I'm having trouble configuring BGP on our UTM software appliance (9.601-5). It seems that I am missing something basic, so I hope someone can push me in the right direction.
Our provider has provided us with information that resulted in the following setup:
- BGP neighbor with ASN and IP address, no authentication or anything else defined --> works
- Local router ID (under Global) and local AS number -->works
- Subnet to be used as WAN range is bound to local interface that is connected to the CPE.
- Local IP address (same as local router ID) bound to same local interface as virtual IP
With BGP active, I can see that we can connect, BGP summary shows status up and traffic is shown.
However, I cannot connect to any IP address on the WAN range (e.g. ping) or ping from the UTM to any external address.
It must be something I am missing. Any help is appreciated. If more information is needed, please let me know.
Hoi Karl-Heinz and welcome to the UTM Community!
Please show pictures of your configuration including pictures of the Edits of the objects used.
Cheers - Bob
Glad to be back :)
Hope these pictures are sufficient:
BGP neighbor definition:
Default originate was set after studying the video on https://www.youtube.com/watch?v=4Od4iqSMvd0
Router ID is the IP address from the assigned subnet that should be used for internet traffic
BGP WAN is what should connect to internet via BGP
I thought this was necessary (these are the two IP addresses used by our node and Neighbor).
What I am trying to do, after successfully connecting to the neighbor, is to use the 126.96.36.199/28 subnet to communicate with the outside world.
Everything looks OK, BGP Neighbor shows:
BGP neighbor is 188.8.131.52, remote AS 6830, local AS 65000, external link
  BGP version 4, remote router ID 184.108.40.206
  BGP state = Established, up for 00:00:08
  Last read 00:00:08, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    4 Byte AS: advertised and received
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
    Graceful Restart Capabilty: advertised
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                2          2
    Keepalives:             2          1
    Route Refresh:          0          0
    Capability:             0          0
    Total:                  5          4
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor(both)
  Default information originate, default sent
  1 accepted prefixes

  Connections established 1; dropped 0
  Last reset never
Local host: 220.127.116.11, Local port: 53423
Foreign host: 18.104.22.168, Foreign port: 179
Nexthop: 22.214.171.124
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off
BGP table version is 0, local router ID is 126.96.36.199
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          188.8.131.52                  100      0 6830 6830 i
*> 184.108.40.206/28 0.0.0.0                 0    100  32768 i
*> 172.30.0.0       0.0.0.0                  0    100  32768 i

Total number of prefixes 3
I must be doing something basic wrong with routing, but I can't figure it out yet. ip route on the UTM shows no default GW; it seems that that should be it (hopefully).
Additional information: I can reach the UTM from outside, so a ping / traceroute from an external address (to 220.127.116.11) works. The only thing I am still not able to figure out is how to get my UTM to communicate with the outside world. It now uses the Neighbor address as a gateway, which is not what it should be.
Finally got it working.
The answer was to change our masquerade rules. Normally, we would masquerade all internal networks to use the primary address. However, when using BGP, it seems that this address is set to the local BGP ip address, which is a non-routable address.
We defined an additional address on the network card, and changed the masquerade address to that IP. Worked like a charm :)
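The resolution above comes down to two checks on the BGP table: a default route has actually been learned from the neighbor, and the address the masquerade rule uses as its source lies inside a prefix that this router itself originates towards the provider (otherwise return traffic has no route back). The script below is an added example, not code from the thread or from Sophos; it parses a constructed "show ip bgp" table in the Quagga layout the UTM prints (documentation addresses 203.0.113.0/28 and 198.51.100.0/24 stand in for the thread's real ones, and the function names are my own) and runs both checks.

```python
import ipaddress
import re

# Constructed sample in the layout of the UTM's "show ip bgp" output (Quagga style).
# The addresses are documentation ranges, not the ones from the thread.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 0, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          198.51.100.1                  100      0 64496 64496 i
*> 203.0.113.0/28   0.0.0.0                  0    100  32768 i
*> 172.30.0.0       0.0.0.0                  0    100  32768 i

Total number of prefixes 3
"""

# Only best routes ("*>") matter for forwarding; capture network and next hop.
ROUTE_LINE = re.compile(r"^\*>\s+(\S+)\s+(\S+)")

# Addresses the provider will never route back to us (RFC 1918, loopback, link-local).
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def classful_network(token):
    """Quagga prints a bare address when the prefix length equals the classful mask."""
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    if token == "0.0.0.0":
        length = 0
    else:
        first = int(token.split(".")[0])
        length = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{token}/{length}", strict=False)


def parse_best_routes(text):
    """Return a list of (network, next_hop) for every best (*>) entry in the table."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            routes.append((classful_network(m.group(1)),
                           ipaddress.ip_address(m.group(2))))
    return routes


def received_default_next_hop(routes):
    """Next hop of a default route learned from a peer, or None if none was received."""
    for net, nh in routes:
        if net.prefixlen == 0 and not nh.is_unspecified:
            return str(nh)
    return None


def locally_originated(routes):
    """Prefixes this router injects itself (Quagga shows next hop 0.0.0.0 for them)."""
    return [net for net, nh in routes if nh.is_unspecified]


def nat_source_is_routable(routes, source):
    """True if a masquerade/SNAT source address is publicly routable back to us:
    it must not be private and must fall inside a prefix we originate to the peer."""
    addr = ipaddress.ip_address(source)
    if any(addr in net for net in NON_ROUTABLE):
        return False
    return any(addr in net for net in locally_originated(routes))


if __name__ == "__main__":
    table = parse_best_routes(SAMPLE_SHOW_IP_BGP)
    print("default via:", received_default_next_hop(table))
    print("originated :", [str(n) for n in locally_originated(table)])
    for candidate in ("203.0.113.5", "172.30.0.1", "198.51.100.2"):
        print(candidate, "usable as NAT source:", nat_source_is_routable(table, candidate))
```

Run against the sample, the default route is present via 198.51.100.1, 203.0.113.5 (inside the advertised /28) is a valid masquerade source, while 172.30.0.1 (private) and 198.51.100.2 (on the peering link but not advertised) are rejected, which is exactly the distinction the final post makes between the BGP link address and the additional WAN-range address.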