Stop automatic default route generation

[JimIFN]

Hello:

I run a small ISP, and I'm using OPNsense in a failover pair as my core ISP router.  I have some public IP address ranges assigned, and I am announcing them via BGP to my upstreams.  I also receive via BGP default (and some additional) routes.

Currently, in my route table, the kernel route is inserted by the gateways.  This overrides the default route from BGP.  Unfortunately, this means if BGP session drops to a peer, the default route remains in place..but I do NOT want that.  I want my default route managed by BGP.

I tried deleting the gateways, but "bad things" happened.  Is there some way to disable the gateway system, or at least suppress insertion of the default route into the kernel routing table?

[franco]

Removing drops you back to enabled defaults. Try disable or unchecking "Upstream Gateway".


Cheers,
Franco

[mooh]

Have you looked into the Firewall:Settings:Advanced:"Disable force gateway" setting? By default OPNsense creates a default policy route for traffic originating from the FW itself.

[Maurice]

If the gateway is needed for static routes or policy routing, keeping it enabled but marking it as "down" is what worked for me. Not sure whether this (still) is best practice though.

@franco Doesn't unchecking "Upstream Gateway" only lower the priority? From my experience, this doesn't prevent a gateway from becoming the default. Has this changed?

@mooh These firewall rules have nothing to do with the default route in the routing table.

Cheers
Maurice

[franco]

The default code treats it like this:

https://github.com/opnsense/core/blob/092433dae62be475918f498b101296cb41810d90/src/opnsense/mvc/app/models/OPNsense/Routing/Gateways.php#L497-L500

So disabled should work.

I'm a bit unsure about 'defaultgw' property. It has been weird historically in that it orders gateways, but it's more of a hint of what should be a default gateway so that may not work indeed.

But if you want a default route that is configured as a gateway to stick only checking that as upstream (defaultgw) will do the job so nothing else will create a different gateway.


Cheers,
Franco

[mooh]

@mooh These firewall rules have nothing to do with the default route in the routing table.

I agree, it doesn't change the kernel routing. Thanks to your response I now understand the question better, so please ignore my comment.

[Maurice]

But if you want a default route that is configured as a gateway to stick only checking that as upstream (defaultgw) will do the job so nothing else will create a different gateway.

That's a little off topic here since the OP doesn't want the default route to be set by a gateway at all, only by BGP. But while we're at it: Marking a gateway as upstream doesn't reliably prevent non-upstream gateways from becoming the default gateway.

I've had a situation with three gateways, 1 and 2 marked as upstream and with gateway monitoring enabled, 3 not marked as upstream. The intention was default gateway switching between gateway 1 and 2 (failover), while using gateway 3 only for some specific static routes.

This worked as long as gateway 1 and / or 2 were up. But when both went down, gateway 3 became default (which should never happen). The only way to prevent this was marking gateway 3 as "down".

If anything has changed in this regard, I'd be happy to learn about it.

[Monviech (Cedrik)]

From what I know if you have 3 gateways that all have priority 254, setting one with the upstream gateway flag will prefer it as candidate before the other active gateways with the same priority.

I always disable gateways I only need for installing static routes. And my (test) BGP setup does the same where I install a default route via BGP. All gateways disabled, no interface on DHCP.

[Maurice]

@Monviech Exactly, "Upstream Gateway" is a preference setting, not a "this gateway will always / never be upstream".
Having two preference settings (numeric "Priority" and binary "Upstream Gateway") has always been a bit confusing.