Bug #15749

closed

BGP advertising all routes and ignoring networks statements.

Added by Mike Moore 3 months ago. Updated about 1 month ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
FRR
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
24.03
Affected Architecture:

Description

BGP is advertising ALL routes and does not respect the 'network x.x.x.x' statement within the configuration.
How this should work is that only the networks outlined in the network statement(s) are what will be announced to peers. Attaching a route-map, which is mandatory, to the neighbors is required to advertise routes. Although the route-map is set to advertise everything, in reality the network statement should control what's sent.
This is not how it should be, of course.

sh running-config
Building configuration...

Current configuration:
!
frr version 9.1.1
frr defaults traditional
hostname GAFW-EDGE-FW.networkingtitan.com
log syslog
service password-encryption
service integrated-vtysh-config
!
password 8 p/85eaP85E10o
password 8 0cclW5b6o4m1k
password 8 VF9.M3ICoAu96
password 8 Mx6/XsBveHcB2
!
ip router-id 192.168.50.254
!
router bgp 65001
 bgp router-id 192.168.50.254
 bgp log-neighbor-changes
 bgp default local-preference 400
 bgp graceful-restart preserve-fw-state
 bgp bestpath as-path multipath-relax as-set
 bgp bestpath compare-routerid
 no bgp network import-check
 neighbor 10.6.106.2 remote-as 65520
 neighbor 10.6.106.2 description 790CCV
 neighbor 10.6.106.2 bfd
 neighbor 172.28.0.5 remote-as 65002
 neighbor 172.28.0.5 description k85enterprise
 neighbor 172.28.0.5 bfd
 !
 address-family ipv4 unicast
  network 172.26.0.0/24
  network 172.27.0.0/24
  network 192.168.3.0/24
  network 192.168.50.0/24
  neighbor 10.6.106.2 soft-reconfiguration inbound
  neighbor 10.6.106.2 route-map Access-All in
  neighbor 10.6.106.2 route-map Access-All out
  neighbor 172.28.0.5 soft-reconfiguration inbound
  neighbor 172.28.0.5 route-map Access-All in
  neighbor 172.28.0.5 route-map Access-All out
 exit-address-family
exit
!
route-map Access-All permit 100
 description Match any route
exit
!
end
Actions #1

Updated by Mike Moore 3 months ago

This is actually an issue with how FRR is presenting the announcements of routes.
It is showing that I am sending 19 routes, which is... true... BUT... it's routes that are advertised from the neighbor to the firewall, and the firewall advertises them back out. Because AS-Path is the native loop prevention of BGP this doesn't cause any issues, albeit I can see it causing quite a problem if as-override is implemented and not tightly controlled.
In my opinion, FRR is not doing any sanity checking when advertising routes back out to a peer that it received the route from - Split Horizon....

IPv4 Unicast Summary (VRF default):
BGP router identifier 192.168.50.254, local AS number 65001 vrf-id 0
BGP table version 366
RIB entries 37, using 3552 bytes of memory
Peers 2, using 26 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.6.106.2      4      65520      1057      1116      366    0    0 08:43:21            2       19 790CCV
172.28.0.5      4      65002      1136      1094      366    0    0 08:43:20           13       19 k85enterprise

Actions #2

Updated by yon Liu 2 months ago

There is an option no bgp network import-check. When you do not add this option parameter, it will check the local network and the IP prefixes transmitted downstream.
You should use prefix lists and a route-map to control and filter.

Actions #3

Updated by Alhusein Zawi about 2 months ago

Only listed networks (in Network Distribution) were advertised in my lab.

Please provide more details about your network/configurations.

Actions #4

Updated by Mike Moore about 2 months ago

Here is a setup that I have.
Device: SG-1100
Software: 24.03-RELEASE
Networks local to SG-1100: 192.168.70.0/24, 172.26.1.0/24

show ip bgp summary

IPv4 Unicast Summary (VRF default):
BGP router identifier 192.168.70.254, local AS number 65520 vrf-id 0
BGP table version 11
RIB entries 17, using 1632 bytes of memory
Peers 1, using 13 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.6.106.1      4      65001      1231      1234       11    0    0 20:12:29            7        9 N/A

As you can see, the output shows that PfxSnt is 9: 9 routes are being sent.

nyc-fw1-inet.moore.lan# show ip bgp neighbors 10.6.106.1 advertised-routes
BGP table version is 11, local router ID is 192.168.70.254, vrf id 0
Default local pref 100, local AS 65520
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

    Network          Next Hop            Metric LocPrf Weight Path
 *> 172.26.0.0/24    0.0.0.0                                0 65001 i
 *> 172.26.1.0/24    0.0.0.0                  0         32768 i
 *> 172.27.0.0/24    0.0.0.0                                0 65001 i
 *> 192.168.2.0/30   0.0.0.0                                0 65001 i
 *> 192.168.3.0/24   0.0.0.0                                0 65001 i
 *> 192.168.6.0/24   0.0.0.0                                0 65001 i
 *> 192.168.17.0/30  0.0.0.0                                0 65001 i
 *> 192.168.50.0/24  0.0.0.0                                0 65001 i
 *> 192.168.70.0/24  0.0.0.0                  0         32768 i

PROBLEM: As part of the advertisement, the SG-1100 is re-advertising routes that it learned from its peer. The way BGP works is that the receiving peer will reject the routes on seeing its own AS-PATH in the advertisements.

TO REPRODUCE:
1. Two pfSense firewalls connected to each other, each in their own ASN, each with local networks being advertised to each peer.
2. On the remote peer, observe what routes are being advertised. They will be routes received from the neighbor, which is the problem.

Actions #5

Updated by Alhusein Zawi about 1 month ago

Are the following enabled on the 65520 peer?
redistribute connected
redistribute static
redistribute kernel

What does the routing table show if BGP is disabled?

Actions #6

Updated by Mike Moore about 1 month ago

I am not redistributing connected/local/kernel.

I would assume the route table would only contain directly connected routes if BGP was disabled. I'm not clear what the question has to do with how the BGP advertisements are being advertised. Can you explain what you are looking for?

Actions #7

Updated by Chris Linstruth about 1 month ago

BGP is advertising ALL routes and does not respect the 'network x.x.x.x' statement within the configuration.
How this should work is that only the networks outlined in the network statement(s) are what will be announced to peers. Attaching a route-map, which is mandatory, to the neighbors is required to advertise routes. Although the route-map is set to advertise everything, in reality the network statement should control what's sent.

This is incorrect. The network statement has nothing to do with what eBGP routes are sent to other eBGP peers.

This site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum.

Actions #8

Updated by Mike Moore about 1 month ago

Jesus Christ…you didn’t read the redmine…
Ehhh…alright man.
I’ll follow up Glen Shok.
Incredible….

Actions #9

Updated by Marcos M about 1 month ago

  • Description updated (diff)

Actions #10

Updated by Marcos M about 1 month ago

  • Status changed from New to Not a Bug

I don't believe there is a bug, at least not with pfSense or the GUI package. The stated behavior looks to be intentional - I see the same between two VMs. Adding filtering to avoid the issue worked in my testing and seems like an acceptable solution.
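As an added example (not code from this ticket, pfSense or FRR), the following Python script audits an FRR running-config for eBGP neighbors whose outbound route-map has a permit entry with no match clause, which is what lets every learned route flow back out as described in #1 and #4, and emits the prefix-list filter that #2 and #10 recommend. The SAMPLE_CONFIG and the LOCAL-ONLY names are constructed for the example.

```python
import re
# Constructed sample config mirroring the ticket's shape: permit-all route-map, no prefix filter.
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor 10.6.106.2 remote-as 65520
 neighbor 172.28.0.5 remote-as 65002
 address-family ipv4 unicast
  network 172.26.0.0/24
  network 192.168.50.0/24
  neighbor 10.6.106.2 route-map Access-All out
  neighbor 172.28.0.5 route-map Access-All out
route-map Access-All permit 100
 description Match any route
exit
"""

def parse_frr(text):
    """Return (network statements, {neighbor: outbound route-map}, {route-map: [[action, has_match]]})."""
    networks, outbound, rmaps, current = [], {}, {}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.fullmatch(r"network (\S+)", s):
            networks.append(m.group(1))
        elif m := re.fullmatch(r"neighbor (\S+) route-map (\S+) out", s):
            outbound[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"route-map (\S+) (permit|deny) \d+", s):
            current = m.group(1)
            rmaps.setdefault(current, []).append([m.group(2), False])
        elif current and s.startswith("match "):
            rmaps[current][-1][1] = True  # this entry actually filters on something
        elif s == "exit":
            current = None
    return networks, outbound, rmaps

def permit_all(entries):
    """True if any permit entry has no match clause, i.e. every route passes."""
    return any(act == "permit" and not matched for act, matched in entries)

def audit(text):
    """Neighbors whose outbound route-map would re-advertise every learned route."""
    _, outbound, rmaps = parse_frr(text)
    return sorted(n for n, rm in outbound.items() if permit_all(rmaps.get(rm, [])))

def suggested_fix(text, name="LOCAL-ONLY"):
    """Prefix-list and route-map (hypothetical names) announcing only the network statements."""
    networks, _, _ = parse_frr(text)
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} permit {p}" for i, p in enumerate(networks)]
    lines += [f"route-map {name}-OUT permit 10", f" match ip address prefix-list {name}", "exit"]
    return "\n".join(lines)
```

Running audit() on the real running-config from the description flags both neighbors for the same reason; applying the emitted route-map with "neighbor X route-map LOCAL-ONLY-OUT out" limits announcements to the network statements.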
