Messages

In that new P1 PL you have a prefix entry per line. Totally 3 prefixes in one and same PL. If you take this PL in this exact format and put it into RP still same issue observed?

I have tested this 2 ways

1) adding all the 3 P1 PL into the RouteMap
2) adding only 1 of the 3 P1 PL into the RouteMap

Both ways it works as expected, only shows routes permitted in the PL.

Code Select Expand

Routing table for VRF=0
B       10.10.11.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:05, [1/0]
C       192.168.3.0/24 is directly connected, port1
B       192.168.30.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:05, [1/0]
C       192.168.40.0/24 is directly connected, port2
C       192.168.50.0/24 is directly connected, port3

Seems like some issue between Prefix-Lists and RouteMaps..

Found this to work [https://forum.opnsense.org/index.php?topic=28414.0]

If all permitted and denied routes are named the same Prefix-List then added as a prefix-List in Outbound, it works as expected..

As can be seen below, I have all 3 prefix-lists all with same name p1, which are then added to the neighbours as below..





In the prefix-list I have permitted 192.168.30.0/24 and 10.10.11.0/24, and denied 10.10.12.0/24.

The rouring table in Fortigate shows permitted networks only.

Code Select Expand

Routing table for VRF=0
B       10.10.11.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:01:52, [1/0]
C       192.168.3.0/24 is directly connected, port1
B       192.168.30.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:01:52, [1/0]
C       192.168.40.0/24 is directly connected, port2
C       192.168.50.0/24 is directly connected, port3

[VMware workstation Setup.]

VMware workstation Setup.

With No RouteMap added to neighbours all routes are advertised.

Code Select Expand


Routing table for VRF=0
B       10.10.11.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:00, [1/0]
B       10.10.12.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:00, [1/0]
B       10.10.13.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:00, [1/0]
C       192.168.3.0/24 is directly connected, port1
B       192.168.30.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:00, [1/0]
B       192.168.35.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:00, [1/0]
C       192.168.40.0/24 is directly connected, port2
C       192.168.50.0/24 is directly connected, port3


With 1 Prefix-List which has only 1 network (10.10.11.0/24) in it, advertises fine.

Code Select Expand

Routing table for VRF=0
B       10.10.11.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:15, [1/0]
C       192.168.3.0/24 is directly connected, port1
C       192.168.40.0/24 is directly connected, port2
C       192.168.50.0/24 is directly connected, port3


With 1 Prefix-List with 2 networks in it (10.10.11.0/24, 192.168.35.0/24), only 1 network is advertised.

Code Select Expand

Routing table for VRF=0
C       192.168.3.0/24 is directly connected, port1
B       192.168.35.0/24 [20/1] via 192.168.3.151 (recursive is directly connected, port1), 00:00:20, [1/0]
C       192.168.40.0/24 is directly connected, port2
C       192.168.50.0/24 is directly connected, port3





I have rearranged the networks in the prefix-list, it has no significance which is added 1st only 192.168.35.0/24 get advertised.

Thanks,

I have checked, the routes not advertising are in the routing table in OPNSense.

I created a new setup in VMware workstation, and it had the same behaviour, once a RouteMap is added with 2 or more prefix list 1 route in Fortigate.

[10.21.30.0, and 10.21.45.0]

Hi,

I'm facing an issue where the Prefix List I have set for BGP is only advertising 1 route from each Prefix list, I have 2 Prefix List with 2 routes in each list, and each list is added to a Route Map. I'm sure I'm not configuring as it should be, just not able to figure out what is it.

I have setup my Prefix List as follows



And RouteMaps are configured as follows





The Fortigate firewall routes from OPNSense received are as below, routes not being advertised are 10.21.30.0, and 10.21.45.0.

Code Select Expand


Routing table for VRF=0
B*      0.0.0.0/0 [20/0] via 192.168.9.11 (recursive is directly connected, port1), 02:15:57, [1/0]
B       10.21.35.0/24 [20/1] via 192.168.9.25 (recursive is directly connected, port1), 00:02:44, [1/0]
B       10.21.40.0/24 [20/1] via 192.168.10.25 (recursive is directly connected, port2), 00:02:44, [1/0]
B       192.168.1.0/24 [20/0] via 192.168.9.11 (recursive is directly connected, port1), 02:15:57, [1/0]


OPNSense receives all routes as configured in the Fortigate



Not able to figure out what is misconfigured ?

I thought it was a sequence number issue so I changed all numbers in both Prefix list and Route Map, that did not help.

Thank You

Thanks,

I have captured packets on the firewall when VLAN 26 cannot ping its firewall interface.



The firewall parent interface sends an ARP Broadcast.

Appreciate all the help, will go through, and try and rebuild again, must be something I missed.

Thanks again..

Just adding..

As you can see the Distributed Switch Portgroup has 2 VLANs 25 and 26, only VLAN 26 faces this issue of not reaching its firewall interface, all traffic in VLAN 25 reaches its firewall interface without any issues.

Point being VLAN 25 faces no issue at all in any configuration, but VLAN 26 faces this issue, even though both uplink configurations are the same, except the VLAN ID.

[Network Diagram]

Could you do a quick and simple diagram of the two configurations, please?

Network Diagram



Distributed Switch Uplink Portgroup with All VLANs allowed (works)



Distributed Switch Uplink Portgroup with only VLANs 26, and 24 allowed (not working)

[when the Edge Uplink Portgroups are configured with all VLANs [0-4094], the Edge vNIC carrying VLAN 26 traffic can reach the firewall interafce]

That should work, but if you expect VLANs on OPNsense to be connected in sny way across multiple ports, then that is your problem. OPNsense is not a switch. There is no "fabric". You would need to create bridge interfaces manually.

E.g. VLAN 10 on igb0, VLAN 10 on igb1, and an untagged igb2 are NOT connected in any way. As I wrote you could create a bridge with all these interfaces as members.

I understand the VLANs are not connected in anyway even though they belong to the same parent interface.

I'm just trying to understand why when the Edge Uplink Portgroups are configured with all VLANs [0-4094], the Edge vNIC carrying VLAN 26 traffic can reach the firewall interafce but when specific VLANs are added in the portgroup [26, 24], the same Edge Uplinks that allow VLAN 26 can't reach the same firewall interface.

Just use the physical interface without the VLAN.

What exactly do you want to achieve?

Thanks, this is what I plan to do now.

Yes, exactly.

In order to access the untagged port on OPNsense you use the interface itself rather than a VLAN.

However, same question from me: Why?

Thanks, I though it was possible to set up a VLAN interface without tagging.

I was trying to setup NSX Edge to send traffic over Uplinks for all VLANs over Trunk Ports (works), and for specific VLANs over Trunk ports (does not work) as I found it should work both ways, so I'm trying to understand why it does not work with the 2nd way, solely for learning purpose. I'm sure its a configuration issue, so trying to troubleshoot it but couldn't find where the issue was.

Please don't change the scope from the original question or at least don't require me to comment on the moving goal post. I just want to help with a simple question and not troubleshoot packet dumps.

Apologies, you are mistaken, the original question is related to what ever has been added.

I don't recall asking to troubleshoot packet dumps.

Anyway, no worries, appreciate your help..

A packet capture on firewall reveals the firewall Parent Interface sends an ARP Broadcast even though the VLAN interface 10.10.26.1 and 10.10.26.101 are on the same network and directly connected to it.

[(opt9 in the diagram)]

VLAN 26 tagged traffic will be ignored unless you add a VLAN interface for it.

The firewall has a VLAN interface with IP address 10.10.26.1 for VLAN tag 26 (opt9 in the diagram).

[but only traffic from VLAN 25 can reach the firewall VLAN interface 10.10.25.1. Traffic from 10.10.26.101 or 10.10.26.102 cannot reach its gateway 10.10.26.1.]

So the reason for this question is the below.

This is how the network is.



Below is the Portgroup from Distributed Switch where Edge_UL1 and Edge_UL2 are VLAN trunks carrying only traffic with VLAN ID 25 and 26, but only traffic from VLAN 25 can reach the firewall VLAN interface 10.10.25.1. Traffic from 10.10.26.101 or 10.10.26.102 cannot reach its gateway 10.10.26.1.



However, when I change both the Edge_UL1 and Edge_UL2 Portgroups to carry all VLAN traffic as below.



Everything works fine, all IP addresses from 10.10.25.0/24 and 10.10.26.0/24 can ping their respective gateway of 10.10.25.1 and 10.10.26.1 on the firewall VLAN interfaces.

So the question :

When Distributed Switch Portgroup is adding VLAN 26 tag to traffic heading to the firewall interface 10.10.26.1, is the firewall stripping the VLAN tag 26, or adding another VLAN 26 tag, or what does it do because the traffic never reaches the gateway ?

Basically both.

Thanks,

If I understood your reply correctly, any packets coming to this firewall interface will have VLAN 10 tagged to it by the firewall if its leaving the interface to the outside only if its not already tagged by the switch.

Any packets coming with tag other than 10 will be dropped right ?