Configuring BGP on pfSense with FRR
There is no place like local-router-id
I had been entertaining the idea of getting my own AS + subnets for a little while. BGP (especially public BGP) is essentially the foundation of the modern internet. I used to be pretty involved in the day to day of a telco and it’s still fun to dip your toes into that world!
Plus, I have a 2U server in colocation which makes the AS dream a possibility. Might as well give it a shot!
What do I actually need?
- An AS from your regional Internet registry (ARIN, RIPE and the others), ARIN in my case.
- A public IP range. It can be on loan from a friend, bought on the market or assigned directly from ARIN.
- Someone willing to peer BGP with you and allow you to use them as a transit. It can be your colocation provider or a VPS from http://bgp.services/
How much did it cost?
Initial setup fees
- ASN : 550$ USD
- /24 : 250$ USD
- Quebec Business Registration : 40$ CAN
It’s not super complex, but it’s a mix of technical and simple administrative tasks.
1. Validate if your internet provider can do BGP peering/transit
In my case, my colocation provider also provides my internet. They are also able to peer BGP and act as my transit. This is specific to each provider.
Some VPS providers also allow you to do BGP. You can see the list at https://bgp.services
There might be a setup fee to get BGP up and running and/or a fee per month.
2. Registering your business (for fellow Canadians)
Because I am located in North America, my RIR (Regional Internet Registry) is ARIN. Compared to RIPE (for Europeans), ARIN is a bit more restrictive and will require a registered business number.
Being in Quebec, this means :
- Register your business on the Quebec official site
- Go through the process to become a sole proprietor.
- Pay the 50$ CAN fee.
- Wait a couple of weeks to get the papers back.
- Confirm your registration by looking on the official registry.
- Download your official registration confirmation. ARIN will ask for it.
Getting your own AS through ARIN
That part of the process took about 4 days and required minimal interaction with ARIN. It’s worth mentioning that there is no exhaustion of ASN numbers ;)
You do have to prove a unique routing need or the fact that you would multihome (multiple transits).
Getting your own /24 through ARIN and the waiting list
With the current IPv4 exhaustion, the process can take a bit of time. You are either provided the IP range directly or placed on the waiting list. Periodically, ARIN will release ranges for waiting list members and you have the chance to get your range.
- Go through the request process for a /24
- You will either use the LIR/ISP or End-User form. Select LIR/ISP if you intend to resell/provide internet to third parties. For example (like in my case), providing VPS services using the /24 means the LIR/ISP form. If you are buying the ASN for your main office datacenter, select End-User.
- With the requests, you will need to attach your projected /24 usage. A simple Excel file with the breakdown was enough in my case.
And now you wait to get assigned your /24.
3. Getting into BGP
We now have all our pre-setup pieces.
BGP - Border Gateway Protocol - is a routing protocol that is built to be “internet-scale”. There really isn’t a modern internet without it.
In this case, we need to establish BGP between our edge router and our internet/BGP provider.
Sending your own subnets
The simple idea is this :
- I have my own BGP autonomous system number (ASN).
- I have my own /24 public IP range.
- I have an edge device capable of running a BGP routing instance.
- I want to use my ASN to make it known on the internet that my /24 is reachable through my edge device.
- I want to indicate to my internet/BGP provider that “ASNXXXXX” is advertising the X.X.X.X/24 subnet.
Learning other subnets from the internet
As your own device is also active on the internet, you can also request to receive internet routes.
- You can ask for just a default route to be forwarded to your device (0.0.0.0/0).
- You can ask for the entire internet routing table to be forwarded to your device. This can present some challenges as your device will need to be able to handle the full internet routing table. As of June 2022, the full table is about 923 233 routes.
That said, if you just have 1 or 2 transit providers, full routes usually aren’t a requirement.
Creating your LOA
An LOA (letter of authorization) is a simple document where you indicate that you allow your provider to advertise your subnet.
Usually, this is really only required when you are not running BGP and you want your provider to advertise your subnet from their ASN. But every provider is a bit different.
There is no standard format but you should have :
- Your full name
- Full name of your company and the address
- Your signature
- Your provider AS
- Your AS
- Your subnet
The following template was good enough.
$FULL_NAME
$TITLE
$YOUR_COMPANY_NAME
$YOUR_COMPANY_ADDRESS
$YOUR_ASN

AUTHORIZATION LETTER

$CURRENT_DATE

To whom it may concern,

This letter serves as authorization for HIVE DATACENTER with $BGP_PROVIDER_ASN to announce the following IP address blocks:

$SUBNET_RANGE

As a representative of the company $COMPANY_NAME that is the owner of the subnet and/or ASN, I hereby declare that I'm authorized to represent and sign for this LOA.

Should you have questions about this request, email me at $YOUR_EMAIL_ADDRESS

$YOUR_SIGNATURE
Creating your IRR Object Records
IRR records are a method of identifying the routes/AS that are allowed to originate certain subnets. Providers build their inbound prefix filters from them, which helps to prevent hijacking and configuration mistakes where a third party starts advertising your subnets.
ARIN offers 4 object types :
IRR filtering depends on providers and in my case, the “route” object was enough to get started.
You can configure your objects here
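What a minimal “route” object looks like, as an added example that is not part of the original post. The prefix, ASN and maintainer are constructed documentation placeholders (RFC 5737 / RFC 5398 values and a made-up maintainer name); ARIN Online fills in the maintainer and source for you when you create the object through its interface.

```text
route:   203.0.113.0/24
descr:   Placeholder /24 announced from my edge router (constructed example)
origin:  AS64496
mnt-by:  MNT-PLACEHOLDER
source:  ARIN
```

The provider’s filter generator turns every route object whose origin is your AS into a “permit” for that prefix. The origin field must therefore be the ASN that actually appears as the originating AS in your announcement; a route object registered under the wrong ASN is as good as no object at all, and the announcement will be silently dropped by any provider that filters on IRR.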
Connecting to your internet provider through BGP
This is where the magic happens!
This will really depend on the devices you use as the configuration syntax always varies (Cisco, Juniper, Arista etc.)
In my case, it will be pfSense.
Configuring BGP in pfsense
pfSense does not do BGP natively; it needs a package called FRR (FRRouting). Once installed, you are ready to configure BGP.
The basic process is this :
- Configure your IP address.
- Activate the BGP routing daemon.
- Configure your internet provider as your BGP neighbor.
- Indicate to your BGP instance which subnet you want to advertise.
- Configure a route-map to allow that subnet. By default, FRR will not advertise anything to an eBGP neighbor unless there is a route-map (or other policy) in place.
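The FRR configuration that the five steps above (and the “default route only” option from the routing section) produce, as an added example that is not from the original post or the pfSense FRR package itself. It is written the way “show running-config” prints it in vtysh; the pfSense GUI fields map onto these lines. Every ASN and address is a constructed documentation placeholder (RFC 5737 / RFC 5398): your ASN is 64496, your block is 203.0.113.0/24, the provider is AS64500 at 198.51.100.1 and your side of the link is 198.51.100.2.

```text
! Only your own /24 may leave the router; everything not listed is implicitly denied.
ip prefix-list MY-PREFIXES seq 10 permit 203.0.113.0/24
!
! Only a default route is accepted from the provider (the 0.0.0.0/0 option).
! For full routes you would permit 0.0.0.0/0 le 24 here and raise maximum-prefix below.
ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0
!
route-map EXPORT-TO-PROVIDER permit 10
 match ip address prefix-list MY-PREFIXES
!
route-map IMPORT-FROM-PROVIDER permit 10
 match ip address prefix-list DEFAULT-ONLY
!
router bgp 64496
 bgp router-id 198.51.100.2
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description TRANSIT-PROVIDER
 !
 address-family ipv4 unicast
  ! Originate the /24. FRR only announces it if the prefix is present in the routing table.
  network 203.0.113.0/24
  neighbor 198.51.100.1 route-map IMPORT-FROM-PROVIDER in
  neighbor 198.51.100.1 route-map EXPORT-TO-PROVIDER out
  ! Drop the session if the provider ever leaks more than a handful of prefixes at us.
  neighbor 198.51.100.1 maximum-prefix 10
  ! Keep a copy of what was received so the received-routes view works for troubleshooting.
  neighbor 198.51.100.1 soft-reconfiguration inbound
 exit-address-family
```

Two things catch people the first time. FRR follows RFC 8212 by default (the “ebgp-requires-policy” behaviour): an eBGP neighbor with no inbound or outbound policy exchanges nothing, which is why the route-maps are not optional. And the “network” statement does not create a route; the /24 has to exist in the pfSense routing table (either configured on an interface or as a static route for the block) before FRR will originate it. Once the session is up, “show bgp summary” in vtysh should list the neighbor with a prefix count instead of a state name, “show bgp ipv4 unicast neighbors 198.51.100.1 advertised-routes” should show only the /24, and “show bgp ipv4 unicast” should show the single default route learned from the provider.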
Here are a couple of screenshots to get started :
Confirm that BGP is up
Confirm that you are advertising your subnet
Confirm inside FRR
Confirm through a public looking glass service. I enjoy the BGP topology map from NLNOG.