Good morning,

I'd like to add myself to this request. I have the same problem as @chuskywalker (lost routing to my VoIP service).

Thanks a lot.

Alex G.

@ofloo

We also ran into this issue:

First we deleted /tmp/config.cache
This resulted in a very long boot up time (at starting apcupsd package).
But it finally came up.
https://forum.netgate.com/post/965863

Afterwards we had the issue with no "route map filter" configured on one path.
This was resolved by configuring the "Allow-all" filter like suggested.

https://forum.netgate.com/post/962875

Thanks

@jlauzer

https://www.netgate.com/blog/wireguard-removed-from-pfsense-ce-and-pfsense-plus-software.html

https://www.netgate.com/blog/painful-lessons-learned-in-security-and-community.html

@dutsnekcirf said in Pimd support?:

@612brokeaf I've been interested in getting away from troglobit's pimd package as well and would love to switch to FRR's pimd. The main reason I'm interested in doing so is because I want to avoid using multiple packages by separate developers that could conflict with each other.

Yeah a cleaner solution would be nice, but troglobit's pimd works. MSDP is what I'm really after with FRR's pimd, otherwise the other pimd works fine.

My understanding; however, is that FRR's implementation of PIMD isn't quite as complete as troglobit's pimd.

That's in FreeBSD. FRR isn't as widely used and tested on FreeBSD as it is on Linux (bar pfSense maybe).

Perhaps that's what you meant when you said that you're after SM and not SSM. I'm not quite familiar with the differences there.

I should have stated ASM not SM, still sparse mode. Any Source Multicast - join to *,G(roup) rather than S(ource),G. With SSM there is no need for an RP, you just send joins towards the source. I need static RPs so BSR is of not much use for me.

I need to eliminate slow start for multicast so I'm looking at FRR's pimd mostly because of MSDP, so I can have local RPs / anycast RP between sites. Right now I am forced to place the RP in one location, with loss or resiliency under failure conditions. I may be forced to use BSR.

Anyhow, over years of using pfSense I think I've learned to trust their judgement more. If a package is not available, 4/5 chance it's for a good reason.

I would still ove to hear from the team re. how frequent multicast requirements are, especially for non-local distribution. PfSense is seen as a security/fw first, routing second, type of platform.

@marcus_1302 it wasn’t very clear because you said you were trying to actually install it, not just document the last version to support it. Glad you got your answer. But yeah, check out the dynamic routing with FRR hangout (https://youtu.be/4IlKcB17rWk), Jim talks a bit about converting OpenBGPd installs to FRR.

@ulrik said in Filter some routes:

You may check the raw configuration in frr.conf, does it make any changes in the configuration when this option is selected? Furthermore if you dont want to distribute any routes, why should it be listed in the interfaces?

BFD labels removed from FRR WebGUI

see https://redmine.pfsense.org/issues/11477

Please update to FRR 1.1.0_6

fixed in FRR 1.1.0_6

@viktor_g

Hello,

I go my config to work by deleting all the route maps, acls, and prefix lists.

I have a bunch of pfsense firewalls that i'm upgrading and will be sending logs.

Ty,
Sean

@yon-0 feature request created: https://redmine.pfsense.org/issues/11405

@oremountain Usually it is the better choice to setup bgp with loopback adapters - I was just to lazy to configure an additional interface and static routes for each IPsec peer.

Maybe you try to reconfigure one peer bgp session directly on a VTI Interface, see if it helps.

https://redmine.pfsense.org/issues/10816

@zawi thats my setup from the beginning.
IPSEC with VTI.
Virtual CARP IP Address for both Firewalls.
BGP Listening on CARP IP.

edit: CARP IP is on WAN, not the VTI or something.

Do you mean you are going to use FRR over IPsec?

@avvero

VXLAN isn't available on pfSense in any stable Release yet. According to release notes it will be implemented in version 2.5.0.

@wavesound see pfSense 2.5 FRR version

Screenshot from 2021-01-13 13-50-35.png

the best way(if you have more than one WAN is to assign VIP to localhost then use it as updating source of BGP.

In case anyone stumbles across this. The solution is to create a rule on the LAN interface that uses the "default" gateway for packets headed toward subnets that live on the other side of the VTI tunnels. This new rule needs to be higher in the list than the rule that you create which redirects incoming packets to a gateway group.

not an issue anymore https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound:
CHANGELOG:

Add Localhost at the default DNSBL Listening interface
(Suggest all existing users change to this interface)

Not sure where to go with this, is it not possible, do I need to submit it as a feature request instead?

Pfsense FRR is based on this :

https://github.com/FRRouting/frr/releases

we need an updated package from time to time.

After Gui blew up, I restarted 11/16, I disabled xagent on both the Global and BGP level.

IT reset BGP which should be a bug....

But after removing xagent BGP peered, I checked the BGP status and all worked well, same with the Global(all) status.

So somehow I have something configured wrong or xagent enabled break Gui.
Any takers?

Sounds like you might have created an asymmetric routing situation having nothing to do with BGP (other than distributing routes as instructed).

FRR has some outdated documention, ospfv3 with areas should work. Alternative solutions are depending on your environment and size of your networks. Its all about static vs dynamic routes. If you dont have lots of routes (eg. less then 50) ospfv3 isnt worth the efforts and time. If you are dealing with more routes, you have usually dedicated routers in place, which can handle ospfv3 very well, in this case is no need for FRR on pfsense.

On VirtualBox 6.1.14, with the exact same pfSenseVM, but one of the interfaces changed from 82540EM to virtio, I still see the configured IPv6 address used as the source OSPF6 address, so changed the vNIC type didn't change the behavior.

However, the funny thing is that I then added two new vNICs to the VM (one 82540EM and one virtio) and then configured an IPv6 address and OSPF6 on both. Lo and behold, both new interfaces send out OSPF6 Hellos with the link-local address!

I compared the interface and frrospf6dinterfaces>config sections for those interfaces and they're the same as the interface that use the configured IPv6 address. I really can't explain the behavior in difference that I'm observing.

! address-family ipv6 unicast network 2606:0000:a100::/56 network 2606:0000:a101::/56 neighbor 2606:0000:a120:5::12 activate neighbor 2606:0000:a120:5::13 activate no neighbor 2606:0000:a120:5::13 send-community exit-address-family !

So i changed the above to remove the route-map

And this allowed peering to come online.

Yes, test that patch if you're able to. It's also reported in the thread @pete35 linked to above.

The correct way to go about this is to open a bug report if you have found a bug:
https://redmine.pfsense.org/

Or add to an existing bug if there is one. It sounds like there may well be if what you're reporting affects a lot of users. But we can always merge or link them.

That way it can be tracked and seen by developers.

Steve

@Gcon, YES!

I was able to get it working. In fact, we built it out to cover sites in the US, Europe and the Asia Pacific areas. The failover works quite nicely.

It's been some time since I made the original post, so my memory is a little foggy. I can't remember the exact setting I changed to get it to work. But it can be done.

That client had some internal personnel shake-ups so I don't work on their systems anymore, but the last automated report I saw indicated they were still using it through the pandemic.

DM me and I see what I can do to help.

The route map name must have no spaces, and you could only use alphanumeric characters and/or hyphens (no underscores). Otherwise the route map won't work.

@Elegant Good to hear you got it sorted out. Which pfsense plugin was it frr or openbgpd?

I don't think it is possible in the GUI because I have looked as well. For this sort of thing I have always just resorted to the staticd raw config.