Netgate Discussion Forum

    Setup filter for openbgp to specific hosts

    Routing and Multi WAN
    2 Posts 2 Posters 1.8k Views
    stegbth wrote:

      Hi,

      I have several pfSense boxes connected with IPsec/GRE, with Multi-WAN and two boxes at each location.
      Over the GRE tunnel I run OpenBGPD to exchange the routes.

      So that I can reach both boxes over the WAN, I created a BGP link between the two pfSense boxes at one location.

      Unfortunately it happens that the locally connected route gets overwritten by a BGP route from the second machine, which leads to a loss of connectivity.

      Does there exist a way of filtering, as described in the manual, or does there exist a possibility to define a lower precedence in the GUI so the connected route does not get overwritten?

      Best regards
      Thomas

      heper wrote:

        So basically the static routes get overwritten by BGP?

        I've never used OpenBGPD myself … I did use OpenOSPF in the past, but have since moved on to the much more feature-rich 'quagga-ospf' to do my dynamic routing.

        What I did find after some googling you can find below (no clue if the package GUI allows you to insert manual entries into the config):

        Filters:
        But not so fast, probably we should set up some filters so that only valid routes
        are accepted by bgpd. This sounds complex, but luckily the default
        /etc/bgpd.conf file already includes a good default filter set.

        
        # filter out prefixes longer than 24 or shorter than 8 bits
        deny from any
        allow from any prefixlen 8 - 24
        
        # do not accept a default route
        deny from any prefix 0.0.0.0/0
        
        # filter bogus networks
        deny from any prefix 10.0.0.0/8 prefixlen >= 8
        deny from any prefix 172.16.0.0/12 prefixlen >= 12
        deny from any prefix 192.168.0.0/16 prefixlen >= 16
        deny from any prefix 169.254.0.0/16 prefixlen >= 16
        deny from any prefix 192.0.2.0/24 prefixlen >= 24
        deny from any prefix 224.0.0.0/4 prefixlen >= 4
        deny from any prefix 240.0.0.0/4 prefixlen >= 4
        For each update message processed by the filter, the filter rules are evaluated
        in sequential order, from first to last. The last matching allow or deny rule
        decides what action is taken.
        The above rule set allows only prefixes with a prefix length between /8 and /24.
        Then the rule set explicitly denies the default route plus other non-routable networks, like those defined in RFC 1918.
        The example uses RFC 1918 addresses, so it will not work correctly out of the box because of the filters, but that's on purpose.

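The filter set quoted above is evaluated top to bottom with the last matching rule winning, which is exactly what lets you protect a locally connected subnet: put a deny for that prefix, scoped to the neighbor that keeps announcing it, after the general allow. The bgpd.conf fragment below is an added example written for this thread, not configuration from either poster or from the pfSense OpenBGPD package. The AS number, the shared site LAN 198.51.100.0/24 and the GRE/peer addresses 10.255.0.1 and 10.255.0.2 are assumptions chosen for illustration; the handbook's RFC 1918 bogon rules are deliberately left out because on a private IPsec/GRE WAN the site LANs themselves are RFC 1918 space and those rules would discard every route (the handbook text above says as much).

```conf
# Example bgpd.conf for one of the two boxes at a site (added example,
# not from the thread). Assumed, for illustration only:
#   shared site LAN connected to both boxes ... 198.51.100.0/24
#   this box's GRE/tunnel address ............. 10.255.0.1
#   the other box at the same site ............ 10.255.0.2
AS 65001
router-id 10.255.0.1

# announce the connected LAN so the remote sites learn it from us
network 198.51.100.0/24

# the second box at the same site (iBGP, same AS)
neighbor 10.255.0.2 {
        remote-as 65001
        descr     "site-box2"
}

# Rules are evaluated first to last and the LAST match decides, so
# start from a default deny and open up only what is wanted.
deny from any
allow from any prefixlen 8 - 24

# never install a default route learned from any peer
deny from any prefix 0.0.0.0/0

# Protect the locally connected subnet. The peer box announces
# 198.51.100.0/24 too, and that announcement matches the allow rule
# above; this later, more specific rule overrides it and also catches
# any more-specific of the LAN (prefixlen >= 24) from that neighbor.
deny from 10.255.0.2 prefix 198.51.100.0/24 prefixlen >= 24
```

The same last rule belongs on the second box with the neighbor address swapped. After reloading, `bgpctl show rib` should still list the peer's 198.51.100.0/24 announcement as received but not selected, and `bgpctl show fib` should show no BGP route for that prefix in the kernel table. Whether the pfSense package GUI exposes a place to add these filter lines is not something the thread settles; if it does not, they go into the generated bgpd.conf by hand, which is an assumption rather than a documented package feature.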
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.