Hi,

I'm having a bit of trouble with the finer details of my OpenBGPD
config, and would appreciate some tips on getting it right and advice
on the right way of doing things.

I have two routers, two independent BGP connections, and a block of
provider independent address space. The routers are arranged in a
redundant pair. The public network and some private subnets have
gateway addresses provided with CARP. The two routers use pfsync.

The BGP connections are actually completely independent (I'll be
adding two more in due course for a total of four). They have
different network addresses, cables and route to the rest of the
world. The cables are plugged directly into the routers, and there's
no CARP on those interfaces. Packets will arrive via either of those
routes.

I have got a basic configuration working. This maintains the BGP
sessions, packets go in and out, and the firewalls will fail over as
they should. I use depend on carp0 ... carp3 on the master router
(chosen via advskew) to drop that session if it fails, and demote on
the backup to make sure it doesn't like being master if it doesn't
have a BGP session.

I have been recommended by our ISPs that I should also advertise
routes between the routers, so that if one's BGP session fails, it can
route packets to the other for a cleaner failover. I have not managed
to get this configuration working.

Some configuration information, with the real details removed to
protect the guilty.

AS: 99999
PI subnet: A.A.A.0/23
PI gateway: A.A.A.1
Master: A.A.A.2
Backup: A.A.A.3
BGP connection 1: X.X.X.4 -> X.X.X.200 on X.X.X.0/24, AS 88888
BGP connection 2: Y.Y.Y.4 -> Y.Y.Y.200 on Y.Y.Y.0/24, AS 88888
        (Y.Y.Y != X.X.X)

/etc/bgpd.conf

AS 99999
network A.A.A.0/23
neighbor X.X.X.200 {
 remote-as 88888
 local-address X.X.X.4
 announce self
 tcp md5sig password PASSWORD1
 depend on carp1
 depend on carp2
 depend on carp3
 # demote on backup
}

neighbor A.A.A.3 {
 remote-as 99999
 descr "backup"
 local-address A.A.A.2
 announce all
 tcp md5sig password PASSWORD2
 set nexthop A.A.A.3            # A.A.A.2 didn't help
 set localpref -10
}

# ... filter rules as example.
# I have also tried adding
#   deny from A.A.A.3 prefix A.A.A.0/23


I have checked the other is the mirror image. I have not included a
dmesg as the machine is working fine, and I have a basic configuration
working.

With the failover configuration, I have managed to get it to transfer
the routes across, but if I set the ISP session to idle, it appears to
reconfigure the routes (checked with bgpctl and route get), but the
packets never get through with no route to host. My test packets are
originated from the router with the idle BGP connection.

I am using pf, but the same effects are seen with it disabled.

Am I doing this right?

Is it necessary in the first place? It does appear to be a
belt-and-braces solution to the fail-over problem.

Many thanks.

Ben
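
As an added illustration (not from the post, and not OpenBGPD code): a small Python model of BGP nexthop resolution on the two-router topology above, with RFC 5737 documentation addresses standing in for A.A.A, X.X.X and Y.Y.Y (and a /24 PI block for simplicity). It shows that a prefix the master learned over eBGP keeps the ISP's address as nexthop when passed over iBGP, which the backup has no non-BGP route to, and that rewriting the nexthop to the iBGP peer's own address, the effect the post's `set nexthop` line is aimed at, makes the route usable on the backup.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the post's placeholders (RFC 5737 documentation ranges):
#   PI block A.A.A.0/23  -> 203.0.113.0/24  (master .2, backup .3)
#   ISP link X.X.X.0/24  -> 198.51.100.0/24 (master's cable, ISP side .200)
#   ISP link Y.Y.Y.0/24  -> 192.0.2.0/24    (backup's cable, ISP side .200)
ROUTERS = {
    "master": {"self": "203.0.113.2", "connected": ["203.0.113.0/24", "198.51.100.0/24"]},
    "backup": {"self": "203.0.113.3", "connected": ["203.0.113.0/24", "192.0.2.0/24"]},
}

# Routes the master learned from its own ISP session (eBGP): a default route
# whose nexthop is the ISP's address on the master's link.  Constructed sample.
MASTER_EBGP = {"0.0.0.0/0": "198.51.100.200"}


def nexthop_valid(nexthop, router):
    """A BGP nexthop is only usable if a non-BGP route (here: a connected
    subnet of that router) covers it; otherwise the path cannot be installed."""
    nh = ip_address(nexthop)
    return any(nh in ip_network(net) for net in ROUTERS[router]["connected"])


def ibgp_receive(routes, receiver, sender, rewrite_nexthop):
    """Model the receiver taking routes over iBGP from the sender.  With
    rewrite_nexthop the nexthop is replaced by the sender's own address
    (the rewrite the post's neighbor-block 'set nexthop' aims at); without
    it the eBGP nexthop is passed through unchanged."""
    received = {}
    for prefix, nexthop in routes.items():
        nh = ROUTERS[sender]["self"] if rewrite_nexthop else nexthop
        received[prefix] = (nh, nexthop_valid(nh, receiver))
    return received


def usable(received):
    """Prefixes whose nexthop resolved, i.e. the ones that would reach the kernel."""
    return sorted(prefix for prefix, (_, ok) in received.items() if ok)


def demo():
    """Backup's view of the master's default route, without and with the rewrite."""
    leaked = ibgp_receive(MASTER_EBGP, "backup", "master", rewrite_nexthop=False)
    fixed = ibgp_receive(MASTER_EBGP, "backup", "master", rewrite_nexthop=True)
    return usable(leaked), usable(fixed)


if __name__ == "__main__":
    unchanged, rewritten = demo()
    print("backup usable routes, nexthop passed through:", unchanged)
    print("backup usable routes, nexthop = master:      ", rewritten)
```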