Feature #14633
Cleanup states on dynamic routing changes
Status: open
Done: 0%
Description
Currently, with FRR, dynamic routing changes do not clean up old firewall states, causing traffic to flow incorrectly after new routes have converged. For a dynamic routing protocol to work with a firewall, the states have to be purged when the route changes.
Updated by Jim Pingle over 1 year ago
- Project changed from pfSense Plus to pfSense Packages
- Category changed from Routing to FRR
- Release Notes deleted (Default)
This is specific to FRR, so I moved it to the FRR package.
Base system routing changes of this nature are already covered by the open feature request at #855
Updated by Jim Pingle over 1 year ago
The scripting hook described at https://docs.frrouting.org/en/latest/scripting.html seems promising. If nothing else it would be fairly easy to add support in FRR to set a path to a script and let the user supply their own Lua script to determine what happens as a half-measure.
Naturally, having our own script to check for routes and kill states on certain routing changes would be a more complete solution.
At the moment the FreeBSD port does not appear to build FRR with --enable-scripting and there is no option to enable it in the port, so that would need to be addressed first.
Updated by Christopher de Haas about 1 year ago
Any update on this? Without cleaning up states on route changes, routing-based redundancy is impossible to implement. I would argue any kind of dynamic routing is impossible when also running a stateful firewall without this feature.
Updated by Henniee Walterson 11 months ago
Jim Pingle wrote in #note-2:
At the moment the FreeBSD port does not appear to build FRR with --enable-scripting and there is no option to enable it in the port, so that would need to be addressed first.
I opened the request here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276534
Like this Lua thing.
Updated by Azamat Khakimyanov 6 months ago
Tested on latest 24.08-DEVELOPMENT (built on Fri Jul 5 6:00:00 UTC 2024)
I deployed two pfSense firewalls, created Routed IPsec between them, added VIPs on Localhost on both, and created eBGP between them.
Then I added the internal subnets of each pfSense to eBGP, so in the route tables on both firewalls I saw the internal subnets of each firewall reachable via the IPsec tunnel.
And Marcos was right: with the default 'Firewall State Policy: Interface Bound States', if I rebooted a pfSense with an endless ping running on a local host, I saw that when the firewall booted up (but while BGP was still not active) traffic was forwarded via the default gateway (WAN), but as soon as BGP went UP and the routes appeared in the route table, traffic was correctly forwarded via IPsec.
BUT with 'Firewall State Policy: Floating States' that does not happen. Even when BGP is UP and the routes are in the route table, traffic continues to be forwarded via the default gateway. Only when I deleted the states created on WAN did traffic start to go via IPsec (as it should, according to the route table).