OpenBGPD with CARP
We are in the process of replacing a single Vyatta BGP router with a failover setup using pfSense, CARP, and OpenBGPD. Last night we were working with one of our ISPs and attempted to bring up our BGP sessions. The sessions failed at first because the source IP being used was the one for the physical interface and not the CARP VIP (connection denied). With a bit of reconfiguration to swap IPs, we were able to bring up the sessions and validate that our BGP configuration was at least correct. Our ISP's policy is that they will only allow a single IP to initiate the session, so we're not able to simply allow both routers to have sessions.
My question is if there is a way to force OpenBGPD to talk to our ISP routers using the CARP VIP so that it will work after a failover event?
I did notice that you can specify multiple, specific, "listen on" directives in the config. Originally OpenBGPD was listening on all interfaces. I have since changed that, but won't be able to test it until another session with our ISP support is scheduled. Will having OpenBGPD only listen on the VIP interface be enough to make the traffic originate from that IP?
If the "listen on" directives are not enough, what else can I do to control the source IP for our BGP sessions?
We are running 2.0.2-RELEASE (amd64).
Thank you in advance for any advice.
You must use "set nexthop 22.214.171.124" on your prefixes.
In case of a hardware failure you will lose all your active connections for a couple of seconds (until the slave CARP node takes all feeds from the ISP).
The best scenario is with 2 BGP sessions for every ISP (one for every pfSense box from each ISP... if they allow this).
Be sure that you have stable hardware/pfSense conf... in case of many switches between boxes (master and slave) while you take global tables, some ISPs block connections for a while.
Thanks for the reply.
I do have the nexthop configured appropriately so that it will use the CARP address.
As our ISP won't allow multiple sessions, I'm not able to have 2 at once. The main issue I'm trying to solve is to have all BGP session traffic originate from the VIP and not the physical interface as my ISP is only allowing 1 IP address to initiate the session. If it won't use the VIP, then failover won't be possible.
If the "listen on" doesn't do the trick, then I'll have to find some other way. Maybe a static route will work.
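An added example bgpd.conf (not from any poster in this thread) that puts the directives discussed above into one file: `listen on` limits the accepting socket to the VIP, the `local-address` neighbor option is what sets the source address of the session bgpd initiates, and `set nexthop` on the exported prefix is the item from the first reply. All addresses, AS numbers and the prefix are assumed placeholders.

```conf
# Added example, not the thread's configuration.
# Assumed: 203.0.113.10 = CARP VIP shared by both pfSense boxes,
#          203.0.113.1  = ISP router, AS numbers and prefix are placeholders.
AS 65000
router-id 203.0.113.10

# Accept inbound sessions only on the VIP, never on the physical interface address
listen on 203.0.113.10

# Prefix we originate
network 192.0.2.0/24

group "isp" {
    remote-as 64496

    neighbor 203.0.113.1 {
        descr "isp-primary"
        # Source the session from the VIP so the ISP sees the one permitted address
        local-address 203.0.113.10
    }
}

# Accept the ISP's routes and export our prefix with the VIP as next hop,
# so forwarding follows CARP when the master changes
allow from group "isp"
allow to group "isp" prefix 192.0.2.0/24 set nexthop 203.0.113.10
```

The backup node carries the same file and its session can only come up once CARP promotes it to MASTER; `bgpctl show neighbor 203.0.113.1` (the "Local host" line) or a capture on port 179 confirms which address the session is actually sourced from.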