Netgate Discussion Forum

pfSense not honoring OSPF routes from FRR

6 Posts 2 Posters 2.1k Views
  • DigitalTony (Jan 1, 2020, 5:53 PM)

    Hi:
    pfSense knows about OSPF routes from FRR, but it won't return WAN traffic there.
    Steps:
      • I installed FRR.
      • Configured the LAN interface for area 0.0.0.0.
      • pfSense has established a neighbor relationship with the router on the LAN interface.
      • I can see OSPF routes from this OSPF neighbor in the zebra routing table and also when typing netstat -rn.
      • pfSense can ping hosts on those advertised subnets.
      • But hosts on those subnets cannot receive WAN return traffic.
      • But when I put static routes to those subnets in pfSense, those hosts can now get WAN return traffic.
        (I also had to set up the neighboring router as a gateway in pfSense to get this to work.)
      • Now those subnets show as both OSPF and kernel routes in pfSense.

    Should pfSense honor OSPF routes by default, or is there some additional configuration required?

    Thank you!

    • Derelict, LAYER 8 Netgate (Jan 1, 2020, 6:47 PM; last edited by Derelict Jan 1, 2020, 6:52 PM)

      The pfSense firewall software knows about static routes because they are in the configuration. It can, therefore, automatically add them as sources in Outbound NAT.

      You will have to manually add Firewall > NAT, Outbound entries for the inside subnets for OSPF routes. I recommend setting Hybrid mode there.

      It might be enough to just make a network alias called RFC1918 and add the following:

      10.0.0.0/8
      172.16.0.0/12
      192.168.0.0/16

      You can then use that alias as the source network for a hybrid NAT entry.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • DigitalTony (Jan 1, 2020, 7:57 PM)
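The failure described in the thread (OSPF-learned subnets present in the routing table but absent from Outbound NAT, so WAN return traffic never comes back) can be checked mechanically. This is an added example, not code from the original post or from pfSense/FRR; it parses a constructed fragment of FRR "show ip route" output and compares the OSPF prefixes against a hypothetical list of outbound NAT source networks.

```python
import ipaddress
import re

# Constructed sample of FRR/zebra "show ip route" output for the scenario in the
# thread: two OSPF-learned prefixes plus one subnet that was given a static route.
ZEBRA_ROUTES = """\
Codes: K - kernel route, C - connected, S - static, O - OSPF
C>* 192.168.1.0/24 is directly connected, em1, 00:10:00
O>* 10.20.0.0/24 [110/20] via 192.168.1.2, em1, 00:05:12
O>* 10.21.0.0/24 [110/20] via 192.168.1.2, em1, 00:05:12
S>* 10.30.0.0/24 [1/0] via 192.168.1.2, em1, 00:08:00
"""

# Hypothetical source networks already present in Firewall > NAT > Outbound:
# the automatic rules cover the LAN subnet and the static-route subnet only.
NAT_SOURCES = ["192.168.1.0/24", "10.30.0.0/24"]

# The RFC1918 alias suggested in the thread, as networks.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Matches selected (">*") routes: one-letter protocol code followed by the prefix.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z])>\*\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")

def parse_zebra_routes(text):
    """Return a list of (protocol_code, ip_network) for selected routes."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group("code"), ipaddress.ip_network(m.group("prefix"))))
    return routes

def uncovered_ospf_prefixes(zebra_text, nat_sources):
    """OSPF-learned prefixes that no outbound NAT source network contains.

    Hosts in these prefixes can reach the WAN, but their packets leave with a
    private source address, so the replies are dropped upstream and never return.
    """
    sources = [ipaddress.ip_network(s) for s in nat_sources]
    missing = []
    for code, net in parse_zebra_routes(zebra_text):
        if code == "O" and not any(net.subnet_of(src) for src in sources):
            missing.append(str(net))
    return missing

if __name__ == "__main__":
    print("Not NATed:", uncovered_ospf_prefixes(ZEBRA_ROUTES, NAT_SOURCES))
    print("With RFC1918 alias:", uncovered_ospf_prefixes(ZEBRA_ROUTES, NAT_SOURCES + RFC1918))
```

In a real deployment the route text would come from `vtysh -c "show ip route"` on the pfSense box and the NAT source list from the Outbound NAT page; the check then reports exactly which learned subnets still need a hybrid NAT entry.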

        Thank you! That was the missing piece.
        I did create an alias for RFC1918 subnets, but it wouldn't allow me to use it in the NAT config.
        It was no big deal to create 3 separate NAT rules for those internal networks.

        Question: Now that my NATting and OSPF routing are working, do I still need the neighboring router to be configured as a gateway?

        Thanks.

        • Derelict, LAYER 8 Netgate (Jan 1, 2020, 8:46 PM)

          You need the neighbor gateway entry as a target for static routes. You should not need it for OSPF routes.


          • Derelict, LAYER 8 Netgate (Jan 1, 2020, 8:48 PM)

            Not sure what's up with using an alias as a source for outbound NAT there. Works fine here. It is a little weird but you just need to start typing the alias name in the source network field and it should work.

            [Attached screenshot: Screen Shot 2020-01-01 at 12.31.33 PM.png]


            • DigitalTony (Jan 1, 2020, 8:54 PM)

              Great! Thank you on both accounts. I disabled the gateway, and we're still operational. :-)
              And I didn't realize you could just start typing names in the network box... From the GUI, it sure looks like it wants a network address.
              But now the alias is in use.

              Thanks again, and Happy New Year!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.