Customer Gear Configuration Examples

Linux / GRE / Netplan – Using Lectron IP Addresses

This setup is for a Linux distribution that uses netplan. It creates the GRE tunnel, the bridge that carries the Lectron-provided IP addresses, and the policy-based route (table 100) that sends traffic sourced from those addresses back over the tunnel, so that traffic to and from the protected addresses is routed symmetrically instead of returning over the carrier link.


network:
  version: 2
  renderer: networkd
  ethernets:
    enp33s0:
      addresses:
        - {gre_endpoint}/32
      routes:
        - on-link: true
          to: 0.0.0.0/0
          via: {carrier_next_hop}
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
          - 1.0.0.1
          - 8.8.4.4
  bridges:
    br0:
      addresses:
        - {Lectron_subnet}/{Lectron_subnet_size}
      routing-policy:
        - from: {Lectron_subnet}/{Lectron_subnet_size}
          table: 100
  tunnels:
    Lectron0:
      mode: gre
      local: {gre_endpoint}
      remote: {Lectron_gre_endpoint}
      addresses:
        - {customer_inner_addr}/30
      routes:
        - to: 0.0.0.0/0
          via: {Lectron_inner_addr}
          table: 100

Linux / GRE / Networkd – Using Lectron IP Addresses

This stanza is written for ifupdown (/etc/network/interfaces); a host that uses systemd-networkd should use the netplan example above instead. It creates the GRE tunnel, adds the protected /32 to it, and installs the rule and table-123 default route so that traffic sourced from the protected IP returns over the tunnel rather than the carrier link.

auto Lectron
iface Lectron inet tunnel
        address {customer_inner_addr}
        netmask 255.255.255.252
        mode gre
        mtu 1440
        endpoint {Lectron_gre_endpoint}
        local {customer_gre_endpoint}
        ttl 255
        # table 123 holds a default route over the tunnel; the rule applies it only
        # to traffic sourced from the protected IP, which is also bound to the tunnel
        post-up ip route add 0.0.0.0/0 via {Lectron_inner_addr} table 123
        post-up ip rule add from {protected_ip}/32 table 123
        post-up ip address add {protected_ip}/32 dev Lectron
        pre-down ip route del 0.0.0.0/0 via {Lectron_inner_addr} table 123
        pre-down ip rule del from {protected_ip}/32 table 123

Linux / IP6TNL – Using Lectron IP Addresses

This example creates an IP6TNL (IPv4-in-IPv6) tunnel and a bridge so that you can use the Lectron-provided public network and route its traffic symmetrically over the tunnel. NOTE: this setup does not persist across reboots; put the commands in a startup script that runs at boot to apply the configuration.


#!/bin/sh
# IPv4-in-IPv6 tunnel carrying the inner /30
ip link add name Lectron-tunnel type ip6tnl local {{ client_gre_endpoint_v6 }} remote {{ Lectron_gre_endpoint_v6 }} mode any
ip addr add {{ customer_inner_addr_v4 }}/30 dev Lectron-tunnel
ip link set dev Lectron-tunnel mtu 1452
ip link set dev Lectron-tunnel up
# Name routing table 123; the number must match the rule and routes below
echo "123 custom" >> /etc/iproute2/rt_tables
# Bridge that carries the Lectron-provided public network
ip link add name br0 type bridge
ip link set dev br0 up
ip addr add {{ Lectron_public_network_firstip_v4 }}/{{ subnet_length }} dev br0
# Policy routing: traffic sourced from the public network leaves via the tunnel,
# except traffic for the public network itself, which stays on br0
ip route add 0.0.0.0/0 via {{ Lectron_inner_addr_v4 }} dev Lectron-tunnel table 123
ip route add {{ Lectron_public_network_v4 }}/{{ subnet_length }} dev br0 table 123
ip rule add from {{ Lectron_public_network_v4 }}/{{ subnet_length }} table 123
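The policy routing in both Linux examples above (the ifupdown post-up hooks and this ip6tnl script) only works when three things agree: the rule's source prefix, the table number it selects, and the default route installed in that table. If they drift apart, replies from the protected addresses silently fall back to the main table and leave over the carrier link, which is exactly the asymmetric path the tunnel is meant to avoid. The following checker is an added example, not Lectron's code: it parses a script of `ip` commands (plain lines or lines prefixed with post-up), collects rules, per-table routes, interface addresses and rt_tables names, and reports a rule whose table has no default route, a next hop that is not on-link for its device, a source prefix no interface holds, a misspelled rt_tables path, and a table name that is declared but never used. The sample scripts, their names (GOOD_SCRIPT, BROKEN_SCRIPT) and all addresses in them are constructed documentation values.

```python
"""Consistency checks for a policy-based-routing setup written as `ip` commands.

Added example (not part of Lectron's configuration pages). All addresses
below are constructed documentation values.
"""
import shlex
from collections import defaultdict
from ipaddress import ip_address, ip_interface, ip_network

RT_TABLES = "/etc/iproute2/rt_tables"
DEFAULTS = {"default", "0.0.0.0/0", "::/0"}


def parse(script):
    """Collect rules, routes per table, addresses per device and rt_tables names."""
    rules, routes, addrs, names, findings = [], defaultdict(list), defaultdict(list), {}, []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] in ("post-up", "pre-up", "up"):      # ifupdown hook prefix
            tok = tok[1:]
        if tok[0] == "echo" and ">>" in tok:          # echo "<num> <name>" >> rt_tables
            path = tok[-1]
            if path != RT_TABLES:
                findings.append(f"table name written to {path}, expected {RT_TABLES}")
            num, name = " ".join(tok[1:tok.index(">>")]).split()[:2]
            names[name] = num
            continue
        if tok[0] != "ip" or len(tok) < 4 or tok[2] != "add":
            continue
        if tok[1] == "rule":                          # ip rule add from SRC table T
            kv = dict(zip(tok[3::2], tok[4::2]))
            if "from" in kv and "table" in kv:
                rules.append((kv["from"], kv["table"]))
        elif tok[1] == "route":                       # ip route add DST [via GW] [dev D] [table T]
            kv = dict(zip(tok[4::2], tok[5::2]))
            routes[kv.get("table", "main")].append({"dst": tok[3], **kv})
        elif tok[1].startswith("addr"):               # ip addr add ADDR/LEN dev D
            kv = dict(zip(tok[4::2], tok[5::2]))
            addrs[kv.get("dev", "?")].append(tok[3])
    return rules, routes, addrs, names, findings


def _nets(addr_list, version):
    """Networks of the given IP version covered by the configured addresses."""
    return [ip_interface(a).network for a in addr_list if ip_interface(a).version == version]


def check(script):
    """Return a list of findings; an empty list means the setup is consistent."""
    rules, routes, addrs, names, findings = parse(script)
    all_addrs = [a for alist in addrs.values() for a in alist]
    used_tables = {t for _, t in rules} | set(routes)
    for name, num in names.items():
        if num not in used_tables:
            findings.append(f"rt_tables entry '{num} {name}' is never used by a rule or route")
    for src, table in rules:
        src_net = ip_network(src, strict=False)
        if not any(src_net.subnet_of(n) for n in _nets(all_addrs, src_net.version)):
            findings.append(f"rule source {src} is not configured on any interface")
        defaults = [r for r in routes.get(table, []) if r["dst"] in DEFAULTS]
        if not defaults:
            findings.append(f"rule 'from {src} table {table}' has no default route in table {table}; "
                            f"replies from {src} fall back to the main table (asymmetric)")
        for r in defaults:
            if "via" not in r:
                continue
            gw = ip_address(r["via"])
            candidates = addrs.get(r["dev"], []) if "dev" in r else all_addrs
            if not any(gw in n for n in _nets(candidates, gw.version)):
                findings.append(f"next hop {r['via']} in table {table} is not on-link for "
                                f"{r.get('dev', 'any interface')}")
    return findings


# Constructed sample (documentation prefixes, not real Lectron addresses).
GOOD_SCRIPT = """
ip link add name Lectron-tunnel type ip6tnl local 2001:db8:1::2 remote 2001:db8:1::1 mode any
ip addr add 10.255.0.2/30 dev Lectron-tunnel
ip link set dev Lectron-tunnel mtu 1452
ip link set dev Lectron-tunnel up
echo "123 custom" >> /etc/iproute2/rt_tables
ip link add name br0 type bridge
ip link set dev br0 up
ip addr add 192.0.2.1/24 dev br0
ip route add 0.0.0.0/0 via 10.255.0.1 dev Lectron-tunnel table 123
ip route add 192.0.2.0/24 dev br0 table 123
ip rule add from 192.0.2.0/24 table 123
"""

# The same script with two common copy-paste mistakes: a misspelled rt_tables
# path and a rule pointing at table 100 while the default route lives in 123.
BROKEN_SCRIPT = GOOD_SCRIPT.replace("rt_tables", "rt_table").replace(
    "from 192.0.2.0/24 table 123", "from 192.0.2.0/24 table 100")

if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("broken", BROKEN_SCRIPT)):
        print(f"{label}: {check(script) or ['ok']}")
```

Run it against your own boot script before a maintenance window; the same checks apply to the post-up lines of the ifupdown stanza, since the parser strips that prefix.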
 

Cisco ASR with PBR


! BGP session to Lectron over the tunnel; the route-maps Lectron_NETWORK (in)
! and Lectron-Network-396998 (out) must be defined separately
router bgp {customer_asn}
 neighbor {Lectron_inner_addr} remote-as 396998
 neighbor {Lectron_inner_addr} soft-reconfiguration inbound
 neighbor {Lectron_inner_addr} route-map Lectron_NETWORK in
 neighbor {Lectron_inner_addr} route-map Lectron-Network-396998 out
!
interface Tunnel2
 description Lectron Network
 ip address {customer_inner_addr} 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1360
 tunnel source {customer_gre_endpoint}
 tunnel destination {Lectron_gre_endpoint}
 tunnel path-mtu-discovery
!
! PBR: traffic sourced from the protected prefix is forced back over the tunnel
ip access-list extended acl-Lectron
 permit ip {customer_prefix} 0.0.0.255 any
!
route-map rmap-Lectron permit 10
 match ip address acl-Lectron
 set ip next-hop {Lectron_inner_addr}
!
interface FortyGigabitEthernet0/2/0
 ip policy route-map rmap-Lectron
 

Juniper MX


set chassis fpc 1 pic 3 tunnel-services
set interfaces gr-1/3/0 description "GRE :: Lectron :: Remote Anti-DDoS"
set interfaces gr-1/3/0 unit 11 tunnel source {carrier_ip}
set interfaces gr-1/3/0 unit 11 tunnel destination {Lectron_gre_endpoint}
set interfaces gr-1/3/0 unit 11 family inet address {customer_gre_inner}/30
set protocols bgp group LectronNETWORK type external
set protocols bgp group LectronNETWORK import POL-REJECT-ALL
set protocols bgp group LectronNETWORK export POL-LectronNETWORK-EXPORT
set protocols bgp group LectronNETWORK peer-as 396998
set protocols bgp group LectronNETWORK neighbor {Lectron_inner_addr}
set policy-options policy-statement POL-LectronNETWORK-EXPORT term 5-T-TEMP from protocol aggregate
set policy-options policy-statement POL-LectronNETWORK-EXPORT term 5-T-TEMP then next term
set policy-options policy-statement POL-LectronNETWORK-EXPORT term 10-T-LAUNDRY from prefix-list PL-UNDERATTACK
set policy-options policy-statement POL-LectronNETWORK-EXPORT term 10-T-LAUNDRY then accept
set policy-options policy-statement POL-LectronNETWORK-EXPORT term LAST then reject
 

VYOS


set interfaces tunnel tun0 address {customer_inner}/30
set interfaces tunnel tun0 description 'Lectron.net tunnel'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 source-address {wan_addr}
set interfaces tunnel tun0 remote {customer_anycast_ip}
set interfaces tunnel tun0 mtu 1460
set interfaces {wan_interface} address {wan_addr}
set protocols static route 0.0.0.0/0 next-hop {Lectron_inner}
set protocols static route {customer_anycast_ip}/32 next-hop {carrier_gateway}
set protocols bgp local-as {customer_asn}
set protocols bgp parameters router-id '{customer_inner_32}'
set protocols bgp neighbor {provider_inner_32} ebgp-multihop '2'
set protocols bgp neighbor {provider_inner_32} remote-as '396998'
set protocols bgp neighbor {provider_inner_32} update-source '{customer_inner_32}'
set protocols bgp address-family ipv4-unicast network '{customer_provided_network}'
set policy prefix-list {customer_asn}-IN rule 10 action 'deny'
set policy prefix-list {customer_asn}-IN rule 10 prefix '{provider_learned_networks}'
set policy prefix-list {customer_asn}-OUT rule 10 action 'permit'
set policy prefix-list {customer_asn}-OUT rule 10 prefix '{customer_advertised_networks}'
set policy route-map {customer_asn}-IN rule 10 action 'deny'
set policy route-map {customer_asn}-IN rule 10 match ip address prefix-list '{customer_asn}-IN'
set policy route-map {customer_asn}-OUT rule 10 action 'permit'
set policy route-map {customer_asn}-OUT rule 10 match ip address prefix-list '{customer_asn}-OUT'
set protocols bgp neighbor {provider_inner_32} address-family ipv4-unicast route-map export '{customer_asn}-OUT'
set protocols bgp neighbor {provider_inner_32} address-family ipv4-unicast route-map import '{customer_asn}-IN'
set protocols static route {customer_advertised_networks} blackhole distance '254'
commit
save

Bird


log syslog all;
router id {customer_inner};

# Interface scanning so BIRD can bind the BGP session to the tunnel address
protocol device {
        scan time 10;
}

# The protected prefix is held as a blackhole so that BGP can announce it; with
# no kernel protocol it stays in BIRD's table only and does not affect forwarding
protocol static {
        ipv4;
        route {customer_prefix} blackhole;
}

protocol bgp Lectrontunnel {
        local {customer_inner} as {customer_asn};
        neighbor {Lectron_inner} as 396998;
        multihop;
        ipv4 {
                import all;
                export all;
        };
}
 

Netgate / pfSense

The first thing to check when working with a Netgate router running pfSense is the Package Manager. In order to run BGP you need to install the FRR package (FRR Routing Daemon for BGP, OSPF and OSPF6).

NOTE: This package conflicts with the following:

  • Quagga OSPF
  • OpenBGPD

  1. After the package is installed, go to Interfaces and create a new GRE tunnel. The Parent Interface should be the WAN interface. Remote Address is the public IP of the Lectron interface on which the GRE tunnel is configured. Under IPv4, set the local and remote internal tunnel addresses and their subnet. Set the Description to “Lectron Tunnel”.

  2. Then navigate to Services/FRR/BGP.

  3. Under BGP do the following: enable BGP, set the local AS, then specify the networks to distribute at the bottom and any route maps that need to be set. Then hit Save.

  4. Navigate to Services/FRR/Global Settings/Prefix Lists and add a new one. IP Type is IPv4, Name is LectronOutACL, and the Prefix List Entries are as follows: Sequence 10, Action Permit, Network is the network being announced (if applicable). Then hit Save.

  5. Now select and configure Route Maps. The first one you create is as follows: Name LectronInRmap, Action Deny, Sequence 10; save the route map. The next route map is as follows: Name LectronOutRmap, Action Permit, Sequence 10, Match Prefix List IPv4: LectronOutACL; then save. Once again the BGP session will reset as the changes are written to memory.

  6. Next navigate to Neighbors and add a new neighbor entry. In General Options, set the Name/Address to the Lectron tunnel endpoint (this should be an RFC 1918 address) and set the description to “Lectron Tunnel”. Set the peer group if needed. Next go to Basic Options and set the Remote AS (Lectron ASN 396998), set the Update Source to IPv4 and the Local Source of BGP Updates to the “Lectron Tunnel” GRE interface. Enable Send Community if there is one, and enable Next Hop Self. Set the Route Map Filters to Inbound LectronInRmap and Outbound LectronOutRmap. Lastly, check “Enforce EBGP neighbors perform multihop”. Click Save; the BGP session will reset after the changes are written to memory.

  7. The last thing to do before you begin testing and troubleshooting is to set up several firewall rules on the Lectron tunnel interface. The first one: Action Pass, Interface Lectron, Address Family IPv4, Protocol TCP, Source Single host or alias with the IP of the internal Lectron GRE tunnel endpoint, Destination Single host or alias with the internal client-side IP of the GRE tunnel, port BGP (179) for both source and destination. Description can be set to Overlay BGP. Click Save and move on to the next rule. The next rule allows ICMP over the tunnel for testing: Action Pass, Interface Lectron, Address Family IPv4, Protocol ICMP with subtype Echo Request. Source is the Lectron internal GRE tunnel IP and Destination is the customer internal GRE tunnel IP. Set the Description to “Overlay Ping” and save. You may also need a rule for whatever endpoints are needed on the Lectron GRE tunnel if the customer is behind a NAT.

  8. Once you have completed the configuration you can troubleshoot by choosing Status and viewing the different BGP logs. You can also go to Diagnostics/Ping and try to ping the other side of the GRE tunnel.

