FRR - ADD BFD feature on web interface

[LensHunnel]

Is your feature request related to a problem? Please describe.
always frustrated when I configure the routing on Opnsense because I'm using bfd on my OSPF configuration and I can't start the bfdd process because on the template /usr/local/opnsense/service/templates/OPNsense/Quagga/frr it only configure ospf rip and BGP and not BFD.

Describe the solution you'd like
I would like two checkboxes fields:
the first one to activate bfd globally and
the second one in the ui/quagga/ospf/, in the interface configuration view, which would add ip ospf bfd in frr configuration under interface.

[mimugmail]

Did you check If bfd is compatible on the FreeBSD Version of FRR? Most of it only works with linux

[LensHunnel]

Hi, thanks for your answer. I can activate BFD via the cli vtysh but all the BFD configuration is reset when the server reboot or the service frr reloaded because it's not configured via OPNSense.

[mimugmail]

Can you leave a füll sample Here so I can have a look

[LensHunnel]

In the file /etc/rc.conf.d/frr I have to add bfdd in variable frr_daemons :

frr_daemons="zebra ospfd bfdd bgpd"

And My frr cli configuration looks like:

Building configuration...

Current configuration:
!
frr version 7.4
frr defaults traditional
hostname XXXX
log file /var/log/frr.log informational
!
interface vtnet1
 ip ospf bfd # That is the line that disappear when I reboot.
 ip ospf authentication message-digest
 ip ospf dead-interval 3
 ip ospf hello-interval 1
 ip ospf message-digest-key 1 md5 liain-border
!
router bgp XXX
 bgp router-id X.X.X.X
 no bgp ebgp-requires-policy
 neighbor X.X.X.X remote-as XXX
 !
 address-family ipv4 unicast
  neighbor X.X.X.X next-hop-self
 exit-address-family
!
router ospf
 ospf router-id 192.168.199.241
 passive-interface lo2
 passive-interface vtnet0
 network 192.168.199.0/24 area 0.0.0.0
!
route-map RM_SET_SRC permit 10
!
line vty
!
bfd  # That is the other line that disappear when I reload.
!
end

[mimugmail]

And after this BFD really works? I mean, it eats the commands, but regarding FreeBSD and FRR this means nothing.

[LensHunnel]

Yes I can see BFD packets get out from my interface using tcpdump.

[mimugmail]

I had a look at the docs, they are using peer syntax in bfdd.conf, is there a reason why you not configuring it?

I will try to add a bfd submenu

[LensHunnel]

Firstly I can't use it because the BFD configuration that I use is in the file /usr/local/etc/frr/ospfd.conf generated by opnsense and Secondly the file /etc/rc.conf.d/frr where we can specify to frr to start BFD daemon is also generated by opnsense.

Thanks for your answers.

[mimugmail]

They only get overwritten when you hit save in the UI. You can setup everything from UI, then switch to CLI, edit rc.conf.d file and also add a bfdd.conf in etc folder and restart via service frr restart

[LensHunnel]

But it'll be overwritten after a reboot and each time after a save in the UI.

[mimugmail]

Indeed, the only thing I need from you is an "OK", I've tested it with just config files and CLI, it runs fine, peers are detected. (a show run and show bfd XXX would be nice)

I can't count the times I added a feature which in the end wasn't supported the way, the issuer thought it should work, dont take it as an offence.

[LensHunnel]

Oh no worries, I'm grateful that feature could be added. It's all fine to me if the configuration I pasted before can be configured in UI or at least not reset when I save in the UI

[fprina]

BFD would be great ... it should also speed up the convergence if used with the "Enable CARP Failover" option

[mimugmail]

When you follow the thread you'll see that this needs more testers before to get integrated.

[fprina]

Oh I see, I misunderstood you previous post.

IMHO it works fine; I've added bfdd as daemon and ip ospf bfd to the interface via vtysh.
If I stop the FFR service on the firewall the device immediately disappear from the neighbor list of the device on the other side (at the moment a VyOS)

opnsense# show bfd peer 10.1.92.101
BFD Peer:
        peer 10.1.92.101 vrf default interface vtnet0
                ID: 4136871459
                Remote ID: 1140280080
                Status: up
                Uptime: 1 minute(s), 24 second(s)
                Diagnostics: ok
                Remote diagnostics: ok
                Peer Type: dynamic
                Local timers:
                        Detect-multiplier: 3
                        Receive interval: 300ms
                        Transmission interval: 300ms
                        Echo transmission interval: 50ms
                Remote timers:
                        Detect-multiplier: 3
                        Receive interval: 300ms
                        Transmission interval: 300ms
                        Echo transmission interval: 50ms	

vyos# show bfd peer 10.1.92.11
BFD Peer:
        peer 10.1.92.11 vrf default interface eth0.2009
                ID: 1140280080
                Remote ID: 4136871459
                Status: up
                Uptime: 1 minute(s), 58 second(s)
                Diagnostics: ok
                Remote diagnostics: ok
                Peer Type: dynamic
                Local timers:
                        Detect-multiplier: 3
                        Receive interval: 300ms
                        Transmission interval: 300ms
                        Echo transmission interval: 50ms
                Remote timers:
                        Detect-multiplier: 3
                        Receive interval: 300ms
                        Transmission interval: 300ms
                        Echo transmission interval: 50ms

[mimugmail]

Can you do a write in vtysh and post the contents of bfdd.conf, please?

[fprina]

if I add the BFD only under the interface the file is:

!
! Zebra configuration saved from vty
!   2020/12/10 13:14:30
!
frr version 7.4
frr defaults traditional
!
hostname opnsense
!
!
!
line vty
!
!

if I add it in the main configuration

!
! Zebra configuration saved from vty
!   2020/12/10 13:16:58
!
frr version 7.4
frr defaults traditional
!
hostname opnsense
!
!
!
line vty
!
!
bfd
!

[fprina]

The vtysh commands was

1st case:

configure						
interface vtnet0
 ip ospf bfd
!

2nd case:

configure						
bfd
exit

PS: In my operational tests I used only the interface config as with the vyos I use just this one

[mimugmail]

@fprina ok thx, and can you also check this: #2050 (comment)

[fprina]

vtysh

configure
bfd
peer 10.1.92.101
exit
exit

bfdd.conf

!
! Zebra configuration saved from vty
!   2020/12/10 14:12:10
!
frr version 7.4
frr defaults traditional
!
hostname opnsense
!
!
!
line vty
!
!
bfd
 peer 10.1.92.101
 !
!

After a quick test it have the same behaviour of ip ospf bfd in the interface section

BFD Peer:
        peer 10.1.92.101 vrf default
                ID: 557545475
                Remote ID: 2851476737
                Status: up
                Uptime: 2 minute(s), 15 second(s)
                Diagnostics: ok
                Remote diagnostics: ok
                Peer Type: configured
                Local timers:
                        Detect-multiplier: 3
                        Receive interval: 300ms
                        Transmission interval: 300ms
                        Echo transmission interval: 50ms
                Remote timers:
                        Detect-multiplier: 3
                        Receive interval: 300ms
                        Transmission interval: 300ms
                        Echo transmission interval: 50ms

[LensHunnel]

When you follow the thread you'll see that this needs more testers before to get integrated.

What do you mean by this needs more testers before to get integrated ? Should I show you more tests results and configurations ?

[mimugmail]

When you follow the thread you'll see that this needs more testers before to get integrated.

What do you mean by this needs more testers before to get integrated ? Should I show you more tests results and configurations ?

Not anymore, initially I needed a confirmation of #2050 (comment) cause it changes they way to introduce it. The first test would be a checkbox in OSPF, the second one is a new submenu where you configure peers outside of the protocol (which is more generic)

[LensHunnel]

Thanks for quick response. Since it is the same behavior, the second seems to me indeed more suitable.

[fprina]

hai @mimugmail
do you need further test ?

[MarkStitson]

I am just setting up an opnsense router in a BGP environement and want to use BFD as well. The other routers in my test lab use BFD, so I am happy to help testing this.

[mimugmail]

Sorry for the delay guys, I added a PR for BFD

[mimugmail]

@MarkStitson @fprina @LensHunnel can anyone of you guys test the new devel package and check if it works for you?

[fprina]

Which is the right command to use to patch the code ?

[MarkStitson]

Being new to OpnSense, it took me a few attempts to get the update, but basically I switched to Development in System->Firmware->Settings->Type, then ran an update rebooted and ran an update again.
If you check in System->Firmware->Plugins, you should see version 1.22 of the os-frr-devel plugin which has the change.

It seems to do the right thing for me and bfd is running:
`root@OPNsense:/usr/local/opnsense/mvc/app # vtysh

Hello, this is FRRouting (version 7.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

OPNsense.local.xxx.com# show bfd peers brief
Session count: 1
SessionId LocalAddress PeerAddress Status
========= ============ =========== ======
2815985383 192.168.11.92 192.168.11.1 up
OPNsense.local.xxx.com# show bfd peers
BFD Peers:
peer 192.168.11.1 vrf default
ID: 2815985383
Remote ID: 1673250282
Status: up
Uptime: 20 minute(s), 20 second(s)
Diagnostics: ok
Remote diagnostics: ok
Peer Type: configured
Local timers:
Detect-multiplier: 3
Receive interval: 300ms
Transmission interval: 300ms
Echo transmission interval: 50ms
Remote timers:
Detect-multiplier: 5
Receive interval: 10ms
Transmission interval: 100ms
Echo transmission interval: 0ms

OPNsense.local.xxx.com#
`

A useful addition would be to add BFD to the diagnostics under Routing->Diagnostics->BFD with 2 tabs like BGP:

• Neighbours displaying show bfd peers
• Summary displaying show bfd peers

Should I raise a separate feature request for that?

[MarkStitson]

Oops. I spoke too soon.

I can't enabled BFD in Routing->BGP-Neighbors when adding a peer to create the line: neighbor 192.168.11.1 bfd in the config file bgpd.conf in a router section, eg.

router bgp 65509
no bgp ebgp-requires-policy
bgp router-id 192.168.252.25
neighbor 192.168.11.1 remote-as 65501
neighbor 192.168.11.1 bfd
neighbor 192.168.11.1 update-source bce0
address-family ipv4 unicast
network Null
redistribute connected
neighbor 192.168.11.1 prefix-list Upstream in
neighbor 192.168.11.1 prefix-list Remote out
exit-address-family
!

[mimugmail]

@MarkStitson Do you really need this line in bgp when you already have a peer in BFD.
My thoughts were this should be enough, also confirmed by @fprina (regarding OSPF).

By the way you don't need to switch to Development branch, you can also just install via CLI:
pkg install os-frr-devel

[MarkStitson]

Thanks for the hint how to install the package.

With regard to if the line is required in the BGP section, the BGP daemon needs to be told which peer uses BFD and which peer does not use BFD, the FRR docs also say that http://docs.frrouting.org/en/latest/bfd.html

BFD is a helper for the actual routing protocol, alone it doesn't do anything useful. It needs to be linked to an actual routing protocol and tells the routing protocol if a peer with BGP (or interface with OSPF) is up or down.

If I configure with the extra line, then the vtysh show ip bgp neighbors command shows 3 additional lines:

BFD: Type: single hop
Detect Multiplier: 3, Min Rx interval: 300, Min Tx interval: 300
Status: Up, Last update: 0:00:01:01

If I don't have the extra line the BFD status is missing from BGP, to enable it we need a tickbox in the BGP Neigbour config.

I believe you have to do something similar for OSPF, but there it is per interface, not per peer, see above

[mimugmail]

So this means you only need a checkpoint in neighbor grid to enable/disable BFD correct?

[MarkStitson]

Correct, there has to be a checkpoint in the BGP Neighbour and the OSPF Interface so BFD can be enabled or disabled for each neighbout/interface.

There should probably also be a checkbox in the BFD Neighbour settings, so you can enable multihop per neighbour, but I don't use that and I am not sure how to test it. This would generate peer A.B.C.D multihop instead of peer A.B.C.D in the bfd config. If you do want to put it in, I'll try to create a test setup for it.

[mimugmail]

I try to add it tomorrow

[MarkStitson]

That's great. I would offer to help more, but I'm not that familiar with the OpenSense system yet.

[mimugmail]

@MarkStitson no worries .. these were the required changes for adding the checkbox:
https://github.com/opnsense/plugins/pull/2364/files

[MarkStitson]

I've now checked the change and it works as expected.

I've also created the missing diagnostics and made a pull request for that: #2399

I've got the code for the OSPF setup for BFD here as well, but I need someone who can test this for me.

[mimugmail]

Thx 😍

[jberkleef]

Hi @MarkStitson,

Sorry to reopen such an old issue, but I'm in a situation where I want to use BFD over OSPF. Would you still be willing to contribute the code if I run the tests for you?

[MarkStitson]

As far as I recall I added the code for BGP and OSPF. I just couldn't test it. The thing that I never finished was the diagnostics. Happy to get back onto that and test with you. I won't have time to look at it until next week though. Mark Sent from Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Jeremy Berkleef ***@***.***> Sent: Tuesday, June 20, 2023 7:42:43 PM To: opnsense/plugins ***@***.***> Cc: Mark Stitson ***@***.***>; Mention ***@***.***> Subject: Re: [opnsense/plugins] FRR - ADD BFD feature on web interface (#2050) Hi @MarkStitson<https://github.com/MarkStitson>, Sorry to reopen such an old issue, but I'm in a situation where I want to use BFD over OSPF. Would you still be willing to contribute the code if I run the tests for you? — Reply to this email directly, view it on GitHub<#2050 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGFP3ILJJOVGEQ7CBSIVOWDXMHVKHANCNFSM4SA5JZ7Q>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[jberkleef]

Hi Mark,

Thanks for getting back to this. As far as I can tell, there's no UI to enable BFD for my OSPF interfaces.
Take all the time you need, I'll be ready when you are.

[MarkStitson]

If you are confident in trying it out on your box, here is my branch commit for BFD on OSPF:

af6e9f4

[jberkleef]

Hi Mark,

I've just deployed the patch to 2 live boxes, seems to be working fine.

The packets seem to be being sent out and received over the wireguard tunnels I've set up.
These are 3 firewalls (2 opnsense, 1 pfsense) connected in a full mesh, BFD seems to remove the OSPF routes from the database properly.

One thing I ran into is that if BFD peers are configured and enabled, but the BFD checkbox is not checked on the OSPF interface, the routes never get accepted into the OSPF table by the other end, therefore locking me out. I assume this is just a quirk of FRR and not something related to this plugin.

[jberkleef]

I've also found a small issue.

I believe this line should read "ip ospf bfd" instead.