Running Your Own As: BGP on FreeBSD with FRR, GRE Tunnels, and Policy Routing

The story delves into the process of an individual establishing their own Autonomous System (AS) and announcing an IPv6 prefix to the internet's Default-Free Zone. It demonstrates that this capability is not exclusive to large enterprises but accessible to enthusiasts through sponsoring LIRs and robust open-source tools like FreeBSD and FRR. The article provides a step-by-step walkthrough of obtaining necessary resources, configuring the network, and managing routing challenges.

• Motivation for Personal AS: Running an AS offers provider-independent addressing, allowing IP addresses to remain constant across different hosting providers, simplifying migrations, and enhancing architectural flexibility. It also offers invaluable insights into internet routing mechanics.
• Resource Acquisition: The guide details how to obtain an AS number and IPv6 prefix (e.g., /48) from a Regional Internet Registry (like RIPE NCC) via a sponsoring LIR, avoiding direct membership fees. This includes creating RIPE database objects and setting up RPKI ROAs.
• Architectural Design: The setup involves a central BGP router (running FreeBSD + FRR) peering with upstream providers, which then distributes tunneled subnets (individual /64s or /62s) to downstream servers via GIF tunnels (IPv6-in-IPv4 encapsulation).
• BGP Router Configuration: Comprehensive configuration files are provided for the FreeBSD router, covering network interfaces, static routes, and FRR setup. Key FRR elements include prefix lists for filtering (e.g., PL-BOGONS for inbound routes), route maps for traffic engineering (e.g., AS-path prepending), and BGP session safety features (TTL security, maximum-prefix limits).
• Firewalling (PF): The router's PF firewall configuration is detailed, segmenting control plane (SSH, BGP) from data plane traffic. Important rules include dropping spoofed packets, MSS clamping for tunnels, and strict BGP peer limitations.
• Downstream Server (Policy Routing): A complex dual-stack scenario on a downstream server (VPS) is addressed. This server needs to use both provider-assigned IPv6 and the newly acquired BGP IPv6. The solution leverages FreeBSD's multi-FIB (Forwarding Information Base) policy routing, where traffic from BGP-addressed jails is directed to a separate FIB that routes through the GIF tunnel, while provider-addressed traffic uses the default FIB.
• Verification: The article concludes by demonstrating verification steps using curl --interface for source address checking and mtr for tracing packet paths, confirming BGP routes are correctly propagated and traffic flows as intended.
• Lessons Learned: Key takeaways include the critical importance of MSS clamping with tunnels, the elegance and debuggability of FreeBSD's FIB separation, the necessity of bogon filtering for security, using reply-to for asymmetric routing, and the benefits of having at least two upstreams for redundancy and traffic engineering.

In essence, the author demonstrates that running a personal AS is a technically achievable and deeply satisfying endeavor. The dual-FIB policy routing solution for managing multiple IPv6 address spaces on a single server is highlighted as a particularly elegant and robust method, showcasing the power of FreeBSD's networking capabilities. While perhaps 'overkill' for a simple blog, this robust infrastructure provides invaluable operational stability and a profound understanding of the internet's backbone.