Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: Two border nodes, no ASN  (Read 94 times)

ciroiriarte

  • Newbie
  • *
  • Posts: 1
Two border nodes, no ASN
« on: April 04, 2020, 10:16:57 PM »

Hello,

On my home lab I have two firewalls as border (VMs running OPNSense). I don't have my own ASN, unluckily so I cannot run a BGP tunnel.

What would be the best option to integrate my LAN using two tunnels for redundancy?
Logged

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • *****
  • Posts: 962
Re: Two border nodes, no ASN
« Reply #1 on: April 05, 2020, 05:24:25 AM »

In such a configuration you will have a separate prefix from each tunnel. Assuming both of your routers send advertisements on the LAN you will end up with each device on the LAN having IP addresses from each prefix.

The ideal way to get redundancy in such a configuration is that each client device simply keep track of which IP addresses it got from which router. When the device needs to send packets through the default route it will look at the source IP address and send it through the router from which it got that IP address. If the devices do that, then applications running on the device can try both routers by creating two sockets which it binds to different local IP addresses before attempting to establish connections to the server.

In reality you cannot expect to see this ideal behavior with current implementations. More likely applications won't try multiple addresses and will rather just let the kernel pick a single one. And packets will likely be routed to the same router regardless of which source IP address is being used. And there is a high probability the tunnel provider will drop packets using IP addresses from the other tunnel. If you are lucky the kernel's choice of IP address matches its choice of gateway.

You can work around the dropped packets by configuring policy routing on both routers. Packets with a source IP belonging to the other router need a default route sending them to the other router. All other packets will need a default route sending them through the tunnel. The rest of the routing table just needs to be identical for all packets. Only the default route needs to depend on policy.
Logged