FRR BGP issue once upgraded from 2.4.5-p1 to 2.5.0-RC
-
I am announcing a /48 with FRR on 2.4.5-p1. After upgrading to 2.5.0-RC, the /48 route has been withdrawn, but status shows all good.
The sanitized config I had working on 2.4.5-p1:
FRR zebra.conf

```
##################### DO NOT EDIT THIS FILE! ######################
###################################################################
# This file was created by an automatic configuration generator.  #
# The contents of this file will be overwritten without warning!  #
###################################################################
password 2h2h4432kj452
log syslog
```

FRR bgpd.conf

```
##################### DO NOT EDIT THIS FILE! ######################
###################################################################
# This file was created by an automatic configuration generator.  #
# The contents of this file will be overwritten without warning!  #
###################################################################
password phahceix2Eudic5
log syslog

# BGP Config
router bgp 64500
 bgp log-neighbor-changes
 bgp router-id 12.34.136.51
 address-family ipv6 unicast
  network 2001:DB81:13f::/48
 exit-address-family

 # BGP Neighbors
 neighbor 2001:DB88:0100:2d88::8bfa remote-as 64501
 neighbor 2001:DB88:0100:2d88::8bfa description LAX
 neighbor 2001:DB88:0100:2d88::8bfa update-source 2001:db83:4c0:100:2d88::8833
 neighbor 2001:DB88:0100:2d88::8bfa password v3h4ddxX
 address-family ipv6 unicast
  neighbor 2001:DB88:0100:2d88::8bfa activate
  no neighbor 2001:DB88:0100:2d88::8bfa send-community
  neighbor 2001:DB88:0100:2d88::8bfa soft-reconfiguration inbound
 exit-address-family
```
I can assign an address from the announced space in Firewall - IP Alias - WAN and ping it successfully.
Once I upgrade to 2.5.0-RC I can see BGP session "Established" but the route has been withdrawn!
Replicated on two systems in two different locations.
Expected behavior:
- 2.4.5-p1's frr7-7.3.1 configuration is migrated to a working frr7-7.5_1 configuration during upgrade to 2.5.0-RC.
- Status -> FRR -> BGP IPv6 Routes showing the correct route and Status -> FRR -> BGP neighbors showing BGP state = Established, the route should be up.
Actual Behavior:
While there were no errors and everything is showing OK, the route is not being announced.
I will start looking at changes between the two versions of FRR and try to figure out what went wrong. Will report back if I can figure it out. Grateful for any pointers in the meantime.
-
-
Seems not a pfSense issue. Only need to update documentation / FAQ.
What I found:
Between FRR versions 7.3 and 7.5 some things changed:
- RFC8212 is now enforced by default.
- frr defaults datacenter becomes frr defaults traditional
- Related items: bgp ebgp-requires-policy is now enabled by default as is bgp network import-check
The UI in pfSense 2.5.0-RC exposes bgp network import-check and it is off by default, however the underlying default of frr defaults traditional means that this check is automatically enabled, no matter what the GUI says.
As a result, and depending on your previous setup and peers, you may need to manually set frr defaults datacenter and/or no bgp network import-check.
-
-
@mfld do I understand correctly, BGP no longer works after the update to 2.5.0? The BGP sessions are there, but the routes are not propagated....
If yes, I have the same problem with the FRR package. OSPF works as expected.
Also, the FRR package update today didn't change anything.
BR
K
-
Yes that is exactly what I observed. It was a mix of new defaults in line with best practices that come with FRR 7.5 vs the 7.3 you would have been running on pfSense 2.4.5 as well as some bugs that are now in redmine.
If you see your BGP session as "Established" but your prefixes are not being announced, here is a checklist:
- In your environment, are the prefixes to be announced in your local RIB or not? If not, you need to set a flag:
no bgp network import-check
This is sort of exposed in the GUI but currently broken because if you uncheck it in the GUI the new FRR 7.5 default means it is inherently enabled anyway. Thus you need to work with RAW CONFIG for now.
- Do you have any sort of filtering for your announcements? A route map or prefix list? Or do you just go to Services -> FRR BGP and drop the prefixes in there? If so, you will need to enable a policy to satisfy the new default of bgp ebgp-requires-policy.
You could, but probably should not, disable this check with
no bgp ebgp-requires-policy
This is exposed in the GUI and seems to work, but it is not regarded as best practice. Better to create a prefix list with the stuff you want to announce and then attach it to your neighbor(s).
Edit: Since this affects 2.5.0-release and we are no longer using a dev snapshot: There is more detail in this thread I have in the FRR sub-forum
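
The checklist above can be run against a bgpd.conf before upgrading. The following is an added example, not part of any post in this thread and not pfSense or FRR code: it flags eBGP neighbors with no inbound or outbound policy and network statements that depend on import-check. It assumes both checks are on unless explicitly negated, that a route-map, prefix-list, filter-list or distribute-list counts as a policy, and it ignores peer groups and per-address-family scoping; the sample config and the name ANNOUNCE are constructed.

```python
import re

# Constructed sample: the first post's layout with documentation addresses,
# an outbound prefix-list but no inbound policy and no import-check override.
SAMPLE = """\
router bgp 64500
 bgp router-id 192.0.2.1
 neighbor 2001:db8:100::1 remote-as 64501
 neighbor 2001:db8:100::2 remote-as 64500
 address-family ipv6 unicast
  network 2001:db8:13f::/48
  neighbor 2001:db8:100::1 activate
  neighbor 2001:db8:100::1 prefix-list ANNOUNCE out
 exit-address-family
"""

# Assumption: any of these attached to a neighbor counts as a policy.
POLICY = r"(?:route-map|prefix-list|filter-list|distribute-list)"

def audit(conf):
    """Return (check, subject) findings for the two FRR 7.5 defaults in the thread."""
    lines = [l.strip() for l in conf.splitlines()]
    lines = [l for l in lines if l and l[0] not in "#!"]
    local_as = next((l.split()[2] for l in lines if l.startswith("router bgp ")), None)
    findings = []
    if "no bgp ebgp-requires-policy" not in lines:
        for l in lines:
            m = re.fullmatch(r"neighbor (\S+) remote-as (\S+)", l)
            if not m or m.group(2) in (local_as, "internal"):
                continue  # only eBGP sessions are subject to RFC 8212
            for direction in ("in", "out"):
                pat = rf"neighbor {re.escape(m.group(1))} {POLICY} \S+ {direction}"
                if not any(re.fullmatch(pat, x) for x in lines):
                    findings.append(("ebgp-requires-policy", f"{m.group(1)} {direction}"))
    if "no bgp network import-check" not in lines:
        for l in lines:
            m = re.match(r"network (\S+)", l)
            if m:  # announced only if the prefix is also in the local RIB
                findings.append(("import-check", m.group(1)))
    return findings

if __name__ == "__main__":
    for check, subject in audit(SAMPLE):
        print(f"{check}: {subject}")
```

An import-check finding is only a problem when the prefix is not in the local RIB, so compare it against the routing table before adding the override.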