On Tue, Apr 06, 2010 at 09:42:05PM +0700, Insan Praja SW wrote:
> Hi Misc@,
> Has anyone tried to set up a bgpd(8) configuration with pf(4),
> specifically with rdomain?
> I'm trying to setup a simple VPN routing (VRF like) on openbsd
> 4.7.i386-current (15 march 2010). RTFM-ing the manual, I could only
> come up with:
> 
> 1. rtable in pf.conf is similar to rdomains. I don't know if there
> are additional parameters to include an interface on a specific
> routing domain (e.g. rdomain 1) in a pf(4) ruleset.

pf(4)'s rtable is smart enough to figure out whether a state is between two
rdomains or not. In the first case it acts similar to a NAT/RDR (but
without modification of the source or destination IP); in the second case only
the lookup in the direction of the state will use the special routing
table (reverse traffic will use the main table).

> 2. to supply a routing table on rdomain 1 using bgpd(8), I had to set
> rtable 1 in the global configuration, which also means that I had to
> set up another instance of bgpd to retain the default routing table
> (rtable 0).
> 

Running bgpd on different rdomains is currently not really possible.
bgpd does not allow running on a completely different rdomain; it will always
use rdomain 0 for some stuff. I'm on the way to fix this, but it is a 3500
line diff and is still not finished.

> My questions are:
> 1. Is there additional setup in pf rulesets to include an
> interface that belongs to a specific rdomain?

pf(4) knows when a packet/state is in a different rdomain. You can select
rdomains based on the interfaces belonging to them, e.g. by using interface
groups, but I know that there is an upcoming need for a "pass on rdomain 1".

Here's a quick example:
pass on vlan203

Traffic is forwarded and route lookups etc. happen in the rdomain vlan203
is in.

pass on vlan203 rtable 2

Traffic is passed and, while going through pf, the rdomain is switched to
rtable 2, aka rdomain 2. So the route lookup will happen in that rdomain
and not in the rdomain vlan203 belongs to. Reverse traffic will also switch
back to the original rdomain. Depending on when the state is created (in vs.
out) the ip_forward route lookup will happen in the translated or
untranslated rdomain (so make sure you have routes available to make it to
pf_test() in ip_output).


> 2. Is there any way to set up VRF-like configurations without another
> instance of bgpd? Or storing/injecting a bgpd RIB from a neighbor
> into a specific routing table (e.g. rtable 1)?
> 

Again, this is coming with full BGP MPLS VPN support. Then you can use
something like:

rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:1
        export-target rt 65003:1
}

in bgpd.conf to add routes into rdomains.

-- 
:wq Claudio

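A fuller pf.conf along the lines of the two rules above, added here as an example and not taken from Claudio's mail. It assumes the interface groups "customer" (vlan203 and vlan204, both placed in rdomain 1 with ifconfig's rdomain and group keywords) and "uplink" (em0, left in rdomain 0); the interface names, group names and the 10.1.0.0/16 and 192.0.2.0/24 prefixes are made up for the example.

```pf
# Added example, not from the original mail. Assumed setup done beforehand:
#   ifconfig vlan203 rdomain 1 group customer
#   ifconfig vlan204 rdomain 1 group customer
#   ifconfig em0 group uplink          (em0 stays in rdomain 0)
# Group names are used because pf has no "on rdomain N" selector yet;
# a group name may not end in a digit, hence "customer" rather than "cust1".

# Rule 1: traffic on any interface of the customer group stays in the
# rdomain those interfaces live in (rdomain 1). No table switch happens,
# so state tracking behaves exactly as on a single-rdomain box.
pass on customer

# Rule 2: flows from the customer prefix (rdomain 1) that must leave via the
# shared uplink (rdomain 0). The rule is applied on the "in" side, so the
# switch to rtable 0 happens before ip_forward does its lookup, and that
# lookup already sees rdomain 0 and finds the uplink route. pf records the
# switch in the state, so replies coming in on em0 are put back into
# rdomain 1 (the NAT/RDR-without-address-rewrite case from the mail).
pass in on customer inet from 10.1.0.0/16 to 192.0.2.0/24 rtable 0

# Rule 3: the same for flows initiated from the uplink side. Replies to
# rule 2 flows never reach this rule; they match the existing state first.
pass in on uplink inet from 192.0.2.0/24 to 10.1.0.0/16 rtable 1

# Caveat (this is the "in vs. out" point from the mail): if the switch is
# instead done on the "out" side, as in
#   pass out on uplink inet from 10.1.0.0/16 rtable 0
# ip_forward has already done its lookup in rdomain 1 before pf runs, so
# rdomain 1 needs a route for 192.0.2.0/24 just to carry the packet as far
# as ip_output and pf_test(); otherwise it is dropped before pf ever sees it.
```

After loading with pfctl -f, check the result from both sides with route -T 0 show and route -T 1 show, and watch the state table with pfctl -ss to confirm that a customer-to-uplink state exists once and that the reverse direction matches it rather than creating a second one.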