Hi, I'm having a bit of trouble with the finer details of my OpenBGPD config, and would appreciate some tips on getting it right and advice on the right way of doing things.
I have two routers, two independent BGP connections, and a block of provider independent address space. The routers are arranged in a redundant pair. The public network and some private subnets have gateway addresses provided with CARP. The two routers use pfsync.

The BGP connections are actually completely independent (I'll be adding two more in due course for a total of four). They have different network addresses, cables and routes to the rest of the world. The cables are plugged directly into the routers, and there's no CARP on those interfaces. Packets will arrive via either of those routes.

I have got a basic configuration working. This maintains the BGP sessions, packets go in and out, and the firewalls fail over as they should. I use "depend on carp0 ... carp3" on the master router (chosen via advskew) to drop that session if it fails, and "demote" on the backup to make sure it doesn't like being master if it doesn't have a BGP session.

Our ISPs have recommended that I should also advertise routes between the routers, so that if one's BGP session fails, it can route packets to the other for a cleaner failover. I have not managed to get this configuration working.

Some configuration information, with the real details removed to protect the guilty.

AS: 99999
PI subnet: A.A.A.0/23
PI gateway: A.A.A.1
Master: A.A.A.2
Backup: A.A.A.3
BGP connection 1: X.X.X.4 -> X.X.X.200 on X.X.X.0/24, AS 88888
BGP connection 2: Y.Y.Y.4 -> Y.Y.Y.200 on Y.Y.Y.0/24, AS 88888 (Y.Y.Y != X.X.X)

/etc/bgpd.conf

    AS 99999
    network A.A.A.0/23

    neighbor X.X.X.200 {
        remote-as 88888
        local-address X.X.X.4
        announce self
        tcp md5sig password PASSWORD1
        depend on carp1
        depend on carp2
        depend on carp3
        # demote on backup
    }

    neighbor A.A.A.3 {
        remote-as 99999
        descr "backup"
        local-address A.A.A.2
        announce all
        tcp md5sig password PASSWORD2
        set nexthop A.A.A.3    # A.A.A.2 didn't help
        set localpref -10
    }

    # ... filter rules as example.
    # I have also tried adding
    # deny from A.A.A.3 prefix A.A.A.0/23

I have checked that the other router is the mirror image. I have not included a dmesg as the machine is working fine, and I have a basic configuration working.

With the failover configuration, I have managed to get it to transfer the routes across, but if I set the ISP session to idle, it appears to reconfigure the routes (checked with bgpctl and route get), but the packets never get through: "no route to host". My test packets are originated from the router with the idle BGP connection. I am using pf, but the same effects are seen with it disabled.

Am I doing this right? Is it necessary in the first place? It does appear to be a belt-and-braces solution to the fail-over problem.

Many thanks.

Ben
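A small configuration lint, written as an added example for this thread and not code from the original post or from OpenBGPD: it parses a bgpd.conf in the shape shown above and reports, per neighbor, any session that lacks tcp md5sig, any eBGP session with no "depend on carp*" clause, and any router-to-router iBGP session (remote-as equal to the local AS) without "announce all" or an explicit "set nexthop". The sample configuration embedded below is constructed with the same placeholder addresses, AS numbers and passwords as the post; the parser covers only the AS and neighbor statements that appear there, and the function names are my own.

```python
import re

# Constructed sample in the shape of the poster's /etc/bgpd.conf: placeholder
# addresses, AS numbers and passwords as in the post, not a live configuration.
SAMPLE_BGPD_CONF = """\
AS 99999
network A.A.A.0/23

neighbor X.X.X.200 {
    remote-as 88888
    local-address X.X.X.4
    announce self
    tcp md5sig password PASSWORD1
    depend on carp1
    depend on carp2
    depend on carp3
    # demote on backup
}

neighbor A.A.A.3 {
    remote-as 99999
    descr "backup"
    local-address A.A.A.2
    announce all
    tcp md5sig password PASSWORD2
    set nexthop A.A.A.3
    set localpref -10
}
"""


def parse_bgpd_conf(text):
    """Parse the subset of bgpd.conf used in the post: a top-level 'AS'
    statement and 'neighbor <addr> { ... }' blocks. Comments are dropped.
    Returns (local_as, list of {'peer': addr, 'options': [lines]})."""
    local_as = None
    neighbors = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if current is None:
            m = re.match(r"^AS\s+(\d+)$", line)
            if m:
                local_as = int(m.group(1))
                continue
            m = re.match(r"^neighbor\s+(\S+)\s*\{$", line)
            if m:
                current = {"peer": m.group(1), "options": []}
            continue  # other top-level statements (network, filters) are ignored
        if line == "}":
            neighbors.append(current)
            current = None
        else:
            current["options"].append(line)
    if current is not None:
        raise ValueError("unterminated neighbor block for %s" % current["peer"])
    return local_as, neighbors


def lint_neighbor(local_as, neighbor):
    """Return the findings for one neighbor block. An iBGP peer is one whose
    remote-as equals the local AS; the checks mirror the post's own setup
    (md5sig on every session, depend on carp* on the eBGP sessions, announce
    all plus an explicit nexthop on the router-to-router session)."""
    opts = neighbor["options"]
    findings = []
    remote = None
    for o in opts:
        if o.startswith("remote-as "):
            remote = int(o.split()[1])
    if remote is None:
        findings.append("missing remote-as")
        return findings
    ibgp = remote == local_as
    if not any(o.startswith("tcp md5sig ") for o in opts):
        findings.append("session is not MD5-authenticated (no tcp md5sig)")
    if not ibgp and not any(o.startswith("depend on ") for o in opts):
        findings.append("eBGP session has no 'depend on carp*' clause")
    if ibgp and "announce all" not in opts:
        findings.append("iBGP peer does not 'announce all'")
    if ibgp and not any(o.startswith("set nexthop ") for o in opts):
        findings.append("iBGP peer has no 'set nexthop'")
    return findings


def lint_bgpd_conf(text):
    """Map each neighbor address to its list of findings (empty = clean)."""
    local_as, neighbors = parse_bgpd_conf(text)
    return {nb["peer"]: lint_neighbor(local_as, nb) for nb in neighbors}


if __name__ == "__main__":
    for peer, findings in lint_bgpd_conf(SAMPLE_BGPD_CONF).items():
        print(peer, findings or "ok")
```

Run against the sample, both neighbors come back clean; removing the md5sig and depend lines from the X.X.X.200 block produces two findings for that peer and none for the iBGP peer, which is the sort of check worth running on both routers before comparing them, since the post's setup relies on the two files being mirror images.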