Need to setup BGP to peer and announce IPs and route them - help!

  • Disclaimer - I have been using pfSense as a general VPN, NAT and firewall (running under VMware ESXi) for a few months now and really enjoy it. I am not completely new to pfSense but most of the advanced features are unknown to me.

    Now, that being said, I have an AS number that was issued to my company and I am tasked with:

    1. Peering with our datacenter/co-location provider;
    2. Announcing one or more of our APNIC allocations to the Internet;
    3. Naturally, routing traffic for the servers in the rack that use those announced IPs to the Internet.

    I am pretty much clueless with BGP. I know there is an OpenBGPd package with pfSense. I have our ASN and our uplink's AS number. They assigned us a /30 for use with the BGP setup; one IP will be us and the other will be them, to whom we peer. I have our /24 that I need to announce.

    What kind of configuration am I looking at here? How do I achieve this? I installed a brand new pfSense guest instance on VMware ESXi for use with this. The host machine itself has 3 NICs; one is connected to the LAN for management, one is connected to the drop with the /30 for peering with BGP and the other - do I need it? Or for routing traffic for our IPs through our peering arrangement do I need just the interface connected to the drop with the /30 allocation and peered, and the LAN? And route traffic to and from the LAN and that port?

    What do I setup with OpenBGPd? I have the uplink's AS and they added us to their tables for peering. How do I tell pfSense to peer with their AS on the interface with the /30 assigned (we have 1 IP , they have the other , strictly for peering purpose ) and then announce our IP addresses (/24 and /23 CIDRs from APNIC) to it, and route the traffic to and from the Internet for these IPs?

    I am sorry for a request of so much information. I just have no idea what I am doing just yet as this is my first peering setup and I don't want to jump in completely uninformed. Any help that anyone can provide would be absolutely wonderful. I figured this would be the place to ask since there are many pfSense and I assume also networking gurus.

    Thank you all very much!

  • I too want to know the answer to this, but from my own posts and from reading others', no one ever seems to reply with the answer.

  • I am in need of setting this up too. We have an AS and a /24 network that we need to advertise to the Internet. I currently have a Brocade CER 2024C router, 4 or 5 years old, that currently does our BGP, but it doesn't have enough registers for the required 600,000 routes that's a full Internet routing table (it only has 524,288 max). Does anyone even know if pfSense can handle a BGP full Internet route table?

    To the lab bench I go!

    I'm going to build a test pfSense box and connect it to our Internet circuit after hours and see if it will.

  • I'm pulling full routes from two providers on a box with 8GB. It's only showing 10% memory usage. I'm sure there are plenty of others getting full routes on pfSense/OpenBGPd.

  • LAYER 8 Global Moderator

    I am just curious: in what scenario do you need to pull the full routing table? Are you a peer for multiple backbone networks?

    If you're just an end user with some networks on your side, pretty much don't all 600-some-thousand routes all point to your ISP gateway anyway ;)

  • @johnpoz:

    I am just curious: in what scenario do you need to pull the full routing table? Are you a peer for multiple backbone networks?

    That's how BGP works - you compare the routing tables and see which provider has the best path. If you were not multi-homed, you could just use a default route, but then you wouldn't need BGP anyway.

  • LAYER 8 Global Moderator

    No, you would still need BGP if you wanted to announce and advertise the networks that are behind your transit. Advertising what you have, say, has nothing to do with holding the full Internet routing table..

  • If you are single homed, why wouldn't you just have the provider announce the block for you?

  • LAYER 8 Global Moderator

    You could do that… But what if you have multiple connections with different providers and announce part of your networks out of connection A, while others out of B and if A goes down you announce your networks out of the other location, etc.

    My point was this poster does not seem like they are an Internet peer with multiple connections and routes - there is NO point to trying to hold a copy of the Internet routing table in such a setup. We run BGP and I can tell you for freaking sure we don't hold the Internet routes on those routers - it's completely pointless to do such a thing unless you peer with multiple backbones and have a use.

    Most companies would be edge users and even when they have multiple providers into their location for failover, backup, load you would have no freaking use to hold the whole internet routing table on any of your devices be it a pfsense box or actual router, etc.

    Now it can be interesting to look at ;)  But holding the routing table for the whole freaking planet has really little to do with running bgp to advertise your routes..

    As to your ISP announcing it for you.. You might do that if you have, say, 1 network or so. But we have a /16 and we advertise different parts of it out of different locations with different providers, etc..

  • This has gone totally off the rails in regards to the question asked. Some people need or want the full table. It is possible on pfSense/OpenBGPd. Not going to go on about particular use cases. Was just trying to share some data on memory usage. I'll use BGP the way I think it best suits my environment, and you can use it how it suits yours. Peace out.

  • Just to update everyone, I ended up setting this up and everything has been working great. I am accepting the full Internet routes (633,410) and my system is using 0% CPU and 2% of 98 GB RAM.

  • Good to know.
    How do you activate the full routing table? How do you see it?
    In show routes I see only 20 entries; I do not see the 6400000 entries.

    thanks for sharing

  • You set up the peering with the provider(s). They will send you routes based on their configuration. You should talk to your provider. If you aren't multi-homed, you can just get a default route from them.
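  • The opening question asks what the OpenBGPd side of a single-upstream setup looks like, and the reply above adds that a single-homed site only needs a default route rather than the full table. The following bgpd.conf is an added, hand-written illustration covering both points; it is not from the original thread, from the poster, or from the pfSense package (which generates an equivalent file from its GUI fields). Every ASN, address and prefix in it is a documentation placeholder (AS64496/AS64497, 192.0.2.0/30, 203.0.113.0/24), not the poster's real allocation, and the MD5 secret is a constructed example.

```conf
# bgpd.conf - OpenBGPD, single upstream, originate one /24
# All values below are constructed documentation placeholders.

AS 64496                      # our ASN (placeholder)
router-id 192.0.2.1           # our side of the provider's /30 (placeholder)

# The only prefixes this router is authorised to originate.
# Add the /23 here as a second line once it is ready to be announced.
prefix-set ours {
    203.0.113.0/24
}

# Originate the aggregate. The /24 itself must be reachable from this box
# (LAN interface address or a static route) or the announced traffic is black-holed.
network 203.0.113.0/24

neighbor 192.0.2.2 {
    remote-as 64497           # upstream's ASN (placeholder)
    descr "upstream-transit"
    announce IPv4 unicast
    # Enable only if the provider configured the same secret on their side.
    # tcp md5sig password "constructed-shared-secret"
}

# --- Filters. OpenBGPD uses last-match semantics unless a rule says "quick".
# Start by denying everything in both directions so nothing passes by accident.
deny from any
deny to any

# Never accept our own space back from the upstream (route leak / hijack guard).
deny quick from any prefix-set ours

# Outbound: announce exactly our prefixes and nothing learned from anyone else.
allow to 192.0.2.2 prefix-set ours

# Inbound, single-homed: a default route is all that is needed.
allow from 192.0.2.2 prefix 0.0.0.0/0

# Inbound, multi-homed alternative: accept the full table, but only
# sane lengths, so a /32 flood or an over-specific leak is dropped.
# allow from 192.0.2.2 inet prefixlen 8 - 24
```

    Once the daemon is running, `bgpctl show neighbor` reports whether the session reached Established, `bgpctl show rib` lists what was received and accepted by the inbound filter (with a default-route-only filter that is one entry, which is why "show routes" stays short), and `bgpctl show rib neighbor 192.0.2.2 out` shows exactly what is being announced to the upstream, which is worth checking before go-live to confirm nothing beyond the `ours` set leaves the box.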
