pfSense

In pfSense CE 2.8.0 (FreeBSD 15), ECMP (Equal-Cost Multi-Path Routing) support is advertised as active, and per Redmine ticket #9545, it has been confirmed by Netgate staff that ECMP with 5-tuple flow hashing is functional in both pfSense Plus (23.05.1+) and CE (2.7.0+), provided traffic includes multiple distinct flows.

However, during our review and validation of ECMP behavior in pfSense CE 2.8.0, we observed that the net.route.hash_outbound tunable remains at 0, even when explicitly passed at boot time using /boot/loader.conf.local or entered manually at the loader prompt. The tunable appears in kenv, confirming it is accepted by the loader, but the kernel does not reflect this at runtime.

Key Points:

net.route.multipath=1 confirms multipath support is enabled in the kernel.

net.route.hash_outbound="1" is accepted by the loader (visible in kenv).

sysctl net.route.hash_outbound always returns 0, regardless of loader settings.

Based on ticket #9545, ECMP hashing is presumed to be active by default in the kernel, but this is not clearly documented or reflected in the sysctl behavior.

Request:

We respectfully request clarification on the following:

Is net.route.hash_outbound still used in pfSense CE 2.8.0, or is it now obsolete or ignored by the kernel?

If ECMP flow hashing is now always active by default (as implied in ticket #9545), should this tunable be updated, removed, or documented accordingly?

Can the documentation or GUI be updated to clarify current ECMP flow hashing behavior and runtime observability?

If hashing is enabled by default, should the sysctl reflect that (i.e., return 1)?

We believe a clear answer will help administrators accurately verify ECMP deployment status and avoid confusion when tuning systems for IPsec multi-tunnel aggregation or BGP-based multipath routing.
Environment:

pfSense CE 2.8.0-RELEASE

FreeBSD 15 (Netgate kernel)

Dual IPsec tunnel with BGP route injection

FRR package configured via GUI