Routing domains

From securityrouter.org, an OpenBSD-based firewall

The concept of routing domains (rdomain) can be described as having multiple routing tables (rtable) within the router, and attaching interfaces to these tables. It is similar to what other vendors refer to as Virtual/VPN Routing and Forwarding (VRF).

Having multiple routing tables can be useful in some scenarios. It allows for

  • the router to be configured with overlapping IP subnets
  • isolated "islands" consisting of one or more interfaces, with the firewall as "bridges" between them
  • MPLS VPNs based on MPLS provider edge interfaces, LDP and BGP

Configuration

Since routes are added to interfaces (a route's gateway has to be reachable on that interface), it makes sense that a route inherits the routing table number from its parent interface. In other words, routes belong to the same routing domain as the interface they are configured on. The following example shows two routing domains with one default gateway each (the first interface is implicitly in routing domain zero, since it does not set rdomain).

interface em0 {
   group "primary"
   address 6.6.6.2/30
   route default 6.6.6.1
}
interface em1 {
   group "backup"
   address 1.1.1.2/30
   route default 1.1.1.1
   rdomain 1
}

The example above is not very useful until you configure some services to use, or explicitly forward traffic to, the backup routing domain. Forwarding into a routing domain is done by adding the rtable keyword to a firewall rule (the first rule below). It is also possible to filter on which routing domain a packet belongs to (the second rule below).

firewall {
   ...
   pass in on lan rtable 1 label usebackup
   pass on rdomain 1 label passbackup
}
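As an added example (not part of the original page or of the securityrouter.org project), the following Python script models the two points made above: a route inherits the routing table of the interface it is configured on (rdomain 0 when the block omits it, and the gateway must lie on a subnet attached to that interface), and overlapping subnets are only a conflict within a single routing domain. It parses the interface/firewall block syntax shown on this page with a deliberately simplified parser of my own, not the router's, and also flags firewall rules whose rtable or rdomain number no configured interface uses. The configuration text, including the extra em2/em3 interfaces, is constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the page's configuration syntax (not a real device config).
SAMPLE_CONFIG = """
interface em0 {
   group "primary"
   address 6.6.6.2/30
   route default 6.6.6.1
}
interface em1 {
   group "backup"
   address 1.1.1.2/30
   route default 1.1.1.1
   rdomain 1
}
firewall {
   pass in on lan rtable 1 label usebackup
   pass on rdomain 1 label passbackup
}
"""

# Constructed: 6.6.6.0/30 reused in rdomain 1 (allowed) and again in rdomain 0 (conflict with em0).
OVERLAP_CONFIG = SAMPLE_CONFIG + """
interface em2 {
   address 6.6.6.2/30
   route default 6.6.6.1
   rdomain 1
}
interface em3 {
   address 6.6.6.1/30
   route default 6.6.6.2
}
"""


def parse_config(text):
    """Parse interface and firewall blocks into plain dicts.

    Returns (interfaces, rules): interfaces maps name -> {"rdomain", "addresses", "routes"};
    rules is the list of firewall rule lines. Simplified parser written for this example.
    """
    interfaces, rules = {}, []
    current, in_firewall = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = re.match(r'^interface\s+(\S+)\s*\{$', line)
        if m:
            current = m.group(1)
            # rdomain defaults to 0 when the block does not set it
            interfaces[current] = {"rdomain": 0, "addresses": [], "routes": []}
            continue
        if line == "firewall {":
            in_firewall = True
            continue
        if line == "}":
            current, in_firewall = None, False
            continue
        if current is not None:
            key, _, value = line.partition(" ")
            if key == "address":
                interfaces[current]["addresses"].append(ipaddress.ip_interface(value))
            elif key == "route":
                dest, gw = value.split()
                interfaces[current]["routes"].append((dest, ipaddress.ip_address(gw)))
            elif key == "rdomain":
                interfaces[current]["rdomain"] = int(value)
        elif in_firewall:
            rules.append(line)
    return interfaces, rules


def build_rtables(interfaces):
    """Group routes by routing table; each route inherits the rdomain of its interface."""
    rtables = defaultdict(list)
    for name, iface in interfaces.items():
        for dest, gw in iface["routes"]:
            # the gateway must be on a subnet directly attached to this interface
            if not any(gw in addr.network for addr in iface["addresses"]):
                raise ValueError(f"{name}: gateway {gw} for {dest} is not reachable on the interface")
            rtables[iface["rdomain"]].append((dest, str(gw), name))
    return dict(rtables)


def find_subnet_conflicts(interfaces):
    """Return (iface_a, iface_b) pairs whose subnets overlap inside one routing domain.

    Overlap across different rdomains is allowed; that is what routing domains are for.
    """
    items = [(n, i["rdomain"], a.network) for n, i in interfaces.items() for a in i["addresses"]]
    return [(n1, n2)
            for idx, (n1, rd1, net1) in enumerate(items)
            for n2, rd2, net2 in items[idx + 1:]
            if rd1 == rd2 and n1 != n2 and net1.overlaps(net2)]


def check_rule_references(rules, interfaces):
    """Flag rules whose 'rtable N' / 'rdomain N' names a domain no interface is attached to."""
    known = {i["rdomain"] for i in interfaces.values()}
    return [(rule, kw, int(num))
            for rule in rules
            for kw, num in re.findall(r'\b(rtable|rdomain)\s+(\d+)', rule)
            if int(num) not in known]


if __name__ == "__main__":
    ifaces, fw_rules = parse_config(SAMPLE_CONFIG)
    for rdomain, routes in sorted(build_rtables(ifaces).items()):
        print(f"rtable {rdomain}: {routes}")
    print("unknown rdomain references:", check_rule_references(fw_rules, ifaces))
    print("same-domain overlaps:", find_subnet_conflicts(parse_config(OVERLAP_CONFIG)[0]))
```

Running it prints one routing table per domain (em0's default route lands in rtable 0, em1's in rtable 1), no dangling rtable/rdomain references for the page's two rules, and a single overlap, em0 against em3, because em2's reuse of 6.6.6.0/30 sits in a different routing domain.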