Idea: Support for virtualized routing table / VRF support

rufer · Dec 3, 2011, 1:15 PM

Idea: it would be nice to introduce support for OpenBSD virtualized routing table, thus to have the option of more than one routing domain. Or in Cisco words, make PFsense VRF aware. This could be useful for isolated networks and/or different clients.

All should be there in OpenBSD, here's an example:
http://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Thanks for all the development on PFsense, I like it a lot.

Greetings
Rufer

jimp · Dec 8, 2011, 4:43 PM

FreeBSD already has multiple routing tables with setfib(1). We don't have it in the GUI though, as there isn't really a compelling reason to use it in many cases as it tends to overcomplicate things and make them more confusing.

I've used it to run jails with a different default gateway than the main host, but that's about the only case I've seen where it made much sense.

rufer · Dec 8, 2011, 9:05 PM

I very much agree this should be optional.
May be a networkers thing… I wanted to create two separate internal networks with different 0.0.0.0 route. Two independent VRFs in Cisco terms.

Greetings
Rufer

jimp · Dec 8, 2011, 9:09 PM

Why not just use policy routing to do that, like any other multi-wan setup?

Interface rules for Net1:
pass from Net1 to other internal/vpn networks (no gateway set – will follow routing table)
pass from Net1 to *, gateway of whatever default Net1 should have

Interface rules for Net2:
pass from Net2 to other internal/vpn networks (no gateway set -- will follow routing table)
pass from Net2 to *, gateway of whatever default Net2 should have

No need for anything extra

rufer · Dec 8, 2011, 10:01 PM

It is possible, yes. On the other hand, policy routing tends to get complicated, too.
VRF support would make a difference to other products. It's just an idea and everything is there.

Greetings
Rufer

FreddyAV · Dec 20, 2011, 7:56 AM

Would this also solve/be a way of implementing a remedy to the "Multiple WAN with same gateway"-issue? See, e.g. http://forum.pfsense.org/index.php/topic,44059.0.html. This http://forum.pfsense.org/index.php/topic,10069.0.html old post seems to indicate that there at least was some interest in that issue…

Cheers!

rufer · Dec 20, 2011, 5:46 PM

It permits this - depending on how it is implemented.

Virtualized routing table support (aka VRF support) will permit two independent WAN interfaces, each with its own default route. That's relatively easy to implement in my opinion.
If you want one single LAN behind, you need to route/NAT packets between different routing tables. As far as I read the documentation, PF supports routing between different routing tables, but I'm not sure about NAT.

Greetings
Rufer

jimp · Dec 20, 2011, 5:47 PM

For that it's better to use ECMP, though from what Ermal said, using pf for state tracking on ECMP links isn't ideal (yet?).

FreddyAV · Dec 20, 2011, 10:20 PM

Uhmmm .. just to see if I understand, equal cost multipath routing was implemented in FreeBSD 8 but is not in pfSense, right? You meant that it would be better to implement a solution to what has been mentioned in this thread by implementing support for ECMP rather than using e.g. setfib(), right?

Cheers!

jimp · Dec 21, 2011, 12:06 AM

AFAIK setfib does multiple routing tables, it doesn't do multiple arp tables. You still can't have the same IP+MAC on two interfaces with multiple routing tables unless they can also separate based on interface.

ECMP lets you talk to the same destination via multiple paths, which is better for that scenario.