Configuring BGP on pfSense with FRR

There is no place like local-router-id

Why?

I had been entertaining the idea of getting my own AS and subnets for a little while. BGP (especially public BGP) is essentially the foundation of the modern internet. I used to be pretty involved in the day-to-day of a telco and it’s still fun to dip your toes into that world!

Plus, I have a 2U server in colocation which makes the AS dream a possibility. Might as well give it a shot!

What do I actually need?

  • An ASN from your Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC or AFRINIC); ARIN in my case.
  • A public IP range. It can be on loan from a friend, bought on the market or assigned directly from ARIN.
  • Someone willing to peer BGP with you and act as your transit. It can be your colocation provider or a VPS provider from http://bgp.services/

How much did it cost?

Initial setup fees

  • ASN : 550$ USD
  • /24 : 250$ USD
  • Quebec Business Registration : 40$ CAN

Recurring fees

  • /24 : 250$ USD
  • Quebec Business Registration : 40$ CAN

How?

It’s not super complex, but it’s a mix of technical and simple administrative tasks.

1. Validate if your internet provider can do BGP peering/transit

In my case, my colocation provider also provides my internet. They are also able to peer BGP and act as my transit. This is specific to each provider.

Some VPS providers also allow you to do BGP. You can see the list at https://bgp.services

There might be a setup fee to get BGP up and running and/or a fee per month.

2. Registering your business (for fellow Canadians)

Because I am located in North America, my RIR (Regional Internet Registry) is ARIN. Compared to RIPE NCC (for Europe), ARIN is a bit more restrictive and will require a registered business number.

Being in Quebec, this means :

  1. Register your business on the Quebec official site
  2. Go through the process to become a sole proprietor.
  3. Pay the 50$ CAN fee.
  4. Wait a couple of weeks to get the papers back.
  5. Confirm your registration by looking on the official registry.
  6. Download your official registration confirmation. ARIN will ask for it.

Getting your own AS through ARIN

  1. Create your account on the official ARIN site
  2. Go through the request process for an AS

That part of the process took about 4 days and required minimal interaction with ARIN. It’s worth mentioning that there is no exhaustion of AS numbers (32-bit ASNs are plentiful) ;)

You do have to prove a unique routing need or that you will multihome (multiple transit providers).

Getting your own /24 through ARIN and the waiting list

With the current IPv4 exhaustion, the process can take a bit of time. You are either provided the IP range directly or placed on the waiting list. Periodically, ARIN releases ranges to waiting list members and you have the chance to get your range.

  1. Go through the request process for a /24
  2. You will either use the LIR/ISP or the End-User form. Select LIR/ISP if you intend to resell or provide internet to third parties. For example (like in my case), providing VPS services using the /24 means the LIR/ISP form. If the /24 is for your own office or datacenter, select End-User.
  3. With the requests, you will need to attach your projected /24 usage. A simple Excel file with the breakdown was enough in my case.

And now you wait to get assigned your /24.

3. Getting into BGP

We now have all our pre-setup pieces.

BGP - Border Gateway Protocol - is a routing protocol that is built to be “internet-scale”. There really isn’t a modern internet without it.

In this case, we need to establish BGP between our edge router and our internet/bgp provider.

bgp-map

Sending your own subnets

The simple idea is this :

  • I have my own BGP autonomous system number (ASN).
  • I have my own /24 public IP range.
  • I have an edge device capable of running a BGP routing instance.
  • I want to use my ASN to make it known on the internet that my /24 is reachable through my edge device.
  • I want to indicate to my internet/bgp provider that “ASNXXXXX” is advertising the X.X.X.X/24 subnet.

Learning other subnets from the internet

As your own device is also active on the internet, you can also request to receive internet routes:

  • You can ask for just a default route, 0.0.0.0/0, to be sent to your device.
  • You can ask for the entire internet routing table to be sent to your device. This can present some challenges, as your device will need to be able to hold the full table: as of June 2022, the full IPv4 table is about 923 233 routes. That said, if you just have 1 or 2 transit providers, full routes usually aren’t a requirement.

Creating your LOA

An LOA (letter of authorization) is a simple document where you indicate that you allow your provider to advertise your subnet.

Usually, this is really only required when you are not running BGP yourself and you want your provider to advertise your subnet from their ASN. But every provider is a bit different.

There is no standard format, but you should have:

  • Your full name
  • Full name of your company and its address
  • Your signature
  • Your provider’s AS
  • Your AS
  • Your subnet

The following template was good enough.

$FULL_NAME
$TITLE
$YOUR_COMPANY_NAME
$YOUR_COMPANY_ADDRESS
$YOUR_ASN
AUTHORIZATION LETTER
$CURRENT_DATE


To whom it may concern,

This letter serves as authorization for $BGP_PROVIDER_NAME ($BGP_PROVIDER_ASN)
to announce the following IP address blocks:
$SUBNET_RANGE

As a representative of the company $YOUR_COMPANY_NAME that is the owner
of the subnet and/or ASN, I hereby declare that I'm authorized to
represent and sign for this LOA.

Should you have questions about this request, email me at
$YOUR_EMAIL_ADDRESS

$YOUR_SIGNATURE

Creating your IRR Object Records

IRR records are a method of identifying which AS is allowed to originate a given subnet. Providers that build their BGP prefix filters from IRR data will reject an announcement of your subnet from any other origin, which catches both hijacks and configuration mistakes where a third party starts advertising your subnets. Note that this only protects you at providers that actually filter on IRR; an RPKI ROA for the same prefix/origin pair is the signed, cryptographically verifiable form of the same statement and is worth publishing alongside it.

ARIN offers 4 object types :

  • route
  • as-set
  • aut-num
  • route-set

IRR filtering depends on providers and in my case, the “route” object was enough to get started.

You can create and manage your objects through ARIN Online.
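A route object in RPSL form, as an added example that is not from the original post. It uses documentation values: 203.0.113.0/24 (RFC 5737) originated by AS64496 (RFC 5398), and MNT-EXAMPLE as a placeholder maintainer; substitute your own prefix, ASN and maintainer.

```text
route:      203.0.113.0/24
descr:      Example /24 announced from AS64496 (documentation values)
origin:     AS64496
mnt-by:     MNT-EXAMPLE
source:     ARIN
```

The `origin` here must be the same ASN you put in your router's BGP instance: a mismatch between the two is exactly the condition an IRR-based filter at your provider is built to reject.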

Connecting to your internet provider through BGP

There is where the magic happens!

This will really depend on the devices you use as the configuration syntax always varies (Cisco, Juniper, Arista etc.)

In my case, it will be pfSense.

Configuring BGP in pfSense

pfSense does not do BGP natively; it needs the FRR (FRRouting) package. Once installed, you are ready to configure BGP.

The basic process is this :

  • Configure the IP address on the interface facing your provider (your side of the peering link).
  • Activate the BGP routing daemon with your ASN.
  • Configure your internet provider as your BGP neighbor (their peering address and ASN).
  • Indicate to your BGP instance which subnet you want to advertise.
  • Configure a route-map to allow that subnet. By default, FRR applies no policy to an eBGP neighbor, and in that state it will neither advertise nor accept any routes on the session, so you need a route-map in each direction: one that permits your /24 outbound and one that permits what you expect to receive inbound.
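The same procedure in FRR’s own configuration syntax, as an added example rather than the screenshots from the original post; the pfSense FRR package generates an equivalent configuration from its GUI. All values are documentation values and assumptions, not the author’s: our ASN is 64496, the provider’s is 64511, the peering link is 192.0.2.1 (provider) and 192.0.2.2 (us), and our prefix is 203.0.113.0/24. The route-map and prefix-list names are arbitrary.

```text
! Added example, not the configuration from the original post.
! Documentation values only: our ASN 64496, provider ASN 64511,
! peering link 192.0.2.1 <-> 192.0.2.2, our prefix 203.0.113.0/24.
!
! The /24 must exist in the routing table for "network" to advertise it
! (recent FRR verifies this: "bgp network import-check"). If no interface
! carries the whole /24, anchor the aggregate with a blackhole route.
ip route 203.0.113.0/24 blackhole
!
! Exact-match prefix list: only our /24, nothing more or less specific,
! so a typo or a leaked internal route can never go out to the provider.
ip prefix-list OUR-PREFIXES seq 10 permit 203.0.113.0/24
! Inbound we only take a default route from the transit provider.
! If you take full routes instead, use a list that denies your own /24,
! RFC 1918 and other bogons, and raise maximum-prefix above the table size.
ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0
!
route-map TRANSIT-OUT permit 10
 match ip address prefix-list OUR-PREFIXES
route-map TRANSIT-OUT deny 20
!
route-map TRANSIT-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
route-map TRANSIT-IN deny 20
!
router bgp 64496
 bgp router-id 192.0.2.2
 ! On by default in recent FRR; stated explicitly so it cannot be forgotten.
 ! Without a policy in a direction, nothing is sent or accepted that way.
 bgp ebgp-requires-policy
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 description transit provider
 ! Optional session hardening, only if the provider configures the same:
 ! neighbor 192.0.2.1 password <shared-secret>   (TCP MD5)
 ! neighbor 192.0.2.1 ttl-security hops 1        (GTSM, RFC 5082)
 !
 address-family ipv4 unicast
  network 203.0.113.0/24
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map TRANSIT-IN in
  neighbor 192.0.2.1 route-map TRANSIT-OUT out
  ! Tear the session down if the provider ever sends more than expected.
  neighbor 192.0.2.1 maximum-prefix 10
 exit-address-family
```

To check the result, `vtysh -c 'show bgp summary'` should show the neighbor as Established with the expected number of prefixes received, `show ip bgp neighbors 192.0.2.1 advertised-routes` should list exactly 203.0.113.0/24 and nothing else, and `show ip bgp neighbors 192.0.2.1 routes` should show only the default route. The pfSense FRR package exposes the same show commands in its status pages.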

Here are a couple of screenshots to get started :

bgp-1

bgp-2

bgp-3

bgp-4

Confirm that BGP is up

bgp-5

Confirm that you are advertising your subnet

Confirm inside FRR

bgp-6

Confirm through a public Looking glass service. I enjoy the BGP topology map from NLNOG

https://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=www.nlnog.net

bgp-map

Laurent Dumont
I route packets and juggle bytes