wireguard + multihop BGP = route rejected, but route created
Ivan Agarkov
ivan.agarkov at gmail.com
Sun Dec 10 14:25:28 CET 2023
Hello!
I'm creating a BGP lab for my students and have found some interesting and unexpected
behaviour.
I'm getting a reject message when receiving a route:
2023-12-10 15:10:53.724 <TRACE> isp1.ipv4 > added [best] 10.200.0.0/16 0L
4G unicast
2023-12-10 15:10:53.724 <TRACE> isp1.ipv4 < rejected by protocol
10.200.0.0/16 0L 4G unicast
But then the route still appears in the ip route output:
10.200.0.0/16 dev 201 proto bird scope link metric 32
I've dug into the source code and found that the reject happens here, in the
bgp_preexport function: proto/bgp/attrs.c:1641, `if (src == p) return -1;`.
The question is: what is happening here, and is this behaviour valid/expected?
The WireGuard configuration is the same on all peers:
[Interface]
# Tunnel address is a host route (/32); the 10.10.10.0/24 transport net is
# routed by BIRD (static route via the wireguard device in bird.conf).
Address=10.10.10.201/32
# redacted
PrivateKey=******
# wg-quick installs no routes for AllowedIPs; route handling is left to BIRD.
Table=off
[Peer]
# redacted
Endpoint=*******
PublicKey=*****
PersistentKeepalive=25
# Cryptokey routing: any inner source address from this peer is accepted and
# any destination may be sent to it. With Table=off this installs no route,
# so what actually goes through the tunnel is decided solely by BIRD's routes.
AllowedIPs=0.0.0.0/0
My configuration for the BIRD peers:
==== local bird.conf ====
log stderr all;
router id 10.10.10.201;
# Interface scanner: picks up interface/address changes every 10 s.
protocol device {
scan time 10;
}
# Kernel sync: every route BIRD accepts (including routes learned from the BGP
# neighbour) is installed into the kernel table, and alien kernel routes are
# learned back. The "proto bird" entry in the ip route output above is
# presumably this export.
protocol kernel {
ipv4 {
import all;
export all;
};
learn;
}
# Locally originated prefixes, installed via the named interfaces.
protocol static {
ipv4;
route 10.201.0.0/16 via "wlp41s0"; # wifi device
route 10.10.10.0/24 via "201"; # wireguard device
}
# eBGP session to the remote router over the WireGuard transport net.
protocol bgp isp1 {
router id 10.10.10.201;
local 10.10.10.201 as 65201;
neighbor 10.10.10.200 as 65200;
source address 10.10.10.201;
# Neighbour is treated as not directly connected (tunnel address is a /32);
# it is reached through the static 10.10.10.0/24 route above.
multihop;
ipv4 {
# NOTE(review): 10.0.0.0/8 also covers the WireGuard transport net
# 10.10.10.0/24 and this router's own 10.201.0.0/16, so a more-specific
# prefix announced by the peer would take precedence over the static routes
# above. Narrowing this to the prefixes the peer is expected to announce
# would limit that.
import filter {
if net ~ 10.0.0.0/8 then accept;
else reject;
};
# Only the local wifi prefix is advertised to the peer.
export filter {
if net ~ 10.201.0.0/16 then accept;
else reject;
};
};
# Full per-route tracing (the source of the <TRACE> lines above); noisy, lab use only.
debug all;
}
==== /local bird.conf ====
==== remote bird.conf ====
log stderr all;
# NOTE(review): this file uses the channel-less layout, unlike the local
# config which declares explicit ipv4 channels — confirm both routers run the
# same BIRD version.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 20; # Scan kernel routing table every 20 seconds
import all; # Default is import all
export all; # Default is export none
# kernel table 5; # Kernel table to synchronize with (default: main)
}
# Interface scanner: picks up interface/address changes every 10 s.
protocol device {
scan time 10;
}
# Locally originated prefixes.
protocol static {
export all;
route 10.10.10.0/24 via "200"; # wireguard device
route 10.200.0.0/16 via 10.200.200.200; # virtual network
}
# Shared settings for the eight student sessions; each cprNNN instance below
# only adds its neighbour address and AS.
template bgp cpr_ne {
local as 65200;
router id 10.10.10.200;
# Neighbours are treated as not directly connected; reached via the
# 10.10.10.0/24 static route above.
multihop;
source address 10.10.10.200;
# One /16 per student is accepted; anything else from any peer is dropped.
# NOTE(review): the filter is shared by all sessions, so any peer may announce
# any of the eight prefixes, not only its own — a per-peer filter (e.g. in each
# cprNNN block) would stop one student's router from taking over another's range.
import filter {
if net ~ 10.201.0.0/16 then accept;
else if net ~ 10.202.0.0/16 then accept;
else if net ~ 10.203.0.0/16 then accept;
else if net ~ 10.204.0.0/16 then accept;
else if net ~ 10.205.0.0/16 then accept;
else if net ~ 10.206.0.0/16 then accept;
else if net ~ 10.207.0.0/16 then accept;
else if net ~ 10.208.0.0/16 then accept;
else reject;
};
# Only the virtual network prefix is advertised to the students.
export filter {
if net ~ 10.200.0.0/16 then accept;
else reject;
};
}
protocol bgp cpr201 from cpr_ne {
neighbor 10.10.10.201 as 65201;
}
protocol bgp cpr202 from cpr_ne {
neighbor 10.10.10.202 as 65202;
}
protocol bgp cpr203 from cpr_ne {
neighbor 10.10.10.203 as 65203;
}
protocol bgp cpr204 from cpr_ne {
neighbor 10.10.10.204 as 65204;
}
protocol bgp cpr205 from cpr_ne {
neighbor 10.10.10.205 as 65205;
}
protocol bgp cpr206 from cpr_ne {
neighbor 10.10.10.206 as 65206;
}
protocol bgp cpr207 from cpr_ne {
neighbor 10.10.10.207 as 65207;
}
protocol bgp cpr208 from cpr_ne {
neighbor 10.10.10.208 as 65208;
}
==== /remote bird.conf ====