Re: Foreign upstream gateway for remote maintenance
Good morning Nils,

On 26.03.21 08:47, Nils van Lück wrote:
Hello!
I am using the latest Bird version from the git repo under Debian. I have one dedicated NIC for the LAN, one dedicated NIC for BGP sessions and one NIC with an IP from a foreign ASN for remote maintenance. How can I make the routed traffic go through Bird but still connect to a foreign gateway via SSH through another NIC? Also the operating system updates (apt-get) should run over the third NIC and not over the bird routes.
NIC 1: LAN / OSPF
NIC 2: BGP / Peering / routed traffic over bird
NIC 3: foreign gateway for remote maintenance of the router's Debian instance
Regards,
Nils van Lück
I'm not 100% sure... but I see two ways, both with limitations. Maybe someone can comment on these approaches, or provide an alternative better idea.

1) Use different routing tables. This way you can ensure that traffic which hits nic3 goes out of nic3 then.

See https://tldp.org/HOWTO/pdf/Adv-Routing-HOWTO.pdf Section 4.2.1 "Split access" for the general setup.

But I do not know how you would /tell/ `apt` to use that table or a specific source address (so its traffic would then go out of nic3).

However, bird is able to use different tables.

2) Using namespaces

Start `sshd` in a separate namespace, and call `apt` also only from within this namespace. This namespace would only have `lo` and `nic3`.

See for instance https://lwn.net/Articles/580893/

While using a namespace for sshd and apt, you would not need to configure bird / tell bird about it.

Hope this helps somehow.

Best,
Bernd
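The two approaches in Bernd's message, written out as an added example (not code from the thread or from BIRD). Every name and address is an assumed placeholder for the poster's setup: the foreign-ASN NIC is called nic3, its address and gateway are taken from RFC 5737 TEST-NET-1, the extra routing table is 100 and the namespace is "mgmt". The functions print the iproute2 commands they would run (a dry run); with APPLY=1 in the environment they also execute them, which needs root. The rp_filter line is a caveat the HOWTO does not mention: with strict reverse-path filtering and a full BGP table in main, packets arriving on nic3 fail the reverse lookup and are dropped.

```shell
#!/bin/sh
# Added example for the policy-routing and namespace approaches; not code
# from the thread. All names/addresses below are assumed placeholders.
# Without APPLY=1 the functions only print the commands; APPLY=1 runs them
# as well, which needs root.

MGMT_IF="${MGMT_IF:-nic3}"            # assumed name of the foreign-ASN NIC
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"  # assumed prefix on nic3 (TEST-NET-1)
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10}"  # assumed address on nic3
MGMT_PREFIX="${MGMT_PREFIX:-24}"
MGMT_GW="${MGMT_GW:-192.0.2.1}"       # assumed foreign gateway
MGMT_TABLE="${MGMT_TABLE:-100}"       # assumed id of the split-access table
MGMT_NS="${MGMT_NS:-mgmt}"            # assumed namespace name

# Print one command line; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Approach 1: policy routing (Adv-Routing-HOWTO 4.2.1 "split access").
# Packets sourced from nic3's address (sshd's replies, anything bound to it)
# are looked up in table 100, whose default route is the foreign gateway, so
# BIRD's default route in the main table never applies to them.
policy_routing_cmds() {
    run ip route add "$MGMT_NET" dev "$MGMT_IF" src "$MGMT_ADDR" table "$MGMT_TABLE"
    run ip route add default via "$MGMT_GW" dev "$MGMT_IF" table "$MGMT_TABLE"
    run ip rule add from "$MGMT_ADDR" lookup "$MGMT_TABLE" priority 1000
    # Strict reverse-path filtering would drop inbound packets on nic3, because
    # the main table's best route back to the remote host points at nic2.
    # Loose mode (2) on the management NIC avoids that.
    run sysctl -w "net.ipv4.conf.${MGMT_IF}.rp_filter=2"
}

# Approach 2: a network namespace holding only lo and nic3. sshd and apt run
# inside it with their own routing table, so BIRD needs no changes. Moving
# nic3 into the namespace removes it (and its address) from the default
# namespace, so run this from a console or a LAN-side session, not over nic3.
netns_cmds() {
    run ip netns add "$MGMT_NS"
    run ip link set "$MGMT_IF" netns "$MGMT_NS"
    run ip -n "$MGMT_NS" link set lo up
    run ip -n "$MGMT_NS" addr add "${MGMT_ADDR}/${MGMT_PREFIX}" dev "$MGMT_IF"
    run ip -n "$MGMT_NS" link set "$MGMT_IF" up
    run ip -n "$MGMT_NS" route add default via "$MGMT_GW" dev "$MGMT_IF"
    # A second sshd that listens only inside the namespace; the pid file name
    # is an assumption chosen not to clash with the system sshd.
    run ip netns exec "$MGMT_NS" /usr/sbin/sshd -o PidFile=/run/sshd-mgmt.pid
    # apt started inside the namespace can only reach the world through nic3.
    run ip netns exec "$MGMT_NS" apt-get update
}

case "${1:-}" in
    policy) policy_routing_cmds ;;
    netns)  netns_cmds ;;
esac
```

Run as `sh split-access.sh policy` or `sh split-access.sh netns` to see the commands, and prefix with `APPLY=1` (as root) to apply them. The namespace variant is the one that actually answers the apt question: a process only sees the routing table of the namespace it runs in, so no apt option is needed.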
On Fri, Mar 26, 2021 at 09:58:17AM +0100, Bernd Naumann wrote:
You can also use VRFs:

https://www.kernel.org/doc/Documentation/networking/vrf.txt

man ip-vrf

That is like different routing tables, but with easier setup (just assign iface to VRF instead of meddling with ip rule table).

You can either use default VRF as management (put NIC 3 there), or you can use 'ip vrf exec' to run apt in different VRF.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
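The VRF variant from Ondrej's reply, as an added example (not code from the thread, the kernel document or BIRD). It shows the "nic3 in a management VRF" form, with `ip vrf exec` for apt; the other form he names (leave nic3 in the default VRF and put the BIRD-facing NICs in a VRF) needs no vrf exec for apt or sshd but requires BIRD to work against that VRF instead. Names and addresses are assumed placeholders: nic3 is the foreign-ASN NIC, the VRF device is "mgmt" bound to table 100, addresses are RFC 5737 TEST-NET-1, and nic3 is assumed to start unconfigured. The function prints the commands; with APPLY=1 it also runs them, which needs root and a kernel and iproute2 with VRF support.

```shell
#!/bin/sh
# Added example for the VRF approach; not code from the thread. All
# names/addresses below are assumed placeholders. Without APPLY=1 the
# function only prints the commands; APPLY=1 runs them too (needs root).

MGMT_IF="${MGMT_IF:-nic3}"            # assumed name of the foreign-ASN NIC
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10}"  # assumed address on nic3 (TEST-NET-1)
MGMT_PREFIX="${MGMT_PREFIX:-24}"
MGMT_GW="${MGMT_GW:-192.0.2.1}"       # assumed foreign gateway
VRF="${VRF:-mgmt}"                    # assumed VRF device name
VRF_TABLE="${VRF_TABLE:-100}"         # assumed table bound to the VRF

# Print one command line; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Management VRF: nic3 is enslaved to the VRF device, so route lookups for
# traffic on it use table 100 and BIRD's routes in the main table are never
# consulted. The policy rule that directs VRF traffic to its table (the
# l3mdev rule) is installed by the kernel when the first VRF is created,
# which is why no "ip rule" line is needed here.
vrf_cmds() {
    run ip link add "$VRF" type vrf table "$VRF_TABLE"
    run ip link set "$VRF" up
    run ip link set "$MGMT_IF" master "$VRF"
    run ip link set "$MGMT_IF" up
    run ip addr add "${MGMT_ADDR}/${MGMT_PREFIX}" dev "$MGMT_IF"
    run ip route add default via "$MGMT_GW" dev "$MGMT_IF" table "$VRF_TABLE"
    # A lookup that misses table 100 would fall through to the main table and
    # hit BIRD's routes; this lowest-priority catch-all (as in the kernel VRF
    # document) keeps the VRF self-contained.
    run ip route add unreachable default metric 4278198272 table "$VRF_TABLE"
    # Lets a listener in the default VRF (the existing sshd on 0.0.0.0) accept
    # connections arriving on nic3; replies then follow table 100. Without it,
    # a second sshd would have to be started under "ip vrf exec".
    run sysctl -w net.ipv4.tcp_l3mdev_accept=1
    # apt, or any other process, started in the VRF only sees table 100.
    run ip vrf exec "$VRF" apt-get update
}

case "${1:-}" in
    vrf) vrf_cmds ;;
esac
```

Run as `sh mgmt-vrf.sh vrf` to see the commands and `APPLY=1 sh mgmt-vrf.sh vrf` as root to apply them. `ip vrf exec` is what makes the apt case simple: it binds the child process to the VRF device, so no apt option or source-address trick is needed.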
participants (2)
- Bernd Naumann
- Ondrej Zajicek