WebGUI not responsive when BGP is enabled

Started by nomad421, April 08, 2025, 04:46:43 AM

Hi, I have a somewhat complex lab setup, where we're running EVPN / VXLAN on a SONiC based spine / leaf fabric. We're using OPNSense essentially as a border gateway to the greater corporate network and we're using NAT there to isolate everything in our lab on private IP space. We have VRFs (tenants) for each logical test environment (VXLAN allows L2 adjacency between physical racks). The OPNSense border gateway peers southbound with secondary OPNSense VMs we've set up for each tenant. This allows us to have auxiliary services (like DNS, NTP, proxy, firewall rules) for each tenant. Those secondary OPNSense VMs peer further southbound with the VRFs on the L3 switch fabric. All the peering networks use private /31 p2p links on tenant specific VLANs. These secondary OPNSense VMs have no WAN interface, and only have their peering networks and a loopback address intended for ingress / egress to aux services like the WebGUI.

Suffice it to say, it's an interesting setup. And it works. But something I am struggling to figure out is the WebGUI. When I have BGP disabled I can access the WebGUI on any of the BGP peering IPs present on the tenant OPNSense. I just route through the border gateway directly to the peer IP on the tenant OPNSense. If I enable BGP and establish a peer relationship between border and tenant, the tenant WebGUI is no longer accessible from a browser, although I can still ping, traceroute, and ssh to the same IP. Even the loopback interface becomes available after BGP is enabled because its route is advertised, and I can ssh to that, etc. But the WebGUI does not work on any IP on the tenant OPNSense. If I disable BGP, it all comes back.

I do have "listen on all interfaces" selected for the WebGUI, and I have firewall rules opening up all IPv4 on all the tenant OPNSense interfaces. I've also tested with pfctl -d; it does not seem firewall related. I suspect it's related to "Gateways" in the OPNSense context, or some esoteric tickbox related to far gateways or something along those lines. So far I have not been able to figure it out. But considering that all comms continue to work except the WebGUI, it feels like there is something happening under the covers that I'm unaware of.

Any help is greatly appreciated.