Hi,
I have you correct your problem?

I migrate to 2.5.1 : I had ipv4 route but no ipv6 route with bgp
I had route maps and prefix lists on neighbors with no success

have you an configuration example ?

Very strange, I use pfSense 2.4.5-p1, 2.5.1-REL, 2.5.2-RC, 2.6.0-DEV with FRR doing BGP and this issue has always been solvable.

Only showstopper I have come across these past few weeks is https://redmine.pfsense.org/issues/11545 - If you assign virtual IPv6 addresses to WAN, FRR in pfSense may decide to use one of them for outbound communication, even to your BGP peers which will usually result in the session stuck in "active" and not getting "established" because the peer expects you to come from a specific address.

As an update, I have done some more troubleshooting on the issue:

Switching to static routes over the VTI tunnel works. Using regular tunnel IPv4 also works Its only when we use FRR via OSPF (have not tested BGP) that traffic does not flow between hub and spoke.

Topology is 1 Hub (virtual) with 3 spokes (2 virtual, 1 physical pfSense). Its the physical pfSense spoke that is having issue

Enable IPsec MSS Clamping with different values, 1400, 1350, 1200, etc. on both hub and spoke and no issue. Also adjusted the VTI MTU value as well with no luck

Both sides are using AES-NI CPU Crypto. Enable/Disabling this has no effect

Both sides are using IPsec Asynchronous Cryptography. Enable/Disabling this has no effect

Tried different P2 encryption options but no luck. Currently using

P1: AES128-GCM (128 bits) AES-XCBC via 14 (2048) DH Group P2: ESP AES128-GCM (128 bits) PFS Group: 14 (2048). NO Hash algorithms

It appears another user on Reddit is facing similar issues: https://www.reddit.com/r/PFSENSE/comments/mzab6v/251_and_ipsec_vti/

Any ideas why FRR and OSPF is not sending traffic over the network? What troubleshooting steps can I take to debug this further?

@ghezzino

This is off topic in the FRR category.

I opened a chat.

@zawi FRR OSPF in 2.5.1 in the overview screen: E.g. I don't know what Interface opt2 or opt3 is, if i do not enter a description manually. It would be very helpful to show the interface description from pfsense in this screen as well. Like:

opt2 ('Description from pfSense') => opt2 (OpenVPNS1)

Unbenannt.PNG

@kom Oh nice. Didn't see that. Thanks.

@jimp

That worked absolutely perfectly. Thanks!

My Fault.
in AS PATH BGP i configure "set" instead of "set prepend".

You need to install the System Patches package: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
And apply Patch ID 7dbe76cd5756082cbd67db1b93acb606ad84996e

Then you need to reinstall the FRR package.

see https://redmine.pfsense.org/issues/11290#note-12

@haritha-ramesh I was able to sort out this issue. Needed to configure global dynamic routing on my google side, as the new range was a different region.

I created a new topic, not sure if the problem I'm experiencing is related. https://forum.netgate.com/topic/163343/bgp-routes-not-updating-after-ipsec-p2-change

@heper Nevermind, got it figured out. I had to add mess with the Firewall rules on the LAN side and change some Mappings on the WAN side to accommodate for the fact that none of the subnets we're trying to route/NAT were local to the netgate.

@sbtech Perhaps "route-map Allow-All permit 100" should call a prefix-list which matches everything:

route-map Allow-All permit 100
match ip address prefix-list ALLOW-ALL

ip prefix-list ALLOW-ALL sq 5 permit any

I have found that in pfSense 2.5.x - the FRR has some differences compared to older rules when it comes to implicit permits and denys, so things have to spelled out explicitly now.

When you say traffic is not getting routed back you are talking about traffic coming from the internet back in to your network?

You have two different ISPs, with two different public IP addresses yes? Are you doing anything to maintain state? If your routes are equally weighted, sometimes packets may go out one or the other ISP making it hard to establish a TCP session.

Is there a reason you are using two separate firewalls, and not connecting both ISPs to the same firewall?

As for the static routes, all the routes you are showing us are from which device? It appears to be routing everything to 192.168.200.2 which is which device? and what do the routing tables on 192.168.200.2 look like?

Good morning,

I'd like to add myself to this request. I have the same problem as @chuskywalker (lost routing to my VoIP service).

Thanks a lot.

Alex G.

@ofloo

We also ran into this issue:

First we deleted /tmp/config.cache
This resulted in a very long boot up time (at starting apcupsd package).
But it finally came up.
https://forum.netgate.com/post/965863

Afterwards we had the issue with no "route map filter" configured on one path.
This was resolved by configuring the "Allow-all" filter like suggested.

https://forum.netgate.com/post/962875

Thanks