Quagga not connecting to other routers
-
I have two pfsense boxes, connected via openvpn.
A: OpenVpn Server, Lan 192.168.10.0/24 (multi wan)
VPN- running on LAN, with NAT forwarding
- tunnel 172.21.12.0/22
- local network 192.168.10.0/24
- remote network 172.20.2.0/24
Client Specific Override (for B) - iroute 172.20.2.0 255.255.255.0
B: OpenVpn Client, Lan 172.20.2.0/24
From both A and B I can work on the lan of the other.
At both sides:
- fire wall rules on openvpn: allow all
Running Quagga on both ends:
- Router: id set to lan ip of that side
- Area: 192.168.10.0
Interface: only the vpn used on that site for the other site
On both ends:
Number of fully adjacent neighbors in this area: 0
What am I missing?
-
Additional info:
on site A I captured the following fragment:
172.21.12.6 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 192.168.2.32, Area 192.168.10.0, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1
Router-ID 192.168.2.32 is coming from site B
-
Did you set a master password?
-
Yep, the master password is set at both sites to the same value.
-
Could you provide us with some screenshots of all your Quagga configuration tabs?
If you've assigned interfaces to your OpenVPN tunnel, make sure you set the type to 'none' and restart the tunnels. Other than that I'm not sure what could be the problem; I have multiple sites with dynamic routing using Quagga without issues.
-
The Quagga screens from the server side.
Client is almost identical, except:
- router id: has a different router id
- no additional routes (yet)
- different interface (the OpenVPN client is chosen there)
-
2nd tab
-
The only differences I see with my configurations are the following:
- my area is not an IP address (don't know what the limitations are). Try setting the area to 0.0.0.1
- I've filled in the metric @ interface config
- I've a description filled in @ interface config
- my OpenVPN server/clients are assigned as physical interfaces (Interfaces -> Assign). But I've been told by jimp or cmb that this is no longer a requirement when using Quagga, so it shouldn't matter.
I hope one of these solves your problems, although I somewhat doubt they will.
-
Here the current routes (first is the client, second is the server).
Tried the description and other area, no luck so far.
-
There are only a few basic requirements for Quagga to work:
- tunnel endpoints must be able to reach each other
- firewall rules must allow OSPF traffic
It has always worked for me. Probably some small thing we're missing to get your setup working.
-
Thanks for helping me think this through.
Seems I got all the points covered, but there must be a missing link (pun intended).
Quagga status Server
Area ID: 0.0.0.1
Shortcutting mode: Default, S-bit consensus: ok
Number of interfaces in this area: Total: 2, Active: 2
Number of fully adjacent neighbors in this area: 0
Area has no authentication
Number of full virtual adjacencies going through this area: 0
OSPF Router with ID (192.168.10.254)
Router Link States (Area 0.0.0.1)
Link ID ADV Router Age Seq# CkSum Link count
192.168.10.254 192.168.10.254 2 0x80000002 0x3cc9 2
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
K>* 0.0.0.0/0 via 194.xxx.xxx.xxx, re0
C>* 127.0.0.0/8 is directly connected, lo0
K>* 172.20.2.0/24 via 172.21.12.2, ovpns4
K>* 172.21.4.0/22 via 172.21.4.2, ovpns2
C>* 172.21.4.2/32 is directly connected, ovpns2
C>* 172.21.8.2/32 is directly connected, ovpns3
K>* 172.21.12.0/22 via 172.21.12.2, ovpns4
O 172.21.12.2/32 [110/10] is directly connected, ovpns4, 00:00:02
C>* 172.21.12.2/32 is directly connected, ovpns4
C>* 192.168.8.0/23 is directly connected, em1
O 192.168.10.0/24 [110/10] is directly connected, em1, 00:00:02
C>* 192.168.10.0/24 is directly connected, em1
C>* 192.168.11.0/24 is directly connected, em1
C>* 192.168.12.0/22 is directly connected, em2
C>* 192.168.178.0/24 is directly connected, em3
C>* 194.xxx.xxx.xxx/29 is directly connected, re0
C>* 194.xxx.xxx.xxx/32 is directly connected, re0
K>* 194.xxx.xxx.xxx/32 via 192.168.178.1, em3
K>* 194.xxx.xxx.xxx/32 via 194.xxx.xxx.xxx, re0
K>* 194.xxx.xxx.xxx/32 via 194.xxx.xxx.xxx, re0
K>* 208.67.220.220/32 via 192.168.178.1, em3
K>* 208.67.222.222/32 via xxx.xxx.xxx, re0
(em3 and re0 are both WAN)
em1 is up (= LAN 1)
ifindex 2, MTU 1500 bytes, BW 0 Kbit <up,broadcast,running,promisc,simplex,multicast>
Internet Address 192.168.10.254/24, Broadcast 192.168.10.255, Area 0.0.0.1
MTU mismatch detection:enabled
Router ID 192.168.10.254, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State Waiting, Priority 1
No designated router on this network
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 7.921s
Neighbor Count is 0, Adjacent neighbor count is 0
ovpns4 is up (=openvpn server)
ifindex 14, MTU 1500 bytes, BW 0 Kbit <up,pointopoint,running,multicast>
Internet Address 172.21.12.1/32, Peer 172.21.12.2, Area 0.0.0.1
MTU mismatch detection:enabled
Router ID 192.168.10.254, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No designated router on this network
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 7.921s
Neighbor Count is 0, Adjacent neighbor count is 0
Quagga on client
ovpns4 is up
ifindex 14, MTU 1500 bytes, BW 0 Kbit <up,pointopoint,running,multicast>
Internet Address 172.21.12.1/32, Peer 172.21.12.2, Area 0.0.0.1
MTU mismatch detection:enabled
Router ID 192.168.10.254, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No designated router on this network
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 7.921s
Neighbor Count is 0, Adjacent neighbor count is 0
OSPF Router with ID (172.20.2.254)
Router Link States (Area 0.0.0.1)
Link ID ADV Router Age Seq# CkSum Link count
172.20.2.254 172.20.2.254 421 0x80000004 0xe62c 2
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
K>* 0.0.0.0/0 via 192.168.2.254, em0
K>* 8.8.8.8/32 via 192.168.2.254, em0
C>* 127.0.0.0/8 is directly connected, lo0
O 172.20.2.0/24 [110/10] is directly connected, em1, 00:07:41
C>* 172.20.2.0/24 is directly connected, em1
K>* 172.21.12.1/32 via 172.21.12.5, ovpnc4
O 172.21.12.5/32 [110/10] is directly connected, ovpnc4, 00:07:41
C>* 172.21.12.5/32 is directly connected, ovpnc4
C>* 192.168.2.0/24 is directly connected, em0
K>* 192.168.10.0/24 via 172.21.12.5, ovpnc4
K>* 208.67.222.222/32 via 192.168.2.254, em0
em0 = WAN
em1 is up
ifindex 2, MTU 1500 bytes, BW 0 Kbit <up,broadcast,running,simplex,multicast>
Internet Address 172.20.2.254/24, Broadcast 172.20.2.255, Area 0.0.0.1
MTU mismatch detection:enabled
Router ID 172.20.2.254, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 172.20.2.254, Interface Address 172.20.2.254
No backup designated router on this network
Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 9.275s
Neighbor Count is 0, Adjacent neighbor count is 0
ovpnc4 is up
ifindex 8, MTU 1500 bytes, BW 0 Kbit <up,pointopoint,running,multicast>
Internet Address 172.21.12.6/32, Peer 172.21.12.5, Area 0.0.0.1
MTU mismatch detection:enabled
Router ID 172.20.2.254, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No designated router on this network
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 2s, Wait 2s, Retransmit 5
Hello due in 9.275s
Neighbor Count is 0, Adjacent neighbor count is 0
Firewall
On OpenVPN tab:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
- - - - - - none allow all
assigning vpn server / client to interfaces did not work.
on server side I can see in pftop:
ospf I 172.21.12.6:0 224.0.0.5:0
ospf O 172.21.12.1:0 224.0.0.5:0
On the client side I can see in pftop:
ospf O 172.21.12.6:0 224.0.0.5:0
ospf I 172.21.12.1:0 224.0.0.5:0
Doing a trace on 172.21.12.6 on both sides gets me on both sides:
172.21.12.6 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 172.20.2.254, Area 0.0.0.1, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1
And a trace on 172.2.12.1 gets me on both sides:
172.21.12.1 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 192.168.10.254, Area 0.0.0.1, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1
So data is coming through on both ends, but somehow Quagga doesn't respond.
-
I've been wondering...
How have you been adding routes for your OpenVPN connection?
Also I just noticed:
172.21.12.6 > 224.0.0.5: OSPFv2, Hello, length 44
192.168.222.1 > 224.0.0.5: OSPFv2, Hello, length 48
Router-ID 10.10.10.1, Area 0.0.0.1, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.255, Priority 1
Neighbor List:
10.0.0.1
-
My vpn server settings:
- peer-to-peer ssl/tls
- udp
- tun
- interface LAN (portforwarded from two WAN)
- Tunnel: 172.21.12.0/22
- Local network: 192.168.10.0/24 *
- Remote network: 172.20.2.0/24 *
- nothing with advanced
Client specific override:
- iroute 172.20.2.0 255.255.255.0; *
Open vpn client:
- tunnel network: left empty
- remote network: left empty
- nothing with advanced
- Needed to work on both lans (prior to quagga)
No additional routes entered anywhere else
-
Could you do me a favor and fill in the tunnel network on the client side?
Restart OpenVPN & Quagga afterwards to be sure.
-
I've set up an additional test box to have two boxes that can be easily reset without disrupting the normal users.
I've now got it working on these test machines by adding tunnel and remote on the vpn client configuration.