This is an addendum to the MetalLB recipe, explaining how to configure MetalLB to perform BGP peering with a pfSense firewall.

This is a companion discussion topic for the original entry at

Hello, if I am with a digitalocean, I should create a new droplet or where install pfsense?

Pfsense would make “sense” (haha) for a self-hosted, bare-metal install. If you’re with a cloud provider, you’ll typically use their tooling / services for firewalling / load-balancing…

Thank you for your work on these, it has been very helpful.

I’m attempting to follow this one, but my pfsense does not seem to be receiving the advertisements from metallb.

I can see in the logs that metallb updated the advertisements:
{“caller”:“bgp_controller.go:285”,“event”:“updatedAdvertisements”,“ips”:[“”],“level”:“info”,“msg”:“making advertisements using BGP”,“numAds”:1,“pool”:“metallb-pool”,“protocol”:“bgp”,“ts”:“2024-05-09T20:56:31Z”}
{“caller”:“main.go:344”,“event”:“serviceAnnounced”,“ips”:[“”],“level”:“info”,“msg”:“service has IP, announcing”,“pool”:“metallb-pool”,“protocol”:“bgp”,“ts”:“2024-05-09T20:56:31Z”}

and pfsense shows the neighbor as established:
BGP version 4, remote router ID, local router ID
BGP state = Established, up for 01:48:47

Yet nothing shows up under BGP routes and I get no results when running:
show ip bgp neighbors advertised-routes
show ip bgp neighbors received-routes

I ran a packet trace on pfsense when metallb advertised a route, but I only captured keepalive messages, no route updates.

Any ideas?

Update: it was the tainted master node. Set the speaker tolerance and now it works.

Aah, nice find! I was about to go down a rabbit hole of prefix lists, filters, etc, but glad we didn’t need to go there!