rules, totally understood, that's the easy part :D at least on that I am 'confident' hehehe :)

Is there also anything to do on the route side?

dmateos

Sorry for the delay.

Ok, you already installed OpenBGPD from Packages.

Go to: Services -> OpenBGPD

First -> Settings: write all the basics here, only your ASN and Network.

Second -> Groups: here you put the remote AS, and a name, COGENT for example.

Third -> Neighbors: add a new one, in the group select COGENT, and put the parameters you received.

I recommend at the end two parameters: Set Next Hop -> 149.6.25.41, and Local address -> 149.6.25.42.
In a pure router config I don't need to hard code this, but in pfSense, if I don't put it, it doesn't work.

Fourth -> Firewall Rules: as I said before, BGPD is a layer 4 service; you need to open TCP port 179 on the COGENT interface.

Best Regards

ramarro

I was in Prague, and was able to make everything work like a charm :D :D

Now, I have a question about multihoming & high availability.

Since I have TWO Cogent connections, I have tried the following setup (remember, the current WORKING setup is c1->fw1, c2->fw2 + CARP):

c1 --> switch --> fw1 (gateway1)
c2 --> switch --> fw1 (gateway2)
aggr_gateway: gateway1 + gateway2 used as LAN gateway, with option 'member offline'
BGP with 2 neighborhoods

I have configured a group, two Cogent neighborhoods, 2 firewall rules, and in the BGP log I see
that my routes get announced on BOTH Cogent connections.

I can navigate and receive packets (I suppose that it's the correct behaviour hehehe).

Now, if I unplug c1 from the switch, I can still 'exit' from behind the firewall (I have set a gateway with redundancy, so the c1 gw goes offline and traffic switches to c2),

but the INCOMING packets are lost (most of them).

Just to give you an idea, if I try to reach from the public Internet a web server behind the firewall (on my /25 network),
pages get served 1 every 100 requests :D

Is that normal?
In the OpenBGPD PDF (http://www.openbsd.org/papers/linuxtag06-network.pdf)
this 'config layout' is on page 5, and I have followed the diagram quite strictly.
I can also confirm that if both cables are connected everything works; it's basically when I unplug one cable that things go wrong (so maybe it's not how high availability on 2 connections can be achieved).

These tests are pointless, I know, because I am using TWO Cogent cables, but I want to get a Level3 cable to set up real high availability, so this one should
be a good test.

Thanks for your assistance

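The Settings/Groups/Neighbors layout dmateos describes, with the two Cogent ports on one firewall from the last post, written out as the bgpd.conf the pfSense OpenBGPD package ends up generating. This is an added example, not config from the thread or from the package; the local AS 65000, the second port's 203.0.113.x addresses and the filter rules are assumptions, since the thread does not give them.

```conf
# Global settings (pfSense: Services -> OpenBGPD -> Settings)
AS 65000                        # placeholder: your own local ASN, not Cogent's 174
router-id 149.6.25.42           # customer router port IP of the first Cogent port
fib-update yes                  # install learned routes into the kernel routing table
network 149.7.240.128/25        # the assigned /25 to announce to Cogent

# One group per upstream (pfSense: Groups), one neighbor per Cogent port (pfSense: Neighbors)
group "COGENT" {
    remote-as 174                # Cogent's ASN; 179 is the BGP TCP port, not an ASN
    announce IPv4 unicast

    neighbor 149.6.25.41 {       # c1: Cogent router port IP of the first /29
        descr "cogent-c1"
        local-address 149.6.25.42    # dmateos' "Local address" field
        set nexthop 149.6.25.41      # dmateos' "Set Next Hop" field
    }

    neighbor 203.0.113.41 {      # c2: constructed address for the second /29, replace with the real one
        descr "cogent-c2"
        local-address 203.0.113.42
        set nexthop 203.0.113.41
    }
}

# Filters (assumed policy): accept routes from Cogent, send back only our own /25.
# OpenBGPD uses last-match-wins, so the deny rules come first.
deny from any
deny to any
allow from group "COGENT"
allow to group "COGENT" prefix 149.7.240.128/25
```

The firewall rule from step four is then a pass rule on each Cogent interface for TCP destination port 179 from the Cogent router port IP to the customer router port IP (149.6.25.41 to 149.6.25.42 for c1, the matching pair for c2). The outbound filter line is what keeps the firewall from re-announcing Cogent's own routes back to it.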
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.