opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

frr: Configure ipv6 next-hop on route-map #2955

Closed nsapa closed 2 years ago

nsapa commented 2 years ago


Is your feature request related to a problem? Please describe. I cannot set up a route-map to set "ipv6 next-hop prefer-global". I can put whatever I want in the "set" field, it will be ignored.

Describe the solution you'd like On the form for new route-map on ui/quagga/bgp/index#routemaps, add a new drop-list called "IPv6 Next-hop preference" with two options:

Describe alternatives you've considered Fix the free-form set field to accept "ipv6 next-hop .." command.

Additional context This is a workaround for an issue with missing link-local ipv6 on wireguard interface.

nsapa commented 2 years ago

Transcript of enabling this option:

root@Wormhole:~ # netstat -rn6
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           ::1                           UGSB        lo0
::1                               link#1                        UHS         lo0
2001:db8:1234::192                link#5                        UHS         lo0
fd7c:3655:dbb6::/48               ::1                           UGSB        lo0
fd7c:3655:dbb6:1::/64             link#6                        U           hn1
fd7c:3655:dbb6:1::246             link#6                        UHS         lo0
fd7c:3655:dbb6:2::/64             link#7                        U           hn2
fd7c:3655:dbb6:2::217             link#7                        UHS         lo0
fd7c:3655:dbb6:3::/64             link#9                        U           wg1
fd7c:3655:dbb6:3::213             link#9                        UHS         lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
fe80::%hn0/64                     link#5                        U           hn0
fe80::ff:fec2:8a42%hn0            link#5                        UHS         lo0
fe80::%hn1/64                     link#6                        U           hn1
fe80::215:5dff:fec3:5502%hn1      link#6                        UHS         lo0
fe80::%hn2/64                     link#7                        U           hn2
fe80::fed4:f2ff:feb7:d6bc%hn2     link#7                        UHS         lo0
root@Wormhole:~ # vtysh

Hello, this is FRRouting (version 7.5.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

Wormhole.in.astriaporta.space# configure
Wormhole.in.astriaporta.space(config)#  route-map Force_Global_IPv6 permit 10
Wormhole.in.astriaporta.space(config-route-map)# set ipv6 next-hop prefer-global
Wormhole.in.astriaporta.space(config-route-map)# end
Wormhole.in.astriaporta.space# exit
root@Wormhole:~ # netstat -rn6
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           ::1                           UGSB        lo0
::1                               link#1                        UHS         lo0
2001:db8:1234::192                link#5                        UHS         lo0
2001:db8:666:400::/56             fd7c:3655:dbb6:3::214         UG1         wg1
2001:db8:666:417::/64             fd7c:3655:dbb6:3::214         UG1         wg1
fd7c:3655:dbb6::/48               ::1                           UGSB        lo0
fd7c:3655:dbb6:1::/64             link#6                        U           hn1
fd7c:3655:dbb6:1::246             link#6                        UHS         lo0
fd7c:3655:dbb6:2::/64             link#7                        U           hn2
fd7c:3655:dbb6:2::217             link#7                        UHS         lo0
fd7c:3655:dbb6:3::/64             link#9                        U           wg1
fd7c:3655:dbb6:3::213             link#9                        UHS         lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
fe80::%hn0/64                     link#5                        U           hn0
fe80::ff:fec2:8a42%hn0            link#5                        UHS         lo0
fe80::%hn1/64                     link#6                        U           hn1
fe80::215:5dff:fec3:5502%hn1      link#6                        UHS         lo0
fe80::%hn2/64                     link#7                        U           hn2
fe80::fed4:f2ff:feb7:d6bc%hn2     link#7                        UHS         lo0
root@Wormhole:~ #

Since we are missing the fe80 route on wg1, the route to 2001:db8:666:400::/56 via wg1 cannot be inserted in the FIB. If we force FRR to use the global address of the peer (here fd7c:3655:dbb6:3::214), routes are inserted in the FIB.
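The check described in the comment above can be automated. The following is an added example, not part of the original thread or the plugin: it parses `netstat -rn6` output and reports interfaces that have a connected prefix but no `fe80::%<if>/64` route. The sample table is constructed from rows of the transcript, and treating a `link#N` gateway on a non-host prefix as "connected" is an assumption of this sketch.

```python
import re

# Constructed sample: a trimmed `netstat -rn6` table in the same layout as the
# transcript above (rows reused from it; not a new capture).
SAMPLE = """\
Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           ::1                           UGSB        lo0
fd7c:3655:dbb6:1::/64             link#6                        U           hn1
fd7c:3655:dbb6:3::/64             link#9                        U           wg1
fd7c:3655:dbb6:3::213             link#9                        UHS         lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::%hn1/64                     link#6                        U           hn1
fe80::215:5dff:fec3:5502%hn1      link#6                        UHS         lo0
"""

LINK_LOCAL_NET = re.compile(r"^fe80::%(?P<ifname>[^/\s]+)/64$")


def parse_routes(text):
    """Yield (destination, gateway, flags, netif) for each route row."""
    for line in text.splitlines():
        fields = line.split()
        # Route rows have at least 4 columns; skip headers and blank lines.
        if len(fields) < 4 or fields[0] in ("Destination", "Routing"):
            continue
        yield fields[0], fields[1], fields[2], fields[3]


def interfaces_missing_link_local(text):
    """Return interfaces with a connected prefix but no fe80::%if/64 route."""
    connected, link_local = set(), set()
    for dest, gateway, flags, netif in parse_routes(text):
        m = LINK_LOCAL_NET.match(dest)
        if m:
            link_local.add(m.group("ifname"))
        # Assumption: a prefix route (not a host route) via link#N is "connected".
        elif gateway.startswith("link#") and "/" in dest and "H" not in flags:
            connected.add(netif)
    return sorted(connected - link_local)


if __name__ == "__main__":
    print(interfaces_missing_link_local(SAMPLE))
```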

mimugmail commented 2 years ago

What does your /usr/local/etc/frr/bgpd.conf look like when you insert ipv6 next-hop prefer-global in the set field?

nsapa commented 2 years ago

When I insert ipv6 next-hop prefer-global in the set field, bgpd.conf looks like this:

!
!
route-map Force_Global_IPv6 permit 10
!
!

davidheijkamp commented 2 years ago

We see the exact same behavior on OPNsense 22.1.6 with FRR plugin 1.27. When we edit the config manually in /usr/local/etc/frr/bgpd.conf and restart FRR with /usr/local/etc/rc.d/frr restart, the config is picked up by FRR and is functional (our setting is set ip next-hop <ipv4>). The set command we've configured in the web interface is included in the XML config backup:

<routemap uuid="fd5e2f9d-fabe-4391-a964-fbf581bc8c0c">
            <enabled>1</enabled>
            <description/>
            <name>next-hop-carp-inside</name>
            <action>permit</action>
            <id>20</id>
            <match/>
            <match2/>
            <match3/>
            <set>ip next-hop ...</set>
</routemap>
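
The two comments above show the same symptom from both sides: the `<set>` value is stored in the XML backup but never reaches bgpd.conf. The following is an added example, not code from the plugin, that compares the two and lists route-maps whose set clause was silently dropped. The inputs are constructed from the fragments quoted in this thread; the `<routemaps>` wrapper element and the placeholder uuid are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the fragments quoted in this thread. The
# <routemaps> wrapper and the uuid are placeholders; only <routemap> and its
# child elements appear on the page.
CONFIG_XML = """\
<routemaps>
  <routemap uuid="00000000-0000-0000-0000-000000000001">
    <enabled>1</enabled>
    <name>Force_Global_IPv6</name>
    <action>permit</action>
    <id>10</id>
    <set>ipv6 next-hop prefer-global</set>
  </routemap>
</routemaps>
"""
BGPD_CONF = """\
!
route-map Force_Global_IPv6 permit 10
!
"""


def rendered_sets(conf_text):
    """Map (name, action, seq) -> list of 'set' clauses found in bgpd.conf."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        words = raw.split()
        if len(words) == 4 and words[0] == "route-map":
            current = stanzas.setdefault(tuple(words[1:4]), [])
        elif words and words[0] == "set" and current is not None:
            current.append(" ".join(words[1:]))
        elif words[:1] == ["!"] or not raw.startswith(" "):
            current = None  # "!" or an unindented line ends the stanza
    return stanzas


def dropped_sets(xml_text, conf_text):
    """Return (name, seq, set) for enabled route-maps whose set was not rendered."""
    rendered, missing = rendered_sets(conf_text), []
    for rm in ET.fromstring(xml_text).iter("routemap"):
        wanted = " ".join((rm.findtext("set") or "").split())
        if rm.findtext("enabled") != "1" or not wanted:
            continue
        key = (rm.findtext("name"), rm.findtext("action"), rm.findtext("id"))
        if wanted not in rendered.get(key, []):
            missing.append((key[0], key[2], wanted))
    return missing
```

An empty result from `dropped_sets` means every enabled route-map's set clause appears in the rendered configuration.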