@heper Nevermind, got it figured out. I had to add mess with the Firewall rules on the LAN side and change some Mappings on the WAN side to accommodate for the fact that none of the subnets we're trying to route/NAT were local to the netgate.

@sbtech Perhaps "route-map Allow-All permit 100" should call a prefix-list which matches everything:

route-map Allow-All permit 100
match ip address prefix-list ALLOW-ALL

ip prefix-list ALLOW-ALL sq 5 permit any

I have found that in pfSense 2.5.x - the FRR has some differences compared to older rules when it comes to implicit permits and denys, so things have to spelled out explicitly now.

When you say traffic is not getting routed back you are talking about traffic coming from the internet back in to your network?

You have two different ISPs, with two different public IP addresses yes? Are you doing anything to maintain state? If your routes are equally weighted, sometimes packets may go out one or the other ISP making it hard to establish a TCP session.

Is there a reason you are using two separate firewalls, and not connecting both ISPs to the same firewall?

As for the static routes, all the routes you are showing us are from which device? It appears to be routing everything to 192.168.200.2 which is which device? and what do the routing tables on 192.168.200.2 look like?

Good morning,

I'd like to add myself to this request. I have the same problem as @chuskywalker (lost routing to my VoIP service).

Thanks a lot.

Alex G.

@ofloo

We also ran into this issue:

First we deleted /tmp/config.cache
This resulted in a very long boot up time (at starting apcupsd package).
But it finally came up.
https://forum.netgate.com/post/965863

Afterwards we had the issue with no "route map filter" configured on one path.
This was resolved by configuring the "Allow-all" filter like suggested.

https://forum.netgate.com/post/962875

Thanks

@jlauzer

https://www.netgate.com/blog/wireguard-removed-from-pfsense-ce-and-pfsense-plus-software.html

https://www.netgate.com/blog/painful-lessons-learned-in-security-and-community.html

@dutsnekcirf said in Pimd support?:

@612brokeaf I've been interested in getting away from troglobit's pimd package as well and would love to switch to FRR's pimd. The main reason I'm interested in doing so is because I want to avoid using multiple packages by separate developers that could conflict with each other.

Yeah a cleaner solution would be nice, but troglobit's pimd works. MSDP is what I'm really after with FRR's pimd, otherwise the other pimd works fine.

My understanding; however, is that FRR's implementation of PIMD isn't quite as complete as troglobit's pimd.

That's in FreeBSD. FRR isn't as widely used and tested on FreeBSD as it is on Linux (bar pfSense maybe).

Perhaps that's what you meant when you said that you're after SM and not SSM. I'm not quite familiar with the differences there.

I should have stated ASM not SM, still sparse mode. Any Source Multicast - join to *,G(roup) rather than S(ource),G. With SSM there is no need for an RP, you just send joins towards the source. I need static RPs so BSR is of not much use for me.

I need to eliminate slow start for multicast so I'm looking at FRR's pimd mostly because of MSDP, so I can have local RPs / anycast RP between sites. Right now I am forced to place the RP in one location, with loss or resiliency under failure conditions. I may be forced to use BSR.

Anyhow, over years of using pfSense I think I've learned to trust their judgement more. If a package is not available, 4/5 chance it's for a good reason.

I would still ove to hear from the team re. how frequent multicast requirements are, especially for non-local distribution. PfSense is seen as a security/fw first, routing second, type of platform.

@marcus_1302 it wasn’t very clear because you said you were trying to actually install it, not just document the last version to support it. Glad you got your answer. But yeah, check out the dynamic routing with FRR hangout (https://youtu.be/4IlKcB17rWk), Jim talks a bit about converting OpenBGPd installs to FRR.

@ulrik said in Filter some routes:

You may check the raw configuration in frr.conf, does it make any changes in the configuration when this option is selected? Furthermore if you dont want to distribute any routes, why should it be listed in the interfaces?

BFD labels removed from FRR WebGUI

see https://redmine.pfsense.org/issues/11477

Please update to FRR 1.1.0_6

fixed in FRR 1.1.0_6

@viktor_g

Hello,

I go my config to work by deleting all the route maps, acls, and prefix lists.

I have a bunch of pfsense firewalls that i'm upgrading and will be sending logs.

Ty,
Sean

@yon-0 feature request created: https://redmine.pfsense.org/issues/11405

@oremountain Usually it is the better choice to setup bgp with loopback adapters - I was just to lazy to configure an additional interface and static routes for each IPsec peer.

Maybe you try to reconfigure one peer bgp session directly on a VTI Interface, see if it helps.

https://redmine.pfsense.org/issues/10816

@zawi thats my setup from the beginning.
IPSEC with VTI.
Virtual CARP IP Address for both Firewalls.
BGP Listening on CARP IP.

edit: CARP IP is on WAN, not the VTI or something.

Do you mean you are going to use FRR over IPsec?