On Tue, Apr 06, 2010 at 09:42:05PM +0700, Insan Praja SW wrote:
> Hi Misc@,
> Has anyone tried to set up a bgpd(8) configuration with pf(4),
> specifically with rdomain?
> I'm trying to set up a simple VPN routing (VRF like) on openbsd
> 4.7.i386-current (15 march 2010). RTFM-ing the manual, I could only
> come up with:
>
> 1. rtable on pf.conf is similar to rdomains. I don't know if there
> are additional parameters to include an interface on a specific
> routing domain (eg. rdomain 1) in the pf(4) ruleset.

pf(4)'s rtable is smart enough to figure out if a state is between two
rdomains or not. In the first case it acts similar to a NAT/RDR (but
without modification of source or destination IP); in the second case
only the lookup in the direction of the state will use the special
routing table (reverse traffic will use the main table).

> 2. to supply a routing table on rdomain 1 using bgpd(8), I had to set
> rtable 1 in the global configuration, which also means that I had to
> set up another instance of bgpd to retain the default routing table
> (rtable 0).
>

Running bgpd on different rdomains is currently not really possible.
bgpd does not allow running on a completely different rdomain; it will
always use rdomain 0 for some stuff. I'm on the way to fix this but it
is a 3500 line diff and is still not finished.

> My questions are:
> 1. Is there additional setup in pf rulesets to include an
> interface that belongs to a specific rdomain?

pf(4) knows when a packet/state is in a different rdomain. You can
select rdomains based on the interfaces belonging to them, e.g. by using
interface groups, but I know that there is an upcoming need for a
"pass on rdomain 1". Here's a quick example:

    pass on vlan203

Traffic is forwarded and route lookups etc. happen on the rdomain
vlan203 is in.

    pass on vlan203 rtable 2

Traffic is passed and while going through pf the rdomain is switched to
rtable 2 aka rdomain 2. So the route lookup will happen on that rdomain
and not the rdomain vlan203 belongs to. Reverse traffic will also switch
back to the original rdomain. Depending on when the state is created (in
vs. out) the ip_forward route lookup will happen in the translated or
untranslated rdomain (so make sure you have routes available to make it
to pf_test() in ip_output).

> 2. Is there any way to set up vrf-like configurations without another
> instance of bgpd? or storing/injecting a bgpd rib from a neighbor
> into a specific routing table (eg. rtable 1)?
>

Again this is coming with full BGP MPLS VPN support. Then you can use
something like:

    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:1
        export-target rt 65003:1
    }

in bgpd.conf to add routes into rdomains.

--
:wq Claudio
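A pf.conf fragment that puts the two rule forms from the reply above side by side, as an added example that is not from the thread: it assumes vlan204 has been moved into rdomain 1 with `ifconfig vlan204 rdomain 1`, and that vlan203 stays in rdomain 0 but is a member of the interface group cust1 (`ifconfig vlan203 group cust1`); the interface names, the group name and the next hop are all made up for the example.

```conf
# Added example pf.conf fragment (not from the thread); names are assumed.

# vlan204 already lives in rdomain 1 (ifconfig vlan204 rdomain 1), so no
# rtable keyword is needed: states on it are created in rdomain 1 and the
# route lookup for both directions happens there.
pass on vlan204

# vlan203 lives in rdomain 0 but belongs to the interface group cust1, so
# this rule selects it by group rather than by name. The state switches
# these packets to rtable 2 (rdomain 2) for the route lookup; reply
# traffic matching the state is switched back to rdomain 0.
pass on cust1 rtable 2

# Because the forward lookup happens in the translated rdomain, rdomain 2
# needs a usable route for the destinations, otherwise the packet never
# reaches pf_test() from ip_output(). Assumed next hop, installed with:
#   route -T 2 add default 10.2.0.254
```

Whether a given packet is looked up in the translated or the untranslated rdomain depends on whether the state was created on the in or the out rule, so check `pfctl -ss` for the rtable column when debugging.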