

---
layout: page
title: Beginner Tips
permalink: /blog/dn42-beginner-tips/
keywords: bird,networking,sysctl,network,dn42,best practices,tips,hints,notes,bird filter,bird2 filter,bird2,bgp configuration,roa,free vm,monitoring,bgp communities,help with dn42
description: I was asked some time ago for tips for the dn42. Here they are. Furthermore I present my BGP peer configuration in bird.
lang: en
date: 2023-01-31 12:00:00 +0100
feed: true
---

I was asked for tips in an email. Well, why not share them now? These tips are for "newbies" in dn42. I am happy to receive suggestions and ideas for improvement: {{ site.contact.marek }}

(The order is based on what came to my mind first.)

## Tips

- Make a backup of everything. BorgBase offers 10 GB of encrypted backup for free, and it is pretty easy to set up.
- Try to do ROA filtering. I use https://gitlab.com/bauen1/dn42-roagen for this, so I don't have to depend on burble's centrally provided service.
- It doesn't matter if you make mistakes. dn42 is for learning, not for getting everything perfect.
- If you are looking for peers, have a look at https://dn42.us/peers/.
- If you use bird, you can easily enable extended next hop and extended messages. You can turn them on by default: both are negotiated capabilities, so if your peer does not support one, it simply is not used.
- If you use bird, have a look at https://github.com/jlu5/ansible-dn42/blob/main/roles/config-bird2/config/community_filters.conf.
- If you enjoy dn42 and are up for an adventure: IXP frnte
- If you need filter examples: BGP Filter Guide - Guidance on BGP Filtering (attention: these have to be adapted for dn42). BGP Graceful Shutdown can be used without any changes.
- If you have little patience, don't use IPv4.
- If something does not work, see Universal Network Requirements and check the firewall. I once spent several hours on a problem and in the end it was the firewall.
- If you are looking for hosting recommendations: IONOS VPS S is a very cheap small server (all their other offers are overpriced). netcup.de offers cheap servers, but requires ID card verification.
- Use an uptime monitor for your network. UptimeRobot and HetrixTools offer free plans. I use Uptime Kuma (in addition to UptimeRobot and HetrixTools), but it is self-hosted.
- bird supports the well-known communities 65535:65281 (no-export), 65535:65282 (no-advertise) and 65535:65283 (no-export-subconfed) by default (see User's Guide 2.0 / 6. Protocols / BGP / the `interpret communities` switch).
- Both I (dn42-pingable.byeob.de) and Burble (pingable.burble.dn42, 172.20.129.5, fd42:4242:2601:ac05::1) provide pingable addresses that you can use to test your connectivity.
- If you want to peer with someone right at the beginning: Automatic Peering
- EUserv offers a free (one-time payment) LXE container at EUserv / VPS / VS2-free. I would recommend it only for "playing around" (I got mine at the time without the one-time payment). Otherwise, it's junk.
- If you get the message "Kernel dropped some netlink messages" from bird, you can increase net.core.rmem_default (if you use Debian). I have it set to 4194304, for example.
- If you want to check something on your network, there are several services: Diagnose your DN42 router setup (unfortunately IPv4 only at the moment), burble.dn42 / Shell Accounts (Burble provides a shell for each maintainer), or one of the many Looking Glasses (I don't run one).
- If you use bird and have a lot of time, I recommend reading the documentation: BIRD 2.0 User's Guide. The same goes for VyOS. I don't know the documentation of the other daemons.
- If you need help, ask on IRC. If no one answers there, ask on the mailing list. It is best to describe the whole context of your question. If you ask on IRC and want to share a log or something similar, use a pastebin service (e.g. https://paste.dn42.us/ui/, https://paste.debian.net/); otherwise it gets very messy in IRC.
- Subscribe to the mailing list. It is only moderately active, but questions practically always get an answer within a few days. (https://dn42.dev/contact#contact_mailing-list)
- Use WireGuard tunnels to get started. Almost everyone uses them, so you can peer with practically everyone. They are simple and they are secure. Do not use OpenVPN: it is slower and only partially secure. IPsec is an adventure in itself (I haven't tried it yet). Avoid GRE, as this type of tunnel is not encrypted.
- If you are running Debian with IPv4 and an anycast IPv4 address, it can happen that someone sends an anycast request to server 1 and the response leaves through server 2. If anycast is also configured on server 2, it will discard the packet because it has that IP address itself. To disable this behavior, accept_local must be set to 0 on each dn42 interface: `sysctl net.ipv4.conf.all.accept_local=1 net.ipv4.conf.eth0.accept_local=0`

## bird2 configuration

```
# OWNAS is your own AS number; some_stuff() stands for the (omitted) filter functions.
template bgp dnpeers {
    local as OWNAS;

    enable extended messages on;
    graceful restart on;
    long lived graceful restart on;
    interpret communities on;
    prefer older on;

    ipv4 {
        extended next hop on;

        import where some_stuff();
        export where some_stuff();

        import limit 1000 action block;
        import table on;
    };

    ipv6 {
        import where some_stuff();
        export where some_stuff();

        import limit 1000 action block;
        import table on;
    };
}
```

This is a somewhat improved version of my peer template for bird2. I have omitted the import/export filters.

```
enable extended messages on;
```

Enables the extended messages extension: a BGP message may then be up to 65535 bytes long instead of 4096 bytes. This is handy when many routes are exchanged.

```
graceful restart on;
long lived graceful restart on;
```

I can only explain this roughly. It causes routes not to be deleted immediately when a BGP session goes down, so a "peaceful" transition is possible: existing connections can still be handled via this peering before the route is finally deleted. If the administrator of the peer restarts the BGP daemon, this ensures that there is no interruption in the forwarding table. I also recommend implementing BGP Filter Guide / BGP Graceful Shutdown. This ensures that if a graceful shutdown is signalled by the peer, the router tries to install another route in the forwarding table, which also gives a "peaceful" transition.

```
interpret communities on;
```

This option is on by default, but I like to write it down explicitly to be sure. It makes bird automatically honour 65535:65281 (no-export), 65535:65282 (no-advertise) and 65535:65283 (no-export-subconfed) without having to implement them manually.
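What "honouring" these three well-known communities (RFC 1997) means in practice is easiest to see in code. The following Python is an added example, not part of the original post and not bird's internals: the peer kinds, peer names and encoding of communities as `(high, low)` tuples are my own constructed illustration.

```python
"""Constructed example: how the three well-known communities constrain export.
Community values are modelled as (high, low) tuples; peer kinds and peer names
are made up for the demonstration."""

NO_EXPORT = (65535, 65281)            # do not announce to eBGP peers outside our AS/confederation
NO_ADVERTISE = (65535, 65282)         # do not announce to any peer at all
NO_EXPORT_SUBCONFED = (65535, 65283)  # do not announce to any eBGP peer, confederation members included


def may_export(communities, peer_kind):
    """Return True if a route carrying `communities` may be announced to a peer.

    peer_kind is one of:
      'ibgp'   - a router in our own AS
      'confed' - eBGP to another member AS of our confederation
      'ebgp'   - eBGP to a foreign AS (the normal dn42 peering case)
    """
    if peer_kind not in ("ibgp", "confed", "ebgp"):
        raise ValueError(f"unknown peer kind {peer_kind!r}")
    comms = set(communities)
    if NO_ADVERTISE in comms:
        return False
    if NO_EXPORT_SUBCONFED in comms and peer_kind != "ibgp":
        return False
    if NO_EXPORT in comms and peer_kind == "ebgp":
        return False
    return True


def export_targets(communities, peers):
    """peers: dict mapping peer name -> peer kind. Return the sorted names
    of the peers that would receive the route."""
    return sorted(name for name, kind in peers.items() if may_export(communities, kind))


# Constructed peer set used by the usage below.
EXAMPLE_PEERS = {
    "dn42-peer": "ebgp",          # a normal external dn42 peering
    "my-second-router": "ibgp",   # another router of our own AS
    "confed-member": "confed",    # a member AS of our confederation
}

if __name__ == "__main__":
    for label, comms in [("no-export", [NO_EXPORT]),
                         ("no-advertise", [NO_ADVERTISE]),
                         ("no-export-subconfed", [NO_EXPORT_SUBCONFED]),
                         ("ordinary community only", [(64511, 1)])]:
        print(f"{label:24s} -> {export_targets(comms, EXAMPLE_PEERS)}")
```

With `interpret communities on`, bird applies exactly these restrictions on export, so an operator does not have to write the corresponding `if (65535,65281) ~ bgp_community then reject;` clauses into every export filter.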

```
prefer older on;
```

If two routes are equally good, the router ID is used in the decision process: the route from the router with the lowest ID is preferred. Personally, I find this decision criterion objectionable. With this option, the oldest route is used instead of the one with the lowest router ID. Note that bird does not skip the other criteria (bgp_local_pref, bgp_med, AS path length, ...) just because this option is on.
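To make the last sentence concrete, here is an added Python simulation of the tie-breaking (not bird's code, and not part of the original post). It models only a subset of the real BGP decision process: local preference, AS path length and MED, followed by either route age or router ID. The peer names, AS numbers and router IDs are constructed.

```python
"""Constructed simulation of BGP best-path selection with and without
'prefer older'. Only local_pref, AS path length, MED and the final tie-breaker
are modelled; origin, IGP metric etc. are left out for clarity."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    peer: str          # constructed peer name
    local_pref: int    # bgp_local_pref: higher wins
    as_path: tuple     # AS numbers: shorter path wins
    med: int           # bgp_med: lower wins
    router_id: str     # peer's BGP router ID (dotted quad): lower wins by default
    received_at: int   # arrival counter: lower = older route


def router_id_key(rid):
    """Compare router IDs numerically octet by octet, not as strings
    ('172.20.0.10' must sort after '172.20.0.9')."""
    return tuple(int(octet) for octet in rid.split("."))


def best_route(candidates, prefer_older=False):
    """Pick the best route with a lexicographic key: every earlier criterion
    dominates the later ones, so the tie-breaker (age or router ID) only ever
    decides between routes that are tied on everything before it."""
    def key(c):
        tie_breaker = c.received_at if prefer_older else router_id_key(c.router_id)
        return (-c.local_pref, len(c.as_path), c.med, tie_breaker)
    return min(candidates, key=key)


def demo():
    """Three constructed candidates for the same prefix.
    Returns (winner with default tie-break, winner with prefer_older)."""
    a = Candidate("peer-a", 100, (64511,), 0, "172.20.0.1", received_at=2)
    b = Candidate("peer-b", 100, (64512,), 0, "172.20.0.2", received_at=1)
    # peer-c is the oldest route, but its AS path is longer, so it never wins:
    # 'prefer older' does not override the earlier criteria.
    c = Candidate("peer-c", 100, (64513, 64514), 0, "172.20.0.3", received_at=0)
    default_winner = best_route([a, b, c]).peer            # lowest router ID -> peer-a
    older_winner = best_route([a, b, c], prefer_older=True).peer  # oldest of the tied two -> peer-b
    return default_winner, older_winner


if __name__ == "__main__":
    print(demo())
```

The practical effect of `prefer older on` is stability: a route that is already installed is not replaced merely because a peer with a lower router ID later announces an otherwise equal one, which reduces churn in the forwarding table.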

```
extended next hop on;
```

This is an extension that allows an IPv6 address to be used as the next hop for an IPv4 route. If this option is active, no IPv4 addresses need to be configured in the tunnel (e.g. WireGuard), which "saves" IPv4 addresses in the tunnel.

```
import limit 1000 action block;
```

This ensures that at most 1000 prefixes may be imported; everything beyond that is rejected. In dn42 there are about 500-700 prefixes, so 1000 is more than enough. I recommend enabling this option: if the peer has misconfigured something, it protects you. It does not protect against route flapping, because route updates are not affected by the limit.

```
import table on;
```

This also stores rejected routes (without importing them). If the filter is updated, the routes can be reloaded without the peer having to resend them. For example, if you do ROA filtering and the peer exports a new route that is not yet covered by your ROA filter, the route remains "stored". If you then update your ROA filter, bird can import the new route without the peer needing to resend it.
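The following Python is an added example (not part of the original post, and not bird's own code) that ties together the ROA filtering tip from the list above and the reload behaviour just described. `roa_check` mirrors the three-way valid/invalid/unknown result of bird's `roa_check()` function; the import-table model, the peer routes, the ROA entries and the AS numbers are all constructed for the demonstration.

```python
"""Constructed model of ROA validation and of re-filtering stored routes after
the ROA table changes. Prefixes, AS numbers and ROA entries are made up."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str    # authorised prefix, e.g. "172.20.16.0/22"
    max_len: int   # longest prefix length allowed under this ROA
    asn: int       # origin AS authorised to announce it


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_asn: int


def roa_check(roa_table, route):
    """Return 'unknown' if no ROA covers the prefix, 'valid' if some covering
    ROA matches the origin AS and the max length, otherwise 'invalid'."""
    net = ipaddress.ip_network(route.prefix, strict=False)
    covering = []
    for roa in roa_table:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.asn == route.origin_asn and net.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"


def import_filter(roa_table, route):
    """Typical dn42 policy: reject ROA-invalid routes, accept valid and unknown."""
    return roa_check(roa_table, route) != "invalid"


class PeerImportTable:
    """Keeps every route the peer sent, together with the filter verdict, so the
    filter can be re-run locally when the ROA table changes (the behaviour
    'import table on' provides)."""

    def __init__(self, roa_table):
        self.roa_table = list(roa_table)
        self.received = {}     # prefix -> Route, everything the peer announced
        self.accepted = set()  # prefixes that currently pass the import filter

    def receive(self, route):
        self.received[route.prefix] = route
        self._apply(route)

    def _apply(self, route):
        if import_filter(self.roa_table, route):
            self.accepted.add(route.prefix)
        else:
            self.accepted.discard(route.prefix)

    def update_roas(self, new_roa_table):
        """Install a new ROA table and re-filter the stored routes; nothing has
        to be resent by the peer. Returns the sorted set of accepted prefixes."""
        self.roa_table = list(new_roa_table)
        for route in self.received.values():
            self._apply(route)
        return sorted(self.accepted)


def demo():
    """Constructed scenario: the peer announces a /25 that the current ROA
    (max length 24) does not yet allow; after the ROA is updated the stored
    route becomes valid and is accepted without being re-announced."""
    table = PeerImportTable([Roa("172.20.16.0/22", 24, 64511)])
    table.receive(Route("172.20.16.0/24", 64511))       # valid
    table.receive(Route("172.20.16.0/25", 64511))       # invalid: longer than max_len
    table.receive(Route("172.20.17.0/24", 64512))       # invalid: wrong origin AS
    table.receive(Route("172.20.32.0/24", 64513))       # unknown: no covering ROA
    table.receive(Route("fd42:4242:2601::/48", 64511))  # unknown: no IPv6 ROA at all
    before = sorted(table.accepted)
    after = table.update_roas([Roa("172.20.16.0/22", 25, 64511)])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("accepted before ROA update:", before)
    print("accepted after ROA update: ", after)
```

Without the stored copy of the rejected routes, the `/25` in the scenario would only show up after the peer re-announced it (or after a session reset), which is exactly the resend the author wants to avoid.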