Friday, June 7, 2013

My pfSense giving the bird ( update )

Well, here's some good news: "my upstream peer did find an issue in his OpenBGP configuration".

He found a problem with his export policy, and made the following adjustments
( snippet from the email )

So now the bad news: my Bird6 client is not accessing the routing engine. As I stated before, "the Bird routing daemon is just okay!". It is far from being stable and mature in a lot of environments.



So with the lack of access to the Bird6 daemon, I can't even monitor the sessions or see what IPv6 prefixes were learned. This only leaves me the ability to dump on the BGP keepalives and to determine that we are indeed established from a BGP standpoint.
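The check described above, reading BGP message types off a capture when the daemon's own CLI is unavailable, can be sketched as follows. This is an added example, not code from the original post; the function names and sample bytes are constructed for illustration, and it assumes the TCP port 179 payload for each direction has already been reassembled.

```python
import struct

# BGP-4 message types and header layout (RFC 4271, section 4.1)
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
MARKER = b"\xff" * 16   # every BGP message starts with 16 bytes of 0xff
HEADER_LEN = 19         # marker (16) + length (2) + type (1)
MAX_LEN = 4096          # RFC 4271 maximum message size


def parse_bgp_stream(payload):
    """Split one direction of a TCP/179 byte stream into BGP message type names."""
    types, offset = [], 0
    while offset + HEADER_LEN <= len(payload):
        marker = payload[offset:offset + 16]
        length, msg_type = struct.unpack("!HB", payload[offset + 16:offset + HEADER_LEN])
        if marker != MARKER or not HEADER_LEN <= length <= MAX_LEN:
            raise ValueError(f"not a BGP header at offset {offset}")
        if offset + length > len(payload):
            break  # truncated capture: stop at the last complete message
        types.append(BGP_TYPES.get(msg_type, f"UNKNOWN({msg_type})"))
        offset += length
    return types


def session_looks_established(local_to_peer, peer_to_local):
    """Heuristic: KEEPALIVEs flow both ways and neither side sent a NOTIFICATION."""
    sent = parse_bgp_stream(local_to_peer)
    received = parse_bgp_stream(peer_to_local)
    if "NOTIFICATION" in sent + received:
        return False
    return "KEEPALIVE" in sent and "KEEPALIVE" in received


# Constructed sample data (not taken from the post's capture).
KEEPALIVE = MARKER + struct.pack("!HB", 19, 4)
# NOTIFICATION: header + error code 6 (Cease) + subcode 2 (Administrative Shutdown)
NOTIFICATION = MARKER + struct.pack("!HB", 21, 3) + bytes([6, 2])

if __name__ == "__main__":
    print(parse_bgp_stream(KEEPALIVE * 2))
    print(session_looks_established(KEEPALIVE * 2, KEEPALIVE))
    print(session_looks_established(KEEPALIVE, KEEPALIVE + NOTIFICATION))
```

Keepalives in both directions only show that the session is up; which prefixes were learned still has to come from the UPDATE messages or from the daemon itself.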



So I'm now reverting back to my original OpenBGP configuration, and will have to wait till the upstream peer accepts my connection;


and tcpdump shows the following ( resets from my upstream peer at 2607xxxxxxx.1 );



So I will wait :)


And now we have a BGP session;

As you can see, only one IPv6 prefix.



Both open-source routing daemons can present very unique problems and issues of their own. So you have to pick the one that feels the best and right for your solution. OpenBGP probably has more users overall, so I'd rather stay with it. You can read more at the links below:

http://en.wikipedia.org/wiki/OpenBGPD 
http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current
http://www.openbsd.org/cgi-bin/man.cgi?query=bgpctl

Using it for both my IPv4/IPv6 BGP peers, and with the natural support in pfSense, it makes more sense to use OpenBGP than Bird. In the longer run, we can only hope for better diagnostics and debugging within both of the open-source routing daemons. This also means better logging information and details.

This is where commercial systems shine the best. You have a better overall support structure and some type of technical source to lean on. With any open-source solution, you have only a forum and a wide internet audience.

Ken Felix
Freelance Network/Security Engineer
kfelix ---a-t--- hyperfeed ----d-o-t---com

    ^      ^
= ( *   * ) =
        @

