FRR package broken for OSPF Neighbors exchange

[gislaved]

Hi,

I have ran into a problem with is the same as in the following link but does not work as well in OPNsense as the guy of the topic claims.

Then you have the firewall enabled with a allow all any any any and really any rule, OSPF neigbors are stuck on Init and then everything dies. if you disable the firewall like pfctl -d then you get all routes int, traffic starts to flow but when you pfctl -e again... routes die, traffic stops flowing, etc...

I have tested this also on non-vlan interfaces before and that seems to work, could there be an issie related to vlans ?

https://forum.netgate.com/topic/142397/ospf-neighbors-not-coming-up/2

Any ideas or people who have the same related issue ?

[fabian]

do you have some warnings in the console when restarting the service (service frr restart) or in the log?

[rfc4711]

replied on the netgate forum too...

OPNsense 19.1.6-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

I did more work yesterday and got ospf now working. Initially the opnsense fw connected right out from the initial install to my ubuntu frr ospf on the LAN interface. However after a few hours of configuration and setting up rules and interfaces, I noticed OSPF to be down.

by tracing back my steps, on my setup the CARP interface was the issue, apparently you cannot have a virtual carp interface for redundancy and ospf on the same interface. I noticed the "ununumbered" interface on interfaces having CARP enabled:

"This interface is UNNUMBERED, Area 0.0.0.0,No Hellos (Passive interface),No Hellos (Passive interface)"

As soon as I deleted the CARP config, OSPF came up. My solution was to add a new VLAN interface between the firewalls and all servers in need to custom gateways and run OSPF for routing sync there. Since the VLAN is only for routing, rules are very easy there.

last but not least, the OSPF config seems to be very picky, make sure all interfaces are set to broadcast on ethernet connections and not as default. In my setup I got a pfsense firewall, one opnsense firewall and several ubuntu VMs now connected. 

[gislaved]

Thanks for the update!

That makes it all clear that my single interface IP, direct on eth0, worked. This because there was no CARP address there but there is on the VLAN.

As it's kinda late I update this later on with some extra info!

[gislaved]

I'm still having issues with this, even without VRRP, there is VRRP on the network but that should be fine.

OPNsense advertises itself with an old IP, Router-id seems to be OK so there might be some cache involved ?

If anyone has some extra information here it would be great because the documentation is quite unclear and incomplete.

[rfc4711]

the FRR package does not like the IP alias either. I configured one today and OSPF went down right away.
if you want to have a clean neighbor, add one east-west link between the firewalls and let OSPF be on this VLAN exclusively. when you got two firewalls, probably HA needs to be configured and use this link for that too.

my ospf config:

!
interface ix2_vlan20
 ip ospf authentication message-digest
 ip ospf cost 100
 ip ospf message-digest-key 1 md5 supersecret
 ip ospf priority 200
!
router ospf
 ospf router-id 10.169.3.2
 redistribute connected
 passive-interface ix1
 passive-interface ix3_vlan120
 passive-interface ix3_vlan131
 passive-interface openvpn
 network 10.168.20.0/24 area 0.0.0.0        <--- peering interface ix2_vlan20
 network 10.168.120.0/24 area 0.0.0.0
 network 10.168.131.0/24 area 0.0.0.0
 network 10.169.3.2/32 area 0.0.0.0
 network 172.17.17.0/24 area 0.0.0.0
 area 0.0.0.0 range 10.168.20.0/24
 area 0.0.0.0 range 10.168.120.0/24
 area 0.0.0.0 range 10.168.131.0/24
!

just replicate it similar and mirror on the second firewall.