From 7c523633f4253ffd9046db4508943580026c8167 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Fri, 18 Nov 2022 11:54:04 +0000
Subject: [PATCH] nixos/estuary: Update networking config for iFog and new IXPs
---
 nixos/boxes/colony/vms/estuary/bgp.nix | 60 ++++++++++++++-
 nixos/boxes/colony/vms/estuary/default.nix | 86 ++++++++++++++--------
 2 files changed, 113 insertions(+), 33 deletions(-)
diff --git a/nixos/boxes/colony/vms/estuary/bgp.nix b/nixos/boxes/colony/vms/estuary/bgp.nix
index 0d8a5d0..06102d5 100644
--- a/nixos/boxes/colony/vms/estuary/bgp.nix
+++ b/nixos/boxes/colony/vms/estuary/bgp.nix
@@ -44,7 +44,7 @@ in
 protocol device {}
 protocol direct {
- interface "wan", "frys-ix";
+ interface "wan", "frys-ix", "nl-ix", "fogixp", "ifog-transit";
 ipv4;
 ipv6;
 }
@@ -64,7 +64,7 @@ in
 import none;
 export filter {
 if net ~ OWNNETSET4 then reject;
- krt_prefsrc = OWNIP4;
+ #krt_prefsrc = OWNIP4;
 accept;
 };
 };
@@ -75,7 +75,7 @@ in
 export filter {
 if net = HOMENET6 then accept;
 if net ~ OWNNETSET6 then reject;
- krt_prefsrc = OWNIP6;
+ #krt_prefsrc = OWNIP6;
 accept;
 };
 };
@@ -176,6 +176,11 @@ in
 neighbor 2a02:898:0:20::e1 as 8283;
 }
+ protocol bgp upstream6_ifog from upstream_bgp6 {
+ description "iFog transit (IPv6)";
+ neighbor 2a0c:9a40:100f:370::1 as 34927;
+ }
+
 protocol bgp upstream6_frysix_he from upstream_bgp6 {
 description "Hurricane Electric (on Frys-IX, IPv6)";
 neighbor 2001:7f8:10f::1b1b:154 as 6939;
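Review bot: `krt_prefsrc = OWNIP4;` and `krt_prefsrc = OWNIP6;` are commented out in the two kernel export filters (hunks at -64 and -75) with no explanation, so a later reader cannot tell whether this is a temporary workaround or the intended end state; presumably the kernel now picks the source address for locally originated traffic from the outgoing interface, which on the new IXP and transit VLANs is the peering address rather than OWNIP4/OWNIP6, and that consequence deserves to be written down. Either delete the lines or replace `#krt_prefsrc = OWNIP4;` with a reason, e.g. `# krt_prefsrc intentionally unset: <reason> (commit 7c52363)`, and likewise for the IPv6 filter. The interface list in `protocol direct` (hunk at -44) now mirrors the `ixps` set that this same commit defines in default.nix; a cross-reference such as `# keep in sync with the ixps set in default.nix` on one of them would help them stay in step. Both kernel protocol blocks and the direct protocol start before their hunks.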
@@ -225,6 +230,55 @@ in
 description "Hurricane Electric (on Frys-IX, IPv4)";
 neighbor 185.1.203.154 as 6939;
 }
+
+ protocol bgp ixp4_nlix_rs1 from ixp_bgp4 {
+ description "NL-ix route server 1 (IPv4)";
+ neighbor 193.239.116.255 as 34307;
+ }
+ protocol bgp ixp6_nlix_rs1 from ixp_bgp6 {
+ description "NL-ix route server 1 (IPv6)";
+ neighbor 2001:7f8:13::a503:4307:1 as 34307;
+ }
+
+ protocol bgp ixp4_nlix_rs2 from ixp_bgp4 {
+ description "NL-ix route server 2 (IPv4)";
+ neighbor 193.239.117.0 as 34307;
+ }
+ protocol bgp ixp6_nlix_rs2 from ixp_bgp6 {
+ description "NL-ix route server 2 (IPv6)";
+ neighbor 2001:7f8:13::a503:4307:2 as 34307;
+ }
+
+ protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
+ description "Cloudflare NL-ix 1 (IPv6)";
+ neighbor 2001:7f8:13::a501:3335:1 as 13335;
+ }
+ protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
+ description "Cloudflare NL-ix 2 (IPv6)";
+ neighbor 2001:7f8:13::a501:3335:2 as 13335;
+ }
+ protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
+ description "Cloudflare NL-ix 3 (IPv6)";
+ neighbor 2001:7f8:13::a501:3335:3 as 13335;
+ }
+
+ protocol bgp ixp4_fogixp_rs1 from ixp_bgp4 {
+ description "FogIXP route server 1 (IPv4)";
+ neighbor 185.1.147.111 as 47498;
+ }
+ protocol bgp ixp6_fogixp_rs1 from ixp_bgp6 {
+ description "FogIXP route server 1 (IPv6)";
+ neighbor 2001:7f8:ca:1::111 as 47498;
+ }
+
+ protocol bgp ixp4_fogixp_rs2 from ixp_bgp4 {
+ description "FogIXP route server 2 (IPv4)";
+ neighbor 185.1.147.222 as 47498;
+ }
+ protocol bgp ixp6_fogixp_rs2 from ixp_bgp6 {
+ description "FogIXP route server 2 (IPv6)";
+ neighbor 2001:7f8:ca:1::222 as 47498;
+ }
 '';
 };
 };
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index d957b74..9d96711 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
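Review bot: The new route-server sessions (`ixp4_nlix_rs*`, `ixp6_nlix_rs*`, `ixp4_fogixp_rs*`, `ixp6_fogixp_rs*`) and the three Cloudflare peers take their import policy entirely from the `ixp_bgp4`/`ixp_bgp6`/`peer_bgp6` templates, which are defined before this hunk, so nothing in the hunk shows that routes learned from the route servers are filtered; since a route server redistributes what every other member announces, confirm the templates reject own prefixes and bogons and set a prefix limit before these sessions go live. Cloudflare is added as IPv6-only (`peer6_nlix_cloudflare1..3`) whereas both route servers get an IPv4 and an IPv6 session; if that asymmetry is intended, a one-line comment such as `# Cloudflare on NL-ix: IPv6 only — <reason>` above the first Cloudflare block would save the next reader a lookup. The BIRD config string these blocks live in is opened before the hunk.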
@@ -148,22 +148,26 @@ in
 };
 };
- netdevs = {
- "25-frys-ix-base" = {
- netdevConfig = {
- Name = "frys-ix-base";
- Kind = "vlan";
+ netdevs =
+ let
+ mkVLAN = name: vid: {
+ "25-${name}" = {
+ netdevConfig = {
+ Name = name;
+ Kind = "vlan";
+ };
+ vlanConfig.Id = vid;
 };
- vlanConfig.Id = 409;
 };
- "25-frys-ix" = {
- netdevConfig = {
- Name = "frys-ix";
- Kind = "vlan";
- };
- vlanConfig.Id = 2604;
- };
- };
+ in
+ mkMerge [
+ (mkVLAN "ifog" 409)
+
+ (mkVLAN "frys-ix" 701)
+ (mkVLAN "nl-ix" 1845)
+ (mkVLAN "fogixp" 1147)
+ (mkVLAN "ifog-transit" 702)
+ ];
 links = {
 "10-wan" = {
@@ -192,10 +196,31 @@ in
 };
 };
- networks = {
+ networks =
+ let
+ mkIXPConfig = name: ipv4: ipv6: {
+ "85-${name}" = {
+ matchConfig.Name = name;
+ address = [ ipv4 ipv6 ];
+ linkConfig.MTUBytes = "1500";
+ networkConfig = {
+ DHCP = "no";
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ };
+ };
+ };
+ in
+ mkMerge
+ [
+ (mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
+ (mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
+ (mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
+ {
 "80-wan" = {
 matchConfig.Name = "wan";
- vlan = [ "frys-ix-base" ];
+ vlan = [ "ifog" ];
 DHCP = "no";
 address = with assignments.internal; [
 (with ipv4; "${address}/${toString mask}")
@@ -212,12 +237,12 @@ in
 IPv6AcceptRA = false;
 };
 };
- "85-frys-ix-base" = {
+ "85-ifog" = {
 matchConfig = {
- Name = "frys-ix-base";
+ Name = "ifog";
 Kind = "vlan";
 };
- vlan = [ "frys-ix" ];
+ vlan = [ "frys-ix" "nl-ix" "fogixp" "ifog-transit" ];
 networkConfig = {
 LinkLocalAddressing = "no";
 DHCP = "no";
@@ -226,12 +251,10 @@ in
 IPv6AcceptRA = false;
 };
 };
- "85-frys-ix" = {
- matchConfig.Name = "frys-ix";
- address = [
- "185.1.203.196/24"
- "2001:7f8:10f::3:3850:196/64"
- ];
+ "85-ifog-transit" = {
+ matchConfig.Name = "ifog-transit";
+ address = [ "2a0c:9a40:100f:370::2/64" ];
+ linkConfig.MTUBytes = "1500";
 networkConfig = {
 DHCP = "no";
 LLDP = false;
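Review bot: In the netdevs hunk (-148) the Frys-IX VLAN id changes from 2604 to 701 as part of the `mkVLAN` refactor, but neither the commit message (which only mentions iFog and the new IXPs) nor a comment records that the Frys-IX tag itself moved; a line above the `mkMerge` list, e.g. `# inner VLAN ids carried on the ifog (409) trunk; each netdev is attached to its parent via vlan = [...] in networks below`, would make the layout and the id change explicit. In the networks hunk (-192), `mkIXPConfig` hard-codes a `networkConfig` (DHCP/LLDP/EmitLLDP off, IPv6AcceptRA = false) that `85-ifog-transit` in the -226 hunk appears to repeat inline; if the remainder of that entry's networkConfig, which is outside the hunk, matches, taking an address list instead of separate `ipv4: ipv6:` parameters — `mkIXPConfig = name: addrs: {` with `address = addrs;` — would let the transit entry become `(mkIXPConfig "ifog-transit" [ "2a0c:9a40:100f:370::2/64" ])` and keep the hardening in one place. The `85-ifog-transit` and `80-wan` entries both continue past their hunks.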
@@ -280,7 +303,7 @@ in
 ];
 networkConfig.IPv6AcceptRA = false;
 };
- };
+ } ];
 };
 my = {
@@ -330,6 +353,8 @@ in
 '';
 in ''
+ define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }
+
 table inet filter {
 chain routing-tcp {
 # Safe enough to allow all SSH
@@ -354,13 +379,14 @@ in
 }
 chain forward {
- iifname { wan, frys-ix } oifname base jump filter-routing
- oifname frys-ix jump ixp
+ iifname wan oifname base jump filter-routing
+ iifname ixps oifname base jump filter-routing
+ oifname ixps jump ixp
 oifname as211024 accept
 }
 chain output {
- oifname frys-ix-base ether type != vlan reject
- oifname frys-ix jump ixp
+ oifname ifog ether type != vlan reject
+ oifname ixps jump ixp
 }
 }
 table inet nat {
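Review bot: nftables symbolic variables are referenced with a leading `$`, so `iifname ixps oifname base jump filter-routing` and `oifname ixps jump ixp` in the forward chain, and `oifname ixps jump ixp` in the output chain (hunk at -354), match an interface literally named "ixps" rather than the set created by `define ixps = { ... }` in the -330 hunk; as written, traffic from and to the IXP VLANs never reaches `filter-routing` or the `ixp` chain, and what happens to it instead depends on the chains' default policies, which are outside the hunk. The fix is `iifname $ixps oifname base jump filter-routing`, `oifname $ixps jump ixp` (forward) and `oifname $ixps jump ixp` (output); `$ixps` is safe inside the Nix `''` string because only `${` starts an interpolation. The `define` also duplicates the interface list given to `protocol direct` in bgp.nix, so a `# keep in sync with protocol direct in bgp.nix` comment next to it would help. Both the `define` and the chain bodies sit inside a ruleset string that is opened before the -330 hunk.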