ISP providing BGP, not sure how to set up pfSense



  • We have 2 buildings that are 1/4 mile apart, with a 60 GHz wireless link connecting both buildings over the LAN.

    Each building has its own internet connection with public-facing servers, and each building has a /26.
    Each building has its own VLAN routed through layer 3 switches.

    The wireless link is passing tagged and untagged VLAN traffic.

    I am running static routes inside the LAN and can manually reroute outgoing traffic if one internet connection goes offline, but the incoming traffic is offline until the internet connection is back online.

    The ISP has its own managed Cisco routers; they agreed to provide us BGP so that if one internet connection goes offline we can use the other for incoming traffic.

    I have a lot of 1:1 NAT rules on each site. What I don't know is what I need to do to each pfSense box so that it can work correctly.



  • Hi,

    Sounds mostly like our setup; we only added a DMZ network (we have one internal VLAN and a DMZ VLAN over the WLAN bridge):

          ISP-line1                    ISP-line2
            |    |                       |    |        (transfer-networks IPv4/IPv6 fixed)
      gw1-jws1  gw2-jws1           gw1-zws1  gw2-zws2
            |    |                       |    |
          [DMZ ----------------------------- DMZ]      (public static IPv4 / IPv6 networks - here BGP announced)
            |    |                       |    |
      fw1-jws1  fw2-jws1           fw1-zws1  fw2-zws2
            |    |                       |    |        (public NAT for IPv4 servers / public IPv6 networks wanted)
          [LANs JWS1]                  [LANs ZWS8]
    

    On the gw side we use OpenBGPd; on the fw side we use Quagga OSPF.
    I also tried setting up Quagga OSPFd on the gw side to get fully automatic default route settings on the firewalls, but OpenBGPd and Quagga on the same servers would conflict :(

    In http://forum.pfsense.org/index.php/topic,62277.msg336528.html#msg336528 I already helped with an "easy" 2-peer setup.

    BGPd needs a full mesh setup of all peers...

    • So if you have one firewall for each office, each firewall must communicate with both ISP BGP routers and with your opposite firewall, and the config file needs an additional iBGP peer.
    • If you have a setup like ours, then you also need a full mesh between your 4 firewalls, and the config file gets "much more prettier" ... ;)

    If you have no /24 (a single / on each side), then you can't publicly announce your networks, and it would be much easier for you to use OSPF to set the outgoing routes...
    But I don't know if your ISP is willing to offer you OSPF. Cisco/Juniper routers support it, but I don't know if your ISP has a chance to filter incoming OSPF packets like they can with BGP.
    I think they won't accept a route announcement from you for the Google / YouTube network range, for instance ;)
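As an added example, not from the original reply or from the pfSense project: a classic-syntax OpenBGPD bgpd.conf for one of the two firewalls, showing the two eBGP sessions to the ISP routers plus the iBGP session to the opposite firewall, with filters that accept only a default route from the ISP and announce only our own aggregate. ASNs, addresses and the /24 prefix are placeholders, and the syntax is the older announce/filter style used by the pfSense OpenBGPD package of that era; check it against the bgpd.conf(5) manual for the version you actually run.

```conf
# Added example (not from the original reply): classic OpenBGPD bgpd.conf for
# ONE firewall in a two-building setup. ASNs, addresses and the prefix below
# are placeholders; replace them with the values your ISP assigns.

AS 65001                        # our ASN (placeholder; assigned by the ISP)
router-id 192.0.2.1             # this firewall's own address (placeholder)

# The aggregate the ISP agreed to accept from us. As the reply notes, a /26
# will not be accepted for public announcement, so a /24 is assumed here.
network 203.0.113.0/24          # placeholder prefix

# --- eBGP: the two ISP-managed routers (one per building) ---
neighbor 192.0.2.254 {
        descr      "ISP router, building 1"      # placeholder
        remote-as  64500                         # ISP ASN (placeholder)
        announce   self                          # send only what we originate
        max-prefix 10                            # drop the session on a route leak
}
neighbor 198.51.100.254 {
        descr      "ISP router, building 2"      # placeholder
        remote-as  64500
        announce   self
        max-prefix 10
}

# --- iBGP: the opposite firewall across the 60 GHz link ---
# Same ASN as ours, so OpenBGPD treats it as an internal peer; each box then
# learns which ISP session is still up and where the aggregate is reachable.
neighbor 10.0.0.2 {
        descr      "firewall at the other building"   # placeholder
        remote-as  65001
        announce   all
}

# --- Filters: deny everything, then open only what the design needs ---
deny from any
deny to any
# From the ISP accept only a default route; we do not carry a full table.
allow from 192.0.2.254    prefix 0.0.0.0/0
allow from 198.51.100.254 prefix 0.0.0.0/0
# Towards the ISP announce only our aggregate, never anything learned elsewhere.
allow to 192.0.2.254      prefix 203.0.113.0/24
allow to 198.51.100.254   prefix 203.0.113.0/24
# Exchange everything freely with the opposite firewall.
allow from 10.0.0.2
allow to   10.0.0.2
```

The second firewall gets the mirror image: the same AS and network line, its own router-id, and the iBGP neighbor pointing back at this box.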