how to route traffic from the interface that arrives

I am announcing an IPv6 prefix via OSPF (bird2) to some routers. From the routers I can reach/ping the FreeBSD server, but not from the internet:


Code:
  (internet)
       |
       |
R1 --------- R2
  \         /
    FreeBSD



I am peering the node via wireguard using link-local and if I want to route via R1 I need to add it as the default gateway:

route -6 add default fe80::a1%wg0
or for router 2:
route -6 add default fe80::a2%wg1

But how to have all the available gateways (tunnel endpoints) route traffic back from the interface where it arrived? Could PF (reply-to) work for this?

I would like to balance the load and also, if one of the routers goes down, I would like to use the other available routers.
 
I replaced wireguard with gre just to simplify and used a FIB for the second tunnel. I create the first tunnel like this:

Code:
ifconfig gre0 tunnel <ip4 local> <ip4 remote>
ifconfig gre0 inet6 2001::80/64
route -6 add default 2001::1

Then for the second tunnel:

Code:
ifconfig gre1 tunnel <ip4 local> <ip4 remote>
ifconfig gre1 inet6 2001:affe::80/64 fib 1
route -6 add default 2001:affe::1 -fib 1

With this I manage to ping from the BGP (Linux servers). Then, to accept traffic from both FIBs, I am using these PF rules:

Code:
pass in on gre0 reply-to (gre0 2001::1) from any to any rtable 0
pass in on gre1 reply-to (gre1 2001:affe::1) from any to any rtable 1

Just in case: using a private range (fd00::/8 for the tunnel) and announcing only the prefix using OSPF worked, but I had trouble routing traffic back. I don't know if it is because OSPF imports/exports everything to fib0; maybe FRR handles this better.

Any tips/hints to improve this are very much appreciated.
 
I think a cleaner approach is to have the IP declared only once, peer using /127 and not use FIBs. For example, the first tunnel:


Code:
ifconfig gre0 tunnel <ip4 local> <ip4 remote>
ifconfig gre0 inet6 2001::b 2001::a prefixlen 128
route -6 add default 2001::a

Second tunnel:

Code:
ifconfig gre1 tunnel <ip4 local> <ip4 remote>
ifconfig gre1 inet6 2002::b 2002::a prefixlen 128
route -6 add default 2002::a

I could have multiple default routes, but still need PF with something like:

Code:
pass in on gre0 reply-to (gre0 2001::a) from any to any
pass in on gre1 reply-to (gre1 2002::a) from any to any

In lo1 I have the address "2001::80".

In the Linux routers, I create the tunnel like this:

Code:
auto gre.test
iface gre.test inet6 static
    pre-up ip tunnel add $IFACE mode gre remote X.X.X.X local Y.Y.Y.Y ttl 64
    pre-down ip tunnel delete $IFACE
    post-down ip -6 route del 2a01::80 via 2001::b
    up ip -6 route add 2a01::80 via 2001::b
    address 2001::a/127

But also in the dummy interface, I have "2a01::/64" (in the FreeBSD box I will use 2a01::80)

Code:
auto dummy0
iface dummy0 inet6 static
    pre-up ip link add $IFACE type dummy
    pre-down ip link delete $IFACE
    address 2a01::/64
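
The reply-to rules from the /127 layout above, written out as a pf.conf fragment. This is an added example, not part of the original posts; the macro names are made up here, and the service address 2a01::80 is assumed to be the one the Linux routers route to this box.

```pf
# pf.conf fragment: added example, not the poster's configuration.
# Interface names and peer addresses follow the /127 GRE layout above.
r1_if = "gre0"
r1_gw = "2001::a"        # R1 end of gre0
r2_if = "gre1"
r2_gw = "2002::a"        # R2 end of gre1
svc   = "2a01::80"       # assumed: announced service address on this host

# Inbound connections to the service address create state, and reply-to
# pins the replies of that state to the tunnel and next hop the first
# packet arrived on. The routing table (and its default route) is not
# consulted for those replies, so traffic that came in via R2 leaves via
# R2 even while the default route points at R1.
pass in on $r1_if reply-to ($r1_if $r1_gw) inet6 from any to $svc keep state
pass in on $r2_if reply-to ($r2_if $r2_gw) inet6 from any to $svc keep state

# reply-to only affects replies to connections opened from outside.
# Connections this host initiates still follow the routing table, so the
# default route decides which tunnel they use.
#
# To check the return path, watch each tunnel while pinging the service
# address from the internet through one router at a time, e.g.:
#   tcpdump -ni gre1 ip6 and host 2a01::80
# Echo requests and echo replies should show up on the same interface.
```

Scoping the rules to the service address instead of `from any to any` keeps the on-link traffic between the tunnel endpoints (router pings, routing protocol packets) out of the reply-to path.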
 