Gateways, FRR and the multi-WAN solution



  • Hi all,

    I'm having some trouble understanding the role of assigning a gateway to an interface when one gets installed by an IP routing manager such as Zebra in the FRR package.

    I have a pfSense VM and have installed FRR. I've configured it to talk to two BGP neighbours for redundancy. They do this over the WAN - i.e. all on the same /29. Each of these neighbours provide a gateway to the internet. I use local BGP weights to preference one over the other.

    When I look at Diagnostics -> Routes, the gateway there is the one defined by System -> Routing -> Default Gateway IPv4. While it happens to be one of the neighbours, it's not the one I have preferenced. Is there a way to install a default route advertised by either of the BGP neighbours?

    Or am I doing this wrong and just use gateway groups (consisting of both the neighbours) instead and just ditch FRR/BGP altogether?

    The other thing I'd like to ask is what are the implications if I do/don't have a gateway defined under the WAN interface itself? I know that if there is no gateway defined then no automatic outbound NAT rules get created. Does this mean NAT is not happening before a packet leaves when entering from a LAN-like interface? Will outbound NAT rules get applied if I manually create them?

    Right now, I don't have a gateway defined under the WAN interface even though one is defined under System -> Routing -> Default Gateway. Yet from the outside, I can still get to my internal webservers via 1:1 NAT and appropriate firewall ACLs. I assume this is because it creates implicit rules to allow traffic back out like most firewalls do? If so, then is outbound NAT solely for traffic originating from a LAN-like interface and leaving the WAN interface?

    Thanks for your patience!



  • *"
    Hi all,

    I'm having some trouble understanding the role of assigning a gateway to an interface when one gets installed by an IP routing manager such as Zebra in the FRR package.

    I have a pfSense VM and have installed FRR. I've configured it to talk to two BGP neighbours for redundancy. They do this over the WAN - i.e. all on the same /29. Each of these neighbours provide a gateway to the internet. I use local BGP weights to preference one over the other.

    When I look at Diagnostics -> Routes, the gateway there is the one defined by System -> Routing -> Default Gateway IPv4. While it happens to be one of the neighbours, it's not the one I have preferenced. Is there a way to install a default route advertised by either of the BGP neighbours?"*

    Hello there! You have to know that there is a concept called AD which stands for administrative distance. AD used as a way to choose a route among other competing routes. So in case you define a default route from pfsense WebGUI actually you define a static default route. While default routes defined by BGP are dynamically defined. Here you have to now that the "AD of static default routes have a lower AD(lower means better in terms of AD) than BGP-learned routes. That is why the default route defined statically is the route according to which your traffic being forwarded to.

    Check out this link for further details about AD concept

    So to get route this issue simply don't define any "default routes" and pfsnse will route traffic according to BGP-learned routes assuming there are no "better" routes in the IP routing table.

    "Or am I doing this wrong and just use gateway groups (consisting of both the neighbours) instead and just ditch FRR/BGP altogether?"

    Well the answer depends on your needs. And by the way the gateway group is not an alternative to BGP protocol. If all you need a fail-over from one WAN to another one you can use gateway groups. No need for BGP at all. BGP is used for something very different although it can be used to receive default routes from ISP but actually you are wasting computing resources running BGP only for receiving defaults routes. If you need to traffic specific traffic for specific destinations over specific WAN then BGP is the answer assuming those destinations are changing dynamically.

    "The other thing I'd like to ask is what are the implications if I do/don't have a gateway defined under the WAN interface itself? I know that if there is no gateway defined then no automatic outbound NAT rules get created. Does this mean NAT is not happening before a packet leaves when entering from a LAN-like interface? Will outbound NAT rules get applied if I manually create them?"

    If you know what you do I guess you would face no issues with not designating an interface as WAN. for instance if know when NAT comes into play you really know when you have to use it. But in case you don't know about NAT and you simply attach your Internet access to an interface which is not designated as WAN then you would go into trouble by not being able to access the Internet. So designating an interface as WAN instruct pfsense to make a few assumptions such as, any traffic out of WAN interface should be NATed, WAN interface should be the default route.. etc.

    "Right now, I don't have a gateway defined under the WAN interface even though one is defined under System -> Routing -> Default Gateway. Yet from the outside, I can still get to my internal webservers via 1:1 NAT and appropriate firewall ACLs. I assume this is because it creates implicit rules to allow traffic back out like most firewalls do? If so, then is outbound NAT solely for traffic originating from a LAN-like interface and leaving the WAN interface?"

    Yes. pfsense behaves that way. You can even disable the auto-creation for ACLs which allow reply back connections.

    I guess a better question is this. When does NAT come into play? And the answer simply defined under Firewall->NAT->Outbound. That section tells you which traffic being NATed.