BGP between tnsr and openwrt

Hello,

I would like to configure BGP between a central TNSR router and 4G OpenWRT routers (in the field).
I've installed the FRR packages on OpenWRT to enable BGP, because it is TNSR's BGP implementation.

I succeeded in getting BGP working between 2 OpenWRT routers, and between TNSR and pfSense routers, but I can't get a BGP connection between OpenWRT and TNSR.

As you can see below, on a TNSR router, BGP works with the pfSense neighbour (192.168.115.2), but not with the OpenWRT router (10.0.2.2):

tnsr3 tnsr# show route dynamic bgp summary

IPv4 Unicast Summary (VRF default):
BGP router identifier 192.168.115.254, local AS number 65014 vrf-id 0
BGP table version 13
RIB entries 23, using 4416 bytes of memory
Peers 2, using 1448 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
10.0.2.2 4 65014 0 0 0 0 0 never Active 0 N/A
192.168.115.2 4 65014 9 6 0 0 0 00:00:23 7 6 N/A

Total number of neighbors 2

As you can see below, on an OpenWRT router, BGP works with the OpenWRT neighbours (10.204 and 10.211), but not with the TNSR router (10.0.2):

rti-cmde# show bgp summary

IPv4 Unicast Summary (VRF default):
BGP router identifier 10.0.2.2, local AS number 65014 vrf-id 0
BGP table version 7
RIB entries 11, using 2024 bytes of memory
Peers 3, using 2149 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
10.0.2.254 4 65014 0 0 0 0 0 never Connect 0 N/A
10.204.1.26 4 65014 28 24 0 0 0 00:20:53 7 1 N/A
10.211.1.26 4 65014 28 24 0 0 0 00:20:53 7 1 N/A

Total number of neighbors 3

Has anyone made BGP work between TNSR and OpenWRT?
Or does anyone even have an idea?

Regards,

  1. Check that BGP packets reach both routers.
  2. Check that the firewall is not blocking anything.
    From the status it seems that the peers are not able to communicate.

@trendy is right. If you're expecting BGP traffic to arrive at the WAN interface, have you allowed port 179/tcp?

I've already checked the firewall:
On OpenWRT, in /etc/config/firewall:

config rule
        option name 'wireguard - all'
        option src '*'
        option dest '*'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'all'

On TNSR, I haven't configured any access list.
Both routers are directly connected.

This rule is wrong as it is allowing forwarded traffic among all zones, but you want ingress traffic to the device.


I've added the firewall rule BGP:

And after a manual restart of the firewall (/etc/init.d/firewall restart), it works (a simple "Save and Apply" in the LuCI interface didn't change anything).

My error was thinking that my first FW rule allows all traffic.

Thanks

This is again allowing forwarded traffic, not ingress.
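
The forward-versus-ingress distinction raised in the replies, as an added example that is not part of the original thread: a shell check that reads OpenWrt firewall config and reports which chain each rule lands in, then tests whether anything admits BGP (179/tcp) to the router itself. The first sample rule is the one posted above; the zone name 'vpn', the rule name 'Allow-BGP-in' and all function names are assumptions, and zone default policies are not evaluated.

```shell
#!/bin/sh
# Added example. OpenWrt rule semantics: src + dest set -> forwarded traffic,
# src only -> input (to the router), dest only -> output (from the router).

classify_rules() {   # stdin: firewall config; stdout: name|chain|proto|dest_port|target
    awk -v q="'" '
    function val(   p) { split($0, p, q); return p[2] }   # text inside the quotes
    function flush() {
        if (!inrule) return
        if (src != "" && dest != "") chain = "forward"
        else if (src != "")          chain = "input"
        else if (dest != "")         chain = "output"
        else                         chain = "invalid"
        printf "%s|%s|%s|%s|%s\n", name, chain, proto, port, target
    }
    $1 == "config" { flush(); inrule = ($2 == "rule")
                     name = src = dest = proto = port = target = ""; next }
    !inrule           { next }
    $2 == "name"      { name = val() }
    $2 == "src"       { src = val() }
    $2 == "dest"      { dest = val() }
    $2 == "proto"     { proto = (proto == "" ? "" : proto " ") val() }
    $2 == "dest_port" { port = val() }
    $2 == "target"    { target = val() }
    END { flush() }'
}

bgp_ingress_allowed() {   # exit 0 if an input ACCEPT rule covers 179/tcp
    classify_rules | awk -F'|' '
        # An unset proto defaults to tcp+udp; an unset dest_port matches any port.
        $2 == "input" && $5 == "ACCEPT" && ($3 == "" || $3 ~ /tcp|all/) &&
            ($4 == "" || $4 == "179") { ok = 1 }
        END { exit !ok }'
}

page_rule() {      # the rule posted in the thread
    printf "config rule\n option name 'wireguard - all'\n option src '*'\n"
    printf " option dest '*'\n option target 'ACCEPT'\n option family 'ipv4'\n"
    printf " list proto 'all'\n"
}

ingress_rule() {   # constructed: hypothetical zone 'vpn', no dest -> input chain
    printf "config rule\n option name 'Allow-BGP-in'\n option src 'vpn'\n"
    printf " option proto 'tcp'\n option dest_port '179'\n option target 'ACCEPT'\n"
}

page_rule | classify_rules
ingress_rule | classify_rules
```

On a router the same functions can be fed from `/etc/config/firewall`; restart the firewall after editing, as noted in the thread.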