I previously blogged that you can install and enable FRR on a UniFi UDM (or UDM SE) running UniFi OS 3.0.x, which gives you the ability to run BGP; in my case I was using it to talk to my NSX-T Tier-0 Edge. I started getting some weird issues after the first 3.1.x release was installed (3.1.8, I think), and after a few posts on the UniFi forums a member of staff confirmed the reason: I had manually installed FRR, and UniFi now also bundles FRR to support their Magic VPN functionality. It would have been great if this had been called out in the release notes; I might not have been so quick to upgrade!
While it does break some things, with the knowledge that FRR is now bundled into the OS, it makes it a little easier to configure BGP because there’s no requirement to install it.
Disclaimer: modifying your UniFi OS is unsupported and may break/brick your device. If you do go ahead, make sure you have a recent (and locally saved) backup and be prepared that you may have to factory reset and restore. This is very early stages and I have not had a chance to test this much.
If we head into the FRR directory (/etc/frr), we see there are 4 files present (daemons, frr.conf, support_bundle_commands.conf, and vtysh.conf). I made backups of all of the files to allow quick rollback. The FRR service is not enabled if you don’t have multi-site VPN set up via the UniFi dashboard; if you do have this enabled, the following steps may not work.
Step 1 – Take a UniFi backup, and back up the original FRR files
Head to your UniFi console web UI and take a backup. I always prefer storing them locally, so ensure you do that too.
Then back up all files in /etc/frr either by appending .original or similar to the file names, or tar them up. Whatever works for you, as long as they are backed up for quick recovery.
Step 2 – enable BGP daemon in daemons
You need to edit /etc/frr/daemons, find the bgpd line and enable it. Use sed to keep things simple (or use vi and do it by hand, whatever works for you):
sed -i 's/bgpd=no/bgpd=yes/g' /etc/frr/daemons
Step 3 – modify frr.conf
I didn’t want to stray too far from the default UniFi configuration, in the hope that any modifications I do make survive upgrades. Let us hope that they finally introduce BGP into the GUI – that would be cool. Here is my very basic frr.conf with BGP specific config below the default content in the file:
root@UDM-SE:/etc/frr# cat frr.conf
# default to using syslog. /etc/rsyslog.d/45-frr.conf places the log in
# /var/log/frr/frr.log
#
# Note:
# FRR's configuration shell, vtysh, dynamically edits the live, in-memory
# configuration while FRR is running. When instructed, vtysh will persist the
# live configuration to this file, overwriting its contents. If you want to
# avoid this, you can edit this file manually before starting FRR, or instruct
# vtysh to write configuration to a different file.
#log syslog informational
hostname UDM-SE
frr defaults datacenter
log file stdout
service integrated-vtysh-config
!
!
router bgp 65001
 bgp router-id 172.16.72.254
 neighbor 172.16.72.1 remote-as 65000
 neighbor 172.16.72.1 default-originate
 !
 address-family ipv4 unicast
  redistribute connected
  redistribute kernel
  neighbor V4 soft-reconfiguration inbound
  neighbor V4 route-map ALLOW-ALL in
  neighbor V4 route-map ALLOW-ALL out
 exit-address-family
!
route-map ALLOW-ALL permit 10
!
line vty
!
Modify the above to suit your environment/lab.
Step 4 – enable frr service
With the configuration complete, enable the frr service:
systemctl enable frr.service && service frr start
If all is well, you should see your config:
vtysh -c 'show ip bgp'
Here’s mine and you can see some BGP routes appearing including the single segment I currently have:
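Steps 1 and 2 as a re-runnable script with a rollback; this is an added example, not the author's own commands. The function names and the FRR_DIR variable are assumptions made for the example; /etc/frr and the .original suffix come from the steps above.

```shell
#!/bin/sh
# Added example (not from the original post). FRR_DIR and the function names
# are assumptions; point FRR_DIR at a scratch copy to rehearse the change.
FRR_DIR="${FRR_DIR:-/etc/frr}"

# Step 1: copy each file to <name>.original. An existing backup is never
# overwritten, so a second run cannot replace the pristine copy with an
# already-edited file.
backup_frr() {
    for f in "$FRR_DIR"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.original) continue ;; esac
        [ -e "$f.original" ] || cp -p "$f" "$f.original" || return 1
    done
}

# Step 2: change only a line that reads exactly "bgpd=no" (comments and other
# daemons are left alone). Refuses to run without a backup and returns
# non-zero unless "bgpd=yes" is present afterwards.
enable_bgpd() {
    d="$FRR_DIR/daemons"
    [ -f "$d.original" ] || { echo "back up $d first" >&2; return 1; }
    # Write through a temp file and cat it back so owner and mode are kept.
    sed 's/^bgpd=no$/bgpd=yes/' "$d" > "$d.new" && cat "$d.new" > "$d"
    rm -f "$d.new"
    grep -q '^bgpd=yes$' "$d"
}

# Rollback: copy every .original back over its live file.
restore_frr() {
    for b in "$FRR_DIR"/*.original; do
        [ -f "$b" ] || continue
        cp -p "$b" "${b%.original}" || return 1
    done
}
```

Source the file on the UDM, then run backup_frr && enable_bgpd before editing frr.conf; restore_frr puts the original files back.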

It remains to be seen how this persists during upgrades, or whether UniFi finally decides to bring this into the UI, which would be really cool.
Let me know how this works for you and if you have any issues or questions. Thanks for reading.