Bug #11836


Added by Gavin Owen about 2 months ago. Updated about 2 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


Adding entries to the ACCEPTFILTER prefix-list creates erratic behavior within the FRR running configuration.

Have a look at my notes in "show running-configuration output.txt" and you'll see the configuration is constantly changing.
Leave it for hours and it'll still keep cycling.
This makes the FRR process unstable and leads to routes sporadically going inactive (which were not inactive beforehand). Example:  show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

K>* [0/0] via, em0, 04:20:57
K * [0/0] via inactive, 04:20:57
C>* [0/1] is directly connected, ovpns1, 04:20:57
O [110/20] via, ovpns2 inactive onlink, weight 1, 04:20:36       ### should not be inactive!!! VPN users behind firewall2
C>* [0/1] is directly connected, ovpns2, 04:20:57
C>* [0/1] is directly connected, ovpns3, 04:20:57
C>* [0/1] is directly connected, em0, 04:20:57
C>* [0/1] is directly connected, em2, 04:20:57
O [110/4] is directly connected, em1 inactive, weight 1, 04:20:57          ## this is fine - LAN of firewall1
C>* [0/1] is directly connected, em1, 04:20:57
O [110/8004] via, ovpns2 inactive onlink, weight 1, 04:20:37    ## should not be inactive!! LAN of firewall2
C>* [0/1] is directly connected, em3, 04:20:57

The topology diagram for this lab is logged in [[]].

I'm using the exact same topology as that for this issue, but enabling the options that trigger this ACCEPTFILTER problem.

In my production environment I have the same basic topology (simplified for fault analysis), but I also have downstream OSPF routers behind "firewall1" LAN.
I thus generate a default route on firewall1 and flood that out the LAN.
Over on my "firewall2" - that has its own default route being an Internet fireall, and it doesn't need firewall1's default. So, I use the option #2 above of filtering in the global settings - see screenshot "FRR Global ACCEPTFILTER.png".

This all seemed to work on older versions of pfSense such as 2.4.5p1, so looks to be a regression (feel free to confirm but don't have a non-production 2.4.5p1 lab setup anymore).

The combination of enabling both of these filtering methods at the same time (interface "Accept Filter" and global configuration "Routes: Do Not Accept") is pretty catastrophic - for me the vtysh locks up completely. Even trying the new option "Force Service Restart" will not allow FRR to run. The only fix then is to reboot the whole pfSense node, and then undo those settings - followed by another reboot for good measure.

This may account for some of the horror stories told to me on the pfsense subreddit, from OSPF users upgrading into the 2.5.x releases (issue #11835 was occuring in earlier releases).

show running-configuration output.txt (8.57 KB) show running-configuration output.txt Gavin Owen, 04/22/2021 06:22 AM
FRR OSPF Interface ACCEPTFILTER.png (96.7 KB) FRR OSPF Interface ACCEPTFILTER.png Gavin Owen, 04/22/2021 06:28 AM
FRR Global ACCEPTFILTER.png (173 KB) FRR Global ACCEPTFILTER.png Gavin Owen, 04/22/2021 06:28 AM


#1 Updated by Jim Pingle about 2 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Routing to FRR
  • Release Notes deleted (Default)

Also available in: Atom PDF