OSPF Default Gateways vs Static Routes AGAIN

Started by TotalGriffLock, October 30, 2020, 02:42:01 PM

Hi,

I found this thread from 2018 which is still valid in the current version https://forum.opnsense.org/index.php?topic=9759.0

I experience exactly these symptoms. I understand that static routes would take precedence over learned dynamic routes from FRR. I have 1 defined gateway, with 1 static route present for a small CIDR. Everything else is OSPF. What I don't understand is that my defined gateway does not have "Upstream Gateway" checked. From the documentation, this means that OPNsense should not consider it a candidate for a default gateway. Yet every time I reboot this gateway is back to being a default gateway, when it should not be. The gateway in question is actually over an IPsec link, so selecting it as the default gateway is a catch-22. Surely if there is no suitable "Upstream Gateway" then OPNsense should not just arbitrarily pick a gateway which does not have this option checked, it should just continue with no default gateway?

Welcome your thoughts

So immediately after posting this I saw these 2 bugs in GitHub (don't know why I didn't see them from searching before):

https://github.com/opnsense/core/issues/3966
https://github.com/opnsense/core/issues/3597

Unfortunately when the VTI interfaces for IPsec are created they are always created as UP so it will always think the gateway is available in this scenario.

Is the right thing to do here to check the box on the gateway to say "Mark gateway as down"? Will OPNsense then still use it once the IPsec tunnel is up?

October 30, 2020, 02:55:30 PM #2 Last Edit: October 30, 2020, 03:20:35 PM by jgriffith-ecs
Another related question - The IPsec gateway in question has 2 static routes assigned to it. They are done this way so that FRR will redistribute them. These routes are entered into the routing table at all times, because the IPsec VTI interface (ipsec5000 in this case) is always marked as 'up' even when the tunnel is down. So the OS thinks this route is always the right way to send traffic even when the IPsec link is not functional. Is there a way to only have these routes added into the OS routing table when the tunnel is activated?

I know that some IPsec configurations will bring the tunnel up when traffic is sent down it and therefore the OS needs to think the interface is up in order to send traffic down it to trigger the tunnel. Is there a way to configure the reverse? Hopefully that doesn't involve hacking scripts that then get replaced every time there is an upgrade.

In all the VTI examples with strongSwan the VTI device is configured with an updown script so it is only marked up in the OS once the tunnel is established. In OPNsense it seems to be the other way round!
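What the strongSwan-style updown behaviour mentioned above looks like in practice, as an added example that is not part of this thread and not one of OPNsense's own scripts: the hook marks the VTI interface up and installs its routes only on the CHILD_SA up-client event, and reverses both on down-client, so the routes exist only while the tunnel is established. The interface name ipsec5000 comes from the post; the prefixes, the DRY_RUN switch and the VTI_IFACE variable are assumptions.

```shell
#!/bin/sh
# Constructed example of a strongSwan updown hook for a FreeBSD VTI (if_ipsec)
# interface. strongSwan's charon exports PLUTO_VERB for each CHILD_SA event;
# interface name and prefixes are assumptions supplied by the caller.
# With DRY_RUN=1 the commands are printed instead of executed, so the logic
# can be exercised without root privileges or a live tunnel.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vti_updown VERB IFACE PREFIX...
# up-client:   mark IFACE up, then install a route for each PREFIX via IFACE
# down-client: remove those routes, then mark IFACE down
# other verbs (up-host, down-host, ...) are ignored on purpose
vti_updown() {
    verb=$1; iface=$2; shift 2
    case "$verb" in
        up-client)
            run ifconfig "$iface" up
            for p in "$@"; do
                run route -q add -net "$p" -interface "$iface"
            done
            ;;
        down-client)
            for p in "$@"; do
                run route -q delete -net "$p" -interface "$iface"
            done
            run ifconfig "$iface" down
            ;;
        *)
            return 0
            ;;
    esac
}

# Entry point when charon invokes the script (PLUTO_VERB is set by strongSwan).
# Prefixes below are constructed sample values for the far side of the tunnel.
if [ -n "${PLUTO_VERB:-}" ]; then
    vti_updown "$PLUTO_VERB" "${VTI_IFACE:-ipsec5000}" 10.99.0.0/24 10.99.1.0/24
fi
```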

Mark as down should solve this.

Also, when IPsec is down, normally the gateway should also be down (when gateway monitoring is active).