To quote from Wikipedia:
Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) and IS-IS for Unix-like platforms, particularly Linux, Solaris, FreeBSD and NetBSD.
The Quagga architecture consists of a core daemon (zebra) which is an abstraction layer to the underlying Unix kernel and presents the Zserv API over a Unix-domain socket or TCP socket to Quagga clients.
The Zserv clients typically implement a routing protocol and communicate routing updates to the zebra daemon. Existing Zserv clients are:
ospfd, implementing Open Shortest Path First (OSPFv2)
isisd, implementing Intermediate System to Intermediate System (IS-IS)
ripd, implementing Routing Information Protocol (RIP) version 1 and 2;
ospf6d, implementing Open Shortest Path First (OSPFv3) for IPv6
ripngd, implementing Routing Information Protocol (RIPng) for IPv6
bgpd, implementing Border Gateway Protocol (BGPv4+), including address family support for IP multicast and IPv6
pimd, implementing Protocol Independent Multicast (PIM-SSM) for Source-specific multicast
Additionally, the Quagga architecture has a rich development library to facilitate the implementation of protocol and client software with consistent configuration and administrative behavior.
Google has contributed to improvements to the IS-IS protocol and added BGP multipath support.
The Quagga routing package consists of two modules:
the zebra daemon, and the routing processes (RIP, OSPF, BGP, IS-IS, Babel, OLSR, LDP, BFD)
Zebra daemon
The zebra daemon is an abstraction layer that sits between the system kernel and the running routing processes. Each routing protocol is handled by its own routing daemon.
Quagga is responsible for updating the kernel routing table, setting static routes and managing dynamic routing. Quagga can also be used to modify the physical host interface and routing table.
Routing Processes
All the Quagga routing daemons (ripd, ripngd, ospfd, ospf6d, bgpd, isisd, babeld, olsrd, ldpd and bfdd) communicate with the zebra daemon rather than directly with the kernel.
The Quagga daemons can be configured individually via a network-usable CLI called a “vty”.
After installing Quagga, register each daemon’s vty port number so that you can connect to it by name. Add the following entries to /etc/services:
zebrasrv 2600/tcp # zebra service
zebra 2601/tcp # zebra vty
ripd 2602/tcp # RIPd vty
ripngd 2603/tcp # RIPngd vty
ospfd 2604/tcp # OSPFd vty
bgpd 2605/tcp # BGPd vty
ospf6d 2606/tcp # OSPF6d vty
ospfapi 2607/tcp # ospfapi
isisd 2608/tcp # ISISd vty
pimd 2611/tcp # PIMd vty
nhrpd 2612/tcp # nhrpd vty
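As an added example (not part of the original page or of the Quagga project), the following POSIX shell script writes the entries above into an /etc/services-style file without creating duplicate lines and without silently giving a port that another service already owns to a Quagga name. The function names, the optional file argument and the conflict handling are this example's own choices; the names, ports and comments are exactly those listed above.

```shell
#!/bin/sh
# Added example, not from the page: register the Quagga vty ports in an
# /etc/services-style file idempotently. Names, ports and comments are the
# page's; the function names and the conflict check are assumptions here.

# One entry per line: NAME PORT/PROTO COMMENT (constructed from the page's list).
QUAGGA_SERVICES='zebrasrv 2600/tcp zebra service
zebra 2601/tcp zebra vty
ripd 2602/tcp RIPd vty
ripngd 2603/tcp RIPngd vty
ospfd 2604/tcp OSPFd vty
bgpd 2605/tcp BGPd vty
ospf6d 2606/tcp OSPF6d vty
ospfapi 2607/tcp ospfapi
isisd 2608/tcp ISISd vty
pimd 2611/tcp PIMd vty
nhrpd 2612/tcp nhrpd vty'

# service_defined FILE NAME: true if an active line already starts with NAME.
service_defined() {
    grep -Eq "^$2[[:space:]]" "$1"
}

# port_owner FILE PORT/PROTO: print the name that already uses PORT/PROTO, if any.
port_owner() {
    awk -v pp="$2" '$1 !~ /^#/ && $2 == pp { print $1; exit }' "$1"
}

# add_quagga_services [FILE]: append the missing entries to FILE (default
# /etc/services). Returns 1 if some port was already taken by another name, so
# the caller notices the conflict instead of ending up with two names per port.
add_quagga_services() {
    file=${1:-/etc/services}
    status=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    while read -r name portproto comment; do
        [ -n "$name" ] || continue
        if service_defined "$file" "$name"; then
            continue                      # already present: nothing to do
        fi
        owner=$(port_owner "$file" "$portproto")
        if [ -n "$owner" ]; then
            echo "warning: $portproto already belongs to '$owner'; not adding $name" >&2
            status=1
            continue
        fi
        printf '%s\t\t%s\t# %s\n' "$name" "$portproto" "$comment" >>"$file"
    done <<EOF
$QUAGGA_SERVICES
EOF
    return $status
}

# Usage (as root):  . ./quagga-services.sh && add_quagga_services
```

Running it a second time changes nothing, which is what you want from a step that is easy to re-run during a rebuild; a non-zero return tells you to look at the warning on stderr before starting the daemons.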
The vty CLI provides a similar though not identical interface to that of other routing software.
Quagga also includes a tool called “vtysh”, which is a single CLI interface to all Quagga daemons. vtysh accepts commands which are compatible with, or similar to, those supported by router vendors such as Cisco and Juniper.
For detailed information about using Quagga see the official documentation at: https://www.quagga.net/docs/quagga.html
The Installation Process for Quagga
root@intel:~# apt install quagga
Reading package lists… Done
Building dependency tree
Reading state information… Done
quagga is already the newest version (1.2.4-4build1).
The following packages were automatically installed and are no longer required:
libphonenumber7 libprotobuf17
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
root@intel:~#
root@intel:~# apt install quagga-doc
Reading package lists… Done
Building dependency tree
………
done
root@intel:~# cp /usr/share/doc/quagga-core/examples/vtysh.conf.sample /etc/quagga/vtysh.conf
root@intel:~# cp /usr/share/doc/quagga-core/examples/zebra.conf.sample /etc/quagga/zebra.conf
root@intel:~# cp /usr/share/doc/quagga-core/examples/bgpd.conf.sample /etc/quagga/bgpd.conf
root@intel:~# sudo chown quagga:quagga /etc/quagga/*.conf
root@intel:~# sudo chown quagga:quaggavty /etc/quagga/vtysh.conf
root@intel:~# sudo chmod 640 /etc/quagga/*.conf
root@intel:~#
Enable packet forwarding by uncommenting the net.ipv4.ip_forward line in /etc/sysctl.conf (disabling rp_filter strict mode is covered in its own step further below):
nano /etc/sysctl.conf
net.ipv4.ip_forward=1
Then reload the values from sysctl.conf by running:
root@intel:~# sysctl -p
net.ipv4.ip_forward = 1
root@intel:~#
Then set up the logging:
root@intel:~# mkdir /var/log/quagga/
root@intel:~# chown quagga:quagga /var/log/quagga/
root@intel:~# touch /var/log/zebra.log
root@intel:~# chown quagga:quagga /var/log/zebra.log
root@intel:~#
Start the services and verify that they are running:
systemctl start zebra
systemctl start bgpd
systemctl status zebra
systemctl status bgpd
The bgpd service will automatically start the zebra service, as bgpd depends on it.
However, note that if you want to fully stop Quagga, you have to stop the zebra service manually as well.
root@intel:~# systemctl start zebra
root@intel:~# systemctl start bgpd
root@intel:~# systemctl status zebra
● zebra.service - GNU Zebra routing manager
Loaded: loaded (/lib/systemd/system/zebra.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-06-01 14:25:05 CEST; 40ms ago
Docs: man:zebra
Process: 50339 ExecStartPre=/sbin/ip route flush proto zebra (code=exited, status=0/SUCCESS)
Process: 50354 ExecStartPre=/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf (code=exited, status=0/SUCCESS)
Process: 50355 ExecStartPre=/bin/chown -f quagga:quagga /etc/quagga/zebra.conf (code=exited, status=0/SUCCESS)
Process: 50356 ExecStartPre=/bin/chown -f quagga:quaggavty /etc/quagga/vtysh.conf (code=exited, status=0/SUCCESS)
Process: 50357 ExecStart=/usr/sbin/zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf (code=exited, status=0/SUCCESS)
Main PID: 50358 (zebra)
Tasks: 1 (limit: 9344)
Memory: 3.3M
CGroup: /system.slice/zebra.service
└─50358 /usr/sbin/zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
Jun 01 14:25:05 intel systemd[1]: Starting GNU Zebra routing manager...
Jun 01 14:25:05 intel systemd[1]: Started GNU Zebra routing manager.
root@intel:~# systemctl status bgpd
● bgpd.service - BGP routing daemon
Loaded: loaded (/lib/systemd/system/bgpd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-06-01 14:25:05 CEST; 3s ago
Docs: man:bgpd
Process: 50361 ExecStartPre=/bin/chmod -f 640 /etc/quagga/bgpd.conf (code=exited, status=0/SUCCESS)
Process: 50362 ExecStartPre=/bin/chown -f quagga:quagga /etc/quagga/bgpd.conf (code=exited, status=0/SUCCESS)
Process: 50363 ExecStart=/usr/sbin/bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf (code=exited, status=0/SUCCESS)
Main PID: 50364 (bgpd)
Tasks: 1 (limit: 9344)
Memory: 4.0M
CGroup: /system.slice/bgpd.service
└─50364 /usr/sbin/bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf
Jun 01 14:25:05 intel systemd[1]: Starting BGP routing daemon...
Jun 01 14:25:05 intel systemd[1]: Started BGP routing daemon.
root@intel:~#
Check that the services will start at system startup:
systemctl is-enabled zebra.service
systemctl is-enabled bgpd.service
root@intel:~# systemctl is-enabled zebra.service
enabled
root@intel:~# systemctl is-enabled bgpd.service
enabled
root@intel:~#
Disable unnecessary services:
systemctl status ospfd
systemctl is-enabled ospfd
systemctl is-enabled ospf6d
systemctl is-enabled ripd
systemctl is-enabled ripngd
systemctl is-enabled isisd
systemctl disable ospfd
systemctl disable ospf6d
systemctl disable ripd
systemctl disable ripngd
systemctl disable isisd
Then run the checks again:
systemctl is-enabled ospfd
systemctl is-enabled ospf6d
systemctl is-enabled ripd
systemctl is-enabled ripngd
systemctl is-enabled isisd
root@intel:~# systemctl status ospfd
● ospfd.service - OSPF routing daemon
Loaded: loaded (/lib/systemd/system/ospfd.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Sun 2021-05-30 14:43:26 CEST; 1 day 23h ago
Docs: man:ospfd
Mai 30 14:43:26 intel systemd[1]: Condition check resulted in OSPF routing daemon being skipped.
root@intel:~#
root@intel:~# systemctl is-enabled ospfd
enabled
root@intel:~# systemctl is-enabled ospf6d
enabled
root@intel:~# systemctl is-enabled ripd
enabled
root@intel:~# systemctl is-enabled ripngd
enabled
root@intel:~# systemctl is-enabled isisd
enabled
root@intel:~# systemctl disable ospfd
Synchronizing state of ospfd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable ospfd
Removed /etc/systemd/system/multi-user.target.wants/ospfd.service.
root@intel:~# systemctl disable ospf6d
Synchronizing state of ospf6d.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable ospf6d
Removed /etc/systemd/system/multi-user.target.wants/ospf6d.service.
root@intel:~# systemctl disable ripd
Synchronizing state of ripd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable ripd
Removed /etc/systemd/system/multi-user.target.wants/ripd.service.
root@intel:~# systemctl disable ripngd
Synchronizing state of ripngd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable ripngd
Removed /etc/systemd/system/multi-user.target.wants/ripngd.service.
root@intel:~# systemctl disable isisd
Synchronizing state of isisd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable isisd
Removed /etc/systemd/system/multi-user.target.wants/isisd.service.
root@intel:~# systemctl is-enabled ospfd
disabled
root@intel:~# systemctl is-enabled ospf6d
disabled
root@intel:~# systemctl is-enabled ripd
disabled
root@intel:~# systemctl is-enabled ripngd
disabled
root@intel:~# systemctl is-enabled isisd
disabled
root@intel:~#
Test connections to the vtysh, bgpd and zebra terminals:
vtysh
telnet localhost 2605
telnet localhost 2601
root@intel:~# vtysh
Hello, this is Quagga (version 1.2.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
intel#
intel#
intel#
intel# exit
root@intel:~# telnet localhost 2605
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is Quagga (version 1.2.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password:
Password:
Password:
% Bad passwords, too many failures!
Connection closed by foreign host.
root@intel:~# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is Quagga (version 1.2.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password:
Password:
Password:
% Bad passwords, too many failures!
Connection closed by foreign host.
root@intel:~#
This completes the basic installation of Quagga.
Next steps are to configure the logins for the above admin systems and then configure the router for BGP.
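The page leaves the login configuration for later, but the telnet test above already shows why it matters: the vty asks for the password from the daemon's config file, and that file was copied from the packaged sample. As an added example (not the page's own steps and not Quagga project code), this POSIX shell audit checks every daemon config in /etc/quagga for the points worth verifying before the vty is used: the 640/quagga mode the page set, that a vty password line exists and is not the “zebra” placeholder from the packaged *.conf.sample files, and that a log file or syslog target is configured. Function names, messages and the constructed test files are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: audit Quagga daemon config files for the
# login hygiene the text defers to "next steps". Function names and messages
# are this example's own; the 640/quagga mode comes from the page's chmod/chown
# steps and "password zebra" is the placeholder in the packaged *.conf.sample.

# audit_quagga_conf FILE: print one finding per line, return 1 if any.
audit_quagga_conf() {
    f=$1
    findings=0
    # 1. Mode: the page sets chmod 640; an other-readable file leaks the vty
    #    password to every local account.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f: world-readable (expected mode 640, owner quagga)"
        findings=$((findings + 1))
    fi
    # 2. A "password" line must exist; without one the vty cannot be used.
    if ! grep -Eq '^[[:space:]]*password[[:space:]]+' "$f"; then
        echo "$f: no vty password line"
        findings=$((findings + 1))
    fi
    # 3. The sample configs ship with "password zebra" / "enable password zebra".
    if grep -Eq '^[[:space:]]*(enable[[:space:]]+)?password[[:space:]]+zebra[[:space:]]*$' "$f"; then
        echo "$f: placeholder password 'zebra' from the sample config still in use"
        findings=$((findings + 1))
    fi
    # 4. Logging: the page creates /var/log/quagga and zebra.log, but a daemon
    #    only writes there if a "log file" (or "log syslog") line is present.
    if ! grep -Eq '^[[:space:]]*log[[:space:]]+(file|syslog)' "$f"; then
        echo "$f: no 'log file' or 'log syslog' line"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# audit_quagga_dir [DIR]: audit every daemon config in DIR (default /etc/quagga).
# vtysh.conf is skipped because it carries no vty password of its own.
audit_quagga_dir() {
    dir=${1:-/etc/quagga}
    rc=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        case $f in */vtysh.conf) continue ;; esac
        audit_quagga_conf "$f" || rc=1
    done
    return $rc
}

# Usage (as root):  . ./audit-quagga.sh && audit_quagga_dir
```

The checks are deliberately plain grep tests so they can run from a cron job or a configuration-management handler; a non-zero return from audit_quagga_dir is the signal to stop and fix the file before starting the daemon.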
Configure Quagga VTY
Add your Linux user account to the quaggavty group. This lets you access the Quagga VTY command-line interface:
adduser <user> quaggavty
root@intel:~# adduser kevin quaggavty
Adding user `kevin' to group `quaggavty' ...
Adding user kevin to group quaggavty
Done.
root@intel:~#
vty uses “more” for pagination. However, this can be switched to “less” by adding the following environment variable to your ~/.profile or ~/.bash_profile configuration file:
export VTYSH_PAGER="less -FX"
The -F argument is used to prevent less from activating if the output is smaller than one screen in size, and -X is used to prevent the screen being unnecessarily cleared.
kevin@intel:~$ cat ~/.profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin directories
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
export VTYSH_PAGER="less -FX"
kevin@intel:~$
Finally, run the vtysh command to connect. Quagga’s commands are generally the same as, or similar to, those of Cisco IOS:
kevin@intel:~$ vtysh
Hello, this is Quagga (version 1.2.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
intel#
Use ? to list the basic-level help:
intel# ?
clear Reset functions
configure Configuration from vty interface
copy Copy from one file to another
debug Debugging functions (see also ‘undebug’)
disable Turn off privileged mode command
enable Turn on privileged mode command
end End current mode and change to enable mode
exit Exit current mode and down to previous mode
list Print command list
no Negate a command or set its defaults
ping Send echo messages
quit Exit current mode and down to previous mode
show Show running system information
ssh Open an ssh connection
start-shell Start UNIX shell
telnet Open a telnet connection
terminal Set terminal line parameters
test Test
traceroute Trace route to destination
undebug Disable debugging functions (see also ‘debug’)
write Write running configuration to memory, network, or terminal
intel#
To enter configuration mode in vtysh, use either “configure terminal” or its abbreviation “conf t”:
intel# configure terminal
intel(config)#
intel(config)# exit
intel#
intel# conf t
intel(config)#
You can then enter ? again to list the configuration-level help:
intel(config)# ?
access-list Add an access list entry
bgp BGP information
debug Debugging functions
default Configure defaults of settings
dump Dump packet
enable Modify enable password parameters
end End current mode and change to enable mode
exit Exit current mode and down to previous mode
fpm fpm connection remote ip and port
hostname Set system’s network name
interface Select an interface to configure
ip IP information
ipv6 IP information
key Authentication key management
line Configure a terminal line
list Print command list
log Logging control
nhrp Next Hop Resolution Protocol functions
no Negate a command or set its defaults
password Assign the terminal connection password
route-map Create route-map or enter route-map command mode
router Enable a routing process
router-id Manually set the router-id
service Set up miscellaneous service
show Negate a command or set its defaults
table Configure target kernel routing table
undebug Disable debugging functions (see also ‘debug’)
username
vrf Enable a VRF
intel(config)#
To Configure Quagga Using vtysh
NOTE: This is included here for reference. Carry out the further configuration steps described further below before attempting this step!
Example of a basic BGP configuration:
vtysh> configure terminal
vtysh(config)> router bgp <your-asn>
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
vtysh(config-router)> exit
vtysh(config)> exit
To display current BGP status:
intel# show ip bgp summary
No IPv4 neighbor is configured
intel#
How To Configure BGP on Quagga
First, check that zebra is running (zebra is the core routing daemon that the other Quagga daemons talk to):
root@intel:~# netstat -tulpen | grep zebra
tcp 0 0 127.0.0.1:2601 0.0.0.0:* LISTEN 127 1232049 50358/zebra
root@intel:~#
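The netstat line above shows zebra bound to 127.0.0.1 only, which is the effect of the -A 127.0.0.1 option in the systemd units shown earlier; the vty protocol is plain telnet with a password, so a vty reachable from the network is a finding, not a convenience. As an added example (not from the page or the Quagga project), this POSIX shell function reads netstat -tulpen (or ss -tlnp) output on stdin and reports any port from the /etc/services block above that is listening on a non-loopback address. The function name, the EXPOSED output format and the constructed sample lines are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: flag Quagga vty/zserv listeners bound to
# anything other than loopback. Reads `netstat -tulpen` or `ss -tlnp` output
# on stdin, prints one EXPOSED line per offending socket, returns 1 if any.
check_vty_exposure() {
    awk '
        # Listening TCP sockets only; in both netstat and ss output the local
        # address is column 4 and ends in :port.
        $0 ~ /LISTEN/ && $4 ~ /:[0-9]+$/ {
            local = $4
            n = split(local, parts, ":")
            port = parts[n] + 0
            host = substr(local, 1, length(local) - length(parts[n]) - 1)
            # 2600-2612 are the Quagga ports from the /etc/services block.
            if (port < 2600 || port > 2612) next
            # Loopback forms as printed by netstat (::1) and ss ([::1]).
            if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
            print "EXPOSED: " local " (" $NF ")"
            exposed = 1
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Demo on constructed output: the page's own zebra line plus a bgpd that was
# started without -A 127.0.0.1. On a live host run:
#   netstat -tulpen | check_vty_exposure
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:2601          0.0.0.0:*               LISTEN      127        1232049    50358/zebra
tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN      127        1232050    50364/bgpd'
printf '%s\n' "$SAMPLE_NETSTAT" | check_vty_exposure \
    || echo "vty reachable from the network: start the daemon with -A 127.0.0.1"
```

The check is intentionally tolerant of the two common tools' column layouts; if you wrap zebra/bgpd in your own unit files, run it once after every restart so a dropped -A option shows up immediately.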
Enable packet forwarding (ip_forward) for IPv4 and IPv6:
root@intel:/home/kevin# sysctl -a | grep net.ipv6.conf.default.forwarding
net.ipv6.conf.default.forwarding = 0
root@intel:/home/kevin# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
root@intel:/home/kevin# sysctl -a | grep net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 0
root@intel:/home/kevin#
root@intel:/home/kevin# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
root@intel:/home/kevin# echo "net.ipv6.conf.default.forwarding=1" >> /etc/sysctl.conf
root@intel:/home/kevin# echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
root@intel:/home/kevin# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
root@intel:/home/kevin#
NOTE: if you are running a firewall such as iptables, also check that the firewall configuration is not blocking packet forwarding!
Disable the Linux rp_filter strict mode:
rp_filter (reverse path filtering) is a network security mechanism in the Linux kernel. It checks each packet’s source address against the network interface the packet arrived on.
Possible settings for rp_filter:
0 (disabled): allow all packets.
Packets that have no entry in the routing table, and so cannot be handled correctly, will instead be processed by userspace applications, so setting rp_filter to 0 should be no problem here.
1 (strict): if a packet does not arrive on the “best” network interface (in other words, your server would reply to the packet on a different network interface), then the packet is dropped.
2 (relaxed): Linux only drops packets whose source address is not in the routing table at all, i.e. ones it does not know how to reply to.
NOTE: Using different network interfaces for source and reply is common in DN42, so make sure you DON’T set rp_filter to 1!
ALSO NOTE: Firewalls such as ufw may be configured to use conntrack. Conntrack filters incoming packets from addresses it hasn’t seen before, which effectively applies a strict rp_filter, so you may need to disable this setting.
echo "net.ipv4.conf.default.rp_filter=2" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=2" >> /etc/sysctl.conf
sysctl -p
root@intel:/home/kevin# echo "net.ipv4.conf.default.rp_filter=2" >> /etc/sysctl.conf
root@intel:/home/kevin# echo "net.ipv4.conf.all.rp_filter=2" >> /etc/sysctl.conf
root@intel:/home/kevin# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
root@intel:/home/kevin#
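The sysctl -p output above prints net.ipv4.ip_forward = 1 twice: the line was uncommented in the forwarding step and then appended again with echo, and each further echo >> adds another copy. The duplicates are harmless today but make it easy to leave a stale rp_filter=1 line behind later. As an added example (not the page's own commands and not Quagga code), this POSIX shell snippet sets each key exactly once, replacing a commented or stale line in place, and adds a check that reads sysctl -a output and reports any interface still in strict mode. Function names and the constructed sample file are this example's own; the five key/value pairs are the ones the page ends up with.

```shell
#!/bin/sh
# Added example, not from the page: set sysctl keys without duplicates, and
# verify that no interface is left with rp_filter=1 (strict), which the DN42
# note above warns against. Function names are this example's own.

# set_sysctl_key FILE KEY VALUE: write "KEY=VALUE" exactly once in FILE.
# Any existing line for KEY (commented out or not, with or without spaces
# around "=") is replaced; duplicates are dropped; otherwise the line is
# appended. The file is rewritten in place so its owner and mode are kept.
set_sysctl_key() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/^#[[:space:]]*/, "", line)             # view commented lines as active
            split(line, kv, /[[:space:]]*=[[:space:]]*/)
            if (kv[1] == key) {
                if (!done) { print key "=" value; done = 1 }
                next                                     # drop further copies
            }
            print
        }
        END { if (!done) print key "=" value }
    ' "$file" >"$tmp" && cat "$tmp" >"$file" && rm -f "$tmp"
}

# apply_forwarding_settings [FILE]: the settings the page arrives at, once each.
# Follow with "sysctl -p" to load them.
apply_forwarding_settings() {
    file=${1:-/etc/sysctl.conf}
    set_sysctl_key "$file" net.ipv4.ip_forward 1
    set_sysctl_key "$file" net.ipv6.conf.default.forwarding 1
    set_sysctl_key "$file" net.ipv6.conf.all.forwarding 1
    set_sysctl_key "$file" net.ipv4.conf.default.rp_filter 2
    set_sysctl_key "$file" net.ipv4.conf.all.rp_filter 2
}

# rp_filter_strict_ifaces: read `sysctl -a` output on stdin, print every
# net.ipv4.conf.*.rp_filter key whose value is 1, return 1 if any was found.
# Usage:  sysctl -a 2>/dev/null | rp_filter_strict_ifaces
rp_filter_strict_ifaces() {
    awk -F'[[:space:]]*=[[:space:]]*' '
        $1 ~ /^net\.ipv4\.conf\..*\.rp_filter$/ && $2 == "1" { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}
```

Note that the "all" and "default" keys do not override a per-interface value that is already 1 (the kernel takes the maximum of all and the interface setting), which is exactly why the rp_filter_strict_ifaces check looks at every interface key rather than only the two the page sets.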
Install and Configure a VPN Tunnel Software Package for DN42
For peering in DN42, VPN tunneling software is required. DN42 nodes are spread across the world, and tunneling provides encryption and protection against interception and tampering. Also, DN42 uses private addresses that will be automatically dropped by firewalls on the Internet.
Furthermore, if you do not use a VPN, your ISP may assume you are IP spoofing, which is a clear violation of ISP ToS and can have catastrophic technical consequences.