4. Setup filter for openbgp to specific hosts

Setup filter for openbgp to specific hosts

  • S

    Hi,

    i have several PFsense conencted with IPsec/Gre with MultiWAN on each location two boxes.
    Over the GRE Tunnel i run OpenBGPD to exchange the routes.

    So i can reach both boxes over WAN i created a BGP link between the two PFsense at one location.

    Unfortunatly it happens, that the local connected route get overwritten by an bgp route from the second machine, which lead to a loss of connectivity.

    Does there exist a way of filtering, as described in the manual or does there exist a possibility to define a lower precedence in the gui so the connected route does not get overwritten?

    best regards
    Thomas

    0
  • H

    so basically the static routes get overwritten by bgp ?

    i've never used openbgpd myself … i did use openospf in the past, but have since moved on to the much more feature-rich 'quagga-ospf' todo my dynamic routing.

    what i did find after some googling, you can find below (no clue if the package GUI allows you to insert manual entries to the config)

    Filters:
    But not so fast probably we should setup some filters so that only valid routes
    are accepted by bgpd. This sounds complex but luckily the default
    /etc/bgpd.conf file includes already a good default filter set.

    
# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any prefixlen 8 - 24

# do not accept a default route
deny from any prefix 0.0.0.0/0

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

    For each update message processed by the filter, the filter rules are evaluated
    in sequential order, from first to last. The last matching allow or deny rule
    decides what action is taken.
    The following rule-set allows only prefixes with a prefix length between a /8 and /24.
    Then the rule-set explicitly denies the default route plus other non routeable networks like those defined in RFC 1918.
    The example is using RFC 1918 addresses so it will not correctly work out of the box because of the filters but that's on purpose.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy