Netgate Discussion Forum

    OpenBGP package and pfSense firmware updates

    pfSense Packages
      dniesen

      I believe I have created a chicken/egg problem.  We are using OpenBGP on a CARP pair.  We peer with our ISP via BGP to route out to the internet which poses a problem if we are to update the firmware on these firewalls.  My understanding of the process is that when the firmware is updated the packages are reinstalled afterwards.  If OpenBGP is being reinstalled, it will not be able to reach the internet to obtain the package and there does not seem to be a way to manually update the packages.

      Has anybody run into this before?

        cmb

        That's generally not an issue as long as you have a static default route, because your package updates are sourced from the IP nearest the destination, which is your interconnect with your ISP and hence not affected by your BGP. You will need a static default route, but that's generally always desirable anyway, and won't override any routes being fed from your ISP that are more specific.

          dniesen

          I'm confused as to how the static route would be set up.  Here's how I understand the setup:

          WAN - using public /24 from ARIN, example pf01 wan = 1.1.1.2, pf02 wan = 1.1.1.3, carp VIP = 1.1.1.1

          OpenBGP - Listen on/Router IP = 2.2.2.6/30 (IFAlias on above CARP VIP)

          The default gateway provided by the ISP (2.2.2.4) doesn't come through until BGP is up.

          Are you saying I should have a static route to 2.2.2.6/30 (presumably via the VIP of 1.1.1.1) and then set up a default gateway of 2.2.2.4?

          Thanks for your help!  This BGP setup is a first for me so I'm trying to get my head around it.

            cmb

            Where 2.2.2.4/30 is your interconnect to your ISP, 2.2.2.5 would be your gateway (and BGP neighbor), 2.2.2.6 your WAN IP. 2.2.2.6 will be out of your ISP's announced IP space and will be able to access the Internet regardless of whether your BGP session is up. If 1.1.1.0/24 is your public /24, it won't work until you have a BGP session established, but that has no relation to whether your 2.2.2.4/30 interconnect works.

            1 Reply Last reply Reply Quote 0
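The routing behaviour cmb describes in the two replies above, modeled as an added Python example (not part of the original thread and not pfSense code). The package-server address 203.0.113.10 and the BGP-learned prefix 198.51.100.0/24 are constructed, and the return-path rule is a simplification of real Internet routing.

```python
import ipaddress

# Addresses follow the thread; 203.0.113.10 (package server) and
# 198.51.100.0/24 (a BGP-learned specific) are constructed for illustration.
INTERCONNECT = ipaddress.ip_network("2.2.2.4/30")   # link to the ISP
GATEWAY = "2.2.2.5"                                 # ISP side, also the BGP neighbor
PUBLIC_BLOCK = ipaddress.ip_network("1.1.1.0/24")   # our own block, announced via BGP

STATIC = [("0.0.0.0/0", GATEWAY, "static")]
BGP = [("0.0.0.0/0", GATEWAY, "bgp"), ("198.51.100.0/24", GATEWAY, "bgp")]


def routing_table(bgp_up, static_default=True):
    """Static routes are always installed; BGP routes only while the session is up."""
    return (STATIC if static_default else []) + (BGP if bgp_up else [])


def lookup(dest, bgp_up, static_default=True):
    """Longest-prefix match; on equal length the static route (listed first) wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routing_table(bgp_up, static_default)
               if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def return_path_ok(source, bgp_up):
    """Replies reach the interconnect /30 always (it is in the ISP's announced
    space); they reach the public /24 only while we announce it over BGP."""
    src = ipaddress.ip_address(source)
    if src in INTERCONNECT:
        return True
    return src in PUBLIC_BLOCK and bgp_up


def can_fetch(source, dest, bgp_up, static_default=True):
    """A package fetch needs a forward route and a working return path."""
    forward = lookup(dest, bgp_up, static_default) is not None
    return forward and return_path_ok(source, bgp_up)


if __name__ == "__main__":
    for bgp_up in (False, True):
        for src in ("2.2.2.6", "1.1.1.2"):
            print(bgp_up, src, can_fetch(src, "203.0.113.10", bgp_up))
```
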
              dniesen

              That makes a lot of sense.  The last piece I'm struggling with is that I cannot add a gateway to 2.2.2.5 (the BGP neighbor) in the web GUI so I'm wondering if I maybe did my configuration goofy.

              On the WAN interface I have the public /24 set up with a CARP VIP and then an IP Alias that assigns the 2.2.2.6 (BGP peer) address on top of the CARP VIP.

              Did I do this backwards and maybe I should have assigned the 2.2.2.6 to the WAN interface, created a CARP VIP on that and then created IP aliases for the /24 on top of that CARP VIP?
