# Send log messages of every class to syslog.
log syslog all;
# Router ID used by the routing protocols; the placeholder must be replaced
# with the host's WAN IPv4 address.
router id xxx.xxx.xxx.xxx; # WAN IPv4 Address
# The Device protocol is not a real routing protocol. It does not generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel. It is necessary in almost any configuration.
protocol device {
    # No options are set here, so BIRD's defaults apply.
}
# The direct protocol is not a real routing protocol. It automatically generates
# direct routes to all network interfaces. Can exist in as many instances as you
# wish if you want to populate multiple routing tables with direct routes.
# Assign IP address in announced prefix(es) to the interface listed below
protocol direct direct1 {
    # Generates direct routes for the addresses configured on dummy0 only.
    # The kernel export filter in this file matches on the protocol name
    # "direct1", so renaming this instance means updating that filter too.
    ipv4; # Remove if not announcing IPv4 prefixes
    ipv6; # Remove if not announcing IPv6 prefixes
    interface "dummy0";
}
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD
# routing tables with the OS kernel. One instance per table.
protocol kernel {
    # Only an ipv4 channel is configured in this instance; nothing in this
    # block synchronises IPv6 routes with the kernel.
    ipv4 {
        # table master4; # Default IPv4 table is master4
        # import all; # Import to table, default is import all
        # export all; # Export to protocol. default is export none

        # Install every route from the table into the kernel except the ones
        # generated by direct1 (presumably because the kernel already holds
        # the connected routes for dummy0 - confirm).
        export where proto != "direct1";
    };
    # learn; # Learn alien routes from the kernel
    # kernel table 10; # Kernel table to synchronize with (default: main)
}
protocol static {
    ipv4; # import to master4 table
    # This default route sits in master4, the same table the BGP ipv4 channel
    # exports from, so a BGP export filter has to exclude it explicitly or it
    # can be offered to the upstream.
    route 0.0.0.0/0 via xxx.xxx.xxx.xxx; # default IPv4 gateway
}
protocol static {
    ipv6; # import to master6 table
    # This default route sits in master6, the same table the BGP ipv6 channel
    # exports from, so a BGP export filter has to exclude it explicitly or it
    # can be offered to the upstream.
    route ::/0 via xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx; # default IPv6 gateway
}
###############################################################################################
# RPKI filtering
###############################################################################################
# ROA tables: filled by the rpki protocol and read by roa_check() in the
# is_v4_rpki_invalid / is_v6_rpki_invalid functions of this file.
roa4 table r4;
roa6 table r6;
protocol rpki {
    # Received ROAs are stored in r4 (IPv4) and r6 (IPv6).
    roa4 { table r4; };
    roa6 { table r6; };
    # RTR cache (validator) to fetch ROAs from. No transport is configured, so
    # the session uses BIRD's default, unprotected TCP: anything able to tamper
    # with that connection can alter the ROA set the filters rely on. Keep the
    # validator on a trusted path, or configure the SSH transport instead.
    remote "rtr.fqdn" port 8282; # RPKI filtering host
    # "keep" pins each timer to the local value instead of the one the cache
    # server sends.
    retry keep 90;
    refresh keep 900;
    # Records are dropped after 172800 s (48 h) without a successful refresh.
    # Once the tables are empty roa_check() can no longer return ROA_INVALID,
    # so the filters accept everything: monitor the RTR session state.
    expire keep 172800;
}
function is_v4_rpki_invalid()
{
    # True only when ROAs in r4 cover the route's prefix but none of them
    # matches its origin, taken as the last non-aggregated ASN of the BGP path.
    # A prefix with no covering ROA is not "invalid" and yields false, so this
    # check fails open when r4 is empty.
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID then
        return true;
    return false;
}
function is_v6_rpki_invalid()
{
    # True only when ROAs in r6 cover the route's prefix but none of them
    # matches its origin, taken as the last non-aggregated ASN of the BGP path.
    # A prefix with no covering ROA is not "invalid" and yields false, so this
    # check fails open when r6 is empty.
    if roa_check(r6, net, bgp_path.last_nonaggregated) = ROA_INVALID then
        return true;
    return false;
}
###############################################################################################
# BGP Sessions
###############################################################################################
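protocol bgp AS53667v4 {
    description "Frantech Solutions v4";
    local xxx.xxx.xxx.xxx as XXXXXX; # WAN IPv4 address and client ASN
    neighbor 169.254.169.179 as 53667; # Neighbour IPv4 address and ASN
    # The neighbour is not directly connected; allow a path of up to 2 hops.
    # NOTE(review): if the upstream enables GTSM on its side as well,
    # "ttl security" narrows which packets can reach this session.
    multihop 2;
    # TCP MD5 session secret, stored in clear text: keep this file readable
    # only by root and the BIRD user, and keep the real value out of version
    # control and pasted configs.
    password "yyyyyyyyyy"; # BGP Session Password
    hold time 90;
    keepalive time 30;
    graceful restart;
    ipv4 {
        # Announce only the prefixes originated by direct1 (addresses assigned
        # to dummy0). master4 also holds the static default route, and an
        # accept-by-default export filter would not exclude it, so everything
        # that does not come from direct1 is rejected first.
        # NOTE(review): direct routes carry no BGP path; confirm that the
        # roa_check() inside is_v4_rpki_invalid() gives the intended result
        # for your own prefixes.
        export filter {
            if proto != "direct1" then reject;
            if is_v4_rpki_invalid() then reject;
            accept;
        };
        # Rejected routes stay in memory so they can be inspected
        # ("show route filtered").
        import keep filtered;
        # Only RPKI-invalid routes are dropped; routes with no covering ROA
        # are accepted.
        # NOTE(review): no bogon, own-prefix or prefix-length checks and no
        # import limit are set here; add them unless the upstream is trusted
        # to filter.
        import filter {
            if is_v4_rpki_invalid() then reject;
            accept;
        };
    };
}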
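protocol bgp AS53667v6 {
    description "Frantech Solutions v6";
    local xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx as XXXXXX; # WAN IPv6 address and client ASN
    neighbor 2605:6400:ffff::2 as 53667; # Neighbour IPv6 address and ASN
    # The neighbour is not directly connected; allow a path of up to 2 hops.
    # NOTE(review): if the upstream enables GTSM on its side as well,
    # "ttl security" narrows which packets can reach this session.
    multihop 2;
    # TCP MD5 session secret, stored in clear text: keep this file readable
    # only by root and the BIRD user, and keep the real value out of version
    # control and pasted configs.
    password "yyyyyyyyyy"; # BGP Session Password
    hold time 90;
    keepalive time 30;
    graceful restart;
    ipv6 {
        # Announce only the prefixes originated by direct1 (addresses assigned
        # to dummy0). master6 also holds the static default route, and an
        # accept-by-default export filter would not exclude it, so everything
        # that does not come from direct1 is rejected first.
        # NOTE(review): direct routes carry no BGP path; confirm that the
        # roa_check() inside is_v6_rpki_invalid() gives the intended result
        # for your own prefixes.
        export filter {
            if proto != "direct1" then reject;
            if is_v6_rpki_invalid() then reject;
            accept;
        };
        # Rejected routes stay in memory so they can be inspected
        # ("show route filtered").
        import keep filtered;
        # Only RPKI-invalid routes are dropped; routes with no covering ROA
        # are accepted.
        # NOTE(review): no bogon, own-prefix or prefix-length checks and no
        # import limit are set here; add them unless the upstream is trusted
        # to filter.
        import filter {
            if is_v6_rpki_invalid() then reject;
            accept;
        };
    };
}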