Cannot advertise ipv6 via BGP to ISP - Fixed!

Started by PacketChomper, March 26, 2025, 03:45:36 AM

March 26, 2025, 03:45:36 AM Last Edit: March 29, 2025, 05:48:26 AM by PacketChomper Reason: Problem resolved.
I have a very simple setup on 25.1.3 - it consists of a single /24 ipv4 and a single /48 ipv6 I'm trying to advertise to my ISP.

I have both v4 and v6 CIDRs in the BGP -> General -> Network field and I have the ISP's v4 and v6 Neighbours configured.

Both the v4 and v6 sessions to the ISP come up but only the v4 session sends the /24 network. No matter what I tweak I cannot get the v6 session to advertise the /48 network.

I have tried toggling "Network Import-Check" and tried various prefix lists and route maps. Nothing I toggle seems to cause the /48 to be sent to the remote end. I have also tried advertising just the v6 address, but no difference.

Not that it should matter, but both the v4 and v6 networks are configured on an active interface.

Other information:

1. The ISP is sending down default routes on the v4 and v6 session so the sessions are definitely up and running.

2. I'm tcpdumping the BGP traffic to confirm what is going on.

3. The /48 *is* showing up in the Routing -> Diagnostics -> ipv6 Routing Table but with 'x' under Valid and Best.

4. Oddly the v6 default route received is not showing up under Routing -> Diagnostics -> ipv6 Routing Table but the v4 default route received *is* showing up in the corresponding ipv4 Routing Table.

I can't believe I'm the first person to advertise ipv6 this way, so I presume there is some trick or other that I've missed.

If neither the v4 nor the v6 network was being sent, I'd be happy assuming I've messed up, but that v4 is working makes it harder to understand why v6 is not.

Thoughts or experiences anyone?

Hmm. Perhaps the first question I should ask is, is anyone successfully advertising ipv6 via BGP?

I saw it at a customer recently who peered IPv6 and IPv4 over BGP with default routes by the ISP, but I don't remember the specific configuration.

Essentially it should work.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on March 26, 2025, 10:44:23 AM
I saw it at a customer recently who peered IPv6 and IPv4 over BGP with default routes by the ISP, but I don't remember the specific configuration.

Essentially it should work.

Thanks. Do you recall whether it was a two-way exchange of routes?

I am getting default routes from the ISP correctly for both ipv4 and ipv6. It's me sending my specific networks up to the ISP that is not working for v6 (v4 is fine).

So the distinction between sending and receiving is important in this regard.

March 26, 2025, 07:58:24 PM #4 Last Edit: March 26, 2025, 07:59:58 PM by Monviech (Cedrik)
Sorry I cannot recall if they had to advertise their own networks.

What I imagine is that when you do not have a full internet routing table installed, you do not need to advertise the networks you use?

Shouldn't the ISP advertise them for you since you get the specific networks routed by the ISP to you via BGP and you just install a default route back?

That's all just assumptions, I never created complex BGP setups on my own, there were always BGP experts around doing the actual configuration.
Hardware:
DEC740

If you run with full tables you advertise your own prefixes. Picture you have two uplinks. If one of the lines is offline your prefixes are only announced over the remaining one so all inbound traffic goes to the correct remaining ISP. That's just how the Internet works ;-)

Also confusing: your inbound BGP defines your outbound IP traffic. Your outbound BGP defines your inbound IP traffic. Then there's path prepend/append, MED, ... it's fun and pretty simple once you get to it. Simple and reliable.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech (Cedrik) on March 26, 2025, 07:58:24 PM
Shouldn't the ISP advertise them for you since you get the specific networks routed by the ISP to you via BGP and you just install a default route back?

No. That's the whole point of BGP. I tell my ISP what networks I have at my end and they in turn tell their peers and upstreams.

My network assignments come from my regional registry (not my ISP) so strictly speaking my ISP doesn't even know what networks I'll advertise until they show up in their BGP session. (In practice ISPs do know for filtering and security reasons).

As for accepting the full routing table vs the default routes, that should not affect what I send upstream. Again, this is strictly my ISP telling me which routes they accept.

As I said in the OP, this is about as simple as you can get when it comes to route exchanges over BGP. I'm trying to send one v4/24 and one v6/48 and my ISP is sending defaults for both v4 and v6. Everything is working in both directions *except* my sending of the v6/48.

Quote from: Patrick M. Hausen on March 26, 2025, 08:21:14 PM
Also confusing: your inbound BGP defines your outbound IP traffic. Your outbound BGP defines your inbound IP traffic. Then there's path prepend/append, MED, ... it's fun and pretty simple once you get to it. Simple and reliable.

Right. In this case there is no path prepend/append, MED, communities or any other complexity. It's a straightforward route exchange, but my OPNsense instance is not sending the v6 network for reasons I don't yet understand. But that's the beauty of Open Source. I have a chance to dig into the relevant programs and code if necessary.

March 28, 2025, 10:13:57 AM #8 Last Edit: March 29, 2025, 06:01:51 AM by PacketChomper
Problem solved!

It was fat-fingering on my part. Sorry about the noise.

I reconfigured from scratch with more paranoid filtering rules and to my surprise, my end started sending my v6 network to my ISP, who has now appropriately propagated it out to the rest of the world.

So the good news is that - at least for simple cases like mine - OPNsense is perfectly capable of exchanging v4/v6 routes with other BGP instances.

And thanks to all those who responded. Some of you may or may not have been on the right track, but every post gave me a question to answer and an opportunity to check whether what I was doing was right or not.

Edit: Just to be clear: it wasn't the more paranoid filtering rules that solved the problem. It was that the whole process of re-entering the config serendipitously removed my previous typos that were present in the initial config.
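A pre-flight check for the BGP -> General -> Network entries, as an added example (not code from the thread or from OPNsense). The thread does not say what the typos were, so the mistakes checked here (host bits set, malformed prefix, prefix unrelated to any interface) are assumed ones, and all addresses are constructed documentation prefixes.

```python
import ipaddress

def lint_networks(entries, interface_addrs):
    """Return (entry, problem) pairs for BGP network entries that look mistyped."""
    ifaces = [ipaddress.ip_interface(a).network for a in interface_addrs]
    findings = []
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            # Separate "host bits set" from "not a prefix at all".
            try:
                fixed = ipaddress.ip_network(entry, strict=False)
                findings.append((raw, f"host bits set, did you mean {fixed}?"))
            except ValueError:
                findings.append((raw, "not a valid prefix"))
            continue
        if "/" not in entry:
            findings.append((raw, "no prefix length, parsed as a host route"))
            continue
        # Assumption: as in the poster's setup, an announced prefix should
        # cover (or sit inside) a network configured on a local interface.
        related = [i for i in ifaces
                   if i.version == net.version
                   and (i.subnet_of(net) or net.subnet_of(i))]
        if not related:
            findings.append((raw, "no interface address inside this prefix"))
    return findings

# Constructed sample input: one good v4 entry and three mistyped v6 entries.
SAMPLE_ENTRIES = [
    "192.0.2.0/24",
    "2001:db8:1200::1/48",   # host bits set
    "2001:db8:12OO::/48",    # letter O instead of zero
    "2001:db8:1300::/48",    # wrong digit, matches no interface
]
SAMPLE_INTERFACES = ["192.0.2.1/24", "2001:db8:1200::1/64"]

if __name__ == "__main__":
    for entry, problem in lint_networks(SAMPLE_ENTRIES, SAMPLE_INTERFACES):
        print(f"{entry}: {problem}")
```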

Nice thanks for checking back in. :)
Hardware:
DEC740