Source address selection for transit-router with "blackholed" linknet
Hi!

I'm working on getting a few Linux routers with BIRD up and running and I'm wondering: is there any way to influence source-address selection for the routes installed by BIRD? (How do other bird-users handle this? I guess I'm not alone?)

We have a transit from a provider that doesn't announce the linknet, as a lot of providers do (and I shouldn't source traffic from the linknet, I should use our own addresses). When I source traffic from the server/router it seems the Linux default action is to select the interface closest to the destination, which is the peering linknet, and it happily sends TCP/UDP/ICMP requests to the world. The replies never make it back though, since the IP isn't reachable from anywhere else.

With ip route there seems to be this flag "src <addr>", so you can specify "ip route add x.x.x.x/y via z.z.z.z src a.a.a.a"; this influences the kernel to select src a.a.a.a when sending traffic to x.x.x.x/y, but I haven't found such an option in the kernel table in BIRD.

If I have a router where only the "inside" IP is reachable from the internet, and all routes point to the outside, how do I make it source all locally generated traffic from the inside IP?

Do you set up multiple routing tables and set the default table to direct traffic to the inside, then on the inside interface have the full routing table (would this work?), or how do you handle this?

Best regards
Oskar Stenman
Yes, it's a common pitfall; look for "krt_prefsrc" in the doc. Or have a look at https://dn42.net/howto/bird#Source-address-selection (sorry, the certificate seems to have expired).

On Thu, Nov 13, 2014 at 11:06:25PM +0100, oskar@cetex.se wrote:
Hi!
I'm working on getting a few linux-routers with bird up and running and I'm wondering: Is there any way to influence source-address selection for the routes installed by bird? (how do other bird-users handle this?, I guess I'm not alone?)
We have a transit from a provider that doesn't announce the linknet, as a lot of providers do (and I shouldn't source traffic from the linknet, I should use our own addresses). When I source traffic from the server/router it seems the Linux default action is to select the interface closest to the destination, which is the peering linknet, and it happily sends TCP/UDP/ICMP requests to the world. The replies never make it back though, since the IP isn't reachable from anywhere else.
With ip route there seems to be this flag "src <addr>", so you can specify "ip route add x.x.x.x/y via z.z.z.z src a.a.a.a"; this influences the kernel to select src a.a.a.a when sending traffic to x.x.x.x/y, but I haven't found such an option in the kernel table in BIRD.
If I have a router where only the "inside" IP is reachable from the internet, and all routes point to the outside, how do I make it source all locally generated traffic from the inside IP?
Do you set up multiple routing tables and set the default table to direct traffic to the inside, then on the inside interface have the full routing table (would this work?), or how do you handle this?
Best regards Oskar Stenman
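The krt_prefsrc approach from the reply above, written out as an added example (this is not configuration from the thread or from the BIRD project; the addresses are RFC 5737 documentation placeholders, and the 'inside' address is assumed to be 192.0.2.1):

```bird
# Assumed addresses (RFC 5737 documentation space, not from the thread):
#   192.0.2.1        the router's own, globally reachable ("inside") address
#   198.51.100.0/30  the unannounced transit linknet
define OWN_IP = 192.0.2.1;

protocol kernel {
    scan time 20;
    import none;            # don't re-learn what we push into the kernel
    export filter {
        # Directly connected prefixes are already in the kernel table;
        # pushing them again would only cause duplicate-route noise.
        if source = RTS_DEVICE then reject;
        # Every route BIRD installs gets "src OWN_IP", so locally generated
        # traffic leaving via the linknet carries an address that the rest of
        # the Internet can actually route back to.
        krt_prefsrc = OWN_IP;
        accept;
    };
}
```

After `birdc configure`, `ip route show` should list the BIRD-installed routes with `src 192.0.2.1`, and `ip route get <some remote destination>` should report the same src; a route still missing it means the filter did not match that route.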
On 2014/11/13 23:06, oskar@cetex.se wrote:
Hi!
I'm working on getting a few linux-routers with bird up and running and I'm wondering: Is there any way to influence source-address selection for the routes installed by bird? (how do other bird-users handle this?, I guess I'm not alone?)
One method is to force the address to be marked "deprecated", which means that it can receive packets but isn't chosen as a source. I do this on OpenBSD by setting "pltime 0" when configuring the address; there's a blog post describing this on Linux, where the equivalent is "preferred_lft 0": http://www.davidc.net/networking/ipv6-source-address-selection-linux
This isn't BIRD-specific.
participants (3)
- Baptiste Jonglez
- oskar@cetex.se
- Stuart Henderson