I just turned on BGP for the public IP's I announce. I'm assuming because i'm multi homed most website's don't like the 2 possible path's back to my public ips? I can't get any streaming site or PlayStation network to work while both peer's are connected. Should I use sticky on my BGP paths? or whats the best way to fix it?
Any idea's are much appreciated!
firewall { all-ping enable broadcast-ping disable group { address-group BLOCKED_USERS { description "UCRM blocked Users" } address-group PublicIPs { address xxx.yyy.92.0/23 address xxx.yyy.178.0/25 address xxx.yyy.178.192/26 address xxx.yyy.178.128/26 address xxx.yyy.221.32/27 address xxx.yyy.221.64/27 address xxx.yyy.221.240/30 address xxx.yyy.221.244/30 address xxx.yyy.221.248/30 address xxx.yyy.221.252/30 address xxx.yyy.221.176/30 address xxx.yyy.221.180/30 address xxx.yyy.221.184/30 address xxx.yyy.221.188/30 address xxx.yyy.221.160/28 address xxx.yyy.221.216/30 address xxx.yyy.221.220/30 address xxx.yyy.221.12/30 address xxx.yyy.221.224/28 address xxx.yyy.221.208/29 description "Public IP block" } network-group PRIVATE_NETS { network 192.168.0.0/16 network 172.16.0.0/12 network 10.0.0.0/16 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians disable modify MSS_CLAMP { rule 10 { action modify modify { tcp-mss 1440 } protocol tcp tcp { flags SYN,!RST } } } name WAN_IN_ISP1 { default-action accept description "WAN to Internal" rule 2 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } rule 3 { action drop description "Drop invalid state" log disable protocol all state { established disable invalid enable new disable related disable } } } name WAN_IN_ISP2 { default-action accept description "WAN to Internal" rule 30 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } rule 40 { action drop description "Drop invalid state" log disable protocol all state { established disable invalid enable new disable related disable } } } name WAN_LOCAL_ISP1 { default-action drop description "" rule 10 { action accept description "Allow icmp" log disable protocol icmp } rule 20 { action accept description "Allow GUI" destination { port 22,80,179,443 } log disable protocol tcp_udp } rule 30 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } rule 40 { action drop description "Drop invalid state" log disable protocol all state { established disable invalid enable new disable related disable } } } name WAN_LOCAL_ISP2 { default-action drop description "" rule 10 { action accept description "Allow icmp" log disable protocol icmp } rule 20 { action accept description "Allow GUI" destination { port 22,80,179,443 } log enable protocol tcp_udp } rule 30 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } rule 40 { action drop description "Drop invalid state" log disable protocol all state { established disable invalid enable new disable related disable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 10.0.200.1/24 duplex auto speed auto } ethernet eth1 { address xxx.yyy.83.254/30 description "WAN - ISP1" duplex auto firewall { in { name WAN_IN_ISP1 } local { name WAN_LOCAL_ISP1 } out { modify MSS_CLAMP } } mtu 1492 speed auto } ethernet eth2 { address xxx.yyy.222.22/30 description "WAN - ISP2" duplex auto firewall { in { name WAN_IN_ISP2 } local { name WAN_LOCAL_ISP2 } out { modify MSS_CLAMP } } mtu 1492 speed auto } ethernet eth3 { duplex auto speed auto } ethernet eth4 { duplex auto speed auto } ethernet eth5 { duplex auto speed auto } ethernet eth6 { duplex auto speed auto vif 2 { address 10.0.2.1/30 description ospf1-s ip { ospf { dead-interval 40 hello-interval 10 network point-to-point priority 1 retransmit-interval 5 transmit-delay 1 } } mtu 1500 } vif 3 { address 10.0.2.5/30 description ospf2-s ip { ospf { dead-interval 40 hello-interval 10 network point-to-point priority 1 retransmit-interval 5 transmit-delay 1 } } mtu 1500 } } ethernet eth7 { duplex auto speed auto vif 4 { address 10.0.2.21/30 description ospf1-a ip { ospf { dead-interval 40 hello-interval 10 network point-to-point priority 1 retransmit-interval 5 transmit-delay 1 } } mtu 1500 } vif 5 { address 10.0.2.25/30 description ospf2-a ip { ospf { dead-interval 40 hello-interval 10 network point-to-point priority 1 retransmit-interval 5 transmit-delay 1 } } mtu 1500 } vif 32 { address 10.0.32.1/24 description MManagement mtu 1500 } } ethernet eth8 { address 10.0.1.1/24 description "Local LAN" duplex auto speed auto vif 6 { address 10.0.2.37/30 description ospf1-m ip { ospf { dead-interval 40 hello-interval 10 priority 1 retransmit-interval 5 transmit-delay 1 } } mtu 1500 } vif 7 { address 10.0.2.41/30 description ospf2-m ip { ospf { dead-interval 40 hello-interval 10 priority 1 retransmit-interval 5 transmit-delay 1 } } mtu 1500 } vif 30 { address xxx.yyy.92.1/23 description MCustomers } vif 34 { address xxx.yyy.221.225/28 description Public } vif 166 { address xxx.yyy.221.217/30 description "LOffice" mtu 1500 } vif 209 { address xxx.yyy.221.209/29 description Web } } loopback lo { } } policy { prefix-list BGP-ISP-From { rule 10 { action permit description "Default Only" le 24 prefix 0.0.0.0/0 } } prefix-list BGP-ISP-To { rule 10 { action permit description "BGP Announce" prefix xxx.yyy.178.0/24 } rule 20 { action permit description "BGP Announce" prefix xxx.yyy.92.0/23 } rule 30 { action permit description "BGP Announce" prefix xxx.yyy.221.0/24 } rule 200 { action deny description "Do not Announce any other Route" prefix 0.0.0.0/0 } } } port-forward { auto-firewall enable hairpin-nat disable wan-interface eth1 } protocols { bgp XXX215 { neighbor xxx.yyy.50.111 { description "ISP2 Neighbor" ebgp-multihop 5 password **************** prefix-list { export BGP-ISP-To import BGP-ISP-From } remote-as XXX92 soft-reconfiguration { inbound } update-source xxx.yyy.222.22 } neighbor xxx.yyy.50.211 { description "ISP2 neighbor 2" ebgp-multihop 5 password **************** prefix-list { export BGP-ISP-To import BGP-ISP-From } remote-as XXX92 soft-reconfiguration { inbound } update-source xxx.yyy.222.22 } neighbor xxx.yyy.83.253 { description "ISP1 Nieghbor" prefix-list { export BGP-ISP-To import BGP-ISP-From } remote-as XXX10 soft-reconfiguration { inbound } update-source xxx.yyy.83.254 } network xxx.yyy.178.0/24 { } network xxx.yyy.92.0/23 { } network xxx.yyy.221.0/24 { } parameters { log-neighbor-changes } } ospf { area 0.0.0.0 { area-type { normal } network 10.0.2.0/30 network 10.0.2.4/30 network 10.0.2.20/30 network 10.0.2.24/30 network 10.0.2.36/30 network 10.0.2.40/30 } default-information { originate { metric-type 2 } } parameters { abr-type cisco router-id 1.1.1.1 } passive-interface default passive-interface-exclude eth6.2 passive-interface-exclude eth6.3 passive-interface-exclude eth7.4 passive-interface-exclude eth7.5 passive-interface-exclude eth8.6 passive-interface-exclude eth8.7 redistribute { connected { metric-type 2 } static { metric-type 2 } } } static { route xxx.yyy.50.111/32 { next-hop xxx.yyy.222.21 { description "ISP2 1 .111" } } route xxx.yyy.50.211/32 { next-hop xxx.yyy.222.21 { description "ISP2 2 .211" } } route xxx.yyy.178.0/24 { blackhole { } } route xxx.yyy.83.252/30 { next-hop xxx.yyy.83.254 { description "ISP1 Peer" } } route xxx.yyy.92.0/23 { blackhole { } } route xxx.yyy.221.0/24 { blackhole { } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name LOffice { authoritative disable subnet xxx.yyy.221.216/30 { default-router xxx.yyy.221.217 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start xxx.yyy.221.218 { stop xxx.yyy.221.218 } } } shared-network-name LPublic { authoritative disable subnet xxx.yyy.221.224/28 { default-router xxx.yyy.221.225 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start xxx.yyy.221.226 { stop xxx.yyy.221.238 } } } shared-network-name MCustomers { authoritative disable subnet xxx.yyy.92.0/23 { default-router xxx.yyy.92.1 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start xxx.yyy.92.2 { stop xxx.yyy.93.254 } static-mapping Home { ip-address xxx.yyy.92.199 mac-address f4:92:bf:94:a9:0c } } } shared-network-name MManagement { authoritative disable subnet 10.0.32.0/24 { default-router 10.0.32.1 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start 10.0.32.2 { stop 10.0.32.254 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 1000 listen-on eth0 listen-on eth6 listen-on eth7 listen-on eth8 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 1 { description ucrm_forward_suspended destination { address !10.0.32.203 } inbound-interface eth8.30 inside-address { address 10.0.32.203 port 81 } log disable protocol tcp source { group { address-group BLOCKED_USERS } } type destination } rule 5000 { description "masquerade for WAN" exclude log disable outbound-interface eth1 protocol all source { group { address-group PublicIPs } } type masquerade } rule 5001 { description "masquerade for WAN 2" exclude log disable outbound-interface eth2 protocol all source { group { address-group PublicIPs } } type masquerade } rule 5002 { description "S Clients NAT to Eth1" log disable outbound-interface eth1 outside-address { address xxx.yyy.221.113-xxx.yyy.221.126 } protocol all source { address 10.0.40.0/24 } type source } rule 5003 { description "B Clients NAT to Eth1" log disable outbound-interface eth1 outside-address { address xxx.yyy.221.129-xxx.yyy.221.142 } protocol all source { address 10.0.50.0/24 } type source } rule 5004 { description "M Clients NAT to Eth1" log disable outbound-interface eth1 outside-address { address xxx.yyy.221.17-xxx.yyy.221.30 } protocol all source { address 10.0.60.0/24 } type source } rule 5005 { description "B Clients NAT to Eth1" log disable outbound-interface eth1 outside-address { address xxx.yyy.221.145-xxx.yyy.221.158 } protocol all source { address 10.0.70.0/24 } type source } rule 5006 { description "S Clients NAT to Eth2" log disable outbound-interface eth2 outside-address { address xxx.yyy.221.113-xxx.yyy.221.126 } protocol all source { address 10.0.40.0/24 } type source } rule 5007 { description "B Clients NAT to Eth2" log disable outbound-interface eth2 outside-address { address xxx.yyy.221.129-xxx.yyy.221.142 } protocol all source { address 10.0.50.0/24 } type source } rule 5008 { description "M Clients NAT to Eth2" log disable outbound-interface eth2 outside-address { address xxx.yyy.221.17-xxx.yyy.221.30 } protocol all source { address 10.0.60.0/24 } type source } rule 5009 { description "B Clients NAT to Eth2" log disable outbound-interface eth2 outside-address { address xxx.yyy.221.145-xxx.yyy.221.158 } protocol all source { address 10.0.70.0/24 } type source } rule 5010 { description "masquerade for WAN" log disable outbound-interface eth1 protocol all source { group { } } type masquerade } rule 5011 { description "masquerade for WAN 2" log disable outbound-interface eth2 protocol all source { group { } } type masquerade } } ssh { port 22 protocol-version v2 } suspend { allow-domain unms.website.com allow-ip redirect { url } } udapi-server unms { connection } } system { analytics-handler { send-analytics-report true } conntrack { expect-table-size 2048 hash-size 32768 table-size 262144 } crash-handler { send-crash-report true } host-name CoreRouter-ER8-XG login { user user { authentication { encrypted-password **************** plaintext-password **************** } full-name "" level admin } } name-server 8.8.8.8 name-server 8.8.4.4 ntp { server 0.ubnt.pool.ntp.org { } } syslog { } time-zone America/Chicago } traffic-control { optimized-queue { policy global policy queues } }
No comments:
Post a Comment