Vegards Blog

Vegards nye karriere som blogger.

BGP part three – eBGP between a VPS and on-prem

In my last blog post, I described setting up a VPN tunnel between my home network and the VPS. This is thus the prerequisites for this post, I have a working VPN connection with point-to-point-connections

  • 192.168.229.2 (VPS) can talk to 192.168.229.1 (home network)
  • fd46:c709:32c6:3::1 (VPS) can talk to fd46:c709:32c6:3::2 (home network)

You also need to make sure that firewall rules doesn’t block the traffic, in particular we need port 179 for

In eBGP, you route between different ASes. I could probably have gotten way with iBGP also for this use case, but I wanted eBGP. It could also be possible that you are using a more advanced cloud provider which handles setting up a BGP AS for you. I wanted to use eBGP here, so eBGP it is. The actual differences between eBGP and iBGP I found nicely explained here.

As we’re using 64512 as our home AS, I have picked 64513 for my VPS AS.

Also keep in mind that on my Unifi, I am already running iBGP. I’ll leave that configuration in, so that you know that wherever my Unifi configuration refers to metallb, this is what is referred to. The vti64 interface on the Unifi router is the IPSEC interface (this is created automatically by IPSEC setup of Unifi), while tun-gre is my IPV6 tunnel.

I’m using FRR also on my Debian VPS, as it’s an open-source Linux tool so it’s available there too.

Let’s start with Unifi:

We have already set up the AS and the router ID:

router bgp 64512
 bgp router-id 192.168.1.1
 maximum-paths 2
 !

So, we need to add the BGP peering towards my VPS. After this, my neighbor configuration looks like this

 neighbor metallb peer-group
 neighbor metallb remote-as 64512
 neighbor metallb activate
 neighbor metallb soft-reconfiguration inbound
 neighbor 192.168.1.153 peer-group metallb
 neighbor 2001:db8:393:f101::1:0 peer-group metallb

 neighbor vps peer-group
 neighbor vps remote-as 64513
 neighbor vps activate
 neighbor vps soft-reconfiguration inbound
 neighbor 192.168.229.2 peer-group vps
 neighbor fd46:c709:32c6:3::1  peer-group vps

I also need to extend the configuration for the address-family entries:

 address-family ipv4 unicast
  redistribute connected
  neighbor metallb activate
  neighbor metallb route-map ALLOW-ALL in
  neighbor metallb next-hop-self
  neighbor metallb route-map ALLOW-ALL out
  
  neighbor vps activate
  neighbor vps soft-reconfiguration inbound
  neighbor vps route-map VPS-INCOMING in
  neighbor vps route-map VPS-OUTGOING out
  neighbor vps next-hop-self
exit-address-family

Here, things start to be a little more interesting. in an eBGP setup, you’ll probably want to be a bit more restrictive in regards to what routes you send to your peer, and especially what you accept. You don’t want to accept a new default route if you didn’t mean it, because then all traffic may be routed over the VPN….

ip prefix-list LIST-VPS-OUTGOING seq 5 deny 51.174.8.0/21 le 32
ip prefix-list LIST-VPS-OUTGOING seq 6 deny 194.168.229.0/24 le 32
ip prefix-list LIST-VPS-OUTGOING seq 8 permit 0.0.0.0/0 le 32
!
route-map VPS-OUTGOING permit 10
  match ip address prefix-list LIST-VPS-OUTGOING
!

Note: Here I actually allow to announce everything except the VPN interface network itself and the IPSEC interface endpoint, so it’s important to be a bit restrictive in the other end…

prefix-lists are just that, prefix-lists, and they are read in sequence by the seq numbers. They need to be referenced by a route-map which in turn has a default action, permit or deny, if nothing in the prefix-list matches

The VPS, however, shouldn’t announce any IPv4 addresses. The only IPV4 addresses it has is the external one, used for IPSEC, and the ones used for the IPSEC tunnel itself. Both of them would be a bad idea to mess with.

route-map VPS-INCOMING deny 10
!

As you can see, there’s no prefix-lists, so it’ll just go by the default deny action,

Then we’ll need to do the IPV6 setup. First the address-family:

 address-family ipv6 unicast
  redistribute connected
  neighbor metallb activate
  neighbor metallb route-map ALLOW-ALL in
  neighbor metallb route-map ALLOW-ALL out
  neighbor metallb soft-reconfiguration inbound
  neighbor metallb next-hop-self

  neighbor vps activate
  neighbor vps route-map VPS-INCOMING-IPV6 in
  neighbor vps route-map VPS-OUTGOING-IPV6 out
  neighbor vps soft-reconfiguration inbound
  neighbor vps next-hop-self
 exit-address-family

The route-maps need to be configured:

ipv6 prefix-list VPS-OUTGOING-IPV6 seq 5 deny 2001:db8:e002:a700::/56 le 128
ipv6 prefix-list VPS-OUTGOING-IPV6 seq 6 permit 2001:db8:393:f100::/56 le 128
ipv6 prefix-list VPS-OUTGOING-IPV6 seq 8 deny fd46:c709:32c6:3://64 le 128
ipv6 prefix-list VPS-INCOMING-IPV6 seq 5 deny 2001:db8:393:f100::/56 le 128
ipv6 prefix-list VPS-INCOMING-IPV6 seq 6 permit 2001:db8:e002:a700::/56 le 128
ipv6 prefix-list VPS-INCOMING-IPV6 seq 8 deny fd46:c709:32c6:3::/64 le 128

route-map VPS-OUTGOING-IPV6 permit 10
match ipv6 address prefix-list VPS-OUTGOING-IPV6
!
route-map VPS-INCOMING-IPV6 deny 10
  match ipv6 address prefix-list VPS-INCOMING-IPV6
!

Here, 2001:db8:393:f100::/56 is our home network range, 2001:db8:e002:a700::/56 is our VPS network range and fd46:c709:32c6:3::/64 is the GRE tunnel which is used for the BGP traffffic itself.

These is also good to have. It says what ranges that should be exposed announced on BGP – allthough they might be overriden later….

ip protocol connected route-map VPS-OUTGOING
!
ipv6 protocol connected route-map VPS-OUTGOING-IPV6
!

This really concludes the Unifi side of things. The VPS side is more or less an exact mirror, so we’ll include it all in one go.

router bgp 64513
 bgp router-id 192.168.229.2
 no bgp ebgp-requires-policy
 no bgp suppress-duplicates
 bgp graceful-restart
 no bgp network import-check
 neighbor home peer-group
 neighbor home remote-as 64512
 neighbor home description Unifi Router (VPN Tunnel)
 neighbor 192.168.229.1 peer-group home
 neighbor 192.168.229.1 disable-connected-check
 neighbor 192.168.229.1 update-source vti0
 neighbor fd46:c709:32c6:3::2 peer-group home
 neighbor fd46:c709:32c6:3::2 disable-connected-check
 neighbor fd46:c709:32c6:3::2 update-source tun-gre
 !
 address-family ipv4 unicast
  distance bgp 10 20 200
  redistribute connected
  neighbor home soft-reconfiguration inbound
  neighbor home route-map INCOMING-IPV4 in
  neighbor home route-map OUTGOING-IPV4 out
  neighbor home next-hop-self
 exit-address-family
 !
 address-family ipv6 unicast
  distance bgp 10 20 200
  redistribute connected
  neighbor home soft-reconfiguration inbound
  neighbor home route-map INCOMING-IPV6 in
  neighbor home route-map OUTGOING-IPV6 out
  neighbor home activate
  neighbor home next-hop-self
 exit-address-family
exit
!
ip prefix-list OUTGOING-IPV4 seq 5 deny 192.0.2.0/24
ip prefix-list OUTGOING-IPV5 deny 192.168.229.0/24 le 32
ip prefix-list INCOMING-IPV4 seq 5 deny 203.0.113.0/24
ip prefix-list INCOMING-IPV4 seq 6 deny 192.168.229.0/24 le 32
!
ipv6 prefix-list OUTGOING-IPV6 seq 5 deny 2001:db8:393:f100::/56 le 128
ipv6 prefix-list OUTGOING-IPV6 seq 6 permit 2001:db8:e002:a700::/56 le 128
ipv6 prefix-list OUTGOING-IPV6 seq 8 deny fd46:c709:32c6:3::/64 le 128

ipv6 prefix-list INCOMING-IPV6 seq 5 deny 2001:db8:e002:a700::/56 le 128
ipv6 prefix-list INCOMING-IPV6 seq 7 permit 2001:db8:393:f100::/56 le 128

route-map OUTGOING-IPV4 deny 10
 match ip address prefix-list OUTGOING-IPV4
exit
!
route-map INCOMING-IPV6 deny 10
 match ipv6 address prefix-list INCOMING-IPV6
exit
!
route-map OUTGOING-IPV6 permit 10
 match ipv6 address prefix-list OUTGOING-IPV6
exit
!
route-map INCOMING-IPV4 deny 10
 match ip address prefix-list INCOMING-IPV4
exit
!
route-map SET_LOCAL_PREF permit 10
 set local-preference 200
exit
!
ip protocol connected route-map OUTGOING-IPV4
!
ipv6 protocol connected route-map OUTGOING-IPV6
!

If all is good, you should see routing entries announced on the VPS. If not, vtysh is a good friend!

# ip route
default via 192.0.2.1 dev eth0 metric 250 
192.168.0.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.1.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.3.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.4.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.6.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.7.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.10.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.11.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.12.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.20.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.27.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.30.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.31.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.50.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.60.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.70.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.100.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.110.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.229.0/24 dev vti0 proto kernel scope link src 192.168.229.2 
192.168.250.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20 
192.168.251.0/24 nhid 662 via 192.168.229.1 dev vti0 proto bgp metric 20

And the same for IPV6:

# ip -6 route

2001:db8:393:f101::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f103::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f104::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f106::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f114::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f11b::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f11e::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f11f::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-grep proto bgp metric 20 pref medium
2001:db8:393:f132::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f146::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f1a0::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f1e1::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8:393:f1e2::/64 nhid 658 via fe80::5efe:c0a8:e501 dev tun-gre proto bgp metric 20 pref medium
2001:db8::/64 dev eth0 proto kernel metric 256 pref medium
2001:db8:e002:a700::/64 dev eth0 proto kernel metric 256 pref medium
fd46:c709:32c6:3::/64 dev tun-gre proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
medium
fe80::/64 dev tun6 proto kernel metric 256 pref medium
fe80::/64 dev vti0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto kernel metric 1024 hoplimit 64 pref medium

In the above configurations, 192.0.2.0/24 and 203.0.113.0/24 stands for the networks towards the public internet side of things on the VPS and the Unifi side of things.

As you can see, in eBGP there’s a bit more to think about, especially when it comes to what networks to announce and what announcements you’ll accept. My advice is to make a good structure and good naming-schemes of things, so that the naming doesn’t confuse you if you should need to debug things. Also, I have anonymized things a bit as usual, there might be some mistakes because of that.

With this setup in place, I can (if firewalling permits) connect on a private link between my home network and the VPS, with the IP addresses preserved on any site. For example my VPS server can be allowed to access my internal services I defined in Kubernetes at Home: Internal and external services, because it is now part of my internal network (if I define it so). One potential use case is to mount network drives from my NAS, if I don’t mind the latency between the VPS and home. If adding networks at home in the ranges my BGP configuration announces, they’ll be automatically announced to my VPS. For my setup, I’d probably be perfectly fine with just statically route the /56’s on either side, but nerds wanna nerd!

All real IP addresses in this blog post is replaced with IP addresses from RFC5737 and RFC3849

vegard

, ,

Legg igjen en kommentar

Din e-postadresse vil ikke bli publisert. Obligatoriske felt er merket med *

This site uses Akismet to reduce spam. Learn how your comment data is processed.