@frijolierthnthou Were you able to solve this issue? I've been dealing with this same exact problem from the past 2 weeks

@michmoor said in BGP Routing Issue: Traffic Still Preferring Default Route Despite Prepending and MED Adjustments:

Are you doing any policy based routing? Setting a specific gateway in the firewall rules? Thats the only thing i can imagine that would bypass the route table.

There is no policy based routing or specific gateway in firewall rule. Only one default gateway present on both site routers. I would say it is just a basic BGP config. I just followed the example configuration from the netgate docs - https://docs.netgate.com/pfsense/en/latest/packages/frr/bgp/example.html

" stop advertising these routes if the LAN interface goes down as the virtual IPs use 1:1 NAT to route traffic to internal IPs."

If the physical interface goes down then the subnet reachable out of that interface will be withdrawn in route advertisements.
VIPs like loopbacks, are logical and are always UP.

@mcury It seemed like a bug to me as well but this is my first time doing this kind of configuration. I felt like I was going crazy or had done something wrong. Thanks for the response.

@swiss If the log entries do not provide sufficient detail, one thing you can do is run a packet canpture on the VPN interface vor TCP port 179 and use wireshark to show you exactly what is being sent that your side does not like. Then you have something to either accommodate in your configuration or ask the other side to stop doing.

@mAineAc No - you'd have to build/install it manually for the public dev build. I'm not aware of any official bug report for the issue you're experiencing. My suggestion is to treat it like any other bug report: provide steps to reproduce it, and determine if it's a regression by finding the version(s) of the related software when it last worked.

@marcosm Does this fix the issue with selecting the redistribute default always? Whether a default is present or not?

@mcury Yes. It's here.

@michmoor - Yes, disabling the firewall didn't solve the issues, but I don't want a router only without any firewalling capabilities exposed to the public internet.

@yon-0 I'm not sure about CE, but there is FRR 9.1 in the latest PFsense+ 24.3 release. What is your motivation for upgrading from FRR 9.0.2 to 9.1 in pfSense CE 2.7.2?

@michmoor Yes, this is it.

Actually, someone from frr seems to be assigned to it, however last ticket update was 6mo ago:

https://github.com/FRRouting/frr/issues/14875

At least it's recognized as a frr issue, how long after a potential fix until that arrives in pfsense however is another story.

Regards
Thomas

@centromere We have the same problem, is there already a solution?
I have to correct myself a little, the error is just similar. It seems that the frr is running though. We also see briefly how the bgp router is set up

42232 - Ss 0:18.86 /usr/local/sbin/watchfrr -d -r /usr/local/etc/rc.d/frrbBrestartbB%s -s /usr/local/etc/rc.d/frrbBstartbB%s -k /usr/local/etc/rc.d/frrbBstopbB%s -b bB -t 30 zebra mgmtd staticd bgpd frr-reload.py /var/etc/frr/frr.conf --reload [78701|mgmtd] sending configuration [78923|zebra] sending configuration [79902|bgpd] sending configuration [81349|watchfrr] sending configuration [81506|staticd] sending configuration Waiting for children to finish applying config... [78701|mgmtd] done [79902|bgpd] done [81349|watchfrr] done [78923|zebra] done [81506|staticd] done [83692|mgmtd] sending configuration [83752|zebra] sending configuration [84958|bgpd] sending configuration [86227|watchfrr] sending configuration [86505|staticd] sending configuration Waiting for children to finish applying config... [84958|bgpd] done [83692|mgmtd] done [86505|staticd] done [83752|zebra] done [86227|watchfrr] done cat /var/log/frr/frr-reload.log 2024-05-30 07:23:52,336 INFO: /var/run/frr/reload-5VBEZR.txt content ['router bgp 65000\n' ' address-family ipv4 unicast\n' ' neighbor 169.254.185.105 activate\n' ' exit\n' 'exit\n', 'router bgp 65000\n' ' address-family ipv4 unicast\n' ' neighbor 169.254.146.9 activate\n' ' exit\n' 'exit\n', 'line vty\nexit\n', 'router bgp 65000\n' ' address-family ipv4 unicast\n' ' neighbor 169.254.185.105 activate\n' ' exit\n' 'exit\n', 'router bgp 65000\n' ' address-family ipv4 unicast\n' ' neighbor 169.254.146.9 activate\n' ' exit\n' 'exit\n', 'line vty\nexit\n']

@michmoor thanks for your time

@The-Party-of-Hell-No

Thanks for the pointer, I finally got it working using FR. The IPs were being assigned correctly however I had my subnet masks wrong. It has to match the tunnel.

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/client-parameters-radius.html#static-ip-address

@johnpoz

If I give each user a unique IP address in FreeRadius, is this an address from the OVPN IPv4 tunnel network?