nixos/estuary: Update networking config for iFog and new IXPs

This commit is contained in:
Jack O'Sullivan 2022-11-18 11:54:04 +00:00
parent 950bcb3055
commit 7c523633f4
2 changed files with 113 additions and 33 deletions


@ -44,7 +44,7 @@ in
protocol device {} protocol device {}
protocol direct { protocol direct {
interface "wan", "frys-ix"; interface "wan", "frys-ix", "nl-ix", "fogixp", "ifog-transit";
ipv4; ipv4;
ipv6; ipv6;
} }
@ -64,7 +64,7 @@ in
import none; import none;
export filter { export filter {
if net ~ OWNNETSET4 then reject; if net ~ OWNNETSET4 then reject;
krt_prefsrc = OWNIP4; #krt_prefsrc = OWNIP4;
accept; accept;
}; };
}; };
@ -75,7 +75,7 @@ in
export filter { export filter {
if net = HOMENET6 then accept; if net = HOMENET6 then accept;
if net ~ OWNNETSET6 then reject; if net ~ OWNNETSET6 then reject;
krt_prefsrc = OWNIP6; #krt_prefsrc = OWNIP6;
accept; accept;
}; };
}; };
@ -176,6 +176,11 @@ in
neighbor 2a02:898:0:20::e1 as 8283; neighbor 2a02:898:0:20::e1 as 8283;
} }
protocol bgp upstream6_ifog from upstream_bgp6 {
description "iFog transit (IPv6)";
neighbor 2a0c:9a40:100f:370::1 as 34927;
}
protocol bgp upstream6_frysix_he from upstream_bgp6 { protocol bgp upstream6_frysix_he from upstream_bgp6 {
description "Hurricane Electric (on Frys-IX, IPv6)"; description "Hurricane Electric (on Frys-IX, IPv6)";
neighbor 2001:7f8:10f::1b1b:154 as 6939; neighbor 2001:7f8:10f::1b1b:154 as 6939;
@ -225,6 +230,55 @@ in
description "Hurricane Electric (on Frys-IX, IPv4)"; description "Hurricane Electric (on Frys-IX, IPv4)";
neighbor 185.1.203.154 as 6939; neighbor 185.1.203.154 as 6939;
} }
protocol bgp ixp4_nlix_rs1 from ixp_bgp4 {
description "NL-ix route server 1 (IPv4)";
neighbor 193.239.116.255 as 34307;
}
protocol bgp ixp6_nlix_rs1 from ixp_bgp6 {
description "NL-ix route server 1 (IPv6)";
neighbor 2001:7f8:13::a503:4307:1 as 34307;
}
protocol bgp ixp4_nlix_rs2 from ixp_bgp4 {
description "NL-ix route server 2 (IPv4)";
neighbor 193.239.117.0 as 34307;
}
protocol bgp ixp6_nlix_rs2 from ixp_bgp6 {
description "NL-ix route server 2 (IPv6)";
neighbor 2001:7f8:13::a503:4307:2 as 34307;
}
protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
description "Cloudflare NL-ix 1 (IPv6)";
neighbor 2001:7f8:13::a501:3335:1 as 13335;
}
protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
description "Cloudflare NL-ix 2 (IPv6)";
neighbor 2001:7f8:13::a501:3335:2 as 13335;
}
protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
description "Cloudflare NL-ix 3 (IPv6)";
neighbor 2001:7f8:13::a501:3335:3 as 13335;
}
protocol bgp ixp4_fogixp_rs1 from ixp_bgp4 {
description "FogIXP route server 1 (IPv4)";
neighbor 185.1.147.111 as 47498;
}
protocol bgp ixp6_fogixp_rs1 from ixp_bgp6 {
description "FogIXP route server 1 (IPv6)";
neighbor 2001:7f8:ca:1::111 as 47498;
}
protocol bgp ixp4_fogixp_rs2 from ixp_bgp4 {
description "FogIXP route server 2 (IPv4)";
neighbor 185.1.147.222 as 47498;
}
protocol bgp ixp6_fogixp_rs2 from ixp_bgp6 {
description "FogIXP route server 2 (IPv6)";
neighbor 2001:7f8:ca:1::222 as 47498;
}
''; '';
}; };
}; };
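Review bot: Commenting out `krt_prefsrc = OWNIP4;` and `krt_prefsrc = OWNIP6;` in the two kernel export filters (second and third hunks) changes which source address the kernel picks for router-originated traffic over every BGP-learned route, and the hunk gives no reason for it. With the IXP and transit VLANs now carrying their own addresses, that traffic is presumably sourced from whichever peering-LAN address the route's next hop sits on, and IXP LAN prefixes are typically not routed globally, so the intent is worth confirming rather than leaving dead lines behind. If the change is deliberate, replace the commented code with a why-comment such as `# krt_prefsrc deliberately unset: let the kernel pick the egress interface's address (OWNIP is not preferred via IXP/transit next hops)` stating the actual reason; otherwise restore the assignments. The `protocol kernel` blocks these filters belong to start outside the hunks, as do the `upstream_bgp6`/`ixp_bgp4`/`ixp_bgp6`/`peer_bgp6` templates the new sessions inherit, so their import filters and prefix limits could not be checked from this view.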


@ -148,22 +148,26 @@ in
}; };
}; };
netdevs = { netdevs =
"25-frys-ix-base" = { let
netdevConfig = { mkVLAN = name: vid: {
Name = "frys-ix-base"; "25-${name}" = {
Kind = "vlan"; netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = vid;
}; };
vlanConfig.Id = 409;
}; };
"25-frys-ix" = { in
netdevConfig = { mkMerge [
Name = "frys-ix"; (mkVLAN "ifog" 409)
Kind = "vlan";
}; (mkVLAN "frys-ix" 701)
vlanConfig.Id = 2604; (mkVLAN "nl-ix" 1845)
}; (mkVLAN "fogixp" 1147)
}; (mkVLAN "ifog-transit" 702)
];
links = { links = {
"10-wan" = { "10-wan" = {
@ -192,10 +196,31 @@ in
}; };
}; };
networks = { networks =
let
mkIXPConfig = name: ipv4: ipv6: {
"85-${name}" = {
matchConfig.Name = name;
address = [ ipv4 ipv6 ];
linkConfig.MTUBytes = "1500";
networkConfig = {
DHCP = "no";
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
};
};
};
in
mkMerge
[
(mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
(mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
(mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
{
"80-wan" = { "80-wan" = {
matchConfig.Name = "wan"; matchConfig.Name = "wan";
vlan = [ "frys-ix-base" ]; vlan = [ "ifog" ];
DHCP = "no"; DHCP = "no";
address = with assignments.internal; [ address = with assignments.internal; [
(with ipv4; "${address}/${toString mask}") (with ipv4; "${address}/${toString mask}")
@ -212,12 +237,12 @@ in
IPv6AcceptRA = false; IPv6AcceptRA = false;
}; };
}; };
"85-frys-ix-base" = { "85-ifog" = {
matchConfig = { matchConfig = {
Name = "frys-ix-base"; Name = "ifog";
Kind = "vlan"; Kind = "vlan";
}; };
vlan = [ "frys-ix" ]; vlan = [ "frys-ix" "nl-ix" "fogixp" "ifog-transit" ];
networkConfig = { networkConfig = {
LinkLocalAddressing = "no"; LinkLocalAddressing = "no";
DHCP = "no"; DHCP = "no";
@ -226,12 +251,10 @@ in
IPv6AcceptRA = false; IPv6AcceptRA = false;
}; };
}; };
"85-frys-ix" = { "85-ifog-transit" = {
matchConfig.Name = "frys-ix"; matchConfig.Name = "ifog-transit";
address = [ address = [ "2a0c:9a40:100f:370::2/64" ];
"185.1.203.196/24" linkConfig.MTUBytes = "1500";
"2001:7f8:10f::3:3850:196/64"
];
networkConfig = { networkConfig = {
DHCP = "no"; DHCP = "no";
LLDP = false; LLDP = false;
@ -280,7 +303,7 @@ in
]; ];
networkConfig.IPv6AcceptRA = false; networkConfig.IPv6AcceptRA = false;
}; };
}; } ];
}; };
my = { my = {
@ -330,6 +353,8 @@ in
''; '';
in in
'' ''
define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }
table inet filter { table inet filter {
chain routing-tcp { chain routing-tcp {
# Safe enough to allow all SSH # Safe enough to allow all SSH
@ -354,13 +379,14 @@ in
} }
chain forward { chain forward {
iifname { wan, frys-ix } oifname base jump filter-routing iifname wan oifname base jump filter-routing
oifname frys-ix jump ixp iifname ixps oifname base jump filter-routing
oifname ixps jump ixp
oifname as211024 accept oifname as211024 accept
} }
chain output { chain output {
oifname frys-ix-base ether type != vlan reject oifname ifog ether type != vlan reject
oifname frys-ix jump ixp oifname ixps jump ixp
} }
} }
table inet nat { table inet nat {
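Review bot: The three `mkIXPConfig` networks and `85-ifog-transit` pin `linkConfig.MTUBytes = "1500"`, but they are now VLANs stacked on the `ifog` VLAN (409) on `wan`, i.e. double-tagged frames; on many NICs the second 802.1Q tag counts against the parent's maximum frame size, so unless `10-wan` or `85-ifog` (both only partly visible in the hunks) raise the parent MTU to at least 1504, full-size frames toward the route servers can be dropped. Set the MTU on the outer device, e.g. `linkConfig.MTUBytes = "1504";` in the `85-ifog` network (or larger on `10-wan` if that link already carries jumbo frames), and verify with a 1500-byte don't-fragment ping to each route server. Separately, the new `ixps` set also contains `ifog-transit`, so `oifname ixps jump ixp` and `iifname ixps oifname base jump filter-routing` now apply the `ixp` chain's policy (defined outside the hunk) to the transit link as well; if that is intended, a name like `define peering = { frys-ix, nl-ix, fogixp, ifog-transit }` or a one-line comment above the define would keep later readers from assuming the set is IXP-only.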