Running Your Own As: BGP on FreeBSD with FRR, GRE Tunnels, and Policy Routing

65 points by todsacerdoti | 2026-02-08 | 21 comments
View original (blog.hofstede.it)

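Summary

This article explains in detail how to set up and run your own autonomous system (AS) on the public Internet using FreeBSD. It covers obtaining an AS number and an IPv6 prefix from a sponsoring LIR, configuring a FreeBSD router that uses FRR for BGP, setting up GRE and GIF tunnels to distribute the prefix to remote servers, and managing dual-stack routing issues.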

Comments (24)

tw04 (3 hours ago)
Not to nitpick, but the title should have AS capitalized. It’s confusing with the current capitalization.
pickup191 (2 hours ago)
Right! I was confused for a bit until I started reading it.

Otherwise, getting to know the power of FreeBSD is awesome. Thanks for creating the blog!

DarkFuture (2 hours ago)
I looked into buying my own IP space from that IP auction site, an IPv4 C-class costs around $10,000. What stopped me was finding out I also had to register with RIPE and pay the LIR annual fee, costing hundred Euros per month or so, even if I wasn't yet ready to use the IP space (I wanted to set up a basic Anycast IP without Cloudflare with help of VPS host who said they can help and had multiple locations around world).
frantathefranta (2 hours ago)
Yeah for single person use, this only really makes sense with IPv6. I'm interested in doing this in the near future and I think the yearly price for all-in (IPv6 /48 allocation, AS allocation + necessary VPS connections) comes out to about $200. It goes up to $300-400 if you want a PI subnet instead of PA (PI follows you to another LIR, PA does not).
rmoriz (2 hours ago)
While I strongly support IPv6 migration, the current IPv4 pricing is a rip-off. All the brokers and auction sites are fantasizing.

The market is tight, but nowhere near the point where it was 4-5 years ago. Big cloud providers already bought enormous amounts of IPv4 while many regional ISPs and colocation providers went out of business.

There is no real pressure to buy IPv4 except for brand-new companies to get their initial /24 or /23 to start. Everything else is optional.

alibarber (1 hour ago)
If you have a ham radio licence (anywhere in the world) you can request a /24 of IPv4 space from AMPR for free.

It cannot be used commercially and should be in the ‘spirit’ of amateur radio. Unfortunately there’s also a bit of a backlog it seems (a couple of months) right now.

[deleted comment]
direwolf20 (41 minutes ago)
You only need an LIR annual fee (~$2000) if you want to be an LIR and manage other people's resources. Otherwise you find another LIR (some popular choices are the ones the OP used) to manage your resources on your behalf. The annual fee is then ~$60. The resources are allocated directly to you, even when managed by a third party.
candiddevmike (2 hours ago)
I was hoping with IPv6, getting an address space as an individual would go back to how it was in the early IPv4 days, but alas you need to be a multihomed individual with tons of usage instead of just a sophisticated netizen that wants to own their block.
[deleted comment]
dogcow (43 minutes ago)
Yes, same here. Very frustrating. It is almost as if the powers that be don't want lowly netizens controlling their own destiny.
shon (2 hours ago)
If you’re reading this, you’re a neckbeard.
dorianmariecom (2 hours ago)
how much does it cost?
[deleted comment]
rmoriz (2 hours ago)
I do a "light" version of this, but without running a public AS and using WireGuard for tunneling my public IPv4 subnet into my homelab (proxmox cluster).

Just running bird on my VPS to announce my routes to the upstream over a private link.

rmoriz (2 hours ago)
Just a reminder, that the basic fees at RIPE are 2-3x the fees at ARIN which hurts individuals, SOHO and multihomed not-for-profit institutions.

fee schedules FYI

- ARIN 2026 PDF: https://www.arin.net/resources/fees/images/2026feeschedule.p...

- RIPE 2026 : https://www.ripe.net/membership/payment/

Enthusiasts, trainees and small orgs are paying a lot more with RIPE.

nazcan (1 hour ago)
Good to know. As someone on the ARIN side, I always found the fees reasonable.
rnhmjoj (1 hour ago)
> MSS clamping is non-negotiable with tunnels. Every layer of encapsulation eats into the MTU.

Can this tunnel be avoided somehow? If I have to choose between owning my prefix and having 1500 MTU, I'd probably take the latter: MTU issues are so annoying to deal with, and MSS-clamping doesn't solve all of them.

bc569a80a344f9c (1 hour ago)
Kind of but not really.

The whole point of BGP is to influence your routing tables. This fundamentally makes very little sense to do when you have a bunch of routers whose routing policy you don't control between you and whoever you're speaking BGP to. eBGP is just TCP and supports knobs to run over multiple hops (so up to 255), but at that point you can't really do anything with the routing information you exchange because the moment you hand the traffic off, the other party can do with it how it pleases. Also, very few people have enough public IP addresses for this, and on the Internet you obviously can't route RFC1918 space. Therefore, you need tunnels, so that you can be one hop away even if the tunneled traffic is traversing the Internet, and so that you can reach peers that let you announce whatever IP space you want.

The other thing you can do, of course, is to just do the same thing internal to your lab. You can absolutely stand up multiple ASN at home. I'd even argue that if you really want to learn BGP, this is a great way to do it, especially if you use two different platforms (say, FRR on FreeBSD peering with a cheap Mikrotik running RouterOS). That way you learn the underlying protocol and not a specific implementation, which is something that is very hard to undo in junior network engineers that have only ever been exposed to one way of doing things.

That's different from some of the goals outlined in the article, but if your goal is to learn this stuff rather than have provider-independent IP space (which even for home labs isn't very valuable to most people), doing it all yourself works fine.

mvanbaak (1 hour ago)
`-rxcsum -txcsum -rxcsum6 -txcsum6 -lro -tso`

Why disable all offloading? It's not explained anywhere.

mark_round (1 hour ago)
If you'd like to experiment with running your own AS in private address space, connecting to a friendly network of geeks over wireguard tunnels, check out DN42 https://dn42.dev/Home.

It's a great way to explore routing technologies and safely experiment with your own AS, running the same protocols as the "real" Internet, just in private space.

If you do get set up, give me a shout (https://markround.com/dn42), I'd be happy to peer with you if you want to expand beyond the big "autopeer" networks :)

direwolf20 (45 minutes ago)
iFog and Lagrange Cloud, naturally.

I am always very curious why these operations exist. ISPs for the very specific niche of hobbyists who want to run ASNs.

insuranceguru (32 minutes ago)
i always love a good freebsd networking deep dive, frr has come a long way.

from a risk side, running your own as is the ultimate digital sovereignty move, but the operational debt is huge. most people don't realize that when you stop renting the routing from a big carrier, you're also taking on 100% of the liability for your own uptime and 'fat finger' errors. it’s a high-stakes hobby for sure.