pfSense Dual Home BGP Networks Setup

A dual-homed BGP configuration is one of the most reliable ways to build internet redundancy, especially for networks that cannot afford downtime. By connecting your network to two separate ISPs or upstream routers using the Border Gateway Protocol (BGP), you ensure traffic can reroute dynamically if one connection fails.

For professionals using pfSense, a powerful open-source firewall and router platform, integrating BGP can transform your network into a highly available and intelligent system. While pfSense BGP routing is not enabled by default, the system supports it fully through the Free Range Routing (FRR) package, giving administrators enterprise-grade dynamic routing capabilities.

In this article, you’ll learn pfSense dual home BGP networks setup, allowing your environment to benefit from multihomed BGP routing, load balancing, and IPv6 support. If you’re a home lab enthusiast, a small business, or part of a larger infrastructure team, this guide will walk you through every important step.

If you’re ready to take the next step in your tech career journey, cybersecurity is the simplest and high-paying field to start from. Apart from earning 6-figures from the comfort of your home, you don’t need to have a degree or IT background. Schedule a one-on-one consultation session with our expert cybersecurity coach, Tolulope Michael TODAY! Join over 1000 students in sharing your success stories.

RELATED ARTICLE: pfSense vs VyOS: A Complete Analysis

Pre-requisites and Network Topology

Before diving into the configuration, it’s essential to understand what’s required and how the network will be structured.

Pre-requisites

To successfully deploy a BGP dual homed configuration on pfSense, you’ll need:

• A pfSense firewall with at least two WAN interfaces (e.g., WAN1 and WAN2)
  
• Two upstream BGP-capable peers (e.g., ISPs or edge routers)
  
• Basic IP connectivity between pfSense and each peer (via Ethernet, IPsec, or MPLS)
  
• The FRR package installed on pfSense
  
• BGP Autonomous System Numbers (ASNs) — one for your local pfSense router and one for each external peer

Optional but recommended:

• Access to both IPv4 and IPv6 space to enable pfSense BGP IPv6 routing
  
• Static routes or DNS configured for pfSense internet access (for updates and NTP)

Network Topology Overview

Here’s a simplified view of the pfsense multihome environment you’ll be setting up:

pgsql

CopyEdit

         +————-+       +————-+

          |   ISP1      |       |    ISP2     |

          | ASN 64501   |       | ASN 64502   |

          +——+——+       +——+——+

                 |                     |

             [WAN1]               [WAN2]

                \                   /

                 \                 /

                 +—————-+

                 |    pfSense     |

                 |  ASN 65000     |

                 +——-+——–+

                         |

                    [LAN Interface]

                         |

                    Internal Network

Each WAN link connects to a different BGP peer. pfSense will advertise its internal network (e.g., 10.1.1.0/24 or 2001:db8::/64) to both peers. In return, it will receive routes that allow traffic to flow through either ISP, depending on policy, availability, or routing metrics.

This dual-path model offers failover, load balancing potential, and diverse routing, forming the core of a resilient pfSense BGP routing design.

READ MORE: IPv6 Stateless vs Stateful: What Is the Difference?

Install and Enable FRR on pfSense

By default, pfSense does not include dynamic routing protocols like BGP. To enable this functionality, you need to install the FRR (Free Range Routing) package, a robust, enterprise-grade routing daemon suite that supports BGP, OSPF, RIP, and more.

Step 1: Install the FRR Package

1. Log in to your pfSense web interface.
   
2. Navigate to: System > Package Manager > Available Packages.
   
3. In the search bar, type FRR.
   
4. Click Install next to the FRR package listing.
   
5. Wait for the installation to complete. You’ll see a green success message once it’s done.
   

Step 2: Enable FRR and Set Global Parameters

After installation, the FRR service is present but inactive. To use BGP, you must enable the FRR daemon globally.

1. Navigate to: Services > FRR Global/Zebra.
   
2. Under the Global Settings tab, check the box labeled Enable FRR.
   
3. Enter a Master Password (choose a strong, random string; this is required for internal service communications).
   
4. Click Save.

Firewall Considerations

Ensure that TCP port 179 is open between pfSense and each BGP peer. If your peers are behind VPNs or firewalls, you must explicitly allow BGP sessions in your pfSense firewall rules (typically under the WAN or OPT interfaces).

At this point, FRR is installed and enabled, and you’re now ready to configure BGP and establish multihomed connectivity.

Configure Route Maps for BGP Filtering

Route maps are a critical part of BGP configuration. Without them, pfSense will not accept or advertise any routes by default, even if the BGP session comes up successfully.

In a pfsense dual homed configuration, where routes flow in and out of two different ISPs or peers, a route map acts as a control valve. Initially, you may want to allow all routes for testing purposes, but in production, you should restrict this to only trusted or required networks.

Create a Basic “Allow-All” Route Map

To get started, we’ll create a permissive route map that lets all routes in and out. Later, you can replace it with more specific rules based on prefix-lists or AS paths.

1. Go to: Services > FRR Global/Zebra > Route Maps tab.
   
2. Click Add.
   
3. Fill out the following:
   
   • Name: ALLOW-ALL
     
   • Description: Allow all routes (optional)
     
   • Action: Permit
     
   • Sequence: 100
     
4. Leave access and prefix lists blank for now.
   
5. Click Save.

This will serve as your temporary open route filter until you create more refined filtering policies.

Why It Matters in Multihome Environments

In pfsense multihome setups, each ISP may advertise different routes, or even the same ones with varying attributes. Route maps allow you to:

• Prefer one ISP over another for outbound traffic
  
• Prevent certain prefixes from being advertised
  
• Set local preference, MED, or AS path filters for smarter routing

Without at least one inbound and outbound route map, your BGP neighbors will connect, but you won’t exchange any usable routes, leading to black holes or routing loops.

With route maps in place, you’re now ready to enable and configure BGP peers.

SEE ALSO: OPNsense vs pfSense: A Comparative Analysis

BGP Configuration – IPv4 (Single Peer First)

With FRR enabled and route maps in place, it’s time to configure BGP on pfSense. In this step, we’ll establish a BGP session with just one upstream peer (e.g., ISP1 or a Cisco router). This helps isolate issues before introducing a second peer for full dual-homing.

Step 1: Enable BGP in FRR

1. Go to Services > FRR BGP.
   
2. Under the General Settings tab, check Enable BGP Routing.
   
3. Fill in the following fields:
   
   • Local AS: Use a private ASN like 65000
     
   • Router ID: Use an IP from your pfSense WAN interface, such as 10.100.0.1

Leave Redistribute connected unchecked unless you want to announce directly connected interfaces.

Step 2: Advertise Your LAN Network

Still on the BGP page:

• Scroll to the Network Distribution section.
  
• Add the IPv4 network(s) you want to advertise. For example:
  
  • 10.1.1.0/24 (your LAN or internal network)

This tells BGP which prefixes pfSense should announce to peers.

Step 3: Add a BGP Neighbor (ISP1)

1. Click the Neighbors tab > Add.
   
2. Enter the peer details:
   
   • Name/Address: IP of the BGP neighbor (e.g., 10.100.0.10)
     
   • Remote AS: ASN of the peer (e.g., 64515)
     
   • Update Source: Select the interface pfSense uses to reach the peer (e.g., WAN1 or OPT1)
     
3. Under Route Map Filters:
   
   • Inbound: ALLOW-ALL
     
   • Outbound: ALLOW-ALL

Click Save to complete the neighbor configuration.

Verify Session Establishment

After a few moments, the BGP session should come up. You can check this under the Status tab in FRR:

• Look for the neighbor IP.
  
• Confirm that State is Established.
  
• You should start seeing received and advertised routes.

This one-peer configuration is your baseline. Once stable, you can add a second peer to complete the BGP dual homed configuration.

MORE: pfSense Plus Vs CE: A Comprehensive Analysis

Add Second BGP Peer (ISP2 / Second Link)

With a stable BGP session already running through your first WAN interface, it’s time to complete your pfSense dual home BGP network by adding a second peer. This additional link ensures traffic can reroute dynamically if the first connection goes down, forming the backbone of a true BGP dual homed configuration.

Step 1: Configure the Second BGP Neighbor

1. Go back to Services > FRR BGP > Neighbors tab.
   
2. Click Add to create a second neighbor.
   
3. Enter the following:
   
   • Name/Address: IP of the second peer (e.g., 198.51.100.2)
     
   • Remote AS: ASN for the second ISP (e.g., 64516)
     
   • Update Source: Select the second WAN interface (e.g., WAN2)
     
   • Description: Optional but useful (e.g., “ISP2 BGP Peer”)

Step 2: Apply Route Maps

Scroll down to the Route Map Filters section and:

• Set Inbound to ALLOW-ALL
  
• Set Outbound to ALLOW-ALL

This ensures both inbound and outbound BGP updates are allowed while testing.

Step 3: Save and Monitor

Click Save and wait a few seconds. You should see the BGP session establish if:

• The second peer is reachable
  
• Firewall rules allow BGP (TCP port 179)
  
• Configuration on the remote router matches your settings

You can verify this in the Status tab. You should now see two active BGP neighbors—each with their own set of received and advertised routes.

At This Stage

You’ve now completed a working pfsense multihome setup with:

• Two live BGP neighbors
  
• Redundant WAN paths
  
• Dynamic routing enabled for IPv4

Load Balancing, Failover, and Best Practices

One of the biggest advantages of a BGP dual homed configuration is the ability to dynamically shift traffic paths based on network health, performance, or policy. With two BGP peers set up in pfSense, you now have the tools to implement smarter routing strategies for resilience and control.

Load Balancing: Understanding What’s Possible

While BGP isn’t a true load-balancer like a link aggregator, it can be influenced to distribute outbound traffic across both peers using:

• AS Path Prepending: Make one path less desirable by artificially extending the AS path.
  
• MED (Multi-Exit Discriminator): Signal preferred paths to your ISPs (if supported).
  
• Local Preference: Set higher preference internally for one path over another.

You can define these values in your route maps, modifying attributes per neighbor based on your goals, whether that’s speed, cost, or priority.

Failover: Ensuring High Availability

BGP naturally supports failover:

• If one ISP or peer goes down, the session drops.
  
• Routes learned from that peer are withdrawn.
  
• pfSense automatically routes traffic via the remaining BGP peer.

This is the true strength of pfSense multihome setups, failover without needing manual intervention or static route reconfiguration.

Tip: Use BFD (Bidirectional Forwarding Detection) if supported, to speed up failure detection beyond what BGP timers can do alone.

Best Practices for Production-Ready Stability

1. Secure Route Exchange

Avoid using ALLOW-ALL in production. Create precise route maps using prefix-lists and AS-path filters to control which prefixes are accepted and advertised.

2. Avoid Default Route Loops

Be cautious when advertising 0.0.0.0/0 to peers, especially upstream telecoms. You could inadvertently create a routing loop or draw in unwanted traffic.

3. Use Logging and Monitoring

Enable FRR logs in pfSense for visibility. You can also use SNMP or syslog to monitor neighbor status externally.

4. Test Routinely

Simulate ISP outages periodically to confirm that failover occurs as expected and that routing policies are honored.

With load balancing and failover best practices in place, your pfSense BGP routing setup is now reliable, scalable, and production-grade for IPv4. Next, we’ll extend this setup to include IPv6 support.

IPv6 BGP Setup on pfSense

As more networks transition to IPv6, it’s important to future-proof your routing setup. Fortunately, pfSense BGP IPv6 support is fully integrated through the FRR package, allowing you to run dual-stack (IPv4 + IPv6) BGP sessions on the same firewall.

Step 1: Prepare Your IPv6 Environment

Before configuring BGP, ensure that:

• Both WAN interfaces on pfSense have IPv6 addresses (manually or via DHCPv6/static assignment).
  
• Your upstream BGP peers (ISP1 and ISP2) also support IPv6 and are reachable over those interfaces.
  
• Your LAN has an IPv6 prefix you plan to advertise (e.g., 2001:db8::/64).

Step 2: Enable IPv6 BGP Neighbors

1. Go to: Services > FRR BGP > Neighbors tab.
   
2. Add a new neighbor (or edit an existing one), and ensure:
   
   • The IP Address is an IPv6 address.
     
   • The Update Source uses the IPv6-enabled WAN interface.
     
   • The Remote AS matches your peer’s ASN.
     
   • Under Address Family, enable IPv6 Unicast.

Repeat this for both ISP1 and ISP2 if you’re configuring full dual-homed IPv6 BGP.

Step 3: Advertise IPv6 Networks

1. Go back to FRR BGP > General Settings.
   
2. Scroll to Network Distribution.
   
3. Add your IPv6 LAN network (e.g., 2001:db8::/64) to advertise it to both BGP peers.

If you also want to redistribute connected IPv6 routes, enable the Redistribute Connected option under the IPv6 address family.

Step 4: Update Route Maps (Optional)

You can reuse your existing ALLOW-ALL route map, or define new route maps specifically for IPv6. For tighter control:

• Use prefix-lists for IPv6 (e.g., match 2001:db8::/64)
  
• Filter unwanted routes or apply different route attributes

Step 5: Confirm BGP IPv6 Sessions

Once configured:

• Go to the Status tab in FRR.
  
• You should see IPv6 neighbors in the BGP summary.
  
• Verify that your advertised IPv6 network is visible to your peers.
  
• Check received routes to ensure IPv6 reachability end-to-end.

With IPv6 BGP in place, your pfSense dual home BGP configuration is now fully dual-stack, giving you redundancy, reachability, and routing intelligence across both protocols.

ALSO READ: Can I Use pfSense As A DNS Server​?

BGP Status Verification and Troubleshooting

Once you’ve configured BGP sessions for both IPv4 and IPv6, the next critical step is verifying everything works as expected. A dual-homed BGP network can silently fail if routes are not being exchanged properly, so ongoing visibility is non-negotiable.

Check BGP Session Status in pfSense

1. Go to Services > FRR BGP > Status tab.
   
2. You’ll see:
   
   • Neighbor IP addresses (both IPv4 and IPv6)
     
   • Session state: Should say Established
     
   • Uptime: How long the session has been stable
     
   • Prefixes received/sent

Each neighbor should show active session data. If not, inspect logs or configuration errors.

View Advertised and Received Routes

Scroll to the bottom of the BGP Status page:

• You’ll see the BGP RIB (Routing Information Base)
  
• BGP-learned routes will be labeled with a B
  
• Confirm:
  
  • Your LAN subnet (e.g., 10.1.1.0/24) is being sent to both peers
    
  • Remote routes (e.g., 1.1.1.0/24, 172.31.0.0/16) are visible in the table

Common Troubleshooting Issues

Problem	Likely Cause
BGP session won’t establish	Firewall blocking TCP 179, wrong ASN, wrong update source
BGP session up but no routes	Missing route maps, no network statements, misconfigured prefix filters
Only one peer shows routes	Second peer unreachable or advertising no networks
Default route loops or hijacks	Incorrect use of default-originate or improper prefix filtering

Useful Diagnostics

• Use Diagnostics > Command Prompt in pfSense to ping or trace to peers
  
• Review system logs (Status > System Logs > FRR) for real-time BGP events
  
• Enable debug logs in FRR if needed for deeper insights

Once all sessions are stable and route tables are complete, you can consider your pfsense configure bgp implementation verified and working. Continue monitoring your environment to proactively detect any changes or disruptions.

Conclusion

Setting up a pfSense dual home BGP network is more than a technical upgrade; it’s a strategic move toward high availability, intelligent routing, and future-proof infrastructure. Whether you’re operating in a production enterprise or managing a high-resilience home lab, BGP offers the flexibility to steer traffic dynamically and recover from failures without human intervention.

While this guide focused on foundational and operational aspects, the possibilities go deeper: route prioritization, prefix filtering, BGP communities, and security hardening are areas you can explore next.

For now, you’ve built a pfSense multihome setup that can adapt to real-world network conditions, something static routing could never achieve. Your network isn’t just online; it’s aware.

FAQ