Feature #16278

open

FRR BGP – Missing “maximum-paths” (and multipath-relax) GUI support breaks ECMP for IPsec VTI tunnels with OCI DRG

Added by Anvar Kuchkartaev 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Routing
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

Environment
Item             Value
Appliance        Netgate 4100
pfSense Plus     24.11-RELEASE (latest as of 20 Jun 2025)
FRR package      2.0.2_6
Scenario         Two IPsec VTI tunnels to Oracle Cloud (OCI) DRG, each with its own BGP neighbor (Oracle ASN 31898)
Local ASN        65000
OCI networking   DRG ECMP enabled (flow-based hashing)
Problem Statement

ECMP fails for stateful (TCP) traffic when both VTI tunnels are up.
First TCP attempt almost always times out; second succeeds.
ICMP and UDP work fine.
Single-tunnel operation is flawless.
FreeBSD sysctls (net.inet.ip.multipath*) are automatically enabled when FRR learns two paths, but only one next-hop is installed because the FRR GUI exposes no way to set maximum-paths (and, if needed, bgp bestpath as-path multipath-relax).
Manual CLI changes via vtysh work until the next GUI “Apply,” which overwrites them.
No “Raw Config” injection field is present in the current UI, so there is no persistent workaround.

Experiments & Findings

Two tunnels up (default GUI config):
  show ip route x.x.x.x shows one next-hop.
  TCP first SYN fails (asymmetric return); retry works (hash flips).
One tunnel administratively shutdown:
  All TCP flows succeed.
Stateless floating rules on both vtiX interfaces:
  Improved, but first-attempt TCP failure still present.
Adding maximum-paths 2 via CLI:
  Two next-hops appear; ECMP works; TCP stable.
  Change lost on next GUI Apply/boot.

Business Impact

Unable to use both OCI tunnels concurrently for active-active redundancy / bandwidth aggregation.
Forces us to prefer a single tunnel or deploy an external router in front of pfSense, defeating the appliance’s advertised BGP+IPsec capabilities.

Related (but closed) Issues

#9545 – “Add maximum-paths GUI option for BGP ECMP” → still not implemented.
#10890 and #11116 – Added other BGP options but not maximum-paths.
Community thread confirming gap: https://forum.netgate.com/topic/159714/frr-gui-maximum-paths

All three tickets are closed, yet the core feature remains absent.
Requested Fixes

Expose maximum-paths (and ideally ebgp-multipath, multipath-relax) in the FRR BGP GUI under Advanced.
Optionally add a Raw Config override field (similar to OSPF area raw text) so power-users can persist custom FRR directives.
Update documentation to clarify ECMP prerequisites.

Steps to Reproduce

1. Create two IPsec VTI tunnels to OCI DRG, enable BGP on both.
2. Observe only one best-path installed (show ip route).
3. Run iperf3 -c <OCI_IP> -P 5 -R from on-prem VM → first attempt fails, second succeeds.
4. Add maximum-paths 2 via CLI → two next-hops appear; TCP succeeds consistently.
5. Hit Save / Apply in GUI → directive lost; issue returns.
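The two checks behind steps 2 and 4 (is maximum-paths present in the running config, and how many next-hops does show ip route actually install) and the vtysh sequence from step 4, as an added shell example that is not part of this report or of the pfSense FRR package. It assumes the running-config and show ip route layouts FRR prints through vtysh; the ASNs (65000 local, 31898 OCI) are the ones in the report, while the neighbor addresses, prefixes, interface names and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the issue or the pfSense FRR package. Two checks for the
# symptom described in the report plus the vtysh sequence that installs
# maximum-paths until the next GUI "Apply" overwrites it.
# Assumptions: running-config layout as printed by `vtysh -c 'show running-config'`;
# ASNs 65000 (local) and 31898 (OCI) come from the report; every address,
# interface name, prefix and sample output below is a constructed placeholder.

LOCAL_ASN=65000
PATHS=2

# Return 0 when "maximum-paths N" appears inside "router bgp $LOCAL_ASN" in the
# running-config text passed as $1, 1 otherwise. Any unindented line ("!", "exit",
# another "router ..." stanza) closes the router bgp block.
bgp_multipath_configured() {
    printf '%s\n' "$1" | awk -v asn="$LOCAL_ASN" '
        /^router bgp / { inbgp = ($3 == asn); next }
        /^[^ ]/        { inbgp = 0 }
        inbgp && /^ +maximum-paths +[0-9]+/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the number of next-hops installed for prefix $1 in the `show ip route`
# text $2. FRR prints the first next-hop on the prefix line ("via ...") and any
# further ECMP next-hops on indented continuation lines.
route_nexthop_count() {
    printf '%s\n' "$2" | awk -v pfx="$1" '
        index($0, " " pfx " ") { inpfx = 1; n += (/ via / ? 1 : 0); next }
        inpfx && /^ +\*? +via /  { n++; next }
        { inpfx = 0 }
        END { print n + 0 }'
}

# Emit the vtysh command line that adds maximum-paths and, only when $1 is
# "relax", bgp bestpath as-path multipath-relax (needed only if the two neighbors
# advertise different AS paths). Printed rather than executed so it can be
# reviewed first; pipe it into sh on the appliance to apply it.
multipath_vtysh_cmds() {
    relax=""
    [ "$1" = "relax" ] && relax="-c 'bgp bestpath as-path multipath-relax' "
    printf "vtysh -c 'configure terminal' -c 'router bgp %s' %s-c 'address-family ipv4 unicast' -c 'maximum-paths %s' -c 'exit-address-family' -c 'end'\n" \
        "$LOCAL_ASN" "$relax" "$PATHS"
}

# Constructed running-config as the FRR GUI writes it by default (no maximum-paths).
DEFAULT_CFG='!
router bgp 65000
 neighbor 192.0.2.1 remote-as 31898
 neighbor 198.51.100.1 remote-as 31898
 !
 address-family ipv4 unicast
  network 10.10.0.0/16
 exit-address-family
exit
!'

# The same constructed config after the CLI change the report describes.
ECMP_CFG='!
router bgp 65000
 neighbor 192.0.2.1 remote-as 31898
 neighbor 198.51.100.1 remote-as 31898
 !
 address-family ipv4 unicast
  network 10.10.0.0/16
  maximum-paths 2
 exit-address-family
exit
!'

# Constructed `show ip route 10.20.0.0/16` output: one next-hop (the symptom)
# versus two next-hops (ECMP working).
ROUTE_ONE='B>* 10.20.0.0/16 [20/0] via 192.0.2.1, ipsec1, weight 1, 00:12:41'
ROUTE_TWO='B>* 10.20.0.0/16 [20/0] via 192.0.2.1, ipsec1, weight 1, 00:12:41
  *                      via 198.51.100.1, ipsec2, weight 1, 00:12:41'

main() {
    if bgp_multipath_configured "$DEFAULT_CFG"; then
        echo "default config: maximum-paths present"
    else
        echo "default config: maximum-paths missing; command to apply:"
        multipath_vtysh_cmds
    fi
    echo "next-hops before: $(route_nexthop_count 10.20.0.0/16 "$ROUTE_ONE")"
    echo "next-hops after:  $(route_nexthop_count 10.20.0.0/16 "$ROUTE_TWO")"
}
main
```

On the appliance the two checks would be fed from `vtysh -c 'show running-config'` and `vtysh -c 'show ip route <prefix>'` instead of the constructed strings; running the check after each GUI "Apply" is a quick way to confirm that the directive has been overwritten again, which is exactly the persistence gap the report describes.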

Expected Result

With GUI support for maximum-paths, both equal-cost routes remain installed permanently, allowing FreeBSD multipath hashing to keep flows symmetric and all TCP traffic stable.
