@Napsterbater , Good morning, how are you?

This is also my understanding, but my question is "how to configure this" in FRR. I didn't find where to make these settings through the graphical interface. Can you help me?

@jimp Thanks Jim, I'll get started on the process of designing a PR soon.

Not currently. The script where it's called does not have any information which would allow it to make that kind of decision.

The reason for my IPv6 OSPFv3 neighbours not coming up was because I had configured gateway. I was staring right at the answer yet I had overlooked it numerous times...

"If this interface has a gateway, rules on this interface will have reply-to by default. This will interfere with the operation of OSPFv3 on the interface. Add a rule at the top of the ruleset for this interface to pass IPv6 OSPF traffic with Disable reply-to checked in Advanced Options."

Also works well with the gateway removed. (Was using the gateway for failover static routes)

Not strictly the topic of why this thread was opened in the first place but nevertheless thought best to come back and update on my experience.

You can use the any6 keyword there to match any for IPv6.

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-frr/files/usr/local/pkg/frr/inc/frr_zebra.inc#L265

It's a different issue than your other thread. I'll reply over there shortly after this. Route-maps in general don't have a lot of testing done since they are so complicated. It's neigh impossible to attempt to test all combinations of things there. IPv6 doesn't see as much testing because there aren't many people actively using it compared to IPv4.

Open a bug report at https://redmine.pfsense.org/projects/pfsense-packages with the specific settings you have for the prefix-list and route-map, at least enough information to reproduce the issue. I'll have a look at it next time I'm working on FRR.

@nzkiwi68 Thanks for your answer! I know that pfSense is designed as an active passive arrangement.
In the end I configured it this way. Only the active Firewall has a BGP session to each provider and it's working fine.

Just stumbled over the explanation in the docs https://docs.netgate.com/pfsense/en/latest/packages/openbgpd-package.html and thought there should be active BGP sessions on both firewalls.

Anyway thanks for the help here!

Thanks, I'm happy that it's quite a simple setup, one set of ACL's to manage for the routes distributed.

It's working great.

Thank you and the whole pfSense team!

I also confirm. Package update solves the problem. Thanks @jimp.

If you are on CE or Factory 2.4.4-p3, the new package is up now. CE snapshots will have it whenever the next new build happens. Factory snapshots will get the new version a little later, there are some changes we need to make to accommodate the 2019Q3 ports branch merge yet.

Meanwhile i tried your 2nd suggested workaround, and after a while i got it to work.

What have i done?

turned off redistribution of connected networks (be careful, you might loose access to the device) under "OSPF Areas", i created Area 1 with the ID of 0.0.0.1 entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix
", this matches the subnet entered to OpenVPN under "Tunnel Settings" -> IPv4 Tunnel Network under "OSPF Interfaces" i set the ovpn interface to be in Area 1 marked it as "Interface is Passive", because vpn clients do not need to participate in OSPF and i changed the network type from "Not specified (default)" to "Point - multipoint"

With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from LAN from the beginning (after auth and a few basic thing was set up).

If i left the interface type on default or set it to point-to-point, there was nothing advertised from Area 1 , other types seemingly did the trick. From the working ones i picked P-MP which sounds OK for the VPN clients subnet.

If i removed the summary from Area 1 config, and the if type was "p-mp" or any of the working iftypes from aboove, there was only a /32 host route announced with the ovpn server address, despite a few clients were connected. The iftypes which yielded no redistribution, still remained silent irregardless of the value of the summary network.

FYI- FRR 0.6, now available on 2.5.0 snapshots, also has an option on interfaces to ignore MTU, which can also work around these sorts of issues.

I created a new subcategory under pfSense Packages for FRR. I ran some searches and found a lot more posts than I thought, but most were misfiled under Routing & Multi-WAN. I dropped a sticky there letting people know that routing package questions need to go under packages.

If you're reading this, you're already here, but the URL for the new FRR subcategory is: https://forum.netgate.com/category/79/frr

You'll have to allow more than OSPF and ping to allow traffic to flow over the 172.16.10.0/30 connection. Allow IPv4 traffic.

How is your gateway defined on ro2?

That should only affect cleartext passwords. I added a note to the issue and reset the status.

Upon further investigation, and finding this thread:

https://github.com/FRRouting/frr/issues/1617

I was able to confirm that the frr package in pfSense is not compiled with support for snmp:

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: vtysh Hello, this is FRRouting (version 5.0.2). Copyright 1996-2005 Kunihiro Ishiguro, et al. pfSense.localdomain# show modules Module information for zebra: Module Name Version Description libfrr 5.0.2 libfrr core module zebra 5.0.2 zebra daemon Module information for bgpd: Module Name Version Description libfrr 5.0.2 libfrr core module bgpd 5.0.2 bgpd daemon pfSense.localdomain#

According to the ouput in the link, there should be a lines that look like this:

zebra_snmp 5.0.2 zebra AgentX SNMP module bgpd_snmp 5.0.2 bgpd AgentX SNMP module

It also appears net-snmpd is creating the Agent socket with permissions that wouldn't allow the frr user to connect, even if snmpd support was compiled in:

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: ps aux | grep frr frr 55620 0.0 0.6 12232 6496 - Is 18:17 0:00.01 /usr/local/sbin/zebra -d -f /var/etc/frr/zebra.conf frr 56009 0.0 1.0 21588 9668 - Is 18:17 0:00.01 /usr/local/sbin/bgpd -d -f /var/etc/frr/bgpd.conf [2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: ls -l total 0 srwxr-xr-x 1 root wheel 0 May 10 15:17 master

I chmod 777'ed it just an experiment, but still no joy.

So where do I go from here? Two feature requests on Redmine? A feature request and a bug? I'd like to think that Netgate would be very interested in addressing these two issues, as it's highly desirable functionality (SNMP monitoring) of one of the core uses cases for pfSense (BGP/OSPF routing).

Thanks again!