OpenBGP routes not getting installed
I've established OpenBGP peering over IPSec to 2 different Azure Vnet gateways (each in separate Vnets). I see routes coming from each of them in the openbgp stats page:
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination        gateway          lpref   med aspath origin
AI*>  192.168.0.0/22     0.0.0.0            100     0 i
      192.168.252.0/24   192.168.252.254    100     0 65200 i
      192.168.253.0/24   192.168.252.254    100     0 65200 i
      192.168.254.0/24   192.168.254.254    100     0 65100 i
      192.168.255.0/24   192.168.254.254    100     0 65100 i
However, for whatever reason, these routes are not making it into the pfSense's routing table in diagnostics->routing, or in results from
netstat -nr
so my LAN devices cannot reach into my Azure Vnets. Oddly enough, Azure was sending me a /32 of my pfSense's local BGP peer IP; I was able to get that removed from the table above using
deny from any prefix { 0.0.0.0/0, 192.168.1.1/32 }
so at least we know the filtering is working. But why aren't the routes installed? (I do have
fib-update yes
in the config)
Not sure if I'm supposed to manually create an SA for the bearer traffic (between 192.168.0.0/22 and 192.168.255.0/24) to go along with the SA I created between the BGP peer IPs?
I noticed I was not getting any encrypted traffic out my wan interface when trying to ping from 192.168.0.0/22 to 192.168.255.0/24, so I did add an additional SA between 192.168.0.0/22 and 192.168.255.0/24 in pfsense, and now I do see encrypted traffic when I ping, but still no routes in
netstat -nr
, so this leaves me a bit concerned as to whether or not I'll have good BGP routing resilience in the first place...
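
The flag legend in the listing above can be applied mechanically to see which prefixes carry the Valid and Selected marks. The following is an added example, not part of the original post and not OpenBGPD or pfSense code: it parses the listing (aligned or run together on one line) and splits prefixes by flags. It assumes that only rows flagged both `*` and `>` are candidates for the kernel table; the function names are hypothetical and the sample is the output quoted in the post.

```python
import re

# One RIB row: optional flags, prefix, gateway, lpref, med, AS path, origin.
ROW = re.compile(
    r"(?:([AIS*>]+)\s+)?(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+"
    r"((?:\d+\s+)*)([ie?])(?!\S)"
)

def parse_rib(text):
    """Return one dict per route row; legend and header lines never match."""
    routes = []
    for m in ROW.finditer(text):
        flags, prefix, gateway, lpref, med, aspath, origin = m.groups()
        routes.append({
            "flags": flags or "",          # empty string when the column is blank
            "prefix": prefix,
            "gateway": gateway,
            "lpref": int(lpref),
            "med": int(med),
            "aspath": [int(asn) for asn in aspath.split()],
            "origin": origin,
        })
    return routes

def fib_candidates(routes):
    """Prefixes marked Valid (*) and Selected (>). Assumption: only these are installable."""
    return [r["prefix"] for r in routes if "*" in r["flags"] and ">" in r["flags"]]

def not_selected(routes):
    """Learned prefixes missing the Valid or Selected flag, with their next hop."""
    return [(r["prefix"], r["gateway"]) for r in routes
            if not ("*" in r["flags"] and ">" in r["flags"])]

# Sample: the listing quoted in the post.
SAMPLE = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination        gateway          lpref   med aspath origin
AI*>  192.168.0.0/22     0.0.0.0            100     0 i
      192.168.252.0/24   192.168.252.254    100     0 65200 i
      192.168.253.0/24   192.168.252.254    100     0 65200 i
      192.168.254.0/24   192.168.254.254    100     0 65100 i
      192.168.255.0/24   192.168.254.254    100     0 65100 i
"""

if __name__ == "__main__":
    rib = parse_rib(SAMPLE)
    print("candidates:", fib_candidates(rib))
    for prefix, gateway in not_selected(rib):
        print("not valid/selected:", prefix, "via", gateway)
```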