On Thu, Apr 02, 2020 at 11:34:21AM +0200, Luca Bodini wrote:
> Hi folks,
> 
> I’m just having a strange issue using OpenBSD 6.6 and BGP.
> I have two OpenBSD firewalls with a carp configuration, let’s suppose the 
> shared IP is 10.10.10.100, and I am able to announce 10.10.10.100/32 via BGP.
> Now, here is my /etc/bgpd.conf configuration:
> 
> # define our own ASN as a macro
> ASN="65000"
> rde med compare always
> 
> # global configuration
> AS $ASN
> router-id 172.10.10.3 
> 
> # list of networks that may be originated by our ASN
> prefix-set mynetworks {         \
>         10.10.10.100/32        \
> }
> 
> # Generate routes for the networks our ASN will originate.
> # The communities (read 'tags') are later used to match on what
> # is announced to EBGP neighbors
> network prefix-set mynetworks set { community $ASN:1 med 10 } 
> 
> # upstream providers
> group "upstreams" {
>         remote-as 20746
>         neighbor 172.10.10.1  {
>                 descr "provider router 01"
>         }
>         neighbor 172.10.10.2 {
>                 descr "provider router 02"
>         }
> }
> 
> ## rules section
> allow from group upstreams prefix 0.0.0.0/0
> 
> # IBGP: allow all updates to and from our IBGP neighbors
> allow from ibgp
> allow to ibgp
> allow to ebgp prefix-set mynetworks 
> 
> The problem I’m facing is due to (I guess) provider router misconfiguration;
> in fact, routers are forwarding traffic to the carp slave and unexpectedly
> everything is working fine: the firewall is accepting connections and forwarding
> traffic, for example if I try to SSH:
> ~# ssh -l root 10.10.10.100
> [root@fw-02 root]# ifconfig | grep vhid
>         carp: BACKUP carpdev vlan100 vhid 10 advbase 1 advskew 10 
> 
> I’ve asked the provider to change the BGP configuration and everything is now set
> up correctly. Now, the question is:
> Is the carp slave accepting and forwarding connections by design or is it an
> "unintended" feature?
> 

By default bgpd will just announce mynetworks without checking if
something is up or not.
You may have more luck with 'network inet connected' or even better use a
rtlabel. In that case bgpd should respect the status of the route.

I normally use carp on both sides and use 'network X/Y set nexthop $CARPIP',
where $CARPIP is the external carp IP shared between the two routers. In
this case both systems announce the same network with the same nexthop
(the carp IP) to the next routers and so no rerouting happens if the
master dies. This only works if the systems share a LAN segment for ebgp
sessions.

-- 
:wq Claudio

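Putting Claudio's suggestion into a bgpd.conf, as an added example rather than configuration from either poster: the ASN, the 10.10.10.100/32 prefix and the provider neighbors are taken from Luca's config, while the CARP address 172.10.10.10 on the eBGP segment and the route label name are assumptions.

```conf
# Added example, not the configuration of either poster. Both routers of the
# CARP pair carry the same file apart from router-id.
ASN="65000"
# Assumed: the external CARP address shared by both routers on the LAN
# segment where the eBGP sessions live (not an address from the thread).
CARPIP="172.10.10.10"

AS $ASN
router-id 172.10.10.3

prefix-set mynetworks {
        10.10.10.100/32
}

# Originate the service prefix with the shared CARP address as next hop.
# Both routers announce an identical route, so the provider routers keep
# forwarding to the CARP address and nothing is rerouted when the master dies.
network prefix-set mynetworks set { nexthop $CARPIP community $ASN:1 }

# Alternatives from the reply: originate only what the kernel routing table
# holds, so the announcement follows the route rather than the config file.
# "connected" tracks interface routes; "rtlabel" tracks routes tagged with
# route(8), e.g. route add -label announce 10.10.10.100/32 <gateway>
# (the label name "announce" is an assumption).
# network inet connected set { community $ASN:1 }
# network inet rtlabel "announce" set { community $ASN:1 }

group "upstreams" {
        remote-as 20746
        neighbor 172.10.10.1 {
                descr "provider router 01"
        }
        neighbor 172.10.10.2 {
                descr "provider router 02"
        }
}

allow from group upstreams prefix 0.0.0.0/0
allow from ibgp
allow to ibgp
allow to ebgp prefix-set mynetworks
```

After loading it, `bgpctl show rib` on each router should list 10.10.10.100/32 with the CARP address as next hop, which is the check that the provider side sees a single, stable next hop.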