Hello, I think I can reply to myself: bgpd.conf(5) says "currently the routing table must belong to the default routing domain". So for now, what I'm trying to do is just not possible with OpenBSD + bgpd.
Does anybody know if it is planned to implement this functionality? Maybe I could help with testing, as my C skills are far below what is needed to do that.

--
Regards,
Pierre BARDOU

-----Original message-----
From: BARDOU Pierre
Sent: Monday, 19 May 2014 11:30
To: misc@openbsd.org
Subject: Multi-VRF bgpd (no MPLS)

Hello,

I'm trying to prevent my boss from buying an ASA 5585-X, to use an OpenBSD box instead. NAT on ASA is such a pain...
The use would be a WAN firewall, routing for sites with potentially identical IP ranges. Overlapping IP ranges are translated by the firewall so that, from the point of view of the main site, every IP is different.
Currently this is done using ASA contexts and static routing. I'd like to do the same with OpenBSD plus BGP routing.
So I started to set up a PF box with VRFs (one BSD VRF <-> one ASA context); this works like a charm.
Problems start when I try to do BGP routing: basically what I need is one BGP daemon running in each VRF.
I tried to launch BGP with route -T <VRF number> exec bgpd -f /etc/bgpd.conf.<VRF number>; it learns routes from the WAN, but doesn't inject them into rdomain <VRF number>.
I dealt with the problem of nexthop qualifying on rdomain 0 using nexthop qualify via default.
I have messages like these in my logs:

neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established, reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable

My bgpd.conf:

# grep -v "^#" bgpd.adh200
peer_adh200_int="10.200.6.57"
peer_adh200_ext="10.200.18.209"
pool_adh200="10.199.12.112/28"

AS 65040
router-id 10.194.126.241
listen on 10.200.18.214
listen on 10.200.6.62
rtable 200
nexthop qualify via default

neighbor $peer_adh200_int {
	descr "ADH200_INT"
	remote-as 65040
}

neighbor $peer_adh200_ext {
	descr "ADH200_EXT"
	remote-as 65041
}

Some bgpctl show output:

# bgpctl sh nex
Flags: * = nexthop valid
 Nexthop          Route            Prio Gateway          Iface
*10.200.18.209    0.0.0.0/0           8 10.194.126.254   vlan3080 (UP, active)

# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete
flags destination          gateway          lpref   med aspath origin
*>    10.199.12.112/28     10.200.18.209      100     0 65041 i
*>    10.199.13.112/28     10.200.18.209      100     0 65041 i

# route -T 200 show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.200.18.209      UGS        0        0     -     8 carp450
10/8               sw-t-wan-adh200    UGS        0        0     -     8 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
sw-t-wan-adh200    00:08:e3:ff:fc:08  UHLc       3       38     -     4 carp2200
10.200.6.62        00:00:5e:00:01:01  UHLc       0        1     -     4 lo0
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         1        0     -     4 carp450
10.200.18.209      00:1e:c9:49:17:d8  UHLc       2      234     -     4 carp450
172.16/12          sw-t-wan-adh200    UGS        0        0     -     8 carp2200
192.168/16         sw-t-wan-adh200    UGS        0        0     -     8 carp2200

Any idea why those routes are not injected?
Thanks

--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr

Before printing this e-mail, think of the environment
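The check behind the question above, as an added example that is not part of the original post nor code from OpenBSD: given the text of `bgpctl show rib`, `route -T N show` and the bgpd log (assumed to be saved to files or pasted in; the names RIB_OUTPUT, ROUTE_OUTPUT and BGPD_LOG below are this example's own), it lists every prefix bgpd selected that the kernel table of the rdomain does not contain, paired with the send_rtmsg error bgpd logged for it, and tells you whether the nexthop itself is at least covered by a prefix in that table. The sample inputs are copied from the post (route output abridged).

```python
"""Cross-check bgpd's RIB against the kernel routing table of an rdomain.

Added example, not from the original post or from OpenBSD.  The inputs are
command output and log text; nothing here talks to bgpd or the kernel.
"""
import ipaddress
import re

# `*>` rows are the paths bgpd marks valid and selected.
RIB_ROW = re.compile(r'^\*>\s+(\S+)\s+(\S+)')
# A route(8) row has at least destination, gateway and flags columns.
ROUTE_ROW = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)')
# The error bgpd logs when the kernel refuses a route it tried to insert.
RTMSG_ERR = re.compile(r'send_rtmsg: action (\d+), prefix (\S+): (.+)$')
HEADER_WORDS = {'Routing', 'Internet:', 'Destination'}

# Sample inputs copied from the post (a box running bgpd with `rtable 200`).
RIB_OUTPUT = """flags destination gateway lpref med aspath origin
*> 10.199.12.112/28 10.200.18.209 100 0 65041 i
*> 10.199.13.112/28 10.200.18.209 100 0 65041 i
"""
ROUTE_OUTPUT = """Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 10.200.18.209 UGS 0 0 - 8 carp450
10/8 sw-t-wan-adh200 UGS 0 0 - 8 carp2200
10.200.6.56/29 link#10 UC 1 0 - 4 carp2200
sw-t-wan-adh200 00:08:e3:ff:fc:08 UHLc 3 38 - 4 carp2200
10.200.18.208/29 link#12 UC 0 0 - 4 carp450
10.200.18.209 00:1e:c9:49:17:d8 UHLc 2 234 - 4 carp450
172.16/12 sw-t-wan-adh200 UGS 0 0 - 8 carp2200
"""
BGPD_LOG = """neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established, reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable
"""


def normalize_dest(dest):
    """Turn route(8)'s abbreviated destinations into ip_network objects.

    route(8) prints 'default', classless shorthand such as '10/8', host
    routes without a mask, and hostnames for resolvable addresses; the last
    cannot be compared to a prefix and yields None.
    """
    if dest == 'default':
        return ipaddress.ip_network('0.0.0.0/0')
    addr, _, plen = dest.partition('/')
    octets = addr.split('.')
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    octets += ['0'] * (4 - len(octets))
    return ipaddress.ip_network('.'.join(octets) + '/' + (plen or '32'),
                                strict=False)


def selected_prefixes(rib_text):
    """Return {prefix: nexthop} for the rows bgpctl marks '*>'."""
    rib = {}
    for line in rib_text.splitlines():
        m = RIB_ROW.match(line.strip())
        if m:
            rib[ipaddress.ip_network(m.group(1))] = m.group(2)
    return rib


def kernel_prefixes(route_text):
    """Return the set of destinations present in `route -T N show` output."""
    fib = set()
    for line in route_text.splitlines():
        m = ROUTE_ROW.match(line.strip())
        if not m or m.group(1) in HEADER_WORDS:
            continue
        net = normalize_dest(m.group(1))
        if net is not None:
            fib.add(net)
    return fib


def rtmsg_errors(log_text):
    """Map each prefix bgpd failed to install to the kernel's error string."""
    return {ipaddress.ip_network(m.group(2)): m.group(3)
            for m in (RTMSG_ERR.search(l) for l in log_text.splitlines()) if m}


def nexthop_covered_by(nexthop, fib):
    """Most specific kernel prefix covering the nexthop, or None."""
    addr = ipaddress.ip_address(nexthop)
    hits = [n for n in fib if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def missing_routes(rib_text, route_text, log_text):
    """Selected RIB prefixes absent from the kernel table, with bgpd's reason."""
    fib = kernel_prefixes(route_text)
    errs = rtmsg_errors(log_text)
    return {str(p): (nh, errs.get(p, 'no send_rtmsg error logged'))
            for p, nh in selected_prefixes(rib_text).items() if p not in fib}


if __name__ == '__main__':
    fib = kernel_prefixes(ROUTE_OUTPUT)
    for prefix, (nh, why) in sorted(missing_routes(RIB_OUTPUT, ROUTE_OUTPUT, BGPD_LOG).items()):
        cover = nexthop_covered_by(nh, fib)
        print(f'{prefix} via {nh}: not in kernel table ({why}); '
              f'nexthop covered by {cover} in this table')
```

Run against the post's data it reports both /28s as missing with "Network is unreachable", while showing that the nexthop 10.200.18.209 is covered by a host route in rtable 200. That is the useful distinction: the table does know the gateway, so the failure is not a missing route to the nexthop but the limitation bgpd.conf(5) states, that the rtable must belong to the default routing domain. The same script applies to any rdomain: feed it the three outputs for the table in question and an empty result means every selected path made it into the kernel.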