CARP with BGP and private ASN

  • This is a bit foreign to me.

    We are located in a data center.
    We currently have the following:
    Single Ethernet connection from the ISP connected to a switch.
    We have 2 pfSense boxes running BGP.

    We are getting:
    2 Ethernet connections.
    Private ASN from the ISP.
    We will still run the 2 pfSense boxes with CARP.

    So we will connect an Ethernet connection to each pfSense box.
    What else would need to be done for the ASN and BGP?

    Could someone be so kind to point me in the right direction for my research?

  • Each pfSense box will need to be set up to talk to the ISP upstream router. They should have provided you with the IP address, ASN and a password to connect. (The password is optional but I like them.)
    Then it's just a case of entering the information in the web page.
    I'd also be inclined to set a few rules for BGP to limit what routes it will accept and what subnets it will advertise.
    Will you be relaying the routes back into OSPF or are you just going to use a fixed route to the CARP IP?

    I did try this a few years ago on our public ASN, but loading a full Internet routing table didn't sit well with the web front end, so I switched to the BSD Router Project.
    There is a load of very useful and informative documentation on the site which should help you understand how to get it all working.

  • Thank you for answering.

    I drew up a few diagrams to illustrate.

    This is what we are doing today.

    This is what it will look like.
    Removed the images since it got changed.

    I think it's a simple implementation of BGP, but it's new to me, so I am asking.

    If I got this right,
    I would need to load OpenBGP and configure that part, but should it be anything else?
    I know I might be way off on this, but any help would be very appreciated.

  • You should find that setup straightforward. Just pair the primary firewall with the ISP BGP router by adding its IP address, ASN and, if required, the password provided by the ISP.
    You should tie it down so you only advertise your netblock. (Point to note: BGP normally will not advertise less than a full class C and you have a /25, but it's a private ASN so they should have altered the settings on their side to accept less than a /24.)

    For your router ID do not use the CARP address, use the fixed WAN IP. If it all works you should see a load of routes appear within 30 seconds. Make sure your holdtime is the same as the ISP router.

  • Thank you so much for taking the time.

  • Is there any reason why you are using private ASNs?

    We have this week put in a pfSense box connected to two upstream providers via BGP.

  • We don't have our own IP block, so we are using a private ASN from the provider.

  • We tried this last night but were not successful.

    When we activated the secondary WAN, CARP showed it to be the Master, showing the CARP IP.
    So did the primary.
    When we disconnected the primary, no traffic went to the backup.

    Here is a pdf with the output from the BGP status screens on both.

    I would really appreciate if someone could assist here.

  • Just wondering if you ever got this solution working or not.

    We just stood up a pfSense box to replace our Brocade router that connects us to our 1 ISP via BGP.

    I think you have to put in a "neighbor" before your connection to your ISP will work, but I'm not 100% sure.

    Here is my config (IP addresses substituted to hide my real ones):

    # Global settings
    AS 12345                     # our ASN (substituted by the poster)
    fib-update yes               # install BGP-learned routes in the kernel routing table
    holdtime 30                  # seconds; should match the ISP router's holdtime
    listen on                    # local WAN IP to bind to (address removed by the poster)

    # Session to the upstream ISP router
    neighbor {                   # ISP router IP goes after "neighbor" (removed by the poster)
        descr "ISP1"
        remote-as 4321           # ISP's ASN (substituted by the poster)
        softreconfig in yes      # re-run inbound filters without tearing down the session
    }

    # Filters: last matching rule wins, so deny everything, then allow only the ISP peer
    deny from any
    deny to any
    allow from                   # neighbor IP (removed by the poster)
    allow to                     # neighbor IP (removed by the poster)

    P.S. We originally had two ISP connections, two Brocade routers (each cost $20,000!!), and two Sonicwalls in HA mode (cost for 5 year lease on the Sonicwalls was $20,000).
    We only have one ISP connection.
    I replaced the Sonicwalls with two Netgate C2758 pfSense boxes in HA setup for under $4,000.
    Our Brocade routers became obsolete because they can't be upgraded to handle today's full Internet routing table size, so I used an old 1U server with pfSense & OpenBGP to replace them.
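Pulling together the advice from the earlier reply (advertise only your own netblock, router ID on the fixed WAN IP rather than the CARP VIP, holdtime matching the ISP) and the bgpd.conf shape posted above, here is a constructed OpenBGPD configuration for the primary pfSense box; it is an added example, not a config from this thread or from pfSense. Every address and ASN is a placeholder: 64512 is taken from the private ASN range, 64496 stands in for the ISP's ASN, 203.0.113.0/30 and 203.0.113.4/30 are assumed to be the two ISP links, and 198.51.100.0/25 is assumed to be the /25 the ISP routes to you.

```conf
# Constructed example: bgpd.conf for the PRIMARY pfSense box (placeholders throughout).
AS 64512                       # private ASN assigned by the ISP (64512-65534 range)
router-id 203.0.113.2          # fixed WAN IP of THIS box; never use the CARP VIP here
fib-update yes                 # install routes learned from the ISP into the kernel table
holdtime 30                    # must match the holdtime configured on the ISP router
listen on 203.0.113.2          # bind the BGP listener to the real WAN IP, not the VIP

network 198.51.100.0/25        # the only prefix we originate (ISP must accept a /25)

neighbor 203.0.113.1 {         # assumed ISP router IP on the primary link
    descr "ISP1"
    remote-as 64496            # placeholder for the ISP's ASN
    tcp md5sig password "<shared-secret-from-ISP>"   # optional; use it if the ISP offers one
    softreconfig in yes        # re-apply inbound filters without bouncing the session
}

# Filters: last matching rule wins, so deny both directions and then open only what is needed.
deny from any
deny to any
allow from 203.0.113.1                          # accept what the ISP sends us
allow to 203.0.113.1 prefix 198.51.100.0/25     # advertise our /25 and nothing else

# SECONDARY box: same file except for these lines. It has its own WAN IP on the
# second link and its own session; prepending our ASN twice makes the ISP prefer
# the primary's path whenever that session is up, and fall back when it drops.
# router-id 203.0.113.6
# listen on 203.0.113.6
# neighbor 203.0.113.5 { descr "ISP1-backup" remote-as 64496 softreconfig in yes }
# allow from 203.0.113.5
# allow to 203.0.113.5 prefix 198.51.100.0/25 set prepend-self 2
```

With one ISP link per box, CARP on the WAN cannot see the peer's advertisements, which is why both boxes can report Master; inbound failover then has to come from the two BGP sessions themselves, as the prepend on the secondary provides.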