Setup filter for openbgp to specific hosts
stegbth last edited by
I have several pfSense boxes connected with IPsec/GRE, with MultiWAN and two boxes at each location.
Over the GRE tunnel I run OpenBGPD to exchange the routes.
So that I can reach both boxes over WAN, I created a BGP link between the two pfSense boxes at one location.
Unfortunately it happens that the locally connected route gets overwritten by a BGP route from the second machine, which leads to a loss of connectivity.
Does there exist a way of filtering, as described in the manual, or is there a possibility to define a lower precedence in the GUI so the connected route does not get overwritten?
heper last edited by
So basically the static routes get overwritten by BGP?
I've never used OpenBGPD myself. I did use OpenOSPF in the past, but have since moved on to the much more feature-rich 'quagga-ospf' to do my dynamic routing.
What I did find after some googling you can find below (no clue if the package GUI allows you to insert manual entries into the config):
But not so fast: probably we should set up some filters so that only valid routes
are accepted by bgpd. This sounds complex, but luckily the default
/etc/bgpd.conf file already includes a good default filter set.
```
# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any prefixlen 8 - 24

# do not accept a default route
deny from any prefix 0.0.0.0/0

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
```
For each update message processed by the filter, the filter rules are evaluated
in sequential order, from first to last. The last matching allow or deny rule
decides what action is taken.
The rule-set above allows only prefixes with a prefix length between /8 and /24.
Then the rule-set explicitly denies the default route plus other non-routeable networks like those defined in RFC 1918.
The example is using RFC 1918 addresses, so it will not correctly work out of the box because of the filters, but that's on purpose.
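The "last matching rule wins" evaluation quoted above is easy to get wrong by hand, and it is exactly what decides whether the second box's BGP route for a locally connected network is accepted. The following is an added example (editor's code, not from the thread, the pfSense package or OpenBGPD): a small Python model of the quoted rule subset that parses the default filter set, evaluates it with last-match semantics, and then appends a constructed guard rule that denies a hypothetical locally connected prefix (198.51.100.0/24, chosen from the documentation range; substitute the real connected network). The `DEFAULT_ACTION` used when no rule matches is an assumption; in the quoted set the first `deny from any` matches everything, so it never applies there.

```python
import re
import ipaddress

# Assumed default when no rule matches (never reached with the quoted set,
# whose first rule "deny from any" matches every prefix).
DEFAULT_ACTION = "deny"

# Supported subset of the bgpd.conf filter grammar used in the quoted example:
#   allow|deny from any [prefix A.B.C.D/n] [prefixlen OP n | prefixlen n - m]
RULE_RE = re.compile(
    r"^(allow|deny)\s+from\s+any"
    r"(?:\s+prefix\s+(\S+))?"
    r"(?:\s+prefixlen\s+(?:(>=|<=|=|>|<)\s*(\d+)|(\d+)\s*-\s*(\d+)))?\s*$"
)

# The quoted default filter set, reproduced as constructed sample input.
DEFAULT_FILTER = """
deny from any
allow from any prefixlen 8 - 24
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
"""

# Hypothetical guard: reject any announcement of (or more specific than) a
# network this box has directly connected, so a peer cannot override it.
LOCAL_GUARD = "deny from any prefix 198.51.100.0/24 prefixlen >= 24\n"


def parse_rules(text):
    """Parse filter rules into (action, prefix|None, (lo, hi)|None) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        action, prefix, op, n, lo, hi = m.groups()
        prefix = ipaddress.ip_network(prefix, strict=True) if prefix else None
        if lo is not None:                          # prefixlen 8 - 24
            plen = (int(lo), int(hi))
        elif op is not None:                        # prefixlen >= 8, = 24, ...
            n = int(n)
            plen = {">=": (n, 32), "<=": (0, n), "=": (n, n),
                    ">": (n + 1, 32), "<": (0, n - 1)}[op]
        else:
            plen = None
        rules.append((action, prefix, plen))
    return rules


def rule_matches(rule, net):
    """'prefix X' alone is an exact match; with a prefixlen it also covers more-specifics."""
    _, prefix, plen = rule
    if prefix is not None:
        if plen is None:
            return net == prefix
        if not net.subnet_of(prefix):
            return False
    if plen is not None and not (plen[0] <= net.prefixlen <= plen[1]):
        return False
    return True


def evaluate(rules, net):
    """Sequential evaluation: the last matching allow/deny decides."""
    decision = DEFAULT_ACTION
    for rule in rules:
        if rule_matches(rule, net):
            decision = rule[0]
    return decision


def decide_all(config, prefixes):
    """Map each announced prefix to the filter's decision under `config`."""
    rules = parse_rules(config)
    return {p: evaluate(rules, ipaddress.ip_network(p)) for p in prefixes}


if __name__ == "__main__":
    announced = ["0.0.0.0/0", "8.8.8.0/24", "8.8.8.0/25", "10.1.0.0/16",
                 "224.0.0.0/4", "198.51.100.0/24", "198.51.100.128/25"]
    for name, cfg in (("default", DEFAULT_FILTER),
                      ("default + local guard", DEFAULT_FILTER + LOCAL_GUARD)):
        print(name)
        for p, d in decide_all(cfg, announced).items():
            print(f"  {p:20} {d}")
```

Run as a script, the model shows that the unmodified default set accepts 198.51.100.0/24 from a peer (it is a legitimate /24 and not in the bogon list), which is the situation described in the question; only with the guard rule appended is that prefix, and anything more specific than it, rejected. The same per-session check can be expressed in bgpd.conf with `deny from <neighbor> prefix ... prefixlen >= n` on the link between the two local boxes, so the peer's copy of a connected network never reaches the routing table.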