Anybody who’s spent time troubleshooting BGP advertisements and/or Internet reachability issues has probably made use of one or many looking glass servers. These are servers, usually managed and maintained by ISPs, which provide a set of useful troubleshooting tools (ping, traceroute) and outputs (show ip bgp) that allow you to view the Internet from the perspective of their network. Large, geographically diverse carriers often allow you to select a router you would like to troubleshoot from, which is useful if the issue you are troubleshooting seems to be localized to a specific area.
As a network guy, I’ve spent A LOT of time on various looking glasses, and I’ve even set a few up — albeit many years ago. Internet routing tables can be chaotic at times and, in my opinion, there can never be too many looking glasses. So when the time came to set up a new looking glass at my day job, I figured it would be a good opportunity to take some notes to make it easier for the next guy or gal to get who is willing to show the world what the Internet looks like from their perspective. After a bit of research, I decided that I would install bgplg, a clean, robust OpenBGPD add-on.
Get the OS
I installed OpenBSD 5.2, which can be freely downloaded here
Install the OS
OpenBSD is a very lightweight OS, so I probably went overkill when I configured my VMWare guest with 1GB RAM, 2 CPUs and 15GB HDD space.
The installer is also very lightweight — just select (I)nstall when it asks and start walking through the prompts. I followed the defaults until it asked if I’d like to install X Windows. There’s no need for it on this server so, unless extenuating circumstances warrant it, I’d select "no". A few more questions and then it will ask to install sets. I used the CD as my source and, in keeping with the ideal of a minimal install, removed packages I felt were unnecessary: type "-x*", which will remove all X-related packages and then "-game*" to remove the game set. Simply press Enter when done selecting sets and the install will begin.
When installation is complete, eject your install media and type "reboot".
(Optional) Add an IPv6 Default Gateway
If you’ve configured IPv6, you will notice that there is no default IPv6 route installed. To fix this, edit your network config file (mine is /etc/hostname.em0) and add the following line to the end:
!route -n add -inet6 default <IPv6 default gateway>
When added & saved, you can activate your changes by running the netstart
script:
# sh /etc/netstart
Configure bgplg & Apache
You’ll now want to enable bgplg, which is installed by default. The next steps are straight out of the man page:
# chmod 0555 /var/www/cgi-bin/bgplg # chmod 0555 /var/www/bin/bgpctl # mkdir /var/www/etc # cp /etc/resolv.conf /var/www/etc # chmod 4555 /var/www/bin/ping # chmod 4555 /var/www/bin/ping6 # chmod 4555 /var/www/bin/traceroute # chmod 4555 /var/www/bin/traceroute6
Change the following values in /etc/rc.conf
to start OpenBGPD & Apache at boot time:
bgpd_flags="" httpd_flags=""
OpenBSD runs Apache in a chroot. We tweaked a lot of permissions above to give the chroot environment access to basic network tools, but by default things like DNS lookups will still not work. To test DNS resolution and the ping tool from your chroot environment, you can run the following command:
# chroot -g www -u www /var/www /bin/ping google.com
which will likely result in the following error:
ping: socket: Permission denied
This is a result of the nosuid flag being set on the /var partition by default. You can verify this by looking at how /var is currently mounted:
# mount | grep var /dev/sd0e on /var type ffs (local, nodev, nosuid)
To fix this problem, remove the nosuid flag from the /var partition in <code>/etc/fstab</code> and reboot your machine. Your should now see something similar to:
# mount | grep var /dev/sd0e on /var type ffs (local, nodev)
Verify that your chrooted user is now working:
# chroot -g www -u www /var/www /bin/ping google.com PING google.com (74.125.129.100): 56 data bytes 64 bytes from 74.125.129.100: icmp_seq=0 ttl=49 time=57.249 ms 64 bytes from 74.125.129.100: icmp_seq=1 ttl=49 time=56.861 ms --- google.com ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 56.861/57.055/57.249/0.194 ms
Also, Apache should be up and running after the reboot. Even though we haven’t configured OpenBGPD yet, you should still be able to test ping & traceroute functionality.
Configure OpenBGPD
Finally, we’ll configure OpenBGPD. To do this, edit the `/etc/bgpd.conf`file and enter the relevant bgpd config information (see the man page for help). My config looks like:
#macros
peer1="198.51.100.1"
peer2="2001:DB8::1"
# global configuration
AS 65000
router-id 198.51.100.2
# restricted socket for bgplg(8)
socket "/var/www/logs/bgpd.rsock" restricted
# neighbors and peers
group "peering AS65000" {
remote-as 65000
neighbor $peer1 {
descr "IBGP-V4"
local-address 198.51.100.2
}
neighbor $peer2 {
descr "IBGP-V6"
local-address 2001:DB8::2
}
}
Once you’re done configuring, you can restart OpenBGPD:
/etc/rc.d/bgpd restart
And that’s it. Next step: create/update your ASN’s PeeringDB record with your sexy new looking glass URL.