
VyOS configuration and BGP announcement of IPv6 (VyOS: from getting started to giving up)

Recently I have been thinking about what to use to replace RouterOS. I tried pfSense and OPNsense before, but gave up on them because they could not run WireGuard or ZeroTier. Then I searched around and found that VyOS supports WireGuard, and remembered I had tried this system on Vultr before; since it has no web UI like LuCI, I had a quick look after installing and gave up. Recently I had some spare time and tried VyOS again, so I am writing down the configuration process. Incidentally, although I got BGP configured this time, I have decided to go back to the original Ubuntu + BIRD setup, because when I think about it carefully, the reason I used RouterOS was that both its filters and its BGP could be configured fairly conveniently from WinBox and the web UI. Switching to VyOS means not only an unfamiliar OS but also no web UI like LuCI, so I might as well go straight back to the earliest setup.

Installation

This test was done on Vultr. Vultr provides a VyOS v1.2 ISO; mount it and install over VNC. Once the VNC console is open, enter the username and password (both default to vyos), then type install image, choose the partitions, set the account password, then unmount the ISO and reboot into the system.

Network configuration

First go to the VPS's Network tab in the Vultr panel and look at the IPv4 information. You will get the machine's IP, mask and gateway; work out the subnet size from the mask to get CIDR notation. Here assume the machine IP is 45.76.162.37, the mask is 255.255.254.0 and the gateway is 45.76.161.1, then log in to the machine and start configuring.

configure
set interfaces ethernet eth0 address "45.76.162.37/23"
set protocols static route 0.0.0.0/0 next-hop 45.76.161.1
set system name-server 8.8.8.8
set system name-server 8.8.4.4
commit
save
exit

Then ping 8.8.8.8 to check that the machine's network works; if not, check that the configuration is correct. If it works, continue with IPv6. In the VPS's Network tab you can see the VPS's IP, network and mask, but the gateway field says use router discovery, and neither VyOS nor RouterOS can properly discover Vultr's default gateway, so it has to be configured manually. That means we need to find the gateway ourselves; the method is explained below. First configure IPv6. Here assume the VPS's IP is 2001:19f0:4400:656b:5400:02ff:fe91:c318, the network is 2001:19f0:4400:656b:: and the mask is 64.

configure
set interfaces ethernet eth0 address "2001:19f0:4400:656b:5400:02ff:fe91:c318/64"
commit
save

Once that is set, first ping the network's IP to check that IPv6 is configured correctly: ping6 2001:19f0:4400:656b::. If you get replies, the configuration is correct; if not, check that the configuration is correct. Then find the VPS's gateway: run ping6 -I eth0 ff02::2 and you will get output that looks something like this

PING ff02::2(ff02::2) from fe80::5400:2ff:fe91:c318 eth0: 56 data bytes
64 bytes from fe80::5400:2ff:fe91:c318: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from fe80::fc00:2ff:fe91:c318: icmp_seq=1 ttl=64 time=0.498 ms (DUP!)
64 bytes from fe80::5400:2ff:fe91:c318: icmp_seq=2 ttl=64 time=0.087 ms
64 bytes from fe80::fc00:2ff:fe91:c318: icmp_seq=2 ttl=64 time=0.462 ms (DUP!)
64 bytes from fe80::5400:2ff:fe91:c318: icmp_seq=3 ttl=64 time=0.076 ms
64 bytes from fe80::fc00:2ff:fe91:c318: icmp_seq=3 ttl=64 time=0.647 ms (DUP!)

Here you can see that every ping gets two replies, one from an address starting with fe80::5400 and another starting with fe80::fc00. The fe80::fc00 one, fe80::fc00:2ff:fe91:c318, is our gateway. Now set the IPv6 gateway.

configure
set protocols static route6 2000::/3 next-hop fe80::fc00:2ff:fe91:c318
commit
save
exit

IPv6 routing is now set up; you can run ping6 ipv6.google.com to check whether IPv6 works. Currently all global IPv6 falls within 2000::/3, so we only need a route for this one subnet.
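The gateway discovery above is manual: every node on the segment that considers itself a router answers ff02::2, and the one that is not our own address is taken as the next-hop. The following is an added example, not code from the post or from VyOS, that parses such ping6 output, keeps only link-local responders other than ourselves, and produces the two VyOS lines derived from the panel data (the CIDR address and the 2000::/3 route); the sample output embedded in it is constructed from the ping6 output quoted above.

```python
import ipaddress
import re

# Constructed sample: the `ping6 -I eth0 ff02::2` output quoted in the post.
SAMPLE_PING_OUTPUT = """\
PING ff02::2(ff02::2) from fe80::5400:2ff:fe91:c318 eth0: 56 data bytes
64 bytes from fe80::5400:2ff:fe91:c318: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from fe80::fc00:2ff:fe91:c318: icmp_seq=1 ttl=64 time=0.498 ms (DUP!)
64 bytes from fe80::5400:2ff:fe91:c318: icmp_seq=2 ttl=64 time=0.087 ms
64 bytes from fe80::fc00:2ff:fe91:c318: icmp_seq=2 ttl=64 time=0.462 ms (DUP!)
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
HEADER_RE = re.compile(r"^PING \S+ from (\S+) \S+:")
REPLY_RE = re.compile(r"^\d+ bytes from (\S+): icmp_seq=\d+")

def interface_cidr(address: str, netmask: str) -> str:
    """Turn the IP and dotted mask shown in the Vultr panel into VyOS CIDR form."""
    return str(ipaddress.ip_interface(f"{address}/{netmask}"))

def router_candidates(ping_output: str) -> dict[str, int]:
    """Map each link-local address answering ff02::2 (other than our own) to its reply count.
    Every node that considers itself a router answers the all-routers multicast, so a
    candidate the provider does not document must be verified before use as a gateway."""
    own = None
    counts: dict[str, int] = {}
    for line in ping_output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            own = ipaddress.IPv6Address(m.group(1))
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        if addr == own or addr not in LINK_LOCAL:
            continue  # skip our own echo and anything that is not link-local
        counts[str(addr)] = counts.get(str(addr), 0) + 1
    return counts

def gateway_route_command(gateway: str) -> str:
    """VyOS command that routes global unicast space (2000::/3) via the gateway."""
    gw = ipaddress.IPv6Address(gateway)
    if gw not in LINK_LOCAL:
        raise ValueError("a next-hop learned from ff02::2 must be link-local")
    return f"set protocols static route6 2000::/3 next-hop {gw}"
```

If router_candidates returns more than one address, the segment has more than one node claiming to be a router, and the right one should be confirmed against the provider's information rather than picked at random.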

BGP announcement

In the BGP tab of the VPS in the Vultr panel you can see your own AS information plus the peer's ASN and peer IP. Assume our ASN is 123456, the BGP password is 123321, and we want to announce the subnet 2333::/48.

configure
set protocols bgp 65534 neighbor 2001:19f0:ffff::1 ebgp-multihop '2'
set protocols bgp 65534 neighbor 2001:19f0:ffff::1 remote-as '64515'
set protocols bgp 65534 neighbor 2001:19f0:ffff::1 password 123321
set protocols bgp 65534 neighbor 2001:19f0:ffff::1 update-source '2001:19f0:4400:656b:5400:02ff:fe91:c318'
set protocols bgp 65534 neighbor 2001:19f0:ffff::1 address-family ipv6-unicast
set protocols bgp 65534 address-family ipv6-unicast network '2333::/48'
set protocols bgp 65534 parameters router-id '45.76.161.1'

set protocols static route6 2333::/48 blackhole distance '254'

commit
save
exit

Now you can use show ipv6 bgp neighbors to check the BGP session and the announcements, and run traceroute tests from other machines.

Also, the last line, set protocols static route6 2333::/48 blackhole distance '254', adds the announced subnet to the static routing table, because I found this passage in the official documentation:

Don’t forget, the CIDR declared in the network statement MUST exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route

And that command is the one given in the example in the official documentation.

At this point I should be moving on to filter configuration, but right then I suddenly realised: if there is no web UI, why not just go back to the Ubuntu + BIRD combination?
And that was that...

Last edited: 21 March 2020