Netgate Discussion Forum
    FRR6 filter connected routes to be distributed into OSPF

    Category: FRR. Tags: frr, frr6, ospf, acl, distribute-list
    szpeter:

      My setup is fairly simple: a pfSense firewall is doing OSPF with a bunch of Cisco Catalyst L3 switches. There is a transit network between the firewall and the switches, and only that is part of Area 0 on the pfSense. OSPF is a single-area setup to start with. Connected networks are set up to be advertised into OSPF.

      What happens now: OSPF works fine, and the firewall advertises all of its connected networks.
      My problem is that I want the firewall to announce its OpenVPN client range only. As far as I was able to find out, there is a simple way of doing this, by applying an ACL with the "distribute-list" feature. I tried many versions of this ACL, but none of them works; despite every effort, all connected networks of the firewall are seen on the LAN L3 switch. The config is the following (copied from the web GUI: Services / FRR Status / FRR Configuration / Configuration):

      FRR zebra.conf


      password xxxxx
      log syslog

      #Access Lists
      access-list testacl permit 10.1.2.0/24
      access-list testacl deny any
      access-list testacl remark ACL to match local OpenVPN client subnets

      #Accept Filters
      ip prefix-list ACCEPTFILTER permit any
      route-map ACCEPTFILTER permit 10
      match ip address prefix-list ACCEPTFILTER
      ip protocol ospf route-map ACCEPTFILTER


      FRR ospfd.conf

      password xxxxx
      log syslog
      interface em1.yyyyy
      ip ospf authentication message-digest
      ip ospf message-digest-key 1 md5 xxxx
      ip ospf area 0.0.0.0

      router ospf
      ospf router-id z.z.z.z
      area 0.0.0.0 authentication message-digest
      redistribute connected
      distribute-list testacl out connected
      ospf abr-type cisco


      Did I misunderstand something?

      jimp (Rebel Alliance Developer, Netgate):

        distribute-list is a filter used to control which routes are distributed from the specified source. All you've done there is told it to only distribute 10.1.2.0/24 out of the list of all connected networks. If 10.1.2.0/24 is not a connected network, then it distributes nothing.

        The problem is most likely that there is no entry in the routing table for the OpenVPN client tunnel network subnet. No route in the table means nothing to distribute.

        What you need is likely either one of two things:

        1. Add a static route in the global zebra settings pointing 10.1.2.0/24 to localhost or something similar, and then set OSPF to redistribute static routes.
          -or-
        2. Set up pfSense as an ABR with your non-backbone interfaces on pfSense in another area (e.g. 0.0.0.1), and then set up a route summarization for the new area which includes 10.1.2.0/24 in a range as a summary route. OSPF will happily send a summary route even if it's not in the routing table. If all of your local networks are in a range you can use that instead, like 10.1.0.0/16.

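jimp's first option, written out in FRR configuration syntax as an added example (this is not configuration from the thread and not what pfSense writes). It assumes, as his reply does, that 10.1.2.0/24 has no route in the table yet; the router-id and the blackhole next hop (used here in place of his "localhost or something similar") are assumptions, the prefix is the thread's:

```text
! Added example, not the thread's config. Assumptions: router-id 10.0.0.1,
! blackhole as the anchor next hop; 10.1.2.0/24 is the OpenVPN client range.
!
! zebra.conf: an anchor route for the OpenVPN client range, pointing nowhere
ip route 10.1.2.0/24 blackhole
!
! ospfd.conf: export static routes only, and only the ones the route-map permits
ip prefix-list OVPN-CLIENTS seq 10 permit 10.1.2.0/24
!
route-map EXPORT-STATIC permit 10
 match ip address prefix-list OVPN-CLIENTS
!
route-map EXPORT-STATIC deny 20
!
router ospf
 ospf router-id 10.0.0.1
 redistribute static route-map EXPORT-STATIC
 ! no "redistribute connected": with it, every connected subnet is still exported
```

Two things a practitioner would check before relying on this. FRR only redistributes the route zebra actually selected for a prefix, so if a connected route for 10.1.2.0/24 already exists it wins over the static (distance 0 versus 1) and `redistribute static` exports nothing for that prefix; that is the situation Peter describes in the next post. And the route-map on the `redistribute` line does the filtering on its own, so the separate `distribute-list ... out` is not needed once `redistribute connected` is gone. `vtysh -c "show ip ospf database external"` on the firewall lists the Type-5 LSAs it originates, and `show ip route ospf` on the Catalyst shows what actually arrived.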
        szpeter (replying to jimp):

          Hi and thanks for getting back !

          My issue is that there are too many connected networks advertised by FRR. The OVPN subnet is a directly connected subnet, and it's advertised (as an external route, I think, because on the FW only the transfer net is part of area 0).

          What I would like to achieve, and have failed with so far, is to prevent routes other than the VPN client subnet from being included in the advertisements.

          regards,
          Peter

          szpeter:

            Meanwhile I tried your 2nd suggested workaround, and after a while I got it to work.

            What have i done?

            • turned off redistribution of connected networks (be careful, you might lose access to the device)
            • under "OSPF Areas", I created Area 1 with the ID 0.0.0.1
            • entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix"; this matches the subnet entered in OpenVPN under "Tunnel Settings" -> "IPv4 Tunnel Network"
            • under "OSPF Interfaces" I set the OVPN interface to be in Area 1
            • marked it as "Interface is Passive", because VPN clients do not need to participate in OSPF
            • and I changed the network type from "Not specified (default)" to "Point-multipoint"

            With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from the LAN from the beginning (after auth and a few basic things were set up).

            If I left the interface type at the default or set it to point-to-point, nothing was advertised from Area 1; the other types seemingly did the trick. From the working ones I picked P-MP, which sounds OK for the VPN client subnet.

            If I removed the summary from the Area 1 config, and the interface type was "p-mp" or any of the working interface types from above, only a /32 host route with the OVPN server address was announced, despite a few clients being connected. The interface types which yielded no redistribution still remained silent regardless of the value of the summary network.

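The working setup from the post above, transcribed into FRR ospfd syntax as an added example (not the thread's own config and not what pfSense generates verbatim). The prefixes and area numbers are Peter's; the interface names em1.100 (transit VLAN to the switches) and ovpns1 (OpenVPN server interface), the router-id and the MD5 key are assumptions:

```text
! Added example, not the thread's config. Assumptions: em1.100 = transit VLAN,
! ovpns1 = OpenVPN server interface, router-id 10.0.0.1, key REPLACEME.
!
interface em1.100
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACEME
 ip ospf area 0.0.0.0
!
interface ovpns1
 ip ospf area 0.0.0.1
 ! point-to-multipoint was the network type that made area 1 advertise anything
 ip ospf network point-to-multipoint
!
router ospf
 ospf router-id 10.0.0.1
 area 0.0.0.0 authentication message-digest
 ! no "redistribute connected": that line is what leaked every connected
 ! subnet into area 0 as a Type-5 external route
 !
 ! summarise area 1 so only the OpenVPN tunnel network enters area 0,
 ! as a single Type-3 summary
 area 0.0.0.1 range 10.1.1.0/24
 ! VPN clients must never form an adjacency with the firewall
 passive-interface ovpns1
 ospf abr-type cisco
```

Why the /32 appeared once the range was removed: an area range is only originated while at least one intra-area route of area 1 falls inside it, and on a point-to-multipoint interface OSPF advertises the interface's own address as a /32 intra-area route. That /32 is what kept the range alive, and without the range it was the only thing left to cross into area 0. With the range in place only the 10.1.1.0/24 summary leaves area 1; connected subnets that sit in no OSPF area are not advertised at all, which is the filtering the thread set out to get. `passive-interface` stops hellos on the tunnel interface, so no VPN client can form an adjacency or inject routes. To verify, `vtysh -c "show ip ospf database summary"` on the firewall lists the Type-3 LSAs this ABR originates, and `show ip route ospf` on the Catalyst should show 10.1.1.0/24 as an inter-area route and nothing else from the firewall.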
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.