Task #7180

Updated by Nico Schottelius almost 2 years ago

* router1-new is up and running

h2. Steps

* Verify / update cdist configuration
* Checkout IP configuration
** Add VRRP IPs to loopback interface (will be used instead of keepalived)
* Verify sysctl configuration
* Rerun cdist, exclude announcing of routes
* Adjust radvd configuration
** lower interval
** lower life time

h2. cdist configuration

Was written for Devuan/keepalived. Need to check step-by-step.

* __ungleich_bgp_router: *TEMPFIX*
** contains static route announcements
** can only be used once the upstream networking is verified
* __dcl_node_exporter: still makes sense
** Is debian/devuan specific, needs changes
* __ungleich_ipv6_radvd --config router-$dc
** 80% done
** restart needs to be implemented
* __ungleich_nftables --config router-$dc
* --__dcl_router_resolvconf --search-path "$d"--: done
** no changes required
* __dcl_tftp_http_pxe_bootserver
** ok, needs to be tested for alpine
** needs to be updated for ipv6 only boot
** could be moved to APUs
* -require="__dcl_router_network" __dcl_router_keepalived --master-: done
** Needs to be ported to loopback + bgp
** -commented out statement for place6 routers-: done
* __dcl_router_network --ipsuffix 5
** Need to add keepalived IPs
* # __dcl_nat64 --mtu 9000

h2. Networking

* Update interfaces for alpine
** -place6-
** place5

h2. Implementing virtual IPs with BGP

* Announce the IPv6/128 IPv4/32 address
** Or network alone is enough?
* -Add the addresses to the loopback interface-: done
** all done locally on router1-new
** Needs to be put back into cdist
* Add addresses for place5
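As an added example (not from the ticket or the cdist types) for the two steps above, the script below turns a list of virtual IPs into the loopback host addresses plus a bird2 static stanza announcing exactly the /128 and /32 host routes. It assumes bird2 on Alpine; the addresses 2001:db8:6::1 and 192.0.2.1 are constructed documentation prefixes standing in for the place6 VIPs, and vip_prefix, vip_lo_cmds and vip_bird_static are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the ticket): turn a list of virtual IPs into
# (1) the `ip addr` commands that bind them to lo as host addresses and
# (2) a bird2 static protocol stanza announcing those host routes, i.e.
# the /128 and /32 that the BGP peers on both routers must learn.
# Assumptions: bird2 on Alpine; the addresses used below are
# documentation prefixes (2001:db8::/32, 192.0.2.0/24), not real VIPs.

# Host-route prefix for a VIP: /128 for IPv6, /32 for IPv4.
vip_prefix() {
    case "$1" in
        *:*) printf '%s/128\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# `ip addr` commands binding each VIP to the loopback interface.
# Only the bare address is bound (no on-link subnet), so the router
# never treats the whole VIP subnet as directly connected.
vip_lo_cmds() {
    for vip in "$@"; do
        case "$vip" in
            *:*) printf 'ip -6 addr add %s dev lo\n' "$(vip_prefix "$vip")" ;;
            *)   printf 'ip -4 addr add %s dev lo\n' "$(vip_prefix "$vip")" ;;
        esac
    done
}

# bird2 static stanza (one protocol per address family) with host routes
# via lo. Export these to BGP but filter them from the kernel protocol:
# the kernel already holds the local route. With both routers announcing
# the same /128 or /32, peers keep the best path and fail over on withdraw.
vip_bird_static() {
    fam="$1"; shift
    printf 'protocol static vip_%s {\n    %s;\n' "$fam" "$fam"
    for vip in "$@"; do
        printf '    route %s via "lo";\n' "$(vip_prefix "$vip")"
    done
    printf '}\n'
}

# Constructed VIPs (documentation addresses).
vip_lo_cmds 2001:db8:6::1 192.0.2.1
vip_bird_static ipv6 2001:db8:6::1
vip_bird_static ipv4 192.0.2.1
```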

h2. Firewalling

h2. Change router advertisements

We will have 2 active routers now with both advertising with radvd at the same time.
This is part of replacing keepalived.

* -Change router advertisement lifetime to 10 seconds-
* -Change advertisement interval to 3..5-
* Modify cdist type to restart/reload radvd on changes

<pre>
MinRtrAdvInterval 3;
MaxRtrAdvInterval 5;
AdvDefaultLifetime 10;
</pre>

* Good documentation:

h2. IPv4 NAT session table

* With two active routers, the masquerading session information is only stored on one router
* If reply is received by other router, no session table match is found
* This only affects client devices
** VMs are using direct public IPv4

h2. Switch configuration

* Switches *might* need ipv4 bgp peering for providing virtual IPv4 address support
* Don't see traffic on router1-new from upstream
** Need to verify trunk configuration on switches

<pre>
switch5-place6(config)#vlan 100
switch5-place6(config-vlan-100)#name netstream
Copy completed successfully.

switch6-place6(config)#vlan 100
switch6-place6(config-vlan-100)#name netstream
Copy completed successfully.
</pre>

h2. Building jool

<pre>
apk upgrade
apk add alpine-sdk
apk add libnl3-dev
apk add iptables-dev
apk add linux-vanilla-dev
apk add argp-standalone

tar xvfz jool_4.0.1.tar.gz
cd jool-4.0.1/
./configure && make && make install
</pre>

h2. Missing routes from iBGP

* new router1.place6 does not receive full routing table from peers in place5
* Error "Invalid NEXT_HOP attribute" appears in the config file
** Good documentation:
*** (use translate...)
** It seems bird1.6 uses the peer's IP address for the route while bird2 uses the "correct" next hop address inside the route
* Solution for bird2: "next hop self ebgp;"

h2. Consul

* Missing: correct init script: not compatible w/ alpine
* Started manually -> works

<pre>
[15:21] line:~% echo __dcl_consul_agent --datacenter place6 --server --server --server | cdist config -i - -vv -c ~/vcs/ungleich-dot-cdist/ -j8 -p8
</pre>

h2. Node exporter / monit

* monit: need to modify /etc/monitrc to include @include /etc/monit/conf.d/*@
* need to create the directory: @mkdir -p /etc/monit/conf.d@
* Missing init script /etc/init.d/prometheus-node-exporter
** need to add this into cdist and or alpine package
** Alternative: modify the node-exporter monit configuration

<pre>
[15:42] line:~% echo "__directory /etc/consul/conf.d; __dcl_node_exporter" | cdist config -i - -vv -c ~/vcs/ungleich-dot-cdist/ -j8
</pre>