DN42 is a community network built by people who want to experiment with real routing, tunnels, BGP, DNS, addressing, peering and network operations without needing public Internet resources. It behaves like a small Internet made of private links between autonomous systems. Each participant gets an ASN, announces prefixes, builds tunnels with peers, filters routes, runs services and learns how routing behaves when the network is not hidden behind a single home router.
My goal was to join DN42 with my own ASN, expose services from my lab, route DN42 traffic through a real Cisco router, and make the setup usable from a laptop plugged directly into the DN42 VLAN. The result is a small but real network edge: WireGuard tunnels, FRR on Linux, a Cisco C1101, Proxmox LXC containers, public DN42 services and direct access to other DN42 networks.
A configuration-focused version of this build is available in the DN42 technical documentation.
ASN: AS4242420621
Maintainer: XYDRIVE-MNT
IPv4 prefix: 172.22.149.64/27
IPv6 prefix: fd51:fbc4:f614::/48
DN42 web service: http://172.22.149.66/
Minecraft server: 172.22.149.66:25565
Contact: germain@godef.be
The design is split into three jobs. The LXC named Dn42 handles WireGuard and BGP sessions. The Cisco C1101 is the internal DN42 router for my lab. Proxmox hosts the service containers, including drive42, which has a real DN42 address on VLAN 10.
    RoutedBits Paris AS4242420207   Kioubit FR1 AS4242423914
          |                                  |
          | WireGuard + eBGP                 | WireGuard + eBGP
          |                                  |
    +-----+----------------------------------+-----+
    |               LXC Dn42 Gateway               |
    |               FRR + WireGuard                |
    +---------------------+------------------------+
                          |
                          | iBGP / VLAN 99
                          | 10.255.255.0/30
                          |
                     Cisco C1101
                          |
                          | VLAN 10 - DN42 services
                          |
             +------------+-------------+
             |                          |
    Proxmox vmbr1 tag 10           Arch laptop
             |
          drive42
    172.22.149.66 / fd51:fbc4:f614:1::42
My AS is AS4242420621. Inside the lab, the Cisco and the LXC share the same AS with iBGP. Outside the lab, the LXC peers with external DN42 networks over eBGP. The two external peers currently used are RoutedBits in Paris and Kioubit in France.
    AS4242420621 - XYDRIVE
    |
    |-- eBGP - RoutedBits Paris - AS4242420207 - fe80::207 over peer1
    |
    |-- eBGP - Kioubit FR1 - AS4242423914 - fe80::ade0 over kioubit-fr1
    |
    |-- iBGP - Cisco C1101 - AS4242420621 - 10.255.255.2
    |
    +-- Services - drive42 - 172.22.149.66 - fd51:fbc4:f614:1::42
Outbound filters are strict: I only announce my own prefixes to external peers. I do not export the whole DN42 table back to a transit peer. That mistake is easy to make when learning BGP, and it creates AS path loops and useless route churn.
The Cisco is the router I use for the local DN42 network. It receives the global DN42 table from the LXC over iBGP and routes VLAN 10 for real clients and services.
Vlan10: 172.22.149.65/27 and fd51:fbc4:f614:1::1/64
Vlan99: 10.255.255.2/30 and fd51:fbc4:f614:ffff::2/64
This container runs WireGuard and FRR. It terminates tunnels, receives routes from DN42 peers, applies route-maps, installs routes into Linux, and sends the table to the Cisco.
dn42-port: 10.255.255.1/30
peer1: RoutedBits Paris
kioubit-fr1: Kioubit FR1
Proxmox is not routing DN42 for this part. It acts as a bridge host. The USB network interface connected to the Cisco is attached to vmbr1, and LXC interfaces can be tagged into VLAN 10 or VLAN 99.
vmbr1: Cisco trunk side
vmbr1 tag 10: public DN42 service network
This is the public service container. It hosts a web page, a Minecraft server and a local DNS resolver used by my laptop while exploring DN42.
172.22.149.66/27
fd51:fbc4:f614:1::42/64
The first step was to register resources in the DN42 registry: an ASN, an IPv4 block, an IPv6 block, route objects and maintainer data. Without correct route objects, many serious DN42 peers filter the route because their ROA validation cannot confirm that the ASN is allowed to originate the prefix.
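How a filtering peer reaches that decision, as an added example (not the author's code or any peer's actual tooling): RFC 6811 origin validation run against a constructed ROA table. The max-length values and the accept-only-valid import policy are assumptions.

```python
import ipaddress

# Constructed ROA table of the kind generated from registry route objects:
# (prefix, max_length, origin ASN). The max_length values are assumptions.
ROAS = [
    ("172.22.149.64/27", 29, 4242420621),
    ("fd51:fbc4:f614::/48", 64, 4242420621),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for a received route."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route only if the route sits inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs the same origin AND a prefix no longer than max_length.
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def import_decision(prefix, origin_asn, roas=ROAS):
    """Strict peer policy (assumption): accept only routes that are 'valid'."""
    return validate(prefix, origin_asn, roas) == "valid"
```

A prefix with no route object at all comes back as not-found, and under the strict policy it is dropped just like an invalid one.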
Then I built the gateway container. The LXC runs Debian, WireGuard and FRR. I connected it to the Cisco using a dedicated Proxmox bridge and a small point-to-point IPv4 network: 10.255.255.0/30. The Cisco is 10.255.255.2, and the LXC is 10.255.255.1.
The first external tunnel was RoutedBits Paris. It uses WireGuard with IPv6 link-local BGP. The second peer is Kioubit FR1. Adding Kioubit improved reachability and made it possible to reach mc.jerry.dn42, which resolves to 172.20.51.102 and listens on port 25565.
1. Register AS4242420621 and prefixes in the DN42 registry
2. Build the Dn42 LXC gateway with WireGuard and FRR
3. Connect Cisco C1101 to the LXC over 10.255.255.0/30
4. Establish eBGP to RoutedBits Paris
5. Send global DN42 routes to the Cisco with iBGP
6. Attach Proxmox vmbr1 to the Cisco trunk
7. Put drive42 on VLAN 10 with a public DN42 address
8. Plug an Arch laptop into a Cisco access port in VLAN 10
9. Add Kioubit as a second peer for better reachability
The hardest part was not making a tunnel come up. The hard part was making the Linux kernel, FRR, Cisco and remote BGP peers agree on what the next-hop should be.
The RoutedBits session uses IPv6 link-local BGP while carrying IPv4 routes. The IPv4 next-hop received from Paris was not directly usable by Linux until the WireGuard interface was treated like a point-to-point link.
The fix was to explicitly bind the local tunnel address to the remote next-hop and keep a route for the remote tunnel IPv4 address.
The final iBGP setup uses next-hop-self and update-source dn42-port toward the Cisco. In iBGP, routes learned from external peers keep their original next-hop by default, so next-hop-self rewrites it to the LXC interconnect address 10.255.255.1.
A temporary static route-map was tried during debugging, but it was removed. The working check is show bgp ipv4 unicast neighbors 10.255.255.1 routes on the Cisco: the Cisco receives 1127 IPv4 routes from the LXC gateway.
At one point I was close to advertising too much back to a transit peer. The final setup uses prefix-lists and route-maps so external peers only receive 172.22.149.64/27 and fd51:fbc4:f614::/48.
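One way to catch a missing export filter before it leaks, as an added example rather than the author's configuration or tooling: a small audit that lists every eBGP neighbor configured in an address family without an outbound route-map. The FRR-style excerpt is constructed, the route-map names are hypothetical, and one gap is left in on purpose.

```python
# Constructed FRR-style excerpt; route-map names are hypothetical. The IPv6
# family for the Kioubit neighbor deliberately has no outbound route-map.
SAMPLE = """\
router bgp 4242420621
 neighbor fe80::207 remote-as 4242420207
 neighbor fe80::207 interface peer1
 neighbor fe80::ade0 remote-as 4242423914
 neighbor fe80::ade0 interface kioubit-fr1
 neighbor 10.255.255.2 remote-as 4242420621
 address-family ipv4 unicast
  neighbor fe80::207 route-map EXPORT-OWN-V4 out
  neighbor fe80::ade0 route-map EXPORT-OWN-V4 out
  neighbor 10.255.255.2 next-hop-self
 exit-address-family
 address-family ipv6 unicast
  neighbor fe80::207 activate
  neighbor fe80::207 route-map EXPORT-OWN-V6 out
  neighbor fe80::ade0 activate
 exit-address-family
"""

def unfiltered_ebgp_exports(config):
    """Return sorted (neighbor, address-family) pairs where an eBGP neighbor
    is configured in a family but has no outbound route-map there."""
    local_as, remote_as, family = None, {}, None
    seen, filtered = set(), set()
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["router", "bgp"]:
            local_as = words[2]
        elif words[:1] == ["address-family"]:
            family = " ".join(words[1:])
        elif words[:1] == ["exit-address-family"]:
            family = None
        elif words[:1] == ["neighbor"] and len(words) >= 3:
            peer = words[1]
            if words[2] == "remote-as":
                remote_as[peer] = words[3]
            elif family:
                seen.add((peer, family))
                if words[2] == "route-map" and words[-1] == "out":
                    filtered.add((peer, family))
    # Same AS as ours means iBGP (the Cisco); everything else is external.
    external = {p for p, asn in remote_as.items() if asn != local_as}
    return sorted(pf for pf in seen - filtered if pf[0] in external)
```

The audit only confirms that an outbound route-map is attached; what that route-map permits still has to be read against the prefix-lists.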
Forwarding must be enabled, and reverse path filtering must be disabled on the DN42 interfaces. Otherwise valid routed traffic can be dropped before BGP even becomes the problem.
ip_forward=1 and rp_filter=0 are part of the base configuration.
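A check for these two settings, as an added example that is not part of the original build: Linux applies the higher of conf/all/rp_filter and the per-interface value, so an interface set to 0 is still filtered while "all" is 1. The interface names come from this page; the function name and the overridable root path are assumptions made for the example.

```python
from pathlib import Path

# Interface names used on this page for the gateway LXC.
DN42_IFACES = ("dn42-port", "peer1", "kioubit-fr1")

def _read(path):
    """Read one integer sysctl value from its file."""
    return int(Path(path).read_text().strip())

def forwarding_problems(ifaces=DN42_IFACES, root="/proc/sys/net/ipv4"):
    """Return a list of problems; an empty list means the sysctls match
    ip_forward=1 and an effective rp_filter of 0 on every interface."""
    root = Path(root)
    problems = []
    if _read(root / "ip_forward") != 1:
        problems.append("ip_forward is not 1")
    rp_all = _read(root / "conf" / "all" / "rp_filter")
    for iface in ifaces:
        rp_if = _read(root / "conf" / iface / "rp_filter")
        # The kernel validates sources with max(all, interface).
        effective = max(rp_all, rp_if)
        if effective != 0:
            problems.append(
                f"{iface}: effective rp_filter={effective} "
                f"(all={rp_all}, {iface}={rp_if})"
            )
    return problems

if __name__ == "__main__":
    for line in forwarding_problems() or ["ok"]:
        print(line)
```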
When someone visits my DN42 website or connects to my Minecraft server, the traffic reaches me through one of my BGP peers, enters the LXC gateway, crosses the Cisco, and lands on the public service VLAN.
    DN42 user
    |
    | BGP path to AS4242420621
    |
    RoutedBits or Kioubit
    |
    | WireGuard tunnel
    |
    LXC Dn42 gateway
    |
    | iBGP route and Linux forwarding
    |
    Cisco C1101
    |
    | VLAN 10
    |
    drive42 - web and Minecraft
I also wanted DN42 to feel like a real network from my laptop. I plugged my Arch laptop into GigabitEthernet0/1/1 on the Cisco. That port is an access port in VLAN 10, so the laptop does not need to tag VLANs. It just gets a DN42 address from my prefix.
Arch interface: enp0s31f6
IPv4: 172.22.149.67/27
IPv6: fd51:fbc4:f614:1::67/64
Gateway IPv4: 172.22.149.65
Gateway IPv6: fd51:fbc4:f614:1::1
DN42 DNS resolver: 172.22.149.66
I do not route all 10.0.0.0/8 through DN42 from the laptop because it conflicts with private networks I already use at home. For now I keep targeted routes and avoid breaking access to local machines.
AS: AS4242420207
Endpoint: router.par1.routedbits.com:50621
BGP neighbor: fe80::207
Role: first transit peer and main route source during the initial build.
AS: AS4242423914
Endpoint: fr1.g-load.eu:20036
BGP neighbor: fe80::ade0
Role: second peer used to improve service reachability and reach mc.jerry.dn42.
I am interested in peering with other DN42 operators. I prefer WireGuard tunnels with MP-BGP over IPv6 link-local and extended next-hop enabled. If you want to peer, send me your ASN, WireGuard endpoint, WireGuard public key, link-local address, location and preferred policy.
ASN: AS4242420621
Maintainer: XYDRIVE-MNT
IPv4 announced: 172.22.149.64/27
IPv6 announced: fd51:fbc4:f614::/48
Preferred BGP: MP-BGP over IPv6 link-local
Extended next-hop: yes
Example local link-local: fe80::621
Contact: germain@godef.be
I will only announce my own prefixes to peers. I expect the same kind of clean filtering on the other side. This keeps the network readable, avoids accidental transit leaks, and makes debugging much less painful.
drive42 is reachable on VLAN 10.
172.22.149.66.
172.22.149.66:25565.
mc.jerry.dn42 resolves to 172.20.51.102 and the Minecraft port is reachable.
This project is not finished. DN42 is exactly the kind of network where the next problem is usually one route-map away. That is also why I like it.