From flyinsky2018 at gmail.com Thu Nov 2 11:30:29 2017
From: flyinsky2018 at gmail.com (曾小小)
Date: Thu, 2 Nov 2017 18:30:29 +0800
Subject: about the bgp route reflector problem?
Message-ID:

about the bgp route reflector problem?
Why does the reflector client receive EBGP routing entries without attributes??

my topology is shown below:

    R3 (as 100)
     |
     | (ebgp)
     |
     |
     |        ( ibgp)
    R1 (RR)--------------------R4 (client) (as 200)
     |
     |
     |
     | ( ibgp )
     |
     |
    R2 (client)(as 200)

My configuration is as follows:

===The R1 (RR) configuration is as follows:

#ebgp parts
protocol bgp bgp_pa_r3 {
        description "ebgp-pa-r3";
        multihop 10;
        table tab_pa_adsl;
        igp table tab_ospf_10;
        local as 200;
        neighbor 192.168.1.1 as 100;
        source address 192.168.1.2;
        import all;
        export all;
        next hop self;
        default bgp_local_pref 5;
}

#rr parts
template bgp rr_client {
        description "ibgp-rr1";
        local 192.168.2.1 as 200;
        multihop;
        rr client;
        rr cluster id 1.1.1.1;
}

protocol bgp bgp_pa_r2 from rr_client {
        debug all;
        enable route refresh on;
        table tab_rr_1;
        igp table tab_ospf_10;
        neighbor 192.168.2.2 as 200;
        export all;
        import all;
}

protocol bgp bgp_pa_r4 from rr_client {
        table tab_rr_1;
        igp table tab_ospf_10;
        neighbor 192.168.2.4 as 200;
        export all;
        import all;
        # next hop self;
}

==The R2 client configuration is as follows:

protocol bgp bgp_pa_r2 {
        router id 192.168.2.2;
        debug all;
        # debug { states,interfaces,events };
        description "ibgp-rr1";
        import all;
        export all;
        local as 200;
        neighbor 192.168.2.1 as 200;
        source address 192.168.2.2;
        next hop self;
}

==================

Check the route of R2 and find that the route entry received R4 has the BGP.originator_id and BGP.cluster_list attributes,
but the entry received from R1 does not have this attribute. why?

Thank you very much for your help!! thanks!!

The route entries viewed by R2 are as follows:

bird> show route protocol bgp_pa_r2 all
1007-121.52.236.16/32
1008- Type: BGP unicast univ
1012- BGP.origin: IGP
 BGP.as_path:
 BGP.next_hop: 192.168.2.4
 BGP.local_pref: 100
* BGP.originator_id: 192.168.2.4*
* BGP.cluster_list: 1.1.1.1*
1007-116.211.98.20/32
1008- Type: BGP unicast univ
1012- BGP.origin: IGP
 BGP.as_path:
 BGP.next_hop: 192.168.2.4
 BGP.local_pref: 100
* BGP.originator_id: 192.168.2.4*
* BGP.cluster_list: 1.1.1.1*
1007-120.26.0.0/18
1008- Type: BGP unicast univ
1012- BGP.origin: IGP
 BGP.as_path: 100
 BGP.next_hop: 192.168.1.1
 BGP.local_pref: 5
1007-122.72.90.78/32
1008- Type: BGP unicast univ
1012- BGP.origin: IGP
 BGP.as_path: 100
 BGP.next_hop: 192.168.1.1
 BGP.local_pref: 5

From matthew at walster.org Thu Nov 2 18:47:50 2017
From: matthew at walster.org (Matthew Walster)
Date: Thu, 2 Nov 2017 18:47:50 +0100
Subject: about the bgp route reflector problem?
In-Reply-To:
References:
Message-ID:

Maybe I'm missing something here, but in the examples you show, 120.26.0.0/18 and 122.72.90.78/32 have not been reflected? Route Reflection deals with iBGP only -- eBGP to iBGP does not need a route reflector. Only the attributes learned on the iBGP session from R4 will be reflected (and have the originator and cluster attributes set) to R1.

Does that make sense?

Matthew Walster

From flyinsky2018 at gmail.com Fri Nov 3 02:37:56 2017
From: flyinsky2018 at gmail.com (曾小小)
Date: Fri, 3 Nov 2017 09:37:56 +0800
Subject: Fwd: about the bgp route reflector problem?
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: 曾小小
Date: 2017-11-03 9:36 GMT+08:00
Subject: Re: about the bgp route reflector problem?
To: Matthew Walster

Sorry for the description of some problems.

Thank you for your answer, thank you very much???

I want to know the route (ebgp) of R3, after entering route reflector (R1), the route obtained on R2 (for example, 120.26.0.0/18, 122.72.90.78/32 route entry) did not add BGP.originator_id and BGP.cluster_list routing attributes?

Did you mean that route reflectors do not add route attributes (BGP.originator_id and BGP.cluster_list) to routes originating from ebgp?

From mm at tagan.ru Fri Nov 3 12:29:20 2017
From: mm at tagan.ru (Mikhail Mayorov)
Date: Fri, 3 Nov 2017 14:29:20 +0300
Subject: Fwd: about the bgp route reflector problem?
In-Reply-To:
References:
Message-ID: <055b1696-f574-29f1-3cde-7a2e89c62acd@tagan.ru>

I see you used different route table. Check mode type of pipe protocol. If you use "mode opaque" all attributes of route will be clearly.

--
Regards,
Mikhail V. Majorov
Megalink Company, Director of engineering
318, Chehova street, Taganrog, Russia, 347932
tel work: +7 8634 431431 (ext 101)
tel mobile: +7 918 5565520
sip: 000101 at tagan.ru
www.tagan.ru

From ml at vmi.se Wed Nov 8 08:20:15 2017
From: ml at vmi.se (Magnus Löfqvist)
Date: Wed, 8 Nov 2017 07:20:15 +0000
Subject: BGP with wrong netmask on wan interface
Message-ID: <32a19c63051e4c26ae7deabca48432b6@vmi.se>

Hi,

I have some mobile routers (connected over LTE) and with openvpn.

Over the openvpn we are running a BGP to allow distribute some routes and export routes.

Some of the routers are having wrong netmask (255.0.0.0 instead of 255.255.255.252).
This seems to work (ie internet are working, and the openvpn connection is established).

But when we are trying to get the BGP connection up, it tries to send the BGP connection over the WAN instead of openvpn connection.
I guess that I have made some mistake in the config.
It should take smaller path before matching the larger..

WAN (Mobile): 10.6.90.187 / 255.0.0.0
OpenVPN interface (tap0): 10.9.140.33 / 255.255.252.0

Bird config:

template bgp RR_LTE {
        debug all;                      # debug BGP
        description "BIRD RR";
        local as 1;                     # the AS used by the local BGP speaker
        direct;
        gateway direct;
        import filter import_ATM;       # just accept everything
        export filter export_ATM;       # and advertise it to all the neighbors
        connect retry time 10;          # reconnect try after 10s
        hold time 240;                  # hold time send in BGP messages
}

protocol bgp BGP1 from RR_LTE { neighbor 10.9.140.1 as 1; preference 140;};

root at client1:/etc# tcpdump -ni wwan0 tcp port 179 and host 10.9.140.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wwan0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:29:08.755188 IP 10.6.90.187.34974 > 10.9.140.1.179: Flags [S], seq 1482209106, win 14600, options [mss 1460,sackOK,TS val 88007 ecr 0,nop,wscale 8], length 0
15:29:11.762726 IP 10.6.90.187.45591 > 10.9.140.1.179: Flags [S], seq 1681977930, win 14600, options [mss 1460,sackOK,TS val 88307 ecr 0,nop,wscale 8], length 0

Med vänlig hälsning / Best regards
Magnus Löfqvist

From green at qrator.net Wed Nov 8 10:15:53 2017
From: green at qrator.net (Alexander Zubkov)
Date: Wed, 8 Nov 2017 10:15:53 +0100
Subject: BGP with wrong netmask on wan interface
In-Reply-To: <32a19c63051e4c26ae7deabca48432b6@vmi.se>
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se>
Message-ID:

Hi,

You have:

WAN (Mobile): 10.6.90.187 / 255.0.0.0
OpenVPN interface (tap0): 10.9.140.33 / 255.255.252.0

protocol bgp BGP1 from RR_LTE { neighbor 10.9.140.1 as 1; preference 140;};

So you are trying to reach 10.9.140.1. If you have no additional routes, then this address falls into 10.6.90.187 / 255.0.0.0 network, i.e. WAN interface and will be routed there.
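
The overlap described in the reply above can be checked mechanically. This is an added example, not code from the thread or from BIRD: it derives the connected networks from the posted address/netmask pairs and reports every interface whose network covers the BGP neighbor, once with the netmask as posted and once with the 255.255.255.252 mask the poster says the WAN interface should have. The function names and the `expected_iface` parameter are illustrative assumptions, and the script says nothing about how BIRD itself selects an interface.

```python
import ipaddress

# Address/netmask pairs and neighbor taken from the thread.
INTERFACES_AS_POSTED = {
    "wwan0": ("10.6.90.187", "255.0.0.0"),
    "tap0": ("10.9.140.33", "255.255.252.0"),
}
# Same interfaces with the WAN netmask the poster expected (255.255.255.252).
INTERFACES_CORRECTED = {
    "wwan0": ("10.6.90.187", "255.255.255.252"),
    "tap0": ("10.9.140.33", "255.255.252.0"),
}
NEIGHBOR = "10.9.140.1"


def connected_networks(interfaces):
    """Map interface name -> connected network derived from address/netmask."""
    return {
        name: ipaddress.ip_interface(f"{addr}/{mask}").network
        for name, (addr, mask) in interfaces.items()
    }


def audit_neighbor(interfaces, neighbor, expected_iface):
    """Report which connected networks cover the neighbor address.

    Returns a dict with:
      covering             - (iface, network) pairs, most specific first
      longest_prefix_iface - iface a longest-prefix-match lookup would pick
      unexpected_ifaces    - covering ifaces other than the intended one;
                             a non-empty list means the peer address is also
                             "directly connected" on an interface the session
                             was never meant to use
    """
    peer = ipaddress.ip_address(neighbor)
    covering = sorted(
        (
            (name, net)
            for name, net in connected_networks(interfaces).items()
            if peer in net
        ),
        key=lambda item: item[1].prefixlen,
        reverse=True,
    )
    names = [name for name, _ in covering]
    return {
        "covering": [(name, str(net)) for name, net in covering],
        "longest_prefix_iface": names[0] if names else None,
        "unexpected_ifaces": [n for n in names if n != expected_iface],
    }


if __name__ == "__main__":
    for label, ifaces in (
        ("as posted", INTERFACES_AS_POSTED),
        ("corrected WAN netmask", INTERFACES_CORRECTED),
    ):
        report = audit_neighbor(ifaces, NEIGHBOR, expected_iface="tap0")
        print(label)
        for name, net in report["covering"]:
            print(f"  {NEIGHBOR} is inside {net} on {name}")
        print(f"  longest prefix match: {report['longest_prefix_iface']}")
        print(f"  unexpected interfaces: {report['unexpected_ifaces']}")
```

With the posted netmask the neighbor is covered by both interfaces, so a plain longest-prefix lookup and a "which interface is this peer directly attached to" lookup can disagree; with the corrected mask only tap0 covers it.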

From ml at vmi.se Wed Nov 8 10:47:30 2017
From: ml at vmi.se (Magnus Löfqvist)
Date: Wed, 8 Nov 2017 09:47:30 +0000
Subject: SV: BGP with wrong netmask on wan interface
In-Reply-To:
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se>
Message-ID: <78080054efb24c1fb6a6f92df4c191cf@vmi.se>

Hi,

Yes, you are correct.
But we have routes for 10.9.140.0/22 (OpenVPN transport network)

ip ro sh:
default via 10.6.52.59 dev wwan0
10.0.0.0/8 dev wwan0 proto kernel scope link src 10.6.52.58
10.9.140.0/22 dev tap0 proto kernel scope link src 10.9.140.33

Bird:
bird> show route
0.0.0.0/0 via 10.6.52.59 on wwan0 [kernel1 09:43:55] * (10)
10.9.140.0/22 dev tap0 [direct1 09:44:12] * (240)

So why are not BGP traffic to 10.9.140.1 going thru tap0 ?

Med vänlig hälsning / Best regards
Magnus Löfqvist

VMI IT Services AB
Head office:
Hantverksvägen 15
764 93 VÄDDÖ, SWEDEN
Visiting address:
Lilla Torget 1A
761 30 NORRTÄLJE, SWEDEN
Tel +46 176 20 89 00 (02)
Fax +46 176 20 89 19
E-mail: ml at vmi.se

*** VMI E-mail disclaimer ***
The information in this e-mail is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution or any action taken
or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or
advice contained in this e-mail are subject to the terms and conditions expressed in the
VMI General terms and conditions.

From green at qrator.net Wed Nov 8 11:52:02 2017
From: green at qrator.net (Alexander Zubkov)
Date: Wed, 8 Nov 2017 11:52:02 +0100
Subject: BGP with wrong netmask on wan interface
In-Reply-To: <78080054efb24c1fb6a6f92df4c191cf@vmi.se>
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se>
Message-ID:

In that case it is probably because you are using direct (not multihop) bgp session and bird binds to the interface which has this address in its direct network - wwan0. In that case only routes with dev wwan0 will be applied. I think you want to use multihop bgp session. If you want to use direct session and this address is accepted directly via tap0, then I think specifying source address from tap0 in bgp session should work.

From ml at vmi.se Wed Nov 8 15:48:58 2017
From: ml at vmi.se (Magnus Löfqvist)
Date: Wed, 8 Nov 2017 14:48:58 +0000
Subject: SV: BGP with wrong netmask on wan interface
In-Reply-To:
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se>
Message-ID: <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se>

Hi again,

If I use multihop (ie removing direct and gateway direct from config), it will connect, but I get the imported routes with my internet gateway as router.

XX.XX.XX.0/27 via 10.6.24.82 dev wwan0 proto bird

It should be

XX.XX.XX.0/27 via 10.9.140.1 dev tap0 proto bird

It doesn't matter if I specified the source address and local address, it seems always to try to send the traffic over wwan0 (external wan connection)

Med vänlig hälsning / Best regards
Magnus Löfqvist
WAN (Mobile): 10.6.90.187 / 255.0.0.0
OpenVPN interface (tap0): 10.9.140.33 / 255.255.252.0

Bird config:

template bgp RR_LTE {
    debug all;                    # debug BGP
    description "BIRD RR";
    local as 1;                   # the AS used by the local BGP speaker
    direct;
    gateway direct;
    import filter import_ATM;     # just accept everything
    export filter export_ATM;     # and advertise it to all the neighbors
    connect retry time 10;        # reconnect try after 10s
    hold time 240;                # hold time sent in BGP messages
}

protocol bgp BGP1 from RR_LTE { neighbor 10.9.140.1 as 1; preference 140;};

root at client1:/etc# tcpdump -ni wwan0 tcp port 179 and host 10.9.140.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wwan0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:29:08.755188 IP 10.6.90.187.34974 > 10.9.140.1.179: Flags [S], seq 1482209106, win 14600, options [mss 1460,sackOK,TS val 88007 ecr 0,nop,wscale 8], length 0
15:29:11.762726 IP 10.6.90.187.45591 > 10.9.140.1.179: Flags [S], seq 1681977930, win 14600, options [mss 1460,sackOK,TS val 88307 ecr 0,nop,wscale 8], length 0

Med vänlig hälsning / Best regards
Magnus Löfqvist

From green at qrator.net Wed Nov 8 21:24:22 2017
From: green at qrator.net (Alexander Zubkov)
Date: Wed, 8 Nov 2017 21:24:22 +0100
Subject: BGP with wrong netmask on wan interface
In-Reply-To: <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se>
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se> <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se>
Message-ID:

Hi again,

I think I've got your idea. Probably bird can not do "recursive" direct routes. For example I set up:

Linux:

9: test2: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 56:0a:42:5f:b3:46 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 scope global test2
       valid_lft forever preferred_lft forever

192.168.1.0/24 dev test2 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev test2 scope link

bird has (no export to kernel):

protocol static {
    route 192.168.2.0/24 via "test2";
    route 192.168.3.0/24 via 192.168.2.1;
}

And I see in bird no route for 192.168.3.0/24:

bird> show route
192.168.1.0/24 dev test2 [direct1 23:10:42] * (240)
192.168.2.0/24 dev test2 [static1 23:10:42] * (200)

If I add to Linux such a device:

2: dum1: mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether ee:b2:97:43:3c:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/16 scope global dum1
       valid_lft forever preferred_lft forever

And bird starts to route via it:

bird> show route
192.168.0.0/16 dev dum1 [direct1 23:18:16] * (240)
192.168.1.0/24 dev test2 [direct1 23:10:41] * (240)
192.168.2.0/24 dev test2 [static1 23:10:41] * (200)
192.168.3.0/24 via 192.168.2.1 on dum1 [static1 23:18:16] * (200)

On Wed, Nov 8, 2017 at 3:48 PM, Magnus Löfqvist wrote:

> Hi again,
>
> If I use multihop (i.e. removing direct and gateway direct from config), it
> will connect, but I get the imported routes with my internet gateway as
> router.
>
> XX.XX.XX.0/27 via 10.6.24.82 dev wwan0 proto bird
>
> It should be
>
> XX.XX.XX.0/27 via 10.9.140.1 dev tap0 proto bird
>
> It doesn't matter if I specified the source address and local address, it
> seems always to try to send the traffic over wwan0 (external wan connection)
>
> Med vänlig hälsning / Best regards
> Magnus Löfqvist
From green at qrator.net Wed Nov 8 21:41:29 2017
From: green at qrator.net (Alexander Zubkov)
Date: Wed, 8 Nov 2017 21:41:29 +0100
Subject: BGP with wrong netmask on wan interface
In-Reply-To:
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se> <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se>
Message-ID:

But this works:

protocol static {
    route 192.168.2.0/24 via "test2";
    route 192.168.3.0/24 recursive 192.168.2.1;
}

bird> show route
192.168.0.0/16 dev dum1 [direct1 23:18:17] * (240)
192.168.1.0/24 dev test2 [direct1 23:10:42] * (240)
192.168.2.0/24 dev test2 [static1 23:10:42] * (200)
192.168.3.0/24 via 192.168.2.1 on test2 [static1 23:22:44] * (200)

I also succeeded with such a BGP setup:

protocol static {
    route 192.168.2.0/24 via "test2";
#   route 192.168.3.0/24 recursive 192.168.2.1;
}

protocol bgp {
    import all;
    local as 65002;
    source address 192.168.1.2;
    neighbor 192.168.2.1 as 65001;
    multihop 1;
}

bird> show route
192.168.0.0/16 dev dum1 [direct1 23:18:16] * (240)
192.168.1.0/24 dev test2 [direct1 23:10:41] * (240)
192.168.2.0/24 dev test2 [static1 23:10:41] * (200)
192.168.4.0/24 via 192.168.2.1 on test2 [bgp1 23:38:37] * (100/0) [AS65001i]

bird> show route all 192.168.4.0/24
192.168.4.0/24 via 192.168.2.1 on test2 [bgp1 23:38:37] * (100/0) [AS65001i]
    Type: BGP unicast univ
    BGP.origin: IGP
    BGP.as_path: 65001
    BGP.next_hop: 192.168.2.1
    BGP.local_pref: 100

If I have direct in BGP - bird ignores the interface direct route and tries to connect via the dum1 interface. But multihop works.
From green at qrator.net Wed Nov 8 21:44:00 2017
From: green at qrator.net (Alexander Zubkov)
Date: Wed, 8 Nov 2017 21:44:00 +0100
Subject: BGP with wrong netmask on wan interface
In-Reply-To:
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se> <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se>
Message-ID:

Please show what you have in "show route all" for the multihop case. Maybe you need to alter next_hop on the advertising router.
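Added example (not part of any message in this thread, and not BIRD code): a pre-flight check for the situation discussed above, where a BGP neighbor that should only be reached inside the OpenVPN tunnel is also covered by an overly broad connected network on the WAN. It compares the kernel's longest-prefix match with the set of interfaces on which the neighbor is on-link; treating "any interface whose connected network contains the neighbor" as a possible attachment point for a direct session is an assumption taken from Alexander Zubkov's description, and the function names and the corrected route table are constructed for illustration.

```python
import ipaddress

# `ip ro sh` output exactly as posted in the thread (WAN carries the /8 mask).
THREAD_ROUTES = """\
default via 10.6.52.59 dev wwan0
10.0.0.0/8 dev wwan0 proto kernel scope link src 10.6.52.58
10.9.140.0/22 dev tap0 proto kernel scope link src 10.9.140.33
"""

# Constructed for comparison: the on-link routes the same host would have if
# the WAN used the 255.255.255.252 mask the thread says it should have.
# (The default route is left out; it has a gateway and is not on-link.)
CORRECTED_ROUTES = """\
10.6.52.56/30 dev wwan0 proto kernel scope link src 10.6.52.58
10.9.140.0/22 dev tap0 proto kernel scope link src 10.9.140.33
"""


def parse_routes(text):
    """Parse `ip route show` text into (network, dev, on_link) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields or fields.index("dev") + 1 >= len(fields):
            continue  # blank line, or a route type without an egress device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types this example does not model
        on_link = "via" not in fields  # no gateway: destination is a direct neighbor
        routes.append((network, fields[fields.index("dev") + 1], on_link))
    return routes


def kernel_egress(routes, neighbor):
    """Interface the kernel picks for `neighbor` (longest-prefix match)."""
    addr = ipaddress.ip_address(neighbor)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def on_link_devices(routes, neighbor):
    """Every interface whose connected network contains `neighbor`, in table order."""
    addr = ipaddress.ip_address(neighbor)
    devices = []
    for network, dev, on_link in routes:
        if on_link and addr in network and dev not in devices:
            devices.append(dev)
    return devices


def audit_bgp_neighbor(routes, neighbor, tunnel_dev):
    """Return findings that mean BGP to `neighbor` may leave outside `tunnel_dev`."""
    findings = []
    egress = kernel_egress(routes, neighbor)
    if egress != tunnel_dev:
        findings.append(
            f"kernel sends {neighbor} via {egress}, expected {tunnel_dev}")
    shadowing = [d for d in on_link_devices(routes, neighbor) if d != tunnel_dev]
    if shadowing:
        findings.append(
            f"{neighbor} is also on-link on {', '.join(shadowing)}: "
            f"a direct (single-hop) session may attach there instead of {tunnel_dev}")
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_ROUTES), ("corrected", CORRECTED_ROUTES)):
        table = parse_routes(text)
        print(label, "kernel egress:", kernel_egress(table, "10.9.140.1"))
        for finding in audit_bgp_neighbor(table, "10.9.140.1", "tap0"):
            print("  FINDING:", finding)
```

With the posted table the kernel lookup already prefers tap0, so the only finding is the overlapping /8 on wwan0, which matches the SYNs to port 179 captured on wwan0 earlier in the thread.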
From ml at vmi.se Thu Nov 9 09:16:30 2017
From: ml at vmi.se (Magnus Löfqvist)
Date: Thu, 9 Nov 2017 08:16:30 +0000
Subject: SV: BGP with wrong netmask on wan interface
In-Reply-To:
References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se> <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se>
Message-ID:

Hi,

Here is the show route all from the client, when configured as multihop:

bird> show route all
0.0.0.0/0 via 10.6.21.144 on wwan0 [kernel1 08:13:05] * (10)
    Type: inherit unicast univ
    Kernel.source: 3
    Kernel.metric: 0
XX.XX.XX.0/27 via 10.6.21.144 on wwan0 [BGP1 08:13:28 from 10.9.140.1] * (130/?) [i]
    Type: BGP unicast univ
    BGP.origin: IGP
    BGP.as_path:
    BGP.next_hop: 10.7.0.1
    BGP.local_pref: 100
10.98.10.252/30 dev eth0.1 [direct1 08:13:05] * (240)
    Type: device unicast univ
10.9.140.0/22 dev tap0 [direct1 08:13:25] * (240)
    Type: device unicast univ

XX.XX.XX.0/27 should have next_hop to the BGP neighbour (10.9.140.1). How can I alter that?

Med vänlig hälsning / Best regards
Magnus Löfqvist
If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the VMI General terms and conditions. Fr?n: green at highloadlab.com [mailto:green at highloadlab.com] F?r Alexander Zubkov Skickat: den 8 november 2017 10:16 Till: Magnus L?fqvist > Kopia: bird-users at network.cz ?mne: Re: BGP with wrong netmask on wan interface Hi, You have: WAN (Mobile): 10.6.90.187 / 255.0.0.0 OpenVPN interface (tap0): 10.9.140.33 / 255.255.252.0 protocol bgp BGP1 from RR_LTE { neighbor 10.9.140.1 as 1; preference 140;}; So you are trying to reach 10.9.140.1. If you have no additional routes, than this address falls into 10.6.90.187 / 255.0.0.0 network, i.e. WAN interface and will be routed there. On Wed, Nov 8, 2017 at 8:20 AM, Magnus L?fqvist > wrote: Hi, I have some mobile routers (connected over LTE) and with openvpn. Over the openvpn we are running a BGP to allow distribute some routes and export routes. Some of the routers are having wrong netmask (255.0.0.0 instead of 255.255.255.252). This seems to work (ie internet are working, and the openvpn connection is established). But when we are trying to get the BGP connection up, it tries to send the BGP connection over the WAN istead of openvpn connection. I guess that I have made some mistake in the config. It should take smaller path before matching the larger.. 
WAN (Mobile): 10.6.90.187 / 255.0.0.0 OpenVPN interface (tap0): 10.9.140.33 / 255.255.252.0 Bird config: template bgp RR_LTE { debug all; # debug BGP description "BIRD RR"; local as 1; # the AS used by the local BGP speaker direct; gateway direct; import filter import_ATM; # just accept everything export filter export_ATM; # and advertise it to all the neigbors connect retry time 10; # reconnect try after 10s hold time 240; # hold time send in BGP messages } protocol bgp BGP1 from RR_LTE { neighbor 10.9.140.1 as 1; preference 140;}; root at client1:/etc# tcpdump -ni wwan0 tcp port 179 and host 10.9.140.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wwan0, link-type EN10MB (Ethernet), capture size 65535 bytes 15:29:08.755188 IP 10.6.90.187.34974 > 10.9.140.1.179: Flags [S], seq 1482209106, win 14600, options [mss 1460,sackOK,TS val 88007 ecr 0,nop,wscale 8], length 0 15:29:11.762726 IP 10.6.90.187.45591 > 10.9.140.1.179: Flags [S], seq 1681977930, win 14600, options [mss 1460,sackOK,TS val 88307 ecr 0,nop,wscale 8], length 0 Med v?nlig h?lsning / Best regards Magnus L?fqvist -------------- next part -------------- An HTML attachment was scrubbed... URL: From green at qrator.net Thu Nov 9 17:49:01 2017 From: green at qrator.net (Alexander Zubkov) Date: Thu, 9 Nov 2017 17:49:01 +0100 Subject: BGP with wrong netmask on wan interface In-Reply-To: References: <32a19c63051e4c26ae7deabca48432b6@vmi.se> <78080054efb24c1fb6a6f92df4c191cf@vmi.se> <7852b9a936d3494ca7fe43f6d4062dd0@vmi.se> Message-ID: As you can see - you receive the route from neigbour with such next_hop: BGP.next_hop: 10.7.0.1 And this is used to calcutlate route destination. You should work now with the sending side to set needed next_hop attribute. Probably "next hop self" will be enough, but you need to check to not break some other things. 
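The next-hop resolution discussed in this thread, as an added example (not BIRD's code and not posted by anyone on the list): a simplified model that resolves each BGP.next_hop by longest-prefix match against the non-BGP routes of a `show route all` listing and flags routes that would leave through anything other than the tunnel interface. The sample listing is constructed from the one quoted in the thread, with the redacted prefix replaced by 198.51.100.0/27; `audit`, `resolve` and `tunnel_ifaces` are names chosen here.

```python
import ipaddress
import re

# Constructed sample modelled on the listing in the thread. The redacted
# prefix XX.XX.XX.0/27 is replaced by the documentation prefix 198.51.100.0/27.
SAMPLE = """\
0.0.0.0/0 via 10.6.21.144 on wwan0 [kernel1 08:13:05] * (10)
\tType: inherit unicast univ
\tKernel.source: 3
\tKernel.metric: 0
198.51.100.0/27 via 10.6.21.144 on wwan0 [BGP1 08:13:28 from 10.9.140.1] * (130/?) [i]
\tType: BGP unicast univ
\tBGP.origin: IGP
\tBGP.as_path:
\tBGP.next_hop: 10.7.0.1
\tBGP.local_pref: 100
10.98.10.252/30 dev eth0.1 [direct1 08:13:05] * (240)
\tType: device unicast univ
10.9.140.0/22 dev tap0 [direct1 08:13:25] * (240)
\tType: device unicast univ
"""

# "<prefix> via <gw> on <iface> [proto ..." or "<prefix> dev <iface> [proto ..."
ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+/\d+)\s+(?:via\s+(?P<gw>\S+)\s+on|dev)\s+(?P<iface>\S+)"
    r"\s+\[(?P<proto>\S+)")
# Indented "Key: value" attribute lines that follow a route line.
ATTR_RE = re.compile(r"^\s+(?P<key>[\w.]+):\s*(?P<value>.*)$")


def parse_routes(text):
    """Parse `show route all` text into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                "prefix": ipaddress.ip_network(m["prefix"]),
                "gw": m["gw"], "iface": m["iface"], "proto": m["proto"],
                "attrs": {},
            })
            continue
        a = ATTR_RE.match(line)
        if a and routes:
            routes[-1]["attrs"][a["key"]] = a["value"].strip()
    return routes


def resolve(next_hop, igp_routes):
    """Longest-prefix match of a next hop against the non-BGP routes."""
    addr = ipaddress.ip_address(next_hop)
    matches = [r for r in igp_routes if addr in r["prefix"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["prefix"].prefixlen)
    # A device route means the next hop is on-link; otherwise use its gateway.
    return {"iface": best["iface"], "gw": best["gw"] or next_hop,
            "via": str(best["prefix"])}


def audit(text, tunnel_ifaces):
    """Return one finding per BGP route; ok is False if it leaves the tunnel."""
    routes = parse_routes(text)
    # Needs `show route all`: the Type attribute separates BGP from the rest.
    igp = [r for r in routes
           if not r["attrs"].get("Type", "").startswith("BGP")]
    findings = []
    for r in routes:
        nh = r["attrs"].get("BGP.next_hop")
        if not nh:
            continue
        hit = resolve(nh.split()[0], igp)
        findings.append({
            "prefix": str(r["prefix"]), "next_hop": nh, "resolved": hit,
            "ok": hit is not None and hit["iface"] in tunnel_ifaces,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE, {"tap0"}):
        state = "ok" if f["ok"] else "LEAVES TUNNEL"
        print(f["prefix"], "next hop", f["next_hop"], "->", f["resolved"], state)
```

With next hop 10.7.0.1 only the default route matches, so the prefix resolves to 10.6.21.144 on wwan0; with the next hop rewritten to 10.9.140.1 it resolves on-link over tap0.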
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From bksteiny at gmail.com Sun Nov 12 06:44:46 2017
From: bksteiny at gmail.com (Chris Stein)
Date: Sat, 11 Nov 2017 23:44:46 -0600
Subject: Issues establishing more than 2 BGP sessions
Message-ID:

Hello there-

I'm hoping to get guidance/feedback from you all on whether or not what I'm trying to do is possible, and if it is possible, what am I doing incorrectly.

My goal is to make this a transit VPC for handling routes between multiple remote regions (and clouds). I'm testing with 4 VPCs (A, B, C, and D), each with a different ASN. VPC B is acting as my transit VPC, which is where bird and strongswan are running. VPCs A, C, and D are acting as the remote regions, and each has a VPN connection back to B. IPSec is up and working as expected, but routing is giving me some trouble.

Each VPN has 2 tunnels, so I'm currently trying to establish 6 BGP sessions, however, only 2 sessions will establish at a time. The other sessions are in a "Start" state. Eventually, one of the established connections will drop and may reestablish, or, one of the other tunnels will establish a BGP connection.

I have tried multiple bird configurations, but all roads lead back to only 2 established BGP sessions. I thought this example might be what I need, but it also did not work: https://gitlab.labs.nic.cz/labs/bird/wikis/Simple_route_server

Individually, bird is able to establish a session on both tunnels at every remote VPC, so I know that works. Occasionally, I have noticed that established connections will disconnect with a "Hold timer expired". There's something I'm missing/overlooking in the config to allow all sessions to be active.

Below is the most basic config I have used. Thanks in advance for your help.
log "/var/log/bird.log" all;
debug protocols all;

router id 172.41.1.117;

protocol kernel {
    scan time 10;
    export all;
    import all;
}

protocol device {
    scan time 10;
}

template bgp aws {
    local as 65000;
    hold time 30;
    export all;
    import all;
    direct;
}

protocol bgp ATUN0 from aws {
    neighbor 169.254.xxx.xxx as 7224;
}

protocol bgp ATUN1 from aws {
    neighbor 169.254.xxx.xxx as 7224;
}

protocol bgp CTUN0 from aws {
    neighbor 169.254.xxx.xxx as 65100;
}

protocol bgp CTUN1 from aws {
    neighbor 169.254.xxx.xxx as 65100;
}

protocol bgp DTUN0 from aws {
    neighbor 169.254.xxx.xxx as 65200;
}

protocol bgp DTUN1 from aws {
    neighbor 169.254.xxx.xxx as 65200;
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From bernat at luffy.cx Sun Nov 12 10:52:36 2017
From: bernat at luffy.cx (Vincent Bernat)
Date: Sun, 12 Nov 2017 10:52:36 +0100
Subject: Issues establishing more than 2 BGP sessions
In-Reply-To: (Chris Stein's message of "Sat, 11 Nov 2017 23:44:46 -0600")
References:
Message-ID: <87375jrfh7.fsf@luffy.cx>

11 November 2017 23:44 -0600, Chris Stein:

> Individually, bird is able to establish a session on both tunnels at every
> remote VPC, so I know that works. Occasionally, I have noticed that
> established connections will disconnect with a "Hold timer expired".
> There's something I'm missing/overlooking in the config to allow all
> sessions to be active.

I think BIRD is receiving a remote route that would replace the route used to reach the neighbor. Are you using route-based tunnels (with VTI interfaces)? If yes, "ip route show" output would help to understand. Otherwise, "ip xfrm policy" would help.

If you want a working setup similar to yours (a tad more complex since it involves multiple routing tables), here is one:

https://vincent.bernat.im/en/blog/2017-route-based-vpn
--
Use self-identifying input. Allow defaults. Echo both on output.
- The Elements of Programming Style (Kernighan & Plauger)

From oliver.peter.herms at gmail.com Sun Nov 12 12:47:25 2017
From: oliver.peter.herms at gmail.com (Oliver Herms)
Date: Sun, 12 Nov 2017 12:47:25 +0100
Subject: bird control-socket: connection reset by peer
Message-ID:

Hello bird users,

I'm running bird 1.6.3 on ubuntu 16.04 as kind of a route server.
I wrote a piece of software that connects to the bird control-socket and runs queries against it like this: "show route all for x.y.z.a protocol xxx".
The software keeps the socket open and executes the queries in a loop persisting of a write() call followed by a read() call.

Now to the problem:
At some point bird resets the connection and the logs are not showing anything related.

Did anyone make similar experiences or can help me to find out what's wrong with bird here?

Thanks
Oliver
--
Oliver Herms
oliver.peter.herms at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From bksteiny at gmail.com Sun Nov 12 15:54:20 2017
From: bksteiny at gmail.com (Chris Stein)
Date: Sun, 12 Nov 2017 14:54:20 +0000
Subject: Issues establishing more than 2 BGP sessions
In-Reply-To: <87375jrfh7.fsf@luffy.cx>
References: <87375jrfh7.fsf@luffy.cx>
Message-ID:

Thanks for the suggestion, Vincent. I am using VTI interfaces for this, similar to what's documented on the strongswan page. After reading your blog, I gave each tunnel a different mark value, which seemed to do the trick.

I'm going to monitor the status of this throughout the day, but after making that change, all of my tunnels have been able to establish a BGP session.

Thanks again for the help. Nice blog post, by the way.

On Sun, Nov 12, 2017 at 03:52 Vincent Bernat wrote:

> 11 November 2017 23:44 -0600, Chris Stein:
>
> > Individually, bird is able to establish a session on both tunnels at every
> > remote VPC, so I know that works.
> > Occasionally, I have noticed that
> > established connections will disconnect with a "Hold timer expired".
> > There's something I'm missing/overlooking in the config to allow all
> > sessions to be active.
>
> I think BIRD is receiving a remote route that would replace the route
> used to reach the neighbor. Are you using route-based tunnels (with VTI
> interfaces)? If yes, "ip route show" output would help to
> understand. Otherwise, "ip xfrm policy" would help.
>
> If you want a working setup similar to yours (a tad more complex since
> it involves multiple routing tables), here is one:
>
> https://vincent.bernat.im/en/blog/2017-route-based-vpn
> --
> Use self-identifying input. Allow defaults. Echo both on output.
> - The Elements of Programming Style (Kernighan & Plauger)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From saksham.manchanda at gmail.com Sun Nov 12 20:02:14 2017
From: saksham.manchanda at gmail.com (Saksham Manchanda)
Date: Sun, 12 Nov 2017 12:02:14 -0700
Subject: Bird6 high CPU usage
Message-ID:

Hi All,

I have a loopback IPv6 address on a server.

IP addr = 2dd:1111:1111:1111:1111::1

I use BGP to announce this to the upstream router. Client traffic comes in through an interface ens3 connected to the router with destination address as the loopback.

Bird configuration:

protocol direct {
    description "Local anycast addresses";
    export none;
    interface "lo";
}

# The kernel protocol gives us access to the kernel routing table.
protocol kernel {
    #persist;        # Don't remove routes on shutdown
    scan time 20;    # Scan kernel routing table every 20 seconds
    export all;      # Default is export none
}

# The device protocol is needed in order to see what addresses are local
# to this server.
protocol device {
    scan time 10;    # Scan interfaces every 10 seconds
}

protocol bgp {
    description "Arya";
    import none;
    local as 65001;
    neighbor neighbourIPv6ADDR as 100;
    direct;                    # Neighbors are directly connected
    hold time 240;
    connect retry time 120;
    keepalive time 80;         # defaults to hold time / 3
    #export filter packetdns;
    export all;
}

All this works great. Now, when client traffic comes in we get the following entries in the routing table:

.
.
.
CLIENTIP::136 via 2dd:1111:1111:1111:1111::1 dev ens3 metric 0 cache
CLIENTIP::5 via 2dd:1111:1111:1111:1111::1 dev ens3 metric 0 cache
CLIENTIP::13 via 2dd:1111:1111:1111:1111::1 dev ens3 metric 0 cache
CLIENTIP::15 via 2dd:1111:1111:1111:1111::1 dev ens3 metric 0 cache
.
.
.

This table grows to

ip -6 r s |wc -l
8296

And changes constantly. Now, the top output shows bird using a lot of CPU:

2205 root 20 0 6924 780 560 R 26.2 0.0 0:06.14 bird6

Since my configuration will never make use of these entries, is there a way to disable this scanning behaviour in bird?

Thanks!
--
Saksham Manchanda
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From dnikolaev at mega-net.ru Mon Nov 13 05:54:29 2017
From: dnikolaev at mega-net.ru (Dmitry S. Nikolaev)
Date: Mon, 13 Nov 2017 07:54:29 +0300
Subject: bird control-socket: connection reset by peer
In-Reply-To:
References:
Message-ID: <1df022c9-7b3f-11b1-d3ca-fd02cddf5b0f@mega-net.ru>

Hi.
I had similar experience when wrote LG for bird.
I don't have any problems. You can try my code, it is avail at http://bird-lg.subnets.ru/

With best regards, Dmitry S. Nikolaev

Moscow, Russia
phone: +7 (499) 678 8007 [ext. 6003]
fax: +7 (499) 678 8007 [ext. 7777]
www: http://www.mega-net.ru
mail: dnikolaev at mega-net.ru
SIP URI: dnikolaev at sip.mega-net.ru || dn at sip.mega-net.ru

On 12.11.2017 14:47, Oliver Herms wrote:
> Hello bird users,
>
> I'm running bird 1.6.3 on ubuntu 16.04 as kind of a route server.
> I wrote a piece of software that connects to the bird control-socket
> and runs queries against it like this: "show route all for x.y.z.a
> protocol xxx".
> The software keeps the socket open and executes the queries in a loop
> persisting of a write() call followed by a read() call.
>
> Now to the problem:
> At some point bird resets the connection and the logs are not showing
> anything related.
>
> Did anyone make similar experiences or can help me to find out what's
> wrong with bird here?
>
> Thanks
> Oliver
> --
> Oliver Herms
> oliver.peter.herms at gmail.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From dnikolaev at mega-net.ru Mon Nov 13 05:56:47 2017
From: dnikolaev at mega-net.ru (Dmitry S. Nikolaev)
Date: Mon, 13 Nov 2017 07:56:47 +0300
Subject: Decode BGP Shutdown Communication messages (RFC 8203)
In-Reply-To:
References: <0fb1194b-cd62-47f3-f471-e115e8ae8b1d@msk-ix.ru>
Message-ID: <239b136a-0158-06ae-9c6e-5651f6cc9b17@mega-net.ru>

Hi.

So, can we expect an answer ?

Thanks.

With best regards, Dmitry S. Nikolaev

On 31.10.2017 13:39, Dmitry S. Nikolaev wrote:
> Hi, hope you well.
>
> I also interested in this question.
> Can someone from the developers say something about it ?
>
> Thanks.
>
> With best regards, Dmitry S. Nikolaev
> Moscow, Russia
> SIP URI: dn at sip.mega-net.ru
>
> On 26.10.2017 16:40, Mikhail Grishin wrote:
>> Hi,
>>
>> 1) You also implemented
>> enable bgp2 "enable message"
>> This message currently seen only at local side and doesn't seen at
>> remote peer.
>>
>> Scenario: You made maintenance work with the shutdown message "Session
>> will be down from 13:00 till 14:00".
>> Later session was established again. Days after at remote peer side
>> still printed the same message.
>> That's confusing.
>>
>> Suggestion:
>> (May be) To show two different messages? Tx and Rx.
>> To clear Rx message every time when BGP session state changed to
>> established.
>>
>>
>> 2) Is it possible to log such messages and see via syslog?
>>
>> P.S. For russian UTF8 text 128 bytes restriction (RFC) probably not
>> always enough.
>>
>

From oliver.peter.herms at gmail.com Tue Nov 14 16:47:06 2017
From: oliver.peter.herms at gmail.com (Oliver Herms)
Date: Tue, 14 Nov 2017 16:47:06 +0100
Subject: bird control-socket: connection reset by peer
In-Reply-To: <1df022c9-7b3f-11b1-d3ca-fd02cddf5b0f@mega-net.ru>
References: <1df022c9-7b3f-11b1-d3ca-fd02cddf5b0f@mega-net.ru>
Message-ID:

I've just checked out your code.
I think the big difference is that my code keeps the socket open and uses it for multiple queries while yours connects, sends one query, fetches the result and closes the socket.

The issue never happens for the first query. It takes ~50 queries before bird resets the connection.

2017-11-13 5:54 GMT+01:00 Dmitry S. Nikolaev:

> Hi.
> I had similar experience when wrote LG for bird.
> I don't have any problems. You can try my code, it is avail at
> http://bird-lg.subnets.ru/
>
> With best regards, Dmitry S. Nikolaev
>
> On 12.11.2017 14:47, Oliver Herms wrote:
>
> Hello bird users,
>
> I'm running bird 1.6.3 on ubuntu 16.04 as kind of a route server.
> I wrote a piece of software that connects to the bird control-socket and
> runs queries against it like this: "show route all for x.y.z.a protocol
> xxx".
> The software keeps the socket open and executes the queries in a loop
> persisting of a write() call followed by a read() call.
>
> Now to the problem:
> At some point bird resets the connection and the logs are not showing
> anything related.
>
> Did anyone make similar experiences or can help me to find out what's
> wrong with bird here?
>
> Thanks
> Oliver
> --
> Oliver Herms
> oliver.peter.herms at gmail.com
>

--
Oliver Herms
oliver.peter.herms at gmail.com
+49 (0) 174 434 155 6
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From santiago at crfreenet.org Wed Nov 15 02:38:42 2017
From: santiago at crfreenet.org (Ondrej Zajicek)
Date: Wed, 15 Nov 2017 02:38:42 +0100
Subject: Decode BGP Shutdown Communication messages (RFC 8203)
In-Reply-To: <239b136a-0158-06ae-9c6e-5651f6cc9b17@mega-net.ru>
References: <0fb1194b-cd62-47f3-f471-e115e8ae8b1d@msk-ix.ru> <239b136a-0158-06ae-9c6e-5651f6cc9b17@mega-net.ru>
Message-ID: <20171115013842.b3s75ujvfuvijh2m@feanor.crfreenet.org>

On Mon, Nov 13, 2017 at 07:56:47AM +0300, Dmitry S. Nikolaev wrote:
> Hi.
>
> So, can we expect an answer ?

Hi

I hope that I answered:

http://trubka.network.cz/pipermail/bird-users/2017-October/011623.html

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

From jeanbaptiste.coupiac at nfrance.com Wed Nov 15 11:44:03 2017
From: jeanbaptiste.coupiac at nfrance.com (Jean-Baptiste COUPIAC)
Date: Wed, 15 Nov 2017 11:44:03 +0100
Subject: Export only "Primary" (best) route
Message-ID:

Hello everybody,

I'm trying to configure a Route-Reflector.
I have created a filter to import only some AS:

############################
filter bgp_IN
prefix set allnet;
int set allas;
{
    allas = [10753, 10929, 11478, 12322, 12353, 12392, 12566, 12670, 12684, 12876,
             13193, 13238, 13335, 133530, 13414, 14061, 14618, 15133, 15169, 15557,
             15895, 16136, 16211, 16276, 16347, 16509, 174, 19506, 197161, 198551,
             199064, 201106, 202089, 202727, 203070, 203476, 20473, 20900, 20940, 21502,
             21837, 2200, 23033, 23889, 24711, 24940, 24961, 25117, 25186, 25540,
             26101, 2635, 2856, 28708, 2914, 29169, 29286, 30999, 31167, 31216,
             31976, 32097, 3215, 3269, 32934, 3303, 3320, 3352, 3356, 34010,
             34173, 34177, 34274, 34949, 35540, 35625, 35632, 35994, 36351, 36408,
             36647, 36903, 36947, 39405, 39473, 39572, 39931, 4134, 43350, 43646,
             44050, 44444, 47608, 47833, 47841, 48069, 48072, 4837, 50583, 5089,
             51207, 51862, 52075, 5410, 54104, 54113, 5432, 55967, 56844, 5769,
             577, 57809, 60068, 60718, 60855, 62044, 62540, 65623, 6661, 6713,
             6830, 6848, 702, 714, 786, 7922, 8068, 8075, 8218, 8220,
             8228, 8346, 8399, 8560, 8565, 8839, 9003, 9159];
    if (bgp_path.last ~ allas) then accept;
    reject;
}
############################
protocol bgp ibgp_AAAAA {
    table bgp_filtre_IN;
    import filter bgp_IN;
    export none;
    local as XXXXX;
    neighbor YYYYYYYY as XXXXX;
}

protocol bgp ibgp_BBBBB {
    table bgp_filtre_IN;
    import filter bgp_IN;
    export none;
    local as XXXXX;
    neighbor ZZZZZZZZZ as XXXXX;
}
############################

Into the table bgp_filtre_IN, I want to have only the best route (primary
route) instead of all.

For example, for 2.22.88.0/22

bird> show route table bgp_filtre_IN for 2.22.88.0/22
2.22.88.0/22       unreachable [ibgp_AAAAA 17:04:11 from YYYYYYYYY] * (100/-) [AS20940i]
                   unreachable [ibgp_BBBBB 17:04:07 from ZZZZZZZ] (100/-) [AS20940i]

I just want to import first route, which is the best:
2.22.88.0/22       unreachable [ibgp_AAAAA 17:04:11 from YYYYYYYYY] * (100/-) [AS20940i]

Can I do it into table bgp_filtre_IN ?
Do I need to create another one with some filtering options ?

Regards,
__
Jean-Baptiste,

From marco at lamehost.it  Wed Nov 15 15:59:19 2017
From: marco at lamehost.it (Marco Marzetti)
Date: Wed, 15 Nov 2017 09:59:19 -0500
Subject: draft-keyur-idr-bgp-prefix-limit-orf
Message-ID:

Dear Developer of BIRD,

We're working on a draft called draft-keyur-idr-bgp-prefix-limit-orf that
you can find on IETF's website at this URL:
https://tools.ietf.org/html/draft-keyur-idr-bgp-prefix-limit-orf-02

Its goal is to allow BGP speakers to exchange maxprefix values in-band by
making use of the ORF capability.
We think the ideas expressed in the draft are very simple, but we would
like to hear from you how hard it would be to get them implemented in your
software.

Let me briefly explain how it is supposed to work.
Peer A and B set up a BGP session and set ORF as one of the active
capabilities.
Every time administrators of A change/set/remove maxprefix router A sends
an ORF message indicating to router B the new value along with the
behavior that router B must follow.
In case that the Match field is set to DENY router B will consider the
value as purely informational and will follow the usual behavior.
Else, in case Match is set to PERMIT, router B will not advertise any
prefix if that would cause the amount of advertised (non withdrawn)
prefixes to exceed router A's maxprefix value.

Please note that what is described above is just a coarse summary of what
is stated within the draft.
We encourage you to read it to better understand what we're working on.

In case that you're wondering why draft-keyur-idr-bgp-prefix-limit-orf
could be useful here are some real world cases:

1) Life saver for unplanned redistribution or fat fingers.
In MPLS L3VPNs service providers often impose strict maxprefix limit as
those are commercial values discussed before signing the contracts.
An unplanned increment in the advertisements may break the VPN.
In that case spokes may prefer not to announce some routes and still be
able to reach the rest of the network from the larger part of the site
than losing all connectivity.
And hubs can advertise both default and more specific routes for traffic
engineering without the risk of breaking the network.
Almost the same applies to FlowSpec where you could prefer not to
advertise some "rules" than to get all of them withdrawn because of an
error.

2) Easier and faster method to share maxprefix between peers.
Maxprefix is one of the few protection mechanisms used by autonomous
systems when peering in the DFZ.
When networks merge or transit providers get new large customers their
NOCs have to reach all the peering partners in an attempt to get maxprefix
updated.
This is usually done by broadcasting the request by email to all peers
(maybe multiple times) a few weeks before the increment. Then "cross the
fingers" and send the additional advertisements.
What often happens is emails got lost or unnoticed by the network
engineers of the receiving network and AS to AS connectivity breaks for
some hours or even days.
With the proposed solution the NOCs would be able to verify if the change
has been executed before touching anything.

At this very moment we're in the process of refining the draft before
submitting it to the IETF community, but we do understand that internet
standards are useful only if they're supported by vendors.
For this reason we would like to hear from you how hard it could be to add
the features of draft-keyur-idr-bgp-prefix-limit-orf in BIRD.
In case that it would be too complicated please let us know how we could
make things easier.

Thank you in advance for the comments or the suggestions you would like to
make.

Regards

--
Marco
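An added example, not part of Marco Marzetti's message or of the draft: a Python model of router B's side of the behaviour described above, where Match PERMIT makes B hold back announcements that would exceed router A's maxprefix and Match DENY leaves the value informational. The class and function names, the constructed documentation prefixes, and the choice to send held-back prefixes once a withdrawal or a changed limit makes room are assumptions of this model.

```python
import ipaddress
PERMIT, DENY = "PERMIT", "DENY"  # Match field values named in the message

class PrefixLimitGate:
    """Router B's state for one session after A's prefix-limit ORF (a model)."""
    def __init__(self):
        self.limit, self.match = None, DENY  # limit None: A has no maxprefix
        self.advertised = set()              # announced and not withdrawn
        self.held_back = []                  # suppressed while PERMIT applies

    def on_orf(self, limit, match):          # A set, changed or removed its value
        self.limit, self.match = limit, match
        self._release()

    def _full(self):                         # only PERMIT makes B hold back
        return (self.match == PERMIT and self.limit is not None
                and len(self.advertised) >= self.limit)

    def announce(self, prefix):              # True if advertised to A
        net = ipaddress.ip_network(prefix)
        if net in self.advertised:
            return True                      # an update keeps the count
        if self._full():
            if net not in self.held_back:
                self.held_back.append(net)
            return False
        self.advertised.add(net)
        return True

    def withdraw(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.advertised.discard(net)
        if net in self.held_back:
            self.held_back.remove(net)
        self._release()

    def over_limit(self):                    # A's usual maxprefix action would fire
        return self.limit is not None and len(self.advertised) > self.limit

    def _release(self):
        # Assumption: held-back prefixes go out, oldest first, once room appears.
        while self.held_back and not self._full():
            self.advertised.add(self.held_back.pop(0))

def leak(match, limit=2):
    """Constructed scenario: B tries to send four prefixes past A's limit."""
    gate = PrefixLimitGate()
    gate.on_orf(limit, match)
    nets = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "203.0.113.0/24"]
    return [gate.announce(n) for n in nets], gate.over_limit(), len(gate.held_back)
```

With DENY the scenario ends over A's limit, which is the case where A's ordinary maxprefix handling applies; with PERMIT the count stops at the limit and two prefixes stay held back.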

From shurshuka at icloud.com  Thu Nov 16 10:40:41 2017
From: shurshuka at icloud.com (Shurshuka)
Date: Thu, 16 Nov 2017 12:40:41 +0300
Subject: BGP AS Path Filter
In-Reply-To:
References:
Message-ID:

Hello,

I am newbie in Bird & BGP so pardon my question:

I have server and my own AS/IP's (/24).
I get default from my provider.
My provider has a lot of upstreams (different IP transit providers with their own AS).
I want my AS/routes to be announced only from some providers upstreams.
My provider doesn't provide any self-service BGP communities for that.
As I understood, I can do this thing with BGP AS Path Filter (Default is OK for this? Or Full View required?).
What filter I need to use (import/export)?
I tried to use this filter, but it failed:

> import filter {
>
>         if (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_1 PROVIDER_AS MY_AS =]) || (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_2 PROVIDER_AS MY_AS =]) then {
>
>                 accept;
>
>         } else reject;
> };

Could you please to answer my questions and to tell in what direction to move on?

Thanks.

From alarig at swordarmor.fr  Thu Nov 16 14:13:15 2017
From: alarig at swordarmor.fr (Alarig Le Lay)
Date: Thu, 16 Nov 2017 14:13:15 +0100
Subject: BGP AS Path Filter
In-Reply-To:
References:
Message-ID: <20171116131315.ktad36jdrion7z5a@mew.swordarmor.fr>

On Thu. 16 Nov. 12:40:41 2017, Shurshuka wrote:
> Hello,
>
> I am newbie in Bird & BGP so pardon my question:
>
> I have server and my own AS/IP's (/24).
> I get default from my provider.
> My provider has a lot of upstreams (different IP transit providers with their own AS).
> I want my AS/routes to be announced only from some providers upstreams.
> My provider doesn't provide any self-service BGP communities for that.
> As I understood, I can do this thing with BGP AS Path Filter (Default is OK for this? Or Full View required?).
> What filter I need to use (import/export)?
> I tried to use this filter, but it failed:
>
> > import filter {
> >
> >         if (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_1 PROVIDER_AS MY_AS =]) || (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_2 PROVIDER_AS MY_AS =]) then {
> >
> >                 accept;
> >
> >         } else reject;
> > };
>
> Could you please to answer my questions and to tell in what direction to move on?
>
> Thanks.

Hi,

If your provider doesn't have any communities you can't deal with it; you
will be announced on all its upstreams.

And please, do IPv6 too, we're in 2017 ;)

--
alarig

From dave.seddon.ca at gmail.com  Thu Nov 16 23:25:27 2017
From: dave.seddon.ca at gmail.com (dave seddon)
Date: Thu, 16 Nov 2017 14:25:27 -0800
Subject: BGP AS Path Filter
In-Reply-To:
References:
Message-ID:

BGP loop prevention works by never accepting a route with your own AS in
the path. Therefore if you prepend your route with the AS numbers of the
upstream networks, those networks won't accept the route.

However, maybe your ISP will not accept the route either if they have
strict filters (they probably will accept it), but keep in mind
reachability might not work, so tread carefully.

On Nov 16, 2017 3:44 AM, "Shurshuka" wrote:

> Hello,
>
> I am newbie in Bird & BGP so pardon my question:
>
> I have server and my own AS/IP's (/24).
> I get default from my provider.
> My provider has a lot of upstreams (different IP transit providers with
> their own AS).
> I want my AS/routes to be announced only from some providers upstreams.
> My provider doesn't provide any self-service BGP communities for that.
> As I understood, I can do this thing with BGP AS Path Filter (Default is
> OK for this? Or Full View required?).
> What filter I need to use (import/export)?
> I tried to use this filter, but it failed:
>
> > import filter {
> >
> >         if (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_1 PROVIDER_AS
> MY_AS =]) || (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_2 PROVIDER_AS MY_AS
> =]) then {
> >
> >                 accept;
> >
> >         } else reject;
> > };
>
> Could you please to answer my questions and to tell in what direction to
> move on?
>
> Thanks.
>

From emz at norma.perm.ru  Fri Nov 24 12:48:19 2017
From: emz at norma.perm.ru (Eugene M. Zheganin)
Date: Fri, 24 Nov 2017 16:48:19 +0500
Subject: OSPF: Cannot find next hop for LSA type
Message-ID: <85519c80-d095-de86-c7f4-6b47ff8e224d@norma.perm.ru>

Hi,

Recently I occasionally found that one can define the OSPF area twice, like

area 0.0.0.1 {
    interface "eth0";
}

area 0.0.0.1 {
    interface "eth1";
}

And this obviously erroneous configuration passes the bird configuration
check, and starts causing unpredictable and weird problems, including
the one mentioned in subject.

Since bird doesn't seem to have a bug tracker, this list seems to be an
appropriate place to report this.

Thanks.
Eugene.

From eqian at vidscale.com  Thu Nov 30 22:50:12 2017
From: eqian at vidscale.com (Eugene Qian)
Date: Thu, 30 Nov 2017 16:50:12 -0500
Subject: Could bgp password include double quotation character "?
Message-ID:

Hi All,

How could I include double quotation in bgp password?

in my config file

protocol bgp AS_64496 from ABC {
    description "BIRD BGP instance AS_64496";
    multihop;
    neighbor x.y.z.3 as 65002;
    source address a.b.c.29; # What local address we use for the TCP connect
    password "a1s@"xyz";
    import all;
    export where proto = "static_bgp";
}

password "a1s@"xyz";

I tried to use \ to escape or use single quotation for password, the bird
will give me this error

/opt/bird/etc/bird.conf, line 30: syntax error

What is the restriction on password?

Thanks

-Eugene