[Babel-users] IPv6 ULA GUA S2S routing problem

Jochen Demmer jochen at winteltosh.de
Mon Mar 13 21:43:02 GMT 2023


Thank you for that detailed description.
It seems to be working. I simulate a prefix change at my home site by
adding a prefix to the redistribute:

config filter
        option type "redistribute"
        option ip "2a03:fe3:fe3::/48"

I then add an ip from that prefix to an interface and very fast it will
show up as a route at the remote firewall (OpenWrt btw at both sides).

Yet I cannot communicate. Is it possible that the wireguard tunnel
itself doesn't have the prefix in its allowed IPs? I always thought
this allowed_ips parameter is only for setting up the routing, even if
the name suggests otherwise.

Regards
Jochen

On Monday, 13.03.2023 at 10:51 +0100, Daniel Gröber wrote:
> Hi Jochen,
> 
> On Mon, Mar 13, 2023 at 09:50:31AM +0100, Jochen Demmer wrote:
> > I thought I could use babeld to just fill that gap and always have a
> > route to the prefix I get at home. So even when there is a disconnect
> > and a new prefix, I thought babeld will just fetch it and push it over
> > to site B.
> > 
> > Is that a valid idea? If so, what would a configuration look like?
> 
> You can definitely use babel here. You just need to add some config lines to
> redistribute your prefixes. Quoting the manpage:
> 
>        By default, babeld redistributes all local addresses, and no other
>        routes.  In order to make sure that only the routes you specify are
>        redistributed, you should include the line
> 
>               redistribute local deny
> 
> So that's a good start and then you just need to add filters to get the
> prefixes in:
> 
>     redistribute local deny
>     redistribute ip fd5e:ef07:ec1a::/48 #< Site A ULA prefix
>     redistribute ip 2000::/3            #< Site X GUA prefixes
> 
> And that's pretty much it for the babel side. Just add the interface(s) you
> want to run on to /etc/default/babeld (on Debian at least) and you should
> be good to go.
> 
> There is one gotcha that I'd like to point out. babeld fucks with a number
> of ip sysctls which you might not expect if your routers are already set up
> as you want them. You can disable this using `skip-kernel-setup true`. Grep
> the source for skip_kernel_setup to see the sysctls it touches.
> 
> Note that by default babeld will accept all routes from neighbours. You
> might want to add `in` filters to prevent the other site from announcing
> routes it's not allowed to send.
> 
> You can be more specific with the GUA prefixes if you like but that's a
> local policy matter :)
> 
> > Do I just have to configure the wireguard interface on both sites or
> > will I have to add filters?
> 
> To get babel to work on wg you have to 1) add a unique fe80::/64 interface
> address on each side and 2) if using restrictive AllowedIPs include
> fe80::/64 and ff02::1:6 in the list.
> 
> Let me know how it goes,
> --Daniel
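
Added example, not part of the original messages: WireGuard uses a peer's AllowedIPs both to select the peer for outgoing packets and to filter the source address of incoming ones, so a prefix that babeld has learned but that is missing from AllowedIPs is routed yet dropped at the tunnel. The Python check below flags such prefixes and the two Babel entries listed in the reply; the function names and the sample AllowedIPs list are constructed, the prefixes are the ones quoted in the thread.

```python
"""Audit a WireGuard peer's AllowedIPs against the prefixes babeld announces."""
import ipaddress

# Link-local unicast and the Babel multicast group, as listed in the reply above.
BABEL_REQUIRED = ["fe80::/64", "ff02::1:6/128"]


def parse(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def collapse(nets):
    """Merge adjacent/nested entries per address family (two /49s become a /48)."""
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def covered(prefix, allowed):
    """True if every address in prefix lies inside the collapsed AllowedIPs."""
    return any(prefix.version == a.version and prefix.subnet_of(a) for a in allowed)


def audit(allowed_ips, announced):
    """Return prefixes WireGuard would drop for this peer.

    allowed_ips: AllowedIPs configured for the remote peer.
    announced:   prefixes that peer redistributes via babeld.
    """
    allowed = collapse(parse(allowed_ips))
    return {
        # Babel hellos/updates never arrive: no routes get exchanged at all.
        "babel_blocked": [str(p) for p in parse(BABEL_REQUIRED) if not covered(p, allowed)],
        # Route is installed, but traffic to/from the prefix is dropped by WireGuard.
        "data_blocked": [str(p) for p in parse(announced) if not covered(p, allowed)],
    }


if __name__ == "__main__":
    # Constructed sample: Babel traffic and the ULA are allowed, the new GUA is not.
    allowed = ["fd5e:ef07:ec1a::/48", "fe80::/64", "ff02::1:6/128"]
    announced = ["fd5e:ef07:ec1a::/48", "2a03:fe3:fe3::/48"]
    print(audit(allowed, announced))
    print(audit(allowed + ["2000::/3"], announced))
```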



