OPNsense Forum

English Forums => High availability => Topic started by: clarknova on June 22, 2021, 08:34:33 pm

Title: Filtering routes with FRR and OSPF
Post by: clarknova on June 22, 2021, 08:34:33 pm
I have two OSPF peers, both running OPNsense 21.1.7 and FRR. There is a Wireguard tunnel between them running over the WAN interfaces and OSPF enabled on the Wireguard interface such that both firewalls are sharing connected and static routes over the tunnel. The problem is that with OSPF running, after some short interval Wireguard starts sending its UDP packets via the tunnel rather than the WAN. After sending a few packets over the tunnel using the WAN destination address, Wireguard on the peer starts using the tunnel endpoint address as its peer address, such that it's trying to form a tunnel within the tunnel.

I can circumvent this undesired behaviour by adding a static route for the remote endpoint via the WAN gateway, but I'd prefer to keep the routing table as small as possible, and there are other routes I'd prefer not to share via OSPF, such as the PFSYNC network and the network of the Wireguard tunnel, which end up being redundant in the routing table and would be better not distributed via OSPF.

I have read the filtering section in the FRR documentation, but it's too sparse and appears to be written for somebody that is already familiar with the software. I tried adding prefix lists for these networks on both routers in Routing : OSPF : Prefix Lists with action Deny, but this didn't prevent these routes from being distributed or used.

It appears I can't filter a received route with OSPF. ref: https://forum.opnsense.org/index.php?topic=22852.0. Is there a good way to prevent FRR from either distributing these routes or from using received routes? Am I just doing it wrong?
Title: Re: Filtering routes with FRR and OSPF
Post by: mimugmail on June 22, 2021, 09:49:19 pm
Screenshots of Ospf config please.
Title: Re: Filtering routes with FRR and OSPF
Post by: clarknova on June 22, 2021, 11:52:15 pm
Configs sanitised and attached.

Green is md5 hash
Black is WAN IP or network of tdc01b
Red is WAN IP or network of ldc01b

Notice that the far side WAN network appears as a K route (static, added by me) and as an O route (added by OSPF on the Wireguard interface). I'd like to prevent it from being added as an O route so I could also not have to override it with the static route.
Title: Re: Filtering routes with FRR and OSPF
Post by: clarknova on June 22, 2021, 11:52:44 pm
Routes attached.
Title: Re: Filtering routes with FRR and OSPF
Post by: mimugmail on June 23, 2021, 05:34:17 am
Can you try to configure the area in the Networks tab and not the Interface tab? I also don't see where the prefix list is linked to.
Title: Re: Filtering routes with FRR and OSPF
Post by: clarknova on June 23, 2021, 04:29:31 pm
I don't understand your recommendation. I have added nothing in the Networks tab. If I try to add an entry in the Networks tab there are references to the prefix lists I created, but I don't know the purpose of this dialogue.
Title: Re: Filtering routes with FRR and OSPF
Post by: mimugmail on June 23, 2021, 05:30:12 pm
Leave the Interface tab empty besides type and PW. Area and Network go in the Networks tab, and also the prefix list. Direction "in" is filtering received routes, "out" is adjusting sent routes.
Title: Re: Filtering routes with FRR and OSPF
Post by: clarknova on August 13, 2021, 06:07:48 pm
Ok, I set up a pair of test boxes and tried to follow your advice. This is what I have for a config on test box A:

Code:
Current configuration:
!
frr version 7.4
frr defaults datacenter
hostname ldc01a.localdomain
log syslog
!
router ospf
 redistribute connected
 network 192.168.1.0/24 area 0.0.0.0
 area 0.0.0.0 filter-list prefix wan out
!
ip prefix-list wan seq 10 deny 207.228.103.128/26
!
line vty
!
end

Here's the routing table on test box B:
Code:
N 192.168.1.0/24 100 0.0.0.0 Directly Attached em1
R 207.228.103.a 100 0.0.0.0 192.168.1.252 em1
N E2 10.2.0.0/24 100 192.168.1.252 em1
N E2 207.228.103.128/26 100 192.168.1.252 em1

The problems:
I tried removing "redistribute connected" from the config but then no routes are shared from A to B. I also tried adding the 10.2.0.0/24 interface as a passive interface but this did not have the desired effect of sharing that route to B in the absence of "redistribute connected".
Title: Re: Filtering routes with FRR and OSPF
Post by: bimbar on September 12, 2021, 07:03:22 pm
I didn't have much luck with OSPF over my openvpn tunnel, but I can share a BGP config that works, if that helps:

Code:
router bgp 65530
 bgp router-id 172.28.24.1
 no bgp ebgp-requires-policy
 neighbor 172.28.29.1 remote-as 65530
 !
 address-family ipv4 unicast
  redistribute connected
  redistribute static
  neighbor 172.28.29.1 next-hop-self
  neighbor 172.28.29.1 prefix-list marvin-in in
  neighbor 172.28.29.1 prefix-list marvin-out out
 exit-address-family
!
ip prefix-list marvin-in seq 10 permit 172.28.31.0/24 le 32
ip prefix-list marvin-out seq 10 permit 172.28.30.0/24
Title: Re: Filtering routes with FRR and OSPF
Post by: bill.gertz on July 19, 2023, 02:33:04 pm
I went through the same issue; you need to configure a route redistribution filter into OSPF from the local route table. OSPF does not allow Link State Advertisements (LSAs) to be filtered - it's not built into the protocol. That's why trying a prefix filter on an OSPF interface does not work. Rather, you configure route redistribution by specifying a Redistribution Map under Routing: OSPF. With this filter you can control which routes OSPF will receive and then pass on as LSAs.

So the details: this requires a Route Map that points to a Prefix List. WARNING: The interface is confusing at best, and simple errors like:
result in silent or obtuse errors. If you need to stop a route from being redistributed into OSPF, but accept others, you must set up multiple Prefix List entries using the same name with different Sequence Numbers

I can confirm that this solution prevented routes from 10.69.x.x from being propagated into my connected routers.

The generated config looks like this:

Code:
router ospf
 ospf router-id x.x.x.x
 redistribute connected route-map No-Management-Routes
 redistribute static route-map No-Management-Routes
 passive-interface xn2
 passive-interface xn3
 passive-interface xn4
 network x.x.0.0/24 area x.0.0.0
!
ip prefix-list Accept-Connected seq 10 deny 10.69.0.0/16 le 32
ip prefix-list Accept-Connected seq 11 permit 10.0.0.0/8 le 32
!
route-map No-Management-Routes permit 10
 match ip address prefix-list Accept-Connected
!

Hope this helps!
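Added example (not FRR or OPNsense code) that works through the prefix-list matching described in the post above and the deny-only "wan" list in the ldc01a test config earlier in the thread: it evaluates entries in sequence order with FRR's implicit trailing deny, which is why the Accept-Connected list passes 10.2.0.0/24 but a list containing only a deny entry passes nothing. The config and routes below are constructed for the demo.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Example code for this thread, not FRR's own: evaluates "ip prefix-list" entries the
# way FRR does. Entries are tried in ascending seq order, the first match decides, and
# a list whose entries match nothing ends in an implicit deny.
# Note: "area X filter-list prefix NAME out" only filters inter-area summary LSAs at an
# ABR; redistributed (E2) routes are filtered via "redistribute ... route-map" instead.
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

Entry = Tuple[int, str, ipaddress.IPv4Network, int, int]

def parse_prefix_lists(config: str) -> Dict[str, List[Entry]]:
    """Collect prefix-list entries by name, sorted by sequence number."""
    lists: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not a prefix-list line (router ospf, route-map, ...)
        net = ipaddress.ip_network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else net.prefixlen
        # "le" alone caps the length, "ge" alone extends to host routes, neither = exact match
        le = int(m["le"]) if m["le"] else (net.max_prefixlen if m["ge"] else net.prefixlen)
        lists.setdefault(m["name"], []).append((int(m["seq"]), m["action"], net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists

def evaluate(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for seq, action, net, ge, le in entries:
        if r.version == net.version and r.subnet_of(net) and ge <= r.prefixlen <= le:
            return action, seq
    return "deny", None

def redistributed(config: str, list_name: str, routes: List[str]) -> List[str]:
    """Routes that a 'route-map ... permit' clause matching list_name would let into OSPF."""
    entries = parse_prefix_lists(config).get(list_name, [])
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]

# Constructed sample: the Accept-Connected list from the post above plus a deny-only
# list shaped like the "wan" list in the ldc01a test config.
SAMPLE_CONFIG = """
ip prefix-list Accept-Connected seq 10 deny 10.69.0.0/16 le 32
ip prefix-list Accept-Connected seq 11 permit 10.0.0.0/8 le 32
ip prefix-list wan seq 10 deny 207.228.103.128/26
"""
SAMPLE_ROUTES = ["10.69.1.0/24", "10.2.0.0/24", "207.228.103.128/26", "192.168.1.0/24"]

if __name__ == "__main__":
    for name in ("Accept-Connected", "wan"):
        print(name, "->", redistributed(SAMPLE_CONFIG, name, SAMPLE_ROUTES))
```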
Title: Re: Filtering routes with FRR and OSPF
Post by: Patrick M. Hausen on July 19, 2023, 02:44:36 pm
I never worked with FRR but already love it - this looks so much like Cisco IOS I feel right at home.
Title: Re: Filtering routes with FRR and OSPF
Post by: mimugmail on February 07, 2024, 10:24:47 pm
Currently have a similar customer setup, works great with couple of denies and an accept.