pfSense » pfSense Packages

The scripting hook described at https://docs.frrouting.org/en/latest/scripting.html seems promising. If nothing else it would be fairly easy to add support in FRR to set a path to a script and let the user supply their own LUA script to determine what happens as a half-measure.

Naturally, having our own script to check for routes and kill states on certain routing changes would be a more complete solution.

At the moment the FreeBSD port does not appear to build FRR with --enable-scripting and there is no option to enable it in the port, so that would need to be addressed first.

Any update on this? Without cleanup up states on route changes, routing based redundancy is impossible to implement. I would argue any kind of dynamic routing is impossible when also running a stateful firewall without this feature.

Jim Pingle wrote in #note-2:

At the moment the FreeBSD port does not appear to build FRR with --enable-scripting and there is no option to enable it in the port, so that would need to be addressed first.

I opened the request here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276534
Like this Lua things..

Tested on latest 24.08-DEVELOPMENT (built on Fri Jul 5 6:00:00 UTC 2024)

I deployed 2 pfSenses, created Routed IPsec between them, added VIPs on LocalHost on both pfSenses and created eBGP between them.
Then I added internal subnets of each pfSense to eBGP so in route tables on both firewall I saw internal subnets of each firewall reachable via IPsec tunnel.

And Marcos was right, with default 'Firewall State Policy: Interface Bound States' if I reboot pfSense with endless ping running on local host, I saw that when firewall booted up (but while BGP was still not active) traffic was forwarded via default gateway (WAN) but as soon as BGP went UP and routes occurred in route table, traffic was correctly forwarded via IPsec.

BUT if 'Firewall State Policy: Floating States' it's not happening. Even when BGP is UP and routes are in route table, traffic continued being forwarded via default gateway. And only when I deleted states created on WAN, traffic started to go via IPsec (as it should, according to route table).