
Posts Tagged ‘FreeBSD’

Tuning BGP, FreeBSD, Quagga IPv4 and IPv6

January 26th, 2012

Quagga is a totally free (open source) routing protocol suite that is very popular alongside commercial branded products such as Cisco, Mikrotik, Juniper and others. Being open source does not mean the application is unreliable: many providers, companies, universities and institutions use it to handle their routing, and with OSPF, BGP, RIP and firewall features plus good management, Quagga can serve as an alternative to a commercial branded router. Quagga runs alongside any open source operating system. At the University of Lampung we use the combination of FreeBSD + Quagga as the outermost border router, handling network prefixes from all over the world, both IPv4 and IPv6. The question now is how to deploy a network with dynamic routing on FreeBSD and Quagga; the answer is below. :-)

1. First, make sure the FreeBSD operating system is fully installed on the server; the latest FreeBSD 9 Release source can be downloaded from http://mirror.unila.ac.id .

2. The first tuning step is done at the operating system level by modifying /etc/sysctl.conf:

# According to our experience a lot of loss with fastforwarding
net.inet.ip.fastforwarding=0

net.inet.tcp.inflight_enable=0

# No redirect
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0

# Source routing = off
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0 

# no icmp broadcast
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0 

# For Gigabit controller
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.recvbuf_inc=524288

3. Install the Quagga routing protocol suite from ports.

4. Enable the BGP peer towards the provider to receive the full routes/prefixes:

AS56237-NOC-Cyber-VLAN2011-MK670-AP# telnet localhost bgpd
Trying ::1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.17).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password:
INTL-global-gw-POP1-unila# 

hostname INTL-global-gw-POP1-unila        # Hostname
password 8 vbfxxxcvv  # Password
enable password 8 basdhkjhwehhHSKDJHhh # Enable password
log file /var/log/quagga/bgpd.log  # Enable logging
log stdout
service password-encryption  # Password encryption
!
router bgp 56237  # The AS number we manage
bgp router-id 27.50.31.178  # Router ID - the P2P IP we own
bgp log-neighbor-changes  # Every BGP change will be monitored
network 103.3.46.0/24  # Advertise the network prefix we manage
neighbor 27.50.31.177 remote-as 23947  # Peer neighbour P2P IP towards the ISP
neighbor 27.50.31.177 description UNILA-MORATEL # Peer description
neighbor 27.50.31.177 next-hop-self  # Next hop
neighbor 27.50.31.177 soft-reconfiguration inbound
neighbor 2001:470:17:9::1 remote-as 6939  # Peer neighbour IPv6
neighbor 2001:470:17:9::1 description UNILA-HE # Peer neighbour IPv6 description
neighbor 2001:470:17:9::1 update-source 2001:470:17:9::2  # Update source
neighbor 2001:470:17:9::1 remove-private-AS # Strip private ASNs
!
address-family ipv6
network 2001:df0:230::/48  # Advertise the IPv6 prefix
neighbor 2001:470:17:9::1 activate # Activate the IPv6 peer neighbour
exit-address-family
!
line vty
!
end

INTL-global-gw-POP1-unila# 

The example above is the minimal set of parameters that can be used; you can modify it further, for example by adding access lists for firewall purposes.

Then check whether the IPv4 and IPv6 prefixes have been received successfully.

IPv4 Check

INTL-global-gw-POP1-unila# sh bgp ipv4 unicast statistics
BGP IPv4 Unicast RIB statistics

Total Advertisements          :       402003
Total Prefixes                :       402003
Average prefix length         :        22.34
Unaggregateable prefixes      :       191613
Maximum aggregateable prefixes:       210390
BGP Aggregate advertisements  :        25173
Address space advertised      :   2512747923
                 %% announced :        58.50
                /8 equivalent :       149.77
               /24 equivalent :   9815422.00
Advertisements with paths     :       402003
Longest AS-Path (hops)        :           28
Average AS-Path length (hops) :         4.57
Largest AS-Path (bytes)       :          114
Average AS-Path size (bytes)  :        20.26
Highest public ASN            :     12845948
INTL-global-gw-POP1-unila#

IPv6 Check

INTL-global-gw-POP1-unila# sh bgp ipv6 unicast statistics
BGP IPv6 Unicast RIB statistics

Total Advertisements          :         7519
Total Prefixes                :         7519
Average prefix length         :        38.28
Unaggregateable prefixes      :         5796
Maximum aggregateable prefixes:         1723
BGP Aggregate advertisements  :          340
Address space advertised      :  29890695739
                 %% announced : 2989069516800.00
                /8 equivalent :      1781.62
               /24 equivalent : 116760528.00
Advertisements with paths     :         7519
Longest AS-Path (hops)        :           14
Average AS-Path length (hops) :         2.98
Largest AS-Path (bytes)       :           58
Average AS-Path size (bytes)  :        13.93
Highest public ASN            :       393246
INTL-global-gw-POP1-unila#

Also make sure that the path we take is working properly:

IPv4

AS56237-NOC-Cyber-VLAN2011-MK670-AP# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 74.125.235.49
traceroute to www.l.google.com (74.125.235.49), 128 hops max, 40 byte packets
 1  ip-27-50-31-177.cepat.net.id (27.50.31.177)  6.620 ms  7.846 ms  5.686 ms
 2  v450.0-2-0.m10-cyb-jkt.moratelindo.co.id (202.43.177.38)  5.195 ms  5.143 ms  5.367 ms
 3  v223.2-1-2.sr7-cyb-jkt.moratelindo.co.id (27.50.17.250)  8.143 ms  6.292 ms  5.901 ms
 4  * * *
 5  p15169.sgw.equinix.com (202.79.197.30)  26.760 ms  26.604 ms  26.724 ms
 6  209.85.243.156 (209.85.243.156)  29.541 ms  29.578 ms  29.805 ms
 7  72.14.233.145 (72.14.233.145)  29.961 ms  29.817 ms  29.815 ms
 8  sin01s05-in-f17.1e100.net (74.125.235.49)  25.991 ms  26.008 ms  25.925 ms
AS56237-NOC-Cyber-VLAN2011-MK670-AP#

IPv6

AS56237-NOC-Cyber-VLAN2011-MK670-AP# traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2404:6800:800b::6a) from 2001:470:17:9::2, 64 hops max, 12 byte packets
 1  donovanp-2.tunnel.tserv19.hkg1.ipv6.he.net  73.347 ms  67.989 ms  69.137 ms
 2  tserv19.hkg1.ipv6.he.net  69.619 ms  91.654 ms  67.177 ms
 3  google3-10G.hkix.net  68.479 ms  68.728 ms  68.508 ms
 4  2001:4860::1:0:1063  70.171 ms  71.939 ms  69.439 ms
 5  2001:4860::1:0:9d0  105.830 ms  203.226 ms  106.359 ms
 6  2001:4860::2:0:3c6  107.178 ms
    2001:4860::2:0:3c7  106.180 ms
    2001:4860::2:0:3c6  104.981 ms
 7  2001:4860:0:1::25b  114.613 ms
    2001:4860:0:1::257  107.181 ms
    2001:4860:0:1::25b  114.576 ms
 8  2404:6800:800b::6a  108.043 ms  108.270 ms  107.646 ms
AS56237-NOC-Cyber-VLAN2011-MK670-AP#

Finally, always monitor your Quagga application.
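As an added example, not code from the original post: a Python check over the `sh bgp ipv4/ipv6 unicast statistics` output shown above, the kind of test a monitoring job can run against vtysh output. The minimum prefix counts and the AS-path limit are assumed thresholds, and the samples are constructed from the figures above.

```python
import re

# Constructed samples, copied from the `sh bgp ... statistics` output above
# and trimmed to the fields this check uses.
IPV4_STATS = """\
BGP IPv4 Unicast RIB statistics
Total Advertisements          :       402003
Total Prefixes                :       402003
Average prefix length         :        22.34
Longest AS-Path (hops)        :           28
Average AS-Path length (hops) :         4.57
"""
IPV6_STATS = """\
BGP IPv6 Unicast RIB statistics
Total Advertisements          :         7519
Total Prefixes                :         7519
                 %% announced : 2989069516800.00
Longest AS-Path (hops)        :           14
"""

# Assumed thresholds (early-2012 table sizes); tune them to your own baseline.
MIN_PREFIXES = {"ipv4": 350000, "ipv6": 6000}
MAX_AS_PATH_HOPS = 50

def parse_stats(text):
    """Turn the 'label : number' lines of the statistics output into {label: float}."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*([0-9.]+)\s*$", line)
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats

def check_table(text, family):
    """Return a list of findings; an empty list means the RIB looks healthy."""
    s = parse_stats(text)
    findings = []
    prefixes = int(s.get("Total Prefixes", 0))
    if prefixes < MIN_PREFIXES[family]:
        findings.append(f"{family}: only {prefixes} prefixes, full table not received")
    hops = int(s.get("Longest AS-Path (hops)", 0))
    if hops > MAX_AS_PATH_HOPS:
        findings.append(f"{family}: unusually long AS path ({hops} hops)")
    # The '%% announced' figure in the IPv6 output above is clearly not a
    # percentage, so it is reported but never used as a health signal.
    pct = s.get("%% announced")
    if pct is not None and pct > 100:
        findings.append(f"{family}: ignoring implausible '%% announced' value {pct}")
    return findings
```

Feed `check_table` the text of `vtysh -c "show bgp ipv4 unicast statistics"` and alert on any non-empty result.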

mirror.unila.ac.id

July 7th, 2011

Hosting for mirror.unila.ac.id has moved to a new machine; it is now reachable both from the Internet and from the private INHERENT network, with 100 Mbps upstream via IIX and 32 Mbps via INHERENT.

List of ISOs provided:

Tunneling IPv6 with Ubuntu Linux Behind NAT? Why Not..

March 31st, 2011

Source from WIKI:

An IP tunnel is an Internet Protocol (IP) network communications channel between two networks. It is used to transport another network protocol by encapsulation of its packets. IP tunnels are often used for connecting two disjoint IP networks that don’t have a native routing path to each other, via an underlying routable protocol across an intermediate transport network. In conjunction with the IPsec protocol they may be used to create a virtual private network between two or more private networks across a public network such as the Internet. Another prominent use is to connect islands of IPv6 installations across the IPv4 Internet.

IP tunnelling encapsulation

In IP tunnelling, every IP packet, including addressing information of its source and destination IP networks, is encapsulated within another packet format native to the transit network. At the borders between the source network and the transit network, as well as the transit network and the destination network, gateways are used that establish the end-points of the IP tunnel across the transit network. Thus, the IP tunnel endpoints become native IP routers that establish a standard IP route between the source and destination networks. Packets traversing these end-points from the transit network are stripped from their transit frame format headers and trailers used in the tunnelling protocol and thus converted into native IP format and injected into the IP stack of the tunnel endpoints. In addition, any other protocol encapsulations used during transit, such as IPsec or Transport Layer Security, are removed. IP in IP, sometimes called ipencap, is an example of IP encapsulation within IP and is described in RFC 2003. Other variants of the IP-in-IP variety are IPv6-in-IPv4 (6in4) and IPv4-in-IPv6 (4in6). IP tunneling often bypasses simple firewall rules transparently since the specific nature and addressing of the original datagrams are hidden. Content-control software is usually required to block IP tunnels.

The text above I excerpted from the Wikipedia explanation of IP tunnels, which gives a general picture of the IP tunnel concept. In a previous post I wrote about how to implement the 6to4 method to build an IPv6 network even without owning an IPv6 block of your own: http://gigihfordanama.wordpress.com/2011/03/30/mencoba-sixxs-org-ipv6-gateway/ . In the scheme of that post the server used was directly connected to global IPv4 and ran FreeBSD 8.0. Now we will experiment with what happens when the server that is to become the tunnel server sits behind NAT or uses a private IP. Let us look at the case I tested, with the following topology:

[(DMZ FIREWALL SERVER – WITH PUBLIC IP – OS FREEBSD)/NOC ROOM] --------> [FACULTY ROUTER] ------> [DEPARTMENT ROUTER]

202.43.189.222                                                            192.168.170.254            192.168.170.211

What needs to be done:

  1. Set a rule on the FreeBSD firewall with a bidirectional NAT configuration in the BSD packet filter (because I did not want the hassle), for example this line in /etc/pf.conf: binat on $eIF from 192.168.170.211 to any -> 202.43.189.222 . Why did I choose binat? Because I want to map the public IP to 192.168.170.211 in both directions and without any filtering at all; actually, all that is needed to open the tunnel service is to pass protocol 41 through to the destination. But since I also need it for other things, the firewall is left wide open, like a toll road. 😀
  2. That is all; what remains is to prove that traffic can get out from behind the NAT.

    elektro@elektro-desktop:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr d4:85:64:cc:58:23
    inet addr:192.168.170.211  Bcast:192.168.170.255

Trying 4to6 Tunneling, sixxs.org IPv6 Gateway

March 30th, 2011

As usual, first create a tunnel to a provider that offers IPv6 tunnelling, since my campus is still waiting for IPv6 and ASN approval from APNIC. Open http://www.tunnelbroker.net , create an account and create a regular tunnel. It will look roughly like this:

IPv6 Tunnel Endpoints
Server IPv4 address: 66.220.18.42
Server IPv6 address: 2001:470:c:eb4::1/64
Client IPv4 address: 202.43.189.208
Client IPv6 address: 2001:470:c:eb4::2/64
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /48: Allocate /48
Routed /64: 2001:470:d:eb4::/64
RDNS Delegation NS1: none

Once registered, all that remains is to create the tunnel interface and set the IPv6 default route, roughly like this:

Using sysctl to Monitor Incoming Traffic – FreeBSD

March 17th, 2011

Sysctl is an interface for examining and dynamically changing parameters in the BSD and Linux operating systems. The implementation mechanism in these two systems is very different.

In BSD these parameters are generally objects in a management information base (MIB) that describe tunable limits such as the size of a shared memory segment, the number of threads the operating system will use as an NFS client, or the maximum number of processes on the system; or describe, enable or disable behaviors such as IP forwarding, security restrictions on the superuser (the “securelevel”), or debugging output.  In BSD a system call or system call wrapper is usually provided for use by programs, as well as an administrative program and a configuration file (for setting the tunable parameters when the system boots).

We will try this in a FreeBSD environment and use the TCP logging feature to monitor all incoming connection attempts.

DMZ# sysctl net.inet.tcp.log_in_vain=1
net.inet.tcp.log_in_vain:0 -> 1
DMZ# tail -f /var/log/messages

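As an added example that is not part of the original post: once log_in_vain is on, the resulting kernel messages can be summarised per source to spot a host walking through closed ports. The message format in the regex and the threshold are assumptions (the post cuts off before showing real lines), and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumed shape of the message FreeBSD writes to /var/log/messages when
# net.inet.tcp.log_in_vain=1; adjust the pattern to what your version logs.
LOG_RE = re.compile(
    r"TCP: \[(?P<src>[0-9a-fA-F.:]+)\]:(?P<sport>\d+) to "
    r"\[(?P<dst>[0-9a-fA-F.:]+)\]:(?P<dport>\d+).*Connection attempt to closed port")

# Constructed sample log; addresses are taken from documentation ranges.
SAMPLE_LOG = """\
Mar 17 10:02:11 DMZ kernel: TCP: [203.0.113.5]:51234 to [198.51.100.22]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Mar 17 10:02:11 DMZ kernel: TCP: [203.0.113.5]:51235 to [198.51.100.22]:135 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Mar 17 10:02:12 DMZ kernel: TCP: [203.0.113.5]:51236 to [198.51.100.22]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Mar 17 10:02:12 DMZ kernel: TCP: [203.0.113.5]:51237 to [198.51.100.22]:3389 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Mar 17 10:03:40 DMZ kernel: TCP: [192.0.2.77]:40001 to [198.51.100.22]:8080 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Mar 17 10:03:41 DMZ sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

# Assumed threshold: this many distinct closed ports from one source within
# the window being examined is treated as a sweep worth investigating.
SCAN_PORT_THRESHOLD = 3

def parse_in_vain(log_text):
    """Return {source_ip: set(destination ports)} built from log_in_vain messages."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # non-matching lines (sshd etc.) are simply skipped
            hits[m.group("src")].add(int(m.group("dport")))
    return dict(hits)

def suspected_sweeps(log_text, threshold=SCAN_PORT_THRESHOLD):
    """Sources that hit at least `threshold` distinct closed ports, with those ports."""
    return {src: sorted(ports) for src, ports in parse_in_vain(log_text).items()
            if len(ports) >= threshold}
```

Pipe `tail -f /var/log/messages` into a small wrapper around `suspected_sweeps` to get the same summary live.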
