> Hi Marc,
> I saw from previous email that Quagga was recommended as opposed to
> OpenBGP. Any further comments on that? Also, any comments on the
> choice of OpenBSD vs. Linux?
> I don't want to start a religious war :-) Just curious about what
> most folks are doing and what their experiences have been.
We have been running a similar setup for about a year. I also don't want
to start a "religious war" (being a happy user of both Linux and OpenBSD,
for different purposes), but in this scenario my decision was quick and
clear:
I went for OpenBSD with OpenBGPD, consistent with my experience
throughout the last few years, that for the basic, "hidden" (from end
user perspective) network services (routing, firewalling, DHCP, DNS…)
OpenBSD never let me down and saved me a _lot_ of time and hassle as
an admin (doing this stuff with Linux before). And admin time is often
more valuable than that of one or two CPU cycles… (and as long as I
get the throughput I demand plus a large enough margin I really don't
care about those).
My basic rule of thumb now is (and I'm just pragmatic, not religious):
If I can get away with the base installation of OpenBSD for a service,
I really give it the first try. So for OpenBGPD. It was also the
documentation, the clean design and the usability (okay, that's really
personal taste, but I really got to love the OpenBSD config file
style) that helped with that decision. And from my perspective, it
really was the right one: The setup just works, right from the
beginning. Flawless. With both Junipers and Ciscos as neighbors.
> We are planning to run two OpenBSD based firewalls (with CARP and
> pf) running OpenBGP in order to connect to the two ISPs.
Just one thing independent of the OpenBSD vs. Linux question:
Depending on the complexity of your setup, and maybe also for a cleaner
design and possibly additional layers of security, I'd recommend
thinking about separating the "pure" firewalls from the BGP stuff. I do
have three OpenBGPD boxes towards the Internet as our BGP peers plus
two redundant pairs of OpenBSD carp/pf boxes towards different
internal networks and DMZs. Between the OpenBGPD and the carp/pf boxes
is our "backbone".
I experimented with a setup as you describe it (many different BGP/
router/firewalling roles combined on one pair of OpenBSD boxes) first,
but soon realized that (while perfectly okay for a simple setup) as
soon as you get more and more specialized requirements, things tend to
get unnecessarily complicated and you're probably better off with
dedicated boxes (if not for performance reasons, then still for the
design).
Best regards,
Beat Vontobel
--
Beat Vontobel, CTO, MeteoNews AG
Siewerdtstr. 105, CH-8050 Zurich, Switzerland
E-Mail: b.vonto...@meteonews.ch
IT Department: +41 (0)43 288 40 54
Main phone: +41 (0)43 288 40 50
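The dedicated-OpenBGPD-edge design described in the reply above, as an added configuration example that is not part of the thread and not MeteoNews' own configuration: a minimal bgpd.conf for one edge box peering with two upstream ISPs, with the deny-by-default filter set that keeps the box from leaking one ISP's routes to the other or accepting a hijack of its own prefix. All ASNs, addresses, prefixes, and the MD5 password are constructed placeholders (RFC 5737 / private-ASN ranges); the firewalling itself is assumed to live on the separate carp/pf pair behind this box.

```conf
# /etc/bgpd.conf for a dedicated OpenBGPD edge router (constructed example)
# Assumed values: our AS 65001, router-id 192.0.2.1, announced aggregate
# 192.0.2.0/24, upstreams 203.0.113.1 (AS 65010) and 198.51.100.1 (AS 65020).
AS 65001
router-id 192.0.2.1
network 192.0.2.0/24

group "upstreams" {
	neighbor 203.0.113.1 {
		remote-as 65010
		descr "ISP-A"
		# cap the table a peer may push; tear down and retry after 15 min
		max-prefix 900000 restart 15
		# TCP MD5 session protection, secret agreed with the ISP (placeholder)
		tcp md5sig password "CHANGE-ME-ISP-A"
	}
	neighbor 198.51.100.1 {
		remote-as 65020
		descr "ISP-B"
		max-prefix 900000 restart 15
		tcp md5sig password "CHANGE-ME-ISP-B"
	}
}

# Default-deny in both directions; only the rules below open anything.
deny from any
deny to any

# Inbound: never accept our own prefix (or more specifics of it) from the
# outside, and drop private space, then take the rest of the upstream table.
deny quick from group "upstreams" prefix 192.0.2.0/24 prefixlen >= 24
deny quick from group "upstreams" prefix 10.0.0.0/8 prefixlen >= 8
deny quick from group "upstreams" prefix 172.16.0.0/12 prefixlen >= 12
deny quick from group "upstreams" prefix 192.168.0.0/16 prefixlen >= 16
allow from group "upstreams"

# Outbound: announce only our own aggregate, so routes learned from ISP-A
# can never be re-advertised to ISP-B (no accidental transit).
allow to group "upstreams" prefix 192.0.2.0/24
```

Before loading it, `bgpd -n -f /etc/bgpd.conf` parses the file without starting the daemon; filter keywords such as `quick` and the `prefixlen` operators have been stable for years, but the exact syntax accepted depends on the OpenBSD release, so check the matching bgpd.conf(5). With the BGP box reduced to this role, the pf ruleset and CARP failover stay on the inner firewall pair and do not have to change when peering details do.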