Ignore BGP routes
-
I'm having a hard time trying to figure out how to convince the firewall to ignore the accepted BGP routes when I contact a specific WAN port's IP. The issue is it's trying to use a return path from the BGP routing table instead of replying on the interface the traffic originated on. This is a problem when trying to access the GUI on WAN port 3, for example, with ISP 3's IP but using a return path of ISP 2 using ISP 3's IP. I tried a firewall rule of "use ISP 3's gateway" for admin or ICMP, for example, but it ignores it and goes straight to the BGP routing table.
-
@snapcom firewall rules have nothing to do with BGP advertisements.
If you want to ignore BGP routes from a peer, configure a route-map and apply that route-map to the peer you want to ignore routes from.
My suggestion would be to of course do it through the GUI on pfSense.
The vtysh commands are below:

ip prefix-list 1 seq 10 permit x.x.x.x/xx
route-map RM-DENY-ROUTES deny 10
 match ip address prefix-list 1
! a route-map ends in an implicit deny, so without this clause every other route from the peer is dropped as well
route-map RM-DENY-ROUTES permit 20
router bgp <local-AS>
 neighbor x.x.x.x route-map RM-DENY-ROUTES in
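To make the effect of the inbound route-map above concrete, here is an added example (not code from the thread or from FRR) that models how FRR evaluates a prefix-list and a route-map against the routes received from a peer. The prefix-list semantics (exact length match unless ge/le is given), first-match clause evaluation and the implicit deny at the end of a route-map follow FRR's documented behaviour; the prefixes, list names and clause numbers are constructed for illustration. It shows why a route-map consisting only of a deny clause drops every route from the peer, and what changes once an explicit permit clause follows it.

```python
"""Model of FRR prefix-list + route-map evaluation on received BGP routes.

Added example for the thread above; not FRR code. All prefixes, names and
sequence numbers are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrefixListEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "203.0.113.0/24"
    ge: Optional[int] = None    # optional lower bound on prefix length
    le: Optional[int] = None    # optional upper bound on prefix length

    def matches(self, route: str) -> bool:
        """FRR semantics: without ge/le the route must match the prefix exactly;
        with ge/le the route must be inside the prefix and within the bounds."""
        net = ipaddress.ip_network(self.prefix)
        r = ipaddress.ip_network(route)
        if r.version != net.version or not r.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return r.prefixlen == net.prefixlen
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else r.max_prefixlen
        return lo <= r.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry], route: str) -> bool:
    """Evaluate entries in sequence order; unmatched routes hit the implicit deny."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(route):
            return e.action == "permit"
    return False


@dataclass
class RouteMapClause:
    seq: int
    action: str                              # "permit" or "deny"
    match_prefix_list: Optional[str] = None  # None = clause matches every route


def route_map_accepts(clauses: List[RouteMapClause],
                      prefix_lists: Dict[str, List[PrefixListEntry]],
                      route: str) -> bool:
    """First matching clause decides; a route matching no clause is denied."""
    for c in sorted(clauses, key=lambda c: c.seq):
        if c.match_prefix_list is None or \
                prefix_list_permits(prefix_lists[c.match_prefix_list], route):
            return c.action == "permit"
    return False  # implicit deny at the end of every route-map


# Constructed configuration, mirroring the shape of the reply above.
PREFIX_LISTS = {"1": [PrefixListEntry(10, "permit", "203.0.113.0/24")]}

# A route-map with a single deny clause, as one might first write it.
DENY_ONLY = [RouteMapClause(10, "deny", "1")]
# The same route-map followed by an explicit permit-all clause.
DENY_THEN_PERMIT = DENY_ONLY + [RouteMapClause(20, "permit")]

# Constructed sample of routes "received" from the peer.
RECEIVED = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"]


def filter_routes(clauses: List[RouteMapClause],
                  received: List[str] = RECEIVED) -> List[str]:
    """Return the received routes that survive the inbound route-map."""
    return [r for r in received if route_map_accepts(clauses, PREFIX_LISTS, r)]


if __name__ == "__main__":
    print("deny-only route-map accepts:   ", filter_routes(DENY_ONLY))
    print("deny + permit route-map accepts:", filter_routes(DENY_THEN_PERMIT))
```

Running it shows the deny-only map accepting nothing at all, while the deny-then-permit map accepts everything except the prefix named in the prefix-list. The same model can be used to sanity-check a filter before applying it to a live peer by listing the prefixes you expect to receive and confirming which ones survive.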
-
It's not really that issue; I think it's actually closer to this: https://forum.netgate.com/topic/152745/multi-wan-gateway-option-gets-ignored-in-firewall-rule I may try this later on. It does seem to be skipping the default gateway route in the firewall rule.