Moving your router inside container

Moving your routing
inside container
Marian Marinov <mm@siteground.com>

I'm running 2 routers inside
containers for the past 2 years

Disclaimer:
- my home router have 3 ISPs, two of which with BGP
sessions and I have my own /24 and /56 prefixes
- my office routers have at least two ISPs, BGP and
their own v4 and v6 prefixes

Why would you move your router inside a container?
● Isolating the routing from the other parts of the
system
● Solving problems with non-routed IPs
● Solving problems with wrong outgoing addresses
on multihomed routers
● Simplifying your firewall setup

If your routing table is similar to this:
# ip route show
default via 12.63.16.1 dev eth0
12.63.16.0/24 dev eth0 proto kernel scope link
src 12.63.16.99
127.0.0.0/8 dev lo scope link

If your routing table is similar to this:
# ip route show
default via 12.63.16.1 dev eth0
12.63.16.0/24 dev eth0 proto kernel scope link
src 12.63.16.99
127.0.0.0/8 dev lo scope link
You don't have any problems :)

But the moment you get two or more ISPs,
you get something like this:
root@hydra:~# ip rule list
0: from all lookup local
32761: from 77.104.187.0/24 lookup telepoint
32762: from 194.12.255.42 lookup evolink
32763: from 91.139.184.0/22 lookup bulsat
32764: from 46.40.126.131 lookup bulsat
32765: from 78.142.5.137 lookup bulsat
32766: from all lookup main
32767: from all lookup default

At that point, the problems start to show up:
● Services such as DNS servers choose the
wrong outgoing IP when making outgoing
connections
● Simple commands like ping require
parameters to get the correct result

Moving the router inside its own container
solves this!
By separating the actual routing from the rest
of the services, all services now choose the
correct(working) routes
Now your DNS and/or VPN can not, by accident,
select the wrong source IPs.

So what exactly means to move your router
inside a container?

Let's say you have a machine with 3 Ethernet
cards:
eth0 - your home/office network
eth1 - ISP1
eth2 - ISP2

What you need to do is:
1. create a new netns
# ip netns add router
2. create a veth pair between the host and the new netns
# ip link add veth0 type veth peer name veth1
# ip link set veth1 netns router
# ip netns exec router ip link set veth1 name eth3
3. move all eth devices to the router netns(this will drop the
connectivity)
# for i in {0..2}; do
ip link set eth$i netns router; done
4. setup the IP addresses inside the new netns
5. setup the routing

Now, all traffic that should go trough the VPN
should be routed via eth3 and also your
services, such as DNS should be routed via
eth3.
The firewall becomes much simpler for the
services and for the router, as it is now split
and you would never hit the problems with non-
routable IPs

If you want to put your BGP inside the new
netns, you simply have to start your BGP
daemon(Quagga, Bird, OpenBGPd) inside the
new netns:
# ip netns exec router /bin/bash
# bird

Moving your router inside container

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Moving your router inside container (20)

More from Marian Marinov (20)

Recently uploaded (20)

Moving your router inside container