On Tue, Oct 20, 2015 at 11:07:12AM -0400, John E.P. Hynes wrote:
> Hi list,
> 
> I've read through the docs and Claudio's guide, but something isn't
> clear to me I'm hoping to get some direction on:
> 
> I am about to multihome.  My uplinks to my ISPs terminate on different
> OpenBSD routers.  The class C network behind them includes one internal
> OpenBSD gateway performing NAT for connections leaving the internal
> private network.
> 
> My understanding is that I would configure OpenBGPD on the two border
> routers with iBGP between them, like this:
> 
> /etc/bgpd.conf
> 
> # Global Config
> AS MyASN
> router-id 1.2.3.4
> 
> # Announce Our Network Space
> network 1.2.3/24
> 
> # Neighbor Config
> neighbor 9.8.7.6 {
>       descr   "My ISP 1"
>       remote-as TheirASN
> }
> 
> # iBGP
> group IBGP {
>       remote-as MyASN
>       neighbor 1.2.3.5 {
>               descr   "MyOtherBorderGateway"
>       }
> }
> 
> ...Essentially, since no host in my public network would be aware of
> which border gateway to leave through, I need an IGP such as OpenOSPFd
> as well.  Something like this on the border gateways:
> 
> /etc/ospfd.conf
> 
> # Global Config
> router-id 0.0.0.1
> redistribute connected
> 
> # Areas
> area 0.0.0.0 {
>       auth-type crypt
>       auth-md 1 "SomePW"
>       auth-md 2 "SomeDifferentPW"
>       auth-md-keyid 1
> 
>       # Main Link (DMZ)
>       interface em1
> }
> 
> ...and then something like this on all hosts on my public network,
> including the NAT firewall:
> 
> /etc/ospfd.conf
> 
> # Global Config
> router-id 0.0.0.3
> 
> # Areas
> area 0.0.0.0 {
>       auth-type crypt
>       auth-md 1 "SomePW"
>       auth-md 2 "SomeDifferentPW"
>       auth-md-keyid 1
> 
>       # Main Link (DMZ)
>       interface em1
> }
> 
> 
> My questions are:
> 
> 1) Claudio's guide suggests to me that iBGP needs to be run on the NAT
> firewall as well, but I don't understand *why* that would be necessary
> and I think I'm mis-reading it.  Clarification please?

Running BGP on the internal FW allows you to send out the traffic to the
correct border router and so you get better control over which path you
take to reach the internet.
 
> 2) Do I really want "redistribute connected" in the ospfd.conf on the
> border routers, or "redistribute default"?
> 

If you feed the BGP table to your FW then you most probably need
redistribute connected. In such a simple setup as yours you can also skip
using OSPF and just use "set nexthop self" in bgpd since all your routers
& firewalls are directly connected.

In short the IGP (OSPF) is required for incoming traffic to find its
destination in your network whereas iBGP is required to take the optimal
way out of your network.

-- 
:wq Claudio
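A sketch of the "set nexthop self" variant Claudio describes, written as an added example for this thread (it is not John's or Claudio's configuration and not from the OpenBGPD project): the border router carries the ISP's routes to its iBGP peers with itself as nexthop, so the NAT firewall, which here also speaks iBGP, can forward straight to the right exit without OSPF. Assumptions not in the thread: the firewall sits at 1.2.3.3 on the same /24, the ASNs 65000 (ours) and 65100 (ISP 1) are placeholders, and the filter syntax (last matching rule wins, nexthop self applied on the outbound rule) should be checked against bgpd.conf(5) for the release in use.

```conf
#### Border router 1 (1.2.3.4) -- /etc/bgpd.conf (added example)
AS 65000
router-id 1.2.3.4
# Our prefix; a matching kernel route (e.g. a static/reject route) must exist
network 1.2.3.0/24

# eBGP upstream (ASN is a placeholder)
neighbor 9.8.7.6 {
	descr     "My ISP 1"
	remote-as 65100
}

# iBGP: the other border router plus the NAT firewall, which is assumed
# here to sit at 1.2.3.3 (address not given in the thread)
group IBGP {
	remote-as 65000
	neighbor 1.2.3.5 {
		descr "MyOtherBorderGateway"
	}
	neighbor 1.2.3.3 {
		descr "NAT firewall"
	}
}

# Filters (last matching rule wins): take the ISP's routes, export only our
# own prefix to the ISP, and hand everything to iBGP peers with this router
# as nexthop so they forward directly to us instead of needing an IGP.
deny from any
deny to any
allow from 9.8.7.6
allow to 9.8.7.6 prefix 1.2.3.0/24
allow from group IBGP
allow to group IBGP set nexthop self

#### NAT firewall (1.2.3.3) -- /etc/bgpd.conf, iBGP only (added example)
# Learns the table from both borders; best-path selection picks the exit
# per prefix, and the nexthops are directly connected so no IGP is needed.
AS 65000
router-id 1.2.3.3
group IBGP {
	remote-as 65000
	neighbor 1.2.3.4 {
		descr "border1"
	}
	neighbor 1.2.3.5 {
		descr "border2"
	}
}
deny from any
allow from group IBGP
```

Inbound traffic still needs the /24 announced by both border routers (the `network` line) so it arrives at whichever uplink the outside world prefers; the firewall's return path is handled by the iBGP-learned routes above.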
