[Babel-users] IPv6 ULA GUA S2S routing problem

[Jochen Demmer]

allright I figured it out.
On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
Then set route_allowed_ips to 0.

This seems to work, yet it is generally recommended not to allow any in
a wireguard tunnel. I don't see another way right now thogh.
So I believe my setup is save, thank you!

Thanks
Jochen


Am Montag, dem 13.03.2023 um 22:43 +0100 schrieb Jochen Demmer:
> Thank you for that detailed description.
> It seems to be working. I simulate a prefix change at my home site by
> adding a prefix to the redistribute:
> 
> config filter
>         option type "redistribute"
>         option ip "2a03:fe3:fe3::/48"
> 
> I then add an ip from that prefix to an interface and very fast it
> will
> show up as a route at the remote firewall (OpenWrt btw at both
> sides).
> 
> Yet I cannot communicate. Is it possible that the wireguard tunnel
> itself doesn't have the prefix in its allowed IPs? I always thought
> this allowed_ips parameter is only for seting up the routing, even if
> the name suggests otherwise.
> 
> Regards
> Jochen
> 
> Am Montag, dem 13.03.2023 um 10:51 +0100 schrieb Daniel Gröber:
> > Hi Jochen,
> > 
> > On Mon, Mar 13, 2023 at 09:50:31AM +0100, Jochen Demmer wrote:
> > > I though I could use babeld to just fill that gap and always have
> > > a
> > > route to the prefix I get at home. So even when there is a
> > > disconnect
> > > and a new prefix, I thought babeld will just fetch it and push it
> > > over
> > > to site B.
> > > 
> > > Is that a valid idea? If so, what would a configuration will look
> > > like?
> > 
> > You can definetly use babel here. You just need to add some config
> > lines to
> > redistribute your prefixes. Quoting the manpage:
> > 
> >        By  default,  babeld  redistributes  all  local addresses,
> > and
> > no other
> >        routes.  In order to make sure that only the routes you
> > specify are re‐
> >        distributed, you should include the line
> > 
> >               redistribute local deny
> > 
> > So that's a good start and then you just need to add filters to get
> > the
> > prefixes in:
> > 
> >     redistribute local deny
> >     redistribute ip fd5e:ef07:ec1a::/48 #< Site A ULA prefix
> >     redistribute ip 2000::/3            #< Site X GUA prefixes
> > 
> > And that's pretty much it for the babel side. Just add the
> > interface(s) you
> > want to run on to /etc/default/babeld (on Debian at least) and you
> > should
> > be good to go.
> > 
> > There is one gotcha that I'd like to point out. babeld fucks with a
> > number
> > of ip sysctls which you might not expect if your routers are
> > already
> > setup
> > as you want them. You can disable this using `skip-kernel-setup
> > true`. Grep
> > the source for skip_kernel_setup to see the sysctls it touches.
> > 
> > Note that by default babeld will accept all routes from neighbours.
> > You
> > might want to add `in` filters to prevent the other site from
> > announcing
> > routes it's not allowed to send.
> > 
> > You can be more specific with the GUA prefixes if you like but
> > that's
> > a
> > local policy matter :)
> > 
> > > Do I just have to configure the wireguard interface on both sites
> > > or
> > > will I have to add filters?
> > 
> > To get babel to work on wg you have to 1) add a unique fe80::/64
> > interface
> > address on each side and 2) if using restrictive AllowedIPs include
> > fe80::/64 and ff02::1:6 in the list.
> > 
> > Let me know how it goes,
> > --Daniel
> 
> 
> _______________________________________________
> Babel-users mailing list
> Babel-users at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users