Prevent OSPF from injecting a default route to a single neighbor

My_Network · January 08, 2025, 03:10:04 PM

Hi,

Is there a way in the GUI of the FRR plugin or in cli to prevent OSPF from injecting a default route to a specific OSPF neighbor?

Thank you,

Nicolas

Seimus · January 08, 2025, 05:07:42 PM

Uncheck the box?

https://docs.opnsense.org/manual/how-tos/dynamicrouting_ospf.html

Regards,
S.

Seimus · January 08, 2025, 05:09:17 PM

Or create a prefix list where you deny the default route and apply it to the specific neighbor.

Regards,
S.

My_Network · January 08, 2025, 05:40:06 PM

Hi Seimus,

In cli of the FRR plugin, that option is not present it seems.

I made a prefix list:

OSPF: ip prefix-list DEFAULT_ROUTE: 1 entries
seq 1 deny 0.0.0.0/0

but when I try to apply this list to the neighbor :

opnsense.srvnic.com(config-router)# neighbor 9.9.9.9
<cr>
poll-interval Dead Neighbor Polling interval
priority Neighbor Priority
opnsense.srvnic.com(config-router)# neighbor 9.9.9.9

There no option to apply the list on the neighbor.

Im i missing something?

Thank you,

Nicolas

Seimus · January 08, 2025, 08:10:55 PM

Its applied depending on the design of OSPF. Either under area or interface. But tell me 1st two things

1. Are you having P2P OSPF or DR/BDR design
2. Why you are doing it on OPNsense via CLI and not via GUI?

Regards,
S.

My_Network · January 08, 2025, 09:30:04 PM

Hi Seimus,

The neighbor in question is fonctionning with a network type Point to Point in area 1.1.1.1. In the GUI, I dont see a way to exclude the default route to a specific neighbor. Thats why i tried in CLI.

Thank you,

Nick

Seimus · January 08, 2025, 10:04:12 PM

I see,

Well do it via GUI. You can apply prefix-list via the networks TAB, you choose the Network you want and there is the option to set it. Inbound for receving prefixes, Outbound for advertisement.

Btw this will not work

Code Select

OSPF: ip prefix-list DEFAULT_ROUTE: 1 entries
   seq 1 deny 0.0.0.0/0

prefix-list have an explicit deny which means it will block everything you need a second entry in that prefix-list to allow everything else

Code Select

ip prefix-list DEFAULT_ROUTE
 seq 1 deny 0.0.0.0/0
 seq 2 permit 0.0.0.0/0 le 32

Regards,
S.

My_Network · January 08, 2025, 10:46:44 PM

Hi Seimus,

Thanks for your latest awnser. Did what you recommended, but im getting an error in the nerwork tab.

2025-01-08T16:37:12-05:00 Error ospfd [SHWNK-NWT5S][EC 100663304] Command returned Warning Config Failed on config line 32: network 10.0.0.0/8 area 1.1.1.1

!
router ospf
ospf router-id 1.1.1.1
log-adjacency-changes
area 1.1.1.1 filter-list prefix test in
area 1.1.1.1 filter-list prefix test out
default-information originate metric 1
exit
!

!
ip prefix-list test seq 10 deny 0.0.0.0/0
ip prefix-list test seq 20 permit 0.0.0.0/0 le 32
!
end

!
interface ipsec1
ip ospf area 1.1.1.1
ip ospf network point-to-point
exit
!

It is still sending the default route to the neighbor in area 1.1.1.1.

What i'm I missign here?

Thank you,

Nick

Seimus · January 09, 2025, 10:25:51 AM

The error

Quote2025-01-08T16:37:12-05:00 Error ospfd [SHWNK-NWT5S][EC 100663304] Command returned Warning Config Failed on config line 32: network 10.0.0.0/8 area 1.1.1.1

Is most likely related to the filled in network field, try to let it blank dont fill it. And see if it makes any difference. I think the 1st two fields including network in this section is not anymore used and its obsolete.

Otherwise the commands that were configured into frr looks good per the official docs

Code Select

 
 area 1.1.1.1 filter-list prefix test in
 area 1.1.1.1 filter-list prefix test out

Just keep in mind that this is used for filtering Type-3 summary-LSAs to/from area using prefix lists so its usable in ABR only.

If this is not Type-3 LSA then you have only 1 valid option.

Filtering prefixes between AREAs:
1. prefix-list
used for filtering Type-3 summary-LSAs to/from area using prefix lists so its usable in ABR only

2. Route-map
But this is used in conjunction with redistribution which you are not running. This gives sense only in ASBR

3. distribute-list out

Quotedistribute-list NAME out <kernel|connected|static|rip|isis|bgp|eigrp|nhrp|table|vnc|babel|openfabric>
Apply the access-list filter, NAME, to redistributed routes of the given type before allowing the routes to be redistributed into OSPF

But this is used in conjunction with redistribution which you are not running. This gives sense only in ASBR

Advertisement of default route:
1. General > Untick Advertise Default Gateway (this will disable default-information originate metric 1)
Basically because you have this one enabled you see the default route to be advertised

Controlling prefixes installed in a uRIB - locally significant
1. If your Neighbor device is CISCO, use distribute-list in on the CISCO router to exclude a route being installed into the uRIB.

As this is OSPF you can not prevent an advertisement of a prefix/route to a specific neighbor. Because we advertise and control prefixes in a AREA not in a neighborship.
Only the Option 3 is locally significant per the Router implemented. With Option 3 you can control what routes should be installed from OSPF database into uRIB, which means the routes still will be advertised with OSPF LSA but just not installed on the specific router having the specific distribute-list implementation.

Regards,
S.

Prevent OSPF from injecting a default route to a single neighbor

My_Network

January 08, 2025, 03:10:04 PM

Seimus

January 08, 2025, 05:07:42 PM #1

Seimus

January 08, 2025, 05:09:17 PM #2

My_Network

January 08, 2025, 05:40:06 PM #3

Seimus

January 08, 2025, 08:10:55 PM #4

My_Network

January 08, 2025, 09:30:04 PM #5

Seimus

January 08, 2025, 10:04:12 PM #6

My_Network

January 08, 2025, 10:46:44 PM #7

Seimus

January 09, 2025, 10:25:51 AM #8 Last Edit: January 09, 2025, 10:48:45 AM by Seimus