No route to host even though FRR BGP summary shows route in table.
-
Hi All,
First post so please be kind.
pfsense CE 2.5.0.
I have an issue where I am getting no route to host from the LAN net even though there is a route available via BGP from my peer.
Am I missing something here?
config:
AWS Transit Gateway connected to Pfsense IPsec w/ BGP.
Peer IPs are in 169.254.0.0/16
Local Peer IP is VIP on WAN if.
Allow APIPA traffic Enabled.
Allow bogons.
Allow RFC1918Peers are UP and routes exchanged (Can see them propagated AWS side as well).
LAN Range: 192.168.60.0/24
AWS VPC Range: 10.0.0.0/16no-nat for src lan-net to dst aws-vpc.
frr config:
!
frr defaults traditional
hostname *********
password *********
log syslog
service integrated-vtysh-config
!
router bgp 65000
bgp network import-check
no bgp ebgp-requires-policy
neighbor 169.254.87.45 remote-as 64512
neighbor 169.254.87.45 update-source 169.254.87.46
neighbor 169.254.113.73 remote-as 64512
neighbor 169.254.113.73 update-source 169.254.113.74
!
address-family ipv4 unicast
network 192.168.60.0/24
neighbor 169.254.87.45 activate
neighbor 169.254.113.73 activate
no neighbor 169.254.87.45 send-community
no neighbor 169.254.113.73 send-community
exit-address-family
!
!
line vty
!
endbgp routes;
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0/16 169.254.87.45 100 0 64512 i
*= 169.254.113.73 100 0 64512 i
*> 192.168.60.0/24 0.0.0.0 0 32768 ibgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt
169.254.87.45 4 64512 442 439 0 0 0 01:12:56 2 3
169.254.113.73 4 64512 442 439 0 0 0 01:12:56 2 3Ping:
root: ping -S 169.254.87.46 169.254.87.45
PING 169.254.87.45 (169.254.87.45) from 169.254.87.46: 56 data bytes
64 bytes from 169.254.87.45: icmp_seq=0 ttl=254 time=19.119 ms
64 bytes from 169.254.87.45: icmp_seq=1 ttl=254 time=30.823 msroot: ping -S 192.168.60.1 10.0.4.169
PING 10.0.4.169 (10.0.4.169) from 192.168.60.1: 56 data bytes
ping: sendto: No route to hostroute show:
/root: route show 10.0.4.169
route to: 10.0.4.169
destination: 10.0.0.0
mask: 255.255.0.0
gateway: 169.254.87.45
fib: 0
interface: re1
flags: <UP,GATEWAY,DONE,PROTO1>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0If I have NAT on I just get blackhole as I presume its trying to send the traffic over the default gateway, so assuming no-nat is correct.
I have ruled out AWS security group and acl issues using a static ipsec tunnel.
How can I not have a route when there is clearly one in the route table?
Am I missing something obvious?
Cheers
-
I'm an idiot.
Use VTI instead of a tunnel and it works fine.
Days wasted.
-
@wstocker I have a strange issue where I can propagate routes into AWS and see them in Transit Gateway's route table, however I am getting no routes back from Transit Gateway for Propagated VPC attachments.
Did you use a Virtual IP address or and enable the P2 VTIs as an interface?