Netgate Discussion Forum
    FRR OSPF + route map + ACL = no routes being redistributed

    FRR
    0daymaster:

      Hi @jimp.

      My topology:
      ospf.jpg

      My route map: rm.png

      My ACL: acl.png
      Zebra.conf

      ##################### DO NOT EDIT THIS FILE! ######################
      ###################################################################
      # This file was created by an automatic configuration generator.  #
      # The contents of this file will be overwritten without warning!  #
      ###################################################################
      password ****
      log syslog
      
      # Access Lists
      access-list 10 deny 96.78.149.24 0.0.0.7
      access-list 10 deny 108.211.142.80 0.0.0.7
      access-list 10 permit any
      access-list 10 remark 
      
      # Route Maps
      route-map DNR permit 10
        set metric 200
        set metric-type type-1
      
      # Accept Filters
      ip prefix-list ACCEPTFILTER deny 10.64.70.0/30
      ip prefix-list ACCEPTFILTER deny 10.64.70.1/32
      ip prefix-list ACCEPTFILTER deny 10.64.71.0/30
      ip prefix-list ACCEPTFILTER deny 10.64.71.1/32
      ip prefix-list ACCEPTFILTER permit any
      route-map ACCEPTFILTER permit 10
       match ip address prefix-list ACCEPTFILTER
      ip protocol ospf route-map ACCEPTFILTER
      

      ospfd.conf:

      ##################### DO NOT EDIT THIS FILE! ######################
      ###################################################################
      # This file was created by an automatic configuration generator.  #
      # The contents of this file will be overwritten without warning!  #
      ###################################################################
      password ****
      log syslog
      interface ovpns1
        ip ospf network point-to-point
        ip ospf cost 5
        ip ospf authentication message-digest
        ip ospf message-digest-key 1 md5 ****
        ip ospf area 0.0.0.0
      interface ovpns3
        ip ospf network point-to-point
        ip ospf cost 10
        ip ospf authentication message-digest
        ip ospf message-digest-key 1 md5 ****
        ip ospf area 0.0.0.0
      
      router ospf
        ospf router-id 172.16.0.1
        area 0.0.0.0 shortcut default
        area 0.0.0.0 authentication message-digest
        redistribute connected route-map DNR metric 200 metric-type 1
        distribute-list 10 out connected
        ospf abr-type cisco
      
    0daymaster:

        If I disable the route map but leave the ACL, the ACL seems to have no effect. If I leave the route map with the ACL, no routes get advertised.

    0daymaster:

          Crap. I just noticed a typo in my Visio diagram. pfSense 1 is acting as the OpenVPN server over 2 different WAN interfaces: ospf.jpg

    0daymaster:

            Oh, and here is the web config page for FRR OSPF settings: pfSense.home.zerodaymasters.co - Services_ FRR_ OSPF_ OSPF Settings.png

    jimp (Rebel Alliance Developer, Netgate):

              I don't see anything in your route map that is matching anything, only setting the metric. Or is the config above from a time you removed the ACL from the route map?

              Also I don't see the route table info/zebra status/ospf status that would show for sure what is being sent/received from the peers.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

    0daymaster (replying to @jimp):

                @jimp The route map missing the ACL is a leftover from me trying to make things work. Here is the route map with the ACL in place: pfSense.home.zerodaymasters.co - Services_ FRR_ Global Settings_ Edit_ Route Maps.png

                OSPF settings: pfSense.home.zerodaymasters.co - Services_ FRR_ OSPF_ OSPF Settings (1).png

                Zebra.conf

                ##################### DO NOT EDIT THIS FILE! ######################
                ###################################################################
                # This file was created by an automatic configuration generator.  #
                # The contents of this file will be overwritten without warning!  #
                ###################################################################
                password ****
                log syslog
                
                # Access Lists
                access-list 10 deny 96.78.149.24 0.0.0.7
                access-list 10 deny 108.211.142.80 0.0.0.7
                access-list 10 permit any
                access-list 10 remark 
                
                # Route Maps
                route-map DNR permit 10
                  match ip address 10
                  set metric 200
                  set metric-type type-1
                
                # Accept Filters
                ip prefix-list ACCEPTFILTER deny 10.64.70.0/30
                ip prefix-list ACCEPTFILTER deny 10.64.70.1/32
                ip prefix-list ACCEPTFILTER deny 10.64.71.0/30
                ip prefix-list ACCEPTFILTER deny 10.64.71.1/32
                ip prefix-list ACCEPTFILTER permit any
                route-map ACCEPTFILTER permit 10
                 match ip address prefix-list ACCEPTFILTER
                ip protocol ospf route-map ACCEPTFILTER
                

                ospfd.conf

                ##################### DO NOT EDIT THIS FILE! ######################
                ###################################################################
                # This file was created by an automatic configuration generator.  #
                # The contents of this file will be overwritten without warning!  #
                ###################################################################
                password ****
                log syslog
                interface ovpns1
                  ip ospf network point-to-point
                  ip ospf cost 5
                  ip ospf authentication message-digest
                  ip ospf message-digest-key 1 md5 ****
                  ip ospf area 0.0.0.0
                interface ovpns3
                  ip ospf network point-to-point
                  ip ospf cost 10
                  ip ospf authentication message-digest
                  ip ospf message-digest-key 1 md5 ****
                  ip ospf area 0.0.0.0
                
                router ospf
                  ospf router-id 172.16.0.1
                  area 0.0.0.0 shortcut default
                  area 0.0.0.0 authentication message-digest
                  redistribute connected route-map DNR metric 200 metric-type 1
                  distribute-list 10 out connected
                  ospf abr-type cisco
                

                Zebra routes

                Codes: K - kernel route, C - connected, S - static, R - RIP,
                       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
                       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
                       F - PBR,
                       > - selected route, * - FIB route
                
                K>* 0.0.0.0/0 [0/0] via 96.78.149.30, bce0, 00:09:11
                K>* 1.1.1.1/32 [0/0] via 108.211.142.86, bce1, 00:09:11
                K>* 8.8.8.8/32 [0/0] via 96.78.149.30, bce0, 00:09:11
                C>* 10.0.0.0/26 is directly connected, cxl0.10, 00:09:11
                K * 10.0.5.0/24 [0/0] via 10.0.5.2 inactive, 00:09:11
                C>* 10.0.5.0/24 is directly connected, ovpns2, 00:09:11
                K * 10.0.6.0/24 [0/0] via 10.0.6.2 inactive, 00:09:11
                C>* 10.0.6.0/24 is directly connected, ovpns6, 00:09:11
                O>* 10.0.8.0/24 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
                C>* 10.1.0.0/23 is directly connected, cxl0.54, 00:09:11
                C>* 10.1.10.0/24 is directly connected, bce0, 00:09:11
                C>* 10.2.0.0/24 is directly connected, cxl0.20, 00:09:11
                C>* 10.4.0.0/24 is directly connected, cxl0.99, 00:09:11
                C>* 10.4.1.0/30 is directly connected, cxl0.99, 00:09:11
                C>* 10.4.1.4/30 is directly connected, cxl0.99, 00:09:11
                C>* 10.6.0.0/24 is directly connected, bce2, 00:09:11
                C>* 10.6.1.0/30 is directly connected, bce2, 00:09:11
                C>* 10.6.1.4/30 is directly connected, bce2, 00:09:11
                O   10.64.70.1/32 [110/205] via 10.64.70.2, ovpns1 inactive onlink, 00:09:00
                C>* 10.64.70.2/32 is directly connected, ovpns1, 00:09:11
                O   10.64.71.1/32 [110/205] via 10.64.70.2, ovpns1 inactive onlink, 00:09:00
                C>* 10.64.71.2/32 is directly connected, ovpns3, 00:09:11
                C>* 10.64.73.0/30 is directly connected, ipsec3000, 00:09:11
                C>* 10.99.99.1/32 is directly connected, cxl0.50, 00:09:11
                K>* 64.62.134.130/32 [0/0] via 96.78.149.30, bce0, 00:09:11
                O>* 67.180.160.0/22 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
                K>* 68.185.85.2/32 [0/0] via 96.78.149.30, bce0, 00:09:11
                K>* 71.92.250.42/32 [0/0] via 96.78.149.30, bce0, 00:09:11
                K>* 72.52.104.74/32 [0/0] via 108.211.142.86, bce1, 00:09:11
                C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
                C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
                C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
                C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
                C>* 96.78.149.24/29 is directly connected, bce0, 00:09:11
                C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
                C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
                C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
                C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
                C>* 108.211.142.80/29 is directly connected, bce1, 00:09:11
                C>* 172.16.0.0/23 is directly connected, cxl0.50, 00:09:11
                O>* 172.17.0.0/24 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
                O>* 172.17.1.0/24 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
                C>* 172.30.250.0/24 is directly connected, em0, 00:09:11
                C>* 192.168.1.0/24 is directly connected, bce1, 00:09:11
                K>* 192.168.10.0/24 [0/0] via 10.64.73.2, ipsec3000, 00:09:11
                

                OSPF routes:

                ============ OSPF network routing table ============
                
                ============ OSPF router routing table =============
                R    172.17.0.1            [5] area: 0.0.0.0, ASBR
                                           via 10.64.70.2, ovpns1
                
                ============ OSPF external routing table ===========
                N E1 10.0.8.0/24           [205] tag: 0
                                           via 10.64.70.2, ovpns1
                N E1 10.64.70.1/32         [205] tag: 0
                                           via 10.64.70.2, ovpns1
                N E1 10.64.71.1/32         [205] tag: 0
                                           via 10.64.70.2, ovpns1
                N E1 67.180.160.0/22       [205] tag: 0
                                           via 10.64.70.2, ovpns1
                N E1 172.17.0.0/24         [205] tag: 0
                                           via 10.64.70.2, ovpns1
                N E1 172.17.1.0/24         [205] tag: 0
                                           via 10.64.70.2, ovpns1
                
                
    JanPokorny:

                  Hi, I am facing the same issue.

                  ip prefix-list ADMIN_VPN_PL seq 10 permit 192.168.27.0/24 
                  ip prefix-list ADMIN_VPN_PL description 
                  
                  # Route Maps
                  route-map REDIS_CONNECTED_RM permit 10
                    match ip address prefix-list ADMIN_VPN_PL
                  
                  # Accept Filters
                  ip prefix-list ACCEPTFILTER permit any
                  route-map ACCEPTFILTER permit 10
                   match ip address prefix-list ACCEPTFILTER
                  ip protocol ospf route-map ACCEPTFILTER
                  

                  FRR ospfd.conf

                  interface em1
                    ip ospf network broadcast
                    ip ospf area 0.0.0.0
                  interface ovpns1
                    ip ospf network broadcast
                    ip ospf area 0.0.0.0
                  
                  router ospf
                    ospf router-id 192.168.20.4
                    redistribute connected route-map REDIS_CONNECTED_RM metric 200 metric-type 1
                    ospf abr-type cisco
                    passive-interface ovpns1
                  
                  pfSense.localdomain# show route-map 
                  ZEBRA:
                  route-map ACCEPTFILTER, permit, sequence 10
                    Match clauses:
                      ip address prefix-list ACCEPTFILTER
                    Set clauses:
                    Call clause:
                    Action:
                      Exit routemap
                  ZEBRA:
                  route-map REDIS_CONNECTED_RM, permit, sequence 10
                    Match clauses:
                      ip address prefix-list ADMIN_VPN_PL
                    Set clauses:
                    Call clause:
                    Action:
                      Exit routemap
                  pfSense.localdomai
                  
                  pfSense.localdomain# show ip route 
                  Codes: K - kernel route, C - connected, S - static, R - RIP,
                         O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
                         T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
                         F - PBR,
                         > - selected route, * - FIB route
                  
                  ....
                  O>* 192.168.23.0/24 [110/101] via 192.168.20.3, em1, 00:01:49
                  O>* 192.168.24.0/24 [110/101] via 192.168.20.3, em1, 00:01:49
                  O>* 192.168.25.0/24 [110/1602] via 192.168.20.2, em1, 00:01:49
                  K * 192.168.27.0/24 [0/0] via 192.168.27.2 inactive, 00:01:49
                  C>* 192.168.27.0/24 is directly connected, ovpns1, 00:01:49
                  O>* 192.168.27.1/32 [110/10] is directly connected, ovpns1, 00:01:49
                  ....
                  

                  My goal is to advertise the subnet that is being used for OpenVPN. I cannot find any straightforward solution. Now I am trying to redistribute exactly one subnet from the directly connected networks. Without the route-map, all routes are redistributed just fine. With the route-map, nothing is redistributed.

                  Any ideas? Thanks.

    jimp (Rebel Alliance Developer, Netgate):
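What both posters expected from their configuration, as an added illustration that is not code from the thread or from the pfSense FRR package: a small Python model of how FRR evaluates `redistribute connected route-map X`, using 0daymaster's access-list 10 / DNR policy and JanPokorny's ADMIN_VPN_PL / REDIS_CONNECTED_RM policy against a constructed subset of each poster's connected routes. It assumes FRR's standard access-list semantics (wildcard mask applied to the prefix's network address) and exact-match prefix-list semantics (no ge/le); the 192.168.20.0/24 em1 subnet is a constructed value.

```python
# Added illustration, not code from the thread or the pfSense/FRR package.
# Models FRR policy evaluation for "redistribute connected route-map X":
#  - standard access-list: (network address & ~wildcard) == addr, implicit deny
#  - prefix-list without ge/le: exact prefix match, implicit deny
#  - route-map: first sequence whose match clauses all pass decides; none -> deny
import ipaddress


def acl_match(entries, prefix):
    """Evaluate a standard (wildcard-mask) access-list against a prefix string."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in entries:
        if addr == "any":
            return action
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wildcard))
        if (net & ~w) == a:          # wildcard bits are "don't care"
            return action
    return "deny"


def prefix_list_match(entries, prefix):
    """Evaluate a prefix-list (no ge/le, so exact match) against a prefix string."""
    net = ipaddress.ip_network(prefix)
    for action, pfx in entries:
        if pfx == "any" or net == ipaddress.ip_network(pfx):
            return action
    return "deny"


def rmap_eval(sequences, prefix):
    """Return (permitted, set_clauses) from the first sequence whose matches pass."""
    for action, matches, sets in sequences:
        if all(m(prefix) == "permit" for m in matches):
            return action == "permit", sets
    return False, {}                 # implicit deny at the end of the route map


def redistribute(sequences, connected):
    """Connected prefixes that the route map lets through into OSPF."""
    return [c for c in connected if rmap_eval(sequences, c)[0]]


# 0daymaster's policy, transcribed from the zebra.conf posted above.
ACL_10 = [("deny", "96.78.149.24", "0.0.0.7"),
          ("deny", "108.211.142.80", "0.0.0.7"),
          ("permit", "any", None)]
DNR = [("permit", [lambda p: acl_match(ACL_10, p)],
        {"metric": 200, "metric-type": "type-1"})]

# JanPokorny's policy, transcribed from his config.
ADMIN_VPN_PL = [("permit", "192.168.27.0/24")]
REDIS_CONNECTED_RM = [("permit", [lambda p: prefix_list_match(ADMIN_VPN_PL, p)], {})]

# Constructed subsets of the connected routes from each poster's route table
# (192.168.20.0/24 for em1 is assumed, not shown in the thread).
CONNECTED_0DAY = ["96.78.149.24/29", "108.211.142.80/29", "10.0.0.0/26",
                  "172.16.0.0/23", "10.64.70.2/32"]
CONNECTED_JAN = ["192.168.20.0/24", "192.168.27.0/24"]
```

Run with `python3 -c "import frr_policy as f; print(f.redistribute(f.DNR, f.CONNECTED_0DAY))"` after saving it as frr_policy.py: the two WAN /29s are dropped and every other connected route is permitted with metric 200, which is the behaviour the package fix restored.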

                    I found a bug here, and a fix will be coming along shortly.
                    https://redmine.pfsense.org/issues/9640


    jimp (Rebel Alliance Developer, Netgate):

                      If you are on CE or Factory 2.4.4-p3, the new package is up now. CE snapshots will have it whenever the next new build happens. Factory snapshots will get the new version a little later; there are still some changes we need to make to accommodate the 2019Q3 ports branch merge.


    0daymaster (replying to @jimp):

                        Thanks @jimp. The new package is working as expected.

    JanPokorny:

                          I can also confirm that the package update solves the problem. Thanks @jimp.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.