
My VyOS configuration for F333.DN42

Author
F333-MNT

Network design

I have two routers, dn42-fw1 and dn42-fw2, placed in a DMZ. Each router announces all routes for f333.dn42 to external peers using eBGP. Internally, each router holds one half of the IPv4 address range (a /28) and one /56 subnet from the IPv6 range. OSPF is used to exchange internal routes and to announce the entire DN42 address range as a single static route (IPv4 and IPv6) to the non-DN42-aware routers on the network.

DN42 networks

| Router   | IPv4 Network     | IPv6 Network              |
|----------|------------------|---------------------------|
| dn42-fw1 | 172.23.38.64/28  | fdb0:f750:cce0::/56       |
| dn42-fw2 | 172.23.38.80/28  | fdb0:f750:cce0:100::/56   |

| Router   | IPv4 Address | IPv6 Address           |
|----------|--------------|------------------------|
| dn42-fw1 | 172.23.38.65 | fdb0:f750:cce0::1      |
| dn42-fw2 | 172.23.38.81 | fdb0:f750:cce0:100::1  |

Internal networks

| Name         | Network                |
|--------------|------------------------|
| DMZ          | 192.168.xx.0/24        |
| Internal ULA | fdfc:xxxx:xxxx::/48    |
| ISP GLA      | 2001:xxxx:xxxx::/56    |

Basic router setup

Assign DN42 addresses

# DN42-FW1
# The loopback /32 and /128 are the router's stable identities: the same
# addresses are reused below as the OSPF router-id and the iBGP update-source.
set interfaces loopback lo address 172.23.38.65/32
set interfaces loopback lo address fdb0:f750:cce0::1/128
# eth1 is the router's own half of the DN42 range (172.23.38.64/28). Only the
# first /64 of the /56 is configured on the interface; the rest of the /56 is
# reachable only via the aggregate routes configured later.
set interfaces ethernet eth1 address 172.23.38.66/28
set interfaces ethernet eth1 address fdb0:f750:cce0::2/64

# DN42-FW2
# Loopback addresses double as the OSPF router-id and the iBGP update-source.
set interfaces loopback lo address 172.23.38.81/32
set interfaces loopback lo address fdb0:f750:cce0:100::1/128
# eth1 holds the second /28 (172.23.38.80/28) and the first /64 of the
# second /56 (fdb0:f750:cce0:100::/56).
set interfaces ethernet eth1 address 172.23.38.82/28
set interfaces ethernet eth1 address fdb0:f750:cce0:100::2/64

IGP using OSPF

Configure OSPF

# DN42-FW1
# router-id reuses the IPv4 loopback address. The network statement places every
# interface with an address inside 172.23.38.64/28 into area 0 -- that is eth1
# (172.23.38.66/28) and lo (172.23.38.65/32).
set protocols ospf parameters router-id 172.23.38.65
set protocols ospf area 0 network 172.23.38.64/28

# DN42-FW2
# router-id reuses the IPv4 loopback address; 172.23.38.80/28 covers eth1
# (172.23.38.82/28) and lo (172.23.38.81/32), so both join area 0.
set protocols ospf parameters router-id 172.23.38.81
set protocols ospf area 0 network 172.23.38.80/28

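# All
set protocols ospf area 0 area-type normal
# The DMZ subnet is where the two routers and the non-DN42-aware routers meet.
# No OSPF authentication is configured on this interface; if not every host in
# the DMZ is trusted, consider `set protocols ospf interface <dmz-if>
# authentication md5 ...` so that a rogue DMZ host cannot inject routes.
set protocols ospf area 0 network 192.168.xx.0/24
set protocols ospf parameters abr-type cisco
# Redistribute the static blackhole aggregates (and kernel routes) so the
# non-DN42-aware routers learn one route for the whole DN42 range.
# metric-type 2: the external metric is not increased hop by hop.
set protocols ospf redistribute kernel metric 2
set protocols ospf redistribute kernel metric-type 2
set protocols ospf redistribute static metric 2
set protocols ospf redistribute static metric-type 2
# Mirror the OSPFv3 block: eth1 (the DN42 LAN) and lo have no OSPF neighbours,
# so mark them passive. Their prefixes are still advertised, but no hellos are
# sent and no adjacency can be formed from those segments. Without this the
# OSPFv2 instance accepts neighbours on eth1 while OSPFv3 does not.
set protocols ospf interface eth1 passive
set protocols ospf interface lo passive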

Configure OSPFv3

# DN42-FW1
# OSPFv3 router-ids are 32-bit values; the IPv4 loopback address is reused so
# the OSPFv2 and OSPFv3 identities match.
set protocols ospfv3 parameters router-id 172.23.38.65

# DN42-FW2
# Same router-id as the OSPFv2 instance on this router.
set protocols ospfv3 parameters router-id 172.23.38.81

# All
# Redistribute the static blackhole aggregates (fd00::/8 and the own /48) and
# kernel routes into OSPFv3, so the rest of the network gets a single DN42 route.
set protocols ospfv3 redistribute kernel
set protocols ospfv3 redistribute static
# eth0 is the only interface that forms adjacencies -- presumably the DMZ side
# (the OSPFv2 block above uses the 192.168.xx.0/24 DMZ network); confirm.
# NOTE(review): no OSPFv3 authentication is configured on eth0 either.
set protocols ospfv3 interface eth0 area 0.0.0.0
# eth1 (DN42 LAN) and lo are passive: their prefixes are advertised but no
# hellos are sent and no neighbour can attach from those segments.
set protocols ospfv3 interface eth1 area 0.0.0.0
set protocols ospfv3 interface eth1 passive
set protocols ospfv3 interface lo area 0.0.0.0
set protocols ospfv3 interface lo passive

RPKI & route policies

Set up RPKI container

# first add container image fransking/vyos-gortr then configure
# The container runs an RTR server that serves the DN42 ROA data to FRR.
set container name dn42-roa image fransking/vyos-gortr
# Host networking: the RTR listener is bound directly on the host, which is
# what lets FRR reach it on 127.0.0.1 below. Nothing restricts it to
# loopback here; confirm the container itself only binds locally.
set container name dn42-roa allow-host-networks
# ROA source fetched over HTTPS, so transport integrity relies on TLS.
set container name dn42-roa environment 'CACHE' value 'https://dn42.burble.com/roa/dn42_roa_46.json'
# NOTE(review): VERIFY/CHECKTIME 'false' presumably disable the ROA file's
# signature and validity-window checks in gortr (likely required because the
# DN42 export is not signed for this tool -- confirm). With both off, a stale
# or substituted cache file is not detected at this layer; TLS to the source
# is the only integrity control left.
set container name dn42-roa environment 'VERIFY' value 'false'
set container name dn42-roa environment 'CHECKTIME' value 'false'
# RTR port; must match the `protocols rpki cache` port configured below.
set container name dn42-roa environment 'PORT' value '38082'

# Point FRR's RPKI validator at the local RTR server (plain RTR over loopback;
# acceptable since it never leaves the host). preference '1' orders caches
# when more than one is configured; only one is defined here.
set protocols rpki cache 127.0.0.1 port '38082'
set protocols rpki cache 127.0.0.1 preference '1'  

Blackhole DN42 routes

# Blackhole aggregates. They serve two purposes: (1) they are redistributed
# into OSPF/OSPFv3 (redistribute static) so the rest of the network has a
# single DN42 route pointing at these routers, and (2) they keep the /27 and
# /48 present in the RIB for the BGP `network` statements. Traffic to any
# DN42 prefix without a more specific route is dropped here rather than
# following a default route out of the network.
set protocols static route 172.20.0.0/14 blackhole
set protocols static route 172.23.38.64/27 blackhole  
# NOTE(review): fd00::/8 also covers the site's own Internal ULA
# (fdfc:xxxx:xxxx::/48). That is only safe while the more specific ULA route
# is always present (connected or via OSPFv3); if it disappears, internal
# ULA traffic is blackholed on these routers.
set protocols static route6 fd00::/8 blackhole
set protocols static route6 fdb0:f750:cce0::/48 blackhole

Set up route prefixes

# Own aggregates. No ge/le, so each list matches the exact /27 or /48 only --
# the more specific /28s and /56s are not caught by these lists.
set policy prefix-list dn42-own-networks rule 10 action 'permit'
set policy prefix-list dn42-own-networks rule 10 prefix '172.23.38.64/27'

set policy prefix-list6 dn42-own-networks-v6 rule 10 action 'permit'
set policy prefix-list6 dn42-own-networks-v6 rule 10 prefix 'fdb0:f750:cce0::/48'

# DN42 networks
  #  172.20.0.0/14{21,29}, # dn42
  #  172.20.0.0/24{28,32}, # dn42 Anycast
  #  172.21.0.0/24{28,32}, # dn42 Anycast
  #  172.22.0.0/24{28,32}, # dn42 Anycast
  #  172.23.0.0/24{28,32}  # dn42 Anycast
  #  fd00::/8{44,64}       # ULA address space as per RFC 4193

# Everything that is acceptable DN42 address space. The ge/le pairs mirror
# the ranges in the comment block above: /21-/29 out of 172.20.0.0/14, and
# /28-/32 out of the four anycast /24s.
set policy prefix-list dn42-networks rule 10 action 'permit'
set policy prefix-list dn42-networks rule 10 ge '21'
set policy prefix-list dn42-networks rule 10 le '29'
set policy prefix-list dn42-networks rule 10 prefix '172.20.0.0/14'

set policy prefix-list dn42-networks rule 20 action 'permit'
set policy prefix-list dn42-networks rule 20 ge '28'
set policy prefix-list dn42-networks rule 20 le '32'
set policy prefix-list dn42-networks rule 20 prefix '172.20.0.0/24'

set policy prefix-list dn42-networks rule 30 action 'permit'
set policy prefix-list dn42-networks rule 30 ge '28'
set policy prefix-list dn42-networks rule 30 le '32'
set policy prefix-list dn42-networks rule 30 prefix '172.21.0.0/24'

set policy prefix-list dn42-networks rule 40 action 'permit'
set policy prefix-list dn42-networks rule 40 ge '28'
set policy prefix-list dn42-networks rule 40 le '32'
set policy prefix-list dn42-networks rule 40 prefix '172.22.0.0/24'

set policy prefix-list dn42-networks rule 50 action 'permit'
set policy prefix-list dn42-networks rule 50 ge '28'
set policy prefix-list dn42-networks rule 50 le '32'
set policy prefix-list dn42-networks rule 50 prefix '172.23.0.0/24'

# Whole ULA space, /44-/64. NOTE(review): this also matches the site's own
# Internal ULA (fdfc:xxxx:xxxx::/48) should a peer ever announce it; only an
# RPKI check evaluated before the permit would reject such a route, this
# list alone will not.
set policy prefix-list6 dn42-networks-v6 rule 10 action 'permit'
set policy prefix-list6 dn42-networks-v6 rule 10 ge 44
set policy prefix-list6 dn42-networks-v6 rule 10 le 64
set policy prefix-list6 dn42-networks-v6 rule 10 prefix 'fd00::/8'

Create route map policies for iBGP

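# Route-map for the iBGP session, applied to both address families.
# Route-maps are evaluated first-match: the first rule whose match clauses
# succeed decides the route. The RPKI checks are therefore placed AHEAD of
# the prefix-list permits -- numbered after them (96-98) they were never
# reached for a DN42 prefix, and ROA validation was effectively a no-op.
set policy route-map dn42-ibgp rule 5 action 'deny'
set policy route-map dn42-ibgp rule 5 description 'Deny RPKI invalid'
set policy route-map dn42-ibgp rule 5 match rpki 'invalid'
set policy route-map dn42-ibgp rule 6 action 'deny'
set policy route-map dn42-ibgp rule 6 description 'Deny RPKI notfound'
set policy route-map dn42-ibgp rule 6 match rpki 'notfound'
# NOTE: if the RTR cache on 127.0.0.1:38082 is unreachable, FRR treats every
# prefix as notfound and rule 6 empties the table; keep the ROA container
# monitored. That failure mode was previously masked by the dead RPKI rules.

# deny own networks as these are announced over OSPF already
set policy route-map dn42-ibgp rule 10 action 'deny'
set policy route-map dn42-ibgp rule 10 description 'Deny dn42-own-networks'
set policy route-map dn42-ibgp rule 10 match ip address prefix-list 'dn42-own-networks'
set policy route-map dn42-ibgp rule 11 action 'deny'
set policy route-map dn42-ibgp rule 11 description 'Deny dn42-own-networks-v6'
set policy route-map dn42-ibgp rule 11 match ipv6 address prefix-list 'dn42-own-networks-v6'

# Permit only prefixes that survived the RPKI checks AND fall inside the DN42
# prefix-lists. A route with a valid ROA outside those lists is no longer
# permitted (the old rule 96 did that); it falls through to rule 99.
set policy route-map dn42-ibgp rule 20 action 'permit'
set policy route-map dn42-ibgp rule 20 description 'Allow dn42-networks'
set policy route-map dn42-ibgp rule 20 match ip address prefix-list 'dn42-networks'
set policy route-map dn42-ibgp rule 21 action 'permit'
set policy route-map dn42-ibgp rule 21 description 'Allow dn42-networks-v6'
set policy route-map dn42-ibgp rule 21 match ipv6 address prefix-list 'dn42-networks-v6'
# Explicit catch-all deny for anything not matched above.
set policy route-map dn42-ibgp rule 99 action 'deny'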

Create route map policies for eBGP

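# Route-map for the eBGP peerings, applied in both directions.
# First-match evaluation: the RPKI denies must precede the prefix-list
# permits, otherwise a DN42 prefix is accepted at rule 20/21 before the
# ROA state is ever examined (as happened with rules 96-98 after the permits).
set policy route-map dn42-ebgp rule 5 action 'deny'
set policy route-map dn42-ebgp rule 5 description 'Deny RPKI invalid'
set policy route-map dn42-ebgp rule 5 match rpki 'invalid'
set policy route-map dn42-ebgp rule 6 action 'deny'
set policy route-map dn42-ebgp rule 6 description 'Deny RPKI notfound'
set policy route-map dn42-ebgp rule 6 match rpki 'notfound'
# NOTE: with the RTR cache down FRR treats every prefix as notfound, so rule 6
# then drops everything learned from (and sent to) peers; monitor the
# dn42-roa container.

# Inbound: accept only DN42 space. Outbound: the same test keeps anything that
# is not DN42 space (e.g. an accidentally redistributed prefix) from leaking
# to peers.
set policy route-map dn42-ebgp rule 20 action 'permit'
set policy route-map dn42-ebgp rule 20 description 'Allow dn42-networks'
set policy route-map dn42-ebgp rule 20 match ip address prefix-list 'dn42-networks'
set policy route-map dn42-ebgp rule 21 action 'permit'
set policy route-map dn42-ebgp rule 21 description 'Allow dn42-networks-v6'
set policy route-map dn42-ebgp rule 21 match ipv6 address prefix-list 'dn42-networks-v6'
# Catch-all deny; RPKI-valid prefixes outside the DN42 lists end here too.
set policy route-map dn42-ebgp rule 99 action 'deny'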

iBGP

Set up iBGP between DN42-FW1 and DN42-FW2

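# DN42-FW1: iBGP to DN42-FW2 over the global ULA loopback addresses.
set protocols bgp system-as '4242421252'
# Originate the /27 and /48 aggregates. The static blackhole routes keep
# these prefixes present in the RIB.
set protocols bgp address-family ipv4-unicast network 172.23.38.64/27
set protocols bgp address-family ipv6-unicast network fdb0:f750:cce0::/48
set protocols bgp parameters router-id 172.23.38.65

set protocols bgp neighbor fdb0:f750:cce0:100::1 remote-as '4242421252'
set protocols bgp neighbor fdb0:f750:cce0:100::1 update-source 'fdb0:f750:cce0::1'
# NOTE(review): `interface v6only` is normally paired with an interface /
# link-local peer (compare the eBGP block); with a global-address neighbour
# and update-source it is likely redundant -- confirm it commits cleanly.
set protocols bgp neighbor fdb0:f750:cce0:100::1 interface v6only
set protocols bgp neighbor fdb0:f750:cce0:100::1 description 'dn42-fw2'
# IPv4 NLRI is carried over the IPv6 session, hence the extended next-hop
# capability; nexthop-self makes the loopback the next hop for both families.
set protocols bgp neighbor fdb0:f750:cce0:100::1 capability extended-nexthop
set protocols bgp neighbor fdb0:f750:cce0:100::1 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor fdb0:f750:cce0:100::1 address-family ipv6-unicast nexthop-self
# Apply the policy in BOTH directions for BOTH families. The route-map holds
# ip and ipv6 match rules, so applying only export on IPv4 and only import on
# IPv6 left IPv4 inbound and IPv6 outbound unfiltered on this session.
set protocols bgp neighbor fdb0:f750:cce0:100::1 address-family ipv4-unicast route-map import 'dn42-ibgp'
set protocols bgp neighbor fdb0:f750:cce0:100::1 address-family ipv4-unicast route-map export 'dn42-ibgp'
set protocols bgp neighbor fdb0:f750:cce0:100::1 address-family ipv6-unicast route-map import 'dn42-ibgp'
set protocols bgp neighbor fdb0:f750:cce0:100::1 address-family ipv6-unicast route-map export 'dn42-ibgp'
# NOTE(review): no session `password` (TCP MD5) is configured; fine on a
# link only these two routers share, worth adding if the DMZ is shared.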

Set up iBGP between DN42-FW2 and DN42-FW1

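# DN42-FW2: iBGP to DN42-FW1, the mirror image of the FW1 block.
set protocols bgp system-as '4242421252'
# Both routers originate the same aggregates; the blackhole routes keep them
# in the RIB.
set protocols bgp address-family ipv4-unicast network 172.23.38.64/27
set protocols bgp address-family ipv6-unicast network fdb0:f750:cce0::/48
set protocols bgp parameters router-id 172.23.38.81

set protocols bgp neighbor fdb0:f750:cce0::1 remote-as '4242421252'
set protocols bgp neighbor fdb0:f750:cce0::1 update-source 'fdb0:f750:cce0:100::1'
# NOTE(review): `interface v6only` is likely redundant for a global-address
# neighbour with an explicit update-source -- confirm it commits cleanly.
set protocols bgp neighbor fdb0:f750:cce0::1 interface v6only
set protocols bgp neighbor fdb0:f750:cce0::1 description 'dn42-fw1'
# IPv4 NLRI over the IPv6 session needs the extended next-hop capability.
set protocols bgp neighbor fdb0:f750:cce0::1 capability extended-nexthop
set protocols bgp neighbor fdb0:f750:cce0::1 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor fdb0:f750:cce0::1 address-family ipv6-unicast nexthop-self
# Policy in both directions for both families; previously IPv4 had only an
# export filter and IPv6 only an import filter, leaving the other direction
# of each family unfiltered.
set protocols bgp neighbor fdb0:f750:cce0::1 address-family ipv4-unicast route-map import 'dn42-ibgp'
set protocols bgp neighbor fdb0:f750:cce0::1 address-family ipv4-unicast route-map export 'dn42-ibgp'
set protocols bgp neighbor fdb0:f750:cce0::1 address-family ipv6-unicast route-map import 'dn42-ibgp'
set protocols bgp neighbor fdb0:f750:cce0::1 address-family ipv6-unicast route-map export 'dn42-ibgp'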

eBGP

Create eBGP peerings over WireGuard

# One WireGuard interface per peer. The interface and peer names here
# (wg0123456789 / 0123456789) are placeholders built from the peer's AS.
set interfaces wireguard wg0123456789 private-key <my private key>
set interfaces wireguard wg0123456789 port 23914
# 1420 leaves room for the WireGuard/UDP/IP overhead on a 1500-byte path;
# the MSS clamp below keeps TCP inside that even when PMTUD is broken.
set interfaces wireguard wg0123456789 mtu 1420
# Only a link-local address is placed on the tunnel; BGP peers over it using
# the link-local + source-interface form in the block below. The auto
# link-local is disabled so the configured one is the only address.
set interfaces wireguard wg0123456789 address <my link local address>
set interfaces wireguard wg0123456789 ipv6 address no-default-link-local
set interfaces wireguard wg0123456789 ip adjust-mss 1300

set interfaces wireguard wg0123456789 peer 0123456789 public-key <peer public key>
set interfaces wireguard wg0123456789 peer 0123456789 address <peer ip address>
set interfaces wireguard wg0123456789 peer 0123456789 port <peer port>
# allowed-ips 0/0 and ::/0 make WireGuard accept any source through the
# tunnel; which prefixes are actually reachable via it is decided by BGP and
# the route-maps, not by WireGuard's crypto-key routing.
set interfaces wireguard wg0123456789 peer 0123456789 allowed-ips 0.0.0.0/0
set interfaces wireguard wg0123456789 peer 0123456789 allowed-ips ::/0
# Keeps the UDP mapping alive through NAT/stateful firewalls in front of us.
set interfaces wireguard wg0123456789 peer 0123456789 persistent-keepalive 60

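# eBGP session to the peer over its link-local address on the tunnel
# interface; remote-as is a placeholder for the peer's AS.
set protocols bgp neighbor fe80::ade0 remote-as '0123456789'
set protocols bgp neighbor fe80::ade0 interface source-interface 'wg0123456789'
set protocols bgp neighbor fe80::ade0 interface v6only
# IPv4 routes are exchanged over the IPv6-only session via extended next-hop.
set protocols bgp neighbor fe80::ade0 capability extended-nexthop
# Keep the unfiltered Adj-RIB-In so policy changes can be re-applied without
# a hard reset (and so rejected routes can be inspected).
set protocols bgp neighbor fe80::ade0 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor fe80::ade0 address-family ipv6-unicast soft-reconfiguration inbound
# Apply the policy in BOTH directions for BOTH families. Previously IPv4 had
# only an export filter, so every IPv4 route the peer sent was accepted
# unchecked, and IPv6 had only an import filter, so every IPv6 route in the
# table was advertised to the peer. The route-map carries ip and ipv6 rules
# precisely so it can be applied to both.
set protocols bgp neighbor fe80::ade0 address-family ipv4-unicast route-map import 'dn42-ebgp'
set protocols bgp neighbor fe80::ade0 address-family ipv4-unicast route-map export 'dn42-ebgp'
set protocols bgp neighbor fe80::ade0 address-family ipv6-unicast route-map import 'dn42-ebgp'
set protocols bgp neighbor fe80::ade0 address-family ipv6-unicast route-map export 'dn42-ebgp'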

Masquerading

Masquerade non-DN42-originated IPv4 and IPv6 traffic

# IPv4: anything leaving a WireGuard peer interface that is NOT sourced from
# DN42 space (e.g. the 192.168.xx.0/24 DMZ) is masqueraded behind the tunnel
# address. The router's own /28s are inside 172.20.0.0/14 and so pass
# untranslated. NOTE(review): no firewall policy for the wg* interfaces is
# shown on this page; confirm forwarded traffic is filtered elsewhere.
set nat source rule 4200 outbound-interface name wg*
set nat source rule 4200 source address !172.20.0.0/14
set nat source rule 4200 translation address 'masquerade'

# IPv6: nat66 takes one source prefix per rule, hence two rules -- one for the
# ISP-assigned GLA block and one for the internal ULA. DN42 ULA sources
# (fdb0:f750:cce0::/48) match neither rule and are forwarded untranslated.
set nat66 source rule 4200 outbound-interface name wg*
set nat66 source rule 4200 source prefix 2001:xxxx:xxxx::/56  # ISP GLA
set nat66 source rule 4200 translation address 'masquerade'
set nat66 source rule 4202 outbound-interface name wg*
set nat66 source rule 4202 source prefix fdfc:xxxx:xxxx::/48  # Internal ULA
set nat66 source rule 4202 translation address 'masquerade'