
Add RPKI support to FRR plugin

Open ahadley1124 opened this issue 5 months ago • 6 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [ X ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [ X ] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [ X ] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe. For a safer internet, networks should be implementing RPKI if they announce any networks. Implementing it in FRR is easy on the command line but gets overwritten when changing anything in the GUI.

Describe the solution you'd like Within the /net/frr folder, add a new page to the FRR subsection of the GUI for configuring RPKI. Then we can add the appropriate commands to the FRR config file and reload FRR.

Describe alternatives you've considered Manually write the FRR config every time a change is needed to keep RPKI enabled. I have also thought of a script to check if a certain line is in the file and if not to add lines to the file but it comes with too many headaches and crashed the router a few times.

Additional context The first link is FRR's docs showing how to enable and configure RPKI in FRR. The next 3 links are the RPKI standard, if we have to manually implement any sections.

https://docs.frrouting.org/en/latest/bgp.html#prefix-origin-validation-using-rpki

https://www.rfc-editor.org/rfc/rfc6480
https://www.rfc-editor.org/rfc/rfc7115.html
https://datatracker.ietf.org/doc/html/rfc8210

ahadley1124 avatar Jul 16 '25 23:07 ahadley1124

What you could try is creating a custom jinja2 import at the spot you need it. All of the files in there will be merged into frr.conf.

https://github.com/opnsense/plugins/blob/master/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr.conf

So just create one with a custom config after adding it to frr.conf and put it in this folder and add it to the above frr.conf as import:

https://github.com/opnsense/plugins/tree/master/net/frr/src/opnsense/service/templates/OPNsense/Quagga

You don't have to use jinja2 syntax for the imported file, it will also render non-conditional statements.

If this works we can think about adding a directory for custom configuration files maybe.

Monviech avatar Jul 17 '25 07:07 Monviech
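A concrete version of the custom import described in the comment above, added here as an example and not code from the issue or the OPNsense project: the include line for frr.conf and a separate rpki.conf in plain FRR syntax with an RTR cache and a route-map that rejects RPKI-invalid prefixes. The template path, the cache address and the route-map name are assumptions.

```jinja
{# frr.conf (OPNsense template): add this include where the RPKI stanza should land #}
{% include "OPNsense/Quagga/rpki.conf" %}

{# rpki.conf: new file in the same template folder, plain FRR syntax, no Jinja needed #}
!
! RTR session to the validator (RFC 8210 over plain TCP); 192.0.2.10 is a constructed address
rpki
 rpki polling_period 300
 rpki cache 192.0.2.10 3323 preference 1
exit
!
! Drop prefixes whose origin AS is RPKI-invalid, accept valid and not-found
route-map RPKI-IN deny 10
 match rpki invalid
!
route-map RPKI-IN permit 20
!
! The route-map only takes effect once a neighbor references it
! ("neighbor <peer> route-map RPKI-IN in"), and the rpki commands only
! parse when bgpd runs with the rpki module loaded (-M rpki), which needs
! an FRR build with rtrlib support.
```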

After doing some digging into my configuration, it appears that the rpki lines never actually activate as they soft error and frr does not use them. This appears to be caused by the frr-rpki-rtrlib library not being available on opnsense. Is this something we need to look at bringing over or is there another solution?

ahadley1124 avatar Jul 26 '25 03:07 ahadley1124

It has to be compiled into the binary:

https://github.com/opnsense/ports/blob/87a935c1c056588fbe7de7896477a24d29b40b78/net/frr10/Makefile#L120

Right now we compile frr10 like this:

https://github.com/opnsense/tools/blob/ddec68d9ea84ae3fd9e329bcf64192e27576e713/config/25.7/make.conf#L62

Monviech avatar Jul 26 '25 04:07 Monviech

Am I able to just recompile frr or do I have to manually compile opnsense?

ahadley1124 avatar Jul 27 '25 21:07 ahadley1124

You can compile any port.

Just clone the ports repository and go into the folder of the port, net/frr10.

Then use "make config" to choose what to compile in, and afterwards "make -DBATCH install clean".

Monviech avatar Jul 28 '25 05:07 Monviech

When will there be an FRR plugin with RPKI support in the web GUI?

openfnord avatar Oct 25 '25 18:10 openfnord