This was done on a virtual pfSense host, but I had to disable my pf filter since I had problems installing the IPv6 pf rules.
e.g. (disable pf):
pfctl -d
IMHO: The pf rule should have worked, but I believe pfSense 2.0.1 was removing or ignoring the rule.
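Rather than running the box with the filter disabled, the BGP session can be admitted with a narrow ruleset. The following is an added example, not from the original post or from pfSense/OpenBGPD; it assumes the WAN interface is named vtnet0 and reuses the redacted addresses from the post as placeholders that must be replaced with the real ones.

```pf
# Added example (not part of the original post): admit only the IPv6 BGP
# session instead of disabling pf with "pfctl -d".
# Assumptions: WAN interface is vtnet0; the two addresses are the redacted
# placeholders from the post (peer ::1, local ::2) and must be replaced.
wan       = "vtnet0"
bgp_peer  = "2607:f2f8:xxx::1"
bgp_local = "2607:f2f8:xxx::2"

# BGP runs over TCP/179. Either side may open the session (the post shows
# the peer connecting from an ephemeral port to our 179), so allow both
# directions, but only between the two configured endpoints.
pass in  quick on $wan inet6 proto tcp from $bgp_peer  to $bgp_local port 179 flags S/SA keep state
pass out quick on $wan inet6 proto tcp from $bgp_local to $bgp_peer  port 179 flags S/SA keep state

# Neighbor discovery must get through or the link-layer address of the peer
# is never resolved and the TCP session cannot be established at all.
pass quick on $wan inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
```

Parse-check the file with pfctl -nf before loading it. On pfSense the generated ruleset is rewritten by the GUI, so the equivalent rules belong under Firewall > Rules on the WAN interface rather than in a hand-edited pf.conf.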
Here's the BGP config under /usr/local/etc/ for pfSense 2.0.1 + OpenBGPD:
# Local AS number (redacted in the original post)
AS 5XXX
# Learned routes stay in the RIB and are not installed into the kernel
# routing table, so "bgpctl show fib" will not list any BGP routes
fib-update no
listen on 2607:f2f8:xxx::2

neighbor 2607:f2f8:xxx::1 {
	descr "IPV6"
	# Learn routes from the peer, but announce nothing to it
	announce none
	remote-as 25xxx
	local-address 2607:f2f8:xxx::2
	softreconfig in yes
}
And here are a few bgpctl show outputs:
[2.0.1-RELEASE][admin@ares]/tmp(140): bgpctl show ip bgp inet6 memory
RDE memory statistics
91867 IPv4 unicast network entries using 3.5M of memory
1 IPv6 unicast network entries using 56B of memory   <-- IPv6 single prefix learned, but still researching with my VPS hosting
183734 rib entries using 11.2M of memory
183735 prefix entries using 11.2M of memory
15401 BGP path attribute entries using 1.8M of memory
14065 BGP AS-PATH attribute entries using 755K of memory, and holding 15401 references
1509 BGP attributes entries using 58.9K of memory and holding 2763 references
1508 BGP attributes using 11.8K of memory
RIB using 28.5M of memory
And the neighborship:
bgpctl show neighbor IPV6
BGP neighbor is 2607:f2f8:xxx::1, remote AS 25xxx
 Description: IPV6
  BGP version 4, remote router-id 10.0.1.0
  BGP state = Established, up for 00:02:40
  Last read 00:00:11, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv6 unicast
    Route Refresh
  Message statistics:
                 Sent     Received
  Opens             1            1
  Notifications     0            0
  Updates           0            1
  Keepalives        6            6
  Route Refresh     0            0
  Total             7            8
  Update statistics:
                 Sent     Received
  Updates           0            1
  Withdraws         0            0
  Local host:  2607:f2f8:xx::2, Local port: 179
  Remote host: 2607:f2f8:xxx::1, Remote port: 39925
And more output:
bgpctl show fib inet6 bgp
flags: * = valid, B = BGP, C = Connected, S = Static
       N = BGP Nexthop reachable via this route
       r = reject route, b = blackhole route
flags prio destination          gateway
I believe my VPS provider hasn't finished his cfg, so my FIB does not show anything.
BTW: I'm not announcing anything to them at this time over this setup, nor do I have any IPv6 assignments to announce as of this time.
The next project will be to rebuild my pfSense box with 2.0.2, and to start using IPv6 out of my virtual hosted environment, possibly over an IPv6-over-IPv4 tunnel terminated on the firewall.
Ken Felix
Freelance Network/Security Engineer
kfelix ----at----- hyperfeed ---dot----com
^ ^
=( 0 @ )=
O
~
I'm assuming this is IPv4. For a small business network, you should determine what your end users' needs are. Some things to consider:
Do you need any advanced UTM security features
Do you need remote access, and if so, how many and what type of machines (OSX, Linux, Windows)
Do you have any specific security devices or methods to be deployed (content filter, caching, email inspection, etc.)
Do you interface with any remote branches or vendors
Do your business services reside 100% in the cloud or locally
Do you have a DR plan
And how about data storage and backups
Until you have answered all of the above, it is hard to build an architecture. Based on your site and business needs, you will have a host of items to consider in your planning. If you contact me via email, I can refer you to a business associate of mine who caters to the SMB/medium business segments and has a host of solutions: data warehousing, cloud computing or co-lo.