Opnsense networking gets very slow with full BGP routing table

[ns]

Hello,

when adding the full routing table to an DEC4040, the system needs ca. 5 minutes to just display the content of netstat -nr. A lot of network related operations such as fetch time out sometime as well.

root@router1:~ # date; netstat -nr|wc -l; date
Thu Oct  6 09:28:26 CEST 2022
 1041529
Thu Oct  6 09:33:18 CEST 2022
root@router1:~ #


Is there any tuning that needs to be done for the system to support the full routing table?

Best regards,

Nico

[Patrick M. Hausen]

I doubt you can manage the DFZ on a stock OPNsense installation. I would look into the BSD Router Project for that.

https://bsdrp.net

[ns]

That matches with my observation, but I fail to understand what causes that problem on opnsense, because in the end it's just a GUI + FreeBSD - or am I mistaken?

[seed]

You want to add a fulltable to a softwarerouter?
I would not do that. There is a reason why ISPs use dedicated hardwarerouters with ASICs like the Juniper MX480.
In my experience FRR on opnsense is great for smaller projects.

[lilsense]

To correct Seed here, ASIC are designed for Packet/Frame forwarding as in switching but not routing. ASIC comes in handy in MPLS/eVPN/VXLAN concepts of BGP, but plain jane routing table requires beefy CPU and lots of RAM to achieve this such as Opteron or Xeon CPU.

[seed]

Its simple.

If a router specifies wirespeed for routing it goes through a ASIC. if not (slower) its most likely done by cpu.

[Patrick M. Hausen]

Yes. But in most designs the control plane is the general purpose CPU and the forwarding plane is ASIC. And BGP is run on the control plane.

A Cisco Catalyst 6500 will easily appear to have come to a halt when a full feed BGP peer toggles. SSH completely unresponsive. Yet it will continue to forward pavkets at wire speed.

As for your observation with OPNsense - I expect the BSD Router Project to have some special tuning in place. Maybe not, sorry if that remark was misleading. What kind of CPU and memory interface does your box have?

[lilsense]

Many large ISP's STILL use Ultra high performance servers with dual/quad CPU (as in Opteron/Xeon) that are built as Route Reflectors and that can handle millions of AS at line rate. This is still needed as not all ISP's are 100% MPLS. Think "T" as in Deutsche Telekom AG or T-Mobile...

[mimugmail]

We have linx boxes around 5 years old running full-table with FRR, we also handled fulltable 10 years ago with Quagga, no worries. Also your OPNsense should handle this, but you never should a netstat -nr on full-table, I'd also never run a route -n on a linux with full-table. And NEVER .. NEVER .. use the UI to show routes in GUI.

You should stick into FRR via "vtysh" and quere your bgp daemon via sh ip bgp X.X.X.X ..