You can use the any6 keyword there to match any for IPv6.

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-frr/files/usr/local/pkg/frr/inc/frr_zebra.inc#L265

It's a different issue than your other thread. I'll reply over there shortly after this. Route-maps in general don't have a lot of testing done since they are so complicated. It's neigh impossible to attempt to test all combinations of things there. IPv6 doesn't see as much testing because there aren't many people actively using it compared to IPv4.

Open a bug report at https://redmine.pfsense.org/projects/pfsense-packages with the specific settings you have for the prefix-list and route-map, at least enough information to reproduce the issue. I'll have a look at it next time I'm working on FRR.

@nzkiwi68 Thanks for your answer! I know that pfSense is designed as an active passive arrangement.
In the end I configured it this way. Only the active Firewall has a BGP session to each provider and it's working fine.

Just stumbled over the explanation in the docs https://docs.netgate.com/pfsense/en/latest/packages/openbgpd-package.html and thought there should be active BGP sessions on both firewalls.

Anyway thanks for the help here!

Thanks, I'm happy that it's quite a simple setup, one set of ACL's to manage for the routes distributed.

It's working great.

Thank you and the whole pfSense team!

I also confirm. Package update solves the problem. Thanks @jimp.

If you are on CE or Factory 2.4.4-p3, the new package is up now. CE snapshots will have it whenever the next new build happens. Factory snapshots will get the new version a little later, there are some changes we need to make to accommodate the 2019Q3 ports branch merge yet.

Meanwhile i tried your 2nd suggested workaround, and after a while i got it to work.

What have i done?

turned off redistribution of connected networks (be careful, you might loose access to the device) under "OSPF Areas", i created Area 1 with the ID of 0.0.0.1 entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix
", this matches the subnet entered to OpenVPN under "Tunnel Settings" -> IPv4 Tunnel Network under "OSPF Interfaces" i set the ovpn interface to be in Area 1 marked it as "Interface is Passive", because vpn clients do not need to participate in OSPF and i changed the network type from "Not specified (default)" to "Point - multipoint"

With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from LAN from the beginning (after auth and a few basic thing was set up).

If i left the interface type on default or set it to point-to-point, there was nothing advertised from Area 1 , other types seemingly did the trick. From the working ones i picked P-MP which sounds OK for the VPN clients subnet.

If i removed the summary from Area 1 config, and the if type was "p-mp" or any of the working iftypes from aboove, there was only a /32 host route announced with the ovpn server address, despite a few clients were connected. The iftypes which yielded no redistribution, still remained silent irregardless of the value of the summary network.

FYI- FRR 0.6, now available on 2.5.0 snapshots, also has an option on interfaces to ignore MTU, which can also work around these sorts of issues.

I created a new subcategory under pfSense Packages for FRR. I ran some searches and found a lot more posts than I thought, but most were misfiled under Routing & Multi-WAN. I dropped a sticky there letting people know that routing package questions need to go under packages.

If you're reading this, you're already here, but the URL for the new FRR subcategory is: https://forum.netgate.com/category/79/frr

You'll have to allow more than OSPF and ping to allow traffic to flow over the 172.16.10.0/30 connection. Allow IPv4 traffic.

How is your gateway defined on ro2?

That should only affect cleartext passwords. I added a note to the issue and reset the status.

Upon further investigation, and finding this thread:

https://github.com/FRRouting/frr/issues/1617

I was able to confirm that the frr package in pfSense is not compiled with support for snmp:

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: vtysh Hello, this is FRRouting (version 5.0.2). Copyright 1996-2005 Kunihiro Ishiguro, et al. pfSense.localdomain# show modules Module information for zebra: Module Name Version Description libfrr 5.0.2 libfrr core module zebra 5.0.2 zebra daemon Module information for bgpd: Module Name Version Description libfrr 5.0.2 libfrr core module bgpd 5.0.2 bgpd daemon pfSense.localdomain#

According to the ouput in the link, there should be a lines that look like this:

zebra_snmp 5.0.2 zebra AgentX SNMP module bgpd_snmp 5.0.2 bgpd AgentX SNMP module

It also appears net-snmpd is creating the Agent socket with permissions that wouldn't allow the frr user to connect, even if snmpd support was compiled in:

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: ps aux | grep frr frr 55620 0.0 0.6 12232 6496 - Is 18:17 0:00.01 /usr/local/sbin/zebra -d -f /var/etc/frr/zebra.conf frr 56009 0.0 1.0 21588 9668 - Is 18:17 0:00.01 /usr/local/sbin/bgpd -d -f /var/etc/frr/bgpd.conf [2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: ls -l total 0 srwxr-xr-x 1 root wheel 0 May 10 15:17 master

I chmod 777'ed it just an experiment, but still no joy.

So where do I go from here? Two feature requests on Redmine? A feature request and a bug? I'd like to think that Netgate would be very interested in addressing these two issues, as it's highly desirable functionality (SNMP monitoring) of one of the core uses cases for pfSense (BGP/OSPF routing).

Thanks again!

@jimp of course there is. Because that is the most logical place to put it that I wouldn't look without enough coffee. It actually makes perfect sense because you can do route maps for both frr and zebra from the same interface. Once I figured that out it all just worked. Thanks for the tip.

@gislaved

OPNsense 19.1.6-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

I did more work yesterday and got ospf now working. Initially the opnsense fw connected right out from the initial install to my ubuntu frr ospf on the LAN interface. However after a few hours of configuration and setting up rules and interfaces, I noticed OSPF to be down.

by tracing back my steps, on my setup the CARP interface was the issue, apparently you cannot have a virtual carp interface for redundancy and ospf on the same interface. I noticed the "ununumbered" interface on interfaces having CARP enabled:

"This interface is UNNUMBERED, Area 0.0.0.0,No Hellos (Passive interface),No Hellos (Passive interface)"

As soon as I deleted the CARP config, OSPF came up. My solution was to add a new VLAN interface between the firewalls and all servers in need to custom gateways and run OSPF for routing sync there.

last but not least, the OSPF config seems to be very picky, make sure all interfaces are set to broadcast on ethernet connections. In my setup I got a pfsense firewall, one opnsense firewall and several ubuntu VMs connected.

Might be unique to FRR. FRR forked from quagga but it does have several ways that it differs. The config sytnax is still very similar so you can compare the ospf and zebra config files to see if there is some different option setup between them.

It's possible that the quagga made an assumption that is now an optional behavior in the FRR package, which could explain the difference.