pf rtable, bgpd, and route (8) (was: Anyone lucky with pf rtable ?)
On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer [EMAIL PROTECTED] wrote:

> * Insan Praja SW [EMAIL PROTECTED] [2008-01-24 18:43]:
>> Hi Misc@,
>> I'm currently setting up a BGP router using OpenBGPD. Routes learned from
>> OpenBGPD are stored in routing table 1. So, I have this client from NET2,
>> coming in on the same interface that my iBGP peer comes in on, and I want
>> to pass the client from NET2 going to the regional exchange to the Quagga
>> router. I got no luck with:
>>
>>   pass on $ext_if from $NET2 to any modulate state rtable 1
>>
>> NET2 always uses the default route via $ext_if when going to the regional
>> exchange. I appreciate any input and suggestion regarding this.
>
> Assigning an rtable decision on the outbound interface is too late, since
> the routing decision has already been taken then. You have to do it in the
> inbound direction. That is true for the reverse path too.

Hi Misc@,

I finally figured out how to use the bgpd rtable in pf, and pftable, and I
got more curious. When I use route table 1, should all routes learned from
the default route be copied to rtable 1, or do I have to build it on my own?
And when I did, I had a problem with directly connected networks: I cannot
insert a MAC address as the default gateway, while using the default rtable
I see that some directly connected systems/hosts have their default gateway
as a MAC address. Anyone had any experience with this?

I also would like to ask, maybe a stupid question: how do I display the
route label (from bgpd.conf) using netstat or route show?

Thanks,
Insan
Re: pf rtable, bgpd, and route (8) (was: Anyone lucky with pf rtable ?)
* Insan Praja SW [EMAIL PROTECTED] [2008-02-04 11:48]:
> On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer [EMAIL PROTECTED] wrote:
>> * Insan Praja SW [EMAIL PROTECTED] [2008-01-24 18:43]:
>>> Hi Misc@,
>>> I'm currently setting up a BGP router using OpenBGPD. Routes learned
>>> from OpenBGPD are stored in routing table 1. So, I have this client from
>>> NET2, coming in on the same interface that my iBGP peer comes in on, and
>>> I want to pass the client from NET2 going to the regional exchange to
>>> the Quagga router. I got no luck with:
>>>
>>>   pass on $ext_if from $NET2 to any modulate state rtable 1
>>>
>>> NET2 always uses the default route via $ext_if when going to the
>>> regional exchange. I appreciate any input and suggestion regarding this.
>>
>> Assigning an rtable decision on the outbound interface is too late, since
>> the routing decision has already been taken then. You have to do it in
>> the inbound direction. That is true for the reverse path too.
>
> Hi Misc@,
>
> I finally figured out how to use the bgpd rtable in pf, and pftable, and I
> got more curious. When I use route table 1, should all routes learned from
> the default route be copied to rtable 1, or do I have to build it on my
> own? And when I did, I had a problem with directly connected networks: I
> cannot insert a MAC address as the default gateway, while using the default
> rtable I see that some directly connected systems/hosts have their default
> gateway as a MAC address. Anyone had any experience with this?

All ARP happens in table 0 so far; no need to copy.

> I also would like to ask, maybe a stupid question: how do I display the
> route label (from bgpd.conf) using netstat or route show?

route get shows the label if it is there.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Anyone lucky with pf rtable ?
* Insan Praja SW [EMAIL PROTECTED] [2008-01-24 18:43]:
> Hi Misc@,
> I'm currently setting up a BGP router using OpenBGPD. Routes learned from
> OpenBGPD are stored in routing table 1. So, I have this client from NET2,
> coming in on the same interface that my iBGP peer comes in on, and I want
> to pass the client from NET2 going to the regional exchange to the Quagga
> router. I got no luck with:
>
>   pass on $ext_if from $NET2 to any modulate state rtable 1
>
> NET2 always uses the default route via $ext_if when going to the regional
> exchange. I appreciate any input and suggestion regarding this.

Assigning an rtable decision on the outbound interface is too late, since the
routing decision has already been taken then. You have to do it in the
inbound direction. That is true for the reverse path too.
Re: Anyone lucky with pf rtable ?
* Insan Praja SW [EMAIL PROTECTED] [2008-01-25 16:46]:
> On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer [EMAIL PROTECTED] wrote:
>> * Insan Praja SW [EMAIL PROTECTED] [2008-01-24 18:43]:
>>> Hi Misc@,
>>> I'm currently setting up a BGP router using OpenBGPD. Routes learned
>>> from OpenBGPD are stored in routing table 1. So, I have this client from
>>> NET2, coming in on the same interface that my iBGP peer comes in on, and
>>> I want to pass the client from NET2 going to the regional exchange to
>>> the Quagga router. I got no luck with:
>>>
>>>   pass on $ext_if from $NET2 to any modulate state rtable 1
>>>
>>> NET2 always uses the default route via $ext_if when going to the
>>> regional exchange. I appreciate any input and suggestion regarding this.
>>
>> Assigning an rtable decision on the outbound interface is too late, since
>> the routing decision has already been taken then. You have to do it in
>> the inbound direction. That is true for the reverse path too.
>
> Hi Henning and Misc@,
>
> I figured out that my pf.conf rule
>
>   pass on $ext_if from $NET2 to any modulate state rtable 1
>
> is wrong after carefully trying to understand pf. So I changed it to
>
>   #pass in on $int_if from $NET2 to any modulate state rtable 1
>
> It doesn't change anything; NET2 always goes to the default gateway.

Well, it definitely works. Carefully check that the rule really is the last
matching one and that you actually have a route in that table that matches.
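As an added illustration of the two points made in this thread (the rtable decision belongs on the inbound rule, and the things to verify are that the rule is the last match and that rtable 1 actually holds a matching route, plus "route get" for the label), here is a pf.conf fragment with the checks as comments. It is not from the thread: the macro names follow Insan's, while the NET2 prefixes, the gateway 192.0.2.1 and the destination 203.0.113.10 are constructed placeholders.

```pf
# Added example, not from the thread. Macro names follow the poster's; the
# NET2 prefixes, gateway 192.0.2.1 and destination 203.0.113.10 are constructed.
ext_if = "vlan2"
int_if = "em0"
NET2   = "{ 10.10.10.0/24, 192.168.0.0/24 }"

# Too late: by the time a packet is evaluated on its way out of $ext_if the
# kernel has already looked it up in rtable 0 and chosen the default route,
# so the rtable keyword changes nothing. Kept commented out for contrast.
# pass out on $ext_if from $NET2 to any modulate state rtable 1

# Correct direction: decide the table on the inbound interface, before the
# forwarding lookup. "quick" ends evaluation here, so a later pass rule
# (which would otherwise win under last-match semantics) cannot silently
# replace the rtable assignment. Leave the "#" off: a commented rule is
# not loaded by pfctl.
pass in quick on $int_if from $NET2 to any modulate state rtable 1

# The same rule applies to the reverse path: if a separate rule is needed
# for traffic toward NET2, it also goes on the inbound side of its interface.
# pass in quick on $ext_if1 to $NET2 modulate state rtable 1

# Checks, run as root on the router:
#   pfctl -vsr | grep -A2 'rtable 1'  # rule loaded? its packet counter should
#                                      # rise as NET2 sends traffic
#   route -T 1 show                   # rtable 1 must contain a route matching
#                                      # the destination; if it only holds the
#                                      # bgpd-learned prefixes, add a default:
#   route -T 1 add default 192.0.2.1
#   route -T 1 get 203.0.113.10       # the route chosen in rtable 1 for that
#                                      # destination, including the bgpd label
# Connected routes and ARP stay in rtable 0, so they need not be copied.
```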
Re: Anyone lucky with pf rtable ?
On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer [EMAIL PROTECTED] wrote:

> * Insan Praja SW [EMAIL PROTECTED] [2008-01-24 18:43]:
>> Hi Misc@,
>> I'm currently setting up a BGP router using OpenBGPD. Routes learned from
>> OpenBGPD are stored in routing table 1. So, I have this client from NET2,
>> coming in on the same interface that my iBGP peer comes in on, and I want
>> to pass the client from NET2 going to the regional exchange to the Quagga
>> router. I got no luck with:
>>
>>   pass on $ext_if from $NET2 to any modulate state rtable 1
>>
>> NET2 always uses the default route via $ext_if when going to the regional
>> exchange. I appreciate any input and suggestion regarding this.
>
> Assigning an rtable decision on the outbound interface is too late, since
> the routing decision has already been taken then. You have to do it in the
> inbound direction. That is true for the reverse path too.

Hi Henning and Misc@,

I figured out that my pf.conf rule

  pass on $ext_if from $NET2 to any modulate state rtable 1

is wrong after carefully trying to understand pf. So I changed it to

  #pass in on $int_if from $NET2 to any modulate state rtable 1

It doesn't change anything; NET2 always goes to the default gateway.
Thanks,
Insan

ext_if = vlan2
ext_if0 = vlan111
ext_if1 = vlan4
ext_if2 = vlan22
int_if = em0
int_if0 = rl0
int_priv = {$int_if $int_if0}
port_proxy = 3128
mail_server = 202.149.93.14
icmp_types = { echoreq, unreach }
3d_net = {202.149.93.8 202.149.93.32/28}
3d_local_net = {202.149.93.32/27}
eazy_net = {210.23.64.0/24, 210.23.66.0/24, 210.23.68.0/24, 210.23.79.0/24}
simaya_net = {202.149.93.6 202.149.93.16/28}
simaya_local_net = {202.149.93.80/28}
gl_net = {10.10.10.0/24 192.168.0.0/24}
eazy_port = 15001:2
simaya_port = 20001:25000
gl_port = 25001:3
tigadport = 30001:35000
ejiport = 35001:4
serport = 40001:45001

#TABLE
table <eazy_net> const {210.23.64.0/24, 210.23.66.0/24, 210.23.68.0/24, 210.23.79.0/24}
table <simaya_net> const {202.149.93.6, 202.149.93.16/28}
table <3d_net> const {202.149.93.8, 202.149.93.32/27}
table <server_ip> const {202.149.93.242, 202.149.93.243, 202.149.93.244, 202.149.93.245, 202.149.93.246} # Active IP on vlan4
table <gl_net> const {192.168.0.0/24, 10.10.10.0/24} # internal network and management network
table <rfc1918> const { 0.0.0.0/32, 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/8, 37.0.0.0/8, 39.0.0.0/8, 42.0.0.0/8, 49.0.0.0/8, 50.0.0.0/8, 100.0.0.0/8, 101.0.0.0/8, 102.0.0.0/8, 103.0.0.0/8, 104.0.0.0/8, 105.0.0.0/8, 106.0.0.0/8, 107.0.0.0/8, 108.0.0.0/8, 109.0.0.0/8, 110.0.0.0/8, 111.0.0.0/8, 112.0.0.0/8, 113.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 173.0.0.0/8, 175.0.0.0/8, 176.0.0.0/8, 177.0.0.0/8, 178.0.0.0/8, 179.0.0.0/8, 180.0.0.0/8, 181.0.0.0/8, 182.0.0.0/8, 183.0.0.0/8, 184.0.0.0/8, 185.0.0.0/8, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8, 174.0.0.0/8, 223.0.0.0/8 } # martians of the internet

set ruleset-optimization basic
set optimization aggressive
set block-policy drop
scrub in all

#QUEUE
altq on $ext_if2 bandwidth 6Mb hfsc(linkshare 5Mb upperlimit 5Mb) queue {office, eazy, simaya, 3d, server}
queue office bandwidth 256Kb priority 7 qlimit 500 hfsc (realtime 50% default ecn)
queue eazy bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue simaya bandwidth 2564Kb priority 6 qlimit 500 hfsc (upperlimit 2564Kb ecn)
queue 3d bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue server bandwidth 128Kb priority 6 qlimit 500 hfsc (upperlimit 512Kb ecn)

altq on $ext_if bandwidth 8Mb hfsc(linkshare 5Mb upperlimit 5Mb) queue {dn_office, dn_eazy, dn_simaya, dn_3d, up_server}
queue dn_office bandwidth 512Kb priority 7 qlimit 500 hfsc (realtime 50% default ecn)
queue dn_eazy bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue dn_simaya bandwidth 2564Kb priority 6 qlimit 500 hfsc (upperlimit 2564Kb ecn)
queue dn_3d bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue up_server bandwidth 512Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)

altq on $ext_if1 bandwidth 2Mb hfsc(linkshare 2Mb upperlimit 2Mb) queue {dn_trg, dn_nas, dn_ejigem, dn_matabumi, dn_crot}
queue dn_trg bandwidth 25% priority 6 qlimit 500 hfsc (realtime 50% default ecn)
queue dn_nas bandwidth 25% priority 5 qlimit 500 hfsc (upperlimit 25% ecn)
queue dn_matabumi bandwidth 25% priority 6 qlimit 500 hfsc (upperlimit 25% ecn)
queue dn_crot bandwidth 15% priority 6 qlimit 500 hfsc (upperlimit 25% ecn)
queue dn_ejigem bandwidth 10% priority 6 qlimit 500 hfsc (upperlimit 10% ecn)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
no nat on $ext_if inet from <3d_net> to any
nat pass on $ext_if inet from <gl_net> to any -> $ext_if
nat pass on $ext_if1 inet from <gl_net> to any -> $ext_if1
nat pass on $ext_if2 inet from $eazy_net to any -> $ext_if2 port $ejiport source-hash
nat pass on $ext_if2 inet from $3d_net to any -> $ext_if2 port $tigadport source-hash
nat pass on $ext_if2 inet from $simaya_net to any ->
Anyone lucky with pf rtable ?
Hi Misc@,

I'm currently setting up a BGP router using OpenBGPD. Routes learned from
OpenBGPD are stored in routing table 1. So, I have this client from NET2,
coming in on the same interface that my iBGP peer comes in on, and I want to
pass the client from NET2 going to the regional exchange to the Quagga
router. I got no luck with:

  pass on $ext_if from $NET2 to any modulate state rtable 1

NET2 always uses the default route via $ext_if when going to the regional
exchange. I appreciate any input and suggestion regarding this.

Thanks,
Insan Praja SW

[Network diagram: AS 65021, with a QUAGGA router peering with the regional
exchange; the OpenBSD gateway reaches QUAGGA via ext_if1 and NATs toward the
upstream/Internet via ext_if2; NET2 (non-BGP clients) sits behind the OpenBSD
gateway.]