
Filtering routes with FRR and OSPF


I have two OSPF peers, both running OPNsense 21.1.7 and FRR. There is a Wireguard tunnel between them running over the WAN interfaces and OSPF enabled on the Wireguard interface such that both firewalls are sharing connected and static routes over the tunnel. The problem is that with OSPF running, after some short interval Wireguard starts sending its UDP packets via the tunnel rather than the WAN. After sending a few packets over the tunnel using the WAN destination address, Wireguard on the peer starts using the tunnel endpoint address as its peer address, such that it's trying to form a tunnel within the tunnel.

I can circumvent this undesired behaviour by adding a static route for the remote endpoint via the WAN gateway, but I'd prefer to keep the routing table as small as possible, and there are other routes I'd prefer not to share via OSPF, such as the PFSYNC network and the network of the Wireguard tunnel, which end up being redundant in the routing table and would be better not distributed via OSPF.

I have read the filtering section in the FRR documentation, but it's too sparse and appears to be written for somebody that is already familiar with the software. I tried adding prefix lists for these networks on both routers in Routing : OSPF : Prefix Lists with action Deny, but this didn't prevent these routes from being distributed or used.

It appears I can't filter a received route with OSPF. ref: https://forum.opnsense.org/index.php?topic=22852.0. Is there a good way to prevent FRR from either distributing these routes or from using received routes? Am I just doing it wrong?
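Added example for this thread, not the poster's configuration or anything from OPNsense itself: in FRR a prefix list on its own filters nothing; it only takes effect once a route map (or a distribute-list) references it and that route map is attached to the redistribution that produces the routes. The snippet below, in FRR vtysh configuration syntax, denies the WAN subnet and the PFSYNC subnet from being redistributed into OSPF and permits everything else. All addresses (203.0.113.0/24 as the WAN network, 10.250.0.0/30 as PFSYNC, 10.250.1.0/30 as the Wireguard transit network, router-id 10.250.1.1) are constructed placeholders; the list and route-map names are arbitrary.

```frr
! Added example (not the poster's config). Addresses are constructed placeholders.
!
! 1. Prefix list: deny what must stay local, permit everything else.
!    The trailing permit is required: a prefix list ends with an implicit deny,
!    so without it every redistributed route would be dropped.
ip prefix-list NO-OSPF seq 10 deny 203.0.113.0/24
ip prefix-list NO-OSPF seq 20 deny 10.250.0.0/30
ip prefix-list NO-OSPF seq 100 permit 0.0.0.0/0 le 32
!
! 2. Route map that references the prefix list. This is the link that a bare
!    prefix list is missing.
route-map OSPF-REDIST permit 10
 match ip address prefix-list NO-OSPF
exit
!
! 3. Attach the route map to each redistribution source so the denied
!    prefixes are never originated as external (type-5) LSAs.
router ospf
 ospf router-id 10.250.1.1
 redistribute connected route-map OSPF-REDIST
 redistribute static route-map OSPF-REDIST
 network 10.250.1.0/30 area 0.0.0.0
exit
```

Applied on both routers, this keeps the peer's WAN subnet out of the OSPF database, so nothing on the far side can prefer the tunnel for the endpoint address and the static override becomes unnecessary. Two caveats: the route map only governs redistributed routes, so the Wireguard transit /30 itself, which OSPF learns as an intra-area route from the `network` statement, is not filtered this way (each side already holds it as a connected route with a lower distance, so the OSPF copy is not installed in the kernel); and in the OPNsense GUI the equivalent is to reference the prefix list from a route map under Routing : OSPF : Route Maps and select that route map for redistribution, which is an assumption about the plugin layout worth checking against your version. To confirm the effect, `vtysh -c "show ip ospf database external"` on the advertising router should no longer list the denied prefixes, and `show ip route ospf` on the peer should no longer show them as O routes.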

Screenshots of OSPF config please.

Configs sanitised and attached.

Green is md5 hash
Black is WAN IP or network of tdc01b
Red is WAN IP or network of ldc01b

Notice that the far side WAN network appears as a K route (static, added by me) and as an O route (added by OSPF on the Wireguard interface). I'd like to prevent it from being added as an O route so I could also not have to override it with the static route.

Routes attached.

Can you try to configure the area in the Networks tab and not the Interface tab? I also don't see where the prefix list is linked to.
