Foreign upstream gateway for remote maintenance

Ondrej Zajicek santiago at crfreenet.org
Fri Mar 26 15:48:08 CET 2021


On Fri, Mar 26, 2021 at 09:58:17AM +0100, Bernd Naumann wrote:
> Good morning Nils,
> 
> On 26.03.21 08:47, Nils van Lück wrote:
> > Hello!
> > 
> > I am using the latest Bird version from the git repo under Debian. I
> > have one dedicated NIC for the LAN, one dedicated NIC for BGP sessions
> > and one NIC with an IP from a foreign ASN for remote maintenance. How
> > can I make the routed traffic go through Bird but still connect to a
> > foreign gateway via SSH through another NIC? Also the operating system
> > updates (apt-get) should run over the third NIC and not over the bird
> > routes.
> > 
> > NIC 1: LAN / OSPF
> > NIC 2: BGP / Peering / routed traffic over bird
> > NIC 3: foreign gateway for remote maintenance of the router's Debian instance
> > 
> > Regards,
> > 
> > Nils van Lück
> 
> I'm not 100% sure... but I see two ways, but both with limitations.
> Maybe someone can comment on these approaches, or provide an alternative
> better idea.
> 
> 1) Use different routing tables. This way you can ensure that traffic which
> hits nic3 goes out of nic3 then.
> 
> See https://tldp.org/HOWTO/pdf/Adv-Routing-HOWTO.pdf Section 4.2.1. Split
> access for the general setup
> 
> But I do not know how you would /tell/ `apt` to use that table or a specific
> source address (so its traffic would then go out of nic3).
> 
> However, bird is able to use different tables.

You can also use VRFs:

https://www.kernel.org/doc/Documentation/networking/vrf.txt
man ip-vrf

That is like different routing tables, but with easier setup (just assign
iface to VRF instead of meddling with ip rule table). You can either use
default VRF as management (put NIC 3 there), or you can use 'ip vrf exec'
to run apt in different VRF.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
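
As an added example (not part of the thread, and not BIRD's or iproute2's own scripts), the following POSIX shell script carries out the second option above: NIC 3 is enslaved to a management VRF with its own routing table and default route, while the main table stays with BIRD for the OSPF and BGP interfaces, and apt (or any other maintenance command) is started inside the VRF with `ip vrf exec`. The interface name eth2, VRF name mgmt, table 100 and the 192.0.2.0/24 addresses are assumptions chosen for illustration; set DRY_RUN=1 to print the commands instead of executing them.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: management VRF for NIC 3.
# Interface name, VRF name, table number and addresses below are assumed.
set -eu

MGMT_IF="${MGMT_IF:-eth2}"              # NIC 3, the foreign-gateway interface (assumed name)
MGMT_VRF="${MGMT_VRF:-mgmt}"            # VRF device name (assumed)
MGMT_TABLE="${MGMT_TABLE:-100}"         # routing table bound to the VRF (assumed)
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10/24}" # documentation prefix, assumed
MGMT_GW="${MGMT_GW:-192.0.2.1}"         # upstream gateway on NIC 3, assumed

# Execute a command, or print it when DRY_RUN=1 (so the plan can be checked without root).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

setup_mgmt_vrf() {
  # VRF device bound to its own routing table.
  run ip link add "$MGMT_VRF" type vrf table "$MGMT_TABLE"
  run ip link set dev "$MGMT_VRF" up
  # Enslave NIC 3: its connected route now lands in table $MGMT_TABLE,
  # not in the main table that BIRD populates from OSPF and BGP.
  run ip link set dev "$MGMT_IF" master "$MGMT_VRF"
  run ip addr add "$MGMT_ADDR" dev "$MGMT_IF"
  run ip link set dev "$MGMT_IF" up
  # Default route that exists only inside the management VRF.
  run ip route add default via "$MGMT_GW" dev "$MGMT_IF" table "$MGMT_TABLE"
}

# Run any command with its sockets bound to the management VRF,
# e.g. in_mgmt_vrf apt-get update, or in_mgmt_vrf /usr/sbin/sshd -D
in_mgmt_vrf() {
  run ip vrf exec "$MGMT_VRF" "$@"
}

# Usage: ./mgmt-vrf.sh setup      (DRY_RUN=1 ./mgmt-vrf.sh setup to preview)
#        ./mgmt-vrf.sh exec apt-get update
case "${1:-}" in
  setup) setup_mgmt_vrf ;;
  exec)  shift; in_mgmt_vrf "$@" ;;
  "")    ;;   # no verb: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 setup | exec <command...>" >&2; exit 2 ;;
esac
```

Two caveats a practitioner should know: `ip vrf exec` needs a kernel with cgroup BPF support (see vrf.txt), and a daemon listening in the default VRF, such as the distribution's sshd, does not see connections arriving on the VRF-enslaved NIC 3 unless net.ipv4.tcp_l3mdev_accept is set to 1. Starting a separate sshd with `in_mgmt_vrf /usr/sbin/sshd -D` keeps that sysctl at 0, so nothing listening on the routed side becomes reachable from the maintenance side by accident.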
