Setup filter for openbgp to specific hosts

  • Hi,

    I have several pfSense boxes connected with IPsec/GRE, with MultiWAN and two boxes at each location.
    Over the GRE tunnel I run OpenBGPD to exchange the routes.

    So that I can reach both boxes over WAN, I created a BGP link between the two pfSense boxes at one location.

    Unfortunately it happens that the locally connected route gets overwritten by a BGP route from the second machine, which leads to a loss of connectivity.

    Does there exist a way of filtering, as described in the manual, or does there exist a possibility to define a lower precedence in the GUI so the connected route does not get overwritten?

    Best regards

  • So basically the static routes get overwritten by BGP?

    I've never used openbgpd myself … I did use openospf in the past, but have since moved on to the much more feature-rich 'quagga-ospf' to do my dynamic routing.

    What I did find after some googling, you can find below (no clue if the package GUI allows you to insert manual entries into the config):

    But not so fast, probably we should set up some filters so that only valid routes
    are accepted by bgpd. This sounds complex but luckily the default
    /etc/bgpd.conf file already includes a good default filter set.

    # filter out prefixes longer than 24 or shorter than 8 bits
    deny from any
    allow from any prefixlen 8 - 24
    # do not accept a default route
    deny from any prefix
    # filter bogus networks
    deny from any prefix prefixlen >= 8
    deny from any prefix prefixlen >= 12
    deny from any prefix prefixlen >= 16
    deny from any prefix prefixlen >= 16
    deny from any prefix prefixlen >= 24
    deny from any prefix prefixlen >= 4
    deny from any prefix prefixlen >= 4

    For each update message processed by the filter, the filter rules are evaluated
    in sequential order, from first to last. The last matching allow or deny rule
    decides what action is taken.
    The following rule-set allows only prefixes with a prefix length between a /8 and a /24.
    Then the rule-set explicitly denies the default route plus other non-routable networks like those defined in RFC 1918.
    The example is using RFC 1918 addresses so it will not correctly work out of the box because of the filters but that's on purpose.
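    The evaluation order described above (rules walked first to last, last matching allow or deny wins) is easy to get wrong, so here is an added toy evaluator that is not from the thread or from OpenBGPD itself. It models a rule-set in the spirit of the quoted default filter (RFC 1918 prefixes and the default route, as the text names them) plus one extra rule for the question above: refuse the box's own connected LAN when the second box announces it over the iBGP link. All prefixes and peer addresses are constructed samples, and the toy assumes an update matched by no rule is allowed.

```python
from ipaddress import ip_network

def rule(action, neighbor="any", prefix=None, minlen=None, maxlen=None):
    """One bgpd-style filter rule (toy model, not bgpd's parser).
    neighbor: peer address or "any"; prefix: 'prefix X', matched exactly
    unless minlen/maxlen narrow it ('prefixlen 8 - 24', 'prefixlen >= N')."""
    net = ip_network(prefix) if prefix else None
    if net is not None and minlen is None and maxlen is None:
        minlen = maxlen = net.prefixlen   # bare 'prefix X' means exactly X
    return {"action": action, "neighbor": neighbor,
            "prefix": net, "minlen": minlen, "maxlen": maxlen}

def matches(r, neighbor, net):
    """True if rule r applies to prefix net received from neighbor."""
    if r["neighbor"] not in ("any", neighbor):
        return False
    if r["prefix"] is not None and not net.subnet_of(r["prefix"]):
        return False
    if r["minlen"] is not None and net.prefixlen < r["minlen"]:
        return False
    return r["maxlen"] is None or net.prefixlen <= r["maxlen"]

def evaluate(rules, neighbor, prefix):
    """Walk the rules first to last; the LAST matching rule decides.
    Assumption of this toy: an update matched by no rule is allowed."""
    net = ip_network(prefix)
    decision = "allow"
    for r in rules:
        if matches(r, neighbor, net):
            decision = r["action"]
    return decision

# Constructed rule-set. Sample connected LAN: 203.0.113.0/24;
# sample GRE peer address of the second box: 198.51.100.2.
FILTER = [
    rule("deny"),                                   # deny from any
    rule("allow", minlen=8, maxlen=24),             # allow from any prefixlen 8 - 24
    rule("deny", prefix="0.0.0.0/0"),               # do not accept a default route
    rule("deny", prefix="10.0.0.0/8", minlen=8),    # RFC 1918 space ...
    rule("deny", prefix="172.16.0.0/12", minlen=12),
    rule("deny", prefix="192.168.0.0/16", minlen=16),
    # never learn our own connected LAN from the other box on this site
    rule("deny", neighbor="198.51.100.2", prefix="203.0.113.0/24", minlen=24),
]

if __name__ == "__main__":
    for peer, pfx in [("198.51.100.2", "203.0.113.0/24"), ("198.51.100.1", "10.1.2.0/24")]:
        print(peer, pfx, "->", evaluate(FILTER, peer, pfx))
```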
