e7bd29ac1e32ac96835ff5a4e092480dd0233a9c
howto/networksettings.md
| ... | ... | @@ -43,4 +43,32 @@ but responses are fowarded via your network. This will prevent conntrack from as |
| 43 | 43 | and your firewall will drop it if it is configured to drop packets with invalid state. |
| 44 | 44 | |
| 45 | 45 | |
| 46 | -Happy Routing! |
|
| 46 | +## Avoiding Issues with Peer Addressing |
|
| 47 | + |
|
| 48 | +When configuring BGP peers in dn42, be cautious about using DN42 IP addresses as peer addresses, particularly in the following scenario: |
|
| 49 | +- You are NOT using extended next hop |
|
| 50 | +- You ARE using the same IP for other services |
|
| 51 | + |
|
| 52 | +### The Problem |
|
| 53 | +If your peering link goes down (while the interface remains configured), your peer may have a static route for your service IP via the non-functional tunnel interface. This can make your services inaccessible, even if you have other working peers, because: |
|
| 54 | +- The static route typically has higher priority than BGP routes |
|
| 55 | +- Wireguard interfaces don't automatically go down when peers are unreachable |
|
| 56 | +- Traffic might be routed through peers with broken static routes |
|
| 57 | + |
|
| 58 | +This is especially likely to occur if your peers are major transit providers within DN42. |
|
| 59 | + |
|
| 60 | +### Solutions |
|
| 61 | +To avoid this issue, use one of these approaches: |
|
| 62 | +1. Use extended next hop in BGP configuration |
|
| 63 | +2. Use non-DN42 addresses for BGP peering |
|
| 64 | +3. Use different IPs for services than for peering |
|
| 65 | +4. De-couple services from specific nodes |
|
| 66 | + |
|
| 67 | +### Other Non-Trivial Pitfalls |
|
| 68 | +- **MTU issues with anycast services**: Using higher than minimum MTU for anycasted services can cause issues because path MTU discovery doesn't work properly with anycast. Since different anycast points of presence (POPs) may be reached during discovery attempts, the path MTU detection can fail, leading to packet fragmentation or drops. |
|
| 69 | + |
|
| 70 | +- **accept_local sysctl settings**: When running anycast services on routers, ensure the accept_local sysctl is enabled. Without this setting, a router might drop transit traffic from other origins that has the anycasted IP as the source address, breaking connectivity through your network for those services. |
|
| 71 | + |
|
| 72 | +- **Inadequate source IP filtering**: Services with public internet access require careful source IP filtering. For example, a DNS server in DN42 might receive requests with spoofed source IPs from inside DN42 that appear to come from public internet addresses. Without proper filtering, your server could respond to these spoofed requests, potentially participating in reflection attacks or exposing internal services to the public internet. |
|
| 73 | + |
|
| 74 | +Happy Routing! |
|
| ... | ... | \ No newline at end of file |