Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    FRR - BGP RPKI patch

    Scheduled Pinned Locked Moved FRR
    3 Posts 2 Posters 963 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • mattundM
      mattund
      last edited by mattund

      Hey folks,

      I needed to support RPKI on my own little VPN mesh network, so I've made a patch that adds support in the GUI for RPKI, in BGP, on the lates (GA) pfSense/FRR version pair. As it turns out, pfSense ships with versions of FRR that support RPKI, and that package supports:

      • RTR protocol support (non-TLS)
      • SSH protocol support (RTR over SSH/TLS)

      What is RPKI?
      RPKI is a wonderful way to either secure your public internet routes against signed ROAs, or distribute your own route filtering/whitelist. FAQ on RPKI: https://www.apnic.net/get-ip/faqs/rpki/

      How do I use this in pfSense?
      To turn on RPKI, go to BGP -> Advanced and, under the RPKI section, select the values you want. Then, add cache servers for the RPKI ROA cache servers. I recommend switching on RPKI debugging in that advanced section, as you can see log messages.
      This patch does not have input validation yet. So, be mindful that you use/format IP addresses, host names, ports, timeout values, etc. correctly. Aside from that, business as usual.

      613cf3d1-cdbe-4e04-8ce4-0141cf406c7f-image.png

      78515a9a-8661-4626-865c-262b3346b589-image.png

      How do I run a RTR server?
      You can run your very own RTR server (even in Docker!) with Cloudflare's project GoRTR: https://github.com/cloudflare/gortr. For example, I run mine against a custom ROA file (as it's an internal VPN) with:

      docker run -d --restart always -p 8282:8282 -v /etc/rpki/roas.json:/rpki.json cloudflare/gortr -checktime=false -verify=false -cache=/rpki.json

      Which hosts a non-TLS bare RTR server that can be added in the Cache Servers section in the patched BGP configuration section. As an idea, you can even generate the ROAs on-the-fly for more real-time route filtering, if you want.

      Patch
      I'm open to suggestions, etc., as I'd like to make this into a pull request at some point (and add appropriate input validation) if it makes the most sense to do so.
      Patch file: rpki.patch

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        If you make a pull request for that we can certainly consider it for inclusion. Input validation would be nice but is not strictly required, since that's a work in progress throughout the FRR package.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        mattundM 1 Reply Last reply Reply Quote 1
        • mattundM
          mattund @jimp
          last edited by

          @jimp Thanks Jim, I'll get started on the process of designing a PR soon.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.